
ISACA CISA: An Out-of-Date Certificate Revocation List Is the Chief PKI Audit Concern

IS auditors evaluating a public key infrastructure for enterprise email should first confirm that the certificate revocation list is kept current, because that is what allows compromised user certificates to actually be revoked.

Question

Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise email?

A. The private key certificate has not been updated.
B. The certificate revocation list has not been updated.
C. The certificate practice statement has not been published.
D. The PKI policy has not been updated within the last year.

Answer

B. The certificate revocation list has not been updated.

Explanation

The IS auditor should be most concerned that the certificate revocation list has not been updated when reviewing the PKI for enterprise email.

Though policy and practice documentation is important, effective certificate revocation is paramount to preserving communications integrity after the inevitable private key compromise. If the revocation list is not updated promptly and propagated to the systems that rely on it, email encryption remains vulnerable to impersonation with stolen keys: a relying party holding a stale list will keep trusting a certificate the CA has already revoked.

By focusing PKI audit attention on functional, regular certificate revocation list publishing, IS auditors emphasize effective encryption hygiene over administrative controls. This pragmatically concentrates verification on core security mechanisms defending enterprise mail.
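The following is an added example, not part of the original question page or any ISACA material, that models what the explanation describes: a mail gateway that keeps using a stale CRL will still accept a certificate whose key has been stolen and revoked. The `CRLSnapshot` model, the `Example Corp Mail CA` issuer name, the serial `0x1A2B`, the timestamps and the 24-hour publication policy are all constructed for the example; the code is not a DER parser and does not fetch real CRLs. The `crl_finding` function also generalises the audit check slightly beyond the question by distinguishing a CRL that is past its `nextUpdate` from one that is merely older than the CA's own promised publication interval.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class CRLSnapshot:
    """The CRL fields that matter for a freshness check.

    Hypothetical in-memory model of an already-parsed CRL (issuer, thisUpdate,
    nextUpdate, revoked serial numbers); this is not an X.509/DER parser.
    """
    issuer: str
    this_update: datetime   # when the CA produced this CRL
    next_update: datetime   # the CA promises a newer CRL no later than this
    revoked_serials: FrozenSet[int]


def crl_finding(crl: CRLSnapshot, now: datetime, max_publish_interval: timedelta) -> str:
    """Classify a CRL the way an auditor would.

    EXPIRED : nextUpdate has passed, so relying parties hold a CRL the CA itself
              no longer vouches for.
    OVERDUE : still before nextUpdate, but older than the publication interval
              the CA's own policy promises (e.g. "a new CRL every 24 hours").
    FRESH   : neither problem.
    """
    if now > crl.next_update:
        return "EXPIRED"
    if now - crl.this_update > max_publish_interval:
        return "OVERDUE"
    return "FRESH"


def accept_certificate(serial: int, cached_crl: CRLSnapshot, now: datetime,
                       max_publish_interval: timedelta, fail_closed: bool) -> Tuple[bool, str]:
    """Decide whether a relying party should trust a certificate with this serial.

    fail_closed=True  : a non-fresh CRL means revocation status is unknown, so reject.
    fail_closed=False : keep using the stale CRL (the common, and dangerous, default).
    """
    finding = crl_finding(cached_crl, now, max_publish_interval)
    if finding != "FRESH" and fail_closed:
        return False, f"rejected: cached CRL is {finding}, revocation status unknown"
    if serial in cached_crl.revoked_serials:
        return False, "rejected: serial is listed on the CRL"
    return True, f"accepted (CRL {finding})"


def run_scenario() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: a user's key was stolen and the CA revoked the
    certificate this morning, but the mail gateway still holds a CRL it
    downloaded nine days ago."""
    utc = timezone.utc
    now = datetime(2024, 6, 10, 12, 0, tzinfo=utc)    # constructed "current time"
    policy_interval = timedelta(hours=24)               # constructed CA policy: daily CRLs
    stolen_key_serial = 0x1A2B                          # constructed serial number

    # CRL the CA published this morning, listing the revoked certificate.
    current_crl = CRLSnapshot(
        issuer="CN=Example Corp Mail CA",                # constructed issuer name
        this_update=datetime(2024, 6, 10, 8, 0, tzinfo=utc),
        next_update=datetime(2024, 6, 11, 8, 0, tzinfo=utc),
        revoked_serials=frozenset({stolen_key_serial}),
    )
    # CRL still cached on the gateway: produced before the compromise and past nextUpdate.
    cached_crl = CRLSnapshot(
        issuer="CN=Example Corp Mail CA",
        this_update=datetime(2024, 6, 1, 8, 0, tzinfo=utc),
        next_update=datetime(2024, 6, 2, 8, 0, tzinfo=utc),
        revoked_serials=frozenset(),
    )

    return {
        # The audit finding: stale CRL plus fail-open means the stolen key still works.
        "stale_crl_fail_open": accept_certificate(stolen_key_serial, cached_crl, now,
                                                  policy_interval, fail_closed=False),
        # Same stale CRL, but the gateway refuses to decide on unknown status.
        "stale_crl_fail_closed": accept_certificate(stolen_key_serial, cached_crl, now,
                                                    policy_interval, fail_closed=True),
        # What the auditor wants to see: a current CRL catches the revoked serial.
        "fresh_crl": accept_certificate(stolen_key_serial, current_crl, now,
                                        policy_interval, fail_closed=False),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenario().items():
        print(f"{name:24s} accepted={ok}  {reason}")
```

The first scenario is the one the question is about: the gateway's cached CRL is past its `nextUpdate`, yet with the usual fail-open behaviour it still accepts the revoked serial. Checking `thisUpdate` and `nextUpdate` on the CRL the relying systems actually hold, not just the one the CA publishes, is the evidence an auditor would ask for.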
