Which of the following should be of MOST concern to an IS auditor reviewing the public key infrastructure (PKI) for enterprise e-mail?
A. The private key certificate has not been updated.
B. The certificate revocation list has not been updated.
C. The certificate practice statement has not been published.
D. The PKI policy has not been updated within the last year.

Correct answer: B.
When reviewing the public key infrastructure (PKI) for enterprise email, the IS auditor should be primarily concerned with ensuring the confidentiality, integrity, and authenticity of the messages transmitted using the PKI. The PKI is a set of protocols, standards, and software that enable secure communication between parties through the use of public and private key pairs.
Out of the given options, the most critical concern for an IS auditor reviewing the PKI for enterprise email is option B, "The certificate revocation list has not been updated." A certificate revocation list (CRL) is a list of certificates that have been revoked by the certificate authority (CA) before their scheduled expiration date. CRLs are used to verify the validity of a digital certificate, and the lack of updates to the CRL may lead to the acceptance of invalid or compromised digital certificates, which may be used for malicious purposes such as eavesdropping, impersonation, or data tampering.
Option A, "The private key certificate has not been updated," is important as well, as the private key is used for decrypting messages and verifying the identity of the sender. However, it is less critical than the CRL, as the compromise of a private key usually requires physical access to the device or network where the key is stored, while an outdated CRL can potentially impact all users who rely on the PKI.
Option C, "The certificate practice statement has not been published," and option D, "The PKI policy has not been updated within the last year," are also important for ensuring the transparency and compliance of the PKI, but they are not as critical as the CRL, as they do not directly impact the security of the communications.
In summary, an IS auditor should be most concerned about the currency and accuracy of the CRL when reviewing the PKI for enterprise email, as this has the greatest potential to compromise the confidentiality, integrity, and authenticity of the communications.
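The point the explanation makes, shown as an added example that is not part of the original question or its explanation: a stale CRL (its nextUpdate is in the past) cannot vouch for certificates revoked after it was published, so a checker that treats a stale CRL as "no revocation found" silently accepts a revoked certificate, whereas a fail-closed checker refuses to decide. The simplified CRL and certificate records, the serial numbers and the dates are all constructed for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Crl:
    """Simplified CRL carrying only the fields a revocation check needs."""
    this_update: datetime            # when the CA published this list
    next_update: datetime            # the CA promised a newer list by this time
    revoked_serials: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Cert:
    serial: int
    not_after: datetime


def crl_is_stale(crl: Crl, now: datetime) -> bool:
    """A CRL past its nextUpdate no longer reflects the CA's current view."""
    return now > crl.next_update


def certificate_status(cert: Cert, crl: Crl, now: datetime, fail_open: bool = False) -> str:
    """Return 'expired', 'revoked', 'valid' or 'unknown'.

    'unknown' is the fail-closed verdict for a stale CRL: the certificate is not
    listed, but the list is too old to prove anything. fail_open=True models the
    weak implementation that treats 'not listed' as 'valid' regardless of CRL age.
    """
    if now > cert.not_after:
        return "expired"
    if cert.serial in crl.revoked_serials:   # a stale CRL still proves listed revocations
        return "revoked"
    if crl_is_stale(crl, now):
        return "valid" if fail_open else "unknown"
    return "valid"


# Constructed scenario: the CA published a CRL on day 0 valid for 7 days, then
# revoked serial 0x2001 on day 10 but never published a fresh CRL. It is now day 12.
DAY0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
STALE_CRL = Crl(this_update=DAY0, next_update=DAY0 + timedelta(days=7),
                revoked_serials=frozenset({0x1001}))          # 0x2001 is missing
NOW = DAY0 + timedelta(days=12)
REVOKED_BUT_UNLISTED = Cert(serial=0x2001, not_after=DAY0 + timedelta(days=365))
LISTED = Cert(serial=0x1001, not_after=DAY0 + timedelta(days=365))


def audit_finding(crl: Crl, now: datetime) -> str:
    """What the auditor records: how long the CRL has been overdue, if at all."""
    overdue = now - crl.next_update
    return f"CRL overdue by {overdue.days} days" if overdue.days > 0 else "CRL current"
```

Run against the constructed scenario, `certificate_status(REVOKED_BUT_UNLISTED, STALE_CRL, NOW, fail_open=True)` is the dangerous outcome ("valid") the explanation warns about; the default fail-closed call returns "unknown".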