CISA Exam: Correct Audit Response for Encryption of Symmetric Key

Audit Response for Encryption of Symmetric Key


Question

An IS auditor reviewing the use of encryption finds that the symmetric key is sent by an email message between the parties.

Which of the following audit responses is correct in this situation?

Answers


A. B. C. D.

D.

The correct audit response in this situation is D. An audit finding is recorded, as the key should be distributed in a secure manner.

Explanation: Encryption is a method of encoding messages to ensure that only the intended recipient can read them. Symmetric key encryption is a type of encryption where the same key is used for both encryption and decryption of the message. In contrast, asymmetric key encryption uses two keys, a public key and a private key, to encrypt and decrypt the message.

Sending the symmetric key via email message between the parties is not a secure method of distribution. Email is a widely used method of communication that is susceptible to interception and hacking. Attackers can intercept the email and access the symmetric key, making the encrypted message readable. Therefore, the key should be distributed in a secure manner to ensure the confidentiality of the message.

Option A is incorrect as asymmetric key encryption is not necessarily required. It depends on the organization's policies and the level of security required for the message. However, sending the symmetric key via email is not a secure method.

Option B is incorrect as distributing a key of this nature via email is not a normal practice for secure communication.

Option C is incorrect as the key can be reused multiple times for encryption and decryption, making it vulnerable to interception.

In conclusion, the auditor should record an audit finding, as the key should be distributed in a secure manner to ensure the confidentiality of the message.