CISA QUESTION #6831
Question 1
An IS auditor evaluates encryption implementation and finds that data at rest is encrypted using AES-256, but encryption keys are stored on the same server in a plaintext configuration file. What is the MOST critical finding?
  • Weak encryption algorithm
  • Ineffective key management negates encryption protection ✔️
  • Poor documentation
  • Insufficient key length
Correct Answer Explanation
Encryption is only as strong as key management. Storing encryption keys in plaintext on the same system as encrypted data provides no real protection—an attacker who gains access to the encrypted data can immediately access the keys. This represents a fundamental failure in cryptographic implementation.