CISA QUESTION #6845
Question 1
In evaluating cryptographic controls, an auditor finds that SSL 3.0 is still enabled on web servers despite its known vulnerabilities and the availability of TLS 1.2 and 1.3. Management states that SSL 3.0 is needed for backward compatibility. What should the auditor recommend?
  • Accept management's reasoning
  • Disable SSL 3.0 and conduct impact analysis to identify legitimate compatibility requirements✔️
  • Enable all protocol versions
  • Document as acceptable risk
Correct Answer Explanation
SSL 3.0 has known, practical weaknesses (the POODLE padding-oracle attack, CVE-2014-3566, is the best known) and was formally deprecated by RFC 7568; leaving it enabled exposes every connection that can be downgraded to it. Keeping a vulnerable protocol enabled "just in case", without identifying which clients actually need it, is poor security practice, and simply accepting management's reasoning or documenting the exposure as acceptable risk does not address the control weakness. The auditor should recommend disabling SSL 3.0 and performing an impact analysis that identifies any legitimate compatibility requirement (for example, by reviewing which protocol versions clients actually negotiate) so that those clients can be upgraded or otherwise accommodated through secure means rather than by retaining the deprecated protocol. The same reasoning now applies to TLS 1.0 and 1.1, which RFC 8996 deprecated.
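As an added example (not part of the original question or explanation), the script below shows the check an auditor or administrator can run against the server configuration itself: it parses the nginx `ssl_protocols` directive and the Apache httpd `SSLProtocol` directive, resolves Apache's `all`, `+` and `-` syntax, and reports any deprecated protocol version left enabled. The weak and hardened configuration snippets are constructed for the example; the treatment of Apache's `all` keyword as including SSLv3 is an assumption (the worst case an auditor should assume, since whether SSLv3 can actually be negotiated depends on the OpenSSL build, which the config file does not reveal).

```python
"""Audit nginx/Apache TLS protocol directives for deprecated versions.

Added example for this question, not code from the original page.
"""
import re

# Labels each server uses for protocol versions, mapped to one common spelling.
PROTOCOL_NAMES = {
    "sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1.0",
    "tlsv1.1": "TLSv1.1", "tlsv1.2": "TLSv1.2", "tlsv1.3": "TLSv1.3",
}
# Assumption: Apache's "all" keyword is treated as SSLv3 plus every TLS version.
# That is the worst case an auditor should assume from the config alone.
APACHE_ALL = {"SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# SSLv2 prohibited by RFC 6176, SSLv3 by RFC 7568, TLS 1.0/1.1 by RFC 8996.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def _normalise(token):
    try:
        return PROTOCOL_NAMES[token.lower()]
    except KeyError:
        raise ValueError(f"unknown protocol token {token!r}")


def parse_nginx(args):
    """nginx: `ssl_protocols` is a plain list; every listed version is enabled."""
    return {_normalise(t) for t in args}


def parse_apache(args):
    """Apache mod_ssl: `SSLProtocol [+|-]name ...`.

    '+' adds a protocol, '-' removes one, and a bare name replaces whatever
    was set before it (mod_ssl warns about a missing +/- prefix in that case).
    """
    enabled = set()
    for token in args:
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        members = APACHE_ALL if name.lower() == "all" else {_normalise(name)}
        if sign == "+":
            enabled |= members
        elif sign == "-":
            enabled -= members
        else:
            enabled = set(members)
    return enabled


DIRECTIVES = {"ssl_protocols": parse_nginx, "sslprotocol": parse_apache}
_LINE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.IGNORECASE)


def enabled_protocols(config_text):
    """Map each protocol directive's line number to the set of versions it enables."""
    result = {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = _LINE.match(line)
        if m:
            parser = DIRECTIVES[m.group(1).lower()]
            result[lineno] = parser(m.group(2).split())
    return result


def audit(config_text):
    """Return (line_number, sorted deprecated protocols) for every directive that
    leaves a deprecated version enabled. An empty list means the config passes."""
    findings = []
    for lineno, protocols in enabled_protocols(config_text).items():
        bad = sorted(protocols & DEPRECATED)
        if bad:
            findings.append((lineno, bad))
    return findings


# Constructed sample configurations, not taken from any real server.
WEAK_NGINX = """\
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # kept "for backward compatibility"
}
"""
HARDENED_NGINX = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""
# "all -SSLv2" is a common legacy setting that still leaves SSLv3 and TLS 1.0/1.1 on.
WEAK_APACHE = "SSLProtocol all -SSLv2\n"
HARDENED_APACHE = "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n"

if __name__ == "__main__":
    for label, cfg in [("weak nginx", WEAK_NGINX), ("hardened nginx", HARDENED_NGINX),
                       ("weak apache", WEAK_APACHE), ("hardened apache", HARDENED_APACHE)]:
        print(label, "->", audit(cfg) or "OK")
```

A configuration audit like this confirms what the server is told to offer; it does not replace a live probe of the listening service (for example with `openssl s_client -ssl3`, where the local OpenSSL build still supports it), and it should be paired with a review of which protocol versions clients actually negotiate before concluding that SSL 3.0 is required by anyone.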