CISA Protection of Information Assets • Set 2
CISA Protection of Information Assets Practice Test 2 — 15 questions with explanations. Free, no signup.
You are an IS auditor reviewing the remote access configuration for a medium-sized enterprise. The company uses a VPN concentrator to allow employees to connect from home. The VPN is configured with IPsec using pre-shared keys (PSK) and requires no multi-factor authentication. Employees use company-issued laptops with full disk encryption. The VPN logs show that connections are coming from a wide range of IP addresses, including some from countries where the company has no business operations. The IT manager argues that the PSK is changed monthly and that full disk encryption mitigates any risk. However, during the audit, you find that the PSK is stored in a shared document on an internal file server accessible to all employees. Additionally, the VPN concentrator uses a single PSK for all users. Which of the following is the MOST critical finding?