A Chief Information Security Officer (CISO) is approached by a business unit manager who heard
a report on the radio this morning about an employee at a competing firm who shipped a VPN
token overseas so a fake employee could log into the corporate VPN. The CISO asks what can be
done to mitigate the risk of such an incident occurring within the organization. Which of the
following is the MOST cost effective way to mitigate such a risk?

A.
Require hardware tokens to be replaced on a yearly basis.

B.
Implement a biometric factor into the token response process.

C.
Force passwords to be changed every 90 days.

D.
Use PKI certificates as part of the VPN authentication process.