Certified Information Systems Auditor (CISA) — Question 1126

Which of the following should an IS auditor consider FIRST when evaluating firewall rules?

Answer options

• A. The firewalls' default settings
• B. The physical location of the firewalls
• C. The number of remote nodes
• D. The organization's security policy

Correct answer: D

Explanation

The correct answer is D because the organization's security policy provides the framework and guidelines that dictate how firewall rules should be established and managed. The other options, while relevant, do not provide the foundational context necessary for evaluating the appropriateness of firewall rules.