Certified Information Systems Auditor (CISA) — Question 406
An IS auditor is reviewing an organization's primary router access control list. Which of the following should result in a finding?
Answer options
- A. There are conflicting permit and deny rules for the IT group.
- B. There is only one rule per group with access privileges.
- C. Individual permissions are overriding group permissions.
- D. The network security group can change network address translation (NAT).
Correct answer: A
Explanation
The correct answer, A, is the one that should result in a finding: when the same group is subject to both permit and deny rules, the access that is actually granted depends on how the router orders and evaluates the rules rather than on documented intent, which leads to unpredictable access behavior and potential security exposure. Option B is acceptable, because having one rule per group does not in itself indicate a security flaw. Option C may suggest a misconfiguration, but it does not indicate an access control problem as serious as A. Option D is not a concern, provided the network security group is authorized to manage NAT.