Which control is described as regulating the flow of traffic into or out of a network segment, with the most specific rules at the top and a deny all rule at the end?

• A. Access Control List (ACL)
• B. Statement of Applicability (SOA)
• C. Administrative Control
• D. Business Continuity Plan (BCP)

Answer: (B)

Regulating the flow of traffic into or out of a network segment with rules arranged from the most specific to the least specific, ending with a deny-all rule, describes how an access control list functions. An ACL is a ordered set of permit and deny statements that networking devices evaluate from top to bottom. The first rule that matches the traffic is applied, allowing or blocking the packet accordingly. The reason the deny-all rule at the end is important is that it provides a default security posture: if nothing matches the explicit permits, everything else is blocked, reducing the risk of accidentally allowing unwanted traffic. The rules can specify direction (in or out), IP addresses, subnets, ports, and protocols, enabling precise control over who can reach what and how.

This matches the concept of filtering and controlling data flow at a network boundary, such as on routers or switches protecting a segment. The other options describe different kinds of controls: a Statement of Applicability is an ISO 27001 document listing which controls are selected and how they’re implemented, not a traffic-filtering mechanism; an Administrative Control refers to policies, procedures, and organizational measures rather than a technical filter; a Business Continuity Plan focuses on maintaining operations during and after disruptions, not on controlling network traffic.