What should be examined to verify 1.1.2 is implemented?


Multiple Choice

What should be examined to verify 1.1.2 is implemented?

Explanation:
Verifying 1.1.2 is about confirming that there are formal, documented controls for what network traffic is allowed to reach and leave the Cardholder Data Environment (CDE). The best thing to examine is the firewall and router configuration standards, because these documents specify the exact inbound and outbound traffic that is permitted, including ports, protocols, and the scope of the CDE. If these standards clearly identify what traffic is allowed to enter and exit the CDE, it shows that boundary controls are defined and enforced, which is essential for limiting exposure to only necessary connections. The other options don’t demonstrate this boundary-control focus: a policy that is unrelated to the CDE doesn’t prove that controls are actually implemented; requiring encryption for all outbound traffic isn’t the same as showing which traffic is permitted or denied by the network devices; and allowing unrestricted inbound traffic from trusted partners would contravene the principle of controlled access.