Because security policies are a direct reflection of a corporation's security needs, the immediate decision is how much access is required.
An organisation can meter out services or deny all but the most critical required access.
The second policy issue, which also directly ties to any firewall decision, is the access level.
- Do you want all users to have basic access or limited access?
- This requires examining current use -- does each user separately log into the Internet?
- What will be each user's site restrictions?
- Don't forget to examine the types of file extensions you want allowed and disallowed for downloading and document transfers.
The policy also must determine the degree of redundancy your organisation needs -- should you have a failover backup or provide multi-tiered protections? Also, what do you want to monitor in network access and Internet use, who will do the monitoring, and how?
Your organisation's networked systems security policy should require that
- testing of the firewall system be performed in an environment isolated from your operational networks
- the firewall system be retested after every configuration change and periodically using the regression test suite
- the regression test suite be kept up to date to exercise the current firewall system configuration
- the inventory of all applications software, operating systems, supporting tools, and hardware be kept up to date
- monitoring of all network and systems, including your firewall system, be performed on a regular basis
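To make the regression-testing requirement concrete, here is an added example (not from the original text) of what a firewall regression suite can look like: a small, constructed first-match rule set, a suite of flows with their expected verdicts, and a runner that reports every case whose verdict changed after a configuration edit. The rule set, addresses and the "accidental" change are all constructed for illustration.

```python
"""Regression test suite for a firewall rule set (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str           # "tcp", "udp" or "any"
    dport: Optional[int] # None matches any destination port


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def evaluate(rules, src, dst, proto, dport) -> str:
    """First-match evaluation; anything no rule matches is denied."""
    for rule in rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return "deny"


# Constructed baseline: the LAN may reach the web proxy and DNS, nothing else.
BASELINE = [
    Rule("allow", "10.0.0.0/24", "10.0.1.10/32", "tcp", 3128),
    Rule("allow", "10.0.0.0/24", "10.0.1.53/32", "udp", 53),
    Rule("deny",  "0.0.0.0/0",   "0.0.0.0/0",    "any", None),
]

# Regression suite: (description, flow, expected verdict). Keep it current
# with the policy so every configuration change is checked against it.
SUITE = [
    ("LAN to proxy",      ("10.0.0.5", "10.0.1.10", "tcp", 3128), "allow"),
    ("LAN DNS",           ("10.0.0.5", "10.0.1.53", "udp", 53),   "allow"),
    ("LAN direct to web", ("10.0.0.5", "203.0.113.7", "tcp", 80), "deny"),
    ("Internet to LAN",   ("203.0.113.7", "10.0.0.5", "tcp", 445), "deny"),
]


def run_suite(rules, suite=SUITE):
    """Return (description, expected, got) for every case that now fails."""
    return [(desc, expected, got)
            for desc, flow, expected in suite
            if (got := evaluate(rules, *flow)) != expected]


# A constructed change that slips a broad allow in above the default deny.
CHANGED = BASELINE[:2] + [Rule("allow", "10.0.0.0/24", "0.0.0.0/0", "tcp", 80)] + BASELINE[2:]
```

Running `run_suite(BASELINE)` returns an empty list, while `run_suite(CHANGED)` reports the "LAN direct to web" case flipping from deny to allow, which is exactly the kind of drift the retest-after-every-change rule is meant to catch.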