Chapter 5. Security Policy


When you talk to vendors or attend a security course, they tell you to do this or that according to your site's security policy, but they rarely attempt to explain what a security policy is or how to write or evaluate one. This is why we have included this chapter in the book. Firewalls and other perimeter devices are active security policy-enforcement engines: every rule they apply is a policy decision, whether or not that policy has been written down. As we examine the material, we discuss the fact that organizations often have unwritten policies. In the first half of this chapter, we explore the task of mapping policy to perimeter architectures and translating policy into enforceable firewall rules. In the second half of this chapter, we consider an approach to developing policy that requires understanding authority, scope, expiration, specificity, and clarity. Developing and implementing policy is not easy, which is why we explicitly cover the hallmarks of good policy and bad policy.

Note

"A security policy establishes what you must do to protect information stored on computers. A well-written policy contains sufficient definition of 'what' to do so you can identify and measure or evaluate 'how.'" [1]




    Inside Network Perimeter Security (2nd Edition)
    ISBN: 0672327376
    Year: 2005
    Pages: 230
