Security Policy

    Must state what is/is not allowed

        Controls Firewall decisions

        Tells employees what is/is not OK

    No policy ==> Anything goes

    Need top management backing

        --> Office Politics

    Based in part on

        What you are trying to protect

        Data & Systems Integrity & Availability

    Reference: Zwicky, Chapter 25

        Sonnenreich, p 34

        Cheswick & Bellovin