Security Policy
Must state what is/is not allowed
Controls Firewall decisions
Tells employees what is/is not OK
No policy ==> Anything goes
Need top management backing
--> Office Politics
Based in part on
What you are trying to protect
Data & Systems Integrity & availability
Reference: Zwicky, Chapter 25
Sonnenreich, p 34
Cheswick & Bellovin