Drafting an Internet Policy Document

To mitigate the risk of connecting to the Internet, make sure your network security policy is up to date and the security procedures are working.


An effective way to mitigate the risk of connecting to the Internet is to make sure your network security policy is up to date and security procedures are working correctly. So before you connect your business systems to the Internet, draft an Internet policy document that states how employees may use the Internet and explains the responsibilities of users and the IS department for maintaining security. This document needs to state

  • who may use the company's Internet resources

  • how employees may and may not use the Internet (with examples)

  • who is authorized to grant access and approve use

  • who has firewall system-administration privileges

The policy draft needs to begin by explaining why Internet security and control are important. For example,

Any connection between the ACME corporate network and the Internet presents the opportunity for non-ACME employees to attempt to access corporate systems and information. It is therefore extremely important that such a connection is secure, controlled, and monitored. It is also important that employees use the Internet to increase productivity rather than for nonbusiness purposes that may adversely affect the responsiveness of critical business systems on the network.

The policy also needs to clearly state that, after a trial period, no connection to the Internet is permitted except via the firewall (e.g., no dial-up PPP connections to ISPs) and any use not expressly permitted is prohibited. The policy also needs to inform users that IS will log and audit Internet use to ensure compliance.

After drafting the Internet policy document, IS needs to let user representatives give feedback on the policy before IS selects a firewall product. This process ensures that IS clearly understands user requirements and, more important, lets IS clearly set expectations for the Internet capabilities they will make available to users.

Users are often surprised to learn about limits on the types of Internet access they can have. However, try to accommodate valid business needs for Internet access. Table A gives examples of the permitted and prohibited uses of four typical Internet services. Note that the policy elements address not only security but also performance issues.

TABLE A: Permitted and Prohibited Internet Services (Example)

Email

Permitted uses

Prohibited uses

FTP Downloads

Permitted uses

Prohibited uses

Web

Permitted uses

Prohibited uses

USENET Newsgroups

Permitted uses

Prohibited uses
