Drafting an Internet Policy Document

To mitigate the risk of connecting to the Internet, make sure your network security policy is up to date and the security procedures are working.

3 Min Read
ITPro Today logo in a gray background | ITPro Today

An effective way to mitigate the risk of connecting to the Internetis to make sure your network security policy is up to date and securityprocedures are working correctly. So before you connect your business systems tothe Internet, draft an Internet policy document that states how employees mayuse the Internet and explains the responsibilities of users and the ISdepartment for maintaining security. This document needs to state

  • who may use the company's Internet resources

  • how employees may and may not use the Internet (with examples)

  • who is authorized to grant access and approve use

  • who has firewall system-administration privileges

The policy draft needs to begin by explaining why Internet security andcontrol are important. For example,

Any connection between the ACME corporate network and the Internetpresents the opportunity for non-ACME employees to attempt to access corporatesystems and information. It is therefore extremely important that such aconnection is secure, controlled, and monitored. It is also important thatemployees use the Internet to increase productivity rather than for nonbusinesspurposes that may adversely affect the responsiveness of critical businesssystems on the network.

The policy also needs to clearly state that, after a trial period, noconnection to the Internet is permitted except via the firewall (e.g., nodial-up PPP connections to ISPs) and any use not expressly permitted isprohibited. The policy also needs to inform users that IS will log and auditInternet use to ensure compliance.

After drafting the Internet policy document, IS needs to let userrepresentatives give feedback on the policy before IS selects a firewallproduct. This process ensures that IS clearly understands user requirements and,more important, lets IS clearly set expectations for the Internet capabilitiesthey will make available to users.

Users are often surprised to learn about limits on the types of Internetaccess they can have. However, try to accommodate valid business needs forInternet access. Table A gives examples of the permitted and prohibited uses offour typical Internet services. Note that the policy elements address not onlysecurity but also performance issues.

TABLE A: Permitted and Prohibited Internet Services (Example)

Email

Permitted uses

Prohibited uses

FTP Downloads

Permitted uses

Prohibited uses

Web

Permitted uses

Prohibited uses

USENET Newsgroups

Permitted uses

Prohibited uses

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like