Understand It
Robust security systems don't begin with hardware and software, but instead begin with careful planning. If you don't know what you want your security systems to protect, or if you don't have an idea of how you want that protection to function, it will be difficult to configure those systems to actually protect your networks and your data.
A security policy is a general statement of the business rules that define the goals and purposes of security within an organization (even an organization of one or two people). Security policies are considered strategic documents, and they define the overall purpose and direction for security. When you start with a solid security policy, configuring your security systems -- or communicating with those who do -- is much simpler and more effective.
One of the most important elements of your overall company security policy is a network security policy that governs what communications you will allow between your internal network and the external Internet. While the Internet facilitates information exchange in what seems like more ways than you can count and is a fundamental component of the way many organizations do business today, it can also provide a direct route for those with less-than-good intentions to your computer networks and their data. The development of a thorough network security policy followed by a solid implementation of that policy can help you leverage the Internet as a communications medium while still protecting your valuable systems and data.
There are many moving parts in the security of your organization. In addition to thinking about how to keep your networks and data safe, you must consider the security of your offices, your staff's computer equipment while they travel, and much more. Although this How-To guide focuses specifically on security policies for protecting your networks and data with firewalls, keep in mind that a firewall security policy cannot exist in a vacuum. It must be accompanied by an overall organization-wide security policy that establishes goals for maintaining physical security, staff training and awareness, and system-specific security controls.