An effective way to mitigate the risk of connecting to the Internet is to make sure your network security policy is up to date and your security procedures are working correctly. So before you connect your business systems to the Internet, draft an Internet policy document that states how employees may use the Internet and explains the responsibilities of users and the IS department for maintaining security. This document needs to state:
- who may use the company's Internet resources
- how employees may and may not use the Internet (with examples)
- who is authorized to grant access and approve use
- who has firewall system-administration privileges
The policy draft needs to begin by explaining why Internet security and control are important. For example,
Any connection between the ACME corporate network and the Internet presents the opportunity for non-ACME employees to attempt to access corporate systems and information. It is therefore extremely important that such a connection is secure, controlled, and monitored. It is also important that employees use the Internet to increase productivity rather than for nonbusiness purposes that may adversely affect the responsiveness of critical business systems on the network.
The policy also needs to clearly state that, after a trial period, no connection to the Internet is permitted except via the firewall (e.g., no dial-up PPP connections to ISPs) and any use not expressly permitted is prohibited. The policy also needs to inform users that IS will log and audit Internet use to ensure compliance.
After drafting the Internet policy document, IS needs to let user representatives give feedback on the policy before IS selects a firewall product. This process ensures that IS clearly understands user requirements and, more important, lets IS clearly set expectations for the Internet capabilities they will make available to users.
Users are often surprised to learn about limits on the types of Internet access they can have. However, try to accommodate valid business needs for Internet access. Table A gives examples of the permitted and prohibited uses of four typical Internet services. Note that the policy elements address not only security but also performance issues.
| TABLE A: Permitted and Prohibited Internet Services (Example) |
|---|
| Email |
| FTP Downloads |
| Web |
| USENET Newsgroups |