An effective way to mitigate the risk of connecting to the Internet is to make sure your network security policy is up to date and security procedures are working correctly. So before you connect your business systems to the Internet, draft an Internet policy document that states how employees may use the Internet and explains the responsibilities of users and the IS department for maintaining security. This document needs to state

  • who may use the company's Internet resources
  • how employees may and may not use the Internet (with examples)
  • who is authorized to grant access and approve use
  • who has firewall system-administration privileges

The policy draft needs to begin by explaining why Internet security and control are important. For example,

Any connection between the ACME corporate network and the Internet presents the opportunity for non-ACME employees to attempt to access corporate systems and information. It is therefore extremely important that such a connection is secure, controlled, and monitored. It is also important that employees use the Internet to increase productivity rather than for nonbusiness purposes that may adversely affect the responsiveness of critical business systems on the network.

The policy also needs to clearly state that, after a trial period, no connection to the Internet is permitted except via the firewall (e.g., no dial-up PPP connections to ISPs) and any use not expressly permitted is prohibited. The policy also needs to inform users that IS will log and audit Internet use to ensure compliance.

After drafting the Internet policy document, IS needs to let user representatives give feedback on the policy before IS selects a firewall product. This process ensures that IS clearly understands user requirements and, more important, lets IS clearly set expectations for the Internet capabilities they will make available to users.

Users are often surprised to learn about limits on the types of Internet access they can have. However, try to accommodate valid business needs for Internet access. Table A gives examples of the permitted and prohibited uses of four typical Internet services. Note that the policy elements address not only security but also performance issues.

TABLE A: Permitted and Prohibited Internet Services (Example)

Email

Permitted uses
  • Sending and receiving email messages with enclosures (file size less than 2MB) for business purposes
  • Sending and receiving short text messages with no enclosures for nonbusiness purposes

Prohibited uses
  • Forwarding email chain letters
  • Sending or arranging to receive mail enclosures greater than 2MB
  • Sending or arranging to receive mail enclosures for personal reasons
  • Sending sensitive information by email over the Internet
  • Opening files received from the Internet without performing a virus scan

FTP Downloads

Permitted uses
  • Any user approved to download files from a particular site may download files from that site if such files are scanned for viruses, IT has approved any software installed on the user's workstation, and purchase of any required software license is approved

Prohibited uses
  • Downloading any file from a nonapproved FTP site; permission to download files is granted on a site-by-site basis, and permission will be granted only for trusted, major commercial sites
  • Downloading software without approval to purchase the required license
  • Downloading from any site for nonbusiness purposes at any time

Web

Permitted uses
  • Any user approved for Web access may connect to and view any Web page for well-defined business purposes
  • Any user may print Web pages

Prohibited uses
  • Installation of Web server software on any PC attached to the corporate network without written permission from IS
  • Connection to Web sites related to sex, illegal drugs, criminal skills, hate speech, online gambling, sports, entertainment, online merchandising, humor, or job search
  • Connection to any site for nonbusiness reasons during business hours

USENET Newsgroups

Permitted uses
  • Any user with approved access to Usenet newsgroups may access newsgroups that have been previously requested and approved, if such access is for business purposes

Prohibited uses
  • Accessing any newsgroup for nonbusiness reasons
  • Submitting messages to newsgroups
  • Accessing newsgroups related to sex, illegal drugs, criminal skills, hate speech, online gambling, sports, entertainment, online merchandising, humor, or job search