On Wed, Mar 17, 2004 at 05:30:24PM -0500, STeve Andre' wrote:
> Hmmm. How can you effectively make a policy for what ports to block or pass?
[snip]

You can... that *is* the firewall policy.

I agree with many of the points you make, but there is a difference between a security policy and a firewall policy. Jim is taking the right approach by developing a security policy first. The security policy itself should be fairly static, because your business needs don't change that much. Using a committee or a board is probably a good thing, because it will be a more precise picture of what your business needs are and shouldn't be dictated by an IT unit/person. sans.org has some good template documents/policies.

The security policy isn't going to say what ports to block on your firewall... that's what a firewall policy is. However, a security policy should guide your implementations (security in practice... i.e. anti-virus, perimeter defense including firewalls, account practices, etc.). Implementations are going to be dynamic, often reactions to a new threat, but your security policy should guide the day-to-day decisions (something the IT unit/person does, but then you have the backing of your committee/board via your security policy) you make to mitigate those threats.

Hope this helps clarify some concepts.

Thanks,
dpk