1 Policy Statement
[Your Company Name] (hereinafter referred to as the “Company”) utilises host-based and boundary firewalls to protect its devices, networks, property, staff and customers. We understand the importance of effective protective measures and recognise our obligation to configure these firewalls for maximum protection, including effective firewall rules.
The boundary firewall is essential in mitigating the risks of loss of, or threats to, our information and business. We follow government and expert guidelines and requirements when setting up the rules and parameters that define the firewall.
We also use host-based firewalls on [some/all] devices to provide a second, independent layer of protection. A host-based firewall allows rules and configuration to be tailored to a specific device, and protects that device, and therefore the information it contains or accesses, wherever it is used.
2 Purpose
The purpose of this policy is to define the Company standards for securing devices and networks within the scope of its information security program, as defined below. By utilising host-based and boundary firewalls, the Company aims to protect against cyber-attacks; loss or damage to personal data; unwanted virus and/or malware attacks; loss of intellectual property and any other adverse effects from unauthorised access to our networks or devices.
This policy focuses on the Company’s firewall use, configuration and administration and enables the effective set up, maintenance and monitoring of its firewalls. It also defines how many firewalls the Company utilises and the scope and areas that each of these protect.
3 Scope
This policy applies to all staff within the Company (meaning permanent, fixed term, and temporary staff, any third-party representatives or sub-contractors, agency workers, volunteers, interns and agents engaged with the Company in the UK or overseas). Adherence to this policy is mandatory and non-compliance could lead to disciplinary action.
3.1 In Scope
[You should detail here any device, system, network etc that is within the boundary of your firewalls (i.e. is protected by the boundary and/or host-based firewalls.) You should aim to include as much of your IT infrastructure within your firewalls as possible to ensure maximum protection.]
3.2 Not in Scope
[Detail any areas that are not within the scope of your firewalls (e.g. systems hosted by external service providers).]
4 Objectives
The Company has implemented and configured boundary and host-based firewalls to ensure that only network communications with a verified business need are permitted between its devices and other devices and services.
A boundary firewall protects the network as a whole, placing a protective buffer around all of the devices within the Company's network and separating them from any external network (such as the Internet) to which the Company connects.
The second type of firewall that the Company utilises is the host-based firewall, installed on individual devices (e.g. laptops, smartphones, desktop computers). These offer an extra layer of protection from external network traffic, including traffic from other devices on the same internal network, and allow device-specific rules to be set.
We have defined a number of objectives that we meet when implementing and configuring firewalls, as detailed below. Where an objective applies only to the boundary or only to the host-based firewall, we say so in the objective. Any objective that refers solely to a ‘firewall’ applies to both boundary and host-based firewalls.
- Change the default usernames and passwords on all boundary firewalls as soon as they are installed and before they are connected to an external network
- Update the boundary firewall password every [week/month/quarter]
- Enable and configure host-based firewalls on all devices within the scope
- Verify and approve every connection and/or device permitted through the firewall
- Verify that the firewall configuration blocks services on the internal network from being reached from external networks unless a rule has been explicitly approved for that purpose
- Document the devices connected to the firewall and the business need for each connection
- Define firewall rules for both inbound and outbound traffic, denying by default and permitting only what is documented
- [You can document the inbound/outbound rules you have added to the boundary firewall – below are examples only and MUST be replaced with your own rules]
- [Add trusted IP addresses/ranges to the whitelist]
- [Add untrusted IP addresses/ranges to the blacklist]
- Retain a log of all firewall rules, recording for each rule:
- the rule's purpose
- the affected device/service/user/network
- the date the rule was applied
- the duration of the rule (if time limited)
- the person who authorised the rule
- Review firewall rules every [1 month/3 months/6 months]
- Enable logging on all firewalls and monitor the logs for suspicious behaviour
- Where a port is opened for business reasons (e.g. to allow a client to access an internal system externally), a risk assessment and authorisation review is conducted by the [IT Manager/Named Person] to ensure that risks are minimised and that there is an essential business purpose for opening the port
- Where an opened port is time limited (e.g. a client only needs to access a system for one day), the [IT Manager/Named Person] is responsible for disabling the access as soon as it is no longer required
- Limit access to the firewall management interface to the [IT Manager/IT Team/Named Person] only, and do not expose the management interface to external networks
- [Delete if not applicable] Where the Company utilises an external IT service provider for IT support and that provider has access to our firewall configurations, we require two-factor authentication for login access and restrict that access to a defined trusted IP address for the provider, to minimise the risks of remote access to the firewalls
- Regularly update firewalls with relevant security patches and/or firmware
- [Add/Delete any other applicable firewall objectives as relevant to your scope, size and business]
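The rule log, review interval and time-limited access objectives above are only useful if someone actually checks the log against them. The script below, added here as an example and not part of the policy template, reviews a rule register of the kind the objectives describe. It assumes the register is kept as a CSV file with one row per rule and the columns the policy lists (purpose, affected, date applied, duration, authoriser) plus a `source` column holding the trusted or untrusted address/range the rule matches; the column names, the `rule_id` field and the sample register are all constructed for illustration. It flags rules with missing mandatory fields, malformed addresses, time-limited rules whose duration has elapsed, and rules older than the review interval.

```python
"""Review a firewall rule register against the policy's rule-log objectives.

Added example, not part of the policy template. Assumes a CSV register with
the columns shown in SAMPLE_REGISTER; the column names and sample rows are
constructed for illustration.
"""

import csv
import io
import ipaddress
from datetime import date, timedelta

# Constructed sample register: R1 and an older R5 are complete, R2 is a
# one-day client rule that was never removed, R3 has no authoriser, and
# R4 carries a malformed source address.
SAMPLE_REGISTER = """\
rule_id,purpose,affected,source,date_applied,duration_days,authorised_by
R1,Allow VPN from IT provider,fw-boundary,203.0.113.0/24,2024-01-15,,IT Manager
R2,Client demo access to portal,portal-srv,198.51.100.7/32,2024-03-01,1,IT Manager
R3,Block scanner range,fw-boundary,192.0.2.0/24,2024-02-10,,
R4,Temporary vendor SSH,db-01,not-an-address,2024-03-05,7,IT Manager
R5,Allow monitoring host,all-hosts,10.0.5.20/32,2023-06-01,,IT Manager
"""

# Fields the policy requires for every rule in the log.
REQUIRED = ("purpose", "affected", "date_applied", "authorised_by")


def review_register(csv_text, today, review_interval_days=90):
    """Return {rule_id: [findings]} for every rule that needs attention.

    Findings:
      incomplete:<field>  a field the policy requires is empty
      bad_source          source is not a valid IP address or CIDR range
      expired             time-limited rule whose duration has elapsed
      review_due          rule applied more than review_interval_days ago
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        for field in REQUIRED:
            if not row.get(field, "").strip():
                issues.append(f"incomplete:{field}")
        try:
            # strict=False accepts host bits set in a range, e.g. 10.0.5.20/24
            ipaddress.ip_network(row["source"].strip(), strict=False)
        except ValueError:
            issues.append("bad_source")
        applied = None
        if row["date_applied"].strip():
            applied = date.fromisoformat(row["date_applied"].strip())
        duration = row.get("duration_days", "").strip()
        if applied and duration:
            # Access was needed for <duration> days from the date applied;
            # once that window has passed the rule should already be gone.
            if applied + timedelta(days=int(duration)) <= today:
                issues.append("expired")
        if applied and (today - applied).days > review_interval_days:
            issues.append("review_due")
        if issues:
            findings[row["rule_id"]] = issues
    return findings


def sample_findings(today_iso="2024-03-10"):
    """Run the review over the constructed sample as of the given date."""
    return review_register(SAMPLE_REGISTER, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for rule_id, issues in sample_findings().items():
        print(f"{rule_id}: {', '.join(issues)}")
```

Run it as a scheduled job with `today` left to default to the current date and the output becomes the agenda for the periodic rule review: expired rules are removed, incomplete entries are sent back to their authoriser, and anything flagged `review_due` is re-confirmed or retired. The review interval and the set of required columns are parameters so they can be aligned with the values chosen in the objectives above.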
5 Responsibilities
It is the responsibility of the [IT Team/Named Person/IT Manager] to oversee, implement, configure, monitor and maintain all firewalls within the organisation. The [IT Team/Named Person/IT Manager] has been assessed to ensure that they have an adequate level of knowledge and understanding of boundary and host-based firewall configuration and maintenance, and that they are able to carry out monitoring and reviews of all protective measures.