Written Security Policies

Written security policies exist to provide a high-level roadmap of what needs to be done to ensure that the organization has a well-defined and thought-out security strategy. It is a common misconception that an organization has a security policy. In fact, an organization's overall security policy typically consists of numerous individual security policies, which are written to address specific objectives, devices, or issues.

The objective of a security policy is to define what needs to be protected, who is responsible for protection, and, in some cases, how the protection will occur. This last function is typically separated out into a standalone procedure document such as the ingress-filtering, egress-filtering, or management-access policy documents discussed later in this chapter. In a nutshell, the security policy should simply and concisely outline the specific requirements, rules, and objectives that must be met to provide a measurable method of validating the security posture of the organization.

To help ensure that your security policies will do this, think of the firewall in terms of security layers, with each layer having a specific realm of operation. Figure 10-1 illustrates this layered view of the firewall. As you can see, the firewall is separated into four distinct components.

Figure 10-1. Firewall Security Layers

At the center is the firewall physical integrity layer, which is predominantly concerned with the physical access to the firewall. Consequently, you want to ensure that your security policies address issues related to gaining physical access to the device, such as through a hard console port connection.

The next layer is the firewall static configuration, which is predominantly concerned with access to the static configured software the firewall is running (for example, the PIX operating system and startup configuration). At this layer, your security policy needs to focus on defining the controls that will be required to restrict .