Part 1: Develop and submit, before the deadline, a basic written security policy documenting a business's end-user requirements for network security as it applies to inbound/outbound network communications at the firewall. This document is not to be a list of ACLs. Your policy should include a short introduction of the business, at least 7 individual policy statements that can be implemented at the firewall, and 3 policy statements where you feel the risk is acceptable and that will not be implemented. For each accepted risk, include a description of what can happen by not implementing the rule, along with your estimate of the Annualized Loss Expectancy (ALE) for accepting that risk.

If you choose to develop your policy based on your employer or another business, obtain their permission before documenting their requirements. If you are not employed, your employer does not provide you authority, or you do not want to use your employer as your source, the alternative is to consider yourself just hired at Acme, Inc. to start up their Information Assurance team. Acme, Inc. is a startup company that has an on-line storefront with:

5 employees who have web access. Management thinks they spend too much time on Instagram and is not sure if they spend too much time on Facebook. The company has a Facebook site, but only one person in marketing is authorized by management to access, respond to, and update it. All other personal access to social media is not allowed per the company handbook.
A publicly facing web server in a DMZ that contains the customer catalog and is accessed from the internal network via SSH for catalog updates. There is no on-line ordering at this point.