BOL Conferences
#1002116 - 07/22/08 08:09 PM Fire wall policy help
CUgirl Offline
Gold Star
Joined: Jul 2003
Posts: 314
South Mississippi
We were just audited by State Banking Comm and they want us to write a "Firewall Policy" and add it to our Security Policy. Does anyone have one I could look at, or can you point me in that direction? Thanks
_________________________
May all your pains be Champagne!!

Risk Management
#1002220 - 07/22/08 09:58 PM Re: Fire wall policy help CUgirl
Russ Horn Offline
100 Club
Joined: May 2008
Posts: 139
Starting on page 42 of the FFIEC IT Examination Handbook is a definition of what a Firewall Policy should look like. Below is an excerpt:

"At a minimum, the [firewall] policy should address
* Firewall topology and architecture,
* Type of firewall(s) being utilized,
* Physical placement of the firewall components,
* Monitoring firewall traffic,
* Permissible traffic (generally based on the premise that all traffic not expressly allowed is denied, detailing which applications can traverse the firewall and under what exact circumstances such activities can take place),
* Firewall updating,
* Coordination with security monitoring and intrusion response mechanisms,
* Responsibility for monitoring and enforcing the firewall policy,
* Protocols and applications permitted,
* Regular auditing of a firewall’s configuration and testing of the firewall’s effectiveness, and
* Contingency planning."
Last edited by Russ Horn; 07/22/08 09:59 PM.
_________________________
Russ Horn, CISA, CISSP, CRISC
CoNetrix
rhorn@conetrix.com

#1002391 - 07/23/08 12:41 PM Re: Fire wall policy help Russ Horn
CUgirl Offline
Gold Star
Joined: Jul 2003
Posts: 314
South Mississippi
Thank you so much... that gets me started in the right direction.
_________________________
May all your pains be Champagne!!

#1002822 - 07/23/08 05:27 PM Re: Fire wall policy help CUgirl
Dazed and Confused Offline
Gold Star
Joined: Feb 2006
Posts: 250
Big XII South
If you do a Google search for "firewall policy" ... you will find a lot of example firewall policies (for free) that are posted by educational institutions and state/local governments. Also, you should find some archived articles by technology websites (i.e. searchsecurity.techtarget.com) that provide suggestions on firewall policy content -- of course, you will need to modify any policy examples and suggestions to fit your IT environment.


Moderator:  Andy_Z