Starting on page 42 of the FFIEC IT Examination Handbook is a definition of what a Firewall Policy should look like. Below is an excerpt:
"At a minimum, the [firewall] policy should address
* Firewall topology and architecture,
* Type of firewall(s) being utilized,
* Physical placement of the firewall components,
* Monitoring firewall traffic,
* Permissible traffic (generally based on the premise that all traffic not expressly allowed is denied, detailing which applications can traverse the firewall and under what exact circumstances such activities can take place),
* Firewall updating,
* Coordination with security monitoring and intrusion response mechanisms,
* Responsibility for monitoring and enforcing the firewall policy,
* Protocols and applications permitted,
* Regular auditing of a firewall’s configuration and testing of the firewall’s effectiveness, and
* Contingency planning."
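Two of the items above lend themselves to a concrete check: the "all traffic not expressly allowed is denied" premise under permissible traffic, and the regular auditing of the firewall's configuration. The following is an added example, not from the handbook or from any firewall vendor: it models a rule set as an ordered, first-match list with a default action, then audits it for a non-deny default, allow rules with no documented application or owner, blanket allow-any rules, and rules shadowed by an earlier rule. The rule fields, the two sample policies, and the network ranges (RFC 5737 documentation and RFC 1918 space) are all constructed for illustration.

```python
"""Constructed firewall-policy audit: first-match rules plus a default action."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port; None means any port
    application: str = ""  # the application this rule exists for (policy asks for it)
    owner: str = ""        # the party responsible for the rule

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        """Does a single packet (src, dst, proto, dport) hit this rule?"""
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and self.dport in (None, other.dport))


@dataclass
class Policy:
    rules: List[Rule]      # ordered; the first matching rule wins
    default_action: str    # applied when no rule matches

    def evaluate(self, src: str, dst: str, proto: str, dport: int) -> Tuple[str, Optional[Rule]]:
        """Return (action, matching rule) for a packet; (default, None) if nothing matches."""
        for rule in self.rules:
            if rule.matches(src, dst, proto, dport):
                return rule.action, rule
        return self.default_action, None


def audit(policy: Policy) -> List[str]:
    """Findings a policy review would raise; an empty list means the checks pass."""
    findings = []
    if policy.default_action != "deny":
        findings.append(f"default action is '{policy.default_action}'; "
                        "the policy premise requires a default of deny")
    for i, rule in enumerate(policy.rules):
        if rule.action == "allow":
            if not rule.application:
                findings.append(f"rule {i}: allow rule does not name the application it permits")
            if not rule.owner:
                findings.append(f"rule {i}: allow rule has no responsible owner")
            if rule.proto == "any" and rule.dport is None:
                findings.append(f"rule {i}: allow rule permits any protocol and port "
                                f"from {rule.src} to {rule.dst}")
        # A rule fully covered by an earlier rule can never match (shadowing).
        for j in range(i):
            if policy.rules[j].covers(rule):
                findings.append(f"rule {i} is shadowed by rule {j} and never matches")
                break
    return findings


# Constructed sample networks (documentation and private ranges).
INTERNET = "0.0.0.0/0"
DMZ_WEB = "192.0.2.10/32"
INTERNAL = "10.0.0.0/8"
ADMIN_NET = "10.10.0.0/24"

# A weak policy: undocumented allow-any, a shadowed deny, and a default of allow.
WEAK_POLICY = Policy(
    rules=[
        Rule("allow", INTERNET, INTERNET, "any", None),
        Rule("deny", INTERNET, INTERNAL, "tcp", 23),
    ],
    default_action="allow",
)

# The same intent expressed as default-deny with documented, narrow allows.
HARDENED_POLICY = Policy(
    rules=[
        Rule("allow", INTERNET, DMZ_WEB, "tcp", 443,
             application="public web portal", owner="web team"),
        Rule("allow", ADMIN_NET, DMZ_WEB, "tcp", 22,
             application="server administration", owner="infrastructure"),
        Rule("deny", INTERNET, INTERNAL, "any", None,
             application="block unsolicited inbound", owner="security"),
    ],
    default_action="deny",
)

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {audit(policy) or ['no findings']}")
    print(HARDENED_POLICY.evaluate("203.0.113.5", "192.0.2.10", "tcp", 22))  # default deny
```

Running the script lists five findings for the weak policy and none for the hardened one, and shows that an SSH attempt from the internet to the DMZ host falls through to the default deny while the same connection from the admin network is allowed. The audit function is the piece to keep in mind for the "regular auditing" item: it turns the written policy requirements (default deny, documented applications, a responsible owner) into checks that can run against a rule export on a schedule.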