What is required regarding firewall management policies?

• A. Firewall policies should be informal and not widely shared.
• B. Documentation is optional.
• C. Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties.
• D. Only the network team needs to know them.

Answer: (C)

The main idea is governance and accountability for firewall management. You need formal, documented security policies and operational procedures for managing firewalls, and these documents must be in use and known to everyone affected. This ensures there is a consistent approach to configuring, changing, monitoring, and enforcing firewall rules, and that those who rely on or implement these controls understand what’s expected, how to request changes, and who approves them. Without documented, widely shared policies, practices become ad hoc and harder to audit or enforce. Informal or optional documentation, or limiting knowledge to just the network team, undermines control, accountability, and the ability to respond consistently across the organization.