Create two policies—one for web server software and one for web browser clients. Remember, you are writing policies, not procedures. Focus on the high-level tasks, not the individual steps.
Use the following as a guide for both policies:
Type of application software
Description of functions this software should allow
Description of functions this software should prohibit
Known vulnerabilities associated with software
Controls necessary to ensure compliance with desired functionality
Method to assess security control effectiveness