[unisog] AUPs re FTP and Telnet

William Yang wyang at gcfn.net
Fri Jul 6 12:27:28 GMT 2007

Kevin Lanning wrote:
> Would appreciate references to Appropriate Use Policies regarding 
> restriction of FTP and Telnet.

Here's one general approach, speaking as the person who (before becoming a 
consultant) used to be in charge of security policy for a public sector 
entity (tens of thousands of employees, similar numbers of Internet 
connected devices, thousands of servers, millions of constituents).

Before deploying [service], identify AND DOCUMENT major threat vectors and 
assess the overall risk to the organization (decide whether you want this 
done internally or externally).  Justify, to the satisfaction of the 
[person/entity] responsible for the security of the 
[unit/department/college/university], accepting these risks based on the 
value provided by providing [service].  Identify appropriate ways to shift 
some portion of the cost of responding to an incident to the responsible 
parties, such as [billing response time/fine/public flogging/etc].

This general formula works really well and improves over time, as the 
responsible parties gain experience and expertise in security assessment.

Major elements that will make this work:

1)  Documentation trail must exist
2)  Risk assessment must occur prior to deployment of new service
3)  Justification to a neutral third party is involved
4)  Consequences of security failure go to the "right" parties.

Stock documentation will quickly exist for common services, especially if 
you keep an online archive.

You don't need flowery language or a complicated policy stance.  Keep it 
simple and readable.

Even in the absence of central control, using this in a self-enforced 
method leads to real improvements over time.

William Yang
wyang at gcfn.net

