No Budget, No Policy: Leading the Bull by the Nose or Thank God for the Cisco IOS Firewall Feature S

As much as we'd like to think, everyone else is as security conscious as the SANS' community, that's just not the case. I know, I come from one such organization. We are a small to mid size with approximately 90 users. One of our smaller programs secured a federal grant to do some work with HIV positive clients (HIPAA driven). Part of the grant requirements require network security be implemented to protect client identifiers. I was the network administrator at the time and our organization immediately decided to include 'network security' as part of my job description. I was sent to my first SANS conference (this was suggested by the grant proposal guidelines). There I got a real taste of security and what it means. Among the many things that were hammered into us at the conference was: you need CEO (top management) buy-in and that you have to do a 'needs assessment' and turn that into a security policy.