Recovering From a Failed Security Audit - A Case Study

Published: 19 Jun, 2003
Created by: Wayne Fielder

In the spring of 2001, my pride was shattered when an independent auditor revealed a number of basic security problems with the network for which I am the Senior Network Administrator, including passwords and SNMP services with vendor-default public and private strings. Further internal investigation revealed many security and behavioral issues within the Agency (the term I will use for my employer throughout this document), including anonymous FTP accounts enabled, no written policies, and sensitive data being mishandled. This case study opens with recognition of the security and privacy issues within the Agency and walks through the process of remediation, securing the use of sensitive data, development and implementation of strong policies, and initiating a solid monitoring system at very low cost due to a deteriorating budget scenario. The results of our efforts made for a much more secure environment as well as increased productivity for the users.