Manager of network security. Yep, that is what it says on my door. Of course, like many IT experts, I wear many hats, but network security????? You tell me. I was hired to evaluate vulnerabilities, assess and implement solutions. Wow, where to start. This was a 300-400 user network in one building running token ring on a wide-open class A network with unmanaged switches. There was no logging, no protection, no licensed OSes (yeah, all 300+ were hacked) and I was told I could not require anyone to have passwords on their desktop, as it was asking too much to make people remember their passwords.
Well, that should have told me right away I was in trouble.
As I progressed, I discovered other little nuggets, such as tape backups were left outside the back door for the off-site security guy to pick up without having to bother IT. I was successful in getting them to realize the stupidity of this, but that was about it. Luckily, the accounting department realized they needed passwords for security. GO ACCOUNTING. It was good to know that the payroll data, social security numbers, and credit cards were at least password-protected. I felt relatively safe until I realized the payroll clerk was backing up all of that data to CDs every week and taking them home with no passwords or encryption. I discussed the problem with Accounting to let them know they were defeating their own security. They agreed it was a problem but didn't trust the network tape backups. WHY?? No one knows. So I came up with a better solution. I convinced them to move the data from the payroll clerk's PC to the network, where it could be backed up and safe, only to discover weeks later that she was backing up the data to an external drive to take home to work on, backing up to CD (yep, still) and leaving a copy on her PC in case all of the others get corrupted.
So, here's the deal. Now there are four copies, not synced up, two of which are God knows where with the payroll clerk (yep, no passwords or encryption). But somehow, the accounting people feel "safer" this way.
I need a new job (and perhaps a lawyer).
After 18 months I was informed I would be implementing a new Exchange server (here we go again). The e-mail had thus far been housed on an AS/400 with simple SMTP mail in and out. No storage or logging, but it worked and there was no downtime. After starting on the Exchange server, the plan was changed mid-stream no less than four times. It is now almost 2 years later and still no Exchange server. I have it all configured and ready to roll. It is sweet. There is a front-end server (to serve Web mail when users are not in the office) tied in to Active Directory for authentication on the back end. I tell you, it is sweet.
Oh wait, did I forget to mention I am not allowed to ask users to use passwords? So, after testing, I will be asked to roll an e-mail server live to the world with more than 400 user profiles tied to Active Directory with no passwords. I now know it is time to find another job. This ship is sinking fast. I will keep you posted.