The NAC rollout started with the contractors because if anything went wrong, it wouldn't disrupt the main line of business.
"Thankfully we didn't break anything," Spinelli says.
About 60 days later, the company started a nine-month NAC deployment for Equifax employees, starting at headquarters and progressing country by country.
Before turning on the enforcement of NAC policies, Equifax ran the gear in monitor mode to discover how many machines were noncompliant and to fix them. That avoided the problem of locking hundreds or thousands of employees out the first day and crippling their ability to do their jobs, Spinelli says.
The monitoring discovered cases of outdated versions of Pointsec (now Check Point Software) hard-drive encryption software that was a mandatory part of desktop images, Spinelli says. There were even some cases of the software inadvertently still installed in pilot mode, he says.
"NAC is a fail-safe control as we put it in," Spinelli says. "We feel confident we are promulgating the right set of security policies, but without NAC I'm not sure how comfortable I would be saying we've got Equifax covered. We're very confident now."