Sprint stresses tailored solutions for security

When it comes to information security, one size doesn't fit all. The commercial world has already learned that lesson, security experts say, and they want to instill it in the federal government.

Sprint's E-Solutions security group, for example, is pushing the idea that security is an intrinsic part of a system, and standardized solutions are not always best.

"The hard part is making sure you know what you need," said Dale Bachman, security practice manager for Sprint E-Solutions.

Customers tend to want the latest "hot" security technology and often fail to consider whether it is necessary for achieving their mission, he said.

The Office of Management and Budget's Circular A-130 says federal efforts should be as "stringent as necessary to provide adequate security." But John Gilligan, co-chairman of the CIO Council's security committee, has said that many administrators have difficulty determining what is adequate.

Before putting security technologies and policies in place, agency officials need to assess the threats the agency might face, the vulnerability of systems and the amount of risk a program can withstand, Bachman said.

Sprint starts by looking at an organization's "business drivers," said Robert Robinson, security/privacy practice principal at Sprint. For agencies, drivers include the objectives of particular programs, the types of information being exchanged, who needs access to the information, and the various laws, policies and guidelines that affect how an agency does business.

In January, the CIO Council, the Chief Financial Officers Council and the Information Technology Association of America issued "Securing Electronic Government," an overview of e-government security challenges and possible solutions. The document highlights the various areas within a program where security plays a role, such as authentication and confidentiality. Through examples, the guide shows how different objectives and policies can result in different levels of risk and vulnerability for two programs that face the same security threats.

Sprint officials use a similar process when they develop a Security Architecture Blueprint for a customer. Although a standard procedure guides development of the blueprint, each is tailored for a particular client's needs.

"Their blueprint can't be the same as even the guy next to them, because they may have the same business, but they have different drivers," Robinson said.
