When it comes to information security, no amount of help is too small. That is why Thomas Vartanian, Robert Ledig and Mark Fajfar, three attorneys with New York-based law firm Fried, Frank, Harris, Shriver & Jacobson (www.friedfrank.com), authored the "Banker's Pocket Guide to Information Security."
The booklet, which is literally small enough to fit in your pocket, is designed to provide bankers with the essentials of IT security in an easy-access format. According to Mark Fajfar, a special counsel resident in the firm's Washington office and co-author, the guide fills a large hole in the financial services industry: the gap between the breadth of regulatory guidance and legal precedents that could be applied in the field of information security, and "the feeling that there is little learning in this area," as expressed by Fried Frank's clients and others. "We felt that by laying out the basic guidance in a succinct fashion, all parties could see that, in fact, thought has been given to the difficult issues, and resources are available in crafting a sensible approach to information security questions," Fajfar explains.
Since directives in this area are somewhat scattered, and since the topic has such broad scope, Fajfar says the Pocket Guide was created to lay out the fundamentals of sound data security processes. "We thought it would be productive to begin with first principles in order to lay out a sensible approach for banks that would take into account the guidance that is available and would be adaptable as the guidance is refined," he says.
The book is primarily targeted at upper-to-middle managers in banks, those responsible for laying out security policies. Fajfar says the authors purposely avoided discussing "precise technical standards" and instead opted to take the approach of regulators, who typically speak to policies and procedures. "We are trying to assist bank management in deciding where to invest their time and attention, by highlighting those factors that will be relevant to the regulators, auditors ... and other third parties who will be examining their information security procedures," he remarks.
Fajfar says that although the book is essentially a summary of relevant regulatory guidance, the authors extracted certain themes to help readers more fully understand the origins of particular guidelines. "It is much easier to comply with a rule once one understands where it came from and what the rule-maker hopes to achieve from the rule," he says.
In addition to updating the Pocket Guide periodically, the authors will also make more timely information available on the firm's Web site, Fajfar notes.