When it comes to information security, no amount of help is too small. That is why Thomas Vartanian, Robert Ledig and Mark Fajfar -- attorneys with New York-based law firm Fried, Frank, Harris, Shriver & Jacobson -- authored the "Banker's Pocket Guide to Information Security."
The booklet -- which literally is small enough to fit in a pocket -- is designed to provide bankers with the essentials of IT security in an easy-access format. According to Fajfar, a special counsel resident in the firm's Washington, D.C., office, the guide fills a large hole in the financial services industry -- the gap between the breadth of regulatory guidance and legal precedents that could be applied in the field of information security, and "the feeling that there is little learning in this area," as expressed by the firm's clients and others. "We felt that by laying out the basic guidance in a succinct fashion, all parties could see that, in fact, thought has been given to the difficult issues, and resources are available in crafting a sensible approach to information security questions," Fajfar explains.
Since directives in this area are somewhat scattered and the topic has such broad scope, Fajfar says, the "Pocket Guide" was created to lay out the fundamentals of sound data security processes. Included in the guide is a summary of the laws as they relate to information security, tips on how to implement smart IT security policies and suggestions on how financial institutions should handle third parties that have access to their data.
The booklet primarily is targeted at upper to middle managers in banks -- those responsible for laying out security policies. According to Fajfar, he and the other authors purposely avoided discussing "precise technical standards" and instead opted to take the approach of regulators, who typically speak to policies and procedures. "We are trying to assist bank management in deciding where to invest their time and attention by highlighting those factors that will be relevant to the ... third parties who will be examining their information security procedures," he remarks.
Fajfar adds that although the book is essentially a summary of relevant regulatory guidance, the authors extracted certain themes to help readers more fully understand the origins of particular guidelines. "It is much easier to comply with a rule once one understands where it came from and what the rule maker hopes to achieve from the rule," he explains.
In addition to updating the "Pocket Guide" periodically, the authors also will make more-timely information available on the firm's Web site, www.ffhsj.com, Fajfar notes.