If you spend much time with teenagers, you know they use a special version of the English language. A few months ago, I was introduced to the term "on fleek." Personally, I never liked it, but by the time I worked up enough courage to use the term in a conversation, I was informed, "Alyssa, 'on fleek' is so last year. Now, we say 'lit'." (Rolling my eyes here.) While both terms can be used to describe something "awesome," I tell you this to emphasize how difficult it can be to understand another language.
In September 2016, the FFIEC released an update to their IT Examination Handbook, Information Security Booklet. As I began to read through the Booklet, at first, it seemed like the FFIEC had written something completely new. From risk appetite, to information security officers, to bizarre buzzwords (e.g., taxonomy, security culture, event trees, escalation, middleware, etc.), the booklet seemed to be written in a completely different language.
But was it a different language? Well, yes and no. Yes, the FFIEC did use new and complicated terminology, but no, the Booklet is not impossible to understand. It just needs to be interpreted. The concept of interpretation is simple: absorb a seemingly new concept, apply your existing knowledge, and present the idea in a different way.
While you may not feel like you have the skills necessary to interpret guidance, I am here today to tell you: Yes, you do. Interpretation never takes place in a vacuum. You have history, experience, context clues, and connections with other professionals to guide your thinking. All of these resources make you the perfect person to interpret the Booklet for you.
Let's use an example. In the Booklet, the FFIEC included a paragraph in section II.C.13(e) titled "Rogue or Shadow IT." While the title certainly sounds interesting, it's not commonplace terminology. If an examiner asked you, "Have you addressed Rogue or Shadow IT in your policies?" you may be inclined to say no, if you don't understand the term.
When confronted with an unfamiliar expression, the first thing you should do is ask, "What is it?" and resolve to find out. Use your resources. Google. Do whatever you need to find "it" out. In this case, the FFIEC gave us a good working definition and some examples in the booklet. In short, Shadow IT is "unsanctioned or unapproved IT resources (e.g., online storage services, unapproved mobile device applications, and unapproved devices)."
Once you crack the cipher, consider what the author wants you to do. Do you know of any personal "online storage services" your employees may use? You should and if you don't, research some more. For the purpose of continuing this discussion, "online storage services" includes things like Dropbox or OneDrive. If only there was a place you could instruct employees to not use unapproved bank resources.
Lucky for you, there is such a place and regardless of whether you're a Teller or a CEO, you should be familiar with it: the Employee Acceptable Use Policy. Look at your policy. You likely already have some policy language about what employees can and cannot use with regard to Shadow IT, even if you didn't know the proper name for it.
So, before you begin to write up several new policies, first try interpreting the Booklet. If you can take a new concept and apply what you know, often topics that appeared foreign become familiar. More than that, the ability to interpret shows you understand ideas presented in the Booklet and not just the language itself.
Did you know the new booklet uses the words "should" and "may" 522 times? This leaves a lot of room for interpretation, if you ask me. As long as you do not directly disregard guidance or regulation, don't be afraid to interpret. Ask questions. Find answers. Enhance and defend your program. Think outside the box and with a bit of confidence, your Information Security Program is going to be "lit."
Alyssa Pugh is a Security+ certified Tandem Software Support specialist for CoNetrix. Tandem is a security and compliance software suite designed to help financial institutions develop and maintain their Information Security Programs. To learn about how CoNetrix can help you, visit our website at www.CoNetrix.com or email info@CoNetrix.com.
