Skip to main content
Image coming soon

The Bank Security Manager's FFIEC and OCC Evidence Playbook

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

The Bank Security Manager's FFIEC and OCC Evidence Playbook

Walk into the next FFIEC IT exam with control evidence, third-party assurance, and incident response artefacts already mapped to the booklet questions examiners ask.

The FFIEC IT exam request list lands, the booklet questions don't line up to how your control inventory is structured, and you are the person who has to translate.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

A bank security manager sits between the SOC, the IAM team, vendor risk, the BCP owner, and the audit liaison. When the FFIEC examiner or the OCC heightened-standards review opens, the request comes back as booklet questions, not as the control IDs in your GRC tool. The Information Security booklet asks about authentication strength and privileged access in a specific shape. The Architecture booklet asks about segmentation and change management in another shape. The BCM booklet asks about resilience testing and recovery time in a third shape. Internal audit asks for control narratives, ERM asks for residual risk, and the board pack asks for a heat map. Same evidence, four different translations, and you are doing all four under deadline. The friction isn't a missing control. It's the translation work, and it lands on you every cycle.

What you walk away with

  • A control-to-booklet-question crosswalk for FFIEC Information Security, Architecture, and BCM booklets, prefilled with the artefact and the owner.
  • A third-party concentration view that answers the OCC's heightened-standards question on critical service provider dependency in one page.
  • A resilience-testing summary template that closes the loop from scenario to RTO to recovery evidence in the language the BCM booklet uses.
  • An incident severity and notification matrix aligned to GLBA Safeguards Rule notification thresholds and the OCC's prompt notification expectation.
  • A SOX IT general controls and GLBA Safeguards overlay so the same control evidence answers both the financial audit and the security supervision request.

The 12 modules

Module 1. The FFIEC booklet question map
Walk through every question class in the FFIEC Information Security, Architecture, and Business Continuity Management booklets that an IT examiner is likely to ask, group them by evidence type, and produce a one-page index that says which control owner answers which question with which artefact. The artefact is a working spreadsheet keyed to the booklet sections, not a narrative document.
Module 2. OCC heightened standards translation
Take the OCC's heightened-standards framing on independent risk management, front-line accountability, and audit, and translate the language into the same evidence the FFIEC questions already pull. The output is a side-by-side that lets the security manager respond to either supervisor with one underlying control inventory rather than two.
Module 3. Authentication and privileged access narrative
Build the control narrative for authentication strength across customer channels, employee workforce, and privileged administrators, in the shape the Information Security booklet asks. Include the MFA exception register, the privileged-access recertification cadence, and the break-glass account log as named artefacts that ride alongside the narrative.
Module 4. Segmentation and architecture evidence
Produce the segmentation diagram and the change management evidence the Architecture booklet calls for, scoped to a multi-line-of-business bank network. Include the boundary inventory, the high-risk zone definition, and the change advisory board minutes pattern that demonstrates the control is operating, not just designed.
Module 5. Third-party and critical service provider concentration
Build the third-party risk view the OCC heightened-standards reviewer asks for: who are the critical service providers, what is the concentration risk by line of business, what is the SOC 2 or alternative assurance position for each, and where are the contractual right-to-audit and exit clauses. The deliverable is a single page that pre-answers the supervisor's likely follow-up.
Module 6. Resilience testing and the BCM booklet
Map the bank's resilience testing programme to the Business Continuity Management booklet's expectations, including the scenario library, the tabletop frequency, the recovery-time objective documentation, and the post-test action register. Produce the summary template that lets the security manager hand the examiner one document that closes the BCM evidence loop.
Module 7. Incident response and GLBA notification
Build the incident severity matrix, align it to the GLBA Safeguards Rule customer notification thresholds, and document the OCC prompt-notification path. Include the runbook excerpt the examiner expects to see, the after-action template, and the trend report the security manager takes to the operational risk committee.
Module 8. Vendor SOC 2 and alternative assurance
Handle the case where the critical vendor provides a SOC 2 Type 2, the case where they provide an ISO 27001 certificate, and the case where they provide neither. Build the alternative assurance worksheet, the gap log, and the compensating control argument the security manager presents to vendor risk and to the examiner when assurance is incomplete.
Module 9. SOX IT general controls and GLBA overlay
Produce the crosswalk that lets the same control evidence answer the SOX IT general controls testing the external auditor performs and the GLBA Safeguards Rule expectations the supervisor reviews. The artefact is a shared evidence library map so the security manager's team doesn't run two parallel evidence collection cycles for the same controls.
Module 10. The board and ERM heat map translation
Turn the control evidence and supervisory feedback into the heat map the board's risk committee wants to see and the residual risk language the enterprise risk function wants to consume. Include the dashboard skeleton, the residual-risk scoring guide, and the talking points the security manager uses when the board chair asks the obvious follow-up.
Module 11. Exam preparation rhythm and the request list response
Set up the pre-exam, in-exam, and post-exam rhythm so the request list doesn't trigger a firefight every cycle. Include the document request log template, the response-quality review pattern, the exit-meeting note structure, and the management response register that closes the supervisory feedback loop within the deadline the OCC sets.
Module 12. The security manager's continuous evidence library
Stand up the continuous evidence library so the next FFIEC IT exam or OCC review draws from a maintained set rather than an emergency rebuild. Include the ownership map, the freshness cadence, the artefact-retirement policy, and the handoff pattern when the security manager rotates or hands off a business-line account during the cycle.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

The FFIEC IT exam request list arrives and the response window is four weeks.
The OCC heightened-standards reviewer asks for the critical service provider concentration view by Friday.
The internal auditor asks why the same control answers SOX ITGC and GLBA differently.
The board risk committee asks for a one-page heat map ahead of the next meeting.

What you get with this course

  • Twelve written modules with worked examples drawn from US bank supervisory practice.
  • Downloadable templates: FFIEC booklet question map, OCC concentration view, GLBA notification matrix, BCM resilience summary, SOX ITGC overlay.
  • The hand-built implementation playbook tuned to a bank security manager covering a multi-line-of-business book.
  • Thirty day money-back guarantee.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Module 1 through module 4 are the first week of work. The crosswalk artefact is finished by end of week one.

Modules 5 through 8 are the second and third week, focused on third-party, resilience, incident response, and vendor assurance artefacts.

Modules 9 through 12 are the fourth and fifth week, focused on overlay, board translation, and the continuous evidence library.

Before and after

Before

Every exam cycle, the security manager rebuilds the evidence library under deadline, translates the same controls into three different supervisory frames, and absorbs the request-list firefight as a personal calendar problem.

After

The control inventory, the third-party view, the resilience summary, the incident matrix, and the SOX-GLBA overlay are maintained between cycles. The request list maps to a maintained artefact set. The security manager runs the exam, instead of the exam running the security manager.

What happens if you do not address this

Without the translation layer, the next FFIEC IT exam or OCC review eats four weeks of the security manager's calendar, the supervisory feedback shows up as a finding that lands on the board pack, and the next cycle starts from the same standing position rather than building forward.

Who it is for

Security manager at a US national or regional bank, accountable for the security control story across multiple business lines (retail, commercial, wealth, treasury services). Reports into a CISO or Information Security director. Owns or coordinates the response to FFIEC IT examiners, OCC heightened-standards reviewers, internal audit, and ERM. Has SOC, IAM, vendor risk, and BCP owners as peers or direct reports. Familiar with NIST CSF, FFIEC booklets, OCC guidance, SOX IT general controls, and the GLBA Safeguards Rule.

Who this is NOT for. Not for a SOC analyst looking for detection engineering content. Not for a CISO setting strategy. Not for someone outside US bank supervision, since the artefacts are tuned to FFIEC and OCC frames specifically.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Roughly five to seven hours per module, spread across a five-week working schedule, with the templates designed so the security manager applies the module to a live artefact rather than holding the learning separately from the work.

Why $199 is the right number

Big4 advisory engagements covering FFIEC exam preparation run into six figures and leave the bank with a deck rather than a maintained artefact set. Generic GRC tooling holds the controls but doesn't produce the supervisory translation. Free FFIEC IT Examination Handbook material is canonical but doesn't carry the worked artefacts a security manager needs to respond inside the deadline.

FAQ

Does this cover credit union supervision or only national bank?
The artefacts are tuned to OCC supervision for national banks and to FFIEC for the broader US bank cohort. A credit union security manager will recognise the FFIEC content but the NCUA-specific framing is not the primary lens.
Is this a substitute for the CISO's strategy work?
No. This is the security manager's translation and evidence layer. The CISO strategy work sits above it and consumes the artefacts as input.
How does the hand-built implementation playbook differ from the templates?
The templates are generic to a US bank security manager role. The implementation playbook is tuned to the buyer's specific business-line mix, examiner cadence, and critical vendor inventory after the purchase confirmation.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.