
The Bank Security Officer's Third-Party Risk Defence Playbook

$199.00

A focused course, tailored for you


How a bank Security Officer turns the vendor risk programme into something an examiner accepts on the first walk-through, with the artefacts already on the wall.

The exam follow-up letter names three vendors and a date. The evidence to defend the tiering, the SOC 2 carve-outs, the right-to-audit posture, and the substitute controls is scattered across five systems. The course gives you the artefacts the examiner reads, in the order they ask for them.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

The bank Security Officer sits between the third-party risk team, the line-of-business owners who actually use the vendor, the SOC 2 reviewers who read the bridge letters, and the regulator who wants the inherent-residual logic explained in plain English. When the IT exam follow-up letter arrives and names a handful of critical vendors that need a corrected risk view, the answer is not in one place. The inherent risk score lives in the GRC tool. The SOC 2 review notes live in the procurement team's mailbox. The data-classification mapping lives in a separate sheet maintained by the data office. The right-to-audit clause lives in legal's contract repository. The offboarding evidence for the vendor that was decommissioned last quarter lives nowhere consistent. Pulling that into a single defendable file for each named vendor takes a week of senior-analyst time and still leaves gaps.

The bank-side answer is not buying another GRC module. It is having a written method, an artefact set, and a board-ready summary that the Security Officer can produce for any vendor in any week, with the substitute-control reasoning already in writing.

What you walk away with

  • Produce a critical-vendor inventory with written tiering logic that an examiner can walk through on first request.
  • Write a SOC 2 carve-out memo per critical vendor naming the controls that fall back to the bank and the compensating evidence.
  • Run the right-to-audit clause from contract reference to invocation letter to received evidence to closure note in one repeatable cycle.
  • Build the concentration-risk view across cloud providers, core processors, and shared fintech partners that the board committee actually reads.
  • Produce the third-party section of the IT exam workpaper response without pulling the analyst team off operational work for a week.

The 12 modules

Module 1. What the FFIEC IT examiner reads first on third-party risk
The IT exam workpaper request list usually opens with the critical-vendor inventory, the tiering methodology, and the most recent SOC 2 reviews for the named vendors. This module walks through what the examiner actually opens, in what order, and what kind of answer earns a quick close versus a follow-up letter. Includes the four artefacts to have on the wall before the entrance meeting and the two questions that catch programmes that look complete on paper.
Module 2. Tiering critical vendors in language the examiner accepts
Inherent risk scoring, residual scoring, and the tiering logic that maps to FFIEC guidance on critical third parties. Covers the data-classification overlay, the regulatory-overlay logic for vendors handling NPI under GLBA, the concentration overlay for cloud and core processors, and the methodology document that explains the scoring to a reviewer who has never seen the bank's GRC tool. Includes a worked example for a cloud infrastructure vendor and a fintech payments partner.
Module 3. SOC 2 Type II review at the bank Security Officer level
Reading a SOC 2 Type II report for what matters at the bank, not what a junior analyst might tick off. Covers complementary user entity controls, sub-service organisation carve-outs, the bridge letter and what it actually attests to (a management representation that the control environment has not materially changed since the report period ended, not an auditor's opinion covering the gap), exception conclusions that need a follow-up question to the vendor, and the standing list of conditions that should trigger an out-of-cycle review. Includes the review template the bank's audit team has seen before.
Module 4. SOC 2 carve-outs and the compensating control memo
When a SOC 2 report uses the carve-out method, the sub-service organisation (the cloud provider underneath a SaaS vendor, for instance) is excluded from the report's scope, and the vendor's controls are described as relying on complementary sub-service organisation controls that nobody in that report has tested. Together with the complementary user entity controls the report already assigns to the customer, that leaves assurance gaps the bank has to close itself: either by obtaining and reviewing the sub-service organisation's own SOC report, or by naming a bank-side control that compensates. This module walks through how to write the compensating control memo that names each carved-out control area, the assurance the bank obtained or the bank-side control that compensates, the owner, and the evidence the bank holds. Includes a template memo for cloud infrastructure carve-outs and for managed-service carve-outs.
Module 5. Right-to-audit clause from contract to closure
Pulling the right-to-audit clause from the contract repository, deciding when invocation is proportionate, writing the invocation letter so legal does not slow it down, scoping the audit so the vendor cooperates, receiving evidence in a form the bank can store, and writing the closure note for the file. Includes the invocation-letter template and the receipt-and-closure template that the FFIEC examiner has accepted on prior reviews.
Module 6. Concentration risk across cloud, core, and shared fintech rails
Most large US banks now have meaningful concentration on a handful of cloud providers, one or two core processors, and shared rails for payments, identity, and fraud. This module covers how to build the concentration view in a single page for the board risk committee, how to write the substitute-arrangements narrative for each concentration, and how to evidence the resilience testing the examiner expects to see referenced. Includes the board one-pager template.
Module 7. GLBA Safeguards Rule applied to the vendor programme
The amended Safeguards Rule is the FTC's GLBA rule, and it names a qualified individual, a written information security programme, a risk-assessment cadence, and a service-provider oversight clause. It applies directly to FTC-supervised financial institutions; a bank under OCC, FDIC, or Federal Reserve supervision meets the same GLBA section 501(b) obligations through the Interagency Guidelines Establishing Information Security Standards, which carry a parallel service-provider oversight requirement and are what the examiner will actually cite. This module walks through how the third-party risk programme evidences each of those requirements under whichever rule applies when the regulator asks, including the qualified-individual designation memo, the WISP-to-vendor-programme cross-reference, and the service-provider oversight policy that holds up on read-through.
Module 8. OCC heightened standards expectations for third-party oversight
The OCC's heightened standards for large banks raise the bar on third-party risk programme governance, including independent risk function oversight, board-level reporting cadence, and risk-appetite mapping for vendor concentration. Covers how to write the third-party risk-appetite statement, how to evidence the independent challenge function, and how to present third-party metrics in the board risk committee package so they tie to the appetite statement.
Module 9. Offboarding a critical vendor with evidence the examiner can read
Vendor offboarding evidence is one of the most common gaps in IT exam findings, because operational teams move on once a vendor is replaced. Covers the data-return and data-destruction attestation, the access-revocation evidence, the contract-termination notice, the residual-data discovery cycle, and the closure memo that ties the offboarding back to the original tiering. Includes the offboarding evidence-pack template.
Module 10. Board risk committee third-party update that lands
The board risk committee third-party update should land in five minutes, not twenty. Covers the one-page format that names the critical vendors that moved tier this quarter, the SOC 2 reviews that surfaced something material, the right-to-audit invocations in flight, the concentration view, and the two issues the Security Officer wants the board to know about. Includes the deck slides and the speaker notes that survive cross-examination.
Module 11. Producing the IT exam workpaper response in a normal work week
The IT exam follow-up letter usually requests corrected workpapers within thirty days while the team is still running operational work. Covers how to triage which named vendors get a full re-review and which get a written gap-acknowledgement, how to assemble the corrected matrix without losing a week of analyst time, and how to write the examiner cover note that closes the loop. Includes the cover-note template and the response-pack assembly checklist.
Module 12. Building the standing operating method so this is not a fire drill
The Security Officer who is in firefighting mode every exam week is the one without a written method. Covers how to set the third-party programme operating cadence so the quarterly review is real, the SOC 2 receipt cycle has owners, the right-to-audit calendar is in writing, the board package is built once and updated quarterly, and the examiner's questions are answerable on the first walk-through. Includes the operating-cadence document and the role-and-responsibility matrix for the bank Security Officer's third-party function.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

The IT exam follow-up letter has named three vendors and the corrected workpapers are due in thirty days.
A critical vendor's SOC 2 Type II has a carve-out paragraph and the team has never written the compensating control memo.
The board risk committee asked for the concentration-risk view across cloud and core and the answer is in five different sheets.
The CISO asked whether the right-to-audit clause has ever actually been invoked on a critical vendor and the answer is not on file.

What you get with this course

  • Twelve written modules covering the bank Security Officer's third-party risk artefact set end to end.
  • Downloadable templates for the critical-vendor inventory, the SOC 2 compensating-control memo, the right-to-audit invocation letter, the offboarding evidence pack, and the board one-pager.
  • Worked examples drawn from cloud infrastructure, core-processor, and fintech-partner vendor situations a large US bank carries.
  • Hand-built implementation playbook tuned to your specific vendor concentration and exam history, delivered alongside course access.
  • Text-based course in the Art of Service learning environment, accessible from desk or browser.
  • 30-day money-back guarantee on the course.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours of purchase, the learning environment account is provisioned and course access is live.

The hand-built implementation playbook tuned to your specific vendor concentration is delivered alongside course access.

Working through the twelve modules at a self-paced cadence typically takes a Security Officer four to six working sessions.

Templates are downloadable from module one onward.

Before and after

Before

The exam follow-up letter arrives, the team pulls a week of senior-analyst time off operational work, the corrected matrix is built late, and the SOC 2 carve-out compensating controls are written ad-hoc per vendor with inconsistent reasoning.

After

The critical-vendor inventory, tiering logic, SOC 2 carve-out memos, right-to-audit calendar, and board one-pager exist as standing artefacts. The exam follow-up letter is answered in a normal work week. The board risk committee third-party update is five minutes and lands.

What happens if you do not address this

Repeat exam follow-up findings on third-party programme adequacy compound. Once the regulator writes the same finding twice, the next conversation moves up the supervisory ladder. The cost of getting the artefact set in writing once is two weeks of focused work. The cost of repeat findings is the Security Officer's standing with the supervisory team and the board.

Who it is for

A bank Security Officer or Information Security Officer at a large US bank who owns or co-owns the third-party risk programme, sits across from the FFIEC IT examiner during exam weeks, briefs the board risk committee on vendor concentration and cyber posture, and is accountable when a critical vendor SOC 2 review is late or a SOC 2 carve-out has not been compensated for. Likely reports to the CISO or directly to the Chief Risk Officer. Reviews vendor risk decisions weekly. Signs off on the critical-vendor list quarterly.

Who this is NOT for. Not for the GRC analyst who fills the vendor risk spreadsheet but does not own programme decisions. Not for security engineers who run the SOC. Not for compliance officers focused on BSA, AML, or consumer compliance, where the regulator and artefacts are different. Not for community banks under $10 billion in assets where the third-party programme is a single shared spreadsheet; the modules here would over-engineer that situation.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Four to six focused working sessions for a Security Officer working through the material at a normal cadence. Templates are usable from module one, so the operating-cadence improvements can start immediately rather than waiting for course completion.

Why $199 is the right number

Free FFIEC IT Handbook guidance and OCC bulletins cover the regulatory expectations but stop at the principle level and do not give you the artefact templates. Generic GRC vendor training covers tool mechanics but not the bank Security Officer's defendable method. A consulting engagement to rebuild the third-party programme costs in the high five figures and leaves the bank dependent on the consultant for the next exam cycle. This course gives the Security Officer the written method and the artefact set to own the programme without the dependency.

FAQ

Does this cover community-bank-sized third-party programmes?
The artefact set is built for a large US bank's third-party programme with critical-vendor inventory, SOC 2 carve-out memos, right-to-audit invocation cycles, and board-committee reporting. A community bank under $10 billion in assets running a single shared spreadsheet will find some modules over-engineered for the situation.
How tailored is the implementation playbook?
The playbook is hand-built per buyer once enrolment is confirmed. It is tuned to the specific vendor concentration profile, the exam history, and the regulatory overlay that applies to the bank. It is not a generic template with the bank's name inserted.
Is this aligned to a specific regulator's guidance?
The modules cross-reference FFIEC IT Handbook outsourcing guidance, OCC heightened standards expectations on third-party oversight for large banks, the amended GLBA Safeguards Rule, and SOC 2 Type II review practice. The artefact templates are written in language those examiner teams have accepted on prior reviews.
What if our GRC tool is different from what the course assumes?
The course is tool-agnostic. The methodology, artefacts, and templates work in any GRC tool the bank runs, and several of the templates are designed to live outside the GRC tool entirely, in the file structure the examiner walks during an on-site review.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.