Skip to main content
Image coming soon

The Bank Security Officer Vendor Exception Playbook

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

The Bank Security Officer Vendor Exception Playbook

Decide vendor onboarding when the SOC 2 is qualified, the business has a deadline, and the OCC will read your notes.

The qualified SOC 2 Type 2 is on your desk, the business sponsor has a release date, and the file you write decides whether the relationship clears risk committee.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Security Officers at large regulated banks live in the gap between a SaaS vendor's audit opinion and a line of business that has already signed a statement of work. The SOC 2 has a qualified opinion on change management. The penetration test is twelve months old. The vendor's sub-processor list grew since the last review and now includes an offshore engineering team in a jurisdiction your data residency policy does not cleanly cover. The relationship manager wants a decision by Friday. The risk-committee deck is due the week after. The OCC examiner's next sweep will pull a sample of your third-party files and read the residual-risk rating, the compensating-control register, and the exception memo against the bank's own policy. The course is the file you write when all four of those things are true at once.

What you walk away with

  • Write a residual-risk rating worksheet that survives an OCC sample.
  • Build a compensating-control register that maps to FFIEC CAT domains.
  • Draft an exception memo a Chief Risk Officer will sign without rework.
  • Set re-review triggers tied to vendor change events, not calendar cycles.
  • Hand internal audit an evidence pack they can read without a meeting.

The 12 modules

Module 1. Reading a SOC 2 Type 2 like an examiner
Walk through a real SOC 2 Type 2 report with the qualified opinion section called out. Identify the seven places an OCC examiner reads first: management assertion changes, scope exclusions, sub-service organisation carve-outs, exceptions noted in testing, the bridge letter date, the complementary user entity controls, and the auditor's opinion paragraph. Build a one-page reading summary you attach to the vendor file.
Module 2. The residual-risk rating worksheet
Construct the worksheet that ties inherent risk, control effectiveness from the SOC 2, and compensating controls inside the bank to a single residual rating. Cover the three failure modes that make a worksheet rejectable in audit: scoring without evidence, scoring without a comparable benchmark, and scoring that does not change when a control change is documented mid-cycle.
Module 3. Compensating controls that map to FFIEC CAT
Build a compensating-control register that does not float free of the bank's own assessment. Map each compensating control to a specific FFIEC CAT domain and maturity statement, name the control owner inside the bank, and set the evidence cadence. Cover the difference between a control that compensates for a vendor gap and a control that just describes the bank's own posture.
Module 4. Sub-processor and data residency exceptions
Handle the sub-processor list growing between annual reviews. When an offshore engineering team is added in a jurisdiction the bank's data residency policy does not cleanly cover, write the exception that survives privacy review and legal review without three rounds. Cover the three pieces of evidence a Chief Privacy Officer expects: data-flow diagram, transfer mechanism, and the bank's own breach-notification clause in the contract.
Module 5. The exception memo a CRO will sign
Draft the one-page exception memo with the structure a Chief Risk Officer reads in two minutes: business justification, residual risk after compensating controls, expiration date, re-review triggers, and the named accountable executive. Cover the five sentences that get a memo sent back for rework and the three sentences that get it signed on first read.
Module 6. Risk-committee deck input
Translate the vendor file into the two slides that go into the monthly risk-committee deck. Cover what the committee chair wants to see versus what they want to skip past, how to present aggregate vendor residual risk without losing the outlier, and the language that lets a committee member ask a clarifying question without derailing the discussion.
Module 7. OCC heightened standards alignment
Map the vendor file to the OCC heightened standards on third-party risk management. Cover the four expectations examiners cite most often: board-level oversight, risk-based due diligence, ongoing monitoring proportionate to risk, and termination planning. Build the cross-reference table that lets you respond to an examiner request without rebuilding the file from scratch.
Module 8. Penetration test and vulnerability evidence
Decide whether a twelve-month-old penetration test still counts and what to ask for when it does not. Cover the difference between a penetration test and a vulnerability scan in the eyes of an examiner, the scope statement that matters, and the remediation evidence pack that lets you accept residual risk on open findings without a re-test.
Module 9. Re-review triggers tied to vendor change
Replace calendar-only re-review with event triggers tied to vendor change. Cover the seven events that should force a re-review regardless of cycle date: SOC 2 qualified opinion, breach disclosure, sub-processor addition in a new jurisdiction, ownership change, key personnel change in the security team, material change to the data set the bank shares, and a regulatory enforcement action.
Module 10. Internal audit evidence pack
Assemble the evidence pack internal audit reads without scheduling a walkthrough. Cover the file structure that lets an auditor confirm the residual-risk rating in five minutes, the cross-references to the bank's own policy, the named control owner inside the bank for every compensating control, and the audit-trail entries that show the decision was reviewed and approved at the right level.
Module 11. Termination and exit planning
Write the termination plan that lives in the vendor file from day one, not the day a decision to exit is made. Cover the four exit scenarios examiners ask about: vendor-initiated termination, bank-initiated termination for cause, regulatory directive to exit, and operational failure. Build the data-return checklist, the customer-impact statement, and the alternate-provider readiness note.
Module 12. Run-rate operating model
Move from one heroic file to a run-rate operating model. Cover the queue-management model that lets a small Security Officer team handle the inbound volume without dropping quality, the templates that cut writing time by half without flattening the analysis, and the metrics a Chief Information Security Officer reports to the board on third-party risk posture.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Module 1 to 3 cover the file you write this week on the qualified SOC 2.
Module 4 to 6 cover the conversations with privacy, legal, and the risk committee.
Module 7 to 9 cover the OCC, the penetration test, and the triggers for re-review.
Module 10 to 12 cover internal audit, termination, and the run-rate operating model.

What you get with this course

  • Twelve written modules in the Art of Service learning environment.
  • Downloadable residual-risk rating worksheet, compensating-control register, exception memo, evidence-pack index, and termination-plan template.
  • Worked examples on a qualified SOC 2 Type 2 walkthrough.
  • Hand-built implementation playbook tailored to your role and book of work, delivered alongside course access.

What you will have in hand by Day 1, Week 1, Month 1

Hour 0: course access in the learning environment, all twelve modules unlocked.

Hour 24: hand-built implementation playbook delivered, tailored to the bank's third-party risk operating model and the specific vendor categories on your current queue.

Ongoing: downloadable templates and worked examples available for re-use on every subsequent vendor file.

Before and after

Before

The qualified SOC 2 sits on your queue while you reconstruct the residual-risk rating from memory, draft a compensating-control list that internal audit will rewrite, and write an exception memo that comes back for a third revision.

After

The vendor file is a structured artefact. The residual-risk rating ties to evidence. The compensating-control register maps to FFIEC CAT and names a bank-side owner for each control. The exception memo gets signed on first read. The internal audit evidence pack reads in five minutes.

What happens if you do not address this

The next OCC sample pulls a vendor file with a qualified SOC 2, an exception memo without a re-review trigger, and a compensating-control register that names no bank-side owner. The examiner finding is not the vendor. It is the file.

Who it is for

Security Officer in a regulated US commercial bank, sitting between vendor management, third-party risk, and the lines of business that source SaaS and fintech relationships. Owns the security input to onboarding decisions, the compensating-control register for accepted exceptions, and the evidence pack handed to internal audit and federal examiners. Reads SOC 2 Type 2 reports critically, owns the policy mapping to FFIEC CAT and the OCC heightened standards, and writes the memo a Chief Risk Officer will sign.

Who this is NOT for. Not for application security engineers focused on code-level controls. Not for procurement teams running the contracting side of vendor onboarding. Not for non-regulated environments where federal examiners are not part of the audience.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Three to four hours to read every module. Twenty minutes per template the first time you use it on a live vendor file, then five minutes per re-use.

Why $199 is the right number

The free FFIEC CAT documentation describes maturity but does not give you the residual-risk worksheet or the compensating-control register tied to it. The OCC bulletins describe expectations but do not give you the exception memo a Chief Risk Officer will sign. Vendor risk SaaS platforms automate the inbound questionnaire but do not write the file. This course writes the file.

FAQ

Does this apply if the bank already uses a third-party risk SaaS platform?
Yes. The platform stores the questionnaire and the workflow. The course writes the residual-risk worksheet, the compensating-control register, the exception memo, and the evidence pack the platform does not author for you.
Is the implementation playbook generic?
No. The playbook is hand-built for your role, your bank's third-party risk operating model, and the vendor categories visible on your current queue. It arrives alongside course access in the learning environment.
How current is the OCC and FFIEC content?
The course tracks current OCC heightened standards on third-party risk and current FFIEC CAT domains and maturity statements. Templates are versioned and updated when source guidance changes.
Can a small Security Officer team use this without restructuring?
Yes. Module 12 is the run-rate operating model for a small team. The templates cut writing time without flattening the analysis.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.