
The Bank Third-Party Security Review Workbench

$199.00

A focused course, tailored for you

Run a vendor security review from intake to residual-risk sign-off in one workflow that the second line and examiners accept on the first pass.

The vendor security review queue is the bottleneck. Business owners want decisions in days. Second-line reviewers want defensible residual-risk write-ups. Examiners want evidence the conclusion matches the questionnaire, the SOC 2, the pen test, and the data flow. The first line carries all four pressures at once, on every ticket.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

First-line third-party security associates at large US banks sit between the business sponsor pushing for contract signature, the procurement deadline, the vendor's incomplete or contradictory documentation, the second-line reviewer who will challenge any rating that looks soft, and the regulator who reads the file two years later in the next safety-and-soundness exam. The work is not the easy vendors. The work is the vendor whose SIG answers say one thing, whose SOC 2 description says another, whose pen test executive summary is twelve months stale, and whose data-processing addendum quietly extends data access to a sub-processor in a jurisdiction the bank does not approve. Each of those gaps must be resolved into a written residual-risk position that survives second-line review, business pushback, and examiner inspection. The course is the workbench that turns the queue from a series of one-off battles into a repeatable workflow.

What you walk away with

  • Close a vendor security review from intake to residual-risk sign-off in a workflow your second-line reviewer accepts first pass.
  • Read a SOC 2 Type II report against a SIG response and surface the contradictions in under thirty minutes.
  • Write a residual-risk memo in the language FFIEC AIO and OCC heightened-standards examiners read, with the evidence chain attached.
  • Push back on stale pen test summaries, incomplete data-flow diagrams, and sub-processor disclosure gaps without delaying the contract beyond procurement's tolerance.
  • Bring the contract security schedule into the review so the gaps the questionnaire could not close are closed by clause.

The 12 modules

Module 1. Scoping the review against actual data access
Vendor security reviews fail when scope is set by the procurement ticket instead of by the data the vendor will actually touch. This module walks the intake conversation with the business owner that establishes data classification, processing locations, sub-processor chain, and the integration pattern (API, file transfer, embedded SDK, hosted portal). The output is a one-page scope memo that frames every later decision in the review.
Module 2. Reading the SIG and CAIQ against the bank's control baseline
The Standardized Information Gathering questionnaire (SIG) and the CAIQ (Consensus Assessments Initiative Questionnaire, built on the Cloud Controls Matrix) are not answer keys. They are the vendor's self-assessment, and they need to be read against the bank's own control baseline (FFIEC IT Handbook, OCC heightened standards, internal information security policy). This module covers the response patterns that signal genuine maturity, the patterns that signal copy-paste, and the answers that demand follow-up evidence.
Module 3. SOC 2 Type II as evidence, not as a pass
A clean SOC 2 Type II opinion is the beginning of the review, not the end. The module walks the description of the service organisation against the trust services criteria selected, the complementary user entity controls the bank must implement, the exceptions the auditor noted, the period covered (and the gap since), and the bridge letter that closes the gap. The aim is reading the report the way the second-line reviewer will.
Module 4. Pen test summary triage
Most pen test summaries supplied during vendor review are executive-level redacted versions, twelve to eighteen months old, with limited scope statements. This module covers what to ask for when the supplied summary is thin, how to read the scope and methodology against the vendor's actual production environment, and how to write the residual position when a current full report is genuinely unavailable but the relationship must still be approved.
Module 5. Data-flow diagram reconstruction
The vendor's data-flow diagram is often missing or wrong. The module walks the working-session technique that reconstructs the actual data flow from the business owner's process description, the integration team's connection inventory, and the vendor's API documentation. The reconstructed diagram is the artefact that determines encryption, jurisdiction, sub-processor, and retention questions for the rest of the review.
Module 6. Sub-processor and jurisdiction risk
Sub-processor disclosure is the gap that most often surfaces post-signature. The module covers reading the vendor's sub-processor list against the bank's approved jurisdiction list, the questions that surface undisclosed sub-processors (offshored support, AI/ML feature processing, analytics pixels), and the contract clauses that establish prior notification and right of objection on sub-processor change.
Module 7. Encryption, key management, and access path review
Encryption-at-rest and encryption-in-transit answers are where vendor questionnaires most often invoke compensating controls. The module walks the encryption questions through the actual key custody model (vendor-managed, customer-managed, BYOK, HSM-backed), the access path from vendor staff to bank data (jump host, bastion, just-in-time access, standing privileged accounts), and the evidence the second-line reviewer expects to see attached.
Module 8. Incident notification and right-to-audit clauses
Incident notification windows in vendor contracts often default to thirty or sixty days. The bank's regulator-facing notification window is far shorter. The module walks the negotiation pattern that brings the contract clause into line with the bank's actual reporting obligation, the right-to-audit clause language that survives vendor pushback, and the evidence rights that matter when the relationship is terminated.
Module 9. Residual-risk write-up that survives second-line review
The residual-risk memo is the document the second-line reviewer signs and the examiner reads. The module covers the structure (inherent risk, controls, residual rating, supporting evidence, conditions), the language patterns that examiners associate with defensible conclusions, the most common second-line pushbacks (rating too soft, evidence chain incomplete, conditions not measurable) and how to write to head them off.
Module 10. Conditional approvals, recertifications, and the on-going monitoring queue
Most vendor approvals are conditional. The module walks the conditions library (current pen test by date X, sub-processor inventory refresh quarterly, SOC 2 next year by date Y, evidence-of-remediation for the open exception), how those conditions land in the on-going monitoring queue, and the recertification cadence by inherent risk tier.
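The evidence-freshness checks in Modules 3 and 4 (SOC 2 period covered, the gap since, the bridge letter that closes it, pen test age) and the conditions library and recertification cadence in Module 10 can be expressed as a small script. The example below is added here as an illustration and is not code from the course or its templates; the thresholds (90-day SOC 2 gap, 365-day pen test age, 12/24/36-month recertification by tier), the condition wording, the due-date offsets and the sample review file are all constructed assumptions, not figures the course states.

```python
"""Evidence-freshness and conditions-queue check for a vendor security review file (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Constructed thresholds: assumptions for this example, not figures from the course.
MAX_SOC2_GAP_DAYS = 90          # longest uncovered span tolerated without a bridge letter
MAX_PEN_TEST_AGE_DAYS = 365     # a pen test older than this needs a current report as a condition
RECERT_MONTHS = {"high": 12, "medium": 24, "low": 36}   # recertification cadence by inherent-risk tier


@dataclass
class ReviewFile:
    vendor: str
    review_date: date
    inherent_risk: str                      # "high" | "medium" | "low"
    soc2_period_end: date                   # last day of the SOC 2 Type II examination period
    bridge_letter_through: Optional[date]   # None when no bridge letter was supplied
    pen_test_date: date
    open_soc2_exceptions: List[str]


@dataclass
class Condition:
    text: str
    due: date


def soc2_coverage_gap_days(f: ReviewFile) -> int:
    """Days between the last date the SOC 2 (or its bridge letter) covers and the review date."""
    covered_through = f.soc2_period_end
    if f.bridge_letter_through and f.bridge_letter_through > covered_through:
        covered_through = f.bridge_letter_through
    return max(0, (f.review_date - covered_through).days)


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic; clamps the day to 28 so the result is always a valid date."""
    month_index = d.month - 1 + months
    return date(d.year + month_index // 12, month_index % 12 + 1, min(d.day, 28))


def build_conditions(f: ReviewFile) -> List[Condition]:
    """Turn evidence gaps into measurable, dated conditions for the on-going monitoring queue."""
    conds: List[Condition] = []
    if soc2_coverage_gap_days(f) > MAX_SOC2_GAP_DAYS:
        conds.append(Condition(
            f"Bridge letter or new SOC 2 Type II covering through {f.review_date.isoformat()}",
            f.review_date + timedelta(days=30)))
    if (f.review_date - f.pen_test_date).days > MAX_PEN_TEST_AGE_DAYS:
        conds.append(Condition("Current full penetration test report (not the redacted summary)",
                               f.review_date + timedelta(days=90)))
    for exc in f.open_soc2_exceptions:
        conds.append(Condition(f"Evidence of remediation for SOC 2 exception: {exc}",
                               f.review_date + timedelta(days=60)))
    # Standing condition regardless of gaps: quarterly sub-processor inventory refresh.
    conds.append(Condition("Sub-processor inventory refresh (quarterly)",
                           add_months(f.review_date, 3)))
    return conds


def next_recertification(f: ReviewFile) -> date:
    """Recertification date driven by the inherent-risk tier, not by the contract term."""
    return add_months(f.review_date, RECERT_MONTHS[f.inherent_risk])


def overdue(conditions: List[Condition], today: date) -> List[Condition]:
    """Conditions whose due date has passed: the monitoring-queue view for the day."""
    return [c for c in conditions if c.due < today]


# Constructed sample file: SOC 2 period ended about ten months before the review,
# no bridge letter supplied, pen test roughly fourteen months old, one open exception.
SAMPLE = ReviewFile(
    vendor="ExampleSaaS (constructed)",
    review_date=date(2024, 3, 15),
    inherent_risk="high",
    soc2_period_end=date(2023, 5, 31),
    bridge_letter_through=None,
    pen_test_date=date(2023, 1, 10),
    open_soc2_exceptions=["CC6.1 quarterly user access review not performed"],
)

if __name__ == "__main__":
    print(f"SOC 2 coverage gap: {soc2_coverage_gap_days(SAMPLE)} days")
    for c in build_conditions(SAMPLE):
        print(f"{c.due}  {c.text}")
    print("recertify by", next_recertification(SAMPLE))
```

The point of the structure is that every condition carries a due date, so it can be tested for "measurable" before the memo goes to the second line, and the same list feeds the on-going monitoring queue without being re-keyed; supplying a bridge letter that covers through the review date drops the SOC 2 condition without touching the rest.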
Module 11. Working with the business owner, procurement, and the vendor's security contact
The third-party security review is a four-party conversation. The business owner wants a decision. Procurement wants the contract closed. The vendor's security contact wants questions to stop. The second-line reviewer wants defensible documentation. The module walks the cadence (intake meeting, evidence working session, draft residual review, sign-off) that gives each party what they need without burning the review timeline.
Module 12. Reading the file the way the examiner will
The closing module walks a completed review file the way an FFIEC AIO or OCC heightened-standards examiner reads it: scope memo, questionnaire response, SOC 2 mapping, pen test position, data-flow diagram, sub-processor and jurisdiction analysis, contract security schedule, residual-risk memo, conditions, on-going monitoring entry. The module gives the self-audit checklist the associate runs before submitting to the second line, and the patterns that turn a queue of reviews into an examination-ready inventory.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Modules 1-2 map to the intake ticket: scope and questionnaire on the morning of receipt.
Modules 3-7 map to the evidence working session: SOC 2, pen test, data flow, sub-processor, encryption.
Module 8 maps to the contract schedule negotiation with procurement and legal.
Modules 9-12 map to the residual-risk write-up, second-line submission, and on-going monitoring queue entry.

What you get with this course

  • Twelve written modules in the Art of Service learning environment.
  • Downloadable templates: scope memo, SOC 2 mapping worksheet, data-flow reconstruction worksheet, residual-risk memo, on-going monitoring conditions library.
  • Worked examples for SaaS, IaaS, BPO, and embedded-SDK vendor patterns.
  • Hand-built implementation playbook tuned to the vendor mix you actually review.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Suggested working pace: one module per working day, two to three weeks end to end, taken alongside your live review queue.

Before and after

Before

The vendor review queue runs on memory, screenshots, and ad-hoc Word documents. Each review is a one-off battle with the business owner, procurement, and the second-line reviewer. Examination preparation means going back through tickets to reconstruct what the residual-risk position was and why.

After

Each review runs through the same workbench: scope memo, questionnaire-to-control mapping, SOC 2 read-out, pen test position, data-flow diagram, sub-processor and jurisdiction analysis, contract clauses, residual-risk memo, conditions. The file the examiner reads is the file you produced during the review, not a file you reconstructed after.

What happens if you do not address this

Reviews stay slow because the workflow is invented per ticket. Residual-risk write-ups get bounced because the evidence chain is not assembled the way the second-line reviewer expects. The next safety-and-soundness exam pulls a sample of vendor files and the gaps in the file become findings the bank carries for a cycle.

Who it is for

First-line third-party / vendor security analysts and associates inside US banks (national, super-regional, large regional). You run intake on new vendor relationships and recertifications, score the questionnaire responses, request and read SOC 2 Type II reports and pen test summaries, hold the working session with the business owner and the vendor's security contact, and write the residual-risk memo that your second-line reviewer signs off on. The work is operational, daily, and visible to procurement, the business, the second line, and (eventually) the regulator.

Who this is NOT for. Not for second-line risk officers writing program-level vendor risk policy. Not for CISOs setting enterprise risk appetite. Not for procurement leaders writing contract templates. The course is the first-line operational workbench, not the program design.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Roughly 45-60 minutes per module read-through, plus the time to run one of your live reviews through the templates as the working application. Realistic completion: two to three weeks alongside the day job.

Why $199 is the right number

Vendor risk management platforms (e.g. the procurement-led ones the bank already pays for) automate intake and questionnaire delivery but do not teach the read-out, the residual-risk write-up, or the second-line conversation. Industry conferences cover policy and program design, not the daily ticket. Internal training inside a bank covers the bank's own template but not the underlying technique. This course is the operational workbench between those layers.

FAQ

Is this aligned to FFIEC and OCC expectations?
Yes. The residual-risk and on-going monitoring patterns are written against the FFIEC IT Examination Handbook (Outsourcing Technology Services and Management booklets) and the OCC heightened standards as they apply to large bank third-party risk programs.
Does it cover SaaS and cloud vendors specifically?
Yes. The SOC 2 read-out, encryption and key management, sub-processor disclosure, and data-flow reconstruction modules are written for SaaS and IaaS-hosted vendors as the primary case. BPO and embedded-SDK patterns are covered as alternates.
Is the implementation playbook generic or tailored?
Tailored. After enrolment the playbook is hand-built against the vendor mix you actually review (SaaS-heavy, BPO-heavy, cloud-hosting, AI/ML feature vendors). It lands in your account alongside course access.
Can I use the templates inside the bank?
Yes. The templates are designed to drop into an internal vendor risk workflow without modification. The bank's specific control baseline references and second-line reviewer expectations may need light overlay.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.