The Regional Bank Cyber Control Evidence Pack Playbook

$199.00

A focused course, tailored for you

Build the auditor-ready FFIEC CAT, OCC heightened standards, and GLBA Safeguards evidence pack a regional bank security team can defend in one quarter.

The next OCC examiner request letter will ask for the FFIEC CAT workbook, the privileged access review, the vendor cyber file, the tabletop minutes, the GLBA Safeguards refresh, and a change-control sample. Pulling those six artefacts together inside the examination window is where regional bank security teams lose three weeks every cycle.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Security professionals inside regional US banks own a control surface that has to satisfy the OCC, the FDIC where applicable, the state banking regulator, the FFIEC CAT maturity expectations, the GLBA Safeguards Rule update, the SEC cyber disclosure rule when the holding company files, and the bank's own internal audit. The control framework is not the hard part. NIST CSF, FFIEC IT Handbook, and the bank's policy library cover the population of controls. The hard part is the evidence pack: the actual documents, sampled records, signed attestations, and date-stamped reviews that demonstrate the controls operated. The evidence lives across the SIEM, the IAM tool, the ServiceNow change record, the third-party risk platform, the GRC tool, and a folder of PDFs from the last tabletop. When the examiner request letter arrives, the security team spends the first two weeks just locating the evidence, the third week reconciling timestamps and owners, and the final week negotiating which gaps get formal management response language. The course rebuilds the evidence pack as a standing artefact set that is current on the day the request letter arrives, not assembled after it.

What you walk away with

  • Produce a current-state FFIEC CAT inherent risk and maturity workbook the bank's leadership and the OCC examiner-in-charge can both read without translation.
  • Stand up a privileged access review cadence with documented sampling and owner sign-off that holds up under examiner sampling.
  • Build a third-party cyber due diligence file that ties each top vendor to the GLBA Safeguards Rule criteria and the bank's contract clauses.
  • Run an incident response tabletop with minutes, named participants, and a defensible after-action artefact set the examiner asks for.
  • Refresh the GLBA Safeguards Rule risk assessment in a format the bank's compliance and internal audit functions both adopt as the standing document.

The 12 modules

Module 1. The regional bank examiner request letter, decomposed
Walks through the actual content of a typical OCC or FDIC cyber exam request letter for a regional bank in the 10 to 100 billion asset band. Maps each request line to the artefact, the tool of record, and the owner. Identifies the six artefacts that show up in roughly 80 percent of letters and explains why the remaining 20 percent vary by examiner. Sets the standing artefact set the rest of the course builds.
Module 2. FFIEC CAT inherent risk profile that holds up
Rebuilds the FFIEC Cybersecurity Assessment Tool inherent risk side from the ground up using the bank's own product mix, delivery channel mix, third-party connections, and external threat posture. Shows how to source each input from existing bank systems rather than guessing. Produces a workbook the bank's risk committee can sign without redrafting and the examiner reads as internally consistent.
Module 3. FFIEC CAT cybersecurity maturity scoring without overclaim
Walks through the five maturity domains and 494 declarative statements. Shows where regional banks consistently overclaim, where they underclaim, and the evidence each statement actually needs to support a given maturity level. Produces a scored workbook with the supporting evidence references inline, so the examiner does not have to ask for the second file.
Module 4. Privileged access review cadence and sampling
Establishes a quarterly privileged access review process covering domain admin, database admin, network device admin, cloud root, and break-glass accounts. Defines the population, the sampling approach, the reviewer attestation language, and the exception handling workflow. Outputs the review template and the documented sampling rationale the examiner will probe.
Module 5. Third-party cyber due diligence file for top vendors
Builds the standing vendor cyber file for the top twenty third parties by criticality. Covers the GLBA Safeguards Rule oversight criteria, the bank's contract clauses, the SOC 2 or equivalent attestation review, the right-to-audit posture, and the incident notification chain. Produces a per-vendor file the bank's third-party risk and security functions both maintain.
Module 6. Incident response tabletop minutes the examiner asks for
Runs a tabletop exercise scoped to a realistic regional bank scenario such as ransomware in a branch operations subnet or a customer-facing online banking degradation. Produces the minutes template, the named participant list, the decision log, the after-action artefact set, and the escalation chain the examiner expects to see referenced in the cyber programme document.
Module 7. GLBA Safeguards Rule risk assessment refresh
Refreshes the bank's GLBA Safeguards risk assessment under the updated FTC Safeguards Rule expectations, mapped to the FFIEC IT Handbook Information Security booklet. Produces a written risk assessment document the compliance function adopts as the bank-of-record artefact, with the control inventory cross-referenced to the FFIEC CAT maturity workbook from module 3.
Module 8. Change control sample for the cyber population
Sets the ServiceNow or equivalent change-record query the examiner will use to pull the sample. Defines the change population in cyber scope, the sampling stratification, and the evidence per change such as approval, test results, back-out plan, and post-implementation review. Outputs the re-runnable query and the per-change evidence checklist.
Module 9. Threat intelligence and continuous monitoring evidence
Documents the standing threat intelligence inputs, the continuous monitoring telemetry sources, the SIEM use cases, and the metrics the security team reports up to the board cyber committee. Produces the monthly cyber metrics report template, the data lineage diagram showing each metric's source system, and the board-level summary the examiner will ask to see referenced in the meeting minutes.
Module 10. Identity governance evidence pack
Covers joiner-mover-leaver evidence, access recertification cadence, role mining outputs, and segregation of duties matrices for in-scope financial systems. Produces the per-process evidence set the IAM team maintains and the cross-walk to the FFIEC CAT identity domain and the GLBA Safeguards access control criteria.
Module 11. Cyber programme document and board reporting
Rebuilds the bank's cyber programme document so each section ties to a live artefact rather than a one-time paragraph. Maps the document to the GLBA Safeguards Rule written information security programme requirement, the FFIEC IT Handbook expectations, and the board cyber committee charter. Produces the standing programme document and the quarterly board reporting template.
Module 12. Examination readiness drill and standing pack maintenance
Runs a full examination readiness drill against the standing artefact set built across modules 1 to 11. Identifies the artefacts most likely to be stale on any given date, sets the refresh cadence per artefact, names the owner per artefact, and produces the calendar of attestations the bank's security team operates on between exam cycles.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

When the OCC examiner-in-charge request letter arrives, work the standing artefact set built in modules 1 through 8 and hand over without spending three weeks reconciling.
When internal audit opens the annual cyber audit, point them at the same evidence pack and the same owners, no second build required.
When the holding company general counsel asks what a disclosure under the SEC cyber disclosure rule would look like during a real incident, point at the module 6 tabletop artefacts and the module 9 continuous monitoring evidence.
When the board cyber committee asks for the next quarterly update, run the module 11 reporting template against the live metrics from module 9.

What you get with this course

  • Twelve text-based modules in the Art of Service learning environment
  • The FFIEC CAT inherent risk and maturity workbook templates
  • The privileged access review cadence and sampling template
  • The top-twenty vendor cyber due diligence file template
  • The incident response tabletop minutes template and after-action set
  • The GLBA Safeguards Rule risk assessment refresh template
  • The change control query and per-change evidence checklist
  • The cyber programme document outline and the board reporting template
  • The hand-built implementation playbook tailored to a regional bank security team

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours, your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Weeks 1 to 2, modules 1 through 4 cover the examiner request letter decomposition and the FFIEC CAT rebuild.

Weeks 3 to 5, modules 5 through 8 cover the third-party file, the tabletop, the GLBA refresh, and the change control sample.

Weeks 6 to 8, modules 9 through 12 cover threat intel, identity governance, the cyber programme document, and the readiness drill.

Before and after

Before

The examiner request letter triggers a three-week scramble across SIEM, IAM, ServiceNow, the third-party risk platform, and a folder of PDFs from the last tabletop. The security team negotiates which gaps become formal management response language at the end of the cycle, every cycle.

After

The six recurring artefacts are standing documents with named owners and a refresh calendar. The examiner request letter is answered from the existing pack. The team spends its energy on the genuinely new questions, not on rebuilding the foundation.

What happens if you do not address this

Each exam cycle the bank consumes the security team's bandwidth on reconstructing evidence rather than improving control posture. The control improvements that would actually reduce inherent risk get deferred again, and the next cycle starts from the same place.

Who it is for

A security professional inside a US regional bank (covered by OCC or state-charter regulators, subject to FFIEC IT exam scope, with a GLBA Safeguards programme), who owns or contributes to the cyber control evidence pack the bank presents to examiners and internal audit. The role is hands-on enough to know which evidence sits in which tool, and senior enough to influence the cadence at which the evidence is refreshed.

Who this is NOT for. Not for global systemically important bank security teams with a dedicated regulatory exam management function and a full-time CAT scoring analyst. Not for fintech or non-bank security teams not subject to FFIEC examination scope. Not for security consultants selling assessments rather than running the bank-side programme.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Roughly four to six hours per module, including the template work. Twelve modules across eight weeks at a comfortable cadence, or four weeks compressed.

Why $199 is the right number

Big four advisory engagements rebuild the evidence pack as a project deliverable, often six figures, and leave the bank with a static binder that ages out before the next exam cycle. GRC platform vendors sell the tool, not the standing artefact set or the maturity scoring rationale. This course produces the artefact set the bank's own team maintains, with the rationale they can defend to an examiner.

FAQ

Does this assume a specific GRC platform?
No. The templates work in ServiceNow GRC, Archer, AuditBoard, or spreadsheets. The point is the artefact set and the owner cadence, not the tool.
Is this scoped to OCC-supervised banks only?
The FFIEC CAT and GLBA Safeguards Rule pieces apply to state-chartered banks under FDIC or state regulator supervision as well. The examiner request letter shape varies slightly by regulator and the course covers the common core.
What if internal audit is the primary audience rather than the OCC?
The same evidence pack serves the annual internal cyber audit. Module 12 explicitly covers maintaining the pack between exam cycles, which is also the internal audit cadence.
How is the implementation playbook tailored?
It is hand-built for a regional bank security professional context. It names the systems of record commonly used, the typical owner roles, and the cadence the artefact set runs on.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.