Skip to main content
Image coming soon

The Regional Bank Security Manager Control Evidence Playbook

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

The Regional Bank Security Manager Control Evidence Playbook

Turn the FFIEC CAT, OCC heightened standards, and FDIC IT exam asks into one evidence pack examiners accept the first time.

Your SOC team is assembling the same control evidence three different ways for the FFIEC CAT, the OCC heightened-standards narrative, and the FDIC IT exam IDR, and the next vendor SIG Lite request will ask for it a fourth time.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

A Security Manager inside a top-10 US bank sits between the internal SOC, the second-line operational risk function, internal audit, and three federal examiners who each want the same controls described in their own taxonomy. Every quarter the same evidence is rebuilt from scratch because the SOC's ticket system, the GRC platform's control register, and the vendor risk team's questionnaire library do not share a vocabulary. The FFIEC CAT inherent-risk worksheet pulls from one set of screenshots. The OCC heightened-standards three-lines-of-defence narrative pulls from a different set. The FDIC IT IDR asks for both, in a third format. The fix is not another GRC tool. The fix is a single control register, keyed to NIST CSF 2.0 as the spine, with regulator-specific language layered on top so one artefact answers every ask. This course walks through exactly that build.

What you walk away with

  • Ship one control register that answers the FFIEC CAT, the OCC heightened-standards narrative, the FDIC IT IDR, and SOX 404 IT-general-controls testing from the same source of truth.
  • Cut the per-cycle evidence assembly from three full weeks to one Friday afternoon for the named exams.
  • Produce a vendor-facing SIG Lite response that pulls from the same register so customer security questionnaires no longer drain SOC analyst hours.
  • Walk an examiner through the three-lines-of-defence narrative using artefacts the SOC already produces, with no extra collection cycle.
  • Hand internal audit a pre-built IT-general-controls walkthrough that closes their fieldwork in a single sitting.

The 12 modules

Module 1. The four regulators, one control register design
Set up the master control register keyed to NIST CSF 2.0 as the spine, with regulator-specific overlays for FFIEC CAT, OCC heightened standards, FDIC IT IDR, and SOX 404. Walks through the column structure, the control-ID convention, and the cross-reference fields that let one entry answer four asks. Includes the downloadable register template pre-populated for a 5,000-employee bank.
Module 2. FFIEC CAT inherent-risk worksheet, the SOC-evidence version
Map every inherent-risk dimension in the CAT worksheet to the SOC's existing ticket queues, detection-as-code repository, and incident-postmortem library. Shows how to surface the artefacts the CAT actually wants from systems your SOC already runs. Includes the worked example of a $400B asset bank's CAT submission, anonymised, with the inherent-risk score traced back to source evidence.
Module 3. OCC heightened standards, the three-lines-of-defence narrative
Build the three-lines-of-defence story examiners expect: SOC as first line, operational risk as second, internal audit as third. Pulls the narrative directly from your control register so the same artefacts that answer the CAT also answer the OCC. Includes the heightened-standards self-assessment template with first-line and second-line columns pre-mapped.
Module 4. FDIC IT exam IDR, building the one-document answer
Walk through the typical 80-item FDIC IT IDR, group the items by control family, and show which register entries answer which IDR lines. Result is a single PDF response packet that the examiner can open in one place. Includes the IDR-to-control-register crosswalk for the four most common IDR templates issued in the last cycle.
Module 5. SOX 404 IT-general-controls testing, the integrated walkthrough
Hand internal audit the same control register, with the SOX 404 ITGC scope flagged on the control-ID, so the auditor's walkthrough becomes a read of artefacts already in place. Covers access management, change management, computer operations, and program development testing. Includes the ITGC walkthrough script and the population-completeness evidence template.
Module 6. Vendor-side SIG Lite, the register-driven response
Turn the same control register into the source of truth for vendor security questionnaires. Walks through the SIG Lite 2024 question set, the Shared Assessments mapping, and the standard customer questionnaires from large insurers and asset managers. Shows how to publish a response packet customers self-serve. Includes the SIG Lite mapping spreadsheet and the customer-facing trust-page template.
Module 7. NIST CSF 2.0 as the spine, why and how
Explain the design choice of using NIST CSF 2.0 as the master taxonomy and the function-category-subcategory-implementation-tier structure that holds the register together. Walks through where CSF 2.0 differs from 1.1, what the new Govern function adds, and how to map back-and-forth between CSF and ISO 27002:2022 for vendors who insist on ISO language. Includes the CSF-to-ISO-to-CIS-Controls-v8 crosswalk.
Module 8. GLBA Safeguards Rule and the customer information overlay
Layer the FTC Safeguards Rule (16 CFR 314) requirements onto the register, including the qualified individual designation, the written information security program, the annual board report, and the multi-factor authentication and encryption mandates. Bank holding companies own this for non-bank affiliates and trust subsidiaries. Includes the annual board report template and the qualified individual job description.
Module 9. Incident response and the 36-hour notification rule
Build the incident classification, escalation, and 36-hour notification workflow the OCC computer-security incident rule requires for national banks. Connects the SOC's detection thresholds to the regulatory clock and the customer notification clock. Includes the notification decision tree, the OCC notification template, and the customer notification template that survives state attorney-general review.
Module 10. Third-party risk, the interagency third-party guidance overlay
Apply the current federal interagency third-party guidance to the vendor inventory: lifecycle stages, criticality tiering, due diligence depth, and ongoing monitoring. Connects to the SIG Lite work from Module 6 so vendor-inbound and vendor-outbound evidence draws from the same register. Includes the vendor tiering matrix, the criticality scoring template, and the board-reporting summary deck.
Module 11. Examiner conversation prep, walking the artefacts
Run the conversation the examiner will run on entrance and exit days. Covers how to walk the inherent-risk score, how to defend the three-lines-of-defence narrative, how to surface the control deficiency you found yourselves (rather than wait for them to find it), and how to scope a remediation timeline they will accept. Includes the examiner entrance-meeting script and the matter-requiring-attention response template.
Module 12. Quarterly maintenance, the one-day refresh
The 90-day rhythm that keeps the register accurate without rebuilding it. Covers the control owner attestation cycle, the SOC ticket-to-control reconciliation, the policy-to-control alignment check, and the artefact freshness audit. Shows how a Security Manager spends one Friday per quarter on this and the rest of the quarter on actual security work. Includes the quarterly maintenance checklist and the control-owner attestation template.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

Module 1 and Module 7 are foundational. Build the register, set the spine, then everything else layers on.
Module 2, Module 3, and Module 4 are the federal-examiner overlays. Run these in the order the next exam cycle hits.
Module 5 and Module 6 are the inward-facing reuses. SOX 404 testing and customer SIG Lite responses draw from the same register the examiners do.
Module 8 through Module 11 are the substantive control families and the examiner-conversation prep. Run these as the calendar demands.

What you get with this course

  • The full 12-module written course in the Art of Service learning environment, with downloadable templates and worked examples for every module.
  • A hand-built implementation playbook scoped to your specific bank size, regulator mix, and current GRC platform, delivered alongside course access.
  • The control register template pre-populated for a 5,000-employee bank, with CSF 2.0 spine, regulator overlays, and SIG Lite mapping.
  • The four regulator-specific response templates (CAT, OCC heightened-standards self-assessment, FDIC IT IDR, SOX 404 ITGC walkthrough).
  • The 36-hour incident notification decision tree and notification templates.
  • The CSF-to-ISO-27002-to-CIS-Controls-v8 crosswalk spreadsheet.
  • Email access to Gerard for clarifying questions during the build.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

Modules 1 and 7 take roughly four hours each to work through and produce the populated register.

Modules 2 through 6 take roughly two to three hours each, with the worked-example outputs.

Modules 8 through 12 take roughly one to two hours each, with the policy and template outputs.

Total time investment is one to two weeks of evening or off-cycle work for one Security Manager, or one week with a SOC analyst pairing on the population work.

Before and after

Before

Three separate evidence assembly cycles per year for the FFIEC CAT, the OCC IT exam, and the FDIC IT exam, each taking two to three weeks of SOC analyst time. Vendor SIG Lite responses ad-hoc on top of that. Internal audit fieldwork extending two weeks because evidence is scattered. The Security Manager spends most of every quarter feeding evidence to regulators rather than running the security program.

After

One control register answers all three federal examiners, internal audit, and customer security questionnaires from the same source. Per-cycle evidence assembly drops to a Friday afternoon. Internal audit fieldwork closes in a single sitting. Vendor SIG Lite responses publish from a customer-facing trust page. The Security Manager spends quarterly time on actual security work.

What happens if you do not address this

The OCC heightened-standards self-assessment cycle and the FDIC IT exam window are not optional. The CAT update has to be submitted. The SOX 404 ITGC walkthrough has to happen. Without the consolidation, every cycle continues to consume two to three weeks of SOC analyst time, and the Matter Requiring Attention from the last exam stays open into the next exam. The cost is not the evidence work itself; the cost is the security work that does not happen while the evidence work runs.

Who it is for

A Security Manager, or a second-line risk officer who owns the controls library, at a top-25 US bank or large regional bank. Reports into a CISO or Head of Operational Risk. Owns the relationship with internal audit on IT-general-controls testing and is the named contact for the FFIEC CAT submission, the OCC IT exam, and the FDIC IT exam. Manages a SOC team between five and forty analysts. Has a GRC platform in place but spends more time exporting from it than benefiting from it.

Who this is NOT for. Not for community-bank security generalists who run the entire IT function single-handed. Not for fintechs without a national bank charter, where the FFIEC CAT and OCC heightened standards do not apply. Not for security engineers who only build detections and do not own the auditor or examiner relationship.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. One to two weeks of focused work for a single Security Manager, less if a SOC analyst pairs on the population work. Quarterly maintenance after the initial build is one Friday afternoon.

Why $199 is the right number

A GRC platform implementation runs 250,000 USD to 800,000 USD and 9 to 18 months, and still requires the same control register design work you would do here. A Big Four IT audit advisory engagement runs 150,000 USD and 60 to 90 days, and produces a gap report rather than a populated register. This course produces the populated register and the regulator response templates in two weeks for 199 USD, with the implementation playbook scoped to your bank.

FAQ

Does this assume a specific GRC platform?
No. The control register design works whether you run Archer, ServiceNow GRC, OneTrust, AuditBoard, LogicGate, or a spreadsheet-and-SharePoint approach. The register schema imports cleanly into any of them. The implementation playbook is scoped to whichever platform you actually use.
We are mid-cycle on the next FFIEC CAT submission. Is it too late?
No. Module 2 is built specifically for the case where the CAT submission window is open. Working through it produces the submission, not a future-state design.
Our charter is a state member bank under FRB supervision rather than national bank under OCC. Does this still fit?
Yes. The OCC heightened-standards overlay swaps for the FRB SR letter overlay (SR 21-14, SR 16-11, SR 12-14), and the implementation playbook reflects whichever federal regulator and state regulator pair you actually face.
What if our internal audit team uses COBIT 2019 rather than CSF?
Module 7 includes the CSF-to-COBIT-2019 crosswalk so internal audit can read the same register through their preferred lens.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.