A focused course, tailored for you
The Regional Bank Security Manager Control Evidence Playbook
Turn the FFIEC CAT, OCC heightened standards, and FDIC IT exam asks into one evidence pack examiners accept the first time.
Your SOC team is assembling the same control evidence three different ways for the FFIEC CAT, the OCC heightened-standards narrative, and the FDIC IT exam IDR, and the next vendor SIG Lite request will ask for it a fourth time.
Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.
Why this course
A Security Manager inside a top-10 US bank sits between the internal SOC, the second-line operational risk function, internal audit, and three federal examiners who each want the same controls described in their own taxonomy. Every quarter the same evidence is rebuilt from scratch because the SOC's ticket system, the GRC platform's control register, and the vendor risk team's questionnaire library do not share a vocabulary. The FFIEC CAT inherent-risk worksheet pulls from one set of screenshots. The OCC heightened-standards three-lines-of-defence narrative pulls from a different set. The FDIC IT IDR asks for both, in a third format. The fix is not another GRC tool. The fix is a single control register, keyed to NIST CSF 2.0 as the spine, with regulator-specific language layered on top so one artefact answers every ask. This course walks through exactly that build.
What you walk away with
- Ship one control register that answers the FFIEC CAT, the OCC heightened-standards narrative, the FDIC IT IDR, and SOX 404 IT-general-controls testing from the same source of truth.
- Cut the per-cycle evidence assembly from three full weeks to one Friday afternoon for the named exams.
- Produce a vendor-facing SIG Lite response that pulls from the same register so customer security questionnaires no longer drain SOC analyst hours.
- Walk an examiner through the three-lines-of-defence narrative using artefacts the SOC already produces, with no extra collection cycle.
- Hand internal audit a pre-built IT-general-controls walkthrough that closes their fieldwork in a single sitting.
The 12 modules
How this addresses your situation
Specific modules that map to what you said you are dealing with.
What you get with this course
- The full 12-module written course in the Art of Service learning environment, with downloadable templates and worked examples for every module.
- A hand-built implementation playbook scoped to your specific bank size, regulator mix, and current GRC platform, delivered alongside course access.
- The control register template pre-populated for a 5,000-employee bank, with CSF 2.0 spine, regulator overlays, and SIG Lite mapping.
- The four regulator-specific response templates (CAT, OCC heightened-standards self-assessment, FDIC IT IDR, SOX 404 ITGC walkthrough).
- The 36-hour incident notification decision tree and notification templates.
- The CSF-to-ISO-27002-to-CIS-Controls-v8 crosswalk spreadsheet.
- Email access to Gerard for clarifying questions during the build.
What you will have in hand by Day 1, Week 1, Month 1
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.
Modules 1 and 7 take roughly four hours each to work through and produce the populated register.
Modules 2 through 6 take roughly two to three hours each, with the worked-example outputs.
Modules 8 through 12 take roughly one to two hours each, with the policy and template outputs.
Total time investment is one to two weeks of evening or off-cycle work for one Security Manager, or one week with a SOC analyst pairing on the population work.
Before and after
Three separate evidence assembly cycles per year for the FFIEC CAT, the OCC IT exam, and the FDIC IT exam, each taking two to three weeks of SOC analyst time. Vendor SIG Lite responses ad-hoc on top of that. Internal audit fieldwork extending two weeks because evidence is scattered. The Security Manager spends most of every quarter feeding evidence to regulators rather than running the security program.
One control register answers all three federal examiners, internal audit, and customer security questionnaires from the same source. Per-cycle evidence assembly drops to a Friday afternoon. Internal audit fieldwork closes in a single sitting. Vendor SIG Lite responses publish from a customer-facing trust page. The Security Manager spends quarterly time on actual security work.
What happens if you do not address this
The OCC heightened-standards self-assessment cycle and the FDIC IT exam window are not optional. The CAT update has to be submitted. The SOX 404 ITGC walkthrough has to happen. Without the consolidation, every cycle continues to consume two to three weeks of SOC analyst time, and the Matter Requiring Attention from the last exam stays open into the next exam. The cost is not the evidence work itself; the cost is the security work that does not happen while the evidence work runs.
Who it is for
A Security Manager, or a second-line risk officer who owns the controls library, at a top-25 US bank or large regional bank. Reports into a CISO or Head of Operational Risk. Owns the relationship with internal audit on IT-general-controls testing and is the named contact for the FFIEC CAT submission, the OCC IT exam, and the FDIC IT exam. Manages a SOC team between five and forty analysts. Has a GRC platform in place but spends more time exporting from it than benefiting from it.
How it arrives
Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.
Time investment. One to two weeks of focused work for a single Security Manager, less if a SOC analyst pairs on the population work. Quarterly maintenance after the initial build is one Friday afternoon.
Why $199 is the right number
A GRC platform implementation runs 250,000 USD to 800,000 USD and 9 to 18 months, and still requires the same control register design work you would do here. A Big Four IT audit advisory engagement runs 150,000 USD and 60 to 90 days, and produces a gap report rather than a populated register. This course produces the populated register and the regulator response templates in two weeks for 199 USD, with the implementation playbook scoped to your bank.
FAQ
30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.
Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.