
The Security Manager's FFIEC Exam Evidence Playbook

$199.00

A focused course, tailored for you


Walk into the next IT exam with the access-recertification, vendor, and incident evidence already paginated, owner-stamped, and tied to the FFIEC CAT statements that examiners read first.

The FFIEC exam letter lands and twelve workstreams need owners, dates, and a coherent control narrative inside six weeks. Access recertification screenshots, vendor SIGs, incident tickets, CAT maturity self-assessments, cloud baseline reports. All real, all scattered, none paginated the way the examiner will actually ask for them.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Security Managers at US super-regional and money-centre banks own a slice of the control surface (identity, vulnerability, third-party, SOC operations, cloud security) and inherit the evidence burden every time the FFIEC, OCC, or state examiner cycle comes around. The controls themselves are usually fine. What breaks is the evidence package: ServiceNow exports that do not tie to Archer attestations, vendor SIG responses that do not match the contractual risk tier, incident tickets whose closure notes the examiner cannot trace to a runbook step, CAT self-assessments rewritten from scratch every cycle because last year's pagination got lost in the shared drive. The course builds a paginated, owner-stamped, exam-ready evidence pack for each FFIEC CAT domain, plus the operational rhythm that keeps it current between exam cycles.

What you walk away with

  • Walk into the next FFIEC IT exam with a paginated, owner-stamped evidence pack tied to each CAT declarative statement the examiner tests against.
  • Cut access-recertification evidence assembly from three weeks of manual ServiceNow exports to a two-day rhythm that runs every quarter.
  • Produce a third-party risk evidence package the OCC examiners accept on first read, with SIG, contract risk tier, and last-assessment date in one view per vendor.
  • Hand the CISO a board cyber report drawn from the same evidence pack, so the audit-committee narrative and the examiner narrative are the same narrative.
  • Cut total exam-prep time from the typical six-week sprint to a ten-day final assembly off a continuously maintained evidence rhythm.

The 12 modules

Module 1. The FFIEC CAT to evidence map
Walks through each of the five CAT domains (Cyber Risk Management and Oversight; Threat Intelligence and Collaboration; Cybersecurity Controls; External Dependency Management; Cyber Incident Management and Resilience) and lists the specific artefacts a Security Manager must hand the examiner for each declarative statement. Includes a downloadable spreadsheet mapping every CAT statement to a primary evidence owner, a secondary owner, and the pagination structure the examiner expects to see when the artefact is opened.
Module 2. Access-recertification evidence on a quarterly rhythm
Turns the access-recertification process from a pre-exam scramble into a quarterly rhythm. Covers the ServiceNow report extracts, the Archer attestation closure, the orphan-account exception register, the privileged-access quarterly review pack, and the joiner-mover-leaver reconciliation. Includes a worked example showing how three weeks of manual evidence pulls collapse into a two-day quarterly close once the rhythm is in place.
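The reconciliation Module 2 describes is mechanical once the two extracts are in hand: join the HR roster to the IAM account export, flag accounts with no HR owner, accounts belonging to leavers, and privileged accounts with no recertification in the quarter, then stamp each exception with an evidence reference and a named owner. The following is an added example written for this page, not course material; the CSV columns, the "recertified at least once per quarter" rule, and every person, account and date in it are constructed placeholders.

```python
"""Quarterly access-recertification reconciliation.

Added example, not course material: joins an HR roster to an IAM account
export to produce the orphan-account and joiner-mover-leaver exception
register described in Module 2. The CSV columns, the one-recertification-
per-quarter rule and the sample rows are all assumptions constructed for
the example; swap in the bank's real ServiceNow and HR extracts."""
import csv
import io
from datetime import date

# Constructed HR roster (hypothetical columns and people).
HR_ROSTER = """emp_id,name,status,term_date
E100,Ana Ruiz,active,
E101,Ben Cho,terminated,2025-02-14
E102,Cara Diaz,active,
"""

# Constructed IAM account export (hypothetical columns and accounts).
IAM_EXPORT = """account,emp_id,privileged,last_login,last_recert
aruiz,E100,no,2025-03-28,2025-01-10
bcho,E101,yes,2025-03-01,2024-10-05
cdiaz,E102,yes,2025-03-30,2024-11-20
svc_batch,,yes,2025-03-31,
tmp_vendor,E999,no,2025-02-02,2024-12-01
"""

QUARTER_START = date(2025, 1, 1)
AS_OF = date(2025, 3, 31)


def _to_date(s):
    """Parse an ISO date from the export; blank cells become None."""
    return date.fromisoformat(s) if s else None


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_text, iam_text, as_of=AS_OF, quarter_start=QUARTER_START):
    """Return the exception register: one entry per account that needs a
    named owner decision before the quarterly close can be signed off.

    Checks, in order:
      orphan     - account whose emp_id is blank or not on the HR roster
      leaver     - owner is terminated; record whether the account was used
                   after the termination date (the case the examiner asks about)
      privileged - privileged account not recertified since quarter start
    """
    roster = {r["emp_id"]: r for r in _rows(hr_text)}
    register = []
    for acct in _rows(iam_text):
        owner = roster.get(acct["emp_id"]) if acct["emp_id"] else None
        findings = []
        if owner is None:
            findings.append("orphan: no HR owner on record")
        elif owner["status"] == "terminated":
            term = _to_date(owner["term_date"])
            last = _to_date(acct["last_login"])
            if term and last and last > term:
                findings.append(f"leaver: login on {last} after termination on {term}")
            else:
                findings.append(f"leaver: account still enabled after termination on {term}")
        if acct["privileged"] == "yes":
            recert = _to_date(acct["last_recert"])
            if recert is None or recert < quarter_start:
                findings.append("privileged: not recertified this quarter")
        if findings:
            register.append({
                "account": acct["account"],
                "emp_id": acct["emp_id"] or None,
                "findings": findings,
                "as_of": as_of.isoformat(),
                "owner_decision": None,  # filled in by the named owner before close
            })
    return register


def paginate(register, pack_id, owner):
    """Stamp each register entry with the evidence reference and owner the
    examiner will see, e.g. ACC-2025Q1-003 owned by the identity lead."""
    for n, entry in enumerate(register, start=1):
        entry["evidence_ref"] = f"{pack_id}-{n:03d}"
        entry["evidence_owner"] = owner
    return register


if __name__ == "__main__":
    pack = paginate(reconcile(HR_ROSTER, IAM_EXPORT), "ACC-2025Q1", "Identity Security Manager")
    for e in pack:
        print(e["evidence_ref"], e["account"], "; ".join(e["findings"]))
```

On the constructed data the register comes back with four entries: the leaver whose account logged in after termination (and is privileged and unrecertified), an active privileged user not recertified this quarter, a service account with no HR owner, and an account whose owner id is not on the roster. The point of the owner-decision and evidence-reference fields is that the same file, once signed, is the artefact handed to the examiner; nothing is re-pulled at exam time.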
Module 3. Third-party risk evidence the OCC examiners accept
Covers the vendor risk evidence pack the OCC heightened-standards team asks for: SIG questionnaire on file, contract risk tier, last on-site or virtual assessment date, SOC 2 Type 2 report on file with bridge letter, and the fourth-party concentration view. Includes the one-page-per-vendor template that holds all of this in a single view, plus the workflow that keeps it current as vendors are onboarded, retiered, or sunsetted.
Module 4. Vulnerability and patch evidence tied to risk acceptance
Walks through the vulnerability management evidence pack: scan coverage by asset class, mean-time-to-remediate by severity, the risk-accepted exception register with expiry dates, the patch SLA exceptions tied to a named business owner, and the quarterly trend report. Includes the artefact pagination an FFIEC examiner expects when asking how the bank handles a CVSS 9.x vulnerability that has been in production for longer than the SLA window.
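The CVSS 9.x question in Module 4 is answered by a join between two artefacts: the scanner export and the risk-acceptance register. An open finding past its SLA falls into exactly one of three states, which is what the examiner wants to see on the page: no acceptance on file, an acceptance that has expired, or a current acceptance with a named business owner. The block below is an added example written for this page, not course material; the SLA windows, severity bands, CSV columns and sample rows are constructed assumptions, and the finding ids are placeholders rather than real CVEs.

```python
"""Vulnerability SLA exception check and mean-time-to-remediate roll-up.

Added example, not course material: works the Module 4 question "how does the
bank handle a CVSS 9.x vulnerability in production past the SLA window?" by
joining the scanner export to the risk-acceptance register. SLA windows,
severity bands, CSV columns and the sample rows are constructed assumptions."""
import csv
import io
from datetime import date
from statistics import mean

# Assumed remediation SLA in days by severity; use the bank's own standard.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Constructed scanner export (finding ids are placeholders, not real CVEs).
FINDINGS = """asset,finding,cvss,first_seen,remediated
db-prod-01,F-1001,9.8,2025-01-05,2025-01-15
web-prod-02,F-1002,9.1,2025-02-01,
app-prod-03,F-1003,7.5,2025-01-10,2025-02-20
app-prod-04,F-1004,9.4,2025-01-20,
hr-prod-05,F-1005,5.0,2025-03-01,
"""

# Constructed risk-acceptance register: every entry names a business owner
# and an expiry date, which is what the examiner checks first.
ACCEPTANCES = """asset,finding,business_owner,expires
web-prod-02,F-1002,Head of Digital Banking,2025-06-30
app-prod-04,F-1004,Payments Operations Lead,2025-02-28
"""

AS_OF = date(2025, 3, 31)


def severity(cvss):
    """CVSS v3 qualitative bands (assumed mapping used by the SLA table)."""
    score = float(cvss)
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def sla_exceptions(findings_text, acceptances_text, as_of=AS_OF):
    """Return one register entry per open finding older than its SLA,
    classified by whether a current, owner-stamped risk acceptance covers it."""
    accepted = {(a["asset"], a["finding"]): a for a in _rows(acceptances_text)}
    register = []
    for f in _rows(findings_text):
        if f["remediated"]:
            continue  # closed findings feed the MTTR roll-up instead
        sev = severity(f["cvss"])
        age = (as_of - date.fromisoformat(f["first_seen"])).days
        if age <= SLA_DAYS[sev]:
            continue
        acc = accepted.get((f["asset"], f["finding"]))
        if acc is None:
            status = "breach: no risk acceptance on file"
        elif date.fromisoformat(acc["expires"]) < as_of:
            status = f"breach: risk acceptance expired {acc['expires']} ({acc['business_owner']})"
        else:
            status = f"accepted until {acc['expires']} ({acc['business_owner']})"
        register.append({
            "asset": f["asset"], "finding": f["finding"], "severity": sev,
            "days_open": age, "sla_days": SLA_DAYS[sev], "status": status,
        })
    return register


def mttr_by_severity(findings_text):
    """Mean days from first_seen to remediated, per severity, for closed findings."""
    days = {}
    for f in _rows(findings_text):
        if not f["remediated"]:
            continue
        delta = (date.fromisoformat(f["remediated"]) - date.fromisoformat(f["first_seen"])).days
        days.setdefault(severity(f["cvss"]), []).append(delta)
    return {sev: mean(v) for sev, v in days.items()}


if __name__ == "__main__":
    for e in sla_exceptions(FINDINGS, ACCEPTANCES):
        print(e["finding"], e["severity"], e["days_open"], "days open;", e["status"])
    print(mttr_by_severity(FINDINGS))
```

On the constructed data two critical findings are past the assumed 15-day SLA as of quarter end: one is covered by a current acceptance naming its business owner, the other's acceptance lapsed a month earlier and so is a breach regardless of the paperwork that once existed. The medium finding is inside its window and does not appear. The expired-acceptance case is the one worth keeping in the register deliberately; an acceptance with no expiry, or one nobody re-reviews, is the gap examiners look for.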
Module 5. Incident response runbook to ticket reconciliation
Closes the gap between the documented IR runbook and what the SOC actually did during the last three significant incidents. Covers the ticket-to-runbook-step mapping, the closure-note discipline that lets an examiner trace an incident from detection to lessons learned, the after-action report template, and the FS-ISAC and OCC notification timing log. Includes the one-page incident summary the examiner will request for each Sev-1 and Sev-2 incident in the exam window.
Module 6. Cloud configuration baselines and drift evidence
Covers the cloud security evidence pack for the public-cloud workloads a super-regional bank typically runs: configuration baseline documentation, drift detection reports, identity-and-access policy review evidence, encryption-at-rest and in-transit attestation, and the privileged-access break-glass log. Includes a worked example showing how a Security Manager hands the examiner a clean evidence pack even when the cloud-engineering team owns the underlying infrastructure.
Module 7. The CAT maturity self-assessment without rewriting it every cycle
Treats the CAT maturity self-assessment as a living document rather than a once-a-year deliverable. Covers the per-domain maturity declaration, the supporting evidence pointer for each declarative statement, the quarterly refresh rhythm, and the change-log discipline that lets the examiner see how maturity has moved cycle over cycle. Includes the change-log template and the governance step that signs the refreshed self-assessment off with the CISO.
Module 8. Board cyber report drawn from the same evidence pack
Turns the board audit-committee cyber report into a derivative of the same evidence pack the examiner reads, rather than a separately constructed narrative. Covers the board-level metrics that draw from the access, vendor, vulnerability, incident, and cloud evidence packs, the heat-map template the audit committee actually engages with, and the one-page CISO summary. Includes the rhythm that keeps the board report and the examiner narrative aligned.
Module 9. Examiner Q and A and the evidence walk-back
Covers the operational discipline of handling the examiner Q and A: the document-request response workflow, the evidence walk-back when the first artefact is not what the examiner asked for, the request-for-information log, and the closing meeting preparation pack. Includes the response-template library that lets the Security Manager turn around an examiner request in hours rather than days.
Module 10. Issue and finding management between exam cycles
Covers the discipline of running an examiner-finding remediation plan between exam cycles: the finding-to-action-plan mapping, the milestone tracking that holds up under MRA or MRIA scrutiny, the evidence pack for finding closure, and the validation step that lets the bank close a finding with confidence. Includes the finding closure template and the governance step that signs the closure off.
Module 11. The continuous evidence rhythm between exams
Pulls every prior module into a single operational rhythm: the weekly evidence health check, the monthly evidence pack refresh, the quarterly CAT and vendor refresh, and the pre-exam ten-day final assembly. Covers the operating cadence that turns evidence packaging from a six-week scramble into a steady-state rhythm. Includes the calendar template a Security Manager can adopt directly.
Module 12. The hand-built implementation playbook for your slice
Walks through the per-buyer implementation playbook that is delivered alongside course access. The playbook is hand-built for the specific slice the Security Manager owns (identity, vendor, vulnerability, SOC, or cloud) and the specific bank size and regulator mix the Security Manager works against. Covers what the playbook contains, how to use it in the first two weeks, and how to extend the rhythm to the rest of the security organisation over the following quarter.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

The exam letter lands and twelve workstreams need owners, dates, and a coherent narrative inside six weeks.
Access recertification turns into a three-week ServiceNow export sprint every quarter the audit committee asks for it.
A vendor SIG response does not match the contractual risk tier and the OCC examiner asks why on first read.
The CAT maturity self-assessment is rewritten from scratch because last year's pagination is lost in the shared drive.

What you get with this course

  • Twelve written modules with downloadable templates and worked examples for every module.
  • The FFIEC CAT to evidence map spreadsheet, pre-populated with primary and secondary owner placeholders for the Security Manager's slice.
  • The quarterly access-recertification rhythm template, plus the orphan-account exception register and the privileged-access review pack.
  • The one-page-per-vendor third-party risk evidence template the OCC examiners accept.
  • The incident-to-runbook reconciliation template and the after-action report format.
  • The hand-built implementation playbook delivered alongside course access, tailored to the specific control slice the Security Manager owns and the bank's regulator mix.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours: account in the Art of Service learning environment is provisioned and the hand-built implementation playbook is delivered alongside it.

First 7 days: work modules 1 to 4, build the FFIEC CAT to evidence map for the specific slice the Security Manager owns, and stand up the access, vendor, and vulnerability evidence packs as quarterly rhythms.

Days 8 to 21: work modules 5 to 8, reconcile incident tickets to the IR runbook, assemble the cloud baseline and drift evidence, put the CAT maturity self-assessment on a refresh rhythm, and roll the board cyber report into the same evidence pack.

Days 22 to 45: work modules 9 to 11, stand up the examiner request-response workflow and the finding-remediation tracker, and embed the continuous evidence rhythm.

Quarter two: extend the rhythm to the other slices of the security organisation using the implementation playbook as the rollout reference.

Before and after

Before

Six weeks of nights and weekends every exam cycle, three weeks of access-recertification evidence pulls every quarter, a CAT maturity self-assessment rewritten from scratch, a board cyber report drafted separately from the examiner narrative, and the OCC examiner asking on first read why the vendor SIG and the contractual risk tier do not match.

After

A continuously maintained evidence pack tied to each FFIEC CAT statement, a two-day quarterly access-recertification close, a CAT maturity self-assessment refreshed with a change log, a board cyber report drawn from the same evidence pack the examiner reads, and a ten-day final assembly before the next exam letter lands.

What happens if you do not address this

The next exam letter lands, the Security Manager spends six weeks pulling and paginating evidence the bank already has, the examiner finds a vendor SIG that does not match the contractual risk tier, an MRA is issued for third-party risk management, the audit committee asks why the same finding shape keeps recurring cycle over cycle, and the Security Manager's slice of the control surface absorbs the remediation burden for the next two quarters.

Who it is for

A Security Manager (or Senior Manager, Information Security Manager, IT Risk Manager) at a US super-regional or money-centre bank who owns at least one of: identity and access management, vendor risk, vulnerability management, SOC operations, or cloud security. Reports into a CISO or Deputy CISO. Has been through at least one FFIEC IT exam and at least one OCC heightened-standards review. Spends a non-trivial slice of the year on evidence pulls, examiner Q and A, and remediation tracking.

Who this is NOT for. Not for first-line developers writing application security policy. Not for CISOs who delegate evidence packaging entirely to a GRC team. Not for community-bank Security Officers, whose primary federal regulator is typically the FDIC or a state authority and who are not held to the OCC heightened standards this course is written against. Not for security consultants who advise but never own the evidence pack themselves.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Approximately 12 to 16 hours of focused reading and template adoption across the first 45 days. The continuous rhythm, once in place, replaces rather than adds to the existing exam-prep workload.

Why $199 is the right number

A Big Four advisory engagement for FFIEC exam readiness typically runs into six figures and leaves the bank with a slide deck rather than a continuously maintained evidence pack. A GRC platform implementation addresses workflow but not the evidence pagination and owner discipline that examiners read first. Internal-only build cycles consume Security Manager and analyst time that the bank does not have spare. This course delivers the evidence rhythm and the per-buyer implementation playbook for 199 USD.

FAQ

Is this for the Security Manager only, or for the whole team?
Course access is for the buyer. The implementation playbook is hand-built for the slice the buyer owns. The templates can be rolled across the wider security organisation under the buyer's direction.
Does this cover OCC heightened standards as well as FFIEC?
Yes. The third-party risk and issue-management modules are written to the standard the OCC heightened-standards team reads against, which is the higher bar a money-centre or super-regional bank operates under.
Does this assume a specific GRC platform?
No. The templates are platform-neutral. They work whether the bank's GRC stack is Archer, ServiceNow IRM, MetricStream, OpenPages, or a spreadsheet-and-SharePoint rhythm.
What does the hand-built implementation playbook actually contain?
A per-buyer document that names the buyer's slice, the bank's regulator mix, the artefacts the buyer needs to stand up first, the calendar rhythm tailored to the buyer's exam cycle, and the closing template for the next exam window.
Is there a refund window?
Yes. Refund is available within 30 days if the course and implementation playbook do not fit the buyer's situation.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.