
The Senior IR Specialist Triage Playbook for Large US Banks

$199.00

A focused course, tailored for you

The Senior IR Specialist Triage Playbook for Large US Banks

Run the first 60 minutes of an in-bank incident so the regulator timeline, the legal hold, and the recovery clock all start clean.

At 02:17 the pager goes off. The SOC analyst is two months in, the duty officer wants a containment call, the BSA/AML team is asleep, and the regulator notification clock has already started ticking even though nobody has confirmed scope yet.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

A senior IR specialist inside a large US bank does not get to run a textbook NIST 800-61 cycle. Containment competes with banking continuity, eradication competes with end-of-day batch windows, recovery competes with relationship-manager travel calendars, and every decision is shadowed by the GLBA notification clock, the Reg S-P data-spill rules, the FFIEC CAT examination calendar, and the OCC supervisory letter that has not been written yet. The hardest part is not the malware. It is the sequencing of containment, legal hold, BSA/AML notification, customer-impact assessment, and executive briefing inside a 60-minute window when the duty officer is asking for a yes-or-no answer. Most playbooks are written by vendors who never had to brief a Chief Risk Officer at 03:30 about a host that touched a wire-transfer workflow. This course is written for the seat that has to make those calls.

What you walk away with

  • Run a containment decision in the first 15 minutes that preserves volatile artefacts, isolates the host without breaking active banking workflows, and starts the legal-hold paperwork.
  • Execute the GLBA notification triage and Reg S-P data-spill assessment inside the 60-minute window so the regulator clock starts clean.
  • Brief the duty officer, the CISO directorate, and the BSA/AML team with a single-page status pack that survives executive paraphrasing.
  • Hand the incident to the recovery team with a chain-of-custody, a timeline reconstruction, and a lessons-learned skeleton the OCC examiner can later read.
  • Run the post-incident retrospective so the next 02:17 pager hit lands on a duty officer who has 80 percent of the decisions pre-cached.

The 12 modules

Module 1. The 02:17 pager: triage in the first 15 minutes
Walks through the actual first 15 minutes of an in-bank IR cycle. Covers the standard pager payload from a US-bank-grade EDR, the duty-officer call tree, the three questions that have to be answered before any containment action (is the host in a banking workflow, is the alert authentic, is escalation warranted), and the decision matrix for isolate-versus-pull-versus-monitor that respects active wire transfers and end-of-day batch windows. Includes a worked example of a phishing-tied detection on a commercial-banking RM endpoint.
Module 2. Containment without breaking the wire
Containment inside a bank is not a button. It is a sequencing problem. This module covers how to isolate a host while preserving an in-flight ACH or Fedwire transfer the relationship manager initiated the prior evening, how to coordinate with the payment-operations duty officer before pulling network access, and how to capture volatile memory and live network connections before the SOC analyst reboots out of habit. Templates include a containment-authorisation form and a payment-operations notification script.
Module 3. GLBA notification triage in the 60-minute window
The Gramm-Leach-Bliley Act itself sets no deadline. The clocks that matter are the interagency guidance's duty to notify the bank's primary federal regulator as soon as possible once unauthorised access to sensitive customer information is known, and the Computer-Security Incident Notification Rule's 36-hour deadline, which runs from the bank's determination that a notification incident has occurred, not from the first alert. That is why the first hour's scoping record matters: it fixes when the determination was made. This module walks through the triage decision tree, the indicators that escalate an event from internal-investigation to regulator-notification status, the coordination with the bank's privacy officer, and the documentation trail that has to exist by hour 24. Includes a GLBA triage worksheet and a sample notification draft tuned to a US national bank holding company structure.
Module 4. Reg S-P data-spill assessment
Regulation S-P is the SEC's privacy and safeguards rule. It binds the broker-dealer and investment-adviser affiliates inside a US bank holding company; the bank itself answers to Regulation P and the banking agencies' GLBA guidance, so a host that touches affiliate data pulls two regimes into one incident. This module covers the data-spill scoping question the senior IR specialist has to answer in the first hour, the affiliate-notification chain when a host in the bank touches data that belongs to a broker-dealer affiliate, the customer-notification clock the 2024 Reg S-P amendments put on the affiliate (as soon as practicable, and no later than 30 days after it becomes aware of the unauthorised access), and the documentation standards that survive a FINRA examination. Includes a data-spill scope worksheet.
Module 5. FFIEC CAT-aligned containment evidence
The FFIEC Cybersecurity Assessment Tool has driven the examiner's expectations for incident-response maturity at a large US bank. This module walks through the CAT-aligned evidence the senior IR specialist has to capture during containment, the maturity-level alignment from baseline through innovative, the evidence handoff to the bank's third-line audit function, and the way CAT findings end up cited in an OCC supervisory letter. Note that the FFIEC has announced the CAT's retirement at the end of August 2025 and pointed institutions to NIST CSF 2.0 and the CRI Cyber Profile instead; the evidence discipline taught here maps onto those frameworks and onto the examiner expectations that outlive the tool. Includes a CAT evidence-capture checklist.
Module 6. FinCEN 314(b) sharing decisions during an IR cycle
When an incident touches a transaction that might involve money-laundering or terrorist-financing concerns, the senior IR specialist has to coordinate with the BSA/AML team on whether to invoke 314(b) voluntary information-sharing with another financial institution. Two checks come first: both institutions must hold a current 314(b) registration with FinCEN, and the sharing must be for the purpose of identifying and reporting suspected money laundering or terrorist financing; the BSA officer, not the IR specialist, owns that determination. This module covers the trigger conditions, the documentation requirements, the coordination with the BSA officer, and the way 314(b) sharing decisions land inside a SAR filing weeks later. Includes a 314(b) coordination worksheet.
Module 7. Executive briefing in under 200 words
At 03:30 the CISO joins the call and the Chief Risk Officer joins five minutes later. The senior IR specialist has 200 words to brief them. This module covers the structure of the briefing pack, the three numbers that always have to be in it, the way to handle questions the IR specialist cannot yet answer, and the format that survives executive paraphrasing. Includes a one-page briefing template and three worked examples.
Module 8. Legal hold and chain-of-custody for litigation later
A meaningful share of in-bank incidents end up in litigation, regulator enforcement, or both, 18 months later. The senior IR specialist owns the chain-of-custody from the first containment action. This module covers the legal-hold notification to the bank's general counsel, the evidence-preservation standards that survive a federal subpoena, the documentation of every command run on the affected host, and the way the IR specialist's notes end up in a deposition exhibit. Includes a chain-of-custody log template.
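Modules 2 and 8 describe one discipline from two sides: capture what a reboot or network isolation would destroy, most volatile first, and record every command run on the host so the record survives a deposition. The script below is an added example of that discipline in Python; it is not course material and not any bank's tooling. It assumes a Linux host with the listed tools, and the host name, operator name and log field names are illustrative. Each log entry commits to the SHA-256 of the command output and to the hash of the previous entry, so a later edit, deletion or reordering makes verify() fail.

```python
"""Order-of-volatility capture with a hash-chained chain-of-custody log.

Added example, not course material. Assumes a Linux host and the tools named
in VOLATILE_CAPTURE; every field name in the log is this example's own.
"""
import hashlib
import json
import subprocess
import time
from dataclasses import asdict, dataclass
from typing import Callable, Dict, List, Tuple

GENESIS = "0" * 64  # prev_hash of the first entry

# Most-volatile first (RFC 3227 ordering). Everything here is destroyed by a
# reboot or by network isolation, so it is captured before either happens.
VOLATILE_CAPTURE: List[Tuple[str, List[str]]] = [
    ("network_connections", ["ss", "-tanp"]),
    ("arp_neighbours", ["ip", "neigh"]),
    ("processes", ["ps", "-eo", "pid,ppid,user,lstart,cmd"]),
    ("logged_in_users", ["who", "-a"]),
    ("open_files", ["lsof", "-nP"]),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def run_command(argv: List[str]) -> bytes:
    """Default runner: execute argv and return stdout and stderr together."""
    proc = subprocess.run(argv, capture_output=True, check=False)
    return proc.stdout + proc.stderr


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str      # UTC, ISO 8601
    operator: str       # who ran the command
    host: str           # affected host
    label: str
    command: str
    output_sha256: str  # hash of the captured output, which is stored separately
    prev_hash: str      # entry_hash of the previous entry, or GENESIS
    entry_hash: str = ""

    def compute_hash(self) -> str:
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())


class CustodyLog:
    """Append-only log; each entry commits to the one before it."""

    def __init__(self, operator: str, host: str,
                 clock: Callable[[], float] = time.time):
        self.operator, self.host, self.clock = operator, host, clock
        self.entries: List[CustodyEntry] = []

    def record(self, label: str, argv: List[str], output: bytes) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(
            seq=len(self.entries),
            timestamp=time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(self.clock())),
            operator=self.operator, host=self.host, label=label,
            command=" ".join(argv), output_sha256=sha256_hex(output), prev_hash=prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if no entry was altered, inserted, removed or reordered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def to_json(self) -> str:
        return json.dumps([asdict(e) for e in self.entries], indent=2)


def capture_volatile(log: CustodyLog,
                     run: Callable[[List[str]], bytes] = run_command,
                     captures=VOLATILE_CAPTURE) -> Dict[str, bytes]:
    """Run each capture in order, logging it before moving to the next.

    Isolation (EDR quarantine, switch-port shut) is issued only after this
    returns, so the artefacts exist before the network goes away.
    """
    artefacts: Dict[str, bytes] = {}
    for label, argv in captures:
        output = run(argv)
        log.record(label, argv, output)
        artefacts[label] = output
    return artefacts


if __name__ == "__main__":
    # Hypothetical operator and host names.
    log = CustodyLog(operator="ir-oncall", host="rm-wks-0142")
    capture_volatile(log)
    print(log.to_json())
    print("chain intact:", log.verify())
```

Run it with root privileges before any isolation action, and keep the raw output files and the JSON log on media separate from the host, with the final entry_hash written into the containment-authorisation form or timestamped by a system the host cannot reach. On Windows the capture list would be swapped for the EDR's live-response equivalents; the logging and verification logic are unchanged.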
Module 9. Customer-impact assessment and the customer-notification window
When customer information is implicated, the bank has notification obligations to its primary federal regulator (the OCC for a national bank, the FDIC or FRB for a state-chartered bank), to state regulators, and to customers themselves under the interagency guidance, which calls for customer notice when misuse of sensitive customer information has occurred or is reasonably possible. This module covers the customer-impact scoping done in the first six hours, the coordination with the bank's customer-experience and corporate-communications teams, the timing of the customer notification, and the call-centre script that has to be ready before the notification mails out. Includes a customer-impact assessment worksheet.
Module 10. Handoff to recovery and the eradication-versus-business-continuity tradeoff
Eradication competes with banking continuity. The senior IR specialist has to hand the incident to the recovery team with a clear directive on what can be eradicated immediately, what has to wait for the end-of-day batch window, and what has to be rebuilt from a clean baseline. This module covers the handoff packet, the coordination with infrastructure operations, the recovery-clock tracking, and the way recovery decisions get re-litigated in the post-incident review. Includes a recovery-handoff packet template.
Module 11. The OCC supervisory letter six months later
Every significant in-bank incident eventually ends up in an OCC supervisory letter, an FRB matter-requiring-attention, or a state-regulator examination finding. This module walks through how the IR specialist's notes, timeline reconstruction, and lessons-learned document get cited in that letter six months later, what examiners are looking for, how to write the contemporaneous record so the bank's response is strong, and how to coordinate with the third-line audit function on the remediation plan.
Module 12. Pre-caching the next 02:17 pager
Eighty percent of the decisions a senior IR specialist makes during an incident could have been pre-cached during a calm Tuesday. This module covers the duty-officer playbook that pre-positions containment authorisations, the tabletop-exercise schedule that exercises the next likely incident class, the cross-training programme that prepares the next specialist, and the after-action template that turns each incident into a structural improvement to the bank's IR posture.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

02:17 pager hits, host on commercial-banking VLAN with phishing-tied EDR detection: modules 1, 2, 3, 7.
Data-spill scoping where host touched broker-dealer-affiliate data: modules 4, 8, 9.
OCC examination preparation following a Q1 incident that produced a supervisory letter: modules 5, 11.
BSA/AML coordination on an incident touching a flagged transaction: modules 6, 9, 11.

What you get with this course

  • Twelve written modules with worked US-bank-specific incident examples.
  • Downloadable templates for containment authorisation, GLBA triage, Reg S-P scoping, FFIEC CAT evidence capture, FinCEN 314(b) coordination, executive briefing, chain-of-custody, customer-impact assessment, recovery handoff, and duty-officer pre-cache.
  • The hand-built implementation playbook tuned to the duty-officer rotation a senior IR specialist actually runs.
  • Access to the Art of Service learning environment for the duration of the course.

What you will have in hand by Day 1, Week 1, Month 1

Within 24 hours: course provisioned in the Art of Service learning environment and the hand-built implementation playbook delivered alongside it.

Week 1: modules 1 through 4. Containment, GLBA, Reg S-P. Pair with the next duty-officer rotation.

Week 2: modules 5 through 8. FFIEC CAT, FinCEN 314(b), executive briefing, legal hold. Pair with a tabletop exercise.

Week 3: modules 9 through 12. Customer-impact, recovery handoff, OCC letter trajectory, pre-caching. Pair with the next quarterly IR programme review.

Before and after

Before

The 02:17 pager produces 90 minutes of improvisation. Containment competes with the wire. The GLBA clock starts before the scope is known. The CISO briefing wanders. The OCC supervisory letter cites gaps in contemporaneous documentation.

After

The 02:17 pager produces a 15-minute containment decision, a 30-minute GLBA and Reg S-P triage, a 200-word executive brief at minute 45, and a clean handoff to recovery at the 60-minute mark. The supervisory letter six months later cites the bank's response, not its gaps.

What happens if you do not address this

Without a sequenced senior-specialist playbook tuned to a US bank, the cost of the next significant incident is not the malware. It is the regulator letter, the customer-notification window missed by four hours, the chain-of-custody gap that surfaces in a deposition, and the supervisory finding that drives 18 months of remediation work the IR specialist personally owns.

Who it is for

Senior Incident Response Specialist inside a large US bank, working duty-officer rotations, owning the first 60 minutes of any IR cycle that touches commercial banking, retail banking, treasury services, or payment processing. Reports into a CIRT lead or CISO directorate. Has authority to contain hosts and to escalate to legal, BSA/AML, and corporate communications. Sits at the intersection of NIST 800-61, FFIEC CAT, GLBA, Reg S-P, FinCEN 314(b), and OCC supervisory expectations.

Who this is NOT for. This is not for first-year SOC analysts who do not yet have containment authority. It is not for fraud-investigation analysts whose remit is transaction monitoring rather than endpoint or network IR. It is not for vendor-side incident responders working a managed-detection contract from outside the bank. It is also not for IT operations staff who handle outage response without an information-security mandate.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Approximately three to four hours per module. Most senior IR specialists complete the twelve-module sequence inside three weeks while running their normal duty-officer rotation.

Why $199 is the right number

SANS FOR508 and FOR578 cover the technical forensics and threat-intelligence layers but do not address GLBA, Reg S-P, FFIEC CAT, FinCEN 314(b), and OCC supervisory dynamics specific to a US bank. Internal bank training tends to be high-level policy walkthroughs rather than sequenced 60-minute playbooks. The free NIST 800-61 guidance is the foundation but does not name a single US banking artefact. This course sits at the intersection that the senior IR specialist actually works in.

FAQ

Is this generic incident response training?
No. Every module is anchored in a US-bank-specific artefact: GLBA notification, Reg S-P data-spill assessment, FFIEC CAT alignment, FinCEN 314(b) coordination, OCC supervisory letter trajectory. A SOC analyst at a non-bank technology firm would not find the same sequencing useful.
How is the implementation playbook hand-built?
Once the course is purchased, the playbook is tuned to the senior IR specialist's actual duty-officer rotation, escalation tree, and bank-specific regulatory posture. It is delivered alongside course access in the learning environment within 24 hours.
Does this conflict with my bank's internal IR runbook?
It is designed to complement an internal runbook by adding the sequencing layer most internal runbooks leave to senior judgement. The downloadable templates are designed to slot into an existing runbook rather than replace it.
What if my bank is a regional rather than a money-centre institution?
The course is written for senior IR specialists at large US banks, which includes both money-centre and large regional institutions. The GLBA, Reg S-P, FFIEC CAT, and FinCEN dynamics are common across both. Money-centre-specific dynamics like OCC heightened-standards expectations are called out where relevant.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.