CBSM: Certified Banking Security Manager

5 sessions

Chad Knutson

Upcoming Sessions

  • U.S. Information Security Laws and Regulations
  • Information Security Program Components
  • Security Awareness Programs
  • IT Audit
  • Social Engineering
  • Preparing for your IT Examinations
  • Running Effective IT and Audit Committees

If session dates do not work for you, please contact the institute:

Email:, Phone: (605)269-0909

By purchasing this certification, you are hereby agreeing to the policies and procedures of the SBS Institute. Click HERE to read and review.


Module 1 – Building an Information Security Program

Lecture 1 – Regulatory Overview and ISP

We begin our discussion with an analysis of GLBA and the requirements established by the safeguards rule. Then we evaluate the information provided by the FDIC, OCC, and Federal Reserve designed to address GLBA and help institutions document a comprehensive information security program. Additional resources from NIST, SANS, ISO, and other entities that have built frameworks for information security are evaluated. The objective of this section is to equip students with tools to help them construct a risk-based information security program that is right for their size and complexity.

Assignment 1: Policy Writing Exercise

Module 2 – Risk Management

Lecture 1 – Risk Assessments

The risk assessment discussion begins with an analysis of the regulatory requirements to conduct a risk assessment. We then use NIST 800-30 guidance as a supplement to construct a repeatable risk assessment methodology for financial institutions. We will look at asset-based risk assessment methodologies that help identify critical IT assets, their importance, and the known impact and probability of threats, in order to identify inherent risk. We then identify the controls currently in place to calculate residual risk, measuring this against the board-approved risk appetite. Students will exercise the discussed methodology in a scenario-based exercise.

Lecture 2 – FFIEC Cybersecurity Assessment

This module will also review the guidance and process established by the FFIEC for completion of the Cybersecurity Assessment Tool. It is also critical to build a governance program to ensure a consistent methodology is followed, reports are taken to the appropriate channels, gaps are identified and managed, and improvements are made to the overall information security program. Policies will be discussed to manage the cybersecurity assessment process, and students will step through the inherent risk and cyber maturity questions for baseline controls.

Assignment 1: Risk Assessment Exercise

Module 3 – Third Party Management and BCP

Lecture 1 – Third Party Management and BCP

Third Party Risk Management processes are discussed using guidance provided by regulatory agencies, to build a program for selecting new relationships and managing existing ones. Ideas for each step of the process will be discussed, with a focus on building a model that provides the same level of assurance around security as if the product or service were delivered in-house. This includes applying the previously discussed risk assessment process to the third party and leveraging examination reports, SSAE16 (soon SSAE18) reports, internal or external IT Audit reports, and so forth. Attendees will learn to identify issues and manage those risks within their risk appetite levels.

Business Continuity and Disaster Recovery are discussed in this next section. The FFIEC BCP Appendix J (Third Party Management) guidance is evaluated to ensure we connect and integrate cybersecurity risk and the need to understand dependencies on third parties in our business continuity planning. The FFIEC guidance is explored to build a process around Business Impact Analysis, Risk Assessment, Risk Management, and Testing.

Assignment 1: Third Party Management Exercise

Module 4 – Incident Response and Network Security

Lecture 1 – IRP and Network Security

This section will discuss building an incident response policy and detailed procedures for a financial institution. We will examine threats against the institution's network, third party breach notification procedures, CATO incidents, and physical losses. Banking regulations are augmented with NIST 800-61 to build a robust IRP.

Customer and Employee Security Training and Awareness models are also discussed in this section. These programs must mature beyond annual training sessions into a continual learning program that reminds people of the current and evolving threats we face and reinforces the policies and procedures the institution has created to manage those risks. We explore ideas to build a continuous learning approach.

The last major topic in this section is Network Security. We explore the FFIEC guidance and the supplemental regulatory guidance issued over the years, with additional focus on other resources that management can use to guide its network security efforts, such as the NIST 7621 small business security standard, the SANS (CIS) Top 20 Controls, and emerging advanced control ideas.

Module 5 – Security and Technology Trends

Lecture 1 – Security and Technology Trends

This section reviews hot topics in cybersecurity and goes over these threats in detail. ATM fraud, CATO, ransomware, APT threats like Carbanak, malware attacks, phishing campaigns, wire fraud, and many other issues are discussed, and their associated guidance is reviewed.

Assignment 1: Ransomware Guidance GAP Exercise

Assignment 2: FBI Wire Guidance GAP Exercise

Module 6 – Audit

The Audit section is one of the 3 pillars of this course. A strong program is driven by a risk assessment, which produces documented policies and procedures, and audit then validates that those controls are implemented and adequate to protect the institution. We will discuss the auditing of people, process, and technology. First is process, with the IT Audit of policies and procedures. Then technology, with network assessments such as vulnerability assessment and penetration testing. Lastly, people are tested with social engineering. We will also talk about specific audit items from the FFIEC CAT, such as firewall reviews and access control audits.

Lecture 1 – Auditing Components

Assignment 1: Audit Exercise

Module 7 – Governance Structure and Enterprise Risk Management

Lecture 1 – IT Governance and ERM

Assignment 1: Audit Exercise

Module 8 – Board Involvement in Information Security Programs

Lecture 1 – Board Involvement

We will dive deeper into the governance challenges faced by financial institutions today to give practical examples of the information that should be communicated to the board and how to drive more "credible challenge" and board involvement in the institution. We will apply the previous sections of this course in a review-type process from a board and executive level perspective, to ensure we involve them at the proper level and communicate a responsible amount of information.

Module 9 – InTREx Examination Process

The FDIC has released a new examination process which includes a risk-based approach to scoping the examination. This program consists of multiple parts, with an inherent risk assessment process and a control evaluation. We will examine these questions and controls, walking through the process together. Students will be given a scenario and asked to facilitate an examination.

Assignment 2: InTREx Exam Exercise


Comprehensive 100 Multiple Choice Exam

11/02/2021 CBSM
02/01/2022 CBSM
05/03/2022 CBSM
08/02/2022 CBSM
11/1/2022 CBSM