
Regulatory Security Explanation (Capital One 2019)

Use this to explain your organization’s security posture and controls to a regulator (e.g., OCC, FTC, SEC); demonstrates program effectiveness and responsiveness.


Purpose

This explanation frames the organization’s security posture for regulator, examiner, or counsel review in light of Capital One 2019. It connects governance, technical controls, and evidence practices to the relevant legal or enforcement context so external stakeholders can assess control reasonableness and implementation maturity.

Hallucinated writing examples

Scenario: In an illustrative period following the 2019 Capital One cloud breach and related enforcement and litigation tracks (time), the Capital One Bank (USA), N.A. — Chief Information Security Officer (role) prepares a regulatory security explanation (type) for Office of the Comptroller of the Currency (Examiner) (audience).

REGULATORY SECURITY EXPLANATION

To: Office of the Comptroller of the Currency (Examiner)
From: Capital One Bank (USA), N.A. — Chief Information Security Officer
Date: December 1, 2020
Re: Response to Cybersecurity Examination — Security Posture and Control Environment (Post–July 2019 Incident; Consent Order)

Introduction: This submission describes the Bank’s security posture, governance, and control environment for the period following the July 2019 cybersecurity incident and in response to the Consent Order and Civil Money Penalty issued by the Office of the Comptroller of the Currency on August 6, 2020 (OCC News Release NR 2020-98). The scope of this response includes governance, risk management, control environment, evidence of operation, and the incident and remediation. All assertions are supportable by the attached evidence index and underlying policies, assessments, and operational artifacts.

Governance: The Board of Directors delegates oversight of technology and cybersecurity risk to the Board Audit Committee. The Committee receives quarterly reporting on cybersecurity risk, control effectiveness, and Consent Order progress. The Chief Information Security Officer reports to [designated executive] and has authority over security policy, standards, and control implementation. Security and technology risk committees meet on a [cadence] basis; charters and minutes are maintained and available for examiner review.

Risk Management: The Bank identifies, assesses, and mitigates cyber risk through a defined risk taxonomy, risk register, and escalation to the Board. Following the July 2019 incident and the OCC’s findings, cloud configuration governance, identity and access management (IAM), and logging and retention were elevated as top risks. Mitigation is tracked with revisit dates and evidence linkage; progress is reported to the OCC per the Consent Order.

Control Environment and Evidence of Operation: Key controls by domain: (1) Cloud and perimeter. Config-as-code and peer review for designated AWS perimeter and WAF controls; drift detection deployed, with each detected deviation either remediated or covered by a documented exception. Evidence: repository history, change tickets, baseline documents, drift reports. (2) Identity and access. Periodic least-privilege review and reduction of over-permissioned roles, including removal of wildcard grants not justified by a documented business need. Evidence: IAM inventory, review records. (3) Logging and retention. Centralized logging; 90-day retention for designated security-relevant data. Evidence: retention policy, log coverage reports. (4) Incident response. IR plan, tabletop exercises, forensic readiness. Evidence: plan document, exercise summaries.

Incidents and Remediation: The July 2019 incident involved unauthorized access by an external actor to customer data stored in AWS-hosted infrastructure; the unauthorized access occurred in March 2019 and was discovered on July 19, 2019, so roughly four months elapsed between initial access and detection. The actor exploited a misconfigured web application firewall to obtain the credentials of an IAM role whose permissions allowed listing and reading the affected S3 buckets. Root causes were identified as configuration weakness and governance gaps. Remediation: the misconfiguration was fixed upon discovery in July 2019; law enforcement was notified; the individual was arrested (United States v. Paige A. Thompson). Consent Order commitments are in progress and reported to the OCC. The Bank has strengthened governance, risk management, and controls per the Consent Order and internal roadmap. This response is submitted for examiner review and is supported by the attached evidence index.
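The least-privilege review and drift-detection controls described under Control Environment, and the over-permissioned IAM role named as a root cause in the incident paragraph, can be illustrated with one script. The following is an added example and is not the Bank's, the page's, or AWS's code. The two policy documents, the bucket name example-waf-logs, and the S3_READ_ACTIONS watch list are constructed for illustration and are not Capital One's actual role policies. The review goes slightly beyond the single case in the text in that it flags any wildcard action pattern, not only S3, and compares a live policy against a reviewed baseline the way a drift report would.

```python
"""Least-privilege review and baseline drift check for IAM policy documents.

Added example, not code from the page, the Bank, or AWS. The policy
documents below are constructed for illustration and are not Capital One's
actual role policies; S3_READ_ACTIONS is a reviewer-chosen watch list, not
an AWS-defined set.
"""
import hashlib
import json
from fnmatch import fnmatchcase

# Constructed sample: the over-permissioned pattern a least-privilege review
# should flag (service-wide wildcard, then bucket-wide reads on every bucket).
OVER_PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": "*"},
    ],
}

# Constructed sample: the reviewed baseline it is reduced to (one bucket,
# read-only) plus an explicit Deny, which the review correctly ignores.
BASELINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-waf-logs/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}

# S3 actions that let a stolen credential enumerate and read stored data
# (assumption: a reviewer's watch list for this exercise).
S3_READ_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return (statement index, action, reason) for every over-broad Allow.

    Flags any wildcard action ("*" or "service:*"), and any action pattern
    that matches a watched S3 read action when the Resource is "*".
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        any_resource = "*" in resources
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((idx, action, "wildcard action"))
            elif any_resource and any(fnmatchcase(a, action) for a in S3_READ_ACTIONS):
                findings.append((idx, action, "S3 read on Resource '*'"))
    return findings


def policy_fingerprint(policy):
    """SHA-256 of the canonical JSON form, suitable for an evidence index.

    Key order is normalized; list order (e.g. of Actions) is not, so a
    reordered list yields a new fingerprint and should be re-reviewed.
    """
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def detect_drift(baseline, live):
    """Statements in the live policy that are absent from the reviewed baseline.

    Each such statement is a grant added outside the config-as-code path and
    needs remediation or a documented exception.
    """
    def key(stmt):
        return json.dumps(stmt, sort_keys=True)

    baseline_keys = {key(s) for s in baseline.get("Statement", [])}
    return [s for s in live.get("Statement", []) if key(s) not in baseline_keys]


if __name__ == "__main__":
    for finding in review_policy(OVER_PERMISSIVE_POLICY):
        print("FINDING statement %d: %s (%s)" % finding)
    print("baseline findings:", review_policy(BASELINE_POLICY))
    print("baseline fingerprint:", policy_fingerprint(BASELINE_POLICY))
    print("drift vs baseline:", detect_drift(BASELINE_POLICY, OVER_PERMISSIVE_POLICY))
```

In practice the live document is fetched with the IAM GetRolePolicy or GetPolicyVersion API rather than embedded, and the baseline is the policy committed in the config-as-code repository; the fingerprint of the reviewed baseline is what the evidence index records, and a non-empty drift list is what the drift report escalates.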

Document-type guide: Regulatory Security Explanation

Writing tips: Writing best practices — Regulatory Security Explanation

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM