- How do you create and store your personal passwords?
- This question is important as although most companies have guidelines on how to create and store passwords for company use, personal accounts can still create vulnerabilities in a company’s infrastructure.
- The desired answer would be that they use either randomly generated-numbers or random phrases they’ve put together. To store them, I would prefer that they either attach them to their personal emails (which also have passwords created/stored in the same way) or keep them written in a secure place. In addition, the use of two-factor authentication would be preferred.
- Are you comfortable in your ability to view private information about people you potentially know and keep it private?
- This question is especially important as an ISO might often have to look through the data they’re protecting, and depending on the nature of the data, it might be information regarding their fellow employees or friends who do business with their employer. It is important that this information stays confidential.
- The desired answer would be that they are comfortable in their ability to process this information and act as if they don’t know it even exists.
- If you were put in charge the security of your company’s data, what methods would you utilize to protect it? This involves both detecting and dealing with threats.
- This question is important as it strikes at the core of what an ISO does. If candidates aren’t familiar with even basic threat detection and neutralization they aren’t qualified for the job.
- The preferred answer here would be a laundry list of potential items ranging from: basic random password generation, two-factor authentication, comparing past logins to find abnormal login methods/locations, enforcing package verification with file hashing, close-monitoring of logs (both automated and manual), etc. Any number of methods so long as they fall in the ballpark of the aforementioned methods.
- How would you deal with the detection of an attack that the system failed to prevent?
- This question is important because the way an employee handles a cyber attack can greatly affect a company’s standing both in the eyes of consumers and investors. Company’s can be brought to their knees should employees fail to report attacks in a timely manner for personal reasons such as protecting their jobs.
- The preferred response would be that the candidate would immediately report the error to their superiors so that everyone can be alerted, and all the relevant authorities are able to start addressing the problem. The candidate should also determine the extent of the attack: who made it, who were they targeting, and what information was stolen.
- How do you plan on keeping the company’s information security protocols competent in the ever-advancing world of cybercrime?
- This question is important as cybercriminals are constantly developing and discovering new ways to penetrate network security systems.
- The preferred answer here would be looking at what other companies are doing with their own networks and researching developing technologies to use as inspiration for the advancement of their own company. This ensures that they stay competitive and secured.