Common Technical Interview Questions and Answers, updated on December 31, 2020

Question 101: What steps must be completed prior to the start of a risk assessment in an organization?
A. Determine the qualifications of the firm that will perform the audit.
B. Determine scope, purpose, and criteria for the audit.
C. Determine the qualifications of the person(s) who will perform the audit.
D. Determine scope, applicability, and purpose for the audit.
Correct Answer: B. Determine scope, purpose, and criteria for the audit.
Explanation: According to ISO/IEC 27005 and other risk management frameworks, it is first necessary to establish the context of an audit. This means making a determination of the scope of the audit — which parts of the organization are to be included. Also, it is necessary to determine the purpose of the risk assessment; for example, determining control coverage, control effectiveness, or business process effectiveness. Finally, the criteria for the audit need to be determined.

“Determine the qualifications of the firm that will perform the audit” and “determine the qualifications of the person(s) who will perform the audit” are incorrect because any confirmation of qualifications would be determined prior to this point. “Determine scope, applicability, and purpose for the audit” is incorrect because an audit that was not applicable should not be performed.

Question 102: A risk manager recently completed a risk assessment in an organization. Executive management asked the risk manager to remove one of the findings from the final report. This removal is an example of what?
A. Gerrymandering
B. Internal politics
C. Risk avoidance
D. Risk acceptance
Correct Answer: D. Risk acceptance
Explanation: Although this is a questionable approach, removal of a risk finding in a report is, implicitly, risk acceptance. It could, however, be even worse than that, and in some industries, this could be considered negligent and a failure of due care. A risk manager should normally object to such an action and may consider documenting the matter or even filing a formal protest.

“Gerrymandering” is incorrect because the term “gerrymandering” is related to the formation of electoral districts in government. “Internal politics” is incorrect because, although the situation may be an example of internal politics, this is not the best answer. “Risk avoidance” is incorrect because risk avoidance is defined as a discontinuation of the activity related to the risk.

Question 103: A new CISO in a financial service organization is working to get asset inventory processes under control. The organization uses on-premises and IaaS-based virtualization services. What approach will most effectively identify all assets in use?
A. Perform discovery scans on all networks.
B. Obtain a list of all assets from the patch management platform.
C. Obtain a list of all assets from the security event and information management (SIEM) system.
D. Count all of the servers in each data center.
Correct Answer: A. Perform discovery scans on all networks.
Explanation: Although none of these approaches is ideal, performing discovery scans on all networks is the best first step. Even so, it will be necessary to consult with network engineers to ensure that discovery scans cover all known networks in both on-premises and IaaS environments. Other helpful steps include interviewing system engineers to understand the virtual machine management systems in use and obtaining inventory information from them.

“Obtain a list of all assets from the patch management platform” is incorrect because patch management systems may not be covering all assets in the organization’s environment. “Obtain a list of all assets from the security event and information management (SIEM) system” is incorrect because the SIEM may not be receiving log data from all assets in the organization’s environment. “Count all of the servers in each data center” is incorrect because the organization is using virtualization technology, as well as IaaS-based platforms; counting servers in an on-premises data center will fail to discover virtual assets and IaaS-based assets.

Question 104: An internal audit examination of the employee termination process determined that in 20 percent of employee terminations, one or more terminated employee user accounts were not locked or removed. The internal audit department also found that routine monthly user access reviews identified 100 percent of missed account closures, resulting in those user accounts being closed no more than 60 days after users were terminated. What corrective actions, if any, are warranted?
A. Increase user access review process frequency to twice per week.
B. Increase user access review process frequency to weekly.
C. No action is necessary since monthly user access review process is effective.
D. Improve the user termination process to reduce the number of missed account closures.
Correct Answer: D. Improve the user termination process to reduce the number of missed account closures.
Explanation: The rate at which user terminations are not performed properly is too high. Increasing the frequency of user access reviews will likely take too much time. The best remedy is to find ways of improving the user termination process. Since the “miss” rate is 20 percent, it is assumed that all processes are manual.

“Increase user access review process frequency to twice per week” and “increase user access review process frequency to weekly” are incorrect because the user access review process likely takes too much effort. “No action is necessary since monthly user access review process is effective” is incorrect, since a “miss” rate of 20 percent would be considered too high in most organizations. An acceptable rate would be under 2 percent.

Question 105: What is typically the greatest challenge when implementing a data classification program?
A. Difficulty with industry regulators
B. Understanding the types of data in use
C. Training end users on data handling procedures
D. Implementing and tuning DLP agents on servers and endpoints
Correct Answer: C. Training end users on data handling procedures
Explanation: The most difficult challenge associated with implementing a data classification program is ensuring that workers understand and are willing to comply with data handling procedures. By comparison, automation is simpler primarily because it is deterministic.

“Difficulty with industry regulators” is incorrect because regulators are not typically as concerned with data classification as they are with the protection of relevant information. “Understanding the types of data in use” is incorrect because, although understanding the data in use in an organization can be a challenge, user compliance is typically the biggest challenge. “Implementing and tuning DLP agents on servers and endpoints” is incorrect because implementing and tuning agents is not usually as challenging as training end users to change their behavior.

Question 106: Randi, a security architect, is seeking ways to improve defense-in-depth against ransomware. Randi’s organization employs advanced antimalware on all endpoints and antivirus software on its e-mail servers. Endpoints also have an IPS capability that functions while endpoints are onsite or remote. What other solution should Randi consider to improve defenses against ransomware?
A. Data replication
B. Spam and phishing e-mail filtering
C. File integrity monitoring
D. Firewalls
Correct Answer: B. Spam and phishing e-mail filtering
Explanation: The next solution that should be considered is a solution that will block all incoming spam and phishing e-mail messages from reaching end users. This will provide a better defense-in-depth for ransomware since several other good controls are in place.

“Data replication” is incorrect because data replication is not an adequate defense against ransomware: files encrypted by ransomware are likely to be replicated onto backup file stores. Instead, offline backup such as magnetic tape or e-vaulting should be used. “File integrity monitoring” is incorrect because file integrity monitoring (FIM) is generally not chosen as a defense against ransomware. “Firewalls” is incorrect because firewalls are not an effective defense against ransomware, unless they also have an IPS component that can detect and block command-and-control traffic.

Question 107: A SaaS provider performs penetration tests on its services once per year, and many findings are identified each time. The organization’s CISO wants to make changes so that penetration test results will improve. The CISO should recommend all of the following changes except which one?
A. Add a security review of all proposed software changes into the SDLC.
B. Introduce safe coding training for all software developers.
C. Increase the frequency of penetration tests from annually to quarterly.
D. Add the inclusion of security and privacy requirements into the SDLC.
Correct Answer: C. Increase the frequency of penetration tests from annually to quarterly.
Explanation: Increasing the frequency of penetration tests is not likely to get to the root cause of the problem, which is the creation of too many security-related software defects.

“Add a security review of all proposed software changes into the SDLC” is incorrect because the addition of a security review for proposed changes is likely to reveal issues that can be corrected prior to development. “Introduce safe coding training for all software developers” is incorrect because safe coding training can help developers better understand coding practices that will result in fewer security defects. “Add the inclusion of security and privacy requirements into the SDLC” is incorrect because the addition of security and privacy requirements will help better define the nature of new and changed features.

Question 108: An end user in an organization opened an attachment in e-mail, which resulted in ransomware running on the end user’s workstation. This is an example of what?
A. Incident
B. Vulnerability
C. Threat
D. Insider threat
Correct Answer: A. Incident
Explanation: Ransomware executing on an end user’s workstation is considered an incident. It may have been allowed to execute because of one or more vulnerabilities.

“Vulnerability” is incorrect because a vulnerability is a configuration setting or a software defect that can, if exploited, result in an incident. “Threat” is incorrect because ransomware, by itself, is considered a threat, but ransomware executing on a system is considered an incident. “Insider threat” is incorrect because this is not considered an insider threat. However, users having poor judgment (which may include clicking on phishing messages) is considered an insider threat.

Question 109: What is the correct sequence of events when onboarding a third-party service provider?
A. Contract negotiation, examine services, identify risks, risk treatment
B. Examine services, identify risks, risk treatment, contract negotiation
C. Examine services, contract negotiation, identify risks, risk treatment
D. Examine services, identify risks, risk treatment
Correct Answer: B. Examine services, identify risks, risk treatment, contract negotiation
Explanation: The best sequence here is to examine the services offered by the third party, identify the risks associated with doing business with the third party, make decisions about what to do about those risks, and then enter into contract negotiations.

“Contract negotiation, examine services, identify risks, risk treatment” and “Examine services, contract negotiation, identify risks, risk treatment” are incorrect because contract negotiation should not take place prior to identifying risks that may need to be addressed in a contract. “Examine services, identify risks, risk treatment” is incorrect because contract negotiation is not included.

Question 110: The advantages of automatic controls over manual controls include all of the following except which one?
A. Automatic controls are generally more reliable than manual controls.
B. Automatic controls are less expensive than manual controls.
C. Automatic controls are generally more consistent than manual controls.
D. Automatic controls generally perform better in audits than manual controls.
Correct Answer: B. Automatic controls are less expensive than manual controls.
Explanation: Automatic controls are not necessarily less expensive than manual controls; in some cases, they may be considerably more expensive than manual controls.

“Automatic controls are generally more reliable than manual controls” is incorrect because automated controls are typically more reliable and accurate than manual controls. “Automatic controls are generally more consistent than manual controls” is incorrect because automated controls are typically more consistent than manual controls. “Automatic controls generally perform better in audits than manual controls” is incorrect because automated controls generally perform better in audits.