Interview question- Simplistic way of achieving regulatory compliance
ankurj.hazarika
Team-
I happened to appear for an interview with one of the Big 4 firms today. I was asked, “If a Financial Client asks for the simplest solution of achieving regulatory compliance against the likes of FFIC, PCI, etc., what would be my approach?”
My answer- My approach then would be to request the client to procure a GRC solution, maybe- probably an RSA Archer or an Agiliance RiskVision. Depending upon the inputs the tool would require (type of industry, regulatory authorities that I want compliance against, etc.), the tool would populate a list of security controls (obviously eliminating the redundant controls common across these standards). The organization would then have to assign a Security Risk Assessor to do a gap analysis of all those controls by liaising with different departments across the organization, gather answers and then perform a risk assessment. Following that, the organization would need to develop a risk-mitigating strategy for any risk that emanates out of the RA, and for which the organization's tolerance level is zero. Following that, the monitoring and continual improvement plans happen.
What do you think about this answer, folks? Can you please suggest a better answer?
Comments
simondeys
The answer sounds good, but did you clear the interview, ...
ankurj.hazarika
This was supposed to be the third and final round. But at the end of the interview, the director said he would like to have another round of technical interview with me, and that HR will get in touch with me. Fingers crossed!