Interview question- Simplistic way of achieving regulatory compliance
ankurj.hazarika
Member Posts: 56
in SSCP
Team-
I happened to appear for an interview with one of the Big 4 firms today. I was asked, “If a Financial Client asks for the simplest solution of achieving regulatory compliance against likes of FFIC, PCI etc., what would be my approach?”
My answer- My approach then would be to request the client to procure a GRC solution, probably RSA Archer or Agiliance RiskVision. Depending upon the inputs the tool would require (type of industry, regulatory authorities that I want compliance against, etc.), the tool would populate a list of security controls (obviously eliminating the redundant controls common across these standards). The organization would then have to assign a Security Risk Assessor to do a gap analysis of all those controls by liaising with different departments across the organization, gather answers and then perform a risk assessment. Following that, the organization would need to develop a risk-mitigating strategy for any risk that emanates out of the RA and for which the organization's tolerance level is zero. Following that, the monitoring and continual improvement plans happen.
What do you think about this answer, folks? Can you please suggest a better answer?
Comments
simondeys, Member Posts: 13: The answer sounds good, but did you clear the interview, ...?

ankurj.hazarika, Member Posts: 56: This was supposed to be the third and the final round. But at the end of the interview, the director said he would like to have another round of technical interview with me, and that HR will get in touch with me. Fingers crossed!