IT Risk & Security Senior Analyst interview, potential questions?

chickenlicken09 Member Posts: 537
Hello, I have an initial telephone interview coming up for this role. It's a technical call, I have been told; what potential questions would you ask?


Role Value Proposition:
The IT Risk & Security Senior Analyst is responsible for the oversight and/or execution of Global Information Risk & Security Program at large country level, with limited supervision.

Key Responsibilities:
IT Risk & Security Senior Analyst responsibilities include, but are not limited to:
1. Executing IT Security Controls and reporting to management and program, including but not limited to:
* Access Control Compliance Certification
* Database Logging & Monitoring
* IT General Controls Compliance Reassurance
2. Support the Global IT Risk & Security Program in country, including but not limited to:
* Implementing & overseeing IT Security Policies & Standards
* Driving Security Awareness Campaigns, Training & Testing
* PCI Compliance, where applicable
* Vendor Management IT Reviews (MORE)
* Application Risk Assessment & Vulnerability Testing
* Infrastructure Vulnerability Oversight & Pen-Tests
3. Coordinate rapid IT Risk & Security response capability in country, including but not limited to:
* Manage IT Risk & Security Incidents to Resolution
* Participating in/Running Exercises
4. Provide local IT Risk & Security Advisory & Business support, including but not limited to:
* Support Technology & Business Projects, ensuring compliance with IT Security Policies & Standards and technology stack
* Coordinate Customer / Regulatory Security Assurance requests
5. Implement Global IT Risk & Security Projects in country.
Essential Business Experience and Technical Skills:
1. 3-5 years of professional IT Risk & Security related experience in financial services.
2. Expertise and experience in implementing & monitoring Information Security controls, practices and technology for multiple levels within an organization.
3. IT Risk & Security Certification or similar preferred - e.g. CISA, CISM, CISSP, PCIP;
4. Execution and Results oriented; Ability to transparently plan and execute against plan.
5. Good English language skills;
6. Strong analytical, critical thinking and report presentation skills.
7. Ability to work independently with a structured approach. Strong Excel, PowerPoint and/or Visio skills.

Comments

    McxRisley Member Posts: 494
    I don't think anyone is really going to be able to help you out here man since most places don't handle Risk Management the same way. Yes there is the RMF and other things but I have yet to see two places implement it exactly the same way. The only thing that is going to help you here is having experience in the areas listed above in the job posting.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
    chickenlicken09 Member Posts: 537
    Yes, of course, thanks.
    McxRisley Member Posts: 494
    Sorry man, I wish I could help.
    I'm not allowed to say what my previous occupation was, but let's just say it rhymes with architect.
    soccarplayer29 Member Posts: 230
    Refresh your SSCP knowledge by skimming through some of the topics to prepare. There are a lot of duties listed, so it's hard to point to one specific area. There will be the "fit" type questions to determine if you are a good match for the team/position, and then likely some scenario type questions to understand your thinking and analysis of risks.

    Be able and prepared to discuss the following:
    • Compliance frameworks/experience (they mention PCI). Research PCI DSS and be able to relate that to your knowledge/experiences
    • Auditing Experience: familiarity with industry best practices, how to ensure proper implementation, etc.
    • Vendor management: how to evaluate new products when considering their services and security (common criteria evaluations)
    • Vulnerability scanning process: know common vulnerability scanning tools, best practices, patching, etc.
    • Penetration testing: be familiar with the process but not necessarily hands-on experience. It looks like this position oversees external penetration testing services but does not perform the penetration testing itself.
    • Know the difference between policies vs. procedures vs. guidance, etc. and the importance of each
    • Be able to describe a mature IT Security program (including all the pieces mentioned above and the Awareness & training/driving compliance throughout an enterprise)
    Good resources for these topics would be CISM/CISSP materials, which they also list as relevant certs for this job, so if you have access to those they should cover most of the required areas and complement your existing experience to help prepare you for the interview.
    Certs: CISSP, CISA, PMP
    yoba222 Member Posts: 1,237
    I wouldn't expect one person to have senior-level experience in all of those areas. Those are probably the duties collectively shared by the entire team of analysts. Perhaps it's that you'd do a lot of coordinating with other people/groups that actually perform those roles.

    Probably the technical questions will depend on which area/areas you have experience in, then the call would go that direction. No one can specialize in everything.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
    chickenlicken09 Member Posts: 537
    Great, thanks. I'm not high up on the PCI side. If you were to guess, what questions could they ask around PCI?
    soccarplayer29 Member Posts: 230
    High-level stuff should be sufficient. Be honest with them that you don't have tons of experience with PCI, but the security concepts (confidentiality, integrity, availability) are the same, just with a different focus on protecting payment card data. Watch some YouTube videos and be able to relate them to concepts or experience you have.
    Certs: CISSP, CISA, PMP
    Cyberscum Member Posts: 795
    Seems pretty basic. All things that an ISSM would be doing. If you have held a role at that level then it should be a breeze. That's not really a technical job based on what they laid out so I think the questions might be more senior level security response types.

    If you have done RMF, DRP and IR then it should be a breeze. Good luck!