Security Interview Prep Series — 12. Governance, Risk and Compliance

Shraddha M.
2 min read · 5 days ago


1. Is There an Acceptable Level of Risk?

Yes. Risk can never be reduced to zero; what remains after controls are applied is residual risk, and it is acceptable when it falls within the organization's risk appetite (the amount of risk leadership is willing to carry). Accepting a risk is a deliberate, documented decision by a named risk owner, not a default that happens because nobody looked.

  • Acceptability: Depends on the organization's risk appetite, its compliance obligations (some regulations set a floor that cannot be "accepted" away), and the likelihood and impact of the risk.
  • Example: A company may accept that some phishing emails will reach inboxes and that a few users will click, while investing heavily in backups, network segmentation and endpoint controls against ransomware because its impact is far higher.

2. How Do You Measure Risk? Can You Give an Example of a Specific Metric That Measures Information Security Risk?

Risk Measurement:

Qualitative formula: Risk = Threat x Vulnerability x Impact. In practice this is read as Risk = Likelihood x Impact, where likelihood combines how active the threat is with how exploitable the vulnerability is; each factor is rated (for example Low/Medium/High) and plotted on a risk matrix.

Quantitative formula: Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO), where SLE = Asset Value x Exposure Factor. ALE expresses risk in currency per year, which makes it directly comparable with the annual cost of a control.

Metrics Example:

  • Mean Time to Detect (MTTD): Average time between the start of a security incident and its detection. A long MTTD means attackers get more dwell time before anyone responds.
  • Risk Score: Rate vulnerabilities using CVSS (Common Vulnerability Scoring System). Note that CVSS measures the severity of a vulnerability, not the risk to a particular organization, so mature programs weight it with asset criticality, internet exposure and evidence of active exploitation (for example, presence in CISA's Known Exploited Vulnerabilities catalog).
  • Downtime Costs: Financial loss per hour of outage caused by an incident, multiplied by the outage duration, giving a monetary figure for availability risk.

3. Can You Give Me an Example of Risk Trade-Offs (e.g., Risk vs Cost)?

Scenario: Encrypting all communications between internal systems (TLS everywhere, including east-west traffic that never leaves the data center).

Trade-Off:

  • Cost: Certificate issuance and rotation for every service, key management, added engineering and operational effort, some compute overhead, and reduced visibility for network monitoring tools that rely on inspecting plaintext.
  • Risk Mitigation: Removes the ability of an attacker who has gained network access to read or tamper with data in transit.

Decision: Compare the annualized loss each system's traffic could cause with the annual cost of encrypting it, and encrypt the systems handling sensitive data first. For low-value internal traffic the residual risk may be accepted and recorded in the risk register, with a review date.
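The following is an added worked example (not code from the original article) that puts numbers behind questions 1 to 3: it builds a small risk register, computes SLE and ALE for each entry, checks each entry against a risk appetite, evaluates the encryption control from the scenario above using Return on Security Investment (ROSI = (risk reduction - control cost) / control cost), and computes MTTD from incident timestamps. Every figure, system name and timestamp is constructed for illustration and is not taken from any real organization; the appetite threshold, control cost and the assumption that encryption stops 90% of interception incidents are assumptions.

```python
"""Quantitative risk measurement and a risk-vs-cost decision.

Added example; all figures below are constructed for illustration
and are not taken from any real organization or from the article.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass
class Risk:
    """One line of a hypothetical risk register."""
    name: str
    asset_value: float      # value of the asset at stake, in dollars
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # annualized rate of occurrence, incidents per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO (dollars per year)."""
        return self.sle * self.aro


def is_acceptable(risk: Risk, appetite: float) -> bool:
    """Question 1: a residual risk is acceptable when its ALE is within
    the organization's risk appetite (expressed here in dollars per year)."""
    return risk.ale <= appetite


def rosi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Return on Security Investment: (risk reduction - cost) / cost."""
    return (ale_before - ale_after - annual_cost) / annual_cost


def evaluate_control(risk: Risk, residual_aro_factor: float, annual_cost: float) -> dict:
    """Question 3: is a control worth its cost?

    residual_aro_factor is the fraction of the original ARO that remains
    after the control (0.1 means the control stops 90% of incidents).
    """
    ale_after = risk.sle * risk.aro * residual_aro_factor
    r = rosi(risk.ale, ale_after, annual_cost)
    return {
        "risk": risk.name,
        "ale_before": risk.ale,
        "ale_after": ale_after,
        "annual_cost": annual_cost,
        "rosi": r,
        "recommend": r > 0,  # the control saves more than it costs
    }


def mean_time_to_detect(incidents: list[tuple[str, str]]) -> float:
    """Question 2 metric: MTTD in minutes from (start, detected) ISO timestamps."""
    minutes = [
        (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60
        for start, end in incidents
    ]
    return mean(minutes)


# Constructed register for the "encrypt internal traffic" scenario.
REGISTER = [
    Risk("customer-db replication traffic intercepted", 2_000_000, 0.25, 0.2),
    Risk("build-cache traffic intercepted", 200_000, 0.50, 0.2),
    Risk("occasional phishing click", 20_000, 0.10, 2.0),
]
ENCRYPTION_COST_PER_SYSTEM = 30_000.0  # assumed annual cost of TLS + cert management
RISK_APPETITE = 10_000.0               # assumed: accept anything under $10k/year

# Constructed incident timestamps (start of compromise, time of detection).
INCIDENTS = [
    ("2024-03-01T08:00:00", "2024-03-01T10:00:00"),
    ("2024-03-05T14:00:00", "2024-03-05T14:30:00"),
    ("2024-03-09T01:00:00", "2024-03-09T04:30:00"),
]


def decide(register=REGISTER, cost=ENCRYPTION_COST_PER_SYSTEM, appetite=RISK_APPETITE) -> dict:
    """Map each risk to accept (within appetite), encrypt (control pays off),
    or accept with a documented exception (control costs more than it saves,
    so a cheaper control or a formal acceptance is needed)."""
    decisions = {}
    for risk in register:
        if is_acceptable(risk, appetite):
            decisions[risk.name] = "accept"
            continue
        result = evaluate_control(risk, residual_aro_factor=0.1, annual_cost=cost)
        decisions[risk.name] = "encrypt" if result["recommend"] else "accept (control not cost-justified)"
    return decisions


if __name__ == "__main__":
    for risk in REGISTER:
        print(f"{risk.name}: SLE=${risk.sle:,.0f} ALE=${risk.ale:,.0f}/yr")
    print(decide())
    print(f"MTTD = {mean_time_to_detect(INCIDENTS):.0f} minutes")
```

With these assumed figures the customer database traffic (ALE $100,000/yr, ROSI 2.0) gets encrypted, the phishing risk (ALE $4,000/yr) sits inside the appetite and is accepted, and the build cache (ALE $20,000/yr) exceeds the appetite but the $30,000 control would cost more than the $18,000 it saves, so in a real program that line would go back to the risk owner for a cheaper control or a formal, time-boxed acceptance rather than silently staying open.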

4. What Is Incident Management?

Incident Management involves detecting, analyzing, and responding to security incidents to minimize their impact and restore normal operations, following a predefined plan rather than improvising under pressure.

Phases:

  1. Identification: Detect the incident from alerts, logs or user reports, confirm it is real, and classify its severity.
  2. Containment: Limit its spread (for example, isolate affected hosts or disable compromised accounts) while preserving evidence for later analysis.
  3. Eradication: Remove the threat: malware, attacker persistence mechanisms, and the vulnerability that was exploited.
  4. Recovery: Restore systems and services from a known-good state and monitor closely for recurrence.
  5. Post-Incident Review: Analyze root causes, document lessons learned, and improve both the defenses and the response plan itself.

Frameworks such as NIST SP 800-61 and the SANS incident handling process place a Preparation phase (policies, playbooks, tooling, training) before these steps; without it the other phases run late and slowly.

5. What Is Business Continuity Management? How Does It Relate to Security?

Business Continuity Management (BCM): Ensures an organization can continue critical operations during and after a disruption.

Relation to Security: BCM includes business impact analysis, risk assessments, disaster recovery and contingency planning, which overlap with information security because availability is one leg of the CIA triad. Security incidents such as ransomware often invoke BCM and disaster recovery processes, and the recovery objectives BCM defines (RTO, RPO) drive security requirements such as offline, immutable backups and tested restore procedures.

6. What Is the Primary Reason Most Companies Haven’t Fixed Their Vulnerabilities?

  1. Resource Constraints: Limited budget or personnel, so the backlog of findings grows faster than it is worked down.
  2. Complex Environments: Difficulty identifying and patching every vulnerability in large, interconnected systems, especially legacy or third-party components that cannot be updated without breaking something.
  3. Prioritization Issues: Patching competes with feature delivery and uptime, and maintenance windows for production systems are hard to obtain, so fixes wait.
  4. Lack of Awareness: Incomplete asset inventories mean vulnerabilities go unnoticed, and findings that are reported are not always tracked to closure.

7. What’s the Goal of Information Security Within an Organization?

The primary goal is to protect the CIA triad while still enabling the business to operate:

  1. Confidentiality: Prevent unauthorized disclosure of information.
  2. Integrity: Prevent unauthorized modification, so data stays accurate and complete.
  3. Availability: Ensure systems and data are accessible to authorized users when needed.

8. What’s the Difference Between a Threat, Vulnerability, and Risk?

  • Threat: A potential event or actor capable of causing harm.
    Example: An attacker running credential-stuffing attacks, or a malware campaign.
  • Vulnerability: A weakness in a system that a threat could exploit.
    Example: Outdated software with unpatched security flaws, or weak passwords with no multi-factor authentication.
  • Risk: The likelihood that a threat exploits a vulnerability, combined with the resulting impact.
    Example: Account takeover and a data breach when credential-stuffing attackers (threat) hit accounts protected only by weak passwords (vulnerability).

Written by Shraddha M.
Security Architect