Transcript

The document contains transcripts of interviews with various security and management personnel discussing their organization's security management practices, including access control, vulnerability management, data protection, and physical security. Key points include the use of role-based access controls, regular audits, incident response strategies, and collaboration across departments to enhance security posture. The interviews highlight the importance of continuous improvement, training, and compliance with regulations like GDPR and ISO 27001.

Transcript of interview with CISO

SECURITY MANAGEMENT
ACCESS CONTROL
VULNERABILITY MANAGEMENT

Auditor: Thank you for taking the time to meet with me today. As part
of the ISO 27001 audit, I’d like to discuss how your organisation
handles access controls for information systems. Could you walk me
through the key controls in place?

CISO: Of course. We utilise role-based access controls enforced by
Active Directory group policies. Employees are granted least privilege
access tied to their job roles. We regularly review access and revoke
when no longer needed such as for departing employees.

Auditor: That’s great to hear. Are there established procedures for
provisioning and deprovisioning user access?

CISO: Yes, we have formal onboarding and offboarding checklists that
IT staff follow to grant or revoke access when an employee joins or
leaves. Access request tickets also document when new access is
approved.

Auditor: Excellent. And how often do you review user accounts and
access permissions to identify unauthorised or dormant access?

CISO: We run automated reports monthly to show stale accounts and
privilege creep. Account owners have to verify or remove access. We
also do quarterly entitlement reviews of all high risk systems.

Auditor: That covers some key points around access controls. Let’s
move on to how you manage security configurations for servers,
workstations and other endpoints. Could you outline some of the
standards and procedures in place?

CISO: Sure, managing secure configurations is critical for us. We utilise
the CIS benchmarks to harden OS settings and have a gold build
standard for workstations and servers…

Auditor: Let’s discuss vulnerability management. What processes do
you have to scan for vulnerabilities and prioritise patching?

CISO: We utilise Tenable.io to perform weekly vulnerability scans on all
systems. Critical and high risks are patched within 15 days. We use
dedicated windows for production systems.

Auditor: How do you secure sensitive data at rest and in transit across
your infrastructure?

CISO: For data at rest, we leverage disk and database encryption. In
transit, connections are encrypted TLS 1.2 or greater. We mandate SSH,
VPNs, and HTTPS. Sensitive data is anonymised for non-production use.

Auditor: What physical security controls are in place for corporate
facilities and data centers?

CISO: We use layered controls including fences, alarms, CCTV, guards,
badges, and biometric readers. The data center has mantraps and
environment monitoring. Facilities are audited annually.

Auditor: Explain your backup and recovery processes for critical
systems and information assets.

CISO: Daily incremental backups to disk onsite, weekly fulls to tape
offsite. We have documented recovery plans with RTOs and RPOs.
Disaster recovery tests are run twice a year to validate capabilities.

Auditor: How do you evaluate security risks when adopting cloud
services or working with vendors?

CISO: Third-party risk assessments are completed analysing data
sensitivity, access needs and vendor security posture. Information
security terms are incorporated into contracts. Cloud deployments
follow our secure architecture guidelines.

Auditor: How do you ensure collaboration between security teams like
IT, HR, legal, facilities etc?

CISO: We have regular meetings between department security liaisons
to discuss issues and initiatives. I meet individually with each
executive regularly. Security committees with cross-functional
representation are used for policy and control oversight.

Auditor: What mechanisms exist for security teams to escalate issues
or concerns?

CISO: Security teams can directly engage my office on any roadblocks
or concerns. We have an internal ticketing system to track security
escalations and risks if collaboration breaks down. I report up through
the infrastructure steering committee on issues needing executive
visibility.

Auditor: How are conflicts between business objectives and security
priorities resolved?

CISO: We always aim to enable business needs securely. If there are
conflicts, we perform risk assessments jointly to understand tradeoffs.
Data-driven rationale focusing on business impacts drives decisions.
We may implement additional monitoring and review. Executive
oversight helps align on approach if needed.

Transcript of interview with CISO

COMPLIANCE
DATA BREACH
SECURITY POSTURE

Interviewer: Thank you for speaking with us, Sophia. Can you start by
telling us a bit about your role at CloudCore Networks and your vision
for the company’s security posture?

Sophia Martinez (CISO): Absolutely. As the Chief Information Security
Officer at CloudCore Networks, my primary responsibility is to develop
and implement our information security strategy. My vision is to create
a security environment that not only protects our data but also
enhances our ability to deliver secure and reliable services to our
clients. I believe that security should be an enabler for business
growth, not just a checkbox for compliance.

Interviewer: That’s a great perspective. Given the recent data breach,
how would you assess CloudCore’s current security posture? What
were the main factors that contributed to the breach?

Sophia Martinez: Our security posture has strong foundations—we
have robust network defenses, a dedicated security operations team,
and compliance with major frameworks like ISO 27001. However, the
breach highlighted several areas where we need to improve. The main
factors contributing to the breach were inconsistent enforcement of
multi-factor authentication, especially for senior-level administrative
accounts, and a lapse in phishing awareness. The attacker exploited
these weaknesses, gaining access through compromised credentials.

Interviewer: How has the organisation responded since the breach?
What immediate actions have you taken?

Sophia Martinez: Right after discovering the breach, our first step was
to contain the incident by revoking compromised credentials and
isolating affected systems. We’ve since expanded MFA enforcement to
all administrative accounts without exception and have increased our
investment in advanced threat detection technologies. We’ve also
initiated a company-wide review of access permissions to ensure that
the principle of least privilege is strictly applied. Importantly, we’re
doubling down on our phishing awareness training to help employees
better recognise and report suspicious activity.

Interviewer: Looking forward, what changes do you envision for
CloudCore’s security strategy to prevent future incidents?

Sophia Martinez: Moving forward, I’m focused on building a more
adaptive security framework that can respond to evolving threats in
real-time. This includes expanding our use of AI-driven threat
detection, increasing automation in our incident response processes,
and integrating security into every stage of our software development
lifecycle. Additionally, I’m pushing for more cross-departmental
collaboration because security isn’t just the responsibility of the
security team—it’s everyone’s job. I believe that by fostering a
security-first culture and continuing to invest in cutting-edge
technologies, we can turn these challenges into strengths.

Interviewer: That’s an inspiring approach. Any final thoughts on what
you’d like your team or the company to focus on as we move past this
breach?

Sophia Martinez: My key message to the team is that this breach is a
learning opportunity. We need to stay vigilant, continuously improve
our defences, and never become complacent. I also want us to keep
our communication channels open—whether it’s reporting a suspicious
email or discussing a potential vulnerability, every input counts. We’re
in this together, and by working as a cohesive unit, we can not only
recover but come out stronger.

Interviewer: Thank you, Sophia. Your insights are invaluable.

Sophia Martinez: Thank you. It’s a team effort, and I’m confident we’ll
navigate through this successfully.

Transcript of interview with DBA

DATA SECURITY
IT MANAGEMENT
RISK ASSESSMENT

Auditor: I’d like to understand how database security is handled here.
Could you give me an overview of your database architecture?

DBA: Sure. We utilise a mix of open source and commercial databases
depending on the use case. Databases are hosted on segmented
servers according to sensitivity level and access requirements.

Auditor: Good overview. And how are the databases secured
technically?

DBA: Minimised open ports, encrypted connections, CIS benchmark
hardening of the servers. The databases themselves have encryption,
access controls, and stored procedures to limit exposure.

Auditor: Great to hear. I’m here to have a collaborative discussion
about your database controls. If any gaps arise, I’ll work through
practical recommendations with you. Does that sound good?

DBA: Absolutely, I appreciate you taking that approach. I’m open to
constructive feedback on how we can evolve our database security
measures.

Auditor: Glad we’re aligned. Could you outline your strategies for
securing database credentials and controlling access?

DBA: Of course. We utilise a privileged access management solution to
rotate credentials and control access to database shells. Access is
granted based on least privilege principles…

Here are 5 additional mock interview questions continuing the friendly
database security discussion:

Auditor: What controls do you have in place for monitoring database
activity?

DBA: Database logging is enabled, as well as triggers for sensitive
modification events. Logs feed into our central SIEM. We have a
baseline of expected activity and alert on anomalies.

Auditor: Could you explain your backup and recovery strategies for
databases?

DBA: Daily differential backups, weekly full backups with retention
policies. Critical databases have replicas for high availability. We
practice restores and have documented recovery plans.

Auditor: What is your approach to database patching and vulnerability
management?

DBA: We classify and test patches in dev environments before rolling
out. Vulnerability scans are performed periodically to identify risks. We
have a window for production patching.

Auditor: How do you evaluate and secure new database technologies
before adoption?

DBA: Our architecture review board assesses capabilities, security,
supportability before approval. Security is configured prior to
production use per our standards.

Auditor: Finally, what database-specific training exists for your team?

DBA: Vendor training on database hardening, logging, encryption
features. Our DBAs are certified on the platforms we use. Security is
always emphasised.

Auditor: Are there any difficulties aligning database management
needs with security controls?

DBA: At times we have to balance performance and availability needs
with strict security controls. With consultation, we usually find solutions
like selective encryption or tiered access models.

Auditor: How are database permission conflicts between security team
and business users handled?

DBA: We aim to provide the access required for business functions
while adhering to least privilege principles. Disagreements are
resolved collaboratively through access reviews.

Auditor: Is database activity monitoring effective for security incident
alerting?

DBA: Yes, the database logs provide excellent visibility along with our
security monitoring capabilities. We are able to quickly detect and alert
on anomalous queries or privilege misuse.

Transcript of interview with DPO

PRIVACY
DATA PROTECTION
COMPLIANCE

Auditor: Thank you for meeting with me today. I’d like to understand
your organisation’s data protection strategy and controls. Could you
give me an overview of your data privacy policies?

DPO: Absolutely. We have comprehensive data protection policies
aligned to regulations like GDPR that outline data subject rights, lawful
processing, consent requirements and more.

Auditor: Great start. How do you perform data discovery and
classification?

DPO: Our data owners classify information assets based on sensitivity.
Data maps outline what we collect and process. Anything containing
personal data is specially tagged.

Auditor: Excellent. And how is data access controlled?

DPO: Role-based access controls enforced by our IT team. Encryption
for data at rest and in transit. Analytics data is anonymised and
minimised before use.

Auditor: That covers some key points. I’m here to have a collaborative
discussion on how your DPO program operates. If I identify any areas
of non-conformance, I’ll discuss with you first to clarify and work out
recommendations before finalising audit findings. Does that align with
your expectations?

DPO: Absolutely, I appreciate you taking that approach! I’m sure we’ll
have an open and beneficial dialogue about our data policies and find
ways to strengthen our program. Shall we move on to retention and
disposal next?

Auditor: Yes, that would be great. How do you manage data retention
and secure destruction?

DPO: We have defined retention schedules based on legal and
business needs. Disposal procedures like shredding for physical data
and wiping for digital assets are enforced…

Auditor: How do you perform privacy impact assessments for new
initiatives involving personal data?

DPO: Our PIA process evaluates risks early in projects, recommends
controls, documents decisions, and obtains approvals before launch.

Auditor: What is your approach for performing security risk
assessments focused on data protection?

DPO: Our infosec team partners with me to do annual DPIAs analysing
threats, evaluating controls, and mitigating high risks to sensitive data.

Auditor: How do you ensure any data processors or third parties
comply with your data policies?

DPO: Contracts mandate compliance to our standards. Vendors
complete security assessments providing evidence of compliance
which is validated by audit.

Auditor: Could you explain your data breach response plan and how it
is regularly tested?

DPO: Our incident response plan has specific steps for breaches
including notification timelines. We test annually with breach
simulation exercises across teams.

Auditor: What privacy and security training and awareness exists for
employees?

DPO: New hires are trained on data policies. Existing staff retake the
course annually. We share reminders on data handling via email,
intranet, and presentations.

Auditor: What are the processes if other teams do not cooperate with
data protection efforts?

DPO: I engage directly with responsible executives to escalate
roadblocks. Demonstrating regulatory risk exposure, financial impacts,
and reputation harms helps motivate compliance. As a last resort,
formal warnings may be issued recommending employment action.

Auditor: How are data protection responsibilities communicated across
business units?

DPO: Our data protection policies outline the requirements per role. I
conduct training on proper data handling, legal obligations, and
incident reporting. Data owners and line managers are accountable for
disseminating and enforcing within their teams.

Auditor: What security collaboration exists with legal/compliance
groups?

DPO: We have joint responsibility along with legal for data protection
oversight. Our departments review policies and controls together. We
also liaise on incident response, regulator interactions, and advice to
the business regarding data practices.

Transcript of interview with Facilities Manager

PHYSICAL SECURITY
FACILITY MANAGEMENT
COMPLIANCE

Auditor: I’d like to discuss how physical security considerations are
handled for company facilities. Could you outline some of the physical
access controls in place?

Manager: Absolutely. Our buildings use layered security including
guards, badging, biometrics, cameras and alarm systems. Sensitive
areas have additional restrictions and monitoring in place.

Auditor: Good to hear. And how is access granted and revoked to
facilities and restricted zones?

Manager: Access is provisioned based on HR system data and manager
approvals. Terminations, transfers and other employment changes
trigger automated disabling of badges and credentials.

Auditor: Excellent. Regarding contractors or visitors, what controls are
in place?

Manager: Contractors are sponsored by employees and must check
in/out with guards. Visitors are screened, badged and escorted.
Background checks are performed as needed per policy.

Auditor: That covers some key items. How would you describe
collaboration with other internal teams like HR, IT and security groups?

Manager: We maintain close coordination to align on threats, respond
to incidents, adjust policies and improve controls. Regular working
sessions ensure we are aligned.

Auditor: How often are physical security controls and procedures
reviewed and tested?

Manager: We perform audits at least annually including attempts to
circumvent controls. Penetration testing is done biannually. Reviews
help us continue improving protections.

Auditor: What training exists for facilities staff on physical security
policies and emergency response?

Manager: Initial and annual training on guard duties, monitoring,
access controls and emergency protocols. Drills ensure preparedness
to enact procedures.

Auditor: How are new facility projects or renovations evaluated for
security risks?

Manager: Our team conducts thorough risk assessments of designs,
entrances/exits, lighting, alarm placement and other factors before
finalising plans.

Auditor: What security mechanisms safeguard equipment rooms,
utilities and other restricted infrastructure?

Manager: Multi-factor authentication, video surveillance,
logger/watcher entry rules. Critical utilities have additional fail-safe
controls to prevent disruption.

Transcript of interview with Help Desk

OPERATIONAL SECURITY
INCIDENT RESPONSE
TRAINING

Auditor: I’d like to understand the help desk’s role in information
security. How are user security incidents and requests handled?

Help desk: We have defined escalation procedures for different
incident types. These are documented and involve the information
security team as needed.

Auditor: Good to know. How are access requests and provisioning
changes managed?

Help desk: Employees submit tickets for new access which we vet and
approve based on established protocols. Proper provisioning channels
are followed per security guidance.

Auditor: Excellent. What verification is done for users requesting
password resets or account unlocks?

Help desk: Identity is confirmed verbally or via token-based methods.
For highly privileged accounts, in-person verification occurs before
resetting credentials.

Auditor: Great overview so far. How does the help desk team stay
current on security policies and procedures?

Help desk: We undergo regular security training from the infosec team.
Knowledge base articles outline our protocols so new hires get up to
speed quickly.

Auditor: What role does the help desk play in security awareness and
education for end users?

Help desk: We provide best practice guidance on password policies,
phishing risks, data handling, and other areas when working with
users.

Auditor: How are help desk systems and tools secured to prevent
unauthorised access?

Help desk: Access follows least privilege principles. Controls like MFA,
logging, and endpoint security help safeguard help desk infrastructure.

Auditor: What mechanisms exist for confidential incident reporting or
whistleblowing?

Help desk: Users can submit anonymous tickets detailing concerns
which get routed to infosec and legal teams through secure channels.

Auditor: How could help desk practices better align with organisational
security initiatives?

Help desk: Increased collaboration through regularly scheduled
working sessions with infosec. Potential cross-training opportunities as
well.

Auditor: Finally, does the help desk participate in any security drills or
exercises?

Help desk: We are involved in annual incident response simulations to
validate our procedures and coordination with other teams.

Transcript of interview with ISM

SECURITY MANAGEMENT
TRAINING
INCIDENT RESPONSE

Auditor: Thanks for meeting with me today. I’d like to discuss your
security awareness training program for employees. Can you walk me
through the current training curriculum?

ISM: Absolutely. All new employees are required to complete our
Information Security Essentials course within their first 2 weeks. It
covers data handling, social engineering, password policies, incident
reporting and more.

Auditor: What about ongoing security awareness for existing
employees?

ISM: We require annual security refresher training. This covers new
cyber risks, policy updates, and emerging threats like phishing and
ransomware. Completion is tracked and reported to management.

Auditor: That’s great. Are there any other ways you promote security
awareness among employees?

ISM: Yes, we send regular company-wide emails about new threats or
issues to watch out for. I also give live presentations at All Hands
meetings which are recorded for our intranet.

Auditor: Excellent. Let’s discuss your policies and procedures around
secure software development. What SDLC controls do you have in
place?

ISM: We integrate security from design through deployment. Threat
modeling, static code analysis, dynamic scanning, staged rollouts, and
automation help remove risks in our pipeline.

Auditor: What security requirements do you have for third-party
software your developers may leverage?

ISM: We mandate open source scanning for risks, licensing and
vulnerabilities before use. Purchased software goes through
procurement checks on the vendor and security testing. Legal reviews
any provided agreements.

Auditor: Great overview. Let’s move on to chat about your security
incident response plans…

Auditor: How do you identify and classify security incidents when they
occur?

ISM: We have an established severity matrix based on impact and
urgency. Incidents are assigned an S1 to S4 rating which guides
response. Events feed into our SIEM solution and ticketing system.

Auditor: What forensic capabilities do you have to investigate
incidents?

ISM: Our forensic toolkit includes endpoint monitoring, IT asset
inventory, netflow analysis and sandbox detonation. We can retrieve
time-sequenced data like logs and packet captures for analysis.

Auditor: How are incidents communicated internally and externally as
needed?

ISM: We have defined escalation paths and stakeholders. Internal
comms follow our crisis response plans. For external notification, we
work with legal and PR teams to disclose per regulations.

Auditor: Could you outline the steps in your incident response plan?

ISM: Our playbooks cover triage, investigation, containment,
eradication, recovery, and post-mortem reviews. We aim to quickly
isolate and remove threats while preserving evidence.

Auditor: Finally, what types of security exercises do you conduct to
validate preparedness?

ISM: We run tabletop exercises annually with executives to test
decision making. Technical teams participate in red team/blue team
drills to practice response capabilities. Lessons learned produce
improvements.

Auditor: Do you face any challenges in getting other teams to adhere
to security policies and requirements?

ISM: There can be some initial resistance to new policies but we focus
on education and bridging gaps collaboratively. Demonstrating risk
data helps gain buy-in. Persistent issues may require CISO or executive
involvement. But generally teams understand the need once
communicated.

Auditor: How are security training completion rates tracked across the
organisation?

ISM: Our LMS generates reports on completion percentage rates per
department. I review these regularly and follow up with managers on
any lagging or problematic areas to improve adherence. We’ve set a
company-wide 90% target.

Auditor: How do you receive and remediate security concerns raised by
employees?

ISM: Employees can submit confidential security reports which feed
into our vulnerability management system. Concerns are risk rated and
handled promptly. I meet with individual employees as needed to
understand issues for remediation.

Transcript of interview with IT Manager

COMPLIANCE
DATA BREACH
IT MANAGEMENT
SECURITY POSTURE

Interviewer: Raj, thank you for joining us today. Could you start by
describing your role at CloudCore Networks and your main
responsibilities?

Raj Patel (IT Manager): Sure, I’m the IT Manager here at CloudCore,
which means I’m responsible for overseeing our entire IT
infrastructure. This includes managing our network, servers, and cloud
environments, as well as ensuring that our systems run smoothly and
securely. My role involves coordinating with various teams, including
security, to implement technology solutions that support our business
goals.

Interviewer: Given your role, how did you experience the recent data
breach? What were your initial thoughts when it was discovered?

Raj Patel: When the breach was first discovered, it was a wake-up call
for all of us. The initial alert came from our automated monitoring
systems, which flagged unusual database activity. My first thought was
to identify the scope of the breach and work with the Security
Operations Center to isolate the affected systems. It was clear early on
that a compromised credential was involved, and our priority was to
cut off the attacker’s access as quickly as possible.

Interviewer: What do you think were the primary technical weaknesses
that allowed the breach to occur?

Raj Patel: Technically speaking, the breach exploited a couple of key
weaknesses. One was a misconfiguration in our firewall that
inadvertently allowed broader access than intended, creating an entry
point for the attacker. Additionally, our multi-factor authentication
setup was inconsistently applied across administrative accounts, which
allowed the attacker to bypass this critical security layer once they had
the credentials. Finally, while we do have robust monitoring, the
system failed to prioritise the alert effectively, delaying our response.

Interviewer: Since the breach, what steps have you taken to improve
CloudCore’s IT security measures?

Raj Patel: We’ve made several immediate changes. First, we reviewed
and tightened all firewall rules and configurations to close any gaps
that could be exploited. We’ve also expanded our MFA requirements to
include all accounts without exception, ensuring that even if
credentials are compromised, additional barriers exist. On the
monitoring side, we’re refining our alert prioritisation to ensure that
high-risk activities get immediate attention. We’ve also implemented
stricter access controls and are conducting a comprehensive review of
all administrative privileges.

Interviewer: From your perspective, what are the key challenges that
CloudCore faces in maintaining a secure IT environment?

Raj Patel: One of the biggest challenges is keeping pace with the
evolving threat landscape. Cyber threats are becoming more
sophisticated, and attackers are always looking for new ways to exploit
vulnerabilities. Another challenge is balancing security with operational
efficiency. For example, while tightening access controls is crucial, it
can also slow down workflows if not managed properly. We need to
find the right balance between robust security measures and
maintaining a seamless user experience.

Interviewer: What are your long-term goals for CloudCore’s IT security?
How do you plan to achieve them?

Raj Patel: Long-term, my goal is to build a resilient IT infrastructure
that can withstand a wide range of cyber threats. This includes
investing in more advanced security technologies, such as AI-driven
anomaly detection and automated response systems. I also want to
focus on building stronger partnerships across departments. Security
isn’t just the responsibility of the security team; it’s a shared
responsibility across IT, operations, and even our end-users. To
achieve this, I’m advocating for more integrated security processes
and continuous training to keep everyone engaged and aware of their
role in protecting our systems.

Interviewer: Thanks for your time, Raj. Any final thoughts on how
CloudCore can better prepare for future challenges?

Raj Patel: My final thought is that we need to stay proactive rather
than reactive. Continuous improvement should be our mantra—
whether it’s updating our technology, revisiting our policies, or
educating our team, there’s always room to do better. By staying
ahead of potential threats and fostering a culture of security
awareness, I’m confident we can navigate through any challenges that
come our way.

Interviewer: Thanks again, Raj. Your insights are really helpful.

Raj Patel: You’re welcome. It’s all about teamwork and staying ahead
of the curve.

Transcript of interview with Legal

COMPLIANCE
DATA PROTECTION
RISK MANAGEMENT

Auditor: I’d like to discuss how legal considerations relate to
information security. How are security requirements incorporated into
client & vendor contracts?

Manager: Information security terms like confidentiality, data handling,
access restrictions, and liability are included in our standard contracts
based on templates we’ve developed.

Auditor: Good to hear. And what review process exists for new
technologies or partnerships with security impacts?

Manager: We complete due diligence and risk assessments on vendors.
Contracts go through an approval workflow including security and
compliance teams to ensure appropriate clauses are present.

Auditor: Excellent. How does legal advise internal teams regarding
security regulations and obligations?

Manager: We provide training to various departments on relevant
regulations pertaining to their data practices and systems. Ad-hoc
legal guidance is given whenever new policies or controls are
introduced.

Auditor: That covers some key points. Lastly, how would you describe
collaboration between legal and infosec teams?

Manager: Very open communication and tight partnership. We support


security’s initiatives while ensuring adherence to regulations. Joint
response on incidents as well.

Auditor: What role does legal play in security risk assessments and
vulnerability disclosure?

Manager: We advise on risk assessment methodologies to align with


legal obligations. For vulnerabilities, we help guide responsible
disclosure balancing transparency and liability concerns.

Auditor: How are potential security-related legal issues escalated and


addressed?

Manager: Infosec teams flag items to legal through designated


channels. We provide guidance to mitigate risks while maintaining
compliance obligations.

Auditor: What security expertise and background exists within the legal
team?

Manager: Some team members specialise in data privacy and IT


regulations. We pursue ongoing education on technical topics to
strengthen legal-infosec collaboration.

Auditor: How could security-related legal practices be improved?


Manager: Additional data mapping and records of processing activities
could better demonstrate compliance evidence if ever questioned.
More proactive risk analysis as well.

Transcript of interview with Network Engineer
NETWORK MANAGEMENT
SECURITY ARCHITECTURE
OPERATIONAL SECURITY

Auditor: I’d like to discuss the network security controls you have in
place. Could you give me an overview of your network architecture?

Network Engineer: Certainly. We utilise a segmented architecture
based on business units and system types. Critical assets are in a
separate zone with ACLs limiting access. Edge firewalls provide
filtering.

Auditor: Good to hear. How do you monitor and protect against
malicious network activity?

Network Engineer: Intrusion detection sensors analyse traffic
patterns and alert on known bad signatures. We also capture netflow
data and use a SIEM for visibility. Access to monitoring tools is tightly
controlled.

Auditor: Excellent. And could you outline some of your network access
and authentication controls?

Network Engineer: 802.1x and RADIUS enforce access policies and
restrictions on ports. Wireless uses WPA2 encryption at minimum. VPN
concentrators allow MFA protected remote access into business
systems. The network is fully switched with protected infrastructure
management.

Auditor: That provides a solid baseline. I’m here to have an open
discussion about network security. If any potential gaps arise, I’ll work
through recommendations with you. Does that sound good?

Network Engineer: Absolutely, I welcome the feedback on improving
our security posture. Our network is constantly evolving and I want to
stay ahead of emerging threats.

Auditor: Could you outline your remote access capabilities and security
controls?

Network Engineer: VPN access with MFA for employees. Site-to-site
VPNs with partners using encryption and mutual authentication.
Remote access is restricted based on least privilege and logged.

Auditor: What protections do you have against DDoS attacks or
network flooding scenarios?

Network Engineer: Our internet edge has DDoS prevention scrubbing
high volume attacks before they hit internal infrastructure. Rate
limiting and ACLs also help minimise impact.

Auditor: How do you perform vulnerability scanning and penetration
testing on the network environment?

Network Engineer: Quarterly internal and external vulnerability scans,
including from wireless perspectives. Annual third-party pen testing
under the guidance of our infosec team.

Auditor: What capabilities exist for network traffic monitoring, capture
and analysis?

Network Engineer: We utilise full packet capture and taps to feed
network detection systems. Flow data gives us visibility into
communications between systems.

Auditor: Finally, could you speak about the redundancy built into the
network in case of device failure?

Network Engineer: Redundant internet links, load balancing firewalls,
cluster router configurations. We design availability into the
architecture for high uptime. Maintenance is scheduled to limit impact.

Auditor: How are network access issues escalated and resolved with
security teams?

Network Engineer: We engage infosec on access change tickets if there
are questions or potential risks. My team meets regularly with security
to review network ACLs and firewall rules for appropriate controls.

Auditor: Do network changes ever get pushed back due to security
concerns?

Network Engineer: Yes, occasionally. We then work jointly to determine
alternative solutions. An example is implementing a DMZ or additional
monitoring rather than opening access.

Auditor: Is collaboration effective between network and security ops
teams?

Network Engineer: Collaboration is generally strong as the groups need
to work very closely. Minor misalignments on priorities which are
worked through. Overall we support each other in enabling secure
network operations.

Transcript of interview with System Administrator
IT MANAGEMENT
SECURITY ARCHITECTURE
ACCESS CONTROL

Auditor: Thanks for taking the time to speak with me today. I’d like to
discuss the controls you have in place for managing system security
configurations. Could you walk me through your configuration
hardening standards?

SysAdmin: Sure, we utilise industry standard benchmarks like CIS and
NIST to lock down settings for OS, firewalls, databases and more
according to best practices. We keep gold images to simplify patching
and deployment.

Auditor: Excellent. And how do you ensure consistency and compliance
with those standards?

SysAdmin: Our configuration management system scans new systems
against the gold benchmark to validate before production. We also run
monthly audits to identify any drift or issues.

Auditor: Great to hear. I’m here to understand how your systems are
secured in an open discussion. If any gaps arise, I’ll work with you on
practical recommendations. Does that sound agreeable?

SysAdmin: Absolutely, I look forward to the constructive feedback on
where we can improve. We take a continuous learning approach to
security and compliance here.

Auditor: Glad we’re on the same page. Could you tell me about how
you perform patch management and keep systems up-to-date?

SysAdmin: Of course. We classify patches by criticality. Critical and
security updates are applied on a 2 week cycle to production after
testing…

Auditor: What tools and capabilities do you utilise for monitoring and
logging system activity?

SysAdmin: We deploy Sysmon for endpoint logging and have a SIEM
collecting logs centrally. Critical systems utilise process monitoring to
detect malicious changes.

Auditor: Could you outline the key controls you have in place to secure
privileged access to systems?

SysAdmin: Minimising standing privilege access, enforcing MFA for
admin accounts, using privileged access management tools for
just-in-time elevation. Logs are closely monitored.

Auditor: What is your approach to infrastructure automation and
configuration management?

SysAdmin: We utilise Ansible and Terraform to automate deployment,
configuration, and management based on code. This reduces human
errors and enforces standards.

Auditor: How do you control and track system-level changes to ensure
they are authorised and audited?

SysAdmin: Change requests are documented and approved in our
ticketing system. Changes made are logged and compared to tickets
for audit purposes.

Auditor: Finally, how do you ensure disaster recovery capabilities for
critical systems?

SysAdmin: Documented recovery plans, regular backups to secondary
sites. Annual DR tests validate ability to meet RTO/RPO with failover.
Gaps are addressed in remediation plans.

Auditor: Do you have any difficulties implementing security guidance
from infosec teams?

SysAdmin: Generally no, we view security collaboration as necessary
and beneficial. There can be tension around legacy systems where
controls introduce availability/performance risks. But with consultation
we determine workarounds.

Auditor: How are priority conflicts between operations and security
handled?

SysAdmin: Health and availability needs take precedence where
reasonable. We perform risk analysis jointly and identify solutions
together - perhaps delaying patches, implementing compensating
controls or accepting risks with approval.

Auditor: Are there any gaps in training or knowledge transfer between
sysadmin and infosec teams?

SysAdmin: Knowledge sharing occurs informally via meetings and
tickets. More formalised cross-training could be beneficial though to
expand skills. Shadowing and job rotations could help strengthen the
partnership and understanding between our teams.

Transcript of interview with Typical Employee
TRAINING
OPERATIONAL SECURITY
DATA SECURITY

Auditor: I’d like to understand the security culture from an individual
contributor perspective. In your experience, how well does security
awareness permeate through the organisation?

Employee: I think there is pretty strong top-down emphasis on security
here. Training reminds us of policies and best practices. Managers also
enforce secure behaviour through oversight.

Auditor: That’s great to hear. And do you feel empowered to identify
and raise security concerns or incidents?

Employee: Yes absolutely. The open door policy with leadership makes
it comfortable to voice concerns. I know reporting mechanisms exist
anonymously also without fear of retaliation.

Auditor: Excellent. From your interactions, do IT and security teams
solicit feedback to improve controls and experiences?

Employee: Occasionally surveys request input and feedback on
policies and systems. I’ve also been involved in focus groups to assess
new controls before rollout, which I appreciate.

Auditor: That’s good collaboration. Lastly, are there any gaps you
perceive in security practices either at an organisational or individual
level?

Employee: Potentially improved security for our WiFi networks and
guest policies. Other than that, I think continuous training and
awareness smooths any rough edges in employee behaviour over time.

Auditor: What tools or systems do you use daily that are critical for
your productivity?

Employee: The ERP system for managing orders and inventory. Email
and instant messaging are hugely important for communication. The
VPN for remote access enables working from home.

Auditor: Have you noticed any recurring operational challenges related
to security controls?

Employee: The VPN can be slow during peak usage times, likely due to
the MFA requirements. Other than minor annoyances like that, no
major issues come to mind.

Auditor: Are there any areas of the business more reluctant to adopt
security best practices in your experience?

Employee: Generally no - company-wide training sets consistent
expectations. Sales teams tend to push back more when security
processes impact deals, but compliance is still mandated.

Transcript of interview with Vendor Partner
VENDOR MANAGEMENT
COMPLIANCE
RISK MANAGEMENT

Auditor: I’d like to discuss how security considerations are handled in
your relationship with our organisation. Could you describe the policies
and controls your organisation has in place?

Vendor: Absolutely. We maintain comprehensive information security
policies and technical controls aligned to standards like ISO 27001.
This includes access controls, encryption, vulnerability management,
risk assessments and more.

Auditor: Great to hear. And how are our security requirements
incorporated into the services or products you provide?

Vendor: We review all contracted security terms to ensure compliance.
Your CISO is provided validation of our controls via assessment reports
and certifications. We also accommodate any audits or risk reviews.

Auditor: Excellent. How is important security-related communication
handled between our organisations?

Vendor: We have regular status updates on programs, issues, and
initiatives. Any critical vulnerabilities or incidents would be reported to
your security team based on the contractual notification requirements.

Auditor: That covers the key points. To summarise - you have the
appropriate internal security posture, align to our policies
contractually, and maintain open communication channels for risk
management. Is that correct?

Vendor: Yes, that accurately represents our security relationship. We
take our clients’ requirements very seriously and aim to enable their
programs through our information security capabilities and practices.

Auditor: What training and awareness exists for your employees on
adhering to client security policies and handling sensitive data?

Vendor: Annual security training is mandatory for all employees. Those
dealing with customer data receive additional training on data
handling, privacy and confidentiality.

Auditor: How do you perform background checks on your personnel
prior to assigning them to our account?

Vendor: Standard background checks include criminal history,
employment verification and education confirmation. We can
accommodate other screening based on your policies and data
sensitivity.

Auditor: What access controls do you have around the systems,
applications or devices specific to our environment?

Vendor: Access is granted based on least privilege principles and
business needs. We implement controls like MFA, activity monitoring,
and privileged access management on your assets.

Auditor: Could you describe the secure development practices that go
into the software or applications provided to us?

Vendor: We follow standardised SDLC processes including security
reviews, static/dynamic analysis, vulnerability testing etc. Security is
built into designs and threat modeling occurs.

Auditor: Finally, what periodic reporting can you provide to
demonstrate ongoing compliance?

Vendor: We can provide artifacts like risk assessments, security
reports, audit results, and remediation status on a recurring basis
contractually.
