Information Security Analyst Interview Questions & Answers

Question 1. What Are The Practical Solutions?

Answer :

• Mark information sensitive documents accordingly to warn the user.
• Restrict printing of documents to only certain hierarchies of documents.
• Have a clear desk policy for all information that is business sensitive.
• Ensure a procedure for hardcopy record keeping, archiving and secure destruction is in place. 

Question 2. What’s The Difference Between Encoding, Encryption, And Hashing?

Answer :

Encoding is designed to protect the integrity of data as it crosses networks and systems, i.e. to keep its original message upon arriving, and it isn’t primarily a security function. It is easily reversible because the system for encoding is almost necessarily and by definition in wide use.

Encryption is designed purely for confidentiality and is reversible only if you have the appropriate key/keys. With hashing the operation is one-way (non-reversible), and the output is of a fixed length that is usually much smaller than the input.

Question 3. How Do You Change Your Dns Settings In Linux/windows?

Answer :

Here you’re looking for a quick comeback for any position that will involve system administration (see system security). If they don’t know how to change their DNS server in the two most popular operating systems in the world, then you’re likely working with someone very junior or otherwise highly abstracted from the real world.

Question 4. Why Are Vendors/subcontractors A Risk?

Answer :

Vendors/Subcontractors often have as much or more access to company systems without the training or monitoring of their use. Often there is no exit strategy on contract completion. Vendors/Subcontractors can also be people working from home such as recruiters, data analysts etc. Vendors can also be providers of cloud services, software developers and other like services. Data is often communicated via email and rarely do companies check to ensure virus protection etc. is in place nor have a process to ensure data is securely removed from vendor assets post project. 

Question 5. When Does A Person Become An Information Security Risk?

Answer :

PEOPLE are often referred to as ‘insider’ risks. Either employees or subcontractors/vendors, become a security risk when they, either knowingly or unknowingly through their own behavior, work in a way that creates a risk to information security.

Examples include; sharing passwords, talking about clients on face book and chat rooms, losing assets such as laptops etc. 

Question 6. What Practical Asset Controls Can Be Put In Place ?

Answer :

• Password protection– stringent not ad hoc or ‘sloppy’
• Virus and malware protection software – test regimes for software including cloud technology usage
• Do not allow staff to upload software anto mobile devices.
• Strict policies and protocols around the use of CDs, DVD or USB Drives, smart phones, laptops, iPads etc. – anything that could hold confidential data 

Question 7. What Are The Actual Risks Associated With Assets?

Answer :

• COMPUTERS – data loss through network and hardware failure , breach of systems and hardware infection

• HACKERS/MALWARE/VIRUS – infect computer software and hardware incl. mobile hardware 

Question 8. What Are Asset Risks?

Answer :

ASSETS are mostly the hardware and software used by the organisation but are also buildings and other data storage areas

• COMPUTERS/OTHER DEVICES AND COMPUTER NETWORKS including cloud networks that store digital data. This includes access to computers and computer network.
• DATA stored on computers, other devices and computer network.
• BUILDINGS where computers and networks are held
• MOBILE ASSETS such as laptops, phones etc. are also assets

Question 9. How Do You Classify Information Security Risks Across An The Organisation?

Answer :

Its best classified according to the nature of risks:

1. ASSETS SECURITY RISK
2. PEOPLE SECURITY RISK
3. OPERATIONAL RISK
4. COMMUNICATIONS SECURITY RISK