https://resources.infosecinstitute.com/topic/top-30-security-auditor-interview-questions-and-answers-for-2019/ 1/17
3/27/22, 2:36 PM Top 30 security auditor interview questions and answers for 2019 - Infosec Resources
This question is a warm-up to the rest of the interview, which will help you to show the interviewers that you know what the benefits and positive effects of security audits are.

This question seeks to find out how much you know about site assessments, threat assessments and general site surveys. You can expect to find similar questions to this in an interview, with special focus on your understanding of the expectations of your job role.
This question will test your knowledge of VMs and whether you have ever used them before. You might find that the questions are more vendor-specific, so if you only have experience with VMware then you should look at alternatives such as Hyper-V and Xen and familiarize yourself with them.
The interviewers are looking to find out how experienced you are with VMs and if you know what their usefulness would be in your day-to-day work, if any. While a security auditor might not use VMs every day, it is definitely worth your while to have a working knowledge of VMs and how to use them. You might find yourself conducting audits of these environments, as they are very popular as an on-premise solution for companies big and small.

First you need to establish a project scope, which tells you what you are looking for and where you will be looking. The next item is your intended goal: What are you hoping to achieve during this assessment? Next, you need to specify your team. Who will you need to have working with you and what are their special skills?
Once you are on-site, you can start documenting the systems that are in place and look at their external-facing vulnerabilities via the Internet. Find out what is visible through scans and look at any potential vulnerabilities that an attacker might be able to use to gain access. From there you can start looking at applying well-known tools that exploit weaknesses on the local network, as well as general security checks such as password strength and frequency of password changes.

After all of these avenues have been tested and documented, you can start making recommendations and compiling a report. All of your findings will go into the final report and will be looked at when you discuss the findings with your client.
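The "frequency of password changes" check mentioned above is one of the few steps in this process that is easy to turn into a repeatable, documentable test. The following is an added example, written for this page and not taken from the article: a small Python audit that reads /etc/shadow-style records and reports accounts whose password aging is outside policy. The 90-day maximum age, the sample records and the audit date are all constructed assumptions for illustration; the record layout is the standard nine-field shadow format.

```python
"""Password-aging audit over /etc/shadow-style records (added example).

Each record is name:hash:lastchg:min:max:warn:inactive:expire:reserved,
where lastchg is the day of the last password change counted from
1970-01-01. The policy threshold and the sample data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90            # assumed policy, not from the article
NEVER_EXPIRES = 99999                 # conventional "no maximum age" value
LOCKED_PREFIXES = ("!", "*")          # locked or no-login accounts

# Constructed sample records; the hashes are placeholders, not real digests.
SAMPLE_SHADOW = """\
alice:$6$placeholder$hash:18000:0:90:7:::
bob:$6$placeholder$hash:17800:0:90:7:::
svc_backup:$6$placeholder$hash:18030:0:99999:7:::
carol::18040:0:90:7:::
daemon:*:17000:0:99999:7:::
"""
AUDIT_DATE = date(2019, 6, 1)         # fixed so results are reproducible


@dataclass
class Finding:
    account: str
    issue: str


def parse_shadow_line(line: str) -> dict:
    """Split one shadow record into named fields; empty numbers become None."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError(f"malformed shadow record: {line!r}")
    names = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")
    rec = dict(zip(names, parts))
    for key in ("lastchg", "min", "max", "warn", "inactive", "expire"):
        rec[key] = int(rec[key]) if rec[key] else None
    return rec


def audit_account(rec: dict, today_days: int, max_age: int = MAX_PASSWORD_AGE_DAYS) -> list[Finding]:
    """Return policy findings for a single parsed record."""
    findings: list[Finding] = []
    name, pw_hash = rec["name"], rec["hash"]
    if pw_hash.startswith(LOCKED_PREFIXES):
        return findings                       # locked: nothing to rotate
    if pw_hash == "":
        findings.append(Finding(name, "empty password field"))
        return findings
    if rec["max"] is None or rec["max"] >= NEVER_EXPIRES:
        findings.append(Finding(name, "password never expires"))
    elif rec["max"] > max_age:
        findings.append(Finding(name, f"max age {rec['max']}d exceeds policy {max_age}d"))
    if rec["lastchg"] is None:
        findings.append(Finding(name, "no last-change date; aging disabled"))
    elif rec["lastchg"] == 0:
        pass                                  # 0 = must change at next login
    else:
        age = today_days - rec["lastchg"]
        if age > max_age:
            findings.append(Finding(name, f"password is {age}d old, policy is {max_age}d"))
    return findings


def audit_shadow(lines, today: date) -> list[Finding]:
    """Audit every non-empty record against the policy as of `today`."""
    today_days = (today - date(1970, 1, 1)).days
    findings: list[Finding] = []
    for line in lines:
        if line.strip():
            findings.extend(audit_account(parse_shadow_line(line), today_days))
    return findings


def run_sample() -> list[Finding]:
    """Run the audit over the constructed sample as of AUDIT_DATE."""
    return audit_shadow(SAMPLE_SHADOW.splitlines(), AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.account}: {f.issue}")
```

Against the sample data the audit reports bob (password 248 days old), svc_backup (no maximum age) and carol (empty password field); alice is within policy and daemon is locked. On a real engagement the same function would be fed the client's shadow file and the policy value agreed in the scope, and its output pasted into the findings report rather than acted on in place.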
You don't have to go into full details about what the process is, but you will need to show the interviewers that you are familiar with the process. Remember that not everyone holds the same standards or uses the same methods, so be sure to explain in general terms where possible. If the interviewers want more details, then you can get more specific.
While it is tempting to fix every bug and update every outdated computer that you come across, you are not on-site to do that kind of work. During a threat assessment, your primary goal is to document and compile information. There are IT personnel that are responsible for all of these elements, and if they are not maintaining the environment to a healthy standard then the report needs to show this so that it can be corrected. If you fix every glitch that you come across, then there would be no need for remedial action. Worse still, you could fix an issue on the network and then unintentionally break another system. It is best to leave the actual repairs and remedial action to those that are appointed by yourself or the client after the scope of the assessment has been properly looked at.
If you have any additional challenges that you are looking forward to taking on, then be sure to mention those as well. You want to make this a personal answer, as it shows how much this kind of work means to you as well as what your perceptions are of the role. And you might have goals that you wish to accomplish that the role simply doesn't offer. This is a good time to find out all of these facts, as you want to push yourself and grow in any new position that you take up professionally during the course of your career.
Sometimes you need to create more than one single report because the contents of each one will be worded differently depending on who the recipient is going to be. Executives will generally receive a report that is in plain non-technical terms but explains the operational and financial impact in terms that most management and executive figures are familiar with. The technical reports are generally prepared for the technical executives and management, although some organizations have technical capabilities in multiple departments. Each report is different, and each company's requirements will differ from site to site.

If you are able to show the interviewers that you understand how a standard report is generated, then you demonstrate your ability to follow a uniform methodology that yields consistent results. This is generally what they are looking for, but you should also reiterate that you understand the dynamic nature of businesses and that each organization has its own requirements and expectations from a security audit. Don't be afraid to show off your adaptability when dealing with audit reports and assessment documentation.

This question seeks to find out how you prioritize systems that need to be audited. How you arrive at your explanation will largely be determined by the kinds of work you have done in the past, especially relating to on-site security audits. Make sure that you rationalize your explanation and go into detail when you need to.
This is a basic technical question; you can expect many similar questions that ask for fundamental security explanations. This helps the interviewer understand what level of knowledge you have.

The interviewers want to know what kind of knowledge you have and how you keep yourself updated. There are literally hundreds of other examples of information security sources out there, so choose your favorite and talk about some of the reasons why you enjoy their content.
Interviewers who want to know how much practical experience you have might ask you questions like this. This is a great opportunity to let them know what you would do when faced with such a scenario, or even better, to give actual examples from your own experience of the scenarios that they pose to you.

In fact, most security issues are handled internally if a company has the necessary resources. External auditors are normally only brought in to confirm a suspicious finding or to perform tasks that the internal auditors might not be equipped to deal with.

Senior/advanced security auditor questions
Senior security auditors are professionals that have been in the industry for five to 10 years and possess a lot of practical and theoretical knowledge on how systems work, how they are compromised and how they are best protected. Some senior security auditors have been a part of a larger team and have taken on management and leadership roles and are probably looking to fill a position as either a technical lead or as a manager or advisor to a department. Professionals that are at this level of skill are valuable assets to a company, as their hands-on experience and practical knowledge can save a lot of time and money during an audit or investigation.

The main point that you need to get across is that the investigation and the specified outcome requirements will determine the scope and areas of interest to the investigator. The scope will be defined before you start, so any items that need to be added to the scope will be discussed before the proceedings on-site begin.

Share the positive experiences that you have from working on-site at your company or at your client's business locations. Keep your experiences relevant to the question being asked and go into as much detail as you can so that the benefits of your actions are clearly articulated.

This is an important question if you are applying for a position that has team lead prospects. If you don't have any experience with leading a team, then you should at least have managerial experience in a related field or a lot of experience as a security auditor that you can apply to the role that you are applying for. You need to have a solid understanding of how the entire auditing process unfolds from beginning to end, and how to compile reports and findings as you come across them during the course of your investigations.

There are many other differences that you can bring up in the interview if you are asked. However, the basics should be enough to illustrate your practical knowledge of the difference between the two operating systems. How your auditing process is affected by each of these operating systems will depend on the findings that you are pursuing, so be sure to ask follow-up questions so that you know that you are answering the specifics of their questions.

Encryption uses a series of keys which are used when encrypting and decrypting data. The keys perform changes to unencrypted data by applying ciphers. You can think of encryption as being used to secure sensitive information.
The other problem with using a cloud provider is that you do not actually know what the hosting facility is like or how secure it is unless you have actually met with a company representative in person and gone to the hosting site. This is why only reputable vendors should be used, where the location and security of the site can be verified and visited if necessary.

Think about some of the challenges that you have faced when mistakes were made. Remember how you dealt with them and specify the corrective steps that you took to resolve the issue. The fact that you were able to correct the issue and learn from it normally goes a long way in an interview, so try to keep things as detailed or as compressed as the interviewer encourages you to.
You can generally do this until you get right to the top of the management structure within a company. If things escalate that far, then it means that there is usually some kind of systemic issue within the organization, which should be raising concern. If an auditor is unable to complete the work that has been agreed upon because of a lack of cooperation, then the terms of the audit need to be renegotiated by the management structures so that the audit can be handed over to another company or carried out properly and with the full cooperation of the company in question.

These are loose guidelines, because all companies have their own set of escalation policies that they follow when trying to get uncooperative people to assist with audits. Be sure to relay your own personal experience to the interviewers, as they are likely to be curious about how you have dealt with such a situation before and what steps you personally took to resolve it.
How deep your audits go will depend on the level of security auditing that you do. The interviewer will generally steer you towards the direction of the role's requirements, but you might find yourself talking about more advanced threats such as these if the interviewer sees fit to do so.
Conclusion
Becoming a security auditor requires attention to detail and a systematic approach to record-keeping. You will need to look at the bigger picture whenever you are conducting a security audit as you slowly build up the reports and presentations that your clients need you to put together for them.

Remember that the more questions you practice with, the more chance you have of carrying yourself confidently in the interview. There are many more questions that you can practice with than these thirty examples! We recommend that you take a look at Skillset.com, which has more than a hundred thousand practice questions related to various certifications. The list of cert-related questions is vast, with PMP, CISSP, CEH, CHFI, Network+ and Security+ being just a few examples of what you can expect to find before your next big interview.
Author
Graeme Messina
Graeme is an IT professional with a special interest in computer forensics and computer security. When not building networks and researching the latest developments in network security, he can be found writing technical articles and blog posts at InfoSec Resources and elsewhere.