Skip to content

Governance, Risk & Compliance interview questions

Frameworks, audits, risk assessment, data protection law and security policy — the GRC side of security.

51 questions questions in this set
Once your data is in the cloud, is securing it entirely the provider's responsibility?

No. Cloud runs on a shared responsibility model: the provider secures the underlying infrastructure ('security of the cloud'), but you remain responsible for your data, identity and access management, configuration, and — for IaaS — the OS and patching ('security in the cloud'). The large majority of cloud breaches are customer-side misconfigurations like public buckets and over-permissive IAM, not provider failures. Assuming the provider secures your data is how those breaches happen.

Mid-levelCloudGovernance, Risk & Compliance
The full answer
Does using a VPN make you anonymous online?

No. A VPN encrypts traffic to the VPN server and hides your IP from the destination, but the provider can see and may log your activity, and logins, cookies, and browser fingerprinting still identify you. It moves trust from your local network/ISP to the VPN operator — that's privacy from the local network, not anonymity. Tor and strict operational discipline are different tools for a different goal.

JuniorNetworkingGovernance, Risk & Compliance
The full answer
You pull a pre-trained model from a public hub to run in production. What do you verify first?

A third-party model is a supply-chain dependency: verify it comes from a trusted source with matching checksums/signatures, that its license permits your use, and that the file format won't execute arbitrary code on load (prefer safe serialization over pickle-style formats). 'It loads' and 'download speed' say nothing about trust, and assuming public models are safe ignores real poisoning and deserialization risks.

Mid-levelAI & LLM SecurityGovernance, Risk & Compliance
The full answer
Developers paste customer PII into a third-party LLM API to draft support replies. What's the concern and action?

Sending customer PII to an external API exposes it to a third party's processing and retention and can breach privacy obligations. Minimize and redact what's sent, confirm the provider's data-use/retention terms and a data-processing agreement (or no-training guarantees), or move to a private deployment for sensitive data. Key length is irrelevant, and sending more PII increases the exposure.

Mid-levelAI & LLM SecurityGovernance, Risk & Compliance
The full answer
You're handing a forensic disk image to legal. What ensures its integrity and admissibility?

Evidentiary integrity rests on hashing the image at acquisition (e.g., SHA-256) and verifying the hash later to prove it's unaltered, maintaining a documented chain of custody, and analyzing a working copy so the original stays pristine. Renaming the file does nothing for integrity, and compressing it to save space neither proves integrity nor helps admissibility. Touching the original risks spoliation that can get the evidence thrown out. Hash, document custody, and work on a verified copy.

Mid-levelDFIR (Forensics & Incident Response)Governance, Risk & Compliance
The full answer
An auditor asks for evidence that access reviews happen quarterly. What do you provide?

Auditors test for evidence, not intent: show the access-review policy, dated records of each review with approver sign-off, and confirmation that flagged access was revoked and verified. A verbal confirmation proves nothing repeatable, a promise to start next quarter shows the control was not operating in the audit period, and an org chart describes reporting lines, not access decisions. Only the dated, attributable artifacts demonstrate the control operated as designed across the whole period.

Mid-levelGovernance, Risk & ComplianceIdentity & Access Management
The full answer
Leadership says 'we have backups, so we're covered for disaster recovery.' What do you clarify?

Backups are necessary but not sufficient: disaster recovery and business continuity are the tested capability to restore operations within agreed recovery time and recovery point objectives (RTO/RPO), which requires a documented plan, mapped dependencies, runbooks, and validated restores — not just the existence of backup files. Agreeing they're the same conflates a data copy with an operational capability. DR isn't merely buying insurance, which transfers financial loss but doesn't restore systems. And backups don't make a DR plan unnecessary — untested backups routinely fail when they're finally needed. The clarification: DR must be exercised, not assumed.

Mid-levelGovernance, Risk & ComplianceDFIR (Forensics & Incident Response)
The full answer
A system passes the compliance checklist, but you can see a real security gap. What's the right stance?

Frameworks set a minimum bar and can be fully met while real risk remains, so a passed checklist doesn't mean secure: raise the gap, assess its risk, and drive treatment regardless of the compliance status. Concluding it's secure because compliance passed is a dangerous conflation of two different things. Removing the gap from the report is misrepresentation and potentially fraud. Waiting for the next audit cycle knowingly leaves a real exposure open. The mature stance treats compliance as evidence of a floor, not a ceiling, and acts on risk you can actually see.

SeniorGovernance, Risk & Compliance
The full answer
Teams handle data inconsistently — some over-protect trivial data, some expose sensitive data. What foundational control helps?

Inconsistent handling usually means there's no shared definition of sensitivity, so the foundational control is a data classification scheme (e.g., public/internal/confidential/restricted) with defined handling, storage, and sharing requirements per level, letting teams apply proportionate controls. Encrypting nothing 'to keep things simple' or treating all data as public strips protection from data that needs it. Deleting all data older than a day destroys records the business and the law require. Only a classification scheme aligns the strength of controls to the actual sensitivity of the data.

Mid-levelGovernance, Risk & Compliance
The full answer
An employee leaves the company. What's the GRC-relevant control to verify?

Leaver risk is lingering access, so the control to verify is timely deprovisioning of every access path — directory accounts, SSO, VPN, privileged and service credentials, and third-party SaaS — reconciled against the joiner/mover/leaver (JML) process. Assuming HR handles it all without verification leaves gaps no one owns. Keeping the account active 'in case they come back' is standing, unmonitored risk. Disabling only email ignores the many other systems the person could still reach. The point is to verify access is actually and fully removed, not to trust that it was.

Mid-levelGovernance, Risk & ComplianceIdentity & Access Management
The full answer
You want to reduce PCI DSS scope. What's the standard approach?

PCI DSS scope covers systems that store, process, or transmit cardholder data plus anything connected to or able to affect them, so effective network segmentation isolates the cardholder data environment (CDE) and removes unrelated systems from scope, shrinking cost, effort, and risk. Encrypting every server doesn't define a boundary and connected systems stay in scope; adding untargeted firewalls everywhere isn't segmentation if it doesn't restrict and validate the data flows; and stopping people reading card numbers aloud is hygiene, not a scoping control. The systemic answer is to control where cardholder data lives and what can reach it.

SeniorGovernance, Risk & ComplianceNetworking
The full answer
A team identifies a new risk. As the GRC analyst, what do you do with it?

Governance means the risk is captured and managed, not informally handled: record it in the risk register with assessed likelihood and impact, assign an accountable owner, decide and document the treatment (mitigate, transfer, accept, or avoid), and set a review date. Fixing it yourself on the spot skips ownership, prioritisation, and tracking, and may not even be your call. Ignoring it until it becomes an incident is negligent, and emailing everyone creates noise but no accountability or follow-through. The register turns a one-off observation into a tracked, owned, revisited decision.

Mid-levelGovernance, Risk & Compliance
The full answer
A vendor sends you a SOC 2 report. What should you actually check?

A SOC 2 report only assures you if you actually read it: confirm it's the right type (Type II tests operating effectiveness over time, Type I only design at a point), check the scope and which Trust Services Criteria it covers, that the period is current and has no gap, what opinion the auditor gave (unqualified vs qualified), and review the noted exceptions plus the complementary user-entity controls (CUECs) you're responsible for. Merely confirming the report exists — or judging it by its cover logo or page count — tells you nothing about the vendor's actual control effectiveness or your residual obligations.

SeniorGovernance, Risk & Compliance
The full answer
`npm audit` flags a critical CVE in a transitive dependency used in production. What's the right response?

Transitive code runs in your app, so a critical CVE is your risk. Assess whether the vulnerable code path is actually reachable, then remediate by bumping or overriding the version (or mitigating) and verify in production. Ignoring it because it's transitive leaves a known hole an attacker can exploit. Suppressing the audit just hides the warning. Reinstalling node_modules pulls the same vulnerable version. Track it through SCA, don't silence it.

Mid-levelWeb SecurityGovernance, Risk & Compliance
The full answer
Leadership wants employees to access sensitive data from personal phones. As architect, what's a balanced control?

Balance usability and risk: enforce conditional access tied to device posture and isolate corporate data in a managed container (MAM/MDM) so it can be controlled and selectively wiped without taking over a personal device. Unrestricted access risks leakage on unmanaged, possibly compromised endpoints. An outright ban pushes people to insecure workarounds like forwarding data to personal email. And emailing attachments scatters sensitive data uncontrollably across devices you can never reclaim.

SeniorIdentity & Access ManagementGovernance, Risk & Compliance
The full answer
Leadership wants to buy one 'next-gen' product to 'solve security.' How do you respond as architect?

No single product stops every attack, so mature security layers independent controls — defense-in-depth — so the failure of one does not mean compromise. Map the proposed spend to the actual gaps across identity, network, endpoint, data and detection, and keep the complementary controls already working. Betting everything on one tool creates a single point of failure, and ripping out existing controls to replace them reduces coverage. Declining to spend at all ignores real gaps.

SeniorGovernance, Risk & Compliance
The full answer
A team says 'the database is encrypted at rest, so we're secure.' As architect, what's the gap?

Encryption at rest defends exactly one threat — physical or disk theft — and does nothing against a compromised application, stolen credentials, or sniffed traffic, because the database decrypts transparently for any authorized query. A sound design also requires TLS in transit, strong authentication and authorization, and proper key management with separation of duties. Doubling the at-rest encryption adds cost without changing the threat model, and encrypting only the backups leaves the live data and its access paths exposed.

SeniorCryptographyGovernance, Risk & Compliance
The full answer
A team is about to build a new payment feature. When and how should threat modeling happen?

Threat modeling is cheapest and most effective at design time, before code locks in decisions: walk the data flows, enumerate threats with a framework like STRIDE, and bake in mitigations, then revisit as the design evolves. Doing it only post-incident or at the annual pentest finds problems after they are expensive to fix and already exposed. And relying on 'careful developers' is a hope, not a repeatable, auditable control.

Mid-levelGovernance, Risk & ComplianceWeb Security
The full answer
A business unit wants to push customer PII into a new SaaS vendor next week. What does the architect require first?

Sending PII to a third party extends your trust boundary, so first run a vendor security assessment — data handling, encryption, access controls, certifications like SOC 2 / ISO 27001, sub-processors, breach-notification terms — and put a data-processing agreement (DPA) in place before any PII flows. A pricing contract or a sales rep's verbal word is not due diligence. And a 'polished website' tells you nothing about how the vendor actually protects data; you remain accountable for it.

SeniorGovernance, Risk & Compliance
The full answer
The board asks, 'Are we secure?' How should a CISO answer?

'Secure' is not binary; a CISO communicates in business-risk language: the most material risks, how current controls reduce them relative to the board's risk appetite, planned investments, and the residual risk being accepted. An absolute 'yes' is false assurance that collapses the moment an incident happens. 'No, we'll never be secure' is technically true but unhelpful and signals no command of the problem. A shopping list of firewalls and tools conveys spending, not risk or outcomes the board can actually govern.

SeniorGovernance, Risk & Compliance
The full answer
You confirm a breach exposing customer PII, and legal hesitates to disclose. What does the CISO drive?

Breach handling is governed by law and contract: work with legal to meet mandatory notification timelines (such as GDPR's 72 hours to the supervisory authority) and inform affected parties accurately. Concealment risks far larger fines, regulatory action, and reputational damage when it surfaces later. Dumping raw, unverified technical details prematurely can mislead customers and aid attackers. Scapegoating an individual employee is neither accurate, lawful, nor effective crisis management — it deflects from the organization's accountability.

SeniorGovernance, Risk & Compliance
The full answer
The board wants security 'metrics.' Which is most meaningful to report?

Board-level metrics should connect to risk and outcomes: detection and response times (MTTD/MTTR), patching-SLA adherence on critical systems, control coverage, and how residual risk trends against appetite. The number of attacks blocked by the firewall, antivirus signature counts, and total emails received are vanity numbers — they sound impressive but tell leadership nothing about whether risk is going down. The board governs risk, so metrics must let them see the trend and decide.

SeniorGovernance, Risk & Compliance
The full answer
A phishing simulation shows 30% of staff clicked the link. What's the constructive response?

A 30% click rate is a baseline to improve, not a list of people to punish: pair role-based training and a frictionless report button with technical defenses (MFA, email filtering, least privilege) so a single click doesn't lead to compromise, and track the trend over time. Publicly shaming employees suppresses the reporting you depend on. Declaring the workforce hopeless removes a control you should be strengthening. Another scary all-staff email isn't a measurable intervention and doesn't change behavior.

Mid-levelGovernance, Risk & ComplianceThreat Intelligence
The full answer
With a limited budget, how should a CISO decide what to fund?

Security spend should follow risk, not hype: use a risk assessment to direct money where business impact and likelihood are highest and current control coverage is weakest, then measure the reduction you achieve. Buying whatever the popular vendor sells ignores your actual threat profile and often funds shelfware. Spreading the budget evenly underfunds the few areas that matter most. Copying competitors assumes their risk profile equals yours, which it rarely does.

SeniorGovernance, Risk & ComplianceThreat Intelligence
The full answer
Why should a CISO run incident-response tabletop exercises BEFORE an incident?

Tabletops rehearse the human and decision side of IR — who has authority to declare an incident, how legal/PR/exec communication flows, and where the playbook breaks — so the first time you make those calls isn't during a real crisis. It's far cheaper to find gaps in a drill than mid-breach. They are not a hollow compliance checkbox, they're not for assigning blame for past incidents, and they are cross-functional, not SOC-only — leadership has to practice the decisions only they can make.

Mid-levelGovernance, Risk & ComplianceDFIR (Forensics & Incident Response)
The full answer
A legacy system can't be patched, and the business won't fund replacement this year. What's the CISO's correct action?

When you can't remediate, you manage the risk: reduce exposure with compensating controls (network segmentation, tightened access, enhanced monitoring), quantify the residual risk, and have the accountable business owner formally accept it with a defined review date. Unilateral shutdown oversteps the CISO's authority and harms the business. Ignoring it because it can't be fixed is negligence. Omitting it from the risk register hides accountability, breaks audit trails, and means no one is on record owning the decision.

SeniorGovernance, Risk & Compliance
The full answer
A key SaaS vendor announces a breach that may include your data. What are the CISO's first moves?

A vendor breach is your incident too: invoke incident response to scope which of your data and integrations were exposed, rotate any shared secrets, API keys and SSO trust, evaluate your own regulatory notification duties, and hold the vendor to disclosure. Passively waiting for the vendor cedes control of your own timeline and obligations. A public contract termination is premature theatrics before you even know your exposure. Assuming you're unaffected skips exactly the assessment that regulators and your own customers expect.

SeniorGovernance, Risk & ComplianceDFIR (Forensics & Incident Response)
The full answer
Someone fixed a prod issue by clicking in the console, but the infrastructure is managed by Terraform. What's the problem and fix?

The manual console change is configuration drift: the next terraform apply can silently revert the fix, and the change also bypassed peer review and audit. Reconcile it by codifying the change in Terraform, running plan/apply so code and reality match, and adding guardrails against ad-hoc console edits (least-privilege console access, SCPs, drift detection). Doing nothing leaves a landmine for the next apply. Deleting the Terraform state is destructive and can orphan or duplicate resources. Abandoning Terraform throws away reproducibility, review, and audit trails.

Mid-levelCloudGovernance, Risk & Compliance
The full answer
A business-critical production service looks vulnerable to a memory-corruption exploit that might crash it. What do you do?

Rules of engagement usually exclude DoS on production, and an unplanned crash causes real business damage and can void the engagement. Verify scope first; if a destructive proof-of-concept isn't authorized, prove the vulnerability through safer means and clearly document the likely impact. Firing the exploit for a screenshot is reckless. Running it repeatedly for 'reliability metrics' multiplies the outage. Skipping it silently hides a serious, exploitable risk from the client.

Mid-levelNetworkingGovernance, Risk & Compliance
The full answer
You're wrapping up an engagement where you uploaded webshells and created test accounts. What must you do?

Professional engagements end with full cleanup and an artifact inventory, so you don't leave new attack surface or muddy the client's environment. Leaving shells or accounts for the client to find is negligent and dangerous — a real attacker could reuse them. Keeping a backdoor 'for next time' is unethical and likely illegal. Deleting your own activity logs destroys the audit trail the client needs to validate the test and reconstruct what you did.

Mid-levelGovernance, Risk & Compliance
The full answer
During testing you find indicators that a REAL attacker is already inside the client's environment. What now?

Discovering an active intrusion is an out-of-band emergency: the rules of engagement should define an escalation path, so invoke it immediately, preserve evidence, and avoid contaminating an active incident. Continuing to test can interfere with the real attacker or destroy the very evidence responders need. Trying to evict the attacker yourself is out of scope, risky, and may tip them off. Waiting until the final report could mean days of ongoing breach and data loss.

SeniorDFIR (Forensics & Incident Response)Governance, Risk & Compliance
The full answer
For an authorized social-engineering test, which pretext is acceptable?

Social-engineering tests must stay within agreed, ethical pretexts: realistic enough to be useful but without coercion, impersonating authorities, or exploiting personal or medical situations. A generic IT password reset agreed in the rules of engagement is fair game. Impersonating a real employee's sick child or threatening someone with being fired causes genuine psychological harm. Pretending to be law enforcement impersonates authorities and is often illegal even with a signed engagement.

Mid-levelGovernance, Risk & Compliance
The full answer
You have SQL injection on a production app and could dump the entire customer database to prove impact. What's the responsible proof?

Prove the vulnerability without harming the client or hoarding their data: show you can read arbitrary data via the DB version, schema, or a single redacted sample, then stop. Dumping the full PII dataset creates breach-notification and data-handling liability for both parties. Dropping a table is destructive and well beyond proof-of-concept. Encrypting the database and demanding a bounty is extortion, not testing — it is a crime, not a finding.

Mid-levelWeb SecurityGovernance, Risk & Compliance
The full answer
Mid-engagement you discover an exploitable host that is clearly NOT in the agreed scope. What do you do?

Authorization defines the engagement, so testing outside the agreed scope is potentially illegal and breaches the rules of engagement no matter how tempting the target. Document what you saw, stop, and obtain written client approval before going further. Exploiting for 'more findings' is never a justification for unauthorized access. Quietly exploiting it if you think you won't be caught is both unethical and a crime, and self-extending the scope strips the client of informed consent.

Mid-levelNetworkingGovernance, Risk & Compliance
The full answer
Your report has 30 findings. How should you present them to be most useful to the client?

A useful report drives remediation: rank by business risk (likelihood × impact), surface the exploit chains that lead to critical compromise, and give actionable fixes for each finding. Alphabetical ordering buries what matters under what happens to start with 'A'. Longest-writeup-first rewards verbosity over severity. Dropping the lows hides real risk and the patterns the client needs for defense-in-depth, leaving them with a falsely reassuring picture.

Mid-levelGovernance, Risk & ComplianceWeb Security
The full answer
A critical unauthenticated RCE patch is out for an internet-facing server, but the team fears downtime. How do you proceed?

An internet-facing, unauthenticated RCE is emergency-grade: shrink the exposure window with a tested, staged or rolling deploy, and add compensating controls (restrict access, WAF rules) in the meantime. Waiting for the quarterly window leaves a wormable hole open for weeks. Blind production patching during business hours with no testing risks an outage and a botched rollback. Trusting the perimeter firewall does nothing — the service is already exposed and the exploit needs no credentials.

SeniorNetworkingGovernance, Risk & Compliance
The full answer
You're rolling out MFA and executives demand an exemption 'for convenience.' How do you handle it?

Executives are exactly the accounts attackers want (BEC, wire fraud), so exempting them inverts the risk model. Solve the friction, not the control: deploy phishing-resistant FIDO2/passkeys that are faster than codes. Caving to the exemption guts the program's credibility and leaves your highest-value accounts unprotected. Killing the MFA project abandons a top-tier control. Quietly enabling it behind their backs destroys trust and accountability.

Mid-levelIdentity & Access ManagementGovernance, Risk & Compliance
The full answer
You discover the application logs full credit-card numbers and passwords in plaintext. What's the fix priority?

Sensitive data should never reach logs: redact or mask at the source first to stop the bleeding, then remediate the historical logs and tighten access. PCI DSS forbids storing full PANs and CVVs this way, and passwords should never be logged at all. 'Internal' logs are still a prime breach target. Encrypting or ACLing the store still leaves cleartext secrets sitting in logs for anyone with read access — backups, SIEM pipelines, and admins all see them.

Mid-levelGovernance, Risk & ComplianceWeb Security
The full answer
What is the NIST AI Risk Management Framework and how does it structure AI governance?

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary, risk-based framework for governing trustworthy AI across its lifecycle. Its core is four functions: Govern (culture, policy, accountability — and it runs through the others), Map (context and risk identification), Measure (assess and track risks), and Manage (prioritize and respond). It also defines trustworthiness characteristics — valid and reliable, safe, secure and resilient, accountable and transparent, explainable, privacy-enhanced, and fair. It complements technical lists like the OWASP LLM Top 10 at the program level.

SeniorAI & LLM SecurityGovernance, Risk & Compliance
The full answer
Explain the categories of security controls and give examples of each.

Controls are classified two ways. By type: administrative (policies, training, procedures), technical/logical (firewalls, MFA, encryption), and physical (locks, badges, cameras). By function: preventive (stop an event — MFA, access control), detective (find an event — SIEM, IDS, audit logs), corrective (fix after — restore from backup, patch), deterrent (discourage — warning banners), and compensating (an alternative when the primary control isn't feasible). Defence in depth layers these so no single control failure leads to compromise.

Mid-levelGovernance, Risk & Compliance
The full answer
What are the core GDPR principles, and what is the breach notification timeline?

GDPR Article 5 sets seven principles: lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. For a personal data breach, the controller must notify the competent supervisory authority without undue delay and where feasible within 72 hours of becoming aware (Article 33). If the breach is likely to result in a high risk to individuals, the controller must also notify the affected data subjects without undue delay (Article 34).

Mid-levelGovernance, Risk & Compliance
The full answer
How do governance, risk, and compliance differ, and how do they relate?

Governance is how leadership sets direction, defines accountability, and aligns security with business objectives — the policies, roles, and oversight that say what 'good' looks like. Risk management is the process of identifying, assessing, treating, and monitoring threats to those objectives. Compliance is demonstrating adherence to obligations — laws, regulations, contracts, and internal policy. Governance drives risk decisions; risk informs which controls you need; compliance evidences that those controls meet required standards. Compliance is an outcome of good GRC, not a substitute for security.

SeniorGovernance, Risk & Compliance
The full answer
Explain HIPAA basics: PHI, the Security Rule safeguards, and who must comply.

HIPAA (the US Health Insurance Portability and Accountability Act) protects Protected Health Information (PHI). The Privacy Rule governs use and disclosure of PHI; the Security Rule applies to electronic PHI (ePHI) and requires three categories of safeguards — administrative, physical, and technical. It applies to covered entities (providers, health plans, clearinghouses) and to business associates that handle PHI on their behalf, bound by Business Associate Agreements. The Breach Notification Rule sets obligations to notify individuals, HHS, and sometimes the media.

Mid-levelGovernance, Risk & Compliance
The full answer
What is an ISMS under ISO/IEC 27001, and what role does Annex A play?

ISO/IEC 27001 specifies the requirements for an Information Security Management System (ISMS): a risk-based, top-down framework of policies, processes, roles, and continual improvement (Plan-Do-Check-Act) governing how an organisation manages information security. Annex A is a reference catalogue of controls. You don't apply them all blindly — you run a risk assessment, decide which controls are needed, and document the include/exclude decisions with justification in a Statement of Applicability (SoA).

SeniorGovernance, Risk & Compliance
The full answer
Name and explain the core functions of the NIST Cybersecurity Framework.

The NIST Cybersecurity Framework organises cybersecurity outcomes into core functions. In CSF 2.0 there are six: Govern (the new overarching function for strategy, roles, risk decisions, and oversight), Identify (understand assets and risks), Protect (safeguards to limit impact), Detect (find events), Respond (act on incidents), and Recover (restore capabilities). They are not strictly sequential — they run continuously and together describe a full lifecycle of managing cyber risk.

Mid-levelGovernance, Risk & Compliance
The full answer
Explain PCI DSS basics: what it protects, who it applies to, and scope reduction.

PCI DSS (Payment Card Industry Data Security Standard) is a security standard maintained by the PCI Security Standards Council that applies to any organisation that stores, processes, or transmits cardholder data. It is organised around control objectives covering a secure network, protection of stored cardholder data, vulnerability management, strong access control, monitoring/testing, and an information security policy. Scope is everything in the cardholder data environment (CDE) — so segmentation, tokenisation, and not storing data you don't need are the main ways to shrink scope.

Mid-levelGovernance, Risk & Compliance
The full answer
How would you design and measure a security awareness and training program?

Treat awareness as behaviour change, not an annual checkbox. Make it role-based (a developer needs different content than finance), continuous rather than a once-a-year slideshow, and grounded in real risks like phishing, social engineering, and data handling. Reinforce it with phishing simulations, just-in-time nudges, and clear reporting channels. Measure outcomes — phishing report rates, click rates, time-to-report — not just completion percentages. Build a culture where people report mistakes without fear, because fear suppresses reporting.

Mid-levelGovernance, Risk & Compliance
The full answer
Explain the difference between security KPIs and KRIs, with examples.

A KPI (Key Performance Indicator) measures how well a security activity is performing against its objective — for example mean time to detect, patch SLA compliance, or percentage of systems with MFA. A KRI (Key Risk Indicator) is a forward-looking signal that risk exposure is increasing toward an unacceptable level, with a threshold that should trigger action — for example the number of overdue critical patches, count of unmanaged devices, or failed access reviews trending up. KPIs tell you how you're doing; KRIs warn you about where you're heading.

SeniorGovernance, Risk & Compliance
The full answer
Explain SOC 2 Type I vs Type II and the Trust Services Criteria.

A SOC 2 Type I report assesses whether a service organisation's controls are suitably designed at a single point in time. A Type II report goes further: it tests whether those controls operated effectively over a review period, typically 3 to 12 months. Both are based on the AICPA Trust Services Criteria — Security (the required common criteria), plus optional Availability, Processing Integrity, Confidentiality, and Privacy.

Mid-levelGovernance, Risk & Compliance
The full answer
Walk me through how you assess and manage third-party (vendor) risk.

Treat vendor risk as a lifecycle, not a one-off questionnaire. Inventory your third parties and tier them by criticality and data sensitivity. Run due diligence proportional to tier — review SOC 2 / ISO 27001 reports, security questionnaires, pen-test summaries, and the data and access involved. Bake controls into the contract (security requirements, right to audit, breach notification, data handling, subprocessors). Then monitor continuously, not just at onboarding, and have a clean offboarding process to revoke access and recover or destroy data. Fourth-party (subprocessor) risk matters too.

SeniorGovernance, Risk & Compliance
The full answer
What are access reviews (recertification), and why do they matter?

Access reviews (recertification) are periodic checks where an accountable owner confirms each person's access is still justified, and revokes what isn't. They're the backstop that catches privilege creep, orphaned accounts, and entitlements granted for a project that ended. The control only works if a knowledgeable owner — usually the manager or resource owner — actually scrutinizes access rather than rubber-stamping it, and if revocations are enforced.

Mid-levelIdentity & Access ManagementGovernance, Risk & Compliance
The full answer

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.