IT Security Interview Questions pg.2

22. Have you used Compliance Technologies such as NIST?

No, however I know what it is:

-NIST (National Institute of Standards and Technology) is a US federal standards body rather than a technology. Its Special Publication 800-series reports on the Information Technology Laboratory's (ITL) research, guidelines, and outreach efforts in information system security, and on ITL's collaborative activities with industry, government, and academic organizations.

Specifically, NIST Special Publication 800-53 is the catalog of security and privacy controls for information systems. It covers the control-selection step of the NIST Risk Management Framework (RMF): once a federal system has been categorized under FIPS 199 (low/moderate/high impact), controls are selected from 800-53 to meet the minimum security requirements of Federal Information Processing Standard (FIPS) 200 for that category.

23. Have you worked with SOC 2?

No, however I am familiar with it:

Officially, SOC stands for "Service Organization Control" (the AICPA renamed it "System and Organization Controls" in 2017). Under the AICPA's attestation standards, qualified practitioners (licensed and registered Certified Public Accountants) issue SOC 1, SOC 2, and/or SOC 3 reports.

24. Can you tell me what SSAE 16 is?
-SSAE 16 (Statement on Standards for Attestation Engagements No. 16) is the AICPA attestation standard that replaced SAS 70 as the standard for Reporting on Controls at a Service Organization. It was itself superseded by SSAE 18 for reports dated on or after May 1, 2017.

-Service auditor reports that used to be issued as SAS 70 reports are now issued under the SSAE 16 standard as SOC 1 reports.

SOC 1 (SSAE 16) - A SOC 1 is a report on controls at a service organization that may be relevant to user entities' internal control over financial reporting (ICFR). A Type 1 report covers the design of the controls at a point in time; a Type 2 report also tests their operating effectiveness over a period, typically six to twelve months.

SOC 2 - A SOC 2 report is based on the Trust Services Principles, which grew out of the existing SysTrust and WebTrust principles. It evaluates an organization's information systems against one or more of five criteria: security, availability, processing integrity, confidentiality, and privacy. Security (the "common criteria") is mandatory in every SOC 2; the other four are optional. These map onto, but are broader than, the CIA triad (confidentiality, integrity, availability) for data. SOC 2 reports also come in Type 1 and Type 2.

SOC 3 - A SOC 3 report, like a SOC 2, is based on the same Trust Services Principles. The difference is that a SOC 3 is a general-use report: it carries the auditor's opinion but does not describe the system in detail or list the tests performed and their results, so it can be distributed freely and is usually used as marketing material. SOC 1 and SOC 2 reports are restricted-use and are shared with customers and their auditors under NDA.

25. Who needs to perform SSAE 16 (SOC 1) Audit?

If your Company (the ‘Service Organization’) performs outsourced services that affect the financial statements of another Company (the ‘User Organization’), you will more than likely be asked to provide an SSAE16 Type II Report, especially if the User Organization is publicly traded.
Some example industries include:
  • Payroll Processing
  • Loan Servicing
  • Data Center/Co-Location/Network Monitoring Services
  • Software as a Service (SaaS)
  • Medical Claims Processors

26. Can a Data Center be HIPAA compliant?
-There is no official HIPAA certification for data centers (HHS does not certify anyone as "HIPAA compliant"). A data center that stores or processes electronic protected health information (ePHI) on behalf of a covered entity is a business associate: it must sign a Business Associate Agreement (BAA) and is directly subject to the HIPAA Security Rule's administrative, physical, and technical safeguards. To assess one, ask to see its SOC 1 report (issued under SSAE 16) and, more usefully, its SOC 2 report, and map the controls they describe to those safeguards.

27. What are COBIT, COSO, ITIL, and ISO 27001?

28. Have you worked with ISO standards?

29. Cryptography - is the practice of protecting information by transforming it (encrypting it) into an unreadable form called ciphertext. Only someone who holds the secret key can decrypt the ciphertext back into plaintext. (In symmetric cryptography one shared secret key both encrypts and decrypts; in public-key cryptography anyone can encrypt with the public key but only the holder of the private key can decrypt.)
-Example tool: Pretty Good Privacy (PGP), or its free OpenPGP implementation GnuPG, because it is effective and free.
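To make "only those who possess the secret key can decrypt" concrete, here is an added example (mine, not part of the original notes and not a standard algorithm): a minimal symmetric stream cipher that derives a keystream from HMAC-SHA256 in counter mode and XORs it over the plaintext. The key, nonce and message bytes are constructed for the demo. It also shows the two caveats a practitioner should know: reusing a nonce under the same key leaks the XOR of two plaintexts, and a bare stream cipher is malleable (no integrity), which is why real systems use an authenticated cipher such as AES-GCM or ChaCha20-Poly1305 from a vetted library.

```python
"""Toy symmetric cipher: HMAC-SHA256 in counter mode as a keystream, XORed
over the plaintext. Teaching example only; not for production use."""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF(key, nonce || counter) for counter = 0, 1, 2, ... Without the key
    the output is unpredictable; the nonce makes it differ per message."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256)
        out += block.digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Returns nonce || ciphertext. The nonce is normally fresh random bytes;
    the parameter exists only so demo() can show what nonce reuse does."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    return nonce + xor(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor(ciphertext, keystream(key, nonce, len(ciphertext)))


def demo() -> dict:
    key = os.urandom(32)                      # constructed 256-bit secret key
    msg = b"transfer $100 to account 12345"   # constructed sample message
    blob = encrypt(key, msg)
    results = {
        "ciphertext_unreadable": blob[NONCE_LEN:] != msg,
        "right_key_recovers": decrypt(key, blob) == msg,
        "wrong_key_fails": decrypt(os.urandom(32), blob) != msg,
    }
    # Caveat 1: same key + same nonce => same keystream, which cancels out
    # when the two ciphertexts are XORed, leaking p1 XOR p2 to an observer.
    nonce = os.urandom(NONCE_LEN)
    c1 = encrypt(key, b"attack at dawn", nonce)[NONCE_LEN:]
    c2 = encrypt(key, b"attack at dusk", nonce)[NONCE_LEN:]
    results["nonce_reuse_leaks"] = xor(c1, c2) == xor(b"attack at dawn", b"attack at dusk")
    # Caveat 2: confidentiality is not integrity. Flipping ciphertext bits
    # flips the same plaintext bits, and nothing detects it: "$100" -> "$900".
    tampered = bytearray(blob)
    pos = NONCE_LEN + msg.index(b"1")         # the '1' in "$100"
    tampered[pos] ^= ord("1") ^ ord("9")
    results["malleable"] = decrypt(key, bytes(tampered)) == msg.replace(b"$100", b"$900")
    return results
```

`demo()` returns a dict of booleans, all of which should be True: the ciphertext is unreadable, the right key recovers the message, a wrong key does not, nonce reuse leaks the XOR of plaintexts, and a bit flip silently changes the amount. The last two are exactly what an AEAD mode (authenticated encryption) prevents.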

30. What is NAT?
-Network Address Translation (NAT) lets a router rewrite the IP addresses (and, in PAT, the port numbers) in packets as they pass between networks. Basic NAT maps addresses one-to-one; the far more common many-to-one form lets many hosts with private (RFC 1918) addresses share a single public IP address. Because a NAT router only forwards inbound packets that match a translation entry created by an earlier outbound packet, it incidentally blocks unsolicited inbound connections, but it is not a firewall and should not be relied on as one.

31. What is PAT?

-Port Address Translation (PAT) is the many-to-one form of NAT (RFC 3022 calls it NAPT). Every computer on the LAN is translated to the same public IP address, but each connection is given its own public source port number; the router keeps a translation table keyed on that port so replies can be routed back to the right private host and port.

PAT is also referred to as NAT overloading, port-level multiplexed NAT, or single-address NAT.
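An added example (mine, not from the original notes) that simulates the PAT translation table described above. The addresses are constructed from the RFC 5737 documentation ranges, and the `PatRouter` class and `Packet` record are my own names, not any vendor's API. It shows the three behaviours that matter: two LAN hosts using the same private source port get distinct public ports, a reply is mapped back to the right private host, and an inbound packet with no matching entry is dropped.

```python
"""Simulated PAT / NAPT translation table (teaching model, not a real router)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatRouter:
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # outbound flow 5-tuple -> public port the router chose for it
        self.outbound = {}
        # (proto, public port) -> (private ip, private port, remote ip, remote port)
        self.inbound = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: replace the private source with the public IP and
        a unique public port, creating state the reply can match against."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self.outbound.get(key)
        if pub_port is None:                  # new flow: allocate a port
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port,
                                                   pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet):
        """Internet -> LAN: look up the public destination port. No entry, or
        a packet from a different peer than the one the host talked to, is
        dropped (RFC 4787 'address and port-dependent filtering'). Returns the
        rewritten packet, or None when dropped."""
        entry = self.inbound.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None                        # unsolicited: no state, dropped
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                        # wrong peer for this mapping
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)


def demo():
    """Two LAN hosts, same private source port, same destination; one reply;
    one unsolicited probe. Returns (public ports, reply target, probe result)."""
    router = PatRouter("203.0.113.7")   # constructed public address (RFC 5737)
    a = router.translate_outbound(Packet("192.168.1.10", 51000, "198.51.100.5", 443))
    b = router.translate_outbound(Packet("192.168.1.11", 51000, "198.51.100.5", 443))
    reply = router.translate_inbound(Packet("198.51.100.5", 443, "203.0.113.7", b.src_port))
    probe = router.translate_inbound(Packet("198.51.100.9", 443, "203.0.113.7", 1026))
    return (a.src_port, b.src_port), (reply.dst_ip, reply.dst_port), probe
```

The peer check in `translate_inbound` is a design choice: a "full-cone" NAT (endpoint-independent filtering) would accept any source once the port is mapped, which is friendlier to peer-to-peer traffic but also lets any Internet host reach the private endpoint for as long as the mapping lives.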

32. What is TCP/IP?

-TCP/IP (Transmission Control Protocol/Internet Protocol) is the suite of protocols the Internet runs on. IP handles addressing and routing packets between hosts; TCP (and UDP) handle delivery between applications on those hosts. The same suite is used on private networks (intranets and extranets).

33. What is TCP?
-TCP stands for Transmission Control Protocol. It is connection-oriented: the sending computer first establishes a connection with the receiving computer (the three-way handshake: SYN, SYN-ACK, ACK) and stays connected for the duration of the transfer. Every segment is acknowledged and retransmitted if lost, and data is delivered in order, so both sides know the data arrived complete and intact; the connection is then closed with a FIN/ACK exchange. "Safely" here means reliably, not securely: TCP provides no confidentiality or authentication, which is the job of TLS on top of it.

34. What is UDP?
-UDP stands for User Datagram Protocol. It is connectionless: the sending computer packages the data into a datagram addressed to the destination IP and port and hands it to the network, with no handshake, no acknowledgements, no retransmission and no ordering. Routers forward a UDP datagram exactly as they forward a TCP segment; the difference is that nothing at the transport layer tells the sender whether it arrived. That makes UDP cheap and fast (DNS, VoIP, video), but because there is no handshake a source address is easy to spoof, which is why UDP services are the usual vehicle for reflection and amplification DDoS attacks.

35. What is IP?

-IP (Internet Protocol) is the network-layer protocol that addresses and routes packets. Every computer or device reachable on the Internet needs a unique public IP address (IPv4 addresses are 32 bits, written as four dotted decimals such as 192.0.2.1; IPv6 addresses are 128 bits). Hosts behind NAT use private addresses that are unique only within their own network. The IP address gets a packet to the right machine out of the millions connected to the Internet; once it arrives, how does your computer know which program should accept it? By the TCP or UDP port number carried in the packet.

36. What are Ports?

-Ports work the same way. You have an IP address, and then many ports on that IP address. The port field is 16 bits, so there are 65,536 port numbers (0 through 65535) for TCP and another 65,536 for UDP; port 0 is reserved, leaving 65,535 usable per protocol. When a program on your computer sends data over the Internet, it sends it to the remote computer's IP address and a specific destination port (usually a well-known one such as 443 for HTTPS), and receives the reply on an ephemeral source port that its own operating system picked more or less at random from a high range (IANA recommends 49152 to 65535; Linux defaults to 32768 to 60999). The 5-tuple (source IP, source port, destination IP, destination port, protocol) is what identifies one connection among many.

 <-------------------- --------------------> (IP Address)
0     1     2     3     4     5     ..     ..     ..     ..65531     65532     65533     65534     65535 (Ports)
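The following added example (mine, not from the original notes) runs the TCP and UDP behaviour from questions 33 and 34, and the ephemeral-port point from question 36, against real sockets on the loopback interface. It assumes only the Python standard library and a host that allows binding to 127.0.0.1; the function names are my own. It shows that a TCP exchange needs listen/accept and that a SYN to a closed port gets an immediate refusal (RST), whereas a UDP `sendto()` "succeeds" whether or not anyone is listening, and that in both cases the client's local port was chosen by the OS from the ephemeral range.

```python
"""TCP vs UDP on loopback, plus OS-assigned ephemeral ports (teaching example)."""
import socket
import threading

HOST = "127.0.0.1"


def _free_port(kind: int) -> int:
    """Bind to port 0 so the OS hands out an unused port, then release it,
    giving us a port that (almost certainly) has no listener."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def tcp_roundtrip(message: bytes):
    """Connection-oriented: listen, handshake (accept), exchange data, close.
    Returns (reply, server_port, client_ephemeral_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((HOST, 0))              # port 0: let the OS pick a free port
    listener.listen(1)
    server_port = listener.getsockname()[1]

    def serve():
        conn, _peer = listener.accept()   # completes SYN / SYN-ACK / ACK
        with conn:
            conn.sendall(conn.recv(1024).upper())   # echo back, upper-cased
        listener.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    with socket.create_connection((HOST, server_port), timeout=5) as client:
        client_port = client.getsockname()[1]       # ephemeral port from the OS
        client.sendall(message)
        reply = client.recv(1024)
    t.join(5)
    return reply, server_port, client_port


def udp_roundtrip(message: bytes):
    """Connectionless: no listen/accept, the datagram simply arrives at the
    bound port. Returns (reply, server_port, client_ephemeral_port)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind((HOST, 0))
    server_port = server.getsockname()[1]

    def serve():
        data, peer = server.recvfrom(1024)
        server.sendto(data.upper(), peer)
        server.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(5)
    client.sendto(message, (HOST, server_port))
    client_port = client.getsockname()[1]  # first sendto() bound an ephemeral port
    reply, _ = client.recvfrom(1024)
    client.close()
    t.join(5)
    return reply, server_port, client_port


def send_to_nobody(message: bytes):
    """What each protocol reports when nothing is listening. TCP: the kernel
    answers our SYN with RST and connect() fails at once. UDP: sendto()
    succeeds and the datagram just vanishes; an unconnected UDP socket may or
    may not surface the ICMP port-unreachable as an error, so silence and an
    error are treated alike. Returns (tcp_result, udp_sent_ok, udp_got_reply)."""
    try:
        socket.create_connection((HOST, _free_port(socket.SOCK_STREAM)), timeout=2).close()
        tcp_result = "connected"
    except ConnectionRefusedError:
        tcp_result = "refused"
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.settimeout(0.5)
    sent = udp.sendto(message, (HOST, _free_port(socket.SOCK_DGRAM)))
    try:
        udp.recvfrom(1024)
        got_reply = True
    except OSError:                        # timeout, or refused via ICMP
        got_reply = False
    udp.close()
    return tcp_result, sent == len(message), got_reply
```

`tcp_roundtrip(b"hello")` returns `b"HELLO"` plus the two ports, `udp_roundtrip` does the same without any accept step, and `send_to_nobody` returns `("refused", True, False)`: TCP told us immediately, UDP reported success and heard nothing back. That silence is also why a UDP port scan is slower and less conclusive than a TCP one.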