1-Tell me a little about yourself?
With virtually 5 years of experience IN IT, the last 3 as FISMA/C&A analyst WITH SMART THINK Corporation in Washington DC, I offer three key strengths that I believe are closely aligned to your needs for the position.
First-Worked on the phase of the RMF
Second-Developed and reviewed most of the artifacts such as SAR, SSP, PIA, PTA etc……
And third-Can work independently, lead or work as a TEAM MEMBER
Question to ask Interviewer???? And I’d love to hear more about what your need for this position. For instance, what do you consider the most pressing projects or issues I’d be tackling in the first 90 days on the job?
2-What were your responsibilities in the C&A team?
As a Certified Agent, I have assumed different roles including but not limited to: reviewed, analyzed and updated security plans (SSP); reviewed methods and tested procedures; accessed and evaluated in-place security controls and reported security assessment results (ST&E); provided finding and recommendation, prepared POAM, managed and controlled configuration, and monitored security controls.
3- Where did you work?
I have worked for SMART THINK a consulting firm specialized in IT security, IT audit
4- Did you do any scan? Scanning Tools? What did you do with the result?
I have not personally conducted any scanning but I have in depth knowledge and been exposed in how to install/configure, analyze the scan results and implement a process for addressing and identify vulnerabilities. Some scanning tools include Nessus scans and Nmap.
5- What are scans used for?
Scans are used to identify devices on networks (application/database)-IT environment that are open to known vulnerabilities.
6- What artifacts did you worked on?
I have worked on almost all the artifacts in the C&A process. To name a few, I worked on reviewing System Security Categorization, Analyzed and Updated System Security Plan, reviewed methods and tested procedures, accessed and evaluated security controls and reported security assessment results (ST&E), provided findings and issued recommendations and prepared POAM.
7- What are the most important security controls that you have implemented?
I have helped in implementing management, operational and technical controls in performing ST&E in the C&A process.
8- What it is a PTA? Have you worked on any PIA review team?
PTA: Privacy Threshold Assessment. Yes, I have
9- Who will draft the PIA?
A privacy impact assessment (PIA) usually is designed in a survey format and the certifying agent should work with the ISSO to discuss the best approach.
10- Did you have a security clearance?
NO but I am ready for any security clearance procedures.
11- What it is SP 800-60? FIPS199?
SP 800-60 is a special publication developed by NIST to assist federal governmentagencies to categorize information and information systems.
FIPS 199: Federal Information Processing Standard publication 199 developed again by NIST establishes security categories for both information and information systems
12- What is an Accreditation Boundaries?
Accreditation boundary according to NIST SP 800-37 regroups all components of an information system to e accredited by an authorizing official and excludes separately accredited systems, to which the information system is connected.
13- What are the C&A phases you know?
According to NIST, C&A process has 4 phases: Initiation, Certification, Accreditation and Monitoring.
14- What it is HSPD12?
HSPD12 stands for Homeland Security Presidential Directive 12. HSPD12 is a policy for a common identification standard for federal employees and contractors that require US government agencies to establish and follow a consistent standard for secure and reliable forms of identification issues by the federal government to its employees and contractors.
15- How will you handle a situation where you noticed a security violation by someone you know?
If there is a security breach by someone, I know I would report it to the ISSO for appropriate action to be taken.
16- What does POAM stand for?
POAM stands for Plan of Actions and Milestones
17- If you notice a POAM is 90 days overdue what who will you report this to as C&A agent?
If a POAM is 90 days due, I will report it to the system owner or the ISSO to have it updated.
18- What is a C&A Report CARD?
It is an annual self-report for FISMA and privacy information that agencies are required to prepare and submit to White House Office of Management and Budget.
19- What are the C&A report card grade?
The C&A report grade ranges from A for excellence and F for failure
20- Can an Inefficient POAM Management affect an agency report card?
Yes definitely. POAM is a document where all the vulnerabilities and below-standard security controls are identified and listed. It is the final document of the C&A process where GAO looked to determine what your plans are to reduce the risks to the systems. So a poor POAM management will affect an agency report card
21- What does OMB stands for?
OMB stands for Office of Management Office. It is an executive branch at the White House.
22-What OMB circular are you familiar with? OMB 123 and 130 Appendix III
I am more familiar with OMB 130 appendix III better than OMB 123.
23- What are C&A and FISMA? What is difference between the two acronyms?
C&A: Certification and Accreditation
FISMA: Federal Information System Management Act. C&A is a process in implementation FISMA which is a law
24- What is the leading C&A agency?
NIST is the leading C&A agency.
25- How do they call that leading agency documents?
The leading agency documents are called Special Documents.
26- Can you list 7 NIST SP you used in the PAST and what are they used for?
FISP 199 is used to identify and categorize information systems.
NIST SP 800-30 “Risk Management Guide for Information Technology System” addresses risk assessment for Federal agencies.
NIST SP 800-53 A “Guide for Assessing the Security controls in Federal Information system” provides guidance in the selection and configuration of security controls for federal information systems.
NIST SP 800-37 is used as a “Guide for the Security Certification and Accreditation of Federal Information Systems.
NIST SP 800-18 is used as a “Guide for developing security plan for federal information systems” NIST SP 800-34 “Contingency Planning for Information Technology Systems” is used for configuring contingency plan for information system if disruptive events occur.
NIST SP 800-60 “Guide for mapping types of information and information systems to security categories” and is used in conjunction with FIPS 199 to determine the security category of information systems.
27- Who do you report to?
I report to the ISSO.
28- Where you part of External Audit or internal Audit?
I was part of both external and internal audit.
29-Were you part of the C&A team?
Yes, I was part of a C&A process.
30- How many people were in your team?
There were 4 people in the team
31- Do you have a Certification?
No but I am actively working on becoming a Certified Information System Security Professional (CISSP)
32- Do you have a question for me?
What would the ideal person in this job accomplish on a weekly basis? What do you look for when considering someone for promotion?
To whom I will report?
Who will make the final hiring decision?
33- How do you handle adversity/Difficulty?
Look at adversity as a challenge and identify ways to apply your problem-solving skills to overcome it.
34- What is your Weakness?
I have come to realize that as C&A analyst, my greatest strength-which is my analytical skills-can sometimes be my greatest weakness if I over-rely on my logical relational side and don’t factor in the human equation in everything I do. What I’ve done to counter to make sure I ask for input from team members who offer different perspective.
35- What is considered your strongest character?
I have a number of strengths that would be of value to the position. As it relates to what we’ve discussed, I’d point to 3 keys factors.
May I ask, what kinds of goals are you targeting for the next 3 to 6 months?
36- How do you develop an SSP?
Before an SSP is developed, system needs to be categorized and control selected. Appropriate personnel need to be interviewed for the creation of the ssp.
37- What is an MOU/ISA?
Memorandum of understanding (MOOU) is an agreement between two system owner and focus more on responsibilities. Interconnection Security Agreement (ISA) is an agreement between system owner and more focus on how the interconnected systems will be secured. It is more technical.
38- How do you develop an SAR?
Through an ST&E-interview, examination and test.
39- How do you conduct and ST&E?
Interview Examination Testing
40- What is DMZ?
demilitarized zone, a computer or small subnetwork that sits between a trusted internal network, such as a corporate private LAN, and an untrusted external network, such as the public Internet.
41- What are the components of COSO?
The new COSO framework has two sub frameworks Enterprise Risk Management (ERM)
42- What are the components of COBIT?
The new COBIT 5 contains two big areas, a total of 5 domains and 37 processes:
COBIT 4.1 has 4 domains, 34 processes and 318 controls
43- What is SAS 70?
Statement on Auditing Standards No. 70 (SAS70). One of the most effective ways a service organization can communicate information about its controls is through a Service Auditor’s Report. Two types of reports are generated: Type 1(Description of controls) and type 2 (Description of controls and testing of control over six months).
44- What is SSAE 16?
Statement on Standards for Attestation Engagements 16 (SSAE16) has replaced SAS 70 and have three Service Organization Control (SOC) Reports SOC1 for any service organization, SO@ and SOC3 for cloud service provided base on the Trust Services Principles (TSP)- security, confidentiality, integrity, availability, and privacy.
45- What is firewall?
A firewall is a system (software or hardware) designed to prevent unauthorized access to or from a private network
46- What is LDAP?
It is a hierarchical database thus father to son, usually used for authentication. It is good for write once and read many time data storage.
47. Name the component of the OSI mode
Physical, data, network, transport, session, presentation, and application