“You have been selected to be interviewed by the CISO about current information security practices within our US region Security Operations Center.
He will be in the office tomorrow, please make yourself available for a period of 1 hour.
Regards, John Smith, Information Security Data Officer”
“Great…” I thought. “Just what I need…an interrogation by a C-Level executive.”
As I walked into the conference room the next day I was greeted first by an individual I had not met before. He introduced himself as one of the company’s information security officers. He handed me his business card.
“John Smith, Information Security Data Officer, CISSP - ISSAP”
The guy who sent me the email.
He then guided his hands to a gentleman sitting on the other side of the conference room, “Luke, meet our new CISO.”
Without hesitation, I extended my arm out as the CISO raised himself off the chair and greeted me with a pleasant British accent and a firm handshake.
“Hello there Luke, pleased to meet you, thank you for sharing your time with us.”
So far so good….
“Please don’t be nervous, you’re not in trouble” chuckled the security officer.
I laughed nervously. One of those laughs you force yourself to do out of fear.
“As you know, we’re in the process of being re-certified against the ISO 27001, and want to better prepare ourselves and our employees for when the auditors arrive in a few months. What we want to know from you is just how things work here in the SOC, and where we can fine-tune some policies and procedures,” continued the security officer. “So have a seat, and let’s begin.”
I sat down on the chair, folded my arms, and told myself to maintain eye contact, act natural, and not break down like a nervous lump. I can fake confidence pretty well.
“When you were first hired, what kind of training did you receive on our security practices here?”
“Ummm, well, I really had no previous experience in firewalls or Linux, so a lot of it was on-the-job training. I’d take tickets that I wasn’t really familiar with, and try to resolve them by looking at past…” I was cut off by the CISO.
“Not our specific devices. Tell us what training you received on how things work here in the SOC. By which I mean how to login to internal systems, what passwords you were told to use, how you generated your public/private keys, or even how to get into this building.”
The CISO’s tone had turned serious since the handshake.
I replied, “Sure…so I was asked to generate my own keys using PuTTY by our SOC manager. He issued me a badge to get into the building, and a smart token to log in to the initial systems. He also provided a quick lesson to all the new employees on how to actually log in to the systems and look at customer devices.”
The security officer interjected, “So the manager showed you all this? Not our IT department, which is in charge of issuing access?”
I thought I had gotten my manager in trouble, but had to be honest, “Right.”
The security officer scribbled something down on his notepad. That can’t be a good thing.
“So what about accessing our firewall systems and our customer systems? What passwords do you use?”
I thought this was a trick question, and decided to play along. “Uhhh, I don’t think I can give you that information,” I said kind of bravely.
They both laughed.
The CISO chimed in. “That’s a good answer Luke, and one that you should give the ISO auditor, because he will test you on whether you divulge this information. But it’s okay to tell us, we’re here to prepare you for just that kind of scenario.”
I explained how our password system works, the details of which I can’t go into in this post obviously.
“Okay thanks. It seems like some of the passwords are re-used. Has this ever changed?”
“Not since I’ve been here.”
Again, he scribbled something down on his notepad.
“Okay, last question: what security practices do you think can be improved around here? What improvements have been made in the past?”
This sounded like a total setup question. I thought by admitting what practices could be improved, I’d be pointing out our SOC’s weaknesses. I decided to keep my answer politically correct.
“Well, whatever security precautions are currently in place can always be improved upon. Sometimes we find out our controls are not effective in some places, after which our manager takes immediate action to correct them by sending out an alert email.”
More scribbles on notepad.
“But you can’t think of anything specific?”
I broke down. “Well, there was one incident where a previous employee had residual access after getting new privileges…but that was corrected immediately!”
The security officer shot a look at the CISO. “Okay yeah, we remember that. Okay, good. Okay Luke, thank you for your time and your insight. This is going to help us better prepare for the ISO 27001. We will keep in touch if needed.”
I got up and left.
The whole ordeal may have been a bit nerve-wracking, but while studying for the CISSP, I realized what had just happened. My interrogation/interview was part of the role of the information security officer, and one of their jobs is to prepare the company (and its employees) for security audits.
The key CISSP takeaway from this post would be the different roles a CISO and ISO play, and the importance of proper security practices in the workplace to be certified against the ISO 27001 standard.