Transcript of interview with ISM
Auditor: Thanks for meeting with me today. I’d like to discuss your security awareness training program for employees. Can you walk me through the current training curriculum?
ISM: Absolutely. All new employees are required to complete our Information Security Essentials course within their first 2 weeks. It covers data handling, social engineering, password policies, incident reporting and more.
Auditor: What about ongoing security awareness for existing employees?
ISM: We require annual security refresher training. This covers new cyber risks, policy updates, and emerging threats like phishing and ransomware. Completion is tracked and reported to management.
Auditor: That’s great. Are there any other ways you promote security awareness among employees?
ISM: Yes, we send regular company-wide emails about new threats or issues to watch out for. I also give live presentations at All Hands meetings which are recorded for our intranet.
Auditor: Excellent. Let’s discuss your policies and procedures around secure software development. What SDLC controls do you have in place?
ISM: We integrate security from design through deployment. Threat modeling, static code analysis, dynamic scanning, staged rollouts, and automation help remove risks in our pipeline.
Auditor: What security requirements do you have for third-party software your developers may leverage?
ISM: We mandate open source scanning for risks, licensing and vulnerabilities before use. Purchased software goes through procurement checks on the vendor and security testing. Legal reviews any provided agreements.
Auditor: Great overview. Let’s move on to chat about your security incident response plans…
Auditor: How do you identify and classify security incidents when they occur?
ISM: We have an established severity matrix based on impact and urgency. Incidents are assigned an S1 to S4 rating which guides response. Events feed into our SIEM solution and ticketing system.
Auditor: What forensic capabilities do you have to investigate incidents?
ISM: Our forensic toolkit includes endpoint monitoring, IT asset inventory, netflow analysis and sandbox detonation. We can retrieve time-sequenced data like logs and packet captures for analysis.
Auditor: How are incidents communicated internally and externally as needed?
ISM: We have defined escalation paths and stakeholders. Internal comms follow our crisis response plans. For external notification, we work with legal and PR teams to disclose per regulations.
Auditor: Could you outline the steps in your incident response plan?
ISM: Our playbooks cover triage, investigation, containment, eradication, recovery, and post-mortem reviews. We aim to quickly isolate and remove threats while preserving evidence.
Auditor: Finally, what types of security exercises do you conduct to validate preparedness?
ISM: We run tabletop exercises annually with executives to test decision making. Technical teams participate in red team/blue team drills to practice response capabilities. Lessons learned produce improvements.
Auditor: Do you face any challenges in getting other teams to adhere to security policies and requirements?
ISM: There can be some initial resistance to new policies but we focus on education and bridging gaps collaboratively. Demonstrating risk data helps gain buy-in. Persistent issues may require CISO or executive involvement. But generally teams understand the need once communicated.
Auditor: How are security training completion rates tracked across the organisation?
ISM: Our LMS generates reports on completion percentage rates per department. I review these regularly and follow up with managers on any lagging or problematic areas to improve adherence. We’ve set a company-wide 90% target.
Auditor: How do you receive and remediate security concerns raised by employees?
ISM: Employees can submit confidential security reports which feed into our vulnerability management system. Concerns are risk rated and handled promptly. I meet with individual employees as needed to understand issues for remediation.