general security questions for IT manager

Posted on 2006-07-19
Last Modified: 2013-12-03

I'm the only techie person available to help interview these candidates for the position of 'IT Manager'. Can you give me a few good questions to ask, in the area of Microsoft Security and MS SQL Management/Security?

Question by: MaritimeSource

Accepted Solution

Dbergert earned 200 total points
ID: 17141402
I would ask them practical steps on what they would do to lock down, or harden, an OS, web server, database server, etc., and how they would design a secure network and system. Group Policy for Windows...

Ask about experience with Windows, Linux, Unix, etc., web servers and database servers, and ask about "SQL Injection" and database permissions and security.

Security is also a "process" ... So...

So I would ask about monitoring, logs, configuration, patch management (WSUS), Anti Virus, Anti Spyware, Firewalls, IDS, IPS, Configuration Management, Change Control, Incident Reporting and Issue Tracking, Developing Security Policies and Procedures, etc., Disaster Recovery, Business Continuity Planning, Backup and Recovery.

I would kind of ask in a tone of "What do you know about, or how would you use: xxxxxxxxxxx" and see how many "I don't knows", shrugs, or very excited and detailed answers I get, in order to gauge competency.

These would be the topics and subject matter that I would look for in an IT Manager.

Let me know if you need any definition on any of these topics.


Assisted Solution

pterranova13 earned 150 total points
ID: 17141629
Also remember to see if they have done previous deployments of Microsoft, SQL, etc. If so, how they went, what problems they encountered, etc.

I was previously interviewing for my replacement (I was an IT Manager), and some of my biggest concerns were making sure they had worked, in my case, in a multi-location scenario. Also a big topic for my previous company was whether the interviewee had previous migration experience and was also in-depth with Active Directory, DFS, Disk Quotas... File Share.

Disaster Recovery and LAN/WAN Security are big ones too. You want to make sure the person has knowledge of different VPN, SSL, VLAN and Firewall systems. Depending on the type of equipment you are running, maybe certs in either Cisco, MCSE, Checkpoint, etc.

Asking people what they feel their weak points and high points are, either from a project they did or just in general, are always good questions to look at, to see how they answer them and also what their demeanor is. If they constantly say "oh yes, I know this and I know that", make them go more in-depth into why and how. Maybe people out there can say yes they know this and that, but only know the basics.

Best of luck!!


Assisted Solution

CoccoBill earned 150 total points
ID: 17144915
"I would ask them practical steps on what they would do to lock down, or harden, an OS, web server, database server, etc., and how they would design a secure network and system. Group Policy for Windows..."

I think this is a very good question, but probably not in the sense Dbergert provided it here. As I understand it, you're looking for an IT Manager, not a security engineer. I assume Dbergert expects to hear detailed technical implementation steps for hardening a system, which from a technical person is indeed exactly what's desired. However, it's hardly imperative for a manager to have deep technical knowledge on the subject; he needs to know the basics, of course, but more importantly he needs to understand processes, risks and implications. Therefore, if a person looking to be hired as a manager gave a technical answer to that question, I would probably be looking for other candidates. The answer you want to hear is a risk-oriented approach. A basic answer to the question might be:

Step 1: Identify your critical business systems and processes
Step 2: Identify the specific threats to your organization
Step 3: Evaluate the risks to your assets and probability of occurrence
Step 4: Determine appropriate actions to protect the assets (weigh the loss of assets vs the cost of implementing mitigating controls)
Step 5: Implement the chosen controls and verify that they meet the requirements
Step 6: Go to Step 1

Expert Comment

ID: 17145526

Wouldn't you feel that you would need to know more about the actual size of the team and how this IT manager would actually interact? For example, I was an IT Manager for a very small company and I was their only IT person. I needed to know not only the risk-oriented approach but also the technical side of things. Without knowing the tech stuff I would never have made it there. I think your comments are awesome and I absolutely agree with you on needing to have someone in a managerial role you would not want as technical, but I don't think it would be a harmful thing either.

Aside from that, I think what you wrote was right on and definitely something I would make note of in an interview process.


Author Comment

ID: 17145541
The company is small... only 15 people. No other techy people are there, so technical skills are a huge plus.

Expert Comment

ID: 17145597
There really isn't a definition of manager, so it really is a subjective term in this sense. There are technical managers, ops managers, etc. There are managers in small companies and in large companies. This isn't defined.

I stated that I would ask them "practical" steps, not necessarily technical steps... Given that the author wanted specific feedback on MS Security and SQL Sec, I would assume that they didn't necessarily have all of the Sec Analyst I, Sec Analyst II, DBA I, DBA II, SYSADMIN, NETADMIN, etc. staff that you might imply, and that the manager would have to bring some of this expertise to the table. Depending on the type of manager, the answer might be a technical answer, a general answer, or a basic understanding.

The author also states "I'm the only techie person available to help interview these candidates for the position of 'IT Manager'." So I assume that they are looking for someone with some technical understanding or skills.

If I was a small company, and got a big talk on Risk Assessment, I probably wouldn't hire them as an IT manager either :)

Bottom line is that the author will need to tailor these "ideas" to his situation and company as we don't have the organization's org chart here :)

You do bring up a *very good point* with the Risk Assessment and Management Process, especially if the company is subject to SOX 404, provides SAS 70s, or is regulated.
I would add that you would want buy-in from senior management on the RA processes, make sure that it is "approved" and that it is at least updated annually.

Some of the items I listed in the first post are considered general, organizational and logical controls.

If you would like to know more other than the steps Bill identified, you can look here: This is for the Financial Institutions side of things and from the FFIEC, but has some very good universal knowledge:

If you want more formal methodologies you can look into ITIL, COBIT, ISACA CISM certified, or even CISSP certified candidates.
Depending on your organization you might also want some input from Internal Audit or the Audit Committee as it relates to IT for some additional requirements.

Good Luck!


Author Comment

ID: 17145766
Just to clarify, originally I said "I'm the only techie person available..." then in my last post I said "No other techy people are there". Actually I'm just a contractor for the company (doing programming), but there are no techy people currently at the company, so this manager needs to have a deep technical skill set.


Expert Comment

ID: 17145792
That is what I thought :). Please refer to my first post and the second post by pterranova13.

Expert Comment

ID: 17146016
I agree with all of you, and of course, if he'll be the person responsible also for the technical implementations and maintenance, he will surely need to have lots of hands-on experience with most if not all of the technologies used. Then again, personally I think the job more closely describes an IT Administrator rather than a manager. This is no big issue, but it would possibly help you better find the proper candidates, as it would be clear to the applicants that deep technical knowledge is a requirement.

As for the questions to ask them, I would probably use past and current issues in the environment, and ask how and if they would be able to deal with them. For instance, SQL migrations and database consolidation, SQL authentication and delegation of control best practices, patch management, etc.

Expert Comment

ID: 17175371
"How many machines that you have been responsible for have been virused, hijacked, or broken into?"

Expert Comment

ID: 17185134

Have you begun interviewing yet? How has it been going? Hope everyone was able to give you advice to help better the interview process.
