Solved

general security questions for IT manager

Posted on 2006-07-19
685 Views
Last Modified: 2013-12-03
Hi,

I'm the only techie person available to help interview these candidates for the position of 'IT Manager'. Can you give me a few good questions to ask, in the area of Microsoft Security and MS SQL Management/Security?

Thanks
Question by:MaritimeSource
 
LVL 5

Accepted Solution

by:
Dbergert earned 200 total points
ID: 17141402
I would ask them practical steps on what they would do to lock down or harden an OS, web server, database server, etc., and how they would design a secure network/system. Group Policy for Windows...

Ask about experience with Windows, Linux, Unix, etc., web servers and database servers, and ask about "SQL injection" and database permissions and security.

Security is also a "process" ... So...

So I would ask about monitoring, logs, configuration, patch management (WSUS - http://www.microsoft.com/windowsserversystem/updateservices/default.mspx),
anti-virus, anti-spyware, firewalls, IDS, IPS, configuration management, change control, incident reporting and issue tracking,
developing security policies and procedures, etc., disaster recovery, business continuity planning, backup and recovery.

I would kind of ask in a tone of "What do you know about, or how would you use: xxxxxxxxxxx" and see how many "I don't knows", shrugs, or very excited and detailed answers I get, in order to gauge competency.

These would be the topics and subject matter that I would look for in an IT Manager.

Let me know if you need a definition of any of these topics.



0
 
LVL 1

Assisted Solution

by:pterranova13
pterranova13 earned 150 total points
ID: 17141629
Also remember to see if they have done previous deployments of Microsoft, SQL, etc. If so, how they went, what problems they encountered, etc.

I was previously interviewing for my replacement (I was the IT Manager), and some of my biggest concerns were making sure they had worked, in my case, in a multi-location scenario. Also a big topic for my previous company was whether the interviewee had previous migration experience and was also in-depth with Active Directory, DFS, Disk Quotas and File Share.

Disaster Recovery and LAN/WAN security are big ones too. You want to make sure the person has knowledge of different VPN, SSL, VLAN and firewall systems; depending on the type of equipment you are running, maybe certs in either Cisco, MCSE, Checkpoint, etc.

Asking people what they feel their weak points and high points are, either from a project they did or just in general, is always a good question: look at how they answer and also what their demeanor is. If they constantly say "oh yes, I know this and I know that", make them go more in-depth into why and how. Many people out there can say yes they know this and that, but only know the basics.

Best of luck!!

0
 
LVL 19

Assisted Solution

by:CoccoBill
CoccoBill earned 150 total points
ID: 17144915
"I would ask them practical steps on what they would do to lock down or harden an OS, web server, database server, etc., and how they would design a secure network/system. Group Policy for Windows..."

I think this is a very good question, but probably not in the sense Dbergert provided it here. As I understood, you're looking for an IT Manager, not a security engineer. I assume Dbergert expects to hear detailed technical implementation steps for hardening a system, which from a technical person is indeed exactly what's desired. However, it's hardly imperative for a manager to have deep technical knowledge on the subject; he needs to know the basics of course, but more importantly he needs to understand processes, risks and implications. Therefore, if a person looking to be hired as a manager gave a technical answer to that question, I would probably be looking for other candidates. The answer you want to hear is a risk-oriented approach. A basic answer to the question might be:

Step 1: Identify your critical business systems and processes
Step 2: Identify the specific threats to your organization
Step 3: Evaluate the risks to your assets and probability of occurrence
Step 4: Determine appropriate actions to protect the assets (weigh the loss of assets vs the cost of implementing mitigating controls)
Step 5: Implement the chosen controls and verify that they meet the requirements
Step 6: Go to Step 1
0
 
LVL 1

Expert Comment

by:pterranova13
ID: 17145526
CoccoBill,

Wouldn't you feel that you would need to know more about the actual size of the team and how this IT manager would actually interact? For example, I was an IT Manager for a very small company and I was their only IT person. I needed to know not only the risk-oriented approach but also the technical side of things. Without knowing the tech stuff I would never have made it there. I think your comments are awesome and I absolutely agree with you on not wanting someone in a managerial role to be too technical, but I don't think it would be a harmful thing either.

Aside from that, I think what you wrote was right on and definitely something I would make note of in an interview process.

cheers!!!
0
 

Author Comment

by:MaritimeSource
ID: 17145541
The company is small... only 15 people. No other techy people are there, so technical skills are a huge plus.
0
 
LVL 5

Expert Comment

by:Dbergert
ID: 17145597
There really isn't a definition of manager, so it really is a subjective term in this sense. There are technical managers, ops managers, etc. There are managers in small companies and in large companies. This isn't defined.

I stated that I would ask them "practical" steps, not necessarily technical steps... Given that the author wanted specific feedback on MS Security and SQL Sec, I would assume that they didn't necessarily have all of the Sec Analyst I, Sec Analyst II, DBA I, DBA II, SYSADMIN, NETADMIN, etc. staff that you might imply, and that the manager would have to bring some of this expertise to the table. Depending on the type of manager the answer might be a technical answer, a general answer, or a basic understanding.

The author also states "I'm the only techie person available to help interview these candidates for the position of 'IT Manager'," so I assume that they are looking for someone with some technical understanding or skills.

If I was a small company, and got a big talk on Risk Assessment, I probably wouldn't hire them as an IT manager either :)

Bottom line is that the author will need to tailor these "ideas" to his situation and company as we don't have the organization's org chart here :)

You do bring up a *very good point* with the Risk Assessment and Management Process, especially if the company is subject to SOX 404, provides SAS 70s, or is regulated.
I would add that you would want buy-in from senior management on the RA process, make sure that it is "approved" and that it is updated at least annually.

Some of the items I listed in the first post are considered general, organizational and logical controls.

If you would like to know more other than the steps Bill identified, you can look here. This is for the financial institutions side of things and from the FFIEC, but has some very good universal knowledge: http://www.ffiec.gov/ffiecinfobase/booklets/information_security/infosec_toc.htm

If you want more formal methodologies you can look into ITIL, COBIT, ISACA CISM certified, or even CISSP certified candidates.
Depending on your organization you might also want some input from Internal Audit or the Audit Committee as it relates to IT for some additional requirements.

Good Luck !



0
 

Author Comment

by:MaritimeSource
ID: 17145766
Just to clarify, originally I said "I'm the only techie person available..." then in my last post I said "No other techy people are there". Actually I'm just a contractor for the company (doing programming), but there are no techy people currently at the company, so this manager needs to have a deep technical skill set.

Thanks
0
 
LVL 5

Expert Comment

by:Dbergert
ID: 17145792
That is what I thought :) Please refer to my first post and the second post by pterranova13.
0
 
LVL 19

Expert Comment

by:CoccoBill
ID: 17146016
I agree with all of you, and of course, if he'll be the person responsible also for the technical implementations and maintenance, he will surely need to have lots of hands-on experience with most if not all of the technologies used. Then again, personally I think the job more closely describes an IT Administrator rather than a manager. This is no big issue, but it would possibly help you better find the proper candidates, as it would be clear to the applicants that deep technical knowledge is a requirement.

As for the questions to ask them, I would probably use past and current issues in the environment, and ask how and if they would be able to deal with them. For instance, SQL migrations and database consolidation, SQL authentication and delegation of control best practices, patch management, etc.
0
 
LVL 12

Expert Comment

by:GinEric
ID: 17175371
"How many machines that you have been responsible for have been virused, hijacked, or broken into?"
0
 
LVL 1

Expert Comment

by:pterranova13
ID: 17185134
MaritimeSource,

Have you begun interviewing yet? How has it been going? Hope everyone was able to give you advice to help better the interview process.

Cheers,

pterranova13
0