Transcript for:
GRC Interview Questions Breakdown

Today we're going to discuss some interview questions for GRC jobs. GRC basically stands for governance, risk and compliance. In this video I am going to discuss a few questions which give you visibility about how to prepare for a GRC interview. I'm making this video in two parts, part one and part two, and I'm also planning to make future videos on GRC interviews based on the feedback. So if you're new to my channel, do subscribe to my YouTube channel and click on the bell icon to make sure you do not miss my future videos on the same topic. My name is Prabh Nair, and for more information you can refer to my LinkedIn profile. So without wasting time, let's start with the first part. Thank you.

So here is the first question: what is your understanding of GRC? Normally when you go for any interview, the interviewer always starts with the introduction of GRC. They talk about what GRC is, how GRC works, how GRC is implemented in the organization: what is your understanding of GRC? The reason they ask this question is that they want to know whether you know the basics of GRC or not. That is why I started this session with the introduction of GRC.

So here is the response. GRC stands for governance, risk and compliance, or governance, risk management and compliance, or governance, risk, compliance; that is basically the full form of GRC we have. Governance is a set of rules, policies and processes that ensure corporate activities are aligned to support business goals. That is what is called governance. Let me show you one video which gives you better visibility about governance; just give me a second. So there is a video, and there's no sound, but you just need to observe the video elements. If you notice in this video, the guy wants to reach the office; he breaks the mirror. If you notice, he has not followed any rule: breaking the glass, texting, taking a taxi. There is a risk in the way he took the taxi. No rules, nothing; no one is coming from anywhere. Even where rules have been given, no one is following them. The people are coming, they're jumping from the roof and coming to the meeting. So what have you discovered in this video? Lack of governance. Governance is called a system of organization structure, policy and strategy, and that entire thing was missing in the video. So governance is all about the set of rules, policies and processes that ensure the activities are aligned to support the business goals.

Let's take an example: we have parenting governance. Parenting governance is how they manage the kids. They created fixed rules: okay, at 6:30 in the morning you have to wake up, at 7:30 you have to take breakfast and rush for school, come back in the afternoon, you have a fixed schedule to play your cricket games and all that, there is a fixed schedule to complete your homework, and then you have to sleep. So Mom and Dad created these rules; they have a particular authority over their kids. Why do they have these things? Because in this way they want to give a great life to the kids. It's the same in the organization: we're creating a policy, we're creating an organization structure, we're creating a strategy. Why? Because I want everyone to go through a particular process by which we are able to create value in the organization. So the presence of policy, presence of strategy, presence of organization structure and presence of metrics and measurement: this is the example of a great system, which is also called good governance. So by governance we are able to address the issues in the video we have seen: there is a rule we can create, we can appoint the police officials, we can install cameras by which we can ensure we have a limited impact and we are able to create value for the organization. So that is why governance is called a set of operations, a set of rules, policies and processes that ensure the corporate activities, or activities, are aligned to support the business goal.

Second is called risk management. Risk management is all about managing risk to an acceptable level. It is a system by which we identify the risk, analyze the risk, evaluate the risk and treat the risk. The ultimate goal is to reduce the risk to an acceptable level, because risk cannot be eliminated.

The third part is called compliance. Compliance is basically about adhering to the rules, policies, standards and laws set forth by the industries or government agencies. One example I can give you: suppose in India there is a regulatory authority which is called IRDA. IRDA is basically for the insurance sector. Now I am starting a new company which is called Insurance Services. So as an insurance company, I need to comply with the IRDA guidelines. This is the agency who enforces the guidelines, so any company who wants to start insurance services needs to follow the IRDA guidelines. So what happens? We create a policy, we create a procedure, we create a strategy to make sure this abides by the IRDA guidelines. I'm using the word "abide"; you can use the word "compliance". So compliance is a set of processes by which you abide by the international, national, internal and external parameters. Compliance is not only about legal regulation; compliance is all about adherence to any kind of external or internal mandate. If management says, "we want this," then we implement the system, and make sure we implement the system in such a manner that abides by their orders. If RBI in India says that you need to implement strong security for a financial system, we will introduce those controls by which we comply with the RBI guidelines. So governance, risk management and compliance is a cycle: governance is basically a set of operations which implements risk management, so that we can comply with the legal and regulatory requirements and provide independent visibility to the board about the current structure. So this is all about GRC. Let's move to the next interview question.

Okay, so the next question: what is the difference between secrecy and privacy? The reason the interviewer wishes to ask this question is that they would like to know whether you know the basics of information security or not, and whether you are familiar with the regulations or not. So that is the reason they ask this tricky question, and if I am a CSO, or if I am a risk consultant or risk manager hiring for my department or hiring for my team, I'm definitely going to ask this question, because I would like to know whether you know the basics. So how do you handle this question? The thin line of difference between secrecy and privacy is that privacy is the state of information which is limited to the individual, and secrecy is a state of information which is related to the enterprise or business. Let's take an example. Your health records, your WhatsApp chats, your banking records, which are basically mapped to you as an individual: this is your privacy, that is a state of information that must stay with the individual. A company's business process, the company's project details, which are internal to the organization: it is very secret, it is very confidential, and that is basically called secrecy. So secrecy is a state of information related to the enterprise, and privacy is a state of information which is related to the individual. Let's move to the next interview question.

Okay, so interview question three: what is an audit, and how many types of audit do we have in the organization? We're talking about GRC; it means it's all about managing governance, risk management and compliance, I understand, okay. But the context here is that when it comes to the audit, what is the role of audit? Because audit is all about checking the controls. So sometimes the hiring manager looking for the candidate has the expectation: is the person aware of audits, is the person aware of different types of audits? Because sometimes in projects you need to review the audit reports. So that is why I added this question in this video. So what is an audit, and how many types of audit do we have in the organization?

An audit is an objective, unbiased evaluation of an organization. Auditing is defined as verification activities, such as inspections or examination of a process or system, to ensure compliance with the requirements. It can be anything. Example: we have a system A, we have a system B and we have a system C. I receive an instruction: "Okay Prabh, do one thing, can you just check whether this system has all the necessary controls as per the ISO 27001 standard?" Because they are claiming they are 27001 certified, they claim they have a CIS Benchmark. So please can you check whether this system is as per the CIS Benchmark, whether the system is as per 27001. So I will go and inspect the system, I will check the controls in the system and compare against the controls we have in 27001. If 27001 says the system must be protected with a password, I will just check whether the system is configured with a password. So that is how I am checking the presence and absence of the control. So that is all about audit.

But we have different types of audit. We have the first-party audit, which is called the internal audit. The internal audit is the third line of defense in the organization. There are two videos on the internal audit and how internal audit works which I already made, so you can check those. So the internal audit is the audit, also called the first-party audit, which basically occurs when the audit is performed within your organization by your own auditing resources. So we have a third line of defense, which is the internal audit, and they are the ones who audit your first line and second line, which are your business assurance and IT, and provide independent reports to the board. They directly report to the board, so you can say that they are the eyes and ears of the management. They audit not based on a certification, they audit not based on a standard, but they audit based on the set of SOPs, statement of procedures, which is agreed by their stakeholders. One example: in your company you have a change management process. The change management process should work as per the SOP which is approved by your stakeholders. So for me, the primary document I will use is the change management SOP, and based on my change management SOP I will check whether the change management team is basically working or not. Example: in the SOP, which is called statement of procedure, it is mentioned that the change needs to be closed in three days. So I will pick some samples and check whether the change was closed in three days or not. So in this way we're just checking the absence and presence of controls, we're checking the risk associated with the process, and we provide the independent report to the board.

Then we have the second-party audit. The second-party audit is the vendor audit. So you have your vendor management team; before you onboard any vendor, suppose this is your company, you're planning to onboard data center services, you're planning to onboard an MSSP. So before you onboard, you're doing the assessment of the vendors to make sure they comply with your requirements. I'm planning to onboard AWS services or cloud services and all that, but I make sure they comply with my regulations, they comply with my policies. So we have a dedicated team who does the audit of the vendor, and that is called the second-party audit. So the second-party audit is performed by the supplier, customers, contractor, often against the proprietary requirements and all that.

Then we have third-party audits. Third-party audits are basically audits done by independent parties, like when you face an audit like the ISO 27001 audit, or when you face regulatory audits; that is basically called a third-party audit. So first-party is the internal audit, second-party is your vendor audit, when you audit the vendors, and third-party is the audit you face from a third party like ISO authorities, ISO body audits, regulatory audits and all that. So these are the different types of audits we have. Let's move to the next interview question.

Yes, this is a very tricky question, interview question four. If you are a security consultant, you join a company and you want to implement an information security plan in the organization, so how are you going to perform that, how are you going to build the information security plan for an organization? I also received this question a lot on Instagram and LinkedIn, so I thought I would add that question in this video. So let's discuss this question: how to implement an information security plan in the organization. In this question the interviewer wants to know your experience. The interviewer wants to know whether you have real experience of information security or governance knowledge or not, or whether you just read the book and cracked this round. So they would like to know your knowledge, they would like to know your exposure in this particular area. This particular question might take 30 to 40 minutes also, because a lot of discussion is going to happen on this question, where they will throw some scenarios, they will give you some kind of case studies and ask you how you handle the situation, how you handle this, how you add this to a plan with a limited budget. So these kinds of pointers they're going to ask with this question.

So here my response is: the first step is to conduct a risk assessment to evaluate the current state of the organization. Instead of implementing anything new, first try to understand what they have, because risk assessment is a driving factor for any organization. So suppose I join as a consultant in any company; definitely I'm not going to implement something new there. I need to know first what they have, what is the gap, what is the current state, what is the desired state. Example: I join one company and their vision is to basically want automation; the vision is digital transformation, but the current technology doesn't support that digital transformation. So the current state is basically traditional servers, old applications, and their desired state is that they want digital transformation, they want cloud. So we prepare the strategy: we need a cloud solution, we need security, we need scripting, we need pen testing. So this is basically the state; this is something we identify as a strategy plan by which I am able to move from my current state to my desired state. So for this, the first thing is to conduct a risk assessment to evaluate the current state of the organization, to understand what they have and what they need to achieve, and also identify the loopholes.

Then perform the gap analysis between the current and target state to determine the potential areas of additional resource investment. A good consultant is one who brings the solution in a cost-effective manner. It is not necessary that on the first day you join the organization, the next day you approve the Check Point firewall to be installed. No: understand what they have and what they need to achieve.

Third, map the alignment of the current information security strategy and program with the business needs and corporate goals. That's the most important thing. The business budget is $70,000 and your budget is $90,000; it does not make sense. So make sure whatever strategy we have is aligned with the business objectives. Good governance is one where we have strategic alignment of information security with the business objectives.

And then document all the information security business risks within the risk register, indicate the compensating controls, and submit them with the business case to the management. Make sure when you convey the need for your solution, you convey it in the form of a problem statement. You need to explain it in such a way that they are able to understand, is it clear? Don't use any kind of technical parameters; use normal parameters by which you are able to explain to them. So this is how you are able to implement the information security plan in the organization. Let's move to the next interview question.

Okay, a very interesting question; definitely the interviewer is going to ask this question whether you're going for a GRC job, consulting jobs and all that. What is risk management, what are the phases of risk management? So how do you handle this? See, here the interviewer wants to know whether you know risk management skills: how you handle the risk, what is the way of defining the risk. So that's something they're going to ask.

So your response will be: see, the ultimate goal of risk management is all about limiting a risk to an acceptable level. Risk management is a process by which we identify, analyze, evaluate and treat the risk; risk management is all about managing risk. So the interviewer might ask, can we eliminate risk? No, risk cannot be eliminated; risk can only be reduced to an acceptable level, is it clear?

So in risk management the first step is called risk identification. In risk identification, the first step is to identify the context: what is the context of the business? Then identify the assets, identify threats, identify vulnerabilities which are associated with the assets. Always remember it is not necessary that I'm going to patch all the vulnerabilities; I really need to know what threats we have. So one example: the asset is my data center, the threat is basically ransomware or a hacker, the vulnerability is, like, we discovered a weak password, no backup has been taken. So the hacker basically uses this opportunity, a weak password, by which he performs the ransomware attack on the data center, and my control, my objective, is to reduce this impact. So in risk identification we are just identifying assets and asset value, identifying threats and identifying vulnerabilities. A threat is an action and a vulnerability is basically called a weakness. When we're talking about threats, a threat is basically formed from three actions: one is called motivation, what motivates the attacker; what is the opportunity he got; and what is the capability he has. We cannot control the capability, we cannot control the motivation, but what we can control is the opportunity, which is a weakness in my asset. So as I said, this is my data center, and there is a hacker. There is a probability that the hacker is going to hack my data center. So the hacker is basically a threat, and he discovered the weakness in my data center, which is called a weak password, and through that he gained access to the system. And what is the impact? The impact is disclosure of the data, or he gains access to data for which he does not have permission. So that is why risk is always measured by likelihood into impact. Risk is basically measured by likelihood and impact: likelihood basically means the threat is going to exploit the vulnerability, and if it happens, what is the impact. That is how we measure, likelihood into impact. So here is risk identification, where we identify threats, identify vulnerabilities, identify asset value.

Then the second stage is called risk analysis. We identify risk, but what is the level of impact? We need to measure, because it is not possible for us to address all the risks with the same level of control. So we need to identify the impact, we need to prioritize the impact on our different assets. So we have two ways to analyze the impact: one is called qualitative and one is basically called quantitative. Example: a hacker hacks into the server and there is a loss of forty thousand dollars. So this is basically the quantitative impact, where we are able to measure the value. The hacker hacks into the asset and it has a big impact; that is basically qualitative. So here the impact has been categorized based on high, low and medium, which is qualitative; impact measured based on numbers is called quantitative value.

So once we're done with that, the next thing is basically called evaluation, where we're going to evaluate the results, and then we take a call on how to treat the risk. We have options. We can avoid the risk; now risk avoidance comes into the picture in the case when the cost of opportunity is less but the impact is very high. Example: if I go for my CISSP exam, I know there is not much value I will get from the company, the company is not going to sponsor my certification, and in that area there is no other company who can offer me a job. So here I'm going to invest also, and if I fail there's no sponsorship, and if I pass and my boss gets to know, he might fire me. So it's better I avoid the idea which brings the risk to the organization; so it's better we avoid the risk. Second is basically called transfer. Transfer means we're transferring the financial impact to a third party. We go for risk transfer in the case when the likelihood is low but the impact is very high, like insurance. We take insurance not because every day we face the threat; we take insurance so that if tomorrow, at any point in time, any attack happens, it should not have a direct impact on my financial budget. Same as medical insurance: why do we take medical insurance? So that at any point of time, if we get admitted to the hospital, with the help of insurance we can transfer the impact to third-party companies, so they will pay for us. That is called risk transfer. Third is basically called risk mitigation, where we implement a control to reduce the risk to an acceptable level; that is called risk mitigation. And finally we have risk acceptance. Acceptance means where the level of impact is less but the opportunity is very high, where the risk is a reward for me: I know if I take this risk I will get a great return, so in that case we will accept the risk. So I know I have seven companies in my area; if I clear the exam I can switch to a new company and they're giving me a better hike. So let's take the risk and go for the exam. Even if I fail in the first attempt I can pass in a second attempt, and within one month of salary I am able to recover my cost. So here the risk was a reward for me instead of a liability, is it clear? So this is how we basically manage a thing.

So all this treatment is done based on the risk appetite of an organization, the risk appetite and risk tolerance of an organization. How? So this is basically called the risk capacity, and suppose we have a risk appetite. Risk capacity is all about the level of risk the organization is willing to accept to pursue the mission and vision. Risk appetite is the level of risk the organization is willing to take for a particular project, and risk tolerance is basically called the deviation. So if the risk is above the capacity, it's better to avoid the risk. If the risk is below the capacity, at the tolerance level, here we know we can apply the control and bring the risk below the appetite. So after implementing the control, we bring the risk below the appetite, and we can basically accept the risk. So the risk which is left after the implementation of a control, this is the risk which is left after implementing the control, is called residual risk. So based on risk capacity, risk appetite and risk tolerance, we basically evaluate and treat the risk.

So this is all from my side for the GRC interview. Do let me know how you find this video, and if you find this video useful, do share it with your network; this video might be helpful for those aspirants who are preparing for the GRC job. My name is Prabh Nair; for more information you can refer to my LinkedIn profile, and if you're still not subscribed to my channel, do subscribe to my YouTube channel and click on the bell icon to make sure you do not miss my future videos on a similar topic. Thank you, goodbye.
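The risk management phases described in the video (likelihood into impact, qualitative high/medium/low bands, residual risk after a control, and the avoid/transfer/mitigate/accept decision against capacity, appetite and tolerance) can be written down as a small risk register. This is an added example, not code from the video or its author; the 1 to 5 scales, the band cut-offs and the capacity/appetite numbers are my assumptions, and the sample risks are constructed.

```python
from dataclasses import dataclass

# Assumed 1..5 ordinal scales; the video only says "likelihood into impact".


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int             # 1 = rare ... 5 = almost certain
    impact: int                 # 1 = negligible ... 5 = severe
    control_reduction: int = 0  # likelihood points a proposed control removes

    def inherent_score(self) -> int:
        """Risk = likelihood x impact, before any new control."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk left after the proposed control is applied (residual risk)."""
        return max(self.likelihood - self.control_reduction, 1) * self.impact


def qualitative_rating(score: int) -> str:
    """Qualitative high / medium / low band for a score (assumed cut-offs)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class RiskLimits:
    capacity: int  # most risk the organization can bear for its mission
    appetite: int  # risk it is willing to take on a given project

    def tolerance_band(self) -> range:
        """Deviation above appetite that is still inside capacity."""
        return range(self.appetite + 1, self.capacity + 1)


def treatment(risk: Risk, limits: RiskLimits) -> str:
    """Pick a treatment following the rules given in the video."""
    score = risk.inherent_score()
    if score > limits.capacity:
        return "avoid"      # above capacity: do not take the risk at all
    if score <= limits.appetite:
        return "accept"     # already below appetite, no extra control needed
    # Inside the tolerance band: above appetite but within capacity.
    if risk.likelihood <= 2 and risk.impact >= 4:
        return "transfer"   # low likelihood, high impact: insurance-style transfer
    if risk.residual_score() <= limits.appetite:
        return "mitigate"   # control brings it below appetite; rest is residual risk
    return "avoid"          # assumption: control cannot reach appetite, treat as unacceptable


def build_register(risks, limits):
    """One register row per risk: inherent score, rating, residual, treatment."""
    return [{
        "asset": r.asset,
        "inherent": r.inherent_score(),
        "rating": qualitative_rating(r.inherent_score()),
        "residual": r.residual_score(),
        "treatment": treatment(r, limits),
    } for r in risks]


# Constructed sample register, starting from the video's data-center scenario.
SAMPLE_RISKS = [
    Risk("data center", "ransomware", "weak password, no backup", 4, 5, control_reduction=3),
    Risk("office laptop", "theft", "no disk encryption", 2, 5),
    Risk("intranet wiki", "defacement", "outdated CMS", 2, 2),
    Risk("payment gateway", "fraud", "no transaction monitoring", 5, 5),
]
LIMITS = RiskLimits(capacity=20, appetite=6)

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS, LIMITS):
        print(row)
```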