Recruitment still going on for the Job - JOB DETAILS
Candidate Name: Priya S.
Slot Time: 11:30 AM – 12:15 PM
Mode: Virtual Interview (Zoho Meet)
Location: Chennai
Panel Members: 2 (Compliance Lead + Security Analyst)
ROUND: Technical + Behavioral (Single Panel)
Q1: “Can you walk us through how you’d implement a PCI DSS compliance framework in an organization that’s never done it before?”
Candidate's Answer:
"Sure. I’d start with a gap assessment comparing current controls against PCI DSS requirements. Then I’d classify systems handling cardholder data, create a compliance roadmap, train relevant teams, and enforce policies around encryption, storage, and monitoring. Regular internal audits and ASV scans would follow. Also, I’d document everything for audit purposes."
Correct Answer: ✅ Well-structured. Hit key areas: gap assessment, scope definition, training, encryption, documentation, and scanning.
Feedback: Strong awareness of PCI lifecycle. Could’ve mentioned SAQ/DSS levels or QSA involvement.
Panel Score: 8.5/10
Q2: “What’s the difference between ISMS and QMS? Can you give practical examples where both were implemented?”
Candidate's Answer:
"ISMS is about managing information security risks; QMS is about maintaining quality standards. For example, in my previous org, ISMS was used for access control and DLP policies, while QMS tracked ticket resolution metrics and SLA adherence."
Correct Answer: ✅ On point. ISMS (like ISO 27001) = security. QMS (like ISO 9001) = process quality.
Feedback: Good basic distinction with practical linkage. Could've dived deeper into governance or certification paths.
Panel Score: 7/10
Q3: “How would you create a RACI matrix for incident response?”
Candidate's Answer:
"I’d list all stakeholders – Security Team, IT Ops, Management, Legal. Then I’d define who’s Responsible (Security), Accountable (CISO), Consulted (Legal), and Informed (Mgmt/HR). For each phase—detection, triage, containment, recovery—I’d assign roles."
Correct Answer: ✅ Yep. Defined structure and used the RACI framework correctly.
Feedback: Clear thinking. Bonus if she had mentioned automating this with a ticketing or IRM tool.
Panel Score: 9/10
Q4: “What kind of reports does RBI require from PA/PG entities, and how frequently?”
Candidate's Answer:
"I think there’s a quarterly reporting on cybersecurity posture and annual audits for compliance with SAR PSS PAPG norms."
Correct Answer: ❌ Partially correct. RBI expects regular cyber incident reporting (within 6 hours), quarterly compliance status, IT Committee meetings, and annual independent audits.
Feedback: Needs deeper knowledge of RBI mandates. Only scratched the surface.
Panel Score: 4/10
Q5 (Behavioral): “Tell us about a time you discovered a compliance issue. What did you do?”
Candidate's Answer:
"In my last job, we realized customer PII was being stored without masking. I raised it during a team audit, escalated it with evidence, and worked with DevOps to implement encryption at rest. We later updated our ISMS policies accordingly."
Correct Answer: STAR format followed: Situation, Task, Action, Result.
Feedback: Real incident, clear action. Shows ethics and initiative. Strong behavioral answer.
Panel Score: 9/10
Overall Interviewer Feedback
Technical Feedback:
-
Good grasp on PCI DSS, ISMS, QMS
-
RBI knowledge not at expected level
-
Strong on frameworks, but needs sharpening on Indian regulatory timelines
-
Could benefit from more exposure to automation tools or dashboards for compliance tracking
Communication & Soft Skills:
-
Speaks confidently and clearly
-
Used real-life examples well
-
Actively listened and clarified questions
-
Could show more ownership tone during leadership-type answers
