S.T.A.R [Situation - Task - Action - Result]


  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaims any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserves the right to update or change the information contained in this document at any time without prior notice.
  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.


S.T.A.R [Situation - Task - Action - Result]


  • Situation: Describe a specific event or situation that you were in: the who, what, where, when, etc.
  • Task: Explain the task you had to complete, highlighting any specific challenges or constraints.
  • Action: Describe the specific actions you took to complete the task, highlighting the desirable traits the interviewer is after.
  • Result: Close with the result of your efforts, including figures to quantify the result if possible.


Rationale for Dashboard

  • Region-wise data
    • Showcasing the overall SLA or RAG (Red, Amber, Green) status under two categories, to give a better holistic picture.
    • Status: Done; then Failed, Outstanding, Cancelled and Suppressed.
    • Breaking the statuses down by Critical, Important and Non-critical highlights severity.
  • Resource-wise data
    • Understanding the cost involved per resource type.
    • Mean Time To Repair (MTTR) per resource involved, and the number of tickets by status per resource group.
  • Statutory-wise data
    • The data sets are previewed through the statutory buckets, along with the calendar timeline and asset types involved.
  • P-Index-wise status
    • The various categories of P-Index are listed by status, then by quarter, and finally by importance, to understand severity.

What is:

  • Governance

    • The combination of rules, processes and policies that are used to achieve business goals.

  • Risk

    • The possibility of something negative happening: the chance of harm, loss or damage occurring. Risk is foreseen and then managed through risk treatment.

  • Compliance

    • Meeting the requirements set by internal or external sources, such as national regulatory laws (GDPR, PCI DSS) and board requirements.

  • Quality

    • The requirements that are accepted by the customer or end user:
      • Fitness for purpose
      • Value for money
      • Meeting expectations

  • Quality / Governance / Compliance

    • The successful implementation of Quality, Governance and Compliance (QGC) frameworks requires a collaborative effort driven by the board of directors, but also actively supported and executed by management and all employees.

Say About yourself

    I recently finished my Master's degree in Cybersecurity from NTU, and I did a placement year at HM Land Registry. With 16 years of experience in quality and security assurance, I also completed a Master's in Business Law focusing on contract and corporate law. 
    My background includes a Bachelor's degree in Electronics and Communication Engineering. I've dedicated a lot of time to learning through my home lab setup and practice. You can find details about the projects I've worked on in my blog.

What Do you Bring to this role? / Why would we regret not hiring you?

  • Strong Experience and Expertise:
    • I bring over 16 years of experience in software quality and security assurance to the table, encompassing areas like risk management, project facilitation, auditing, and process improvement. My certifications and academic background solidify my expertise in various quality standards and frameworks.
  • Leadership and Communication Skills:  
    • I have developed my leadership and communication skills through leading and managing teams, developing and implementing processes, and facilitating training programs. This experience demonstrates my ability to connect effectively with individuals and groups.
  • Data-driven Approach:
    • I utilise data-driven methods to achieve results. My past projects involved using statistical analysis to improve goals and building regression and logistic models. This reflects my analytical approach to problem-solving.
  • Passion for Knowledge Sharing:
    • Sharing knowledge and empowering others is a passion of mine. This is evident in my blogging and internal training experience, where I've enjoyed fostering a culture of continuous learning and development.
  • Adaptability and Diverse Skill Sets:
    • My adaptability and ability to learn new skills quickly are demonstrated by my experience across diverse industries and roles, including my time as a receptionist at Travelodge. This broad range of experience allows me to bring a unique perspective and skillset to any challenge.

Audit Life Cycle:

  • Audit Planning:
    • Audit Charter
      • Objective
      • Expected outcomes
    • Audit Plan
      • The scope of the audit
      • The periodicity of the audit
    • Audit Selection
    • Audit Scheduling
  • Audit Execution:
    • Performing the audit
  • Audit Closure:
    • Reporting
  • Continual Improvement:
    • Tracking non-conformances

An audit gives reasonable assurance, never 100%: it finds evidence, shows effectiveness and provides assurance.

Audit planning:-

  • Scope selection:
    • Risk-based approach:
      • The audit scope is based on identified risk areas.

    • Project Phase Alignment: 
      • The audit scope aligns with the current project phase (e.g., initiation, execution, closure).

    • Addressing past NCs:
      • Based on previous non-conformances and weaknesses.

    • Meeting External Certification Requirements: 
      • The audit scope ensures compliance with external certification standards.

  • Audit Plan communication and review 
    • Clear Communication: 
      • The finalized audit plan is effectively communicated to all stakeholders for review.

    • Approval Process: 
      • The audit plan undergoes a formal approval process.

    • Scheduling and Confirmation: 
      • Audit dates and auditee availability are reviewed and confirmed.

    • Finalized Schedule Published: 
      • The final audit schedule is published to all relevant parties.

Conducting Audit:-

  • Pre-Audit Preparation
      • Status of previous non-conformances, weaknesses and observations.
      • Offline data analysis, if required.
  • Conducting Audit
      • Interacting with the auditee.
      • Gathering evidence based on the scope of the audit.
      • Using the defined checklists and processes.
  • NC Communication
      • Agreeing the non-conformances, weaknesses and observations (if any) with the auditee.
      • If there is no agreement, holding internal meetings with the relevant stakeholders to arrive at a decision.
  • Audit Reporting
      • Publishing the agreed NCs, weaknesses and observations.
      • Publishing the expected date of closure and the person responsible for closure.
  • Risk Tracker
      • Updating the risk tracker with any potential risks arising from the audit findings.
  • Continual Improvement
      • Tracking the NCs, weaknesses and observations to closure.
      • Root cause analysis for the audit findings.
      • Identifying any training or improvement plans based on the audit findings.

Audit Preparation for external certification: 

(Timeline 6 months):
  • Assigning Single Points of Contact (SPOCs): 
    • Identify SPOCs for each project to ensure clear lines of communication and ownership.

  • Resource Risk Assessment:
    • Evaluate the risk of key personnel leaving the organization before the audit.
    • Succession Planning:
      • Identify backup resources to mitigate the risk of SPOC departure.

  • Tailored Project Training: 
    • Provide targeted training to team members based on their specific project roles and responsibilities.

  • Audit Gap Analysis and Readiness Review:
    • Conduct Gap Analysis: 
      • Identify any discrepancies between current practices and the external certification standards.

    • Develop RAG Status Report: 
      • Clearly communicate the findings of the gap analysis using a Red-Amber-Green (RAG) status system to indicate the severity of each gap.

    • Track Remediation Progress: 
      • Monitor the progress of closing identified gaps until all issues are resolved.
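The gap-analysis RAG status above, worked through as an added example (not part of the original notes): each gap carries an estimated closure date and, once remediated, an actual closure date; a project's readiness is the worst status across its gaps. The project names, gap descriptions and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Gap:
    """One finding from the readiness review (constructed sample type)."""
    project: str
    description: str
    estimated_closure: date
    actual_closure: Optional[date] = None  # None while the gap is still open

def gap_status(gap: Gap, today: date) -> str:
    """Green = closed, Amber = open but not yet due, Red = open and overdue."""
    if gap.actual_closure is not None:
        return "Green"
    if today > gap.estimated_closure:
        return "Red"
    return "Amber"

_SEVERITY = {"Green": 0, "Amber": 1, "Red": 2}

def project_rag(gaps: list, today: date) -> str:
    """A project is only as ready as its worst open gap; no gaps means Green."""
    worst = "Green"
    for gap in gaps:
        status = gap_status(gap, today)
        if _SEVERITY[status] > _SEVERITY[worst]:
            worst = status
    return worst

def rag_report(gaps: list, today: date) -> dict:
    """Project name -> RAG status, the table a weekly readiness report is built from."""
    by_project: dict = {}
    for gap in gaps:
        by_project.setdefault(gap.project, []).append(gap)
    return {name: project_rag(items, today) for name, items in sorted(by_project.items())}

def overdue_gaps(gaps: list, today: date) -> list:
    """Open gaps past their estimated closure date: the remediation items to chase."""
    return [g for g in gaps if gap_status(g, today) == "Red"]

# Constructed sample data, not taken from any real audit.
TODAY = date(2024, 3, 1)
SAMPLE_GAPS = [
    Gap("Portal", "Access review evidence missing", date(2024, 2, 10), date(2024, 2, 20)),
    Gap("Payroll", "Backup restore test not documented", date(2024, 3, 15)),
    Gap("Billing", "Change records lack approval", date(2024, 2, 15), date(2024, 2, 14)),
    Gap("Billing", "Risk register not updated", date(2024, 2, 25)),
]

if __name__ == "__main__":
    for project, status in rag_report(SAMPLE_GAPS, TODAY).items():
        print(f"{project:8} {status}")
    for gap in overdue_gaps(SAMPLE_GAPS, TODAY):
        print(f"OVERDUE {gap.project}: {gap.description} (due {gap.estimated_closure})")
```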


Risk, Threat and Vulnerability

  • Vulnerability is a weakness or flaw in a system, application, or network.
  • Threat is anything that could potentially exploit a vulnerability and cause harm.
  • Risk -the possibility of something negative happening. It's the chance of harm, loss, or damage occurring.

Managing Org Risk: 
Risk = Threats * Vulnerabilities 

Zero-Day Attack

  • Vulnerability found in the wild -> both the public and the vendor are unaware.
  • After some time the vendor becomes aware -> only the public is unaware.
  • Vendor releases patches -> the public is aware.



Breaking down technical security concepts for non-technical users

  • Use Analogies: 
    • Compare technical security concepts to everyday situations. 
    • For example, you could compare encryption to a locked safe where only the intended recipient has the key.
  • Visual Aids: Use diagrams, charts, and other visual aids to illustrate concepts.

Describe a time when you had to explain a complex issue to someone who was not a specialist in the field

The role of quality assurance involves clarifying the ambiguity present in the process steps. The level of explanation of the same concepts varies depending on the hierarchy level, including project team members, project team leads, project managers, and business heads.

It is important to explain the quality process to project team members who may not be familiar with it, as the data collected from them will be used for further decision analysis. Breaking down requirements to a basic level of understanding is a crucial step. Understanding the knowledge and experiences of the audience is essential for effective communication.

The project team members understand coding well, but the defects they introduce lead to more rework and consume time. The number of defects injected by developers per 1000 lines of code determines the code defect density. It is necessary to ask team members how these defects and rework can be reduced. Their recommendations can be listed and implemented to see results in the coming months.

This translates to defect reduction and reduced rework for managers, resulting in cost savings for the business head due to faster delivery and higher customer satisfaction. A bug-free product delivered on time contributes to overall customer satisfaction.



Describe your experience preparing and delivering a professional presentation or training to a group.

In my experience, I have prepared and delivered professional presentations and training sessions covering topics such as Quality Management, Risk Management, Compliance Requirements, and External Assessments. These training sessions are tailored to suit the specific needs and expertise levels of different groups, including fresh graduates, team members, project managers, and business heads.

During these sessions, I carefully select examples that resonate with each group, aiming to enhance understanding and foster engagement through interactive discussions rather than mere explanations. The topics covered typically include the fundamentals of Quality Management, Compliance Requirements, Risk Management, Internal Audits, and External ISO Audits. 

Can you tell us about a time when you had to read and interpret legal documents and regulatory guidance and apply it to operational processes and policies?

I've been tasked with interpreting legal contracts outlined in the Statement of Work agreements between customers and service providers. This involves understanding Service Level Agreements, penalties, deliverables, timelines, and quality checkpoints. I collect and interpret these legal terms according to the relevant laws mentioned in the Statement of Work. My background includes a Master's in Business Law, which aids in deciphering these terms accurately.

Additionally, in my role at HM Land Registry, I ensure that potential procurement suppliers adhere to GDPR requirements. I meticulously verify these requirements against GDPR standards to maintain compliance.

Describe a situation where you had to proactively plan and organize your time and resources to meet a deadline or target

In preparation for external audits, I initiate planning approximately six months before the scheduled commencement date. Initially, a tentative audit date is circulated via email, along with the identification of selected projects. Following this, readiness reviews are conducted with each project to assess their preparedness and identify any gaps or non-conformances. These non-conformances are documented and tracked, with estimated closure dates set and actual closure dates recorded.
To provide visibility into progress, a Red-Amber-Green (RAG) status report is published weekly. This report indicates the readiness of projects for audits, allowing stakeholders to stay informed and make necessary adjustments. Additionally, any identified risks are logged in a risk register, and corresponding risk treatment plans are implemented to mitigate potential issues. This proactive approach ensures that deadlines and targets are met effectively and efficiently.

Explain your understanding of good governance and its importance

Effective governance refers to the combination of rules, processes, and policies employed to achieve business objectives. It involves foreseeing and managing risks to prevent negative outcomes, thereby mitigating the possibility of harm, loss, or damage. Compliance entails meeting internal or external requirements, such as national regulatory laws like GDPR or PCI DSS, as well as board mandates.

Quality is determined by meeting the expectations and requirements of customers and end-users, ensuring fitness for purpose, value for money, and meeting expectations. In essence, quality governance and compliance involve the successful implementation of frameworks that prevent problems before they occur, requiring collaboration from the board of directors, management, and all employees. Good governance is essential for ensuring transparency, accountability, and ethical conduct within an organization, thereby fostering trust among stakeholders and promoting sustainable growth.

Tell us about your knowledge and experience with risk management and how you have applied it in your work

In my professional experience, I have developed a strong understanding of risk management and its application in various contexts. Risk management involves foreseeing potential negative outcomes and taking proactive measures to mitigate these risks. It encompasses identifying, assessing, prioritizing, and managing risks to minimize their impact on organizational objectives.
In my work, I have consistently applied risk management principles to safeguard against potential threats and uncertainties. This includes identifying potential risks related to projects, processes, or operations, and developing strategies to address them effectively. I foresee potential challenges and implement risk treatment plans: Avoidance, Transfer, Mitigation, Acceptance. This follows the Risk Management Cycle:
appraising risks (risk identification, infosec risk assessment), addressing identified risks (infosec risk treatment), and keeping those risks under constant observation (risk tracking).

Tell us about your educational background and how it has prepared you for your career

My educational background has been instrumental in shaping my career path and equipping me with the necessary knowledge and skills to excel in my field. I hold a Master's degree in IT Security from Nottingham Trent University, where I acquired a deep understanding of cybersecurity principles, risk management methodologies, and compliance frameworks. This program provided me with a solid foundation in information security, governance, risk, and compliance (GRC), which are essential aspects of my professional endeavors.

Additionally, I pursued a Master of Business Laws (MBL) degree from the National Law School of India University, which enhanced my understanding of legal frameworks, regulatory requirements, and contract management. This legal education has been particularly valuable in interpreting legal documents, understanding regulatory guidance, and applying them to operational processes and policies in my professional roles.

Furthermore, my Bachelor's degree in Electronics and Communication Engineering from Anna University, Chennai, laid the groundwork for my analytical and problem-solving abilities. It provided me with a strong technical foundation and honed my critical thinking skills, which are indispensable in navigating complex technical challenges and devising innovative solutions.

Overall, my educational journey has equipped me with a diverse skill set encompassing technical expertise, legal acumen, and analytical prowess, all of which have been instrumental in my career progression and success.
Relevant experience, skills or knowledge to support your application



What is Quality

  • The requirements needed by the customer or end user.
  • Preventing problems before they occur.

When defects are found internally and not passed on to the customer or end user, the quality of the product or service meets the requirements of the customer.

  • E.g. when defects are passed on to the end user: Boeing flights crashed due to a design flaw in an automatic control system that was not communicated properly in the manual or in pilot training.
    • The Boeing 737 MAX crashes are a stark example of how design flaws and inadequate communication can lead to disastrous consequences. Sources for more information:
    • Official Reports:
      • National Transportation Safety Board (NTSB): The NTSB investigated both the Lion Air Flight 610 and Ethiopian Airlines Flight 302 crashes and published detailed final reports. These reports provide comprehensive analyses of the accident sequences, including the role of MCAS and the lack of pilot training on its functionality.
      • Ethiopian Accident Investigation Bureau (AAIB): The AAIB also investigated the Ethiopian Airlines crash and published its own final report. While broadly agreeing with the NTSB findings, it placed additional emphasis on the role of Boeing's communication and training practices.
    • The Seattle Times: This article provides a comprehensive overview of the crashes and their aftermath, including the role of MCAS, pilot training, and Boeing's response.

  • E.g. the UK Post Office software bugs, which led to the prosecution of approximately 800 innocent postmasters.
    • BBC Panorama investigation: In 2019, BBC Panorama broadcast a documentary titled "The Great Post Office Scandal," which explored the problems with the Horizon system and their impact on postmasters. You can watch the documentary or read transcripts online.
    • Independent Inquiry: In 2021, the UK government announced an independent inquiry into the Horizon scandal. The inquiry is ongoing, and you can find updates on its website.


Quality Policy: 

A quality policy is like a high-level mission statement and sets the overall direction.

Example : We will meet customer requirements on time and defect free.

Definition: In a corporate context, a policy is a high-level statement that outlines the organization's goals, values, and expectations.

  • Example (IT context):
    • Policy: "All employees must use strong passwords and avoid sharing them with anyone."
    • Standard: "Passwords must be at least 8 characters long and include a combination of uppercase and lowercase letters, numbers, and symbols."
    • Procedure: "To change your password, log in to the company portal, go to 'Account Settings,' click 'Change Password,' and follow the on-screen instructions."
    • Guidelines: "Consider using a password manager to generate and store strong passwords securely. Change your password regularly, especially after suspicious activity."
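The policy/standard/procedure/guideline split above, as an added example (not from the original notes): the policy is a statement, the standard is what can actually be checked, the procedure is where the check is applied (at password change), and the guideline about generating strong passwords is shown as a generator whose output satisfies the same standard. The requirement names and sample passwords are constructed.

```python
import re
import secrets
import string

# The Standard line above, expressed as testable requirements.
# The Policy ("use strong passwords") cannot be checked directly;
# the Standard is what turns it into a measurable control.
MIN_LENGTH = 8
REQUIREMENTS = [
    ("at least 8 characters", lambda pw: len(pw) >= MIN_LENGTH),
    ("an uppercase letter",   lambda pw: re.search(r"[A-Z]", pw) is not None),
    ("a lowercase letter",    lambda pw: re.search(r"[a-z]", pw) is not None),
    ("a number",              lambda pw: re.search(r"[0-9]", pw) is not None),
    ("a symbol",              lambda pw: re.search(r"[^A-Za-z0-9]", pw) is not None),
]

def failed_requirements(password: str) -> list:
    """Names of the standard's requirements that the password does NOT meet.
    An empty list means the password is compliant."""
    return [name for name, ok in REQUIREMENTS if not ok(password)]

def meets_standard(password: str) -> bool:
    return not failed_requirements(password)

def change_password(new_password: str) -> str:
    """The Procedure step: accept or reject a new password against the Standard.
    Returns a user-facing message rather than just a boolean so the reason is actionable."""
    missing = failed_requirements(new_password)
    if missing:
        return "Rejected: password needs " + ", ".join(missing)
    return "Accepted"

def generate_compliant_password(length: int = 16) -> str:
    """The Guideline: generate a password (as a password manager would) that is
    guaranteed to satisfy every requirement of the Standard. Uses the `secrets`
    module so the result is suitable for real use, not just demonstration."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation]
    # One character from each class guarantees coverage; the rest are drawn from all classes.
    chars = [secrets.choice(cls) for cls in classes]
    everything = "".join(classes)
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # avoid a predictable class order
    return "".join(chars)

if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["Passw0rd", "short1!", "Correct-Horse-9"]:
        print(f"{candidate!r}: {change_password(candidate)}")
    generated = generate_compliant_password()
    print("generated password meets standard:", meets_standard(generated))
```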

Quality Objective

These are the measurable, actionable steps that translate the quality policy into reality.

  • On-time delivery
    • Achieve a 99.5% on-time delivery rate for all orders by Q3.
  • Customer satisfaction
    • Reduce customer complaints by 20% within the next 6 months.


Quality Management System

A QMS contains the following:

  • Quality Manual
  • Processes, templates, checklists, procedures, process flowcharts.
  • PDCA (Plan, Do, Check, Act) mapped to Entry, Task, Verify, Exit.
  • Project life cycle: Contract, Project start-up, Project planning, Project monitoring and control, Project closure, Project retrospection.
  • Life cycle models: Development, Testing, Maintenance, Production support, Staff augmentation, Agile.
  • Common processes for the entire organisation and specific processes for each department/business.
  • Stakeholders: Human Resources, Administration, Lab.

Questions to prepare for:

  • What motivated you to apply for this role?
  • What will you bring to this role?
  • Any questions?

  • Framework: logical structure - like
  • Standards: method of implementation and meeting the requirements.
  • Policy:
  • Procedure:
  • Guidance/Guidelines:


About The Company

  • Gas: Our Values
    • Enter an environment where you'll give and take Ownership, to make Progress with Simplicity.
  • Gas comprises two businesses:
    • Gas Transmission
    • Gas Metering
  • Company's history
    • Gas and Metering business (now Gas Transmission).
  • Key Projects
    • FutureGrid is an ambitious programme which seeks to build a hydrogen test facility in Northern England.
