S.T.A.R.Interview

S.T.A.R [Situation - Task - Action - Result]

DISCLAIMER

  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaims any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserves the right to update or change the information contained in this document at any time without prior notice.
  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

************************************************************************************************

S.T.A.R [Situation - Task - Action - Result]

Situation

Describe a specific event or a situation that you were in. The who, what, where, when etc. 

Task

Explain the task you had to complete, highlighting any specific challenges or constraints. 

Action

Describe the specific actions you took to complete the task, highlighting desirable traits the interviewer is after

Result

Close with the result of your efforts, including figures to quantify the result if possible.

************************************************************************************************
Dashboard


https://www.gouti1454.com/p/dashboard.html

Rationale for Dashboard

  • Region-wise data
    • Showcases the overall SLA or RAG [Red, Amber, Green] status under two categories, to give a better holistic picture.
    • Status: Done; next status: Failed, Outstanding, Cancelled and Suppressed.
    • Breaking the status down into Critical, Important and Non-critical throws light on severity.
  • Resource-wise data
    • Understanding the cost involved per resource type.
    • Getting information on Mean Time To Repair (MTTR) per resource involved and the number of tickets by status per resource group.
  • Statutory-wise data
    • The data sets are previewed through the statutory buckets, along with the calendar timeline and asset types involved.
  • P-Index-wise status
    • The various categories of P-Index are listed by status, then by quarter and finally by importance, to understand the severity.
************************************************************************************************

What is: Governance / Risk / Compliance

  • Governance
    • The combination of rules, processes and policies used to achieve business goals.
  • Risk
    • Foreseeing negative outcomes and managing them using risk treatment.
    • The possibility of something negative happening: the chance of harm, loss, or damage occurring.
  • Compliance
    • Meeting the requirements set by internal or external sources, such as national regulatory laws (GDPR, PCI DSS) and board requirements.
  • Quality:
    • The requirements accepted by the customer or end user:
      • Fitness for purpose
      • Value for money
      • Meeting expectations

Quality/ Governance/ Compliance

The successful implementation of Quality, Governance, and Compliance (QGC) frameworks requires a collaborative effort driven by the board of directors, but also actively supported and executed by management and all employees.
    ***********************************************************************************************

    Say About yourself

        I recently finished my Master's degree in Cybersecurity from NTU, and I did a placement year at HM Land Registry. With 16 years of experience in quality and security assurance, I also completed a Master's in Business Law focusing on contract and corporate law. 
        My background includes a Bachelor's degree in Electronics and Communication Engineering. I've dedicated a lot of time to learning through my home lab setup and practice. You can find details about the projects I've worked on in my blog.



    What Do you Bring to this role? 

    or Why would we regret not hiring you?

    • Strong Experience and Expertise:
      • I bring over 16 years of experience in software quality and security assurance to the table, encompassing areas like risk management, project facilitation, auditing, and process improvement. My certifications and academic background solidify my expertise in various quality standards and frameworks.
    • Leadership and Communication Skills:  
      • I have developed my leadership and communication skills through leading and managing teams, developing and implementing processes, and facilitating training programs. This experience demonstrates my ability to connect effectively with individuals and groups.
    • Data-driven Approach:
      • I utilise data-driven methods to achieve results. My past projects involved using statistical analysis to improve goals and building regression and logistic models. This reflects my analytical approach to problem-solving.
    • Passion for Knowledge Sharing:
      • Sharing knowledge and empowering others is a passion of mine. This is evident in my blogging and internal training experience, where I've enjoyed fostering a culture of continuous learning and development.
    • Adaptability and Diverse Skill Sets:
      • My adaptability and ability to learn new skills quickly are demonstrated by my experience across diverse industries and roles, including my time as a receptionist at Travelodge. This broad range of experience allows me to bring a unique perspective and skillset to any challenge.
    ************************************************************************************************

    Audit Life Cycle:

    • Audit Planning:
      • Audit Charter
        • Objective
        • Expected outcomes
      • Audit Plan
        • The scope of the audit
        • The periodicity of the audit
      • Audit Selection
      • Audit Scheduling
    • Audit Execution:
      • Performing the audit
    • Audit Closure:
      • Reporting
    • Continual Improvement:
      • Tracking non-conformances
    An audit gives reasonable assurance, never 100%: it finds evidence to show effectiveness and to provide assurance.
    ********************

    Audit planning:-

    • Scope selection:
      • Risk-based approach:
        • The audit scope is based on identified risk areas.

      • Project Phase Alignment:
        • The audit scope aligns with the current project phase (e.g., initiation, execution, closure).

      • Addressing Past NCs:
        • The scope is based on previous non-conformances and weaknesses.

      • Meeting External Certification Requirements:
        • The audit scope ensures compliance with external certification standards.

    • Audit Plan communication and review 
      • Clear Communication: 
        • The finalized audit plan is effectively communicated to all stakeholders for review.

      • Approval Process: 
        • The audit plan undergoes a formal approval process.

      • Scheduling and Confirmation: 
        • Audit dates and auditee availability are reviewed and confirmed.

      • Finalized Schedule Published: 
        • The final audit schedule is published to all relevant parties.

    Conducting the Audit:-

    • Pre-Audit Preparation
        • Status of previous non-conformances, weaknesses and observations.
        • Offline data analysis, if required.
    • Conducting the Audit
        • Interacting with the auditee.
        • Gathering evidence based on the scope of the audit.
        • Using the defined checklist and processes.
    • NC Communication
        • Agreeing the non-conformances, weaknesses and observations, if any, with the auditee.
        • In case of disagreement, holding internal meetings with the relevant stakeholders to arrive at a decision.
    • Audit Reporting
        • Publishing the agreed NCs, weaknesses and observations.
        • Publishing the expected date of closure and the person responsible for closure.
    • Risk Tracker
        • Updating the risk tracker for any potential risks based on the audit findings.
    • Continual Improvement
        • Tracking the NCs, weaknesses and observations to closure.
        • Root cause analysis of the audit findings.
        • Identifying any training or improvement plans based on the audit findings.
    ***************

    Audit Preparation for external certification: 

    (Timeline 6 months):
    • Assigning Single Points of Contact (SPOCs):
      • Identify SPOCs for each project to ensure clear lines of communication and ownership.

    • Resource Risk Assessment:
      • Evaluate the risk of key personnel leaving the organization before the audit.
      • Succession Planning:
        • Identify backup resources to mitigate the risk of SPOC departure.

    • Tailored Project Training: 
      • Provide targeted training to team members based on their specific project roles and responsibilities.

    • Audit Gap Analysis and Readiness Review:
      • Conduct Gap Analysis: 
        • Identify any discrepancies between current practices and the external certification standards.

      • Develop RAG Status Report: 
        • Clearly communicate the findings of the gap analysis using a Red-Amber-Green (RAG) status system to indicate the severity of each gap.

      • Track Remediation Progress: 
        • Monitor the progress of closing identified gaps until all issues are resolved.

    ************************************************************************************************

    Risk, Threat and Vulnerability

    • Vulnerability: a weakness or flaw in a system, application, or network.
    • Threat: anything that could potentially exploit a vulnerability and cause harm.
    • Risk: the possibility of something negative happening; the chance of harm, loss, or damage occurring.

    Managing Org Risk:
    Risk = Threats * Vulnerabilities

    Zero-Day Attack (who is unaware of the vulnerability at each stage):
    • Vulnerability found in the wild -> Unaware = Public + Vendor
    • After a period, the vendor becomes aware -> Unaware = Public
    • Vendor releases patches -> Aware = Public

    https://www.gouti1454.com/p/risk-manage.html

    **************************************************************************************

    Sample Questions:

    Tell us about your knowledge and experience with risk management and how you have applied it in your work


    In my professional experience, I have developed a strong understanding of risk management and its application in various contexts. Risk management involves foreseeing potential negative outcomes and taking proactive measures to mitigate these risks. It encompasses identifying, assessing, prioritizing, and managing risks to minimize their impact on organizational objectives.
    In my work, I have consistently applied risk management principles to safeguard against potential threats and uncertainties. This includes identifying potential risks related to projects, processes, or operations, and developing strategies to address them effectively, by foreseeing potential challenges and implementing risk treatment plans: Avoidance, Transfer, Mitigation, Acceptance. This follows the Risk Management Cycle:
    appraising risks (Risk Identification / Infosec Risk Assessment), addressing identified risks (Infosec Risk Treatment), and keeping those risks under constant observation (Risk Tracking).

    **************************************************************************************

    Break down Complex Issues: 

    Breaking down technical security concepts for non-technical users

    • Use Analogies: 
      • Compare technical security concepts to everyday situations. 
      • For example, you could compare encryption to a locked safe where only the intended recipient has the key.
    • Visual Aids: Use diagrams, charts, and other visual aids to illustrate concepts.

    Describe a time when you had to explain a complex issue to someone who was not a specialist in the field

    The role of quality assurance involves clarifying the ambiguity present in the process steps. The depth of explanation of the same concepts varies by hierarchy level: project team members, project team leads, project managers, and business heads.

    It is important to explain the quality process to project team members who may not be familiar with it, as the data collected from them will be used for further decision analysis. Breaking down requirements to a basic level of understanding is a crucial step. Understanding the knowledge and experiences of the audience is essential for effective communication.

    The project team members understand coding well, but the defects they introduce lead to more rework and consume time. The number of defects injected by developers per 1000 lines of code determines the code defect density. It is necessary to ask team members how these defects and rework can be reduced. Their recommendations can be listed and implemented to see results in the coming months.

    This translates to defect reduction and reduced rework for managers, resulting in cost savings for the business head due to faster delivery and higher customer satisfaction. A bug-free product delivered on time contributes to overall customer satisfaction.


    **************************************************************************************

    Training

    Describe your experience preparing and delivering a professional presentation or training to a group.


    In my experience, I have prepared and delivered professional presentations and training sessions covering topics such as Quality Management, Risk Management, Compliance Requirements, and External Assessments. These training sessions are tailored to suit the specific needs and expertise levels of different groups, including fresh graduates, team members, project managers, and business heads.

    During these sessions, I carefully select examples that resonate with each group, aiming to enhance understanding and foster engagement through interactive discussions rather than mere explanations. The topics covered typically include the fundamentals of Quality Management, Compliance Requirements, Risk Management, Internal Audits, and External ISO Audits. 


    **************************************************************************************

    Legal Documents into Process and policies

    Can you tell us about a time when you had to read and interpret legal documents and regulatory guidance and apply it to operational processes and policies.

    I've been tasked with interpreting legal contracts outlined in the Statement of Work agreements between customers and service providers. This involves understanding Service Level Agreements, penalties, deliverables, timelines, and quality checkpoints. I collect and interpret these legal terms according to the relevant laws mentioned in the Statement of Work. My background includes a Master's in Business Law, which aids in deciphering these terms accurately.

    Additionally, in my role at HM Land Registry, I ensure that potential procurement suppliers adhere to GDPR requirements. I meticulously verify these requirements against GDPR standards to maintain compliance.
    **************************************************************************************

    Timeline / Deadline is met: 

    Describe a situation where you had to proactively plan and organize your time and resources to meet a deadline or target?

    Can you describe a time when you had to manage multiple priorities in a pressured working environment?

    As a Deputy Quality Manager, meticulous planning of activities was essential. My responsibilities included publishing monthly health indicators (such as PCI score, PCSAT score, timely data submissions for productivity, billing time, attrition rates, defects, and risks), conducting monthly compliance audits, facilitating projects, delivering project training, reviewing documents, attending project meetings, and handling ad-hoc requests.

    To manage these tasks efficiently, I developed a comprehensive tracker that listed recurring activities along with their deadlines. I also included ad-hoc activities in this tracker, adhering to the Plan-Do-Check-Act (PDCA) cycle.

    The data needed to be collected by the 10th of each month, with additional data submissions required every three months. The data review process had to be completed by the 15th of the month, and the final business leaders' review was scheduled for the 20th. I designed the tracker using formulas to automatically calculate the respective deadlines for each project and each type of required data.

    I sent reminder emails at the beginning of the month and published a weekly RAG (Red, Amber, Green) status report, highlighting projects that had submitted their data, those pending clarification, and those that had not yet submitted. After the second reminder, I escalated non-submissions to senior management for their attention.

    Throughout this process, I maintained constant communication with project managers, ensuring they were aware that the data status was being tracked and would be reported as incomplete until all required information was provided. This transparency helped prevent misunderstandings.

    When deviations from organizational targets occurred, I gathered root cause analyses and uploaded the findings to the IPM tool for review by business leaders. During business review meetings, where senior project managers presented their analyses, I was responsible for reporting on any governance and compliance-related issues.

    By communicating the status of data collection clearly and promptly, and by keeping senior management informed of any delays or missing data, I helped ensure that data was received on time. This system of collaboration and communication established a robust process that consistently met monthly deadlines.

    ************************************

    How have you demonstrated your skills in data analysis and reporting in a previous role?

    ************************************

    How do you manage conflicts in the role ?

    While I was working at HCL Tech as Deputy Quality Manager, I managed the conflicts arising from the implementation of quality standards.

    My responsibility is to ensure compliance with ISO 9001:2015, TL9001, As9100 and CMMI, along with various data collection from the respective teams to publish monthly Health Index and dashboard. 

    For example, when any new projects are created in the system, my task is to take monthly data and apply the minimum criteria for the projects to get into the Project compliance index. Once the project comes into the Project compliance index, it will be subjected to monthly health indicators. 

    My task is to reach out to the respective project managers about the new project and collect the details of the project start date, end date & resources count and inform them that this project will come into Project compliance index. 

    Project managers who are aware of this process will initiate the call and the due compliance of the process steps will be followed. 

    A few project managers who are not aware of the process will ask for an exception to be removed from these process steps.

    I will initiate a meeting with the project manager and explain the process steps involved and the various steps to be taken. I will offer any training required for the project manager and the teams to understand the process, and assure them of any further assistance required. The meeting minutes are captured, and any action items are captured and tracked to closure.

    If the project manager still wants an exception, I will collect his concerns and the rationale for it.

    As the next step, after collecting the concerns, I will initiate the next round of discussion with the project manager, the senior manager and the business head, explaining the mandate from the organization to implement process compliance steps for this project, which meets the minimum criteria required.

    I assure them that all the required training and facilitation will be provided from my side. If any bandwidth issues arise, I suggest where the PM's presence is required, which tasks can be shared with the team leads, and which types of data collection can be delegated to team members. If the proposed solution is accepted by the stakeholders, it will be documented and records will be created.

    If the stakeholders request a waiver, I will follow the escalation mechanism by initiating meetings with my line of senior managers and the project team stakeholders.

    Whatever the outcome, it will finally be accepted by both sides, documented and published across the department.



    ********************************************************

    How would you ensure the Trust's compliance with data protection legislation?

    How would you approach the task of maintaining and updating the Trust's Information Asset Register?

    How would you go about planning and conducting the annual desktop cyber security exercises?

    How would you approach the task of reviewing vulnerability reports and raising areas of risk with the MPFT Digital Service Development Team?

    **************************************************************************************

    Explain your understanding of good governance and its importance


    Effective governance refers to the combination of rules, processes, and policies employed to achieve business objectives. It involves foreseeing and managing risks to prevent negative outcomes, thereby mitigating the possibility of harm, loss, or damage. Compliance entails meeting internal or external requirements, such as national regulatory laws like GDPR or PCI DSS, as well as board mandates.

    Quality is determined by meeting the expectations and requirements of customers and end-users, ensuring fitness for purpose, value for money, and meeting expectations. In essence, quality governance and compliance involve the successful implementation of frameworks that prevent problems before they occur, requiring collaboration from the board of directors, management, and all employees. Good governance is essential for ensuring transparency, accountability, and ethical conduct within an organization, thereby fostering trust among stakeholders and promoting sustainable growth.
    **************************************************************************************
     
    Tell us about your educational background and how it has prepared you for your career

    My educational background has been instrumental in shaping my career path and equipping me with the necessary knowledge and skills to excel in my field. I hold a Master's degree in IT Security from Nottingham Trent University, where I acquired a deep understanding of cybersecurity principles, risk management methodologies, and compliance frameworks. This program provided me with a solid foundation in information security, governance, risk, and compliance (GRC), which are essential aspects of my professional endeavor.

    Additionally, I pursued a Master of Business Laws (MBL) degree from the National Law School of India University, which enhanced my understanding of legal frameworks, regulatory requirements, and contract management. This legal education has been particularly valuable in interpreting legal documents, understanding regulatory guidance, and applying them to operational processes and policies in my professional roles.

    Furthermore, my Bachelor's degree in Electronics and Communication Engineering from Anna University, Chennai, laid the groundwork for my analytical and problem-solving abilities. It provided me with a strong technical foundation and honed my critical thinking skills, which are indispensable in navigating complex technical challenges and devising innovative solutions.

    Overall, my educational journey has equipped me with a diverse skill set encompassing technical expertise, legal acumen, and analytical prowess, all of which have been instrumental in my career progression and success.
    **************************************************************************************

    Quality: 

    what is Quality

    • The requirements needed by the customer or end user.
    • Preventing problems before they occur.

    When defects are found internally and not passed on to the customer or end user, the quality of the product or service meets the requirements of the customer.

    • E.g. when defects are passed on to the end user: Boeing 737 MAX flights crashed due to a design flaw in an automatic control system (MCAS) that was not communicated properly in the manual or in pilot training.
      • The Boeing 737 MAX crashes are a stark example of how design flaws and inadequate communication can lead to disastrous consequences. Sources for more information:
      • Official reports:
        • National Transportation Safety Board (NTSB): investigated both the Lion Air Flight 610 and Ethiopian Airlines Flight 302 crashes and published detailed final reports, with comprehensive analyses of the accident sequences, including the role of MCAS and the lack of pilot training on its functionality.
        • Ethiopian Accident Investigation Bureau (AAIB): also investigated the Ethiopian Airlines crash and published its own final report. While broadly agreeing with the NTSB findings, it placed additional emphasis on Boeing's communication and training practices.
        • The Seattle Times: provides a comprehensive overview of the crashes and their aftermath, including the role of MCAS, pilot training, and Boeing's response.

    • E.g. UK Post Office software bugs (the Horizon system), which led to the prosecution of approximately 800 innocent postmasters.
      • BBC Panorama investigation: in 2019, BBC Panorama broadcast a documentary titled "The Great Post Office Scandal", which explored the problems with the Horizon system and their impact on postmasters. The documentary and transcripts are available online.
      • Independent Inquiry: in 2021, the UK government announced an independent inquiry into the Horizon scandal. The inquiry is ongoing, and updates are published on its website.


    ************************************************************************************************

    Quality Policy: 

    A quality policy is like a high-level mission statement and sets the overall direction.

    Example: We will meet customer requirements on time and defect-free.

    Definition: In a corporate context, a policy is a high-level statement that outlines the organization's goals, values, and expectations.

    • Example (IT context):
      • Policy: "All employees must use strong passwords and avoid sharing them with anyone."
      • Standard: "Passwords must be at least 8 characters long and include a combination of uppercase and lowercase letters, numbers, and symbols."
      • Procedure: "To change your password, log in to the company portal, go to 'Account Settings,' click 'Change Password,' and follow the on-screen instructions."
      • Guidelines: "Consider using a password manager to generate and store strong passwords securely. Change your password regularly, especially after suspicious activity."
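    Of the four layers in the example above, only the standard is concrete enough to be checked by a tool; the policy states intent, the procedure tells the user what to click, and the guidelines are advice. The following Python checker is an added example (not code from the page or its author) that turns the page's example standard into an enforceable rule set. The thresholds (8 characters, upper and lower case, a digit, a symbol) are taken from the standard as written; the function and rule names, and the constructed sample passwords, are assumptions made for this example.

```python
import string

# Thresholds mirror the page's example standard; the names below are
# assumptions for this example, not a real library's API.
DEFAULT_MIN_LENGTH = 8
SYMBOLS = frozenset(string.punctuation)


def password_violations(password, min_length=DEFAULT_MIN_LENGTH):
    """Return the list of standard rules the candidate password fails.

    An empty list means the password meets the standard. Every failed
    rule is reported, not just the first, so the procedure can tell the
    user everything to fix in one attempt. The candidate password itself
    is never stored or logged by this function.
    """
    rules = [
        ("at least %d characters" % min_length, len(password) >= min_length),
        ("an uppercase letter", any(c.isupper() for c in password)),
        ("a lowercase letter", any(c.islower() for c in password)),
        ("a digit", any(c.isdigit() for c in password)),
        ("a symbol", any(c in SYMBOLS for c in password)),
    ]
    return [name for name, ok in rules if not ok]


def is_compliant(password, min_length=DEFAULT_MIN_LENGTH):
    """True when the candidate password satisfies every rule of the standard."""
    return not password_violations(password, min_length)


def explain(password, min_length=DEFAULT_MIN_LENGTH):
    """Human-readable result for the procedure's on-screen feedback."""
    missing = password_violations(password, min_length)
    if not missing:
        return "Password meets the standard."
    return "Password must contain: " + ", ".join(missing) + "."


if __name__ == "__main__":
    # Constructed sample candidates; none is a real credential.
    for candidate in ("password", "Ab1!", "Tr0ub4dor&3"):
        print(repr(candidate), "->", explain(candidate))
```

    The rules are kept in an ordered list so the feedback is deterministic, and the minimum length is a parameter so that a stricter standard can be enforced without changing the checker.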
    ************************************************************************************************

    Quality Objective

    These are the measurable, actionable steps that translate the quality policy into reality.

    • On-time delivery.
    • Reduce customer complaints by 20% within the next 6 months.
    • Customer satisfaction.
    • Achieve a 99.5% on-time delivery rate for all orders by Q3.

          ************************************************************************************************

          Quality Management System 

          The QMS contains the following:

          • Quality Manual
          • Processes, templates, checklists, procedures, process flowcharts.
          • PDCA- Plan, Do, Check, Act - Entry, task, verify, Exit
          • Project Life cycles : Contract, Proj startup, Proj Planning, Proj monitor & control, Proj Closure, Proj retrospection. 
          • Life cycle models: Development, Testing, Maintenance, Production support, Staff augmentation, Agile
          • Common process for entire org and specific process for each department/ business.  
          • Stakeholders: Human resources, Administration, LAB
          ************************************************************************************************

          Questions
          • What Motivated to apply for this role?
          • What will you bring to this role?
          • Any questions?

          • Framework : Logical structure - like
          • Standards: the method of implementation and of meeting the requirements.
          • Policy:
          • Procedure:
          • Guidance/ Guidelines:

          ************************************************************************************************

          About The Company
          • Gas : Our Values
            • Enter an environment where you’ll give and
            • take Ownership,
            • to make Progress
            • with Simplicity
          • Gas comprises two businesses,
          • Gas Transmission and
          • Gas Metering.
          • Company's history
            • Gas and Metering business (now  Gas Transmission).
          • Key Projects
            • Future grid is an ambitious programme which seeks to build a hydrogen test facility in Northern England.
          ************************************************************************************************



