To start with, we'd like to know if you have a qualified third party performing regular penetration tests.

Please specify the date when the test was last performed.

Alright, so you have a formal information security program?

Now, do you have a set process to review user access?

Alright, so how do you dispose expired media?