Securing your Board of Directors' communication portal

26.03.2012

1) My question: Do you log when an admin account gets created, and do you alert on it?

Their answer: We do not have an Active Directory system, we just have five Admin accounts created on each workstation and server.

My thoughts: They have no Active Directory--nor any Identity and Access Management system whatsoever!
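
What logging and alerting on admin account creation can look like when every machine has only local accounts, as an added example (not part of the original post). It assumes Windows Security events 4720 (user account created) and 4732 (member added to a local group) have already been exported from each host's local Security log into dicts; the hostnames, account names, SIDs and the 10-minute window are constructed for illustration.

```python
from datetime import datetime, timedelta

ADMIN_GROUP_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group
WINDOW = timedelta(minutes=10)     # assumed correlation window, tune to taste

# Constructed sample records: Security events flattened to dicts, one list for all hosts.
EVENTS = [
    {"time": "2012-03-26T09:00:05", "host": "WS-01", "id": 4720,
     "SubjectUserName": "admin3", "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-1-2-3-1007"},
    {"time": "2012-03-26T09:00:40", "host": "WS-01", "id": 4732,
     "SubjectUserName": "admin3", "MemberSid": "S-1-5-21-1-2-3-1007", "TargetSid": ADMIN_GROUP_SID},
    {"time": "2012-03-26T10:15:00", "host": "SRV-02", "id": 4720,
     "SubjectUserName": "admin1", "TargetUserName": "jsmith", "TargetSid": "S-1-5-21-9-8-7-1012"},
    {"time": "2012-03-26T11:30:00", "host": "SRV-02", "id": 4732,
     "SubjectUserName": "admin1", "MemberSid": "S-1-5-21-9-8-7-1003", "TargetSid": ADMIN_GROUP_SID},
]

def admin_alerts(events):
    """Return one alert per addition to local Administrators (4732), marked
    'new-account' when that member was created (4720) on the same host within WINDOW."""
    created = {}   # (host, account SID) -> (creation time, account name)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            # Remember every new local account so a later group add can be tied to it.
            created[(ev["host"], ev["TargetSid"])] = (when, ev["TargetUserName"])
        elif ev["id"] == 4732 and ev["TargetSid"] == ADMIN_GROUP_SID:
            born, name = created.get((ev["host"], ev["MemberSid"]), (None, None))
            fresh = born is not None and when - born <= WINDOW
            alerts.append({
                "host": ev["host"], "time": ev["time"], "actor": ev["SubjectUserName"],
                "member": name or ev["MemberSid"],   # fall back to the SID if the name is unknown
                "kind": "new-account" if fresh else "existing-account",
            })
    return alerts

if __name__ == "__main__":
    for a in admin_alerts(EVENTS):
        print(f'[{a["kind"]}] {a["host"]} {a["time"]}: {a["actor"]} added {a["member"]} to Administrators')
```
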

2) My question: The most common way a bad guy is going to try and break into your network and get their hands on your customers' information would be leveraging advanced malware. Walk me through how you protect against this threat model.

Their answer: We have never had a malware problem to date, and we use a top anti-virus/endpoint security product to stop malware.