Deloitte interview question

How would you secure a server hosting a website?

Interview Answer

Anonymous

28 July 2016

You must have an access control system into the DB, if any, and into the OS, with an appropriate privilege separation. Any authentication mechanism used in the whole system must use strong cryptographic algorithms/mechanisms; multi-factor authentication may be desirable. You should make a pentest or a security audit in order to make sure that you detect, prioritise and fix all the issues that the system may have and that it complies with the current legislation. At the network level, you should implement a DMZ with one or two firewalls. I forgot to mention an IPS or IDS, which the interviewer explained to me.
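The DMZ with two firewalls and the restricted access into the DB that the answer mentions, as an added example that is not part of the original post: a small rule evaluator over a constructed two-firewall layout (all addresses, ports and rules are assumptions) showing that the internet reaches only the web server's HTTP/HTTPS ports and that only the web server, not any other DMZ host, reaches the database.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    port: Optional[int]    # destination port; None matches any port

# Constructed addressing for the two-firewall layout (assumed, not from the post).
DMZ = "192.0.2.0/24"        # outer firewall sits between the internet and this zone
WEB = "192.0.2.10/32"       # the web server, the only DMZ host the internet may reach
INTERNAL = "10.0.0.0/8"     # inner firewall sits between the DMZ and this zone
DB = "10.0.5.20/32"         # the database, reachable only from the web server

OUTER_FW = [Rule("allow", "0.0.0.0/0", WEB, 443),
            Rule("allow", "0.0.0.0/0", WEB, 80),
            Rule("deny", "0.0.0.0/0", DMZ, None)]
INNER_FW = [Rule("allow", WEB, DB, 5432),
            Rule("deny", DMZ, INTERNAL, None)]

ZONES = ["internet", "dmz", "internal"]
FIREWALLS = {("internet", "dmz"): OUTER_FW, ("dmz", "internal"): INNER_FW}

def decide(rules: List[Rule], src: str, dst: str, port: int) -> bool:
    """First matching rule wins; a packet matching no rule is dropped (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.port in (None, port):
            return r.action == "allow"
    return False

def zone_of(ip: str) -> str:
    a = ip_address(ip)
    if a in ip_network(DMZ):
        return "dmz"
    if a in ip_network(INTERNAL):
        return "internal"
    return "internet"

def path_allowed(src: str, dst: str, port: int) -> bool:
    """A packet must be accepted by every firewall between its source and destination zone."""
    i, j = ZONES.index(zone_of(src)), ZONES.index(zone_of(dst))
    lo, hi = sorted((i, j))
    return all(decide(FIREWALLS[(ZONES[k], ZONES[k + 1])], src, dst, port)
               for k in range(lo, hi))
```

A packet from the internet to the database has to pass both firewalls, and the outer one already drops it because its only allow rules point at the web server.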