FITSP Auditor Practice Questions with Correct Answers
What elements are components of an information system?
a) Hardware and software
b) Interconnected systems
c) People
d) All of the above - ANSWER-All of the above
What are some of the threats that the information system faces?
a) Environmental disruptions
b) Human errors
c) Cyber-attacks
d) All of the above - ANSWER-All of the above
During what phase of the SDLC should the organization consider the security requirements (mark all that apply)?
a) Initiation Phase/Development/Acquisition Phase
b) Implementation Phase
c) Operation/Maintenance Phase
d) System Disposal Phase - ANSWER-Initiation Phase/Development/Acquisition Phase, Implementation Phase, Operation/Maintenance Phase, System Disposal Phase
The PIA, BIA, and Security Categorization are all done in this phase of the SDLC:
a) Initiation
b) Development/Acquisition
c) Implementation
d) Operations/Maintenance
e) Disposal - ANSWER-Initiation
Security Reauthorizations are conducted during which phase of the SDLC?
a) Initiation
b) Development/Acquisition
c) Implementation
d) Operations/Maintenance
e) Disposal - ANSWER-Operations/Maintenance
Which approach involves continually balancing the protection of agency information and assets with the cost of security controls and mitigation strategies?
a) Risk Management Approach
b) Change Management Approach
c) Configuration Management Approach
d) Software Development Life Cycle - ANSWER-Risk Management Approach
Which of the following must be assigned to government personnel only (select all that apply)?
a) Senior Information Security Officer
b) Information System Architect
c) Information System Security Engineer
d) Authorizing Official - ANSWER-SISO and AO
Place the 4 components of risk management in the correct order.
a) Monitor
b) Frame
c) Respond
d) Assess - ANSWER-Frame, Assess, Respond, Monitor
The following are the possible outcomes of the Authorization Decision (mark all that apply):
a) Authorization to Operate
b) Interim Authorization to Operate
c) Not Authorized to Operate
d) Interim Authorization to Test - ANSWER-ATO and Not Authorized to Operate
List the 6 steps of the RMF process.
a) Categorize, Select, Implement, Assess, Authorize, Monitor
b) Initiate, Select, Implement, Operate, Authorize, Monitor
c) Categorize, Select, Implement, Assess, Monitor, Disposal
d) Categorize, Select, Develop, Assess, Authorize, Monitor - ANSWER-Categorize, Select, Implement, Assess, Authorize, Monitor
What NIST Special Publication superseded the original Special Publication 800-30 as the source for guidance on risk management?
a) SP 800-34r1
b) SP 800-30r1
c) SP 800-39
d) SP 800-37r1 - ANSWER-SP 800-39
The risk management processes, at the information system level, link to risk management processes at the organization level through what newly defined role in the RMF?
a) Head of Agency (Chief Executive Officer)
b) Risk Executive (Function)
c) Chief Information Officer
d) Senior Information Security Officer
e) Authorizing Official Designated Representative - ANSWER-Risk Executive (Function)
Applying the first three steps in the RMF to legacy systems can be viewed as a ________ to determine if the necessary and sufficient security controls have been appropriately selected and allocated.
a) Risk Assessment
b) Due Diligence
c) Gap Analysis
d) Capital Planning - ANSWER-Gap Analysis
The following legislation requires federal agencies to establish capital planning and investment control policies and procedures when procuring information technology:
a) E-Government Act of 2002
b) Federal Information Security Management Act (FISMA)
c) Government Information Security Reform Act (GISRA)
d) Clinger-Cohen Act - ANSWER-Clinger-Cohen Act