solutions
CIO - ANSWER Most senior executive in an enterprise responsible for IT and computer systems
that support enterprise goals.
Chief Information Security Officer (CISO) - ANSWER Senior executive responsible for establishing
and maintaining the enterprise vision, strategy, and program to ensure information assets are
adequately protected.
Directs staff in identifying, developing, implementing, and maintaining processes across the
organization to reduce information and IT risks.
Risk Executive - ANSWER An individual or group within an organization that helps to ensure that
risk-related considerations for individual information systems, to include authorization
decisions, are viewed from an organization-wide perspective with regard to the overall strategic
goals and objectives.
Who designates a Senior Agency Information Security Officer (SAISO)? - ANSWER CIO
What is the CIO responsible for? - ANSWER -Designating the SAISO
-Developing and maintaining security policies, procedures, and control techniques
-Overseeing personnel with significant responsibilities for information security and ensuring
adequate training
-Assisting senior organizational officials concerning their security responsibilities
-Reporting annually to the Agency Head on the overall effectiveness of the organization's
information security program
Who determines the appropriate allocation of resources dedicated to the protection of
information systems supporting the organization's missions and business functions? - ANSWER
The CIO and AO
Authorizing Official - ANSWER -A senior (federal) official or executive with the authority to
formally assume responsibility for operating an information system at an acceptable level of risk
to organizational operations.
-Has budgetary oversight
-Must be a government employee
-Assumes risk by signing ATO
Senior Agency Information Security Officer - ANSWER Official responsible for carrying out the
Chief Information Officer responsibilities under FISMA and serving as the Chief Information
Officer's primary liaison to the agency's authorizing officials, information system owners, and
information system security officers. Referred to as the CISO in some organizations
SecCM - ANSWER Security Focused Configuration Management
What are the three tiers of Organization Wide Risk Management and what roles are aligned to
them? - ANSWER Tier 1. Organization (Risk Executive)
Tier 2. Mission/Business Processes (Information Security Architect)
Tier 3. Information Systems (Information System Security Engineer)
Information System Security Officer - ANSWER Individual assigned responsibility by the senior
agency information security officer, authorizing official, management official, or information
system owner for ensuring that the appropriate operational security posture is maintained for
an information system or program.
Information System Security Engineer - ANSWER Individual assigned responsibility for
conducting information system security engineering activities.
HIPAA and HITECH - ANSWER Protects/secures Personal Health Information (PHI).
Controls need to be in place to secure PHI during the collection, storing, or processing of data.
Used by any organization that is collecting, storing, or processing PHI (hospitals, medical
providers, insurance companies, etc.)
HITECH came later and enhances HIPAA
Where are deficiencies and corrective actions documented? - ANSWER POAMS, which are kept
even after closed. If the issue happens again, the POAM is reopened.
M-06-19 - ANSWER Required potential breach of PII data to be reported within one hour of
discovery
All CONMON relies on Security Content Automation Protocol (SCAP).... True or False? - ANSWER
True
Who issues binding operational directives (BODs)? - ANSWER DHS
FISMA 2002 - ANSWER -Emphasized risk-based policy for cost-effective security.
-Requires agency program officials, CIOs, and IGs to conduct annual reviews of the Agency's
Information Security Program and report them to OMB.
FISMA 2014 - ANSWER Replaced subchapters 2 and 3 of FISMA 2002.
Primary purposes include:
-Assigned responsibilities to the Secretary of Homeland Security, as that department did not exist
at the time of FISMA 2002.
-Formalized reporting of information security incidents and privacy breaches