with solutions
The following legislation requires federal agencies to establish capital planning and investment
control policies and procedures when procuring information technology:
a) E-Government Act of 2002
b) Federal Information Security Management Act (FISMA)
c) Government Information Security Reform Act (GISRA)
d) Clinger-Cohen Act - ANSWER Clinger-Cohen Act
The following legislation requires federal agencies to appoint a Chief Information Officer:
a) E-Government Act of 2002
b) Federal Information Security Management Act (FISMA)
c) Government Information Security Reform Act (GISRA)
d) Clinger-Cohen Act - ANSWER Clinger-Cohen Act
The following legislation requires federal agencies to develop, document, and implement an
agency-wide information security program:
a) E-Government Act of 2002, Section 208
b) Federal Information Security Management Act (FISMA)
c) Government Information Security Reform Act (GISRA)
d) Clinger-Cohen Act - ANSWER Federal Information Security Management Act (FISMA)
The following legislation requires federal agencies to prepare Privacy Impact Assessments (PIAs)
when developing or procuring new information technology:
a) E-Government Act of 2002, Section 208
b) Federal Information Security Management Act (FISMA)
c) Privacy Act, 1974
d) Clinger-Cohen Act - ANSWER E-Government Act of 2002, Section 208
The following legislation requires each agency with an Inspector General to conduct an annual evaluation of the agency's information security program, or to appoint an independent external auditor to conduct the evaluation on its behalf:
a) E-Government Act of 2002, Title I
b) Federal Information Security Management Act (FISMA)
c) Government Information Security Reform Act (GISRA)
d) Clinger-Cohen Act - ANSWER Federal Information Security Management Act (FISMA)
The Secretary of which department or agency was delegated the responsibility by FISMA to prescribe standards and guidelines pertaining to federal information systems, in order to improve the efficiency of operation or the security of Federal information systems?
a) Department of Homeland Security (DHS)
b) Defense Department
c) Commerce Department
d) National Security Agency - ANSWER
The following OMB guidance established the requirement for federal agencies to review the security controls in each system when significant modifications are made to the system, or at least every three years. This guidance also requires federal agencies to re-authorize information systems every three years.
a) OMB Circular No. A-123, Management Accountability and Control
b) OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Resources
c) OMB Circular No. A-127, Financial Management Systems
d) OMB Circular No. A-136, Financial Management Reporting Requirements - ANSWER OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Resources
The Federal Information Security Modernization Act of 2014 (FISMA 2014) formally assigns
information security responsibilities to which of the following agencies/departments (select
two):
a) Commerce
b) DHS
c) Justice
d) OMB - ANSWER DHS and OMB
What is the required frequency of FISMA reporting feeds for CFO Act agencies?
a) Monthly
b) Quarterly
c) Semi-annually
d) Annually - ANSWER Monthly
Which law directed the Secretary of Health and Human Services to develop standards for
protecting electronic health information?
a) ARRA
b) HITECH
c) HIPAA
d) ePHI - ANSWER HIPAA
Current regulations still require the re-authorization of Federal information systems at least
every three years.
a) True
b) False - ANSWER False
As part of monitoring the security posture of agency desktops, OMB requires Federal agencies to use vulnerability scanning tools that leverage the ______ protocol.
a) SNMP
b) SMTP
c) SCAP
d) LDAP - ANSWER SCAP
Following the loss of 26 million records containing PII at the Department of Veterans Affairs, OMB released M-06-16, Protection of Sensitive Agency Information. This memo required all of the following except:
a) Encryption of all data on mobile computers/devices
b) Permit remote access only with two-factor authentication, for which one factor is provided by a device separate from the computer gaining access
c) Use a "time-out" function for remote access and mobile devices, requiring user re-authentication after 30 minutes of inactivity
d) Encryption of all server backup tapes - ANSWER Encryption of all server backup tapes
This Homeland Security Presidential Directive requires all Federal agencies to adopt a standard, government-wide card to reduce identity fraud, protect personal privacy, and provide for authentication. This directive is called:
a) Real-ID Act
b) HSPD-12 - Common Identification Standard
c) Critical Infrastructure Protection Act
d) HSPD-24 - Biometrics to Enhance National Security Act - ANSWER HSPD-12 - Common Identification Standard