CRISC Certified in Risk and Information Systems Control – Question105

FISMA requires federal agencies to protect IT systems and data. How often should compliance be audited by an external organization?

A. Annually
B. Quarterly
C. Every three years
D. Never

Correct Answer: A

Explanation:
FISMA compliance must be evaluated annually. Each year, agencies must obtain an independent evaluation of their information security program; the objective is to determine the program's effectiveness. These evaluations include:

  • Testing for effectiveness: policies, procedures, and practices are tested. The evaluation does not test every policy, procedure, and practice; instead, a representative sample is tested.
  • An assessment or report: this report identifies the agency's compliance with FISMA and also lists its compliance with other applicable standards and guidelines.

Incorrect Answers: B, C, D: Auditing of compliance by an external organization is done annually, not quarterly, every three years, or never.