FITSAF Levels: Testing and Review | CISSP-ISSEP Exam Preparation

FITSAF Level for Testing and Review

Question

FITSAF stands for Federal Information Technology Security Assessment Framework.

It is a methodology for assessing the security of information systems.

Which of the following FITSAF levels shows that the procedures and controls are tested and reviewed?

Answers

Explanations


A.

FITSAF (Federal Information Technology Security Assessment Framework) is a methodology developed by the National Institute of Standards and Technology (NIST) for assessing the security of information systems. FITSAF provides a structured approach to assessing the security posture of an organization's information systems by defining a set of levels, each with increasing maturity and sophistication of security controls.

The five levels of FITSAF are as follows:

Level 1: Ad hoc - The organization does not have a formal security program or has only an informal ad hoc approach to security.

Level 2: Defined - The organization has defined basic security policies, procedures, and guidelines, but they may not be consistently implemented.

Level 3: Implemented - The organization has implemented security controls and procedures, but they may not be consistently applied across the organization.

Level 4: Managed and Measurable - The organization has a comprehensive security program that is managed and measurable, and the effectiveness of security controls is regularly reviewed and tested.

Level 5: Optimized - The organization has a continuous improvement process in place for its security program, and it uses metrics and data analysis to optimize its security controls and procedures.

Based on the above descriptions, it can be concluded that Level 4 (Managed and Measurable) is the FITSAF level that shows that the procedures and controls are tested and reviewed. At this level, the organization has a comprehensive security program that is managed and measurable, and the effectiveness of security controls is regularly reviewed and tested to ensure they are effective in mitigating identified risks.