Compliance Auditing Frequency for FISMA - CRISC Exam Answer

The Importance of External Compliance Audits


Question

FISMA requires federal agencies to protect IT systems and data.

How often should compliance be audited by an external organization?

Answers

Explanations



A.

A FISMA inspection is required to be done annually.

Each year, agencies must have an independent evaluation of their program.

The objective is to determine the effectiveness of the program.

These evaluations include:

-> Testing for effectiveness: Policies, procedures, and practices are tested. The evaluation does not test every policy, procedure, and practice; instead, a representative sample is tested.

-> An assessment or report: This report identifies the agency's compliance with FISMA and also lists compliance with other standards and guidelines.

Incorrect Answers: B, C, D: Auditing of compliance by an external organization is done annually, not quarterly or every three years.

The Federal Information Security Modernization Act (FISMA) requires federal agencies to establish and implement policies, procedures, and guidelines to ensure the security of their information and information systems. FISMA also mandates that agencies regularly evaluate and report on the effectiveness of their security controls to ensure the protection of their IT systems and data.

One of the requirements of FISMA is to conduct periodic audits and assessments to ensure compliance with security policies, procedures, and guidelines. These audits can be performed internally or by external auditors. However, FISMA does not specify a particular frequency for audits conducted by an external organization.

The decision on how often to conduct external audits should be based on the agency's risk management strategy and the level of risk associated with its IT systems and data. For example, agencies with higher-risk systems or those that handle sensitive information may require more frequent external audits than agencies with lower-risk systems or less sensitive information.

Therefore, the correct answer to this question is A. Annually. This is because conducting an annual external audit is a widely accepted best practice in the industry and is often recommended by regulatory bodies. Annual audits can help agencies identify and mitigate security vulnerabilities in a timely manner, ensuring the ongoing protection of their IT systems and data.