FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. Which of the following FITSAF levels shows that the procedures and controls have been implemented?
A. Level 2
B. Level 1
C. Level 5
D. Level 3
E. Level 4
Explanation:
The following are the five levels of FITSAF, based on SEI's Capability Maturity Model (CMM):
Level 1. The first level reflects that an asset has a documented security policy.
Level 2. The second level shows that the asset has documented procedures and controls to implement the policy.
Level 3. The third level indicates that these procedures and controls have been implemented.
Level 4. The fourth level shows that the procedures and controls are tested and reviewed.
Level 5. The fifth level is the final level and shows that the asset has procedures and controls fully integrated into a comprehensive program.
What is FITSAF?
FITSAF stands for Federal Information Technology Security Assessment Framework. It is a methodology for assessing the security of information systems. It provides an approach for federal agencies to determine how well they are meeting existing policy and to establish goals. The main advantage of FITSAF is that it addresses the requirements of the Office of Management and Budget (OMB). It also addresses the guidelines provided by the National Institute of Standards and Technology (NIST).
What is the Capability Maturity Model?
The Capability Maturity Model (CMM) is a service mark owned by Carnegie Mellon University (CMU) and refers to a development model elicited from actual data. The data was collected from organizations that contracted with the U.S. Department of Defense, which funded the research, and became the foundation from which CMU created the Software Engineering Institute (SEI). Like any model, it is an abstraction of an existing system. Unlike many models derived in academia, this one is based on observation rather than on theory. When it is applied to an existing organization's software development processes, it allows an effective approach toward improving them. Eventually it became clear that the model could be applied to other processes, which gave rise to a more general concept that is applied to business processes and to developing people.
Reference: The CISSP and CAP Study Guide, Contents, "Understanding Certification and Accreditation"
Correct answer: D