IIBA Certificate in Cybersecurity Analysis IIBA-CCA CCA Exam Questions

Answer : C

In cybersecurity risk terminology, an event is an observable occurrence that can affect systems, services, or data. An event may be benign, harmful, intentional, or accidental. When a vulnerability is exploited accidentally---for example, a user unintentionally triggers a software flaw, a misconfiguration causes unintended exposure, or a system process mishandles input and causes data corruption---the occurrence is best categorized as an event. Cybersecurity documentation often distinguishes between the possibility of harm and the actual occurrence of a harmful condition. A threat is the potential for an unwanted incident, such as an actor or circumstance that could exploit a vulnerability. A threat does not require that exploitation actually happens; it describes risk potential. An agent is the entity that acts (such as a person, malware, or process) and may be malicious or non-malicious, but ''agent'' is not the term for the occurrence itself. A response refers to the actions taken after detection, such as containment, eradication, recovery, and lessons learned; it is part of incident handling, not the accidental exploitation.

Therefore, the term that represents the actual accidental exploitation occurrence is event, because it captures the real-world happening that may trigger alerts, investigations, and potentially incident response activities if impact is significant.

Answer : B

Ongoing, remote maintenance is one of the most effective ways to improve the security posture of embedded systems over time because it enables timely remediation of newly discovered weaknesses. Embedded devices frequently run firmware that includes operating logic, network stacks, and third-party libraries. As vulnerabilities are discovered in these components, organizations must be able to deploy fixes quickly to reduce exposure. Remote maintenance supports this by enabling over-the-air firmware and software updates, configuration changes, certificate and key rotation, and the rollout of compensating controls such as updated security policies or hardened settings.

Option B is correct because remote maintenance directly addresses the challenge of deploying updated firmware as issues are identified. Cybersecurity guidance for embedded and IoT environments emphasizes secure update mechanisms: authenticated update packages, integrity verification (such as digital signatures), secure distribution channels, rollback protection, staged deployment, and audit logging of update actions. These practices reduce the risk of attackers installing malicious firmware and help ensure devices remain supported throughout their operational life.

The other options are not primarily solved by remote maintenance. Limited CPU and memory are inherent design constraints that may require hardware redesign. Battery and component limitations are also physical constraints. Physical security attacks exploit device access and hardware weaknesses, which require tamper resistance, secure boot, and physical protections rather than remote maintenance alone.

Answer : B

Functional security requirements define what security capabilities a system must provide to protect information and enforce policy. They describe required security functions such as identification and authentication, authorization, role-based access control, privilege management, session handling, auditing/logging, segregation of duties, and account lifecycle processes. Because of this, user privileges are a direct and core concern of functional security requirements: the system must support controlling who can access what, under which conditions, and with what level of permission.

In cybersecurity requirement documentation, ''privileges'' include permission assignment (roles, groups, entitlements), enforcement of least privilege, privileged access restrictions, elevation workflows, administrative boundaries, and the ability to review and revoke permissions. These are functional because they require specific system behaviors and features---for example, the ability to define roles, prevent unauthorized actions, log privileged activities, and enforce timeouts or re-authentication for sensitive operations.

The other options are typically classified differently. System reliability and performance/stability are generally non-functional requirements (quality attributes) describing service levels, resilience, and operational characteristics rather than security functions. Identified vulnerabilities are findings from assessments that drive remediation work and risk treatment; they inform security improvements but are not themselves functional requirements. Therefore, the option best aligned with functional security requirements is user privileges.

Answer : B

Business analysts support cybersecurity compliance primarily by ensuring that security and privacy expectations are translated into clear, testable requirements that are built into the solution. This includes eliciting applicable organizational security policies, standards, and control objectives, then mapping them into functional and non-functional requirements such as authentication methods, role-based access, logging and audit trail needs, encryption requirements, session controls, data retention, and segregation of duties. When security policies are reflected in the solution requirements, they become part of the delivery lifecycle: they can be designed, implemented, validated in testing, and verified during acceptance. This creates traceability from policy to requirement to control implementation, which is essential for audits and for demonstrating due diligence.

Option A is typically the responsibility of governance, risk, and compliance functions or internal audit, not the BA. Option C is usually performed by security testing specialists, QA teams, or application security engineers using techniques like SAST, DAST, and penetration testing. Option D is largely an operational management and compliance enforcement function, supported by training, monitoring, and disciplinary processes. The BA's distinct contribution is ensuring policy-driven security controls are captured in requirements and embedded into the solution design and delivery artifacts.

Answer : C

An embedded system is a specialized computing system designed to perform a dedicated function as part of a larger device or physical system. Unlike general-purpose computers, embedded systems are built to support a specific mission such as controlling sensors, actuators, communications, or device logic in products like routers, printers, medical devices, vehicles, industrial controllers, and smart appliances. Cybersecurity documentation commonly highlights that embedded systems tend to operate with constrained resources, which may include limited CPU power, memory, storage, and user interface capabilities. These constraints affect both design and security: patching may be harder, logging may be minimal, and security features must be carefully engineered to fit the platform's limitations.

Option C best matches this characterization by describing a small form factor and limited processing power, which are typical attributes of many embedded devices. While not every embedded system is ''small,'' the key idea is that it is purpose-built, resource-constrained, and tightly integrated into a larger product.

The other options describe different concepts. A secure underground facility relates to physical site security, not embedded computing. Being hard to remove is about physical installation or tamper resistance, which can apply to many systems but is not what defines ''embedded.'' Storing cryptographic keys in a tamper-resistant external device describes a hardware security module or secure element use case, not the general definition of an embedded system.

Answer : B

A cryptographic hash function supports data in transit primarily by providing integrity assurance. When a sender computes a hash (digest) of a message and the receiver recomputes the hash after receipt, the two digests should match if the message arrived unchanged. If the message is altered in any way while traveling across the network---whether by an attacker, a faulty intermediary device, or transmission errors---the recomputed digest will differ from the original. This difference is the key signal that the message was modified in transit, which is what option B expresses. In practical secure-transport designs, hashes are typically combined with a secret key or digital signature so an attacker cannot simply modify the message and generate a new valid digest. Examples include HMAC for message authentication and digital signatures that hash the content and then sign the hash with a private key. These mechanisms provide integrity and, when keyed or signed, also provide authentication and non-repudiation properties.

Option A is more specifically about authentication of origin, which requires a keyed construction such as HMAC or a signature scheme; a plain hash alone cannot prove who sent the message. Option C is incorrect because keys are not ''converted'' from public to private. Option D relates to confidentiality, which is provided by encryption, not hashing. Therefore, the best answer is B because hashing enables detection of message modification during transit.

Answer : A

Designing an audit log report requires clarity on who is allowed to do what, which actions are considered security-relevant, and what evidence must be captured to demonstrate accountability. Access Control Requirements are the essential business analysis deliverable because they define roles, permissions, segregation of duties, privileged functions, approval workflows, and the conditions under which access is granted or denied. From these requirements, the logging design can specify exactly which events must be recorded, such as authentication attempts, authorization decisions, privilege elevation, administrative changes, access to sensitive records, data exports, configuration changes, and failed access attempts. They also help determine how logs should attribute actions to unique identities, including service accounts and delegated administration, which is critical for auditability and non-repudiation.

Access control requirements also drive necessary log fields and report structure: user or role, timestamp, source, target object, action, outcome, and reason codes for denials or policy exceptions. Without these requirements, an audit log report can become either too sparse to support investigations and compliance, or too noisy to be operationally useful.

A risk log can influence priorities, but it does not define the authoritative set of access events and entitlements that must be auditable. A future state process can provide context, yet it is not as precise as access rules for determining what to log. An internal audit report may highlight gaps, but it is not the primary design input compared to formal access control requirements.