IIBA-CCA Exam Questions

Business process diagrams help analysts spot weaknesses in workflows, approvals, handoffs, and segregation of duties, but they do not directly test the technical security of the underlying applications, infrastructure, or configurations. To identify vulnerabilities within solution technology, cybersecurity practice uses penetration testing, which is a controlled, authorized simulation of real-world attacks against systems. A penetration test examines how a solution behaves under adversarial conditions and validates whether security controls actually prevent exploitation, not just whether they are designed on paper.

Penetration testing typically includes reconnaissance, enumeration, and attempts to exploit weaknesses in areas such as authentication, session management, access control, input handling, APIs, encryption usage, misconfigurations, and exposed services. Results provide evidence-based findings, including exploit paths, impact, affected components, and recommended remediations. This makes penetration testing especially valuable before go-live, after major changes, and periodically for high-risk systems to confirm the security posture remains acceptable.

The other options do not fit the objective. A security patch is a remediation action taken after vulnerabilities are known, not a method for discovering them. A smoke test is a basic functional check to confirm the system builds and runs; it is not a security assessment. Vulnerability-as-a-Service is a delivery model that may include scanning or testing, but the recognized tool or technique for identifying vulnerabilities in the technology itself in this context is a penetration test, which directly evaluates exploitability and real security impact.

Business analysis is responsible for ensuring the solution is correctly understood in terms of business purpose, process flows, data handling, user roles, integrations, and non-functional requirements such as security and privacy. If the solution is not understood well enough, security risks will be missed early, leading to gaps that are expensive and difficult to correct later. This is why option C is the best answer: inadequate understanding prevents reliable identification of threats, sensitive data paths, trust boundaries, and misuse cases during requirements and design stages.

Cybersecurity documents emphasize ''security by design'' and ''shift-left'' practices, meaning risks should be identified and addressed before build and test. Business analysis contributes by eliciting and documenting security requirements, clarifying data classification and retention needs, defining user access and privilege expectations, identifying regulatory and policy constraints, and ensuring interfaces and third-party dependencies are known and assessed. BA also supports threat modeling inputs by providing accurate context about actors, workflows, and data movement, which are essential for identifying where controls like authentication, authorization, logging, encryption, and validation must exist.

Other options align to different roles or stages: budgets are governance and project management constraints, QA limitations are testing risks, and coding-introduced vulnerabilities are primarily addressed through secure coding standards, code review, and developer practices. BA's key cybersecurity risk is incomplete understanding that prevents correct security requirements and risk identification.

Cybersecurity regulations most commonly focus on the protection of personal data, because misuse or exposure can directly harm individuals through identity theft, fraud, discrimination, or loss of privacy. Privacy and data-protection laws typically require organizations to implement appropriate safeguards to protect personal information across its lifecycle, including collection, storage, processing, sharing, and disposal. In cybersecurity governance documentation, this obligation is often expressed through requirements to maintain confidentiality and integrity of personal data, limit access based on business need, and ensure accountability through logging, monitoring, and audits.

Demonstrating protection of personal data generally includes having a documented data classification scheme, clearly defined lawful purposes for processing, retention limits, and secure handling procedures. Technical controls commonly expected include strong authentication, least privilege and role-based access control, encryption for data at rest and in transit, secure key management, endpoint and server hardening, vulnerability management, and continuous monitoring for suspicious activity. Operational capabilities such as incident response, breach detection, and timely notification processes are also emphasized because regulators expect organizations to manage and report material data exposures appropriately.

While protecting applications, intellectual property, and ensuring continuity are important security objectives, they are not the primary focus of many cybersecurity regulations in the same consistent way as personal data protection. Therefore, the best answer is personal data of customers and employees.

Public and private key pairs are the foundation of asymmetric encryption, also called public key cryptography. In this model, each entity has two mathematically related keys: a public key that can be shared widely and a private key that must be kept secret. The keys are designed so that what one key does, only the other key can undo. This enables two core security functions used throughout cybersecurity architectures.

First, confidentiality: data encrypted with a recipient's public key can only be decrypted with the recipient's private key. This allows secure communication without having to share a secret key in advance, which is especially important on untrusted networks like the internet. Second, digital signatures: a sender can sign data with their private key, and anyone can verify the signature using the sender's public key. This provides authenticity (proof the sender possessed the private key), integrity (the data was not altered), and supports non-repudiation when combined with proper key custody and audit practices.

These mechanisms underpin widely used security controls such as TLS for secure web connections, secure email standards, code signing, and certificate-based authentication. A VPN may use public key cryptography during key exchange, but the key pair itself is specifically an encryption technology. IoT and network segregation are unrelated categories.

SSL and its successor TLS are cryptographic protocols designed to provide secure communications over untrusted networks. The encryption capability comes from the TLS protocol suite, which defines how two endpoints negotiate security settings, authenticate, exchange keys, and protect data as it travels between them. During the TLS handshake, the endpoints agree on a cipher suite, establish shared session keys using secure key exchange methods, and then use symmetric encryption and integrity checks to protect application data against eavesdropping and tampering. Because TLS specifies these mechanisms and the sequence of steps, it is accurate to say that encryption capability is provided by protocols.

Certificates are important but they are not the encryption mechanism itself. Digital certificates primarily support authentication and trust by binding a public key to an identity and enabling verification through a trusted certificate authority chain. Certificates help prevent impersonation and man-in-the-middle attacks by allowing clients to validate the server's identity, and in mutual TLS they can validate both parties. However, certificates alone do not define how encryption is negotiated or applied; TLS does.

Passwords are unrelated to transport encryption; they are an authentication secret and do not provide session encryption for network traffic. ''Controls'' is too general: SSL/TLS is indeed a security control, but the question asks specifically what provides the encryption capability. That capability is implemented and standardized by the SSL/TLS protocols, which orchestrate key establishment and encrypted communication.