IIBA IIBA-CCA Practice Test Questions Answers

A Business Analyst documents current technology in the “as-is” state because business processes are rarely isolated; they depend on applications, interfaces, data exchanges, identity services, and shared infrastructure. From a cybersecurity perspective, replacing one solution can unintentionally change trust boundaries, authentication flows, authorization decisions, logging coverage, and data movement across integrated systems. Option B is correct because understanding the current technology landscape helps identify where security impacts may occur across the value chain, including upstream data providers, downstream consumers, third-party services, and internal platforms that rely on the existing system.

Cybersecurity documents emphasize that integration points are common attack surfaces. APIs, file transfers, message queues, single sign-on, batch jobs, and shared databases can introduce risks such as broken access control, insecure data transmission, data leakage, privilege escalation, and gaps in monitoring. If the BA captures current integrations, dependencies, and data flows, the delivery team can properly perform threat modeling, define security requirements, and avoid breaking compensating controls that other systems depend on. This also supports planning for secure decommissioning, migration, and cutover, ensuring credentials, keys, service accounts, and network paths are rotated or removed appropriately.

The other options are less precise for the question. Training is not the core driver for documenting current technology. Governance requirements apply broadly but do not explain why current tech must be included. Data classification is important, but it is a separate activity from capturing technology dependencies needed to assess integration security impacts.

In NIST-style risk assessment,overall likelihoodis not a single guess; it is derived by considering two related likelihood components. First isthe likelihood that a threat event will be initiated. This reflects how probable it is that a threat actor or source will attempt the attack or that a threat event will occur, considering factors such as adversary capability, intent, targeting, opportunity, and environmental conditions. Second isthe likelihood that an initiated event will succeed, meaning the attempt results in the adverse outcome. This depends heavily on the organization’s existing protections and conditions, including control strength, system exposure, vulnerabilities, misconfigurations, detection and response capability, and user behavior.

Option A matches this structure: analysts evaluate bothattack initiation likelihoodandinitiated attack success likelihoodto reach an overall view of likelihood. A high initiation likelihood with low success likelihood might occur when an organization is frequently targeted but has strong defenses. Conversely, low initiation likelihood with high success likelihood might apply to niche systems that are rarely targeted but poorly protected.

The other options are incomplete or misplaced. Risk impact is a separate dimension from likelihood, and mitigation strategy is an output of risk treatment, not an input to likelihood. Site traffic and commerce volume can influence exposure but do not define likelihood by themselves. Past experience and trends are useful evidence, but they support estimating the two likelihood components rather than replacing them.

Information classificationis the formal process of evaluating the data an organization creates or holds and assigning it a sensitivity level so the organization can apply the right safeguards. Cybersecurity policies describe classification as the foundation for consistent protection because it links thepotential harm from unauthorized disclosure, alteration, or lossto specific handling and control requirements. Typical classification labels include Public, Internal, Confidential, and Restricted, though names vary by organization. Once data is classified, required protections can be specified, such as encryption at rest and in transit, access restrictions based on least privilege, approved storage locations, monitoring requirements, retention periods, and secure disposal methods.

This is not avulnerability assessment, which focuses on identifying weaknesses in systems, applications, or configurations. It is also not aninternal audit, which evaluates whether controls and processes are being followed and are effective. Option D,information categorization, is often used in some frameworks to describe assigning impact levels (for example, confidentiality, integrity, availability impact) to information types or systems, mainly to drive control baselines. While related, the question specifically emphasizes assessing data and deciding thelevel of protectionbased on risk from disclosure, which aligns most directly withclassificationprograms used to govern labeling and handling rules across the organization.

A strong classification program improves security consistency, supports compliance, reduces accidental exposure, and helps prioritize controls for the most sensitive information assets.

KRIs and KPIs are only useful when they are handled as part of a disciplined measurement lifecycle. Cybersecurity governance guidance emphasizes three essential activities:collect,analyze, andreport. Organizations must firstcollectKRI and KPI data consistently from reliable sources such as vulnerability scanners, SIEM logs, IAM systems, ticketing platforms, and asset inventories. Collection requires defined metric owners, clear definitions, standardized time windows, and data quality checks so results are comparable across periods and business units.

Next, organizationsanalyzethe data to understand what it means for risk and performance. Analysis includes trending over time, comparing results to targets and thresholds, correlating indicators to business outcomes, identifying outliers, and determining root causes. For KRIs, analysis highlights rising exposure or control breakdowns such as increasing critical vulnerabilities beyond SLA. For KPIs, analysis evaluates operational effectiveness such as mean time to detect and mean time to remediate.

Finally, organizationsreportresults to the right audiences with the right level of detail. Reporting supports accountability by assigning actions, tracking remediation progress, and escalating when thresholds are exceeded. It also supports decision making by showing where investment, staffing, or control changes will have the greatest risk-reduction and performance impact. The other options are not standard, auditable metric management activities and do not reflect the established lifecycle used in cybersecurity measurement programs.

ITIL is a widely adopted framework that definesbest-practice guidance for IT Service Management. Its focus is on how organizations design, deliver, operate, and continually improve IT services so they reliably support business outcomes. In cybersecurity and service delivery documentation, ITIL is often referenced because strong service management processes are foundational to secure operations. For example, ITIL practices such as incident management, problem management, change enablement, configuration management, and service continuity help ensure security controls are implemented consistently and that deviations are identified, tracked, and corrected.

ITIL does not define how hardware systems interface securely with one another; that is more aligned with architecture standards, security engineering, and network or platform design frameworks. It also does not prescribe a universal set of components for every technology system; that belongs to reference architectures and enterprise architecture standards. Likewise, ITIL is not primarily a security requirements standard. While ITIL supports security governance through practices like risk management, access management, and information security management integration, it does not itself serve as a mandatory security control catalog.

From a cybersecurity perspective, ITIL contributes by promoting repeatable processes, clear roles and responsibilities, measurable service levels, and continual improvement. These elements reduce operational risk, improve response effectiveness, and strengthen accountability—key requirements for maintaining confidentiality, integrity, and availability in production environments.