IIBA-CCA IIBA Certificate in Cybersecurity Analysis (CCA) Free Practice Exam Questions (2026 Updated)

“Strengthen the security from lessons learned” fits theremediationstage because it focuses on eliminating root causes and improving controls so the same incident is less likely to recur. In incident management lifecycles,responseis about immediate actions to contain and manage the incident (triage, containment, eradication actions in progress, communications, and preserving evidence).Detectionis the identification and confirmation stage (alerts, analysis, validation, and initial classification).Recoveryis restoring services to normal operation and verifying stability, including bringing systems back online, validating data integrity, and meeting recovery objectives.

After the environment is stable, organizations conduct a post-incident review and then implement corrective and preventive actions. That work is remediation: closing exploited vulnerabilities, hardening configurations, rotating credentials and keys, tightening access and privileged account controls, improving monitoring and logging coverage, updating firewall rules or segmentation, refining secure development practices, and correcting process gaps such as weak change management or incomplete asset inventory. Remediation also includes updating policies and playbooks, enhancing detection rules based on observed attacker techniques, and training targeted groups if human factors contributed.

Cybersecurity guidance emphasizes documenting lessons learned, assigning owners and deadlines, validating fixes, and tracking completion because “lessons learned” without implemented change does not reduce risk. The defining characteristic is durable improvement to the control environment, which is why this activity belongs toremediationrather than response, detection, or recovery.

A cryptographic hash function supports data in transit primarily by providingintegrity assurance. When a sender computes a hash (digest) of a message and the receiver recomputes the hash after receipt, the two digests should match if the message arrived unchanged. If the message is altered in any way while traveling across the network—whether by an attacker, a faulty intermediary device, or transmission errors—the recomputed digest will differ from the original. This difference is the key signal that the messagewas modified in transit, which is what option B expresses. In practical secure-transport designs, hashes are typically combined with a secret key or digital signature so an attacker cannot simply modify the message and generate a new valid digest. Examples include HMAC for message authentication and digital signatures that hash the content and then sign the hash with a private key. These mechanisms provide integrity and, when keyed or signed, also provide authentication and non-repudiation properties.

Option A is more specifically about authentication of origin, which requires a keyed construction such as HMAC or a signature scheme; a plain hash alone cannot prove who sent the message. Option C is incorrect because keys are not “converted” from public to private. Option D relates to confidentiality, which is provided by encryption, not hashing. Therefore, the best answer is B because hashing enables detection of message modification during transit.

AnAccess Control List (ACL)is a structured, system-maintained list of authorization rules that specifieswho or what is allowed to access a resourceand what actions are permitted. In many operating systems, network devices, and applications, an ACL functions as an internal table that maps identities such as user IDs, group IDs, service accounts, or even device/terminal identifiers to permissions like read, write, execute, modify, delete, or administer. When a subject attempts to access an object, the system consults the ACL to determine whether the requested operation should be allowed or denied, enforcing the organization’s security policy at runtime.

The description in the question matches the classic definition of an ACL as a computerized table of access rules tied to login IDs and sometimes the originating endpoint or terminal context. ACLs are central to implementingdiscretionary access controland are also widely used in networking (for example, permitting or denying traffic flows based on source/destination and ports) and file systems (controlling access to folders and files).

AnAccess Control Entry (ACE)is only a single line item within an ACL (one rule for one subject). A “Relational Access Database” is not a standard security control term for authorization tables. A “Directory Management System” manages identities and groups, but it is not the same as the enforcement list attached to a specific resource. Therefore, the correct answer isAccess Control List.

In cybersecurity guidance,employees are often described as the first and last line of defensebecause human actions influence nearly every stage of an attack. They are thefirst linesince many threats begin with user interaction: phishing emails, malicious links, social engineering calls, unsafe file handling, weak passwords, and accidental disclosure of sensitive information. A well-trained user who recognizes suspicious requests, verifies identities, and reports anomalies can stop an incident before any technical control is even engaged.

Employees are also thelast linebecause technical protections such as firewalls, filters, and endpoint tools are not perfect. Attackers routinely bypass or evade automated defenses using stolen credentials, living-off-the-land techniques, misconfigurations, or novel malware. When those controls fail, the organization still depends on people to apply secure behaviors: following least privilege, protecting credentials, using multifactor authentication correctly, confirming out-of-band requests for payments or data, and escalating unusual activity quickly. Incident response, containment, and recovery also depend on humans making correct decisions under pressure, following documented procedures, and communicating accurately.

Cybersecurity documents emphasize that a strong security culture, regular awareness training, role-based education, clear reporting channels, and consistent policy enforcement reduce human-enabled risk and turn employees into an effective security control rather than a vulnerability.

Designing an audit log report requires clarity onwho is allowed to do what, which actions are considered security-relevant, and what evidence must be captured to demonstrate accountability.Access Control Requirementsare the essential business analysis deliverable because they define roles, permissions, segregation of duties, privileged functions, approval workflows, and the conditions under which access is granted or denied. From these requirements, the logging design can specify exactly which events must be recorded, such as authentication attempts, authorization decisions, privilege elevation, administrative changes, access to sensitive records, data exports, configuration changes, and failed access attempts. They also help determine how logs should attribute actions to unique identities, including service accounts and delegated administration, which is critical for auditability and non-repudiation.

Access control requirements also drive necessary log fields and report structure: user or role, timestamp, source, target object, action, outcome, and reason codes for denials or policy exceptions. Without these requirements, an audit log report can become either too sparse to support investigations and compliance, or too noisy to be operationally useful.

A risk log can influence priorities, but it does not define the authoritative set of access events and entitlements that must be auditable. A future state process can provide context, yet it is not as precise as access rules for determining what to log. An internal audit report may highlight gaps, but it is not the primary design input compared to formal access control requirements.

Public and private key pairs are the foundation ofasymmetric encryption, also calledpublic key cryptography. In this model, each entity has two mathematically related keys: apublic keythat can be shared widely and aprivate keythat must be kept secret. The keys are designed so that what one key does, only the other key can undo. This enables two core security functions used throughout cybersecurity architectures.

First,confidentiality: data encrypted with a recipient’s public key can only be decrypted with the recipient’s private key. This allows secure communication without having to share a secret key in advance, which is especially important on untrusted networks like the internet. Second,digital signatures: a sender can sign data with their private key, and anyone can verify the signature using the sender’s public key. This provides authenticity (proof the sender possessed the private key), integrity (the data was not altered), and supports non-repudiation when combined with proper key custody and audit practices.

These mechanisms underpin widely used security controls such as TLS for secure web connections, secure email standards, code signing, and certificate-based authentication. A VPN may use public key cryptography during key exchange, but the key pair itself is specifically anencryption technology. IoT and network segregation are unrelated categories.

Transport Layer Security (TLS) strengthens the trustworthiness of application communications by ensuring that data exchanged over an untrusted network is not silently modified and is coming from the expected endpoint. While TCP provides delivery features such as sequencing and retransmission, TLS contributes to what many cybersecurity documents describe as “reliable” secure communication by addingcryptographic integrity protections. TLS uses integrity checks (such as message authentication codes in older versions/cipher suites, or authenticated encryption modes like AES-GCM and ChaCha20-Poly1305 in modern TLS) so that any alteration of data in transit is detected. If an attacker intercepts traffic and tries to change commands, session data, or application content, the integrity verification fails and the connection is typically terminated, preventing corrupted or manipulated messages from being accepted as valid.

This is distinct from merely being “stateful” (a transport-layer property) or “using TCP/IP” (a networking stack choice). TLS can run over TCP and relies on TCP for delivery reliability, but TLS itself is focused onconfidentiality, integrity, and endpoint authentication. Public/private keys and certificates are used during the TLS handshake to authenticate servers (and optionally clients) and to establish shared session keys, but the ongoing protection that prevents undetected tampering is the integrity check on each protected record. Therefore, the best match to how TLS ensures secure, dependable communication is the message integrity mechanism described in option B.

SSL/TLS relies ondigital certificatesto support encrypted communications and to help users trust that they are connecting to the correct server. A TLS certificate is typically anX.509 certificatethat binds a public key to an identity, such as a domain name, and is digitally signed by a trusted issuer. In most public internet use cases, these certificates are issued byCertificate Authoritiesthat browsers and operating systems already trust through pre-installed root certificates. Because of that trust chain, organizations commonly obtain certificates by purchasing or otherwise obtaining them from certificate authorities, which is why option B is correct.

During the TLS handshake, the server presents its certificate to the client. The client validates the certificate’s signature chain, validity period, and that the certificate matches the domain being accessed. Once validated, TLS establishes session keys used to encrypt data in transit and protect it from eavesdropping and tampering. Certificates themselves are not “similar to unencrypted data,” and they are not specific to thumb-drive storage; they are used to secure network communications. Certificates also do not primarily provide “authorization” to access data. Authorization is typically enforced by application and access control mechanisms after authentication. Certificates supportauthenticationof endpoints and enable secure key exchange, which are prerequisites for secure transport encryption and trustworthy connections.

Ongoing, remote maintenance is one of the most effective ways to improve the security posture of embedded systems over time because it enables timely remediation of newly discovered weaknesses. Embedded devices frequently run firmware that includes operating logic, network stacks, and third-party libraries. As vulnerabilities are discovered in these components, organizations must be able to deploy fixes quickly to reduce exposure. Remote maintenance supports this by enabling over-the-air firmware and software updates, configuration changes, certificate and key rotation, and the rollout of compensating controls such as updated security policies or hardened settings.

Option B is correct because remote maintenance directly addresses the challenge ofdeploying updated firmwareas issues are identified. Cybersecurity guidance for embedded and IoT environments emphasizes secure update mechanisms: authenticated update packages, integrity verification (such as digital signatures), secure distribution channels, rollback protection, staged deployment, and audit logging of update actions. These practices reduce the risk of attackers installing malicious firmware and help ensure devices remain supported throughout their operational life.

The other options are not primarily solved by remote maintenance. Limited CPU and memory are inherent design constraints that may require hardware redesign. Battery and component limitations are also physical constraints. Physical security attacks exploit device access and hardware weaknesses, which require tamper resistance, secure boot, and physical protections rather than remote maintenance alone.

Integritymeans information and systems remain accurate, complete, and protected from unauthorized or improper modification. ThePrinciple of Least Privilegeis a direct integrity protection control because it limits who can change data and what changes they are allowed to make. Under least privilege, users, applications, and service accounts receive only the minimum permissions needed to perform approved tasks, and nothing more. This reduces the chance that an attacker using a compromised account can alter records, manipulate transactions, or change configurations, and it also reduces accidental changes by well-meaning users who do not need write or administrative rights.

Least privilege is commonly enforced through role-based access control, separation of duties, restricted administrative roles, just-in-time elevation for privileged tasks, and periodic access reviews to remove excess permissions. These practices are emphasized in cybersecurity frameworks because integrity failures often occur when excessive access allows unauthorized edits to sensitive data, logs, security settings, or application code.

The other options relate to security but are less directly tied to integrity as the primary objective.Biometric verificationis an authentication method that helps confirm identity; it supports access control broadly, but it does not by itself limit modification capability once access is granted.Anti-malicious code detectionhelps prevent malware that could corrupt data, but it is primarily a detection/prevention tool rather than the foundational control for authorized modification.Backups and redundancyprimarily support availability and recovery after corruption, not the prevention of unauthorized changes.

Privileged account management refers to the governance and operational controls used to administer accounts that haveelevated permissionsbeyond standard user access. Privileged accounts can change system configurations, create or modify users, access sensitive datasets, disable security tools, and administer core infrastructure such as servers, databases, directories, network devices, and cloud consoles. Because misuse of privileged access can quickly lead to large-scale compromise, cybersecurity frameworks treat privileged access as a high-risk area requiring stronger safeguards than normal accounts.

The definition in option A is correct because it captures the core purpose of privileged account management:establishing and maintaining access rights and controlsspecifically for roles that must perform administrative or support functions. In practice, this includes ensuring privileges are granted only when justified, scoped to the minimum necessary, and reviewed regularly. It also includes controls such as separation of duties, approval workflows, time-bound elevation, credential vaulting, rotation of privileged passwords and keys, multifactor authentication, and detailed logging of privileged sessions for monitoring and audit.

Option B is too broad because privileged account management is a specialized subset of identity and access management focused on elevated access. Option C is incorrect because privilege is defined by permissions, not job title. Option D describes an authentication concept, not the full management lifecycle of privileged access.

When analyzing a web-based business environment for potential cost savings, the Business Analyst must account forapplication vulnerabilitiesbecause they directly affect the organization’s exposure to cyber attack and the true cost of operating a system. Vulnerabilities are weaknesses in application code, configuration, components, or dependencies that can be exploited to compromise confidentiality, integrity, or availability. In web environments, common examples include insecure authentication, injection flaws, broken access control, misconfigurations, outdated libraries, and weak session management.

Cost-saving recommendations frequently involve consolidating platforms, reducing tooling, lowering support effort, retiring controls, delaying upgrades, or moving to shared services. Without including known or likely vulnerabilities, the analysis can unintentionally recommend changes that reduce preventive and detective capability, increase attack surface, or extend the time vulnerabilities remain unpatched. Cybersecurity governance guidance emphasizes that technology rationalization must consider security posture: vulnerable applications often require additional controls (patching cadence, WAF rules, monitoring, code fixes, penetration testing, secure SDLC work) that carry ongoing cost. These costs are part of the system’s “total cost of ownership” and should be weighed against proposed savings.

While impact severity and threat likelihood are important for overall risk scoring, the question asks what risk factor must be included when documenting the current state of a web-based environment. The most essential factor that ties directly to the environment’s condition and drives remediation cost and exposure isapplication vulnerabilities.

Asecurity information and event management system (SIEM)is designed to centralize and analyze security-relevant data to supportthreat detection, compliance reporting, and incident management. SIEM platforms ingest logs and telemetry from many sources such as servers, endpoints, network devices, firewalls, intrusion detection systems, identity providers, cloud services, and business applications. They normalize and correlate these events so analysts can identify suspicious patterns that would be difficult to see in isolated logs, such as repeated failed logins followed by a successful login from an unusual location, privilege escalation, lateral movement indicators, or abnormal data access.

Cybersecurity operational guidance emphasizes SIEM value in three main areas. First,detection and alerting: correlation rules, behavioral analytics, and threat intelligence enrichment help surface high-risk activity. Second,incident response support: SIEM provides timelines, evidence preservation, triage context, and query capabilities that help responders scope and contain incidents. Third,compliance and audit readiness: centralized log retention, integrity controls, and reporting demonstrate that monitoring and control requirements are operating.

The other options do not match the definition. SaaS is a delivery model, not a specific security monitoring capability. A threat risk assessment is a process, not a software product for event collection and correlation. A CASB focuses on governing and protecting cloud application usage, whereas SIEM focuses on cross-environment event aggregation, correlation, and security operations monitoring.

Anexternal auditis an independent evaluation performed by a party outside the organization to determine whether security-related activities, controls, and evidence meet defined requirements. Those requirements are typically drawn from laws and regulations, contractual obligations, and recognized standards or control frameworks. The defining characteristics areindependenceandattestation: the auditor is not part of the operational team being assessed and provides an objective conclusion about compliance or control effectiveness.

Unlike a vulnerability-focused review (often called a security assessment or technical audit) that primarily seeks weaknesses to remediate, an external audit emphasizes whether controls aredesigned appropriately, implemented consistently, and operating effectivelyover time. External auditors usually test governance processes, risk management practices, policies, access control procedures, change management, logging and monitoring, incident response readiness, and evidence of periodic reviews. They also validate documentation and sampling records to confirm that what is written is actually performed.

Option B describes an internal assurance activity, such as self-assessment or internal audit preparation, where the security team checks its own implementation. Option C is closer to a financial or procurement review and is not the typical definition of an external security audit. Therefore, the best answer is the one that clearly captures anindependent partyreviewing security activitiesto ensure compliancewith established criteria

Logging requirements in cybersecurity focus on ensuring the system can produce reliable, actionable records that support detection, investigation, compliance, and accountability. The most fundamental capability is the ability torecord information about user access and actionswithin the system. This includes authentication events such as logon success or failure, logoff, session creation, and privilege elevation; authorization decisions such as access granted or denied; and security-relevant actions such as viewing, creating, modifying, deleting, exporting, or transmitting sensitive data. Good security logging also captures context like timestamp synchronization, user or service identity, source device or IP, target resource, action performed, and outcome.

This capability supports multiple operational needs. Security monitoring teams rely on logs to identify anomalies like repeated failed logins, unusual access times, access from unexpected locations, or high-risk administrative changes. Incident responders need logs to reconstruct timelines, confirm scope, and preserve evidence. Auditors and compliance teams require logs to demonstrate control effectiveness, segregation of duties, and traceability of changes.

The other options are not sufficient to satisfy logging requirements. Single sign-on can simplify authentication but does not guarantee application-level activity logging. Integration with specialized tools may be useful, but the solution must first generate the required events. Deployment model options do not address whether the system can create detailed audit trails. Therefore, the required capability is recording user access and actions in the system.

Non-repudiation is a security property that providesverifiable evidenceof an action or communication so that the parties involved cannot credibly deny their participation later. In web security, it most commonly means being able to provewho sent a message or performed a transactionand, in many cases, that the message was received and recorded. This is why option D is correct: it captures the idea of giving the receiver proof of the sender’s identity and giving the sender evidence that the message or transaction was delivered or accepted.

Cybersecurity guidance typically associates non-repudiation withdigital signatures, strong identity binding, and protected audit evidence. A digital signature uses asymmetric cryptography so that only the holder of a private key can sign, while anyone with the public key can verify the signature. When combined with trusted certificates, accurate time sources, and protected logs, this creates strong accountability. Non-repudiation also depends on maintaining the integrity of supporting evidence, such as tamper-resistant audit logs, secure log retention, and controlled access to signing keys.

It is different from confidentiality (encryption of traffic), and different from integrity alone (preventing unauthorized modification). It is also different from authorization and auditing, which support accountability but do not, by themselves, provide cryptographic-grade proof that a specific entity performed a specific action. Non-repudiation is especially important for high-trust transactions such as approvals, payments, and legally binding communications.

ITIL is a widely adopted framework that definesbest-practice guidance for IT Service Management. Its focus is on how organizations design, deliver, operate, and continually improve IT services so they reliably support business outcomes. In cybersecurity and service delivery documentation, ITIL is often referenced because strong service management processes are foundational to secure operations. For example, ITIL practices such as incident management, problem management, change enablement, configuration management, and service continuity help ensure security controls are implemented consistently and that deviations are identified, tracked, and corrected.

ITIL does not define how hardware systems interface securely with one another; that is more aligned with architecture standards, security engineering, and network or platform design frameworks. It also does not prescribe a universal set of components for every technology system; that belongs to reference architectures and enterprise architecture standards. Likewise, ITIL is not primarily a security requirements standard. While ITIL supports security governance through practices like risk management, access management, and information security management integration, it does not itself serve as a mandatory security control catalog.

From a cybersecurity perspective, ITIL contributes by promoting repeatable processes, clear roles and responsibilities, measurable service levels, and continual improvement. These elements reduce operational risk, improve response effectiveness, and strengthen accountability—key requirements for maintaining confidentiality, integrity, and availability in production environments.

KRIs and KPIs are only useful when they are handled as part of a disciplined measurement lifecycle. Cybersecurity governance guidance emphasizes three essential activities:collect,analyze, andreport. Organizations must firstcollectKRI and KPI data consistently from reliable sources such as vulnerability scanners, SIEM logs, IAM systems, ticketing platforms, and asset inventories. Collection requires defined metric owners, clear definitions, standardized time windows, and data quality checks so results are comparable across periods and business units.

Next, organizationsanalyzethe data to understand what it means for risk and performance. Analysis includes trending over time, comparing results to targets and thresholds, correlating indicators to business outcomes, identifying outliers, and determining root causes. For KRIs, analysis highlights rising exposure or control breakdowns such as increasing critical vulnerabilities beyond SLA. For KPIs, analysis evaluates operational effectiveness such as mean time to detect and mean time to remediate.

Finally, organizationsreportresults to the right audiences with the right level of detail. Reporting supports accountability by assigning actions, tracking remediation progress, and escalating when thresholds are exceeded. It also supports decision making by showing where investment, staffing, or control changes will have the greatest risk-reduction and performance impact. The other options are not standard, auditable metric management activities and do not reflect the established lifecycle used in cybersecurity measurement programs.

Information classificationis the formal process of evaluating the data an organization creates or holds and assigning it a sensitivity level so the organization can apply the right safeguards. Cybersecurity policies describe classification as the foundation for consistent protection because it links thepotential harm from unauthorized disclosure, alteration, or lossto specific handling and control requirements. Typical classification labels include Public, Internal, Confidential, and Restricted, though names vary by organization. Once data is classified, required protections can be specified, such as encryption at rest and in transit, access restrictions based on least privilege, approved storage locations, monitoring requirements, retention periods, and secure disposal methods.

This is not avulnerability assessment, which focuses on identifying weaknesses in systems, applications, or configurations. It is also not aninternal audit, which evaluates whether controls and processes are being followed and are effective. Option D,information categorization, is often used in some frameworks to describe assigning impact levels (for example, confidentiality, integrity, availability impact) to information types or systems, mainly to drive control baselines. While related, the question specifically emphasizes assessing data and deciding thelevel of protectionbased on risk from disclosure, which aligns most directly withclassificationprograms used to govern labeling and handling rules across the organization.

A strong classification program improves security consistency, supports compliance, reduces accidental exposure, and helps prioritize controls for the most sensitive information assets.