
2026 New IIBA-CCA Dumps - Real IIBA Exam Questions
Dependable IIBA-CCA Exam Dumps to Become IIBA Certified
NEW QUESTION # 46
In the OSI model for network communication, the Session Layer is responsible for:
- A. transmitting the data on the medium.
- B. adding appropriate network addresses to packets.
- C. presenting data to the receiver in a form that it recognizes.
- D. establishing a connection and terminating it when it is no longer needed.
Answer: D
Explanation:
The OSI Session Layer (Layer 5) is responsible for establishing, managing, and terminating sessions between communicating applications. A session is the logical dialogue that allows two endpoints to coordinate how communication starts, how it continues, and how it ends. This includes controlling the "conversation" state, such as who can transmit at what time, maintaining the session so it stays active, and closing it cleanly when it is no longer needed. Because of this, option D best matches the Session Layer's core responsibilities.
In contrast, presenting data to the receiver in a recognizable form is the job of the Presentation Layer (Layer 6), which deals with formatting, encoding, compression, and often cryptographic transformation concepts. Adding appropriate network addresses to packets aligns to the Network Layer (Layer 3), where logical addressing and routing decisions occur, typically associated with IP addressing. Transmitting the data on the medium is handled at the Physical Layer (Layer 1), which concerns signals, cabling, and the actual movement of bits.
From a cybersecurity perspective, session management is important because weaknesses can enable session hijacking, replay, or fixation, especially when session identifiers are predictable, not protected, or not properly invalidated. Controls commonly include strong authentication, secure session token generation, timeout and reauthentication rules, and proper session termination to reduce exposure.
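The controls listed above (unpredictable identifiers, timeouts, rotation against fixation, explicit termination) are easy to state and easy to get wrong. The following added example, not part of the original question set, contrasts a predictable sequential token with one drawn from the OS CSPRNG and implements a minimal in-memory session store with idle and absolute timeouts; the timeout values and the injectable clock are assumptions chosen for the example.

```python
import secrets
import time

# Assumed lifetimes for the example: 15 minutes idle, 8 hours absolute.
IDLE_TIMEOUT = 15 * 60
ABSOLUTE_TIMEOUT = 8 * 60 * 60


def predictable_token(counter: int) -> str:
    """Weak generator: a sequential identifier. Anyone who sees one token can
    enumerate its neighbours, which is the 'predictable identifier' weakness."""
    return f"sess-{counter:08d}"


def secure_token() -> str:
    """Strong generator: 32 bytes from the OS CSPRNG, URL-safe base64 (43 chars)."""
    return secrets.token_urlsafe(32)


class SessionStore:
    """In-memory session table. `clock` is injectable so expiry can be tested
    deterministically; production code would simply use time.time."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}

    def create(self, user: str) -> str:
        token = secure_token()
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def lookup(self, token: str):
        """Return the user for a valid token, else None. Expired entries are
        deleted on sight so they cannot be replayed later."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["created"] > ABSOLUTE_TIMEOUT or now - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def rotate(self, token: str):
        """Issue a fresh token for a live session (do this right after login to
        defeat session fixation). The old token stops working immediately."""
        user = self.lookup(token)
        if user is None:
            return None
        del self._sessions[token]
        return self.create(user)

    def terminate(self, token: str) -> bool:
        """Explicit logout: remove the server-side state, not just the cookie."""
        return self._sessions.pop(token, None) is not None


def demo() -> dict:
    clock = {"t": 1_000_000.0}
    store = SessionStore(clock=lambda: clock["t"])
    t1 = store.create("alice")
    t2 = store.rotate(t1)
    results = {
        "old_token_rejected": store.lookup(t1) is None,
        "new_token_valid": store.lookup(t2) == "alice",
    }
    clock["t"] += IDLE_TIMEOUT + 1          # user walks away past the idle limit
    results["idle_expired"] = store.lookup(t2) is None
    results["terminate_after_expiry"] = store.terminate(t2)   # nothing left to remove
    return results


if __name__ == "__main__":
    print(demo())
    print("weak:", predictable_token(41), predictable_token(42))
    print("strong:", secure_token())
```

Rotation on privilege change (login, step-up authentication) is what closes the fixation hole; the idle and absolute limits bound how long a stolen token stays useful.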
NEW QUESTION # 47
Violations of the EU's General Data Protection Regulation (GDPR) can result in:
- A. fines of €20 million or 4% of annual turnover, whichever is greater.
- B. mandatory upgrades of the security infrastructure.
- C. a complete audit of the enterprise's security processes.
- D. fines of €20 million or 4% of annual turnover, whichever is less.
Answer: A
Explanation:
The GDPR establishes a regulatory penalty framework intended to make privacy and data-protection obligations enforceable across organizations of any size. Under GDPR, the most severe administrative fines can reach up to €20 million or up to 4% of the organization's total worldwide annual turnover of the preceding financial year, whichever is higher. That "whichever is greater" clause is critical: it prevents large enterprises from treating privacy violations as a minor cost of doing business and ensures the sanction can scale with the organization's economic size and risk impact.
Cybersecurity governance and risk documents typically emphasize GDPR as a driver for enterprise risk management because the consequences extend beyond monetary fines. A confirmed violation often triggers regulatory investigations, mandatory corrective actions, and potential restrictions on processing activities. Organizations may also face indirect impacts such as breach notification costs, legal claims from affected individuals, reputational harm, loss of customer trust, and increased oversight by regulators and auditors.
From a controls perspective, GDPR penalties reinforce the need for strong security and privacy-by-design practices: data minimization, lawful processing, documented purposes, retention controls, encryption where appropriate, access control and least privilege, monitoring and incident response readiness, and evidence-based accountability through policies, records, and audit trails. Selecting option A correctly reflects GDPR's maximum fine structure and its risk-based deterrence model.
NEW QUESTION # 48
Information classification of data is a level of protection that is based on an organization's:
- A. need for access by employees.
- B. risk to loss or harm from disclosure.
- C. timing of availability for automated systems.
- D. retention for auditing purposes.
Answer: B
Explanation:
Information classification is the practice of assigning data a sensitivity level so the organization can apply protections that match the business impact if the information is exposed, altered, or becomes unavailable. The core driver for classification is the risk of harm, especially harm caused by unauthorized disclosure. If disclosure would result in regulatory penalties, reputational damage, competitive disadvantage, contractual breach, or harm to customers and employees, the data is classified at a higher level and requires stronger controls. These controls commonly include tighter access restrictions (least privilege and role-based access), stronger authentication, encryption at rest and in transit, stricter handling and sharing rules, audit logging, monitoring, and secure disposal requirements.
While retention can be influenced by compliance obligations, it is not what determines the classification level; retention policies typically reference classification but do not define it. "Need for access" is managed through access control decisions, which are applied after the data's sensitivity is understood; classification informs who should have access, not the other way around. "Timing of availability" relates to availability requirements and service resilience, which are important, but classification schemes primarily focus on sensitivity and potential damage from inappropriate exposure, with integrity and availability considerations often handled as additional impact dimensions.
Therefore, the best verified basis for information classification is the organization's assessment of risk of loss or harm from disclosure.
NEW QUESTION # 49
What is the first step of the forensic process?
- A. Reporting
- B. Collection
- C. Examination
- D. Analysis
Answer: B
Explanation:
The first step in a standard digital forensic process is collection because all later work depends on obtaining data in a way that preserves its integrity and evidentiary value. Collection involves identifying potential sources of relevant evidence and then acquiring it using controlled, repeatable methods. Typical sources include endpoint disk images, memory captures, mobile device extractions, server and application logs, cloud audit trails, email records, firewall and proxy logs, and authentication events. During collection, forensic guidance emphasizes maintaining a documented chain of custody, recording who handled the evidence, when it was acquired, how it was transported and stored, and what tools and settings were used. This documentation supports accountability and helps ensure evidence is admissible and defensible if used in disciplinary actions, regulatory inquiries, or legal proceedings.
Collection also includes steps to prevent evidence contamination or loss. Investigators may isolate systems to stop further changes, capture volatile data such as RAM before shutdown, use write blockers when imaging storage media, verify acquisitions with cryptographic hashes, and securely store originals while performing analysis on validated copies. Only after evidence is collected and preserved do teams move into examination and analysis, where artifacts are filtered, parsed, correlated, and interpreted to reconstruct timelines and determine cause and scope. Reporting comes later to communicate findings and support remediation.
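The hash verification and chain-of-custody documentation described above can be shown concretely. The following is an added example, not taken from the question set or any forensic tool: it "acquires" a constructed byte string standing in for a disk image, records its SHA-256 at acquisition, logs handling events, and later checks a working copy against that hash so a single flipped bit is detected. The record fields and the sample image are illustrative assumptions.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class CustodyRecord:
    """One evidence item: acquisition hash plus a handling log. Fields are
    illustrative; a real record also carries case number, tool/version,
    storage location and signatures of each handler."""
    item_id: str
    sha256: str
    events: list = field(default_factory=list)

    def log(self, handler: str, action: str) -> None:
        self.events.append((handler, action))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(item_id: str, source: bytes, examiner: str):
    """Image the source (here a copy of an in-memory byte string), hash both
    source and image, and refuse to continue if they differ."""
    image = bytes(source)                      # stand-in for the acquired image
    src_hash, img_hash = sha256_hex(source), sha256_hex(image)
    if src_hash != img_hash:
        raise RuntimeError("acquisition hash mismatch; image is not reliable")
    record = CustodyRecord(item_id=item_id, sha256=img_hash)
    record.log(examiner, "imaged via write blocker; source and image hashes match")
    return image, record


def verify_working_copy(record: CustodyRecord, working_copy: bytes) -> bool:
    """Analysis happens on copies. Before trusting any finding, re-hash the
    copy and compare with the hash taken at acquisition."""
    return sha256_hex(working_copy) == record.sha256


# Constructed evidence for the example: a tiny fake disk image, not real data.
SOURCE_IMAGE = b"MBR\x00" + b"\x00" * 60 + b"FAT32 sample evidence"


def demo() -> dict:
    image, record = acquire("EVID-001", SOURCE_IMAGE, "examiner A")
    record.log("examiner A", "sealed and placed in evidence locker")
    clean_copy = bytes(image)
    tampered_copy = bytearray(image)
    tampered_copy[-1] ^= 0x01                  # one flipped bit is enough to detect
    return {
        "clean_copy_ok": verify_working_copy(record, clean_copy),
        "tampered_copy_ok": verify_working_copy(record, bytes(tampered_copy)),
        "events": len(record.events),
        "hash": record.sha256,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The same pattern scales to real images by streaming the file through `hashlib.sha256()` in chunks; what matters is that the hash is taken once at acquisition, written into the custody record, and re-checked before and after every analysis pass.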
NEW QUESTION # 50
What common mitigation tool is used for directly handling or treating cyber risks?
- A. Standards
- B. Control
- C. Exit Strategy
- D. Business Continuity Plan
Answer: B
Explanation:
In cybersecurity risk management, risk treatment is the set of actions used to reduce risk to an acceptable level. The most common tool used to directly treat or mitigate cyber risk is a control because controls are the specific safeguards that prevent, detect, or correct adverse events. Cybersecurity frameworks describe controls as measures implemented to reduce either the likelihood of a threat event occurring or the impact if it does occur. Controls can be technical (such as multifactor authentication, encryption, endpoint protection, network segmentation, logging and monitoring), administrative (policies, standards, training, access approvals, change management), or physical (badges, locks, facility protections). Regardless of type, controls are the direct mechanism used to mitigate identified risks.
An exit strategy is typically a vendor or outsourcing risk management concept focused on how to transition away from a provider or system; it supports resilience but is not the primary tool for directly mitigating a specific cyber risk. Standards guide consistency by defining required practices and configurations, but the standard itself is not the mitigation; the controls implemented to meet the standard are. A business continuity plan supports availability and recovery after disruption, which is important, but it primarily addresses continuity and recovery rather than directly reducing the underlying cybersecurity risk in normal operations. Therefore, the best answer is the one that represents the direct implementation of safeguards: controls.
NEW QUESTION # 51
How should categorization information be used in business impact analysis?
- A. To determine the time and effort required for business impact assessment
- B. To identify discrepancies between the security categorization and the expected business impact
- C. To ensure that systems are designed to support the appropriate security categorization
- D. To assess whether information should be shared with other systems
Answer: B
Explanation:
Security categorization (commonly based on confidentiality, integrity, and availability impact levels) is meant to reflect the level of harm that would occur if an information type or system is compromised. A business impact analysis, on the other hand, examines the operational and organizational consequences of disruptions or failures, such as loss of revenue, inability to deliver critical services, legal or regulatory exposure, reputational harm, and impacts to customers or individuals. Because these two activities look at impact from different but related perspectives, categorization information should be used during the BIA to confirm that the stated security categorization truly matches real business consequences.
Using categorization as an input helps analysts validate assumptions about criticality, sensitivity, and tolerance for downtime. If the BIA shows that outages or data compromise would produce greater harm than the existing categorization implies, that discrepancy signals under-classification and insufficient controls. Conversely, if the BIA demonstrates limited impact, it may indicate over-classification, potentially driving unnecessary cost and operational burden. Identifying these mismatches early supports better risk decisions, prioritization of recovery objectives, and selection of controls proportionate to actual impact.
The other options describe activities that may occur in architecture, governance, or project planning, but they are not the primary purpose of using categorization information in a BIA. The key value is reconciliation: aligning security impact levels with verified business impact.
NEW QUESTION # 52
Which organizational area would drive a cybersecurity infrastructure Business Case?
- A. Finance
- B. Risk
- C. Legal
- D. IT
Answer: B
Explanation:
A cybersecurity infrastructure business case is typically driven by the Risk function because the justification for security investments is grounded in reducing enterprise risk to an acceptable level and aligning with the organization's risk appetite and regulatory obligations. Risk-focused teams (often working with the CISO and security governance) translate threats, vulnerabilities, and control gaps into business impact terms such as likelihood of adverse events, potential operational disruption, financial exposure, regulatory penalties, and reputational harm. This framing is what a formal business case requires: a clear problem statement, quantified or prioritized risk scenarios, expected risk reduction from proposed controls, and how residual risk compares to tolerance thresholds.
While IT usually leads implementation and provides architecture, sizing, and operational cost estimates, IT alone does not typically "drive" the business case without the risk rationale that explains why the investment is necessary and what enterprise outcomes it protects. Legal contributes requirements related to compliance, contracts, and breach handling, but it generally supports rather than owns investment prioritization. Finance evaluates budgeting, funding options, and return-on-investment assumptions, yet it relies on risk inputs to understand why the spend is warranted and what loss exposure is being reduced.
Therefore, the organizational area most responsible for driving a cybersecurity infrastructure business case, by defining the risk problem, articulating risk-based benefits, and enabling executive decision-making, is Risk.
NEW QUESTION # 53
Where business process diagrams can be used to identify vulnerabilities within solution processes, what tool can be used to identify vulnerabilities within solution technology?
- A. Penetration Test
- B. Vulnerability-as-a-Service
- C. Security Patch
- D. Smoke Test
Answer: A
Explanation:
Business process diagrams help analysts spot weaknesses in workflows, approvals, handoffs, and segregation of duties, but they do not directly test the technical security of the underlying applications, infrastructure, or configurations. To identify vulnerabilities within solution technology, cybersecurity practice uses penetration testing, which is a controlled, authorized simulation of real-world attacks against systems. A penetration test examines how a solution behaves under adversarial conditions and validates whether security controls actually prevent exploitation, not just whether they are designed on paper.
Penetration testing typically includes reconnaissance, enumeration, and attempts to exploit weaknesses in areas such as authentication, session management, access control, input handling, APIs, encryption usage, misconfigurations, and exposed services. Results provide evidence-based findings, including exploit paths, impact, affected components, and recommended remediations. This makes penetration testing especially valuable before go-live, after major changes, and periodically for high-risk systems to confirm the security posture remains acceptable.
The other options do not fit the objective. A security patch is a remediation action taken after vulnerabilities are known, not a method for discovering them. A smoke test is a basic functional check to confirm the system builds and runs; it is not a security assessment. Vulnerability-as-a-Service is a delivery model that may include scanning or testing, but the recognized tool or technique for identifying vulnerabilities in the technology itself in this context is a penetration test, which directly evaluates exploitability and real security impact.
NEW QUESTION # 54
Analyst B has discovered multiple attempts from unauthorized users to access confidential data. This is most likely a:
- A. Hacker
- B. User
- C. IT Support
- D. Admin
Answer: A
Explanation:
Multiple attempts by unauthorized users to access confidential data most closely aligns with activity from a hacker, meaning an unauthorized actor attempting to gain access to systems or information. Cybersecurity operations commonly observe this pattern as repeated login failures, password-spraying, credential-stuffing, brute-force attempts, repeated probing of restricted endpoints, or abnormal access requests against protected repositories. While "user" is too generic and could include authorized individuals, the question explicitly states "unauthorized users," pointing to malicious or illegitimate actors. "Admin" and "IT Support" are roles typically associated with legitimate privileged access and operational troubleshooting; repeated unauthorized access attempts from those roles would be atypical and would still represent compromise or misuse rather than normal operations. Cybersecurity documentation often classifies these attempts as indicators of malicious intent and potential precursor events to a breach. Controls recommended to counter such activity include strong authentication (multi-factor authentication), account lockout and throttling policies, anomaly detection, IP reputation filtering, conditional access, least privilege, and monitoring of authentication logs for patterns across accounts and geographies. The key distinction is that repeated unauthorized attempts represent hostile behavior by an external or rogue actor, which is best described as a hacker in the provided options.
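The "patterns across accounts" the explanation mentions are what separate a brute-force attack on one account from password spraying across many. The following added example (not part of the original question set) runs that distinction over a constructed authentication log: many failures against one account from one source is flagged as brute force, one source failing once or twice against many distinct accounts is flagged as spraying, and a user who fails once and then succeeds raises nothing. The log format and the thresholds are assumptions for the example.

```python
from collections import defaultdict

# Constructed sample log (not from a real system). Fields: timestamp, source IP,
# account, result. Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.10 alice FAIL
2024-05-01T10:00:02Z 203.0.113.10 bob FAIL
2024-05-01T10:00:03Z 203.0.113.10 carol FAIL
2024-05-01T10:00:04Z 203.0.113.10 dave FAIL
2024-05-01T10:00:05Z 203.0.113.10 erin FAIL
2024-05-01T10:00:06Z 203.0.113.10 frank FAIL
2024-05-01T10:01:00Z 198.51.100.7 finance-svc FAIL
2024-05-01T10:01:01Z 198.51.100.7 finance-svc FAIL
2024-05-01T10:01:02Z 198.51.100.7 finance-svc FAIL
2024-05-01T10:01:03Z 198.51.100.7 finance-svc FAIL
2024-05-01T10:01:04Z 198.51.100.7 finance-svc FAIL
2024-05-01T10:01:05Z 198.51.100.7 finance-svc FAIL
2024-05-01T10:02:00Z 192.0.2.5 alice FAIL
2024-05-01T10:02:30Z 192.0.2.5 alice OK
"""


def parse(log_text: str) -> list:
    """Split each line into a dict; skips blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append({"ts": ts, "ip": ip, "account": account, "ok": result == "OK"})
    return events


def detect(events, brute_threshold=5, spray_accounts=5, spray_max_per_account=2):
    """Return alerts as (kind, source_ip, account_or_*, count).

    brute_force:     one source, one account, >= brute_threshold failures.
    password_spray:  one source, >= spray_accounts distinct accounts, each with
                     <= spray_max_per_account failures (low and slow per account,
                     which per-account lockout alone does not catch)."""
    failures = defaultdict(lambda: defaultdict(int))   # ip -> account -> failures
    for e in events:
        if not e["ok"]:
            failures[e["ip"]][e["account"]] += 1

    alerts = []
    for ip, per_account in failures.items():
        for account, n in per_account.items():
            if n >= brute_threshold:
                alerts.append(("brute_force", ip, account, n))
        if (len(per_account) >= spray_accounts
                and max(per_account.values()) <= spray_max_per_account):
            alerts.append(("password_spray", ip, "*", len(per_account)))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Keying the spray rule on the source rather than the account is the point: each targeted account sees only one failure, so account lockout never fires, but the source's fan-out across accounts is unmistakable.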
NEW QUESTION # 55
Which scenario is an example of the principle of least privilege being followed?
- A. An application administrator has full permissions to only the applications they support
- B. A manager who is conducting performance appraisals is granted access to HR files for all employees
- C. All application and database administrators have full permissions to every application in the company
- D. Certain users are granted administrative access to their network account, in case they need to install a web-app
Answer: A
Explanation:
The principle of least privilege requires that users, administrators, services, and applications are granted only the minimum access necessary to perform authorized job functions, and nothing more. Option A follows this principle because the administrator's elevated permissions are limited in scope to the specific applications they are responsible for supporting. This reduces the attack surface and limits blast radius: if that administrator account is compromised, the attacker's reach is constrained to only those applications rather than the entire enterprise environment.
Least privilege is typically implemented through role-based access control, separation of duties, and privileged access management practices. These controls ensure privileges are assigned based on defined roles, reviewed regularly, and removed when no longer required. They also promote using standard user accounts for routine tasks and reserving administrative actions for controlled, auditable sessions. In addition, least privilege supports stronger accountability through logging and change tracking, because fewer people have the ability to make high-impact changes across systems.
The other scenarios violate least privilege. Option C grants excessive enterprise-wide permissions, creating unnecessary risk and enabling widespread damage from mistakes or compromise. Option D provides "just in case" administrative access, which cybersecurity guidance explicitly discourages because it increases exposure without a validated business need. Option B is overly broad because access to all HR files exceeds what is required for performance appraisals, which typically should be limited to the relevant employees' records only.
NEW QUESTION # 56
What terms are often used to describe the relationship between a sub-directory and the directory in which it is cataloged?
- A. Primary and Secondary
- B. Multi-factor Tokens
- C. Parent and Child
- D. Embedded Layers
Answer: C
Explanation:
Directories are commonly organized in a hierarchical structure, where each directory can contain sub-directories and files. In this hierarchy, the directory that contains another directory is referred to as the parent, and the contained sub-directory is referred to as the child. This parent-child relationship is foundational to how file systems and many directory services represent and manage objects, including how paths are constructed and how inheritance can apply.
From a cybersecurity perspective, understanding parent and child relationships matters because access control and administration often follow the hierarchy. For example, permissions applied at a parent folder may be inherited by child folders unless inheritance is explicitly broken or overridden. This can simplify administration by allowing consistent access patterns, but it also introduces risk: overly permissive settings at a parent level can unintentionally grant broad access to many child locations, increasing the chance of unauthorized data exposure. Security documents therefore emphasize careful design of directory structures, least privilege at higher levels of the hierarchy, and regular permission reviews to detect privilege creep and misconfigurations.
The other options do not describe this standard hierarchy terminology. "Primary and Secondary" is more commonly used for redundancy or replication roles, not directory relationships. "Multi-factor Tokens" relates to authentication factors. "Embedded Layers" is not a st
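The inheritance risk described above (an over-permissive grant at a parent silently reaching every child) can be shown by computing effective permissions down a directory tree. The following added example is not from the question set or any particular file system; it models ACL entries as a dictionary keyed by path, walks from the root to the target, honours a "break inheritance" flag, and compares a weak share layout with a hardened one. The paths, principals and permission names are assumptions for the example.

```python
# Constructed ACLs for the example. Each entry: grants (principal -> set of
# permissions) and whether the node inherits from its parent.
WEAK_ACLS = {
    "/": {"grants": {"Administrators": {"full"}}, "inherit": True},
    "/share": {"grants": {"Everyone": {"read", "write"}}, "inherit": True},   # the misconfiguration
    "/share/hr": {"grants": {"HR": {"read", "write"}}, "inherit": True},
    "/share/finance": {"grants": {"Finance": {"read", "write"}}, "inherit": False},
}

# Same tree with least privilege at the parent: Everyone gets read only.
HARDENED_ACLS = {
    **WEAK_ACLS,
    "/share": {"grants": {"Everyone": {"read"}}, "inherit": True},
}


def ancestors_and_self(path: str) -> list:
    """'/share/hr/salaries' -> ['/', '/share', '/share/hr', '/share/hr/salaries']"""
    parts = [p for p in path.strip("/").split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def effective_permissions(acls: dict, path: str) -> dict:
    """Walk root -> path accumulating grants; a node with inherit=False
    discards everything collected from above before applying its own grants."""
    effective = {}
    for node in ancestors_and_self(path):
        entry = acls.get(node, {"grants": {}, "inherit": True})
        if not entry.get("inherit", True):
            effective = {}
        for principal, perms in entry["grants"].items():
            effective.setdefault(principal, set()).update(perms)
    return effective


def find_write_exposure(acls: dict, paths: list, principal: str) -> list:
    """Audit helper: which of the given paths let `principal` modify data?"""
    return [p for p in paths
            if "write" in effective_permissions(acls, p).get(principal, set())
            or "full" in effective_permissions(acls, p).get(principal, set())]


SENSITIVE_PATHS = ["/share/hr/salaries", "/share/finance/ledger", "/share/public/notes"]

if __name__ == "__main__":
    print("weak:    ", find_write_exposure(WEAK_ACLS, SENSITIVE_PATHS, "Everyone"))
    print("hardened:", find_write_exposure(HARDENED_ACLS, SENSITIVE_PATHS, "Everyone"))
```

Note that /share/finance is protected in both layouts only because inheritance is broken there; /share/hr relies on the parent and is exposed until the parent grant is corrected, which is exactly the "review permissions at higher levels of the hierarchy" advice above.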
NEW QUESTION # 57
Certificates that provide SSL/TLS encryption capability:
- A. can be purchased from certificate authorities.
- B. are similar to the unencrypted data.
- C. can provide authorization of data access.
- D. are for data located on thumb drives.
Answer: A
Explanation:
SSL/TLS relies on digital certificates to support encrypted communications and to help users trust that they are connecting to the correct server. A TLS certificate is typically an X.509 certificate that binds a public key to an identity, such as a domain name, and is digitally signed by a trusted issuer. In most public internet use cases, these certificates are issued by Certificate Authorities that browsers and operating systems already trust through pre-installed root certificates. Because of that trust chain, organizations commonly obtain certificates by purchasing or otherwise obtaining them from certificate authorities, which is why option A is correct.
During the TLS handshake, the server presents its certificate to the client. The client validates the certificate's signature chain, validity period, and that the certificate matches the domain being accessed. Once validated, TLS establishes session keys used to encrypt data in transit and protect it from eavesdropping and tampering. Certificates themselves are not "similar to unencrypted data," and they are not specific to thumb-drive storage; they are used to secure network communications. Certificates also do not primarily provide "authorization" to access data. Authorization is typically enforced by application and access control mechanisms after authentication. Certificates support authentication of endpoints and enable secure key exchange, which are prerequisites for secure transport encryption and trustworthy connections.
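Two of the client-side checks named above, the validity period and "the certificate matches the domain being accessed", are where home-grown TLS code most often goes wrong, usually by accepting wildcards too loosely. The following added example is not from the question set or from any TLS library; it implements the name-matching rules as browsers apply them (case-insensitive, a wildcard only as the whole leftmost label, matching exactly one label, and never matching a bare registrable domain such as "*.com") plus the validity window, over a dictionary standing in for the relevant X.509 fields. Real code should let the TLS stack (for example Python's `ssl` module with `check_hostname=True`) perform these checks; this is for understanding them.

```python
from datetime import datetime, timezone


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a hostname.
    The 'at least two fixed labels after the wildcard' rule is a conservative
    choice that rejects '*.com'-style names, which public CAs do not issue."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False                      # a wildcard covers exactly one label
    if p_labels[0] == "*":
        if len(p_labels) < 3:
            return False
        return p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False                      # partial-label wildcards ('f*.example.com') rejected
    return p_labels == h_labels


def validate_cert(cert: dict, hostname: str, now: datetime):
    """`cert` is a constructed stand-in for the X.509 fields we need:
    {'san': [dns names], 'cn': str, 'not_before': datetime, 'not_after': datetime}.
    Returns (ok, reason). When a SAN extension is present the CN is ignored,
    as modern clients do."""
    if now < cert["not_before"]:
        return False, "certificate not yet valid"
    if now > cert["not_after"]:
        return False, "certificate expired"
    names = cert.get("san") or [cert.get("cn", "")]
    if any(hostname_matches(n, hostname) for n in names):
        return True, "ok"
    return False, f"hostname {hostname} not in certificate names {names}"


# Constructed certificate fields for the example (no real certificate involved).
EXAMPLE_CERT = {
    "san": ["example.com", "*.example.com"],
    "cn": "ignored-when-san-present.example.net",
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host in ["www.example.com", "a.b.example.com", "example.com",
                 "ignored-when-san-present.example.net"]:
        print(host, validate_cert(EXAMPLE_CERT, host, NOW))
```

The a.b.example.com case is the one to remember: "*.example.com" does not cover it, so a certificate for the parent zone cannot be reused one level deeper, and the CN is not consulted at all once a SAN list exists.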
NEW QUESTION # 58
Which of the following control methods is used to protect integrity?
- A. Backups and Redundancy
- B. Biometric Verification
- C. Anti-Malicious Code Detection
- D. Principle of Least Privilege
Answer: D
Explanation:
Integrity means information and systems remain accurate, complete, and protected from unauthorized or improper modification. The Principle of Least Privilege is a direct integrity protection control because it limits who can change data and what changes they are allowed to make. Under least privilege, users, applications, and service accounts receive only the minimum permissions needed to perform approved tasks, and nothing more. This reduces the chance that an attacker using a compromised account can alter records, manipulate transactions, or change configurations, and it also reduces accidental changes by well-meaning users who do not need write or administrative rights.
Least privilege is commonly enforced through role-based access control, separation of duties, restricted administrative roles, just-in-time elevation for privileged tasks, and periodic access reviews to remove excess permissions. These practices are emphasized in cybersecurity frameworks because integrity failures often occur when excessive access allows unauthorized edits to sensitive data, logs, security settings, or application code.
The other options relate to security but are less directly tied to integrity as the primary objective. Biometric verification is an authentication method that helps confirm identity; it supports access control broadly, but it does not by itself limit modification capability once access is granted. Anti-malicious code detection helps prevent malware that could corrupt data, but it is primarily a detection/prevention tool rather than the foundational control for authorized modification. Backups and redundancy primarily support availability and recovery after corruption, not the prevention of unauthorized changes.
NEW QUESTION # 59
The opportunity cost of increased cybersecurity is that:
- A. the potential cost of implementing security will always be less than the potential risk from a breach of customer data.
- B. costs of meeting regulations are constantly increasing.
- C. cybersecurity adds considerably to the cost of developing new business systems.
- D. identifying and securing assets and systems requires resources that are therefore not available to other initiatives.
Answer: D
Explanation:
Opportunity cost is a core enterprise-risk and economics concept: when an organization allocates limited resources to one activity, it reduces what is available for other priorities. Increasing cybersecurity typically requires money, skilled personnel time, executive attention, tooling, and operational capacity. Those resources could otherwise be used for revenue-generating work such as new product features, customer experience improvements, system modernization, market expansion, or process automation. That tradeoff is exactly what option D describes, making it the correct answer.
Cybersecurity documents stress that risk treatment decisions must balance risk reduction against cost, feasibility, and business impact. While stronger security can reduce the likelihood and impact of incidents, it can also introduce friction (extra approval steps, stronger authentication, segmentation), slow delivery when changes require additional reviews, and demand ongoing operational effort (monitoring, patching, vulnerability remediation, access recertification, incident response testing). These impacts are not arguments against security; they are the reason governance processes prioritize controls based on the most critical assets, highest-risk threats, and compliance requirements.
Option C may be true in some cases, but it describes a direct cost, not the broader economic concept of opportunity cost. Option B is a trend statement and not the definition. Option A is incorrect because security spend is not always less than breach risk; organizations must evaluate cost-benefit and acceptable residual risk rather than assume a universal rule.
NEW QUESTION # 60
What is risk mitigation?
- A. Eliminating the risk by stopping the activity which causes risk
- B. Purchasing insurance against a cybersecurity breach
- C. Documenting the risk in full and preparing a recovery plan
- D. Reducing the risk by implementing one or more countermeasures
Answer: D
Explanation:
Risk mitigation is the risk treatment approach focused on reducing risk to an acceptable level by lowering either the likelihood of a risk event, the impact of that event, or both. In cybersecurity risk management, mitigation is accomplished by implementing controls and countermeasures such as technical safeguards, process changes, and administrative measures. Examples include patching vulnerable systems, hardening configurations, enabling multi-factor authentication, applying least privilege, network segmentation, encryption, improved logging and monitoring, secure development practices, and user awareness training. Each of these actions reduces exposure or limits damage if an incident occurs.
The other options describe different risk treatment strategies, not mitigation. Purchasing insurance is generally considered risk transfer, where financial impact is shifted to a third party, but the underlying threat and vulnerability may still exist. Eliminating risk by stopping the risky activity is risk avoidance; it removes the exposure by discontinuing the process, system, or behavior causing the risk. Documenting the risk and preparing a recovery plan aligns more closely with risk acceptance combined with contingency planning or resilience planning; it acknowledges the risk and focuses on recovery rather than reducing the probability of occurrence.
Therefore, the correct definition of risk mitigation is reducing the risk through implementing one or more countermeasures.
NEW QUESTION # 61
What is an external audit?
- A. A review of security-related measures in place intended to identify possible vulnerabilities
- B. A review of security-related activities by an independent party to ensure compliance
- C. A process that the cybersecurity follows to ensure that they have implemented the proper controls
- D. A review of security expenditures by an independent party
Answer: B
Explanation:
An external audit is an independent evaluation performed by a party outside the organization to determine whether security-related activities, controls, and evidence meet defined requirements. Those requirements are typically drawn from laws and regulations, contractual obligations, and recognized standards or control frameworks. The defining characteristics are independence and attestation: the auditor is not part of the operational team being assessed and provides an objective conclusion about compliance or control effectiveness.
Unlike a vulnerability-focused review (often called a security assessment or technical audit) that primarily seeks weaknesses to remediate, an external audit emphasizes whether controls are designed appropriately, implemented consistently, and operating effectively over time. External auditors usually test governance processes, risk management practices, policies, access control procedures, change management, logging and monitoring, incident response readiness, and evidence of periodic reviews. They also validate documentation and sampling records to confirm that what is written is actually performed.
Option C describes an internal assurance activity, such as self-assessment or internal audit preparation, where the security team checks its own implementation. Option A describes a vulnerability-focused security assessment rather than an audit. Option D is closer to a financial or procurement review and is not the typical definition of an external security audit. Therefore, the best answer is the one that clearly captures an independent party reviewing security activities to ensure compliance with established criteria.
NEW QUESTION # 62
Organizations who don't quantify this will likely miss opportunities toward achieving strategic goals and objectives:
- A. control effectiveness.
- B. cybersecurity budget.
- C. risk estimation.
- D. risk appetite.
Answer: D
Explanation:
Risk appetite is the amount and type of risk an organization is willing to pursue or retain in order to achieve its objectives. Cybersecurity and enterprise risk management guidance treats risk appetite as a strategic input because it shapes decision-making across portfolios, programs, and day-to-day operations. When risk appetite is quantified through measurable statements and thresholds, leaders can compare proposed initiatives against agreed limits and make consistent trade-offs between speed, cost, innovation, and protection.
If an organization does not quantify risk appetite, it often defaults to inconsistent behavior: some teams become overly cautious and reject beneficial initiatives, while others take uncontrolled risk because there is no clear boundary. Both outcomes can cause missed opportunities. Over-caution can delay digital transformation, cloud adoption, automation, and new customer capabilities. Under-defined boundaries can also lead to surprise losses, regulatory issues, and unplanned remediation that consumes budget and time, reducing the organization's ability to execute strategy.
Quantified risk appetite enables practical governance: it guides which risks can be accepted, which require mitigation, and which must be escalated for executive decision. It also supports prioritization of security investments by focusing resources on risks that exceed tolerance and allowing faster approval for activities that fall within appetite. In short, risk appetite is the strategic "north star" that aligns cybersecurity risk-taking with business goals, making option D the correct choice.
NEW QUESTION # 63
Which of the following should be addressed in the organization's risk management strategy?
- A. Assignment of an executive responsible for risk management across the organization
- B. Processes for responding to a security breach
- C. Acceptable risk management methodologies
- D. Controls for each IT asset
Answer: A
Explanation:
An organization's risk management strategy is a governance-level artifact that sets direction for how risk is managed across the enterprise. A core requirement in cybersecurity governance frameworks is clear accountability, including executive ownership for risk decisions that affect the whole organization. Assigning an executive responsible for risk management establishes authority to set risk appetite and tolerance, coordinate risk activities across business units, resolve conflicts between competing priorities, and ensure risk decisions are made consistently rather than in isolated silos. This executive role also supports oversight of risk reporting to senior leadership, ensures resources are allocated to address material risks, and drives integration between cybersecurity, privacy, compliance, and operational resilience programs. Without an accountable executive function, risk management often becomes fragmented, with inconsistent scoring, uneven control implementation, and unclear decision rights for accepting or treating risk.
Acceptable risk management methodologies (option C) can be part of a strategy, but the question asks what should be addressed, and the most critical foundational element is enterprise accountability and governance. Controls for each IT asset (option D) are too granular for a strategy; selecting controls per asset belongs in security architecture, control baselines, and system-level risk assessments. Processes for responding to a security breach (option B) are typically handled in incident response and breach management plans and procedures, which are operational documents derived from strategy but not the strategy itself. Therefore, the best answer is the assignment of an executive responsible for risk management across the organization.
NEW QUESTION # 64
What should organizations do with Key Risk Indicator (KRI) and Key Performance Indicator (KPI) data to facilitate decision making, and improve performance and accountability?
- A. Achieve, reset, and evaluate
- B. Prioritize, falsify, and report
- C. Challenge, compare, and revise
- D. Collect, analyze, and report
Answer: D
Explanation:
KRIs and KPIs are only useful when they are handled as part of a disciplined measurement lifecycle. Cybersecurity governance guidance emphasizes three essential activities: collect, analyze, and report. Organizations must first collect KRI and KPI data consistently from reliable sources such as vulnerability scanners, SIEM logs, IAM systems, ticketing platforms, and asset inventories. Collection requires defined metric owners, clear definitions, standardized time windows, and data quality checks so results are comparable across periods and business units.
Next, organizations analyze the data to understand what it means for risk and performance. Analysis includes trending over time, comparing results to targets and thresholds, correlating indicators to business outcomes, identifying outliers, and determining root causes. For KRIs, analysis highlights rising exposure or control breakdowns such as increasing critical vulnerabilities beyond SLA. For KPIs, analysis evaluates operational effectiveness such as mean time to detect and mean time to remediate.
Finally, organizations report results to the right audiences with the right level of detail. Reporting supports accountability by assigning actions, tracking remediation progress, and escalating when thresholds are exceeded. It also supports decision making by showing where investment, staffing, or control changes will have the greatest risk-reduction and performance impact. The other options are not standard, auditable metric management activities and do not reflect the established lifecycle used in cybersecurity measurement programs.
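The collect, analyze, and report lifecycle described above, as an added example that is not part of the original question bank: a constructed set of vulnerability tickets stands in for data collected from a ticketing platform, the KRI "critical vulnerabilities open past SLA" and the KPI "mean time to remediate" are computed from it, and the report flags any metric that exceeds an assumed threshold for escalation. The SLA values and thresholds are assumptions, not figures from the page.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class VulnTicket:
    ticket_id: str
    severity: str                            # "critical" or "high"
    detected: datetime
    remediated: Optional[datetime] = None    # None means still open


# Constructed sample, standing in for records collected from a ticketing platform.
NOW = datetime(2026, 1, 31)
TICKETS = [
    VulnTicket("V-1", "critical", datetime(2026, 1, 1), datetime(2026, 1, 5)),
    VulnTicket("V-2", "critical", datetime(2026, 1, 10), datetime(2026, 1, 26)),
    VulnTicket("V-3", "critical", datetime(2026, 1, 15)),   # open 16 days: past SLA
    VulnTicket("V-4", "critical", datetime(2026, 1, 28)),   # open 3 days: within SLA
    VulnTicket("V-5", "high", datetime(2026, 1, 2), datetime(2026, 1, 20)),
    VulnTicket("V-6", "high", datetime(2025, 12, 20)),      # open 42 days: past SLA
]

SLA_DAYS = {"critical": 7, "high": 30}   # assumed remediation SLA per severity
# Assumed limits: a metric value above its limit is escalated in the report.
THRESHOLDS = {"critical_open_past_sla": 0, "mttr_critical_days": 7.0}


def open_past_sla(tickets, severity, now=NOW):
    """KRI: number of open tickets of this severity older than the SLA."""
    return sum(1 for t in tickets if t.severity == severity and t.remediated is None
               and (now - t.detected).days > SLA_DAYS[severity])


def mean_time_to_remediate(tickets, severity):
    """KPI: mean days from detection to remediation over closed tickets."""
    durations = [(t.remediated - t.detected).days for t in tickets
                 if t.severity == severity and t.remediated is not None]
    return mean(durations) if durations else 0.0


def build_report(tickets, now=NOW):
    """Analyze the collected tickets and report metrics plus escalations."""
    metrics = {
        "critical_open_past_sla": open_past_sla(tickets, "critical", now),
        "high_open_past_sla": open_past_sla(tickets, "high", now),
        "mttr_critical_days": mean_time_to_remediate(tickets, "critical"),
        "mttr_high_days": mean_time_to_remediate(tickets, "high"),
    }
    escalate = [name for name, value in metrics.items()
                if name in THRESHOLDS and value > THRESHOLDS[name]]
    return {"as_of": now.date().isoformat(), "metrics": metrics, "escalate": escalate}
```

Running `build_report(TICKETS)` on the sample yields one critical ticket past SLA and a critical MTTR of 10 days, so both the KRI and the KPI land in the escalation list.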
NEW QUESTION # 65