매달, 우리는 1000명 이상의 사람들이 시험 준비를 잘하고 시험을 잘 통과할 수 있도록 도와줍니다.
Certificate in Cybersecurity Analysis (CCA) 온라인 연습
최종 업데이트 시간: 2026년03월09일
당신은 온라인 연습 문제를 통해 IIBA IIBA-CCA 시험지식에 대해 자신이 어떻게 알고 있는지 파악한 후 시험 참가 신청 여부를 결정할 수 있다.
시험을 100% 합격하고 시험 준비 시간을 35% 절약하기를 바라며 IIBA-CCA 덤프 (최신 실제 시험 문제)를 사용 선택하여 현재 최신 75개의 시험 문제와 답을 포함하십시오.
정답:
Explanation:
Ongoing, remote maintenance is one of the most effective ways to improve the security posture of embedded systems over time because it enables timely remediation of newly discovered weaknesses. Embedded devices frequently run firmware that includes operating logic, network stacks, and third-party libraries. As vulnerabilities are discovered in these components, organizations must be able to deploy fixes quickly to reduce exposure. Remote maintenance supports this by enabling over-the-air firmware and software updates, configuration changes, certificate and key rotation, and the rollout of compensating controls such as updated security policies or hardened settings.
Option B is correct because remote maintenance directly addresses the challenge of deploying updated firmware as issues are identified. Cybersecurity guidance for embedded and IoT environments emphasizes secure update mechanisms: authenticated update packages, integrity verification (such as digital signatures), secure distribution channels, rollback protection, staged deployment, and audit logging of update actions. These practices reduce the risk of attackers installing malicious firmware and help ensure devices remain supported throughout their operational life.
The other options are not primarily solved by remote maintenance. Limited CPU and memory are inherent design constraints that may require hardware redesign. Battery and component limitations
are also physical constraints. Physical security attacks exploit device access and hardware weaknesses, which require tamper resistance, secure boot, and physical protections rather than remote maintenance alone.
정답:
Explanation:
A cryptographic hash function supports data in transit primarily by providing integrity assurance. When a sender computes a hash (digest) of a message and the receiver recomputes the hash after receipt, the two digests should match if the message arrived unchanged. If the message is altered in any way while traveling across the network―whether by an attacker, a faulty intermediary device, or transmission errors―the recomputed digest will differ from the original. This difference is the key signal that the message was modified in transit, which is what option B expresses. In practical secure-transport designs, hashes are typically combined with a secret key or digital signature so an attacker cannot simply modify the message and generate a new valid digest. Examples include HMAC for message authentication and digital signatures that hash the content and then sign the hash with a private key. These mechanisms provide integrity and, when keyed or signed, also provide authentication and non-repudiation properties.
Option A is more specifically about authentication of origin, which requires a keyed construction such as HMAC or a signature scheme; a plain hash alone cannot prove who sent the message.
Option C is incorrect because keys are not “converted” from public to private.
Option D relates to confidentiality, which is provided by encryption, not hashing. Therefore, the best answer is B because hashing enables detection of message modification during transit.
정답:
Explanation:
NIST SP 800-30 describes risk using a classic risk model: risk is a function of likelihood and impact. In
this model, a threat-source may exploit a vulnerability, producing a threat event that results in adverse consequences. The likelihood component reflects how probable it is that a threat event will occur and successfully cause harm, considering factors such as threat capability and intent (or in non-adversarial cases, the frequency of hazards), the existence and severity of vulnerabilities, exposure, and the strength of current safeguards. However, likelihood alone does not define risk; a highly likely event that causes minimal harm may be less important than a less likely event that causes severe harm.
The second required component is the impact―the magnitude of harm to the organization if the adverse event occurs. Impact is commonly evaluated across mission and business outcomes, including financial loss, operational disruption, legal or regulatory consequences, reputational damage, and loss of confidentiality, integrity, or availability. This is why option D is correct: NIST’s definition explicitly ties the risk expression to the resulting impact on the organization.
The other options may influence likelihood assessment or control selection, but they are not the missing definitional element. Detection probability and control assurance relate to monitoring and governance; predisposing conditions can shape likelihood. None replace the
정답:
Explanation:
When analyzing a web-based business environment for potential cost savings, the Business Analyst must account for application vulnerabilities because they directly affect the organization’s exposure to cyber attack and the true cost of operating a system. Vulnerabilities are weaknesses in application code, configuration, components, or dependencies that can be exploited to compromise confidentiality, integrity, or availability. In web environments, common examples include insecure authentication, injection flaws, broken access control, misconfigurations, outdated libraries, and weak session management.
Cost-saving recommendations frequently involve consolidating platforms, reducing tooling, lowering support effort, retiring controls, delaying upgrades, or moving to shared services. Without including known or likely vulnerabilities, the analysis can unintentionally recommend changes that reduce preventive and detective capability, increase attack surface, or extend the time vulnerabilities remain unpatched. Cybersecurity governance guidance emphasizes that technology rationalization must consider security posture: vulnerable applications often require additional controls (patching cadence, WAF rules, monitoring, code fixes, penetration testing, secure SDLC work) that carry ongoing cost. These costs are part of the system’s “total cost of ownership” and should be weighed against proposed savings.
While impact severity and threat likelihood are important for overall risk scoring, the question asks what risk factor must be included when documenting the current state of a web-based environment. The most essential factor that ties directly to the environment’s condition and drives remediation cost and exposure is application vulnerabilities.
정답:
Explanation:
Cybersecurity regulations most commonly focus on the protection of personal data, because misuse or exposure can directly harm individuals through identity theft, fraud, discrimination, or loss of privacy. Privacy and data-protection laws typically require organizations to implement appropriate safeguards to protect personal information across its lifecycle, including collection, storage, processing, sharing, and disposal. In cybersecurity governance documentation, this obligation is often expressed through requirements to maintain confidentiality and integrity of personal data, limit access based on business need, and ensure accountability through logging, monitoring, and audits.
Demonstrating protection of personal data generally includes having a documented data classification scheme, clearly defined lawful purposes for processing, retention limits, and secure handling procedures. Technical controls commonly expected include strong authentication, least privilege and role-based access control, encryption for data at rest and in transit, secure key management, endpoint and server hardening, vulnerability management, and continuous monitoring for suspicious activity. Operational capabilities such as incident response, breach detection, and timely notification processes are also emphasized because regulators expect organizations to manage and report material data exposures appropriately.
While protecting applications, intellectual property, and ensuring continuity are important security objectives, they are not the primary focus of many cybersecurity regulations in the same consistent way as personal data protection. Therefore, the best answer is personal data of customers and employees.
정답:
Explanation:
Directories are commonly organized in a hierarchical structure, where each directory can contain sub-directories and files. In this hierarchy, the directory that contains another directory is referred to as the parent, and the contained sub-directory is referred to as the child. This parentCchild relationship is foundational to how file systems and many directory services represent and manage objects, including how paths are constructed and how inheritance can apply.
From a cybersecurity perspective, understanding parent and child relationships matters because access control and administration often follow the hierarchy. For example, permissions applied at a parent folder may be inherited by child folders unless inheritance is explicitly broken or overridden. This can simplify administration by allowing consistent access patterns, but it also introduces risk: overly permissive settings at a parent level can unintentionally grant broad access to many child locations, increasing the chance of unauthorized data exposure. Security documents therefore emphasize careful design of directory structures, least privilege at higher levels of the hierarchy, and regular permission reviews to detect privilege creep and misconfigurations.
The other options do not describe this standard hierarchy terminology. “Primary and Secondary” is more commonly used for redundancy or replication roles, not directory relationships. “Multi-factor Tokens” relates to authentication factors. “Embedded Layers” is not a st
정답:
Explanation:
Cloud service models are commonly described as stacked layers of responsibility. Software as a Service delivers a complete application to the customer, while the provider manages the underlying platform and infrastructure. Platform as a Service sits one level below SaaS: it provides the managed platform needed to build, deploy, and run applications without the customer having to manage the underlying servers and most core system software.
A defining feature of PaaS is that the provider supplies and manages key platform components such as the operating system, runtime environment, middleware, web/application servers, and often supporting services like managed databases, messaging, scaling, and patching of the platform layer. The customer typically remains responsible for their application code, configuration, identities and access in the application, data classification and protection choices, and secure development practices. This shared responsibility model is central in cybersecurity guidance because it determines which security controls the provider enforces by default and which controls the customer must implement.
Given the answer options, Operating System is the best match because it is a core part of the platform layer that PaaS customers generally do not manage directly. Load balancers and storage can be consumed in multiple models, including IaaS and PaaS, and subscriptions describe a billing approach, not the technical service layer. Therefore, option D correctly reflects what PaaS provides compared to SaaS.
Bottom of Form
정답:
Explanation:
An organization’s risk management strategy is a governance-level artifact that sets direction for how risk is managed across the enterprise. A core requirement in cybersecurity governance frameworks is clear accountability, including executive ownership for risk decisions that affect the whole organization. Assigning an executive responsible for risk management establishes authority to set risk appetite and tolerance, coordinate risk activities across business units, resolve conflicts between competing priorities, and ensure risk decisions are made consistently rather than in isolated silos. This executive role also supports oversight of risk reporting to senior leadership, ensures resources are allocated to address material risks, and drives integration between cybersecurity, privacy, compliance, and operational resilience programs. Without an accountable executive function, risk management often becomes fragmented, with inconsistent scoring, uneven control implementation, and unclear decision rights for accepting or treating risk.
Option A can be part of a strategy, but the question asks what should be addressed, and the most critical foundational element is enterprise accountability and governance.
Option B is too granular for a strategy; selecting controls for each IT asset belongs in security architecture, control baselines, and system-level risk assessments.
Option C is typically handled in incident response and breach management plans and procedures, which are operational documents derived from strategy but not the strategy itself. Therefore, the best answer is the assignment of an executive responsible for risk management across the organization.
정답:
Explanation:
Role-based access control assigns permissions to defined roles that reflect job functions, and users receive access by being placed into the appropriate role. The major operational and security benefit is that it simplifies and standardizes access provisioning. Instead of granting permissions individually to each user, administrators manage a smaller, controlled set of roles such as Accounts Payable Clerk, HR Specialist, or Application Administrator. When a new employee joins or changes responsibilities, access can be adjusted quickly and consistently by changing role membership. This reduces manual errors, limits over-provisioning, and helps enforce least privilege because each role is designed to include only the permissions required for that function.
RBAC also improves governance by making access decisions more repeatable and policy-driven. Security and compliance teams can review roles, validate that each role’s permissions match business needs, and require approvals for changes to role definitions. This approach supports segregation of duties by separating conflicting capabilities into different roles, which lowers fraud and misuse risk.
Option B is a real advantage of RBAC, but it is typically a secondary outcome of having structured roles rather than the primary “significant benefit” emphasized in access-control design.
Option C relates to identity lifecycle processes such as deprovisioning, which can be integrated with RBAC but is not guaranteed by RBAC alone.
Option D describes distributing tasks among multiple users, which is more aligned with segregation of duties design, not the core benefit of RBAC.
정답:
Explanation:
Designing an audit log report requires clarity on who is allowed to do what, which actions are considered security-relevant, and what evidence must be captured to demonstrate accountability. Access Control Requirements are the essential business analysis deliverable because they define roles, permissions, segregation of duties, privileged functions, approval workflows, and the conditions under which access is granted or denied. From these requirements, the logging design can specify exactly which events must be recorded, such as authentication attempts, authorization decisions, privilege elevation, administrative changes, access to sensitive records, data exports, configuration changes, and failed access attempts. They also help determine how logs should attribute actions to unique identities, including service accounts and delegated administration, which is critical for auditability and non-repudiation.
Access control requirements also drive necessary log fields and report structure: user or role, timestamp, source, target object, action, outcome, and reason codes for denials or policy exceptions. Without these requirements, an audit log report can become either too sparse to support investigations and compliance, or too noisy to be operationally useful.
A risk log can influence priorities, but it does not define the authoritative set of access events and entitlements that must be auditable. A future state process can provide context, yet it is not as precise as access rules for determining what to log. An internal audit report may highlight gaps, but it is not the primary design input compared to formal access control requirements.
정답:
Explanation:
An embedded system is a specialized computing system designed to perform a dedicated function as part of a larger device or physical system. Unlike general-purpose computers, embedded systems are built to support a specific mission such as controlling sensors, actuators, communications, or device logic in products like routers, printers, medical devices, vehicles, industrial controllers, and smart appliances. Cybersecurity documentation commonly highlights that embedded systems tend to operate with constrained resources, which may include limited CPU power, memory, storage, and user interface capabilities. These constraints affect both design and security: patching may be harder, logging may be minimal, and security features must be carefully engineered to fit the platform’s limitations.
Option C best matches this characterization by describing a small form factor and limited processing power, which are typical attributes of many embedded devices. While not every embedded system is “small,” the key idea is that it is purpose-built, resource-constrained, and tightly integrated into a larger product.
The other options describe different concepts. A secure underground facility relates to physical site security, not embedded computing. Being hard to remove is about physical installation or tamper resistance, which can apply to many systems but is not what defines “embedded.” Storing cryptographic keys in a tamper-resistant external device describes a hardware security module or secure element use case, not the general definition of an embedded system.
정답:
Explanation:
ITIL is a widely adopted framework that defines best-practice guidance for IT Service Management. Its focus is on how organizations design, deliver, operate, and continually improve IT services so they reliably support business outcomes. In cybersecurity and service delivery documentation, ITIL is often referenced because strong service management processes are foundational to secure operations.
For example, ITIL practices such as incident management, problem management, change enablement, configuration management, and service continuity help ensure security controls are implemented consistently and that deviations are identified, tracked, and corrected.
ITIL does not define how hardware systems interface securely with one another; that is more aligned with architecture standards, security engineering, and network or platform design frameworks. It also does not prescribe a universal set of components for every technology system; that belongs to reference architectures and enterprise architecture standards. Likewise, ITIL is not primarily a security requirements standard. While ITIL supports security governance through practices like risk management, access management, and information security management integration, it does not itself serve as a mandatory security control catalog.
From a cybersecurity perspective, ITIL contributes by promoting repeatable processes, clear roles and responsibilities, measurable service levels, and continual improvement. These elements reduce operational risk, improve response effectiveness, and strengthen accountability―key requirements for maintaining confidentiality, integrity, and availability in production environments.
정답:
Explanation:
Logging requirements in cybersecurity focus on ensuring the system can produce reliable, actionable records that support detection, investigation, compliance, and accountability. The most fundamental capability is the ability to record information about user access and actions within the system. This includes authentication events such as logon success or failure, logoff, session creation, and privilege elevation; authorization decisions such as access granted or denied; and security-relevant actions such as viewing, creating, modifying, deleting, exporting, or transmitting sensitive data. Good security logging also captures context like timestamp synchronization, user or service identity, source device or IP, target resource, action performed, and outcome.
This capability supports multiple operational needs. Security monitoring teams rely on logs to identify anomalies like repeated failed logins, unusual access times, access from unexpected locations, or high-risk administrative changes. Incident responders need logs to reconstruct timelines, confirm scope, and preserve evidence. Auditors and compliance teams require logs to demonstrate control effectiveness, segregation of duties, and traceability of changes.
The other options are not sufficient to satisfy logging requirements. Single sign-on can simplify authentication but does not guarantee application-level activity logging. Integration with specialized tools may be useful, but the solution must first generate the required events. Deployment model options do not address whether the system can create detailed audit trails. Therefore, the required capability is recording user access and actions in the system.
정답:
Explanation:
The principle of least privilege requires that users, administrators, services, and applications are granted only the minimum access necessary to perform authorized job functions, and nothing more.
Option A follows this principle because the administrator’s elevated permissions are limited in scope to the specific applications they are responsible for supporting. This reduces the attack surface and limits blast radius: if that administrator account is compromised, the attacker’s reach is constrained to only those applications rather than the entire enterprise environment.
Least privilege is typically implemented through role-based access control, separation of duties, and privileged access management practices. These controls ensure privileges are assigned based on defined roles, reviewed regularly, and removed when no longer required. They also promote using standard user accounts for routine tasks and reserving administrative actions for controlled, auditable sessions. In addition, least privilege supports stronger accountability through logging and change tracking, because fewer people have the ability to make high-impact changes across systems.
The other scenarios violate least privilege.
Option B grants excessive enterprise-wide permissions, creating unnecessary risk and enabling widespread damage from mistakes or compromise.
Option C provides “just in case” administrative access, which cybersecurity guidance explicitly discourages because it increases exposure without a validated business need.
Option D is overly broad because access to all HR files exceeds what is required for performance appraisals, which typically should be limited to relevant employee records only.
정답:
Explanation:
SSL and its successor TLS are cryptographic protocols designed to provide secure communications over untrusted networks. The encryption capability comes from the TLS protocol suite, which defines how two endpoints negotiate security settings, authenticate, exchange keys, and protect data as it travels between them. During the TLS handshake, the endpoints agree on a cipher suite, establish shared session keys using secure key exchange methods, and then use symmetric encryption and integrity checks to protect application data against eavesdropping and tampering. Because TLS specifies these mechanisms and the sequence of steps, it is accurate to say that encryption capability is provided by protocols.
Certificates are important but they are not the encryption mechanism itself. Digital certificates primarily support authentication and trust by binding a public key to an identity and enabling verification through a trusted certificate authority chain. Certificates help prevent impersonation and man-in-the-middle attacks by allowing clients to validate the server’s identity, and in mutual TLS they can validate both parties. However, certificates alone do not define how encryption is negotiated or applied; TLS does.
Passwords are unrelated to transport encryption; they are an authentication secret and do not provide session encryption for network traffic. “Controls” is too general: SSL/TLS is indeed a security control, but the question asks specifically what provides the encryption capability. That capability is implemented and standardized by the SSL/TLS protocols, which orchestrate key establishment and encrypted communication.