IIBA-CCA Exam Dumps : Certificate in Cybersecurity Analysis (CCA)

Transport Layer Security (TLS) strengthens the trustworthiness of application communications by ensuring that data exchanged over an untrusted network is not silently modified and is coming from the expected endpoint. While TCP provides delivery features such as sequencing and retransmission, TLS contributes to what many cybersecurity documents describe as “reliable” secure communication by addingcryptographic integrity protections. TLS uses integrity checks (such as message authentication codes in older versions/cipher suites, or authenticated encryption modes like AES-GCM and ChaCha20-Poly1305 in modern TLS) so that any alteration of data in transit is detected. If an attacker intercepts traffic and tries to change commands, session data, or application content, the integrity verification fails and the connection is typically terminated, preventing corrupted or manipulated messages from being accepted as valid.

This is distinct from merely being “stateful” (a transport-layer property) or “using TCP/IP” (a networking stack choice). TLS can run over TCP and relies on TCP for delivery reliability, but TLS itself is focused onconfidentiality, integrity, and endpoint authentication. Public/private keys and certificates are used during the TLS handshake to authenticate servers (and optionally clients) and to establish shared session keys, but the ongoing protection that prevents undetected tampering is the integrity check on each protected record. Therefore, the best match to how TLS ensures secure, dependable communication is the message integrity mechanism described in option B.

Anexternal auditis an independent evaluation performed by a party outside the organization to determine whether security-related activities, controls, and evidence meet defined requirements. Those requirements are typically drawn from laws and regulations, contractual obligations, and recognized standards or control frameworks. The defining characteristics areindependenceandattestation: the auditor is not part of the operational team being assessed and provides an objective conclusion about compliance or control effectiveness.

Unlike a vulnerability-focused review (often called a security assessment or technical audit) that primarily seeks weaknesses to remediate, an external audit emphasizes whether controls aredesigned appropriately, implemented consistently, and operating effectivelyover time. External auditors usually test governance processes, risk management practices, policies, access control procedures, change management, logging and monitoring, incident response readiness, and evidence of periodic reviews. They also validate documentation and sampling records to confirm that what is written is actually performed.

Option B describes an internal assurance activity, such as self-assessment or internal audit preparation, where the security team checks its own implementation. Option C is closer to a financial or procurement review and is not the typical definition of an external security audit. Therefore, the best answer is the one that clearly captures anindependent partyreviewing security activitiesto ensure compliancewith established criteria

Business analysis is responsible for ensuring the solution is correctly understood in terms of business purpose, process flows, data handling, user roles, integrations, and non-functional requirements such as security and privacy. If the solution is not understood well enough, security risks will be missed early, leading to gaps that are expensive and difficult to correct later. This is why option C is the best answer: inadequate understanding prevents reliable identification of threats, sensitive data paths, trust boundaries, and misuse cases during requirements and design stages.

Cybersecurity documents emphasize “security by design” and “shift-left” practices, meaning risks should be identified and addressed before build and test. Business analysis contributes by eliciting and documenting security requirements, clarifying data classification and retention needs, defining user access and privilege expectations, identifying regulatory and policy constraints, and ensuring interfaces and third-party dependencies are known and assessed. BA also supports threat modeling inputs by providing accurate context about actors, workflows, and data movement, which are essential for identifying where controls like authentication, authorization, logging, encryption, and validation must exist.

Other options align to different roles or stages: budgets are governance and project management constraints, QA limitations are testing risks, and coding-introduced vulnerabilities are primarily addressed through secure coding standards, code review, and developer practices. BA’s key cybersecurity risk is incomplete understanding that prevents correct security requirements and risk identification.