IIBA-CCA Exam Dumps - IIBA Cybersecurity Analysis Questions and Answers

When a system processes multiple information types with different security categorizations, cybersecurity standards require the system’s overall security categorization to reflect thehighest impact levelamong those information types. This is commonly called thehigh-water markapproach. The reason is straightforward: the system is only as secure as the protection applied to the most sensitive or most mission-critical data it handles. If the system were categorized at the lowest impact value, an attacker could target the weaker control baseline and still reach higher-impact information, creating an unacceptable gap in confidentiality, integrity, or availability protection.

In practice, categorization evaluates the potential impact of loss for each of the three security objectives and then selects the highest level for each objective across all information types handled by the system. That resulting system categorization then drives control selection, assurance activities, and the rigor of monitoring and incident response expectations. This approach also supports consistent governance: it prevents under-protecting systems that contain a mix of low and high sensitivity information and aligns control strength with worst-case business impact.

Segregating data across systems can be a valid architecture decision to reduce cost or scope, but it is not the required categorization rule; it is an optional design strategy that must be justified and implemented securely. Merging categories or using the lowest value contradicts risk-based protection principles and would likely fail compliance and audit scrutiny.

Anexternal auditis an independent evaluation performed by a party outside the organization to determine whether security-related activities, controls, and evidence meet defined requirements. Those requirements are typically drawn from laws and regulations, contractual obligations, and recognized standards or control frameworks. The defining characteristics areindependenceandattestation: the auditor is not part of the operational team being assessed and provides an objective conclusion about compliance or control effectiveness.

Unlike a vulnerability-focused review (often called a security assessment or technical audit) that primarily seeks weaknesses to remediate, an external audit emphasizes whether controls aredesigned appropriately, implemented consistently, and operating effectivelyover time. External auditors usually test governance processes, risk management practices, policies, access control procedures, change management, logging and monitoring, incident response readiness, and evidence of periodic reviews. They also validate documentation and sampling records to confirm that what is written is actually performed.

Option B describes an internal assurance activity, such as self-assessment or internal audit preparation, where the security team checks its own implementation. Option C is closer to a financial or procurement review and is not the typical definition of an external security audit. Therefore, the best answer is the one that clearly captures anindependent partyreviewing security activitiesto ensure compliancewith established criteria