Practice PCSE Supporting Compliance Requirements questions with full explanations on every answer.
1. A healthcare organization is required to protect Protected Health Information (PHI) stored in Cloud Storage. They want to automatically detect and redact PHI before storing it. Which Google Cloud service should they use?
2. A company needs to retain audit logs for 7 years to meet compliance requirements. By default, Cloud Audit Logs are retained for 30 days. What should they do to retain the logs for 7 years?
3. A financial institution is deploying a payment application on GKE that must comply with PCI DSS. They need to isolate the cardholder data environment (CDE) from other workloads and ensure only authorized services can communicate. Which combination of controls should they implement?
4. An organization handles ITAR-controlled data and must restrict Google personnel access to the underlying infrastructure. Which Google Cloud product should they use to enforce this restriction?
5. A company must implement a data retention policy that prevents any modification or deletion of stored log files for 5 years. Which Cloud Storage feature should they use?
6. A company processes personal data of European Union residents on GCP. They need to ensure that data processing is limited to specific purposes and that data subjects can exercise their rights (access, rectification, erasure). Which actions should they take to comply with GDPR?
7. A security engineer wants to test a web application hosted on Compute Engine for vulnerabilities. According to Google Cloud's Acceptable Use Policy, which of the following is true regarding penetration testing?
8. A company using BigQuery for analytics needs to comply with the right to be forgotten (erasure) under GDPR. A data subject requests deletion of their personal data. What is the correct approach to delete data from BigQuery audit logs that contain the data subject's information?
9. Which Google Cloud compliance certification requires the customer to sign a Business Associate Agreement (BAA) with Google?
10. A government contractor needs to deploy workloads on GCP that meet FedRAMP High baseline requirements. They want to enforce resource location restrictions and access controls for Google personnel. Which product should they use?
11. Which of the following is a customer responsibility under the Google Cloud shared responsibility model?
12. A company wants to enforce that all Cloud Storage buckets created in their organization have a retention policy for compliance. If a bucket is created without a retention policy, it should be automatically remediated. Which approach should they use?
13. A company is migrating a PCI DSS-compliant application to GCP. They need to meet encryption requirements for cardholder data. Which TWO options satisfy PCI DSS encryption requirements? (Choose two.)
14. An organization must comply with ITAR regulations. They use Assured Workloads with the ITAR regime. Which THREE controls are automatically enforced by this regime? (Choose three.)
15. A company processes healthcare data and has signed a BAA with Google Cloud. They need to implement controls for HIPAA compliance. Which THREE actions should they take? (Choose three.)
16. A healthcare organization is migrating to Google Cloud and needs to store Protected Health Information (PHI) while maintaining HIPAA compliance. They have executed a Business Associate Agreement (BAA) with Google. Which additional step is required to ensure that PHI is properly classified and protected?
17. A financial institution must store audit logs for 7 years to comply with PCI DSS requirements. By default, Cloud Audit Logs are retained for 30 days. What is the most cost-effective way to retain audit logs for 7 years?
18. A company subject to EU GDPR must implement the right to erasure (right to be forgotten) for personal data stored in BigQuery audit logs. The logs include query text that may contain personally identifiable information (PII). What is the correct approach to anonymize or delete PII from BigQuery audit logs?
19. A government contractor needs to deploy a workload on Google Cloud that complies with FedRAMP High and ITAR (International Traffic in Arms Regulations). They require that Google personnel cannot access the infrastructure and that data residency is restricted to the United States. Which Google Cloud solution should they use?
20. Which Google Cloud service provides the ability to enforce data retention policies on Cloud Storage objects to prevent deletion or modification for a specified duration?
21. A company must process credit card transactions on Google Cloud and achieve PCI DSS compliance. They want to minimize the scope of the cardholder data environment (CDE). Which architectural approach should they take?
22. A company needs to ensure that all data stored in Cloud Storage is encrypted at rest using keys that they generate and manage themselves. They also need to rotate the keys every 90 days. Which encryption option should they use?
23. A security engineer needs to audit changes to IAM policies across their Google Cloud organization. Which audit log type should they enable to capture IAM policy changes?
24. Which Google Cloud service is specifically designed to help customers meet compliance requirements by creating a folder with pre-defined organization policies, resource location restrictions, and access controls?
25. A multinational corporation uses Google Cloud and must comply with GDPR. They want to process personal data for a new purpose that was not originally disclosed to data subjects. What is the correct course of action under GDPR?
26. A security team wants to monitor for compliance drift in an Assured Workloads folder that enforces FedRAMP High controls. Which Google Cloud service should they use to detect violations of organization policies?
27. A company is required to perform penetration testing on their Google Cloud infrastructure. According to Google Cloud's policy, which statement is true regarding penetration testing?
28. A healthcare company stores de-identified patient data in BigQuery for analytics. They must comply with HIPAA and ensure that re-identification is not possible. They also need to be able to join data on a per-patient basis for longitudinal studies. Which TWO strategies should they implement? (Choose 2)
29. A company is designing a PCI DSS-compliant environment on Google Cloud. They need to isolate the cardholder data environment (CDE) and log all access to it. Which THREE actions should they take? (Choose 3)
30. A multinational company must comply with GDPR and needs to ensure that personal data is processed in a manner that respects data subject rights. Which TWO of the following are required under GDPR? (Choose 2)
31. A healthcare organization is migrating to Google Cloud and needs to store Protected Health Information (PHI) in Cloud Storage. They have signed a Business Associate Agreement (BAA) with Google. Which additional step is REQUIRED to ensure HIPAA compliance for the data stored?
32. A financial institution is deploying a PCI DSS-compliant web application on Google Cloud. They need to isolate the cardholder data environment (CDE) from other environments and protect the web application against common web attacks. Which combination of services meets these requirements?
33. A company is using Assured Workloads to enforce FEDRAMP_HIGH compliance. They need to ensure that only US-based personnel from Google can access their data. Which configuration setting within the Assured Workloads folder should they enable?
34. A data subject requests the deletion of their personal data from a Google Cloud project under GDPR. This data is stored in BigQuery audit logs that are retained for 30 days by default. What is the correct approach to fulfill this request?
35. Which Google Cloud service can automatically classify and de-identify sensitive data such as credit card numbers and health records before it is stored in Cloud Storage?
36. A company needs to store financial records for 7 years to meet regulatory requirements. They want to ensure that once written, the records cannot be modified or deleted by anyone, including cloud administrators. Which Cloud Storage feature should they enable?
37. A security engineer needs to run a penetration test against their Google Cloud environment. According to Google's Acceptable Use Policy, which of the following is true regarding penetration testing?
38. A company is implementing GDPR compliance and wants to ensure that personal data is pseudonymized in BigQuery. They plan to use Cloud DLP to tokenize data before loading. Which approach should they take to minimize changes to existing SQL queries?
39. A healthcare organization needs to ensure that all access to ePHI in Cloud SQL is logged for HIPAA compliance. They have enabled audit logs. What additional step is required to ensure logs are retained for at least one year?
40. An organization is using Assured Workloads to enforce ITAR compliance. They need to ensure that all resources are deployed in specific US regions and that Google personnel access is restricted. They also want to monitor for any configuration changes that violate compliance policies. Which service should they use for monitoring compliance drift?
41. Which Google Cloud compliance certification is most relevant for a company that processes credit card transactions and needs to demonstrate secure handling of cardholder data?
42. A company wants to encrypt data at rest in Cloud Storage using their own keys. Which Cloud service should they use to manage these keys?
43. A company is deploying a PCI DSS-compliant application on Google Cloud. They need to ensure that the cardholder data environment (CDE) is isolated and that only authorized services can communicate. Which TWO services should they use? (Choose 2)
44. A financial institution needs to comply with GDPR data subject rights. They must ensure that personal data in BigQuery can be anonymized for analytics while still allowing joins on pseudonymized identifiers. Which THREE services or features should they consider? (Choose 3)
45. A company is using Assured Workloads with the FEDRAMP_HIGH regime. They need to restrict where resources can be created and monitor for compliance violations. Which TWO settings should they configure? (Choose 2)
46. A healthcare organization is migrating workloads to Google Cloud and needs to process Protected Health Information (PHI) under HIPAA. Which step is required before storing PHI in any GCP service?
47. A financial institution is required to retain records of all transactions for 7 years under regulatory compliance. They are using Cloud Storage for archive data and need to ensure that objects cannot be deleted or overwritten during the retention period. Which feature should they use?
48. A company is deploying a PCI DSS-compliant application on Google Cloud. They need to ensure that the Cardholder Data Environment (CDE) is isolated from other resources and that only authorized services can communicate with it. Which combination of controls should they implement?
49. A company subject to GDPR receives a request from a data subject to delete all personal data from BigQuery audit logs. The logs contain query execution details with user identifiers. How can the company comply with the right to erasure (right to be forgotten)?
50. A company using Google Cloud wants to conduct a penetration test on their infrastructure. According to Google's acceptable use policy, what must they do before testing?
51. A company handles Controlled Unclassified Information (CUI) and needs to deploy a workload that complies with ITAR (International Traffic in Arms Regulations). They plan to use Assured Workloads. Which compliance regime should they select when creating the Assured Workloads folder?
52. A company is using BigQuery to store analytics data and wants to ensure that data is retained for exactly 365 days after ingestion, then automatically deleted. How can they achieve this with minimal operational overhead?
53. A company needs to store audit logs for a minimum of 5 years to meet compliance requirements. Cloud Logging retains logs for 30 days by default. Which approach should they take?
54. A company has deployed an application in Assured Workloads with the FEDRAMP_HIGH compliance regime. They need to ensure that Google Cloud personnel cannot access their data. Which additional control should they enable?
55. A company wants to ensure that data stored in Cloud Storage is encrypted at rest using keys that they generate and manage on-premises. Which encryption method should they use?
56. A company is subject to PCI DSS and needs to protect a web application that processes credit card data. They want to block common web attacks such as SQL injection and cross-site scripting (XSS). Which Google Cloud service should they use?
57. A company is using Assured Workloads to meet EU data residency requirements (EU_REGIONS_AND_SUPPORT). They want to monitor compliance drift when changes are made to the environment. Which service should they use?
58. A company needs to implement data pseudonymisation to comply with GDPR. They are using BigQuery for analytics. Which TWO services can help them pseudonymise data in transit before it enters BigQuery?
59. A company is deploying a workload that must comply with FedRAMP High. They are using Assured Workloads. Which THREE controls are automatically enabled when they select the FEDRAMP_HIGH regime?
60. A company is implementing PCI DSS compliance on Google Cloud. They need to ensure that cardholder data is encrypted in transit and at rest. Which TWO encryption controls are required by PCI DSS?
61. A healthcare organization is migrating PHI workloads to Google Cloud and needs to encrypt data at rest with keys that are generated and managed within their own on-premises hardware security module (HSM). Which encryption approach should they use?
62. A company needs to retain critical financial records for 7 years to comply with SEC regulations. They choose to store the records in Cloud Storage. Which feature should they enable to ensure the records cannot be deleted or overwritten before the retention period expires?
63. A multinational company is using Assured Workloads to meet EU_Regions_and_Support compliance. They need to ensure that only EU-based Google personnel can access the customer's data for support purposes. Which configuration should they enable?
64. A financial institution is deploying a PCI DSS-compliant cardholder data environment (CDE) on Google Cloud. They need to segment the CDE from other environments and restrict data egress from the CDE. Which two services should they use together? (Choose the best combination.)
65. An organization wants to run a penetration test on their Google Cloud environment to validate security controls. According to Google's Acceptable Use Policy, which of the following is true regarding penetration testing?
66. A company that stores protected health information (PHI) in Google Cloud wants to run a BigQuery query to identify and classify sensitive data such as patient names and social security numbers. Which Google Cloud service should they use?
67. An organization subject to GDPR receives a data subject request for erasure ('right to be forgotten'). The data subject's information is stored in BigQuery audit logs. What is the implication for the audit logs, and what should the organization do?
68. A company using Assured Workloads with the FedRAMP High compliance regime wants to monitor for configuration changes that could cause the environment to become non-compliant. Which tool should they use to detect compliance drift?
69. A company is implementing a HIPAA-compliant environment on Google Cloud. They need to ensure that all access to protected health information (PHI) is logged and monitored. Which TWO steps should they take? (Choose two.)
70. A company subject to PCI DSS is building a cardholder data environment (CDE) on Google Cloud. They need to encrypt cardholder data at rest and in transit. Which THREE measures should they implement? (Choose three.)
71. A company uses Assured Workloads with the FEDRAMP_HIGH regime. They want to enforce resource location restrictions and restrict Google personnel access. Which TWO capabilities should they enable? (Choose two.)
72. A company needs to comply with GDPR requirements for data subject rights. They must be able to provide data subjects with access to their personal data and rectify inaccuracies. Which TWO Google Cloud services can assist with these requirements? (Choose two.)
73. A company is implementing a data retention policy to comply with regulatory requirements. They need to retain certain BigQuery data for 7 years and ensure it cannot be deleted before the retention period ends. Which THREE steps should they take? (Choose three.)
74. A company is designing a PCI DSS-compliant architecture on Google Cloud. They need to ensure that the cardholder data environment (CDE) is isolated from other environments and that all access to the CDE is logged. Which THREE controls should they implement? (Choose three.)
75. A company is subject to SOC 2 compliance and wants to demonstrate that they have implemented proper access controls on Google Cloud. Which TWO IAM best practices should they follow? (Choose two.)
The Supporting Compliance Requirements domain covers the key concepts tested in this area of the PCSE exam blueprint published by Google Cloud. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCSE domains — no account required.
The Courseiva PCSE question bank contains 75 questions in the Supporting Compliance Requirements domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Supporting Compliance Requirements domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.