Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Free Resources

Difficulty IndexLearn — Free ChaptersIT GlossaryFree Tools & LabsStudy GuidesCareer RoadmapsBrowse by VendorCisco Command ReferenceCCNA Scenarios

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

← Ensuring Data Protection practice sets

PCSE Ensuring Data Protection • Complete Question Bank

PCSE Ensuring Data Protection — All Questions With Answers

Complete PCSE Ensuring Data Protection question bank — all 0 questions with answers and detailed explanations.

100
Questions
Free
No signup
Certifications/PCSE/Practice Test/Ensuring Data Protection/All Questions
Question 1easymultiple choice
Read the full Ensuring Data Protection explanation →

A security engineer needs to ensure that all customer data stored in Cloud Storage is encrypted at rest using keys that the organization manages and rotates themselves. Which encryption option should they use?

Question 2mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company uses Cloud KMS with a key purpose of ENCRYPT_DECRYPT. They need to rotate the key automatically every 30 days. What must they configure?

Question 3easymultiple choice
Read the full Ensuring Data Protection explanation →

Which Google Cloud service provides near-real-time logs when Google administrators access your customer content?

Question 4mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company stores API keys in Secret Manager. They want to automatically rotate the secret every 60 days and have a Cloud Function triggered after each rotation to update dependent services. What is the correct approach?

Question 5hardmultiple choice
Read the full Ensuring Data Protection explanation →

A company has a Cloud Storage bucket containing CSV files with sensitive data. They want to use Cloud DLP to scan the files for personally identifiable information (PII) and automatically redact (replace) any detected credit card numbers before the data is used by downstream analytics. What type of job should they create?

Question 6mediummultiple choice
Read the full Ensuring Data Protection explanation →

An organization needs to enforce that all new Cloud Storage buckets are created only in the europe-west1 region to meet data residency requirements. Which method should they use?

Question 7hardmultiple choice
Read the full Ensuring Data Protection explanation →

A financial services company uses BigQuery for analytics and needs to implement column-level security such that users with the role 'data_scientist' can see the last four digits of credit card numbers, while the full number is visible only to 'data_owner'. What approach should they use?

Question 8mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company wants to use Cloud KMS with a key that is protected by a Hardware Security Module (HSM) and meets FIPS 140-2 Level 3. Which key type should they create in Cloud KMS?

Question 9easymultiple choice
Read the full Ensuring Data Protection explanation →

What is the purpose of the Cloud DLP InfoType detector CREDIT_CARD_NUMBER?

Question 10mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company uses Customer-Supplied Encryption Keys (CSEK) for Compute Engine persistent disks. They want to ensure that Google does not store the key material. What must they do?

Question 11hardmultiple choice
Read the full Ensuring Data Protection explanation →

An engineer needs to destroy a Cloud KMS key immediately due to a security incident. They disable the key and then schedule destruction. What is the default waiting period before the key is permanently destroyed?

Question 12mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company uses Assured Workloads to meet FedRAMP High compliance in the US. They need to ensure that data cannot be moved outside the US region. Which control should they use?

Question 13mediummulti select
Read the full Ensuring Data Protection explanation →

A security engineer wants to ensure that sensitive data in BigQuery is masked for analysts but visible in full to data stewards. Which two components must be used together? (Choose TWO.)

Question 14hardmulti select
Read the full Ensuring Data Protection explanation →

A company wants to implement automatic de-identification of sensitive data stored in Cloud Storage using Cloud DLP. They need to scan new objects as they are uploaded and apply a transformation to remove credit card numbers. Which three resources must they create? (Choose THREE.)

Question 15easymulti select
Read the full Ensuring Data Protection explanation →

Which two statements correctly describe Cloud KMS key versions? (Choose TWO.)

Question 16mediummultiple choice
Read the full Ensuring Data Protection explanation →

An organization wants to encrypt data at rest using customer-managed keys on Compute Engine persistent disks. They need to provide the key material with each API call, and Google should never store the key. Which encryption approach should they use?

Question 17easymultiple choice
Read the full Ensuring Data Protection explanation →

A security engineer wants to automatically rotate a database password stored in Secret Manager every 30 days. The new password should be generated and stored in Secret Manager without manual intervention. Which approach meets these requirements?

Question 18mediummultiple choice
Read the full Ensuring Data Protection explanation →

A healthcare company stores patient data in BigQuery and needs to mask sensitive columns like SSN and email for analysts who do not need to see the actual values. They want to apply consistent masking across queries without modifying the underlying data. Which feature should they use?

Question 19hardmultiple choice
Read the full Ensuring Data Protection explanation →

A company uses Cloud KMS with an HSM key for encryption of sensitive data. The compliance team requires that the key material never leaves the HSM boundary. They plan to use the key for symmetric encryption/decryption. Which key purpose should they specify when creating the key?

Question 20easymultiple choice
Read the full Ensuring Data Protection explanation →

A data engineer needs to scan a Cloud Storage bucket for personally identifiable information (PII) such as credit card numbers and social security numbers. The scanning must be performed on a schedule (every week). Which GCP service and resource should they use?

Question 21mediummultiple choice
Read the full Ensuring Data Protection explanation →

A financial institution is required to store customer transaction data within the European Union to comply with GDPR data residency requirements. They want to prevent users from creating resources in any region outside the EU. Which organization policy constraint should they use?

Question 22mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company uses Cloud KMS with automatic rotation enabled for a symmetric key. The rotation period is set to 90 days. After 90 days, a new key version is created. The compliance team asks: what happens to data encrypted with the old key version?

Question 23hardmultiple choice
Read the full Ensuring Data Protection explanation →

A security administrator wants to receive near-real-time logs whenever a Google Cloud support engineer accesses their customer content. Which GCP service provides this capability?

Question 24mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company uses Cloud DLP to de-identify a dataset containing customer phone numbers. They need to replace each phone number with a consistently masked value that preserves the format (e.g., XXX-XXX-1234) but cannot be reversed. Which de-identification transform should they use?

Question 25easymultiple choice
Read the full Ensuring Data Protection explanation →

An organization wants to use a FIPS 140-2 Level 3 validated hardware security module (HSM) to protect encryption keys in Cloud KMS. Which key protection level should they choose when creating a key ring?

Question 26hardmultiple choice
Read the full Ensuring Data Protection explanation →

A security engineer accidentally deleted a Cloud KMS key version. The key version is in the state DESTROY_SCHEDULED. How long does the engineer have to cancel the destruction before the key material is permanently destroyed?

Question 27mediummultiple choice
Read the full Ensuring Data Protection explanation →

A data scientist needs to access a secret stored in Secret Manager from a Compute Engine VM. The VM has the default service account attached. Which IAM role should be granted to the service account to allow reading the secret?

Question 28mediummulti select
Read the full Ensuring Data Protection explanation →

A company needs to enforce that all data stored in Cloud Storage and BigQuery is encrypted with customer-managed keys (CMEK). Which TWO actions should they take? (Choose two.)

Question 29hardmulti select
Read the full Ensuring Data Protection explanation →

A company uses Cloud DLP to inspect BigQuery tables for sensitive data. They want to automatically de-identify the data before loading it into another BigQuery dataset for analysis. Which THREE components must be configured? (Choose three.)

Question 30mediummulti select
Read the full Ensuring Data Protection explanation →

A company needs to meet the EU data boundary requirements for Assured Workloads, ensuring that data processing and storage remain within the European Union. Which TWO configurations are required? (Choose two.)

Question 31easymultiple choice
Read the full Ensuring Data Protection explanation →

A company wants to encrypt data at rest in Cloud Storage using a key that they manage and rotate periodically. They also need to ensure that the key material is stored in a FIPS 140-2 Level 3 validated HSM. Which encryption option should they use?

Question 32mediummultiple choice
Read the full Ensuring Data Protection explanation →

A security engineer needs to store database credentials and API keys securely in GCP. The solution must support automatic rotation of secrets at a defined schedule and trigger a Cloud Function after each rotation to update dependent applications. Which service should they use?

Question 33hardmultiple choice
Read the full Ensuring Data Protection explanation →

A company uses Cloud DLP to scan a BigQuery table containing customer data. They want to de-identify credit card numbers so that the first 12 digits are masked with 'X' and the last 4 digits remain visible. Which de-identification transform should they use?

Question 34easymultiple choice
Read the full Ensuring Data Protection explanation →

A security engineer needs to enforce that all new Compute Engine disks are created in a specific geographic region to meet data residency requirements. Which organization policy constraint should they use?

Question 35mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company uses Cloud KMS with a key purpose of ENCRYPT_DECRYPT. They want to rotate the key automatically every 90 days. What must the security engineer configure to achieve this?

Question 36hardmultiple choice
Read the full Ensuring Data Protection explanation →

A company uses CMEK with Cloud HSM to encrypt a BigQuery table. The security engineer accidentally deleted the key in Cloud KMS. The key is now in a 'pending destruction' state with a grace period of 24 hours. Which action should the engineer take to restore the key and avoid data loss?

Question 37mediummultiple choice
Read the full Ensuring Data Protection explanation →

A security engineer needs to ensure that sensitive columns in BigQuery are automatically masked for certain users. For example, the email column should show only the domain for users with a specific role. Which two services must be configured together?

Question 38mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company needs to store sensitive API keys in Secret Manager and ensure that only a specific service account can access the latest version of a secret. Which IAM permission is required for the service account to read the secret value?

Question 39hardmultiple choice
Read the full Ensuring Data Protection explanation →

A company wants to use Cloud DLP to inspect Cloud Storage buckets for phone numbers that match a custom pattern (e.g., +1-XXX-XXX-XXXX). The pattern is not covered by built-in infoTypes. How should the engineer configure the DLP job?

Question 40easymultiple choice
Read the full Ensuring Data Protection explanation →

A security engineer needs to view logs of Google Cloud support engineers accessing their data to meet compliance requirements. Which GCP feature should they enable?

Question 41mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company wants to enforce that all BigQuery datasets are created in the 'US' multi-region to comply with data residency policies. Which organization policy constraint can achieve this?

Question 42hardmultiple choice
Read the full Ensuring Data Protection explanation →

A company uses Customer-Supplied Encryption Keys (CSEK) for Compute Engine persistent disks. They want to rotate the key used for an existing disk without recreating the disk. What must the engineer do?

Question 43mediummulti select
Read the full Ensuring Data Protection explanation →

A security engineer needs to implement de-identification of sensitive data in a Cloud Storage bucket using Cloud DLP. They want to inspect the data for credit card numbers and then replace them with a tokenized value that preserves the format for downstream processing. Which TWO actions should they take? (Choose two.)

Question 44hardmulti select
Read the full Ensuring Data Protection explanation →

A company must comply with regulatory requirements that restrict data access by Google Cloud support and engineering staff. They need to log all Google admin access to their data and also require explicit approval before access is granted. Which TWO features should they combine? (Choose two.)

Question 45mediummulti select
Read the full Ensuring Data Protection explanation →

A company wants to use Cloud KMS to encrypt data in Cloud Storage with a key that is automatically rotated every 30 days. They also want to ensure that the key material is stored in a HSM. Which TWO resources must they create? (Choose two.)

Question 46mediummultiple choice
Read the full Ensuring Data Protection explanation →

A security engineer wants to encrypt data at rest in Cloud Storage using a key that Google manages but the customer can control the key material. They need to rotate the key automatically every 90 days. Which encryption option should they choose?

Question 47easymultiple choice
Read the full Ensuring Data Protection explanation →

An organization needs to store API keys and database credentials in a central, auditable service with versioning and IAM access control. Which GCP service should they use?

Question 48mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company uses Cloud DLP to scan a BigQuery table for sensitive data. They want to automatically mask credit card numbers in query results for users who are not data stewards. Which approach should they use?

Question 49hardmultiple choice
Read the full Ensuring Data Protection explanation →

A financial institution must store data in specific EU regions to comply with GDPR. They want to prevent users from creating resources in other regions. Which organization policy should they set?

Question 50mediummultiple choice
Read the full Ensuring Data Protection explanation →

A security engineer needs to audit all administrative actions performed by Google support engineers on their GCP project. Which service provides near-real-time logs of such access?

Question 51easymultiple choice
Read the full Ensuring Data Protection explanation →

Which Cloud KMS key purpose should be used to encrypt and decrypt data directly?

Question 52mediummultiple choice
Read the full Ensuring Data Protection explanation →

An engineer needs to schedule automatic rotation of a symmetric key in Cloud KMS every 30 days. The key is currently enabled. What should they do?

Question 53hardmultiple choice
Read the full Ensuring Data Protection explanation →

A company uses Cloud HSM to protect their cryptographic keys. They need to ensure that the key material never leaves the HSM. Which key purpose is supported by Cloud HSM keys?

Question 54easymultiple choice
Read the full Ensuring Data Protection explanation →

A data engineer wants to use Cloud DLP to scan a Cloud Storage bucket for personally identifiable information (PII). Which resource should they create to run this scan?

Question 55mediummultiple choice
Read the full Ensuring Data Protection explanation →

An organization needs to de-identify a BigQuery column containing US Social Security Numbers (SSNs) by replacing them with a consistent token that can be reversed if needed. Which Cloud DLP de-identification transform should they use?

Question 56hardmultiple choice
Read the full Ensuring Data Protection explanation →

A security team wants to automatically rotate a database password stored in Secret Manager every 60 days and notify the operations team when a new version is created. Which approach should they use?

Question 57easymultiple choice
Read the full Ensuring Data Protection explanation →

What is the default grace period before Cloud KMS permanently destroys a key version that has been scheduled for destruction?

Question 58mediummulti select
Read the full Ensuring Data Protection explanation →

A company is subject to ITAR regulations and needs to ensure that all data stored in GCP remains within the United States. They also require FIPS 140-2 Level 3 validation for encryption keys. Which two services should they use together to meet these requirements? (Choose 2)

Question 59hardmulti select
Read the full Ensuring Data Protection explanation →

A security engineer needs to enforce column-level masking on a BigQuery table such that: (1) users with role 'data_analyst' see masked values, (2) users with role 'data_scientist' see plaintext values, and (3) the masking is applied automatically without modifying the underlying table. Which three components must they configure? (Choose 3)

Question 60mediummulti select
Read the full Ensuring Data Protection explanation →

An organization stores sensitive data in Cloud Storage and wants to use Cloud DLP to automatically scan new objects for PII as they are uploaded. Which two resources are needed? (Choose 2)

Question 61mediummultiple choice
Read the full Ensuring Data Protection explanation →

An organization wants to ensure that all new resources created in Google Cloud are restricted to a specific set of regions to meet data residency requirements. Which policy should they use?

Question 62easymultiple choice
Read the full Ensuring Data Protection explanation →

A security engineer needs to automatically rotate a database password stored in Secret Manager every 60 days. Which approach meets this requirement with minimal operational overhead?

Question 63hardmultiple choice
Read the full Ensuring Data Protection explanation →

A financial services company must encrypt data at rest in Cloud Storage using keys that are generated and stored on-premises, and Google must never have access to the key material. Which encryption approach should they use?

Question 64mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company is using Cloud DLP to inspect a BigQuery table containing customer PII. They want to redact all credit card numbers found in a column by replacing them with a token that preserves the format (e.g., last 4 digits visible). Which de-identification transform should they use?

Question 65easymultiple choice
Read the full Ensuring Data Protection explanation →

An organization needs to store API keys for external services. Which Google Cloud service is designed for secure storage of secrets such as API keys, passwords, and certificates?

Question 66mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company wants to enforce that all Compute Engine disk encryption uses keys managed by their own HSM on-premises, with keys provided per API call. Which encryption type should they choose when creating a persistent disk?

Question 67hardmultiple choice
Read the full Ensuring Data Protection explanation →

A security engineer notices that a Cloud KMS key was accidentally deleted. The key had a pending destruction period of 24 hours. What is the maximum time window to recover the key after the deletion request?

Question 68mediummultiple choice
Read the full Ensuring Data Protection explanation →

An organization needs to audit when Google administrators access their customer content stored in GCP. Which service provides near-real-time logs of such access?

Question 69easymultiple choice
Read the full Ensuring Data Protection explanation →

A data engineer wants to classify columns in BigQuery containing sensitive data like email addresses and apply data masking so that users see only masked values (e.g., 'j***@example.com'). Which feature should they use?

Question 70mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company using Cloud KMS wants to automatically rotate a symmetric encryption key every 90 days. What is the correct way to configure this?

Question 71hardmultiple choice
Read the full Ensuring Data Protection explanation →

A healthcare organization uses Cloud DLP to scan a Cloud Storage bucket containing medical records. They want to inspect for sensitive data such as patient names and SSNs, but only on new objects added after a certain date. Which DLP configuration should they use?

Question 72mediummultiple choice
Read the full Ensuring Data Protection explanation →

An organization needs to store cryptographic keys that must be protected in a FIPS 140-2 Level 3 validated hardware security module (HSM). Which Google Cloud service should they use?

Question 73mediummulti select
Read the full Ensuring Data Protection explanation →

A company needs to enforce data residency in the European Union for all GCP resources. Which TWO actions should they take? (Choose two.)

Question 74hardmulti select
Read the full Ensuring Data Protection explanation →

A security team wants to ensure that a Cloud KMS key is rotated automatically every 30 days and that previous key versions are available for decryption for at least 6 months. Which THREE steps should they take? (Choose three.)

Question 75mediummulti select
Read the full Ensuring Data Protection explanation →

A company wants to use Cloud DLP to de-identify sensitive data in a BigQuery table. They need to replace credit card numbers with a token that preserves the format and also mask email addresses by showing only the first character. Which TWO de-identification transforms should they use? (Choose two.)

Question 76easymultiple choice
Read the full Ensuring Data Protection explanation →

A security engineer needs to ensure that all customer data stored in Cloud Storage is encrypted using keys that they manage and rotate on a schedule they control. The keys must be stored in a FIPS 140-2 Level 3 validated HSM. Which encryption approach should they use?

Question 77mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company uses BigQuery to store sensitive customer data. They want to restrict access to certain columns (e.g., email and SSN) so that only authorized users see the actual values, while other users see a masked version. Which approach should they use?

Question 78hardmultiple choice
Read the full Ensuring Data Protection explanation →

An organization needs to store API keys and database credentials in a secure, centralized service that supports automatic rotation and integrates with Cloud Functions. The solution must provide fine-grained access control at the secret version level. Which service should they use?

Question 79mediummultiple choice
Read the full Ensuring Data Protection explanation →

A healthcare organization must ensure that Protected Health Information (PHI) stored in Cloud Storage buckets is not inadvertently shared. They want to automatically scan all new objects added to the bucket for sensitive data and log findings. Which approach should they use?

Question 80mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company wants to enforce that all new Cloud Storage buckets are created in only the europe-west1 region. Which organization policy constraint should they use?

Question 81easymultiple choice
Read the full Ensuring Data Protection explanation →

What is the purpose of Cloud HSM?

Question 82hardmultiple choice
Read the full Ensuring Data Protection explanation →

A security engineer wants to enable Access Transparency for their organization. After enabling it in the Admin Console, they notice that some access logs are missing. What is the most likely reason?

Question 83mediummultiple choice
Read the full Ensuring Data Protection explanation →

An engineer needs to configure automatic key rotation for a symmetric encryption key in Cloud KMS. They have set the rotation period to 90 days. What happens to the old key material after rotation?

Question 84easymultiple choice
Read the full Ensuring Data Protection explanation →

Which Cloud DLP transform should be used to replace sensitive data with a token that preserves the format and length of the original data for reversible de-identification?

Question 85mediummultiple choice
Read the full Ensuring Data Protection explanation →

After deleting a Cloud KMS key version, an engineer receives an error when trying to decrypt data that was encrypted with that key version. The key version was deleted 12 hours ago. What is the most likely cause?

Question 86hardmultiple choice
Read the full Ensuring Data Protection explanation →

A company uses Cloud DLP to inspect BigQuery tables for sensitive data. They want to automatically de-identify the data as it is inserted into a new table using a DLP de-identification template. Which approach should they use?

Question 87mediummultiple choice
Read the full Ensuring Data Protection explanation →

An organization needs to comply with ITAR regulations. They want to ensure that all data processed by their GCP resources remains within the United States. Which service should they use?

Question 88mediummulti select
Read the full Ensuring Data Protection explanation →

A company wants to automatically rotate secrets stored in Secret Manager every 30 days. They have set up a Pub/Sub topic and a Cloud Function to perform the rotation. Which TWO actions are required to complete the configuration? (Choose two.)

Question 89hardmulti select
Read the full Ensuring Data Protection explanation →

A security engineer is designing a data residency strategy for a healthcare organization that must keep all data within the European Union. They plan to use Assured Workloads to meet this requirement. Which THREE additional controls should they implement to further enforce data residency and protect data? (Choose three.)

Question 90mediummulti select
Read the full Ensuring Data Protection explanation →

A company is using Cloud KMS with software keys for encryption. They want to increase security by using an HSM backend without changing their existing key rings or key names. Which TWO steps should they take? (Choose two.)

Question 91easymultiple choice
Read the full Ensuring Data Protection explanation →

A security engineer needs to ensure that all data stored in Cloud Storage buckets and BigQuery tables is encrypted at rest using keys that the organization generates and manages on-premises. The keys must not be stored by Google. Which key management approach should they use?

Question 92mediummultiple choice
Read the full Ensuring Data Protection explanation →

A company uses Cloud KMS to manage encryption keys for data at rest. They want to automatically rotate a symmetric key every 90 days. The key is used to encrypt Cloud Storage objects and BigQuery tables. What is the correct approach to achieve automatic rotation?

Question 93hardmultiple choice
Read the full Ensuring Data Protection explanation →

An organization stores sensitive customer data in BigQuery tables. They need to enforce column-level security such that users in the 'support' group see a masked version of email addresses (e.g., j***@example.com), while managers see the full email. Which approach should they use?

Question 94mediummulti select
Read the full Ensuring Data Protection explanation →

A company must store API keys and database credentials securely in Google Cloud. They need automatic rotation of these secrets every 30 days, with notifications sent to a security team after each rotation. Which services should they use? (Choose TWO).

Question 95mediummulti select
Read the full Ensuring Data Protection explanation →

A company is deploying a multi-region application that must store data only within the European Union to comply with GDPR data residency requirements. They also need to ensure that Google Cloud administrators cannot access customer content. Which two controls should they implement? (Choose TWO).

Question 96hardmulti select
Read the full Ensuring Data Protection explanation →

A company uses Cloud DLP to inspect data in Cloud Storage and BigQuery for sensitive information such as credit card numbers and social security numbers. They want to de-identify the data using format-preserving encryption (FPE) so that the masked data retains the same format (e.g., a 16-digit number still looks like a credit card number). Which two configurations should they use? (Choose TWO).

Question 97mediummulti select
Read the full Ensuring Data Protection explanation →

A company wants to use Cloud KMS to protect sensitive data. They have a requirement that the key material must be stored in a FIPS 140-2 Level 3 validated HSM. They also need to be able to create and use asymmetric keys for signing. Which two steps should they take? (Choose TWO).

Question 98easymulti select
Read the full Ensuring Data Protection explanation →

A company needs to detect and redact sensitive data such as email addresses and phone numbers from documents stored in Cloud Storage. They plan to use Cloud DLP. Which two resources must they create first? (Choose TWO).

Question 99hardmulti select
Read the full Ensuring Data Protection explanation →

A company is designing a key destruction process for Cloud KMS. They need to ensure that after a key is destroyed, the ciphertext encrypted with that key becomes permanently undecryptable. They also need to allow a 7-day recovery window in case of accidental destruction. Which three steps should they take? (Choose THREE).

Question 100mediummulti select
Read the full Ensuring Data Protection explanation →

A security team needs to monitor and log all Google Cloud administrator access to customer data stored in Cloud Storage and BigQuery. They want to receive near-real-time alerts when such access occurs. Which two services should they use together? (Choose TWO).

Practice tests

Scored 10-question sessions with instant feedback and explanations.

PCSE Practice Test 1 — 25 Questions→PCSE Practice Test 2 — 25 Questions→PCSE Practice Test 3 — 25 Questions→PCSE Practice Test 4 — 25 Questions→PCSE Practice Test 5 — 25 Questions→PCSE Practice Exam 1 — 20 Questions→PCSE Practice Exam 2 — 20 Questions→PCSE Practice Exam 3 — 20 Questions→PCSE Practice Exam 4 — 20 Questions→Free PCSE Practice Test 1 — 30 Questions→Free PCSE Practice Test 2 — 30 Questions→Free PCSE Practice Test 3 — 30 Questions→PCSE Practice Questions 1 — 50 Questions→PCSE Practice Questions 2 — 50 Questions→PCSE Exam Simulation 1 — 100 Questions→

Practice by domain

Each domain maps to a weighted exam section. Focus on the domain where you are weakest.

Configuring Access Within a Cloud Solution EnvironmentEnsuring Data ProtectionManaging Operations in a Cloud Solution EnvironmentConfiguring Network SecuritySupporting Compliance Requirements

Practice by scenario

Filter questions by type — troubleshooting, exhibit, drag-and-drop, PBQ, ACLs, OSPF, and more.

Browse scenarios→

Continue studying

All Ensuring Data Protection setsAll Ensuring Data Protection questionsPCSE Practice Hub