PCSE · topic practice

Ensuring Data Protection practice questions

Practise Google Professional Cloud Security Engineer Ensuring Data Protection practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Ensuring Data Protection

What the exam tests

What to know about Ensuring Data Protection

Ensuring Data Protection questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Ensuring Data Protection exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Ensuring Data Protection questions

20 questions · select your answer, then reveal the explanation

A security engineer needs to ensure that all customer data stored in Cloud Storage is encrypted at rest using keys that the organization manages and rotates themselves. Which encryption option should they use?

A company uses Cloud KMS with a key purpose of ENCRYPT_DECRYPT. They need to rotate the key automatically every 30 days. What must they configure?

Which Google Cloud service provides near-real-time logs when Google administrators access your customer content?

A company stores API keys in Secret Manager. They want to automatically rotate the secret every 60 days and have a Cloud Function triggered after each rotation to update dependent services. What is the correct approach?

A company has a Cloud Storage bucket containing CSV files with sensitive data. They want to use Cloud DLP to scan the files for personally identifiable information (PII) and automatically redact (replace) any detected credit card numbers before the data is used by downstream analytics. What type of job should they create?

An organization needs to enforce that all new Cloud Storage buckets are created only in the europe-west1 region to meet data residency requirements. Which method should they use?

A financial services company uses BigQuery for analytics and needs to implement column-level security such that users with the role 'data_scientist' can see the last four digits of credit card numbers, while the full number is visible only to 'data_owner'. What approach should they use?

A company wants to use Cloud KMS with a key that is protected by a Hardware Security Module (HSM) and meets FIPS 140-2 Level 3. Which key type should they create in Cloud KMS?

What is the purpose of the Cloud DLP InfoType detector CREDIT_CARD_NUMBER?

A company uses Customer-Supplied Encryption Keys (CSEK) for Compute Engine persistent disks. They want to ensure that Google does not store the key material. What must they do?

An engineer needs to destroy a Cloud KMS key immediately due to a security incident. They disable the key and then schedule destruction. What is the default waiting period before the key is permanently destroyed?

A company uses Assured Workloads to meet FedRAMP High compliance in the US. They need to ensure that data cannot be moved outside the US region. Which control should they use?

A security engineer wants to ensure that sensitive data in BigQuery is masked for analysts but visible in full to data stewards. Which two components must be used together? (Choose TWO.)

A company wants to implement automatic de-identification of sensitive data stored in Cloud Storage using Cloud DLP. They need to scan new objects as they are uploaded and apply a transformation to remove credit card numbers. Which three resources must they create? (Choose THREE.)

Which two statements correctly describe Cloud KMS key versions? (Choose TWO.)

An organization wants to encrypt data at rest using customer-managed keys on Compute Engine persistent disks. They need to provide the key material with each API call, and Google should never store the key. Which encryption approach should they use?

A security engineer wants to automatically rotate a database password stored in Secret Manager every 30 days. The new password should be generated and stored in Secret Manager without manual intervention. Which approach meets these requirements?

A healthcare company stores patient data in BigQuery and needs to mask sensitive columns like SSN and email for analysts who do not need to see the actual values. They want to apply consistent masking across queries without modifying the underlying data. Which feature should they use?

A company uses Cloud KMS with an HSM key for encryption of sensitive data. The compliance team requires that the key material never leaves the HSM boundary. They plan to use the key for symmetric encryption/decryption. Which key purpose should they specify when creating the key?

A data engineer needs to scan a Cloud Storage bucket for personally identifiable information (PII) such as credit card numbers and social security numbers. The scanning must be performed on a schedule (every week). Which GCP service and resource should they use?

Focused Ensuring Data Protection sessions

Start an Ensuring Data Protection-only practice session

Every question in these sessions is drawn from the Ensuring Data Protection domain — nothing else.

Related practice questions

Related PCSE topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the PCSE exam test about Ensuring Data Protection?
Ensuring Data Protection questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Ensuring Data Protection questions in a focused session?
Yes — the session launcher on this page draws every question from the Ensuring Data Protection domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other PCSE topics?
Use the topic links above to move to related areas, or go back to the PCSE question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the PCSE exam covers. They are not copied from any real exam or dump site.