📋 Ensuring Compliance - PCSE Practice Questions

Implement compliance controls, Assured Workloads, audit frameworks, and regulatory requirements.

10 Questions Available
1 Exam Domain


PCSE Compliance Question Bank (10 Questions)

Browse all 10 practice questions covering Ensuring Compliance for the PCSE certification exam. Each question includes the full answer and a detailed explanation to help you understand the concepts.

  1. Question 1 (Ensuring Compliance)

    Which Google Cloud tool provides pre-configured compliance workloads for frameworks like FedRAMP, HIPAA, and PCI DSS?

    A. Cloud Console
    B. Assured Workloads
    C. Compliance Reports Manager
    D. Security Command Center
    Correct Answer: B
    Explanation:

    Assured Workloads creates compliance-controlled environments with pre-configured settings (data residency, personnel controls, encryption) aligned to specific regulatory frameworks.

  2. Question 2 (Managing Security Operations)

    How do you ensure comprehensive audit logging for compliance in GCP?

    A. Logging is automatic and complete
    B. Enable Data Access audit logs (disabled by default), export to BigQuery/SIEM for analysis, set up log-based alerts, and use Access Transparency for Google admin access visibility
    C. Only Admin Activity logs matter
    D. Use third-party logging only
    Correct Answer: B
    Explanation:

    Audit logs: Admin Activity (always on — resource creation/deletion/modification), Data Access (off by default — reads, must enable explicitly — can be high volume), System Event (Google-initiated). Export: org-level log sink → BigQuery (analysis), Cloud Storage (archive), SIEM (real-time). Access Transparency: see when Google support accesses your resources. Access Approval: require your approval for Google access.

  3. Question 3 (Ensuring Compliance)

    How do you run regulated workloads (FedRAMP, HIPAA) on Google Cloud?

    A. Any GCP project is compliant
    B. Assured Workloads — creates a compliance-controlled environment with automatic enforcement of data residency, encryption, personnel access controls, and service restrictions for specific compliance frameworks
    C. Use a separate GCP account
    D. Compliance is not Google's responsibility
    Correct Answer: B
    Explanation:

    Assured Workloads: create folder with compliance controls. Frameworks: FedRAMP High/Moderate, HIPAA, ITAR, CJIS, IL4/IL5. Controls: data residency (restrict regions), CMEK enforcement, Access Approval required, service restrictions (only compliant services allowed), org policies auto-applied. Monitoring: SCC compliance dashboard. Shared responsibility: Google provides infrastructure compliance, you configure workload compliance.

  4. Question 4 (Ensuring Compliance)

    How do you configure audit logging for SOX compliance?

    A. Default logging is sufficient
    B. Enable Data Access logs for all services, export to immutable storage (locked GCS bucket), retain for the required period, and implement alerts for privileged access to financial systems
    C. Only log admin actions
    D. SOX doesn't require logging
    Correct Answer: B
    Explanation:

    SOX logging: 1) Enable Data Access audit logs (reads/writes to financial data). 2) Org-level log sink → GCS bucket with retention lock (immutable — cannot be deleted during retention period). 3) BigQuery for analysis (who accessed financial data, when, what). 4) Alert: privileged access to financial systems, role changes on financial projects. 5) Access Transparency: Google access to financial data. 6) Retain: per SOX requirements (typically 7 years).

  5. Question 5 (Ensuring Compliance)

    How do you prepare for a compliance audit of your GCP environment?

    A. Export all logs right before the audit
    B. Maintain continuous compliance: SCC compliance reports, immutable audit logs (retention-locked GCS), access reviews (IAM Recommender), and documented security controls mapping to framework requirements
    C. Let auditors access your GCP console
    D. Audits are Google's responsibility
    Correct Answer: B
    Explanation:

    Audit preparation: 1) Continuous compliance: SCC reports (CIS, NIST, PCI — always current). 2) Evidence: audit logs in retention-locked GCS (immutable), BigQuery for analysis. 3) Access reviews: IAM Recommender findings, PAM usage reports. 4) Control mapping: document how GCP controls map to compliance framework requirements. 5) Architecture: diagrams, data flow maps. 6) Testing: regular control testing results. 7) Remediation: tracking of open findings.

  6. Question 6 (Ensuring Compliance)

    How do you implement HIPAA compliance for healthcare applications on GCP?

    A. Use any GCP service
    B. Sign a BAA with Google, use only HIPAA-eligible services, encrypt PHI with CMEK, enable audit logging, implement access controls, and use VPC-SC to protect data boundaries
    C. HIPAA only applies to on-premises
    D. Encryption alone satisfies HIPAA
    Correct Answer: B
    Explanation:

    HIPAA on GCP: 1) BAA: Business Associate Agreement with Google (required). 2) Eligible services: only use services covered under BAA (BigQuery, GCS, Cloud SQL, GKE, etc.). 3) Encryption: CMEK for PHI. 4) Access: IAM least privilege, MFA. 5) Audit: Data Access logs enabled, immutable export. 6) VPC-SC: protect PHI data boundaries. 7) DLP: scan for PHI exposure. 8) Backup: PITR, cross-region for DR. 9) Training: workforce HIPAA training.

  7. Question 7 (Ensuring Data Protection)

    How do you implement immutable storage for regulatory compliance?

    A. Regular GCS buckets are sufficient
    B. Cloud Storage retention policies with bucket lock — once locked, objects cannot be deleted or overwritten until the retention period expires, even by project owners or Google
    C. Use versioning only
    D. Store on-premises for immutability
    Correct Answer: B
    Explanation:

    Immutable storage: 1) Retention policy: minimum retention period (e.g., 7 years). Objects can't be deleted until period expires. 2) Bucket lock: permanently lock the retention policy (cannot be reduced or removed — even by org admin). 3) Object hold: event-based or temporary hold on individual objects. Use: regulatory compliance (SEC 17a-4, HIPAA), audit logs, legal hold. Warning: bucket lock is PERMANENT — test thoroughly before locking.

  8. Question 8 (Ensuring Compliance)

    What is GCP's approach to regulatory compliance?

    A. No compliance support
    B. Comprehensive compliance program: 100+ certifications (ISO 27001, SOC 2, PCI DSS, HIPAA, FedRAMP), Compliance Reports Manager, Assured Workloads, and transparency reports
    C. Only SOC 2
    D. Only for government
    Correct Answer: B
    Explanation:

    GCP compliance: ISO 27001/27017/27018, SOC 1/2/3, PCI DSS, HIPAA (BAA available), FedRAMP (High), GDPR, CCPA, and industry-specific (HITRUST, CJIS). Tools: Compliance Reports Manager (download audit reports), Assured Workloads (automated compliance controls), Access Transparency (Google access logs), and Security Command Center (compliance dashboards — CIS, PCI DSS, NIST). Customer responsibility: shared responsibility model applies.

  9. Question 9 (Ensuring Compliance)

    How do you implement data privacy controls for GDPR compliance on GCP?

    A. Google handles GDPR compliance
    B. DLP for PII discovery, Cloud KMS for encryption, data residency controls (EU region), access logging, right to erasure via DML, and a Data Processing Addendum with Google
    C. Only encrypt data
    D. GDPR doesn't apply to cloud
    Correct Answer: B
    Explanation:

    GDPR on GCP: 1) DPA: Google Data Processing Addendum (legal). 2) Data residency: EU regions only (org policy + regional resources). 3) PII discovery: Cloud DLP scan. 4) Encryption: CMEK for control. 5) Access: IAM + VPC-SC + audit logs. 6) Right to erasure: BigQuery DML DELETE, GCS object deletion. 7) Data portability: BigQuery export, GCS download. 8) Breach notification: SCC + alerting. 9) Privacy by design: minimize data collection.

  10. Question 10 (Ensuring Compliance)

    How does Google Cloud demonstrate compliance with SOC 2, ISO 27001, and PCI DSS?

    A. Customer must verify everything independently
    B. Third-party audit reports available through Compliance Reports Manager
    C. Compliance is not available
    D. Google provides a self-assessment only
    Correct Answer: B
    Explanation:

    Google Cloud undergoes regular third-party audits. Compliance Reports Manager (in Cloud Console) provides access to SOC 2/3, ISO 27001, PCI DSS, and other audit reports.

Key Compliance Concepts for PCSE

compliance, Assured Workloads, audit, HIPAA, PCI, GDPR, regulatory

PCSE Compliance Exam Tips

Ensuring Compliance questions in PCSE are typically scenario-based. Focus on service-level decision making aligned to the official exam objectives. Priority concepts: compliance, Assured Workloads, audit, HIPAA, PCI, GDPR.

What PCSE Expects

  • Anchor your answer in selecting the most practical, secure, and scalable option for the stated scenario.
  • Compliance scenarios for PCSE are frequently mapped to Domain 5 (~20%), so read the objective carefully before picking controls or architecture.
  • Expect multi-service scenarios where Compliance interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated service question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Professional) and managed-service best practices.

High-Value Compliance Concepts

  • Know the core Compliance building blocks cold: compliance, Assured Workloads, audit, HIPAA.
  • Review the edge-case features and limits for PCI and GDPR; these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how Compliance pairs with Data Protection and Security Operations in real deployment patterns.
  • For PCSE, explain why the chosen Compliance design meets reliability, security, and cost expectations better than the alternatives.

Common PCSE Traps

  • Watch for answers that partially solve the requirement but miss operational constraints.
  • Questions in Compliance often include distractors that look correct for Compliance but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two Compliance implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Compliance (~20%) outcomes for PCSE?
  • Can you explain security and access boundaries for Compliance without relying on default-open assumptions?
  • Can you describe how Compliance integrates with Data Protection and Security Operations during failure, scaling, and monitoring events?
