GCP Professional Cloud Security Engineer Practice Question
A healthcare provider stores daily HL7 message archives in a Cloud Storage bucket and ingests selected fields into a BigQuery dataset for analytics. Compliance requires that all protected health information (PHI) be discovered and replaced with cryptographically generated tokens that can later be re-identified for patient care. Data engineers need fresh, de-identified data every night with minimal ongoing maintenance. Which solution best satisfies these requirements while aligning with HIPAA obligations?
Enable VPC Service Controls around the project, export the datasets to on-premises, run an open-source scrubbing script, then import the sanitized files back to BigQuery each morning.
Use Object Lifecycle Management to delete the original Cloud Storage archives after 24 hours and rely on default encryption; analysts query the remaining BigQuery tables directly.
Create an inspection template for common PHI infoTypes, pair it with a de-identification template that uses CryptoDeterministicConfig protected by Cloud KMS, and schedule a Cloud DLP job trigger to process the Cloud Storage bucket and BigQuery dataset nightly, writing the transformed output to a separate analytics project.
Apply BigQuery column-level security tags to every column that might contain PHI and grant analysts only the Data Viewer role on an authorized view of the original tables.
A Cloud DLP (Sensitive Data Protection) job trigger can automatically inspect both Cloud Storage objects and BigQuery tables on a schedule. By referencing an inspection template that uses the built-in PHI infoTypes and pairing it with a de-identification template that applies CryptoDeterministicConfig (or format-preserving encryption) with a wrapped Cloud KMS key, each PHI element is replaced by a consistent surrogate value. Because the key is retained in Cloud KMS, the process is reversible when clinicians must recover the original data. Job triggers run without manual intervention, writing the transformed results to a separate BigQuery dataset or Storage location that analysts can query. The alternative options either do not perform reversible de-identification, fail to cover both storage systems, or rely on ad-hoc processes that increase operational overhead and compliance risk.
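As an added illustration (not part of the original question, and not Google's own tooling), the Python check below audits a de-identification configuration in the DLP REST JSON shape for the properties the explanation relies on: a reversible transformation and a key wrapped by Cloud KMS. It covers infoTypeTransformations only; the helper names, the key path, the PHI_TOKEN surrogate label, the choice of infoTypes and both sample configs are constructed assumptions.

```python
# Added example: checks a DLP deidentifyConfig (REST JSON shape) against the
# question's requirements. The sample configs below are constructed.
REVERSIBLE = {"cryptoDeterministicConfig", "cryptoReplaceFfxFpeConfig"}

def audit_deidentify_config(cfg):
    """Return one finding per rule that is not reversible or not KMS-protected."""
    findings = []
    rules = cfg.get("infoTypeTransformations", {}).get("transformations", [])
    for i, rule in enumerate(rules):
        names = [t["name"] for t in rule.get("infoTypes", [])] or ["<all>"]
        prim = rule.get("primitiveTransformation", {})
        kind = next(iter(prim), None)
        where = f"rule {i} {names}"
        if kind not in REVERSIBLE:
            findings.append(f"{where}: {kind} cannot be re-identified")
            continue
        key = prim[kind].get("cryptoKey", {})
        if not key.get("kmsWrapped", {}).get("cryptoKeyName"):
            findings.append(f"{where}: key is not wrapped by a Cloud KMS key")
        if "surrogateInfoType" not in prim[kind]:
            findings.append(f"{where}: no surrogateInfoType to mark tokens in free text")
    return findings

def _rule(info_types, kind, body):
    """Build one transformation rule (hypothetical helper for the samples)."""
    return {"infoTypes": [{"name": n} for n in info_types],
            "primitiveTransformation": {kind: body}}

# Constructed placeholders, not real key material or resource names.
KMS = {"kmsWrapped": {"wrappedKey": "BASE64_WRAPPED_KEY_PLACEHOLDER",
                      "cryptoKeyName": "projects/PROJECT_ID/locations/LOCATION/"
                                       "keyRings/KEY_RING/cryptoKeys/KEY"}}
TOKEN = {"name": "PHI_TOKEN"}  # hypothetical surrogate label

WEAK = {"infoTypeTransformations": {"transformations": [
    _rule(["PERSON_NAME"], "cryptoHashConfig", {"cryptoKey": {"transient": {"name": "t"}}}),
    _rule(["US_SOCIAL_SECURITY_NUMBER"], "cryptoDeterministicConfig",
          {"cryptoKey": {"unwrapped": {"key": "RAW_KEY_PLACEHOLDER"}},
           "surrogateInfoType": TOKEN}),
]}}
HARDENED = {"infoTypeTransformations": {"transformations": [
    _rule(["PERSON_NAME", "DATE_OF_BIRTH", "US_SOCIAL_SECURITY_NUMBER"],
          "cryptoDeterministicConfig", {"cryptoKey": KMS, "surrogateInfoType": TOKEN}),
]}}

if __name__ == "__main__":
    for label, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(label, audit_deidentify_config(cfg) or "ok")
```

The WEAK sample fails twice: a one-way hash cannot support re-identification for patient care, and an unwrapped key leaves the tokenization secret outside Cloud KMS.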
GCP Professional Cloud Security Engineer
Ensuring data protection