GCP Professional Cloud Security Engineer Practice Question
A hospital system ingests millions of patient encounters each night into a BigQuery dataset. Epidemiology researchers need to join this data with other public health datasets and perform aggregate analytics, but HIPAA requires that direct identifiers such as patient name and Social Security number (SSN) never be exposed to them. Compliance officers also insist that the original, fully-identified tables remain available to a limited group of clinicians. Which solution most effectively meets these requirements while minimizing ongoing operational effort?
Configure a recurring Sensitive Data Protection inspection job on the landing dataset that applies a de-identification template to tokenize detected PHI and writes the transformed output to a separate BigQuery table used by the research team.
Nightly export the dataset to Cloud Storage, run a custom Dataflow pipeline that replaces patient names and SSNs with random strings, then re-import the sanitized files into BigQuery for researchers.
Apply Data Catalog policy tags to the name and SSN columns and deny access to those tags for researchers, allowing them to query the original tables with those columns returning NULL.
Grant the research team the BigQuery Data Viewer role on the original tables and rely on Cloud Audit Logs to demonstrate compliance with HIPAA requirements.
A recurring Sensitive Data Protection (formerly Cloud DLP) inspection job can automatically detect built-in infoTypes such as PERSON_NAME and US_SOCIAL_SECURITY_NUMBER in the landing tables. By attaching a de-identification template that uses tokenization or format-preserving encryption, the job can write the transformed results into a separate de-identified BigQuery table that maintains referential integrity for analytics but removes direct identifiers from the researchers' view. Because the job is scheduled, new nightly ingests are handled automatically. Simply granting Data Viewer on the raw tables violates HIPAA, exporting to Cloud Storage for custom scrubbing adds unnecessary complexity and operational overhead, and Data Catalog policy tags hide entire columns rather than transform their values, which prevents researchers from performing joins that rely on the identifiers. Therefore, the automated SDP inspection and de-identification workflow is the best fit.
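The referential-integrity argument in the explanation above can be checked with a small added example (not part of the original question and not Sensitive Data Protection code). It assumes HMAC-SHA256 as an offline stand-in for a deterministic tokenization transform, uses constructed rows and a hypothetical demo key, and assumes the other public health dataset is tokenized with the same key.

```python
import hashlib
import hmac

# Hypothetical demo key; a real tokenization key would be held in a key manager.
DEMO_KEY = b"constructed-demo-key"
IDENTIFIER_COLUMNS = ("name", "ssn")

# Constructed sample rows; names and SSNs are fabricated test values.
ENCOUNTERS = [
    {"name": "Ana Ruiz", "ssn": "900-11-0001", "dx": "influenza"},
    {"name": "Ana Ruiz", "ssn": "900-11-0001", "dx": "asthma"},
    {"name": "Bo Chen", "ssn": "900-22-0002", "dx": "influenza"},
]
VACCINATIONS = [
    {"ssn": "900-11-0001", "vaccinated": True},
    {"ssn": "900-22-0002", "vaccinated": False},
]

def tokenize(value, key):
    """Deterministic keyed token: the same value and key always give the same token."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def deidentify(rows, key):
    """Research copy: identifier columns become tokens, other columns are kept."""
    return [
        {c: tokenize(v, key) if c in IDENTIFIER_COLUMNS else v for c, v in r.items()}
        for r in rows
    ]

def hide_columns(rows):
    """Column hiding as the policy-tag option describes it: identifiers read as NULL."""
    return [{c: None if c in IDENTIFIER_COLUMNS else v for c, v in r.items()} for r in rows]

def flu_cases_by_vaccination(encounters, vaccinations):
    """Join the two tables on the ssn column and count influenza encounters per status."""
    status = {v["ssn"]: v["vaccinated"] for v in vaccinations if v["ssn"] is not None}
    counts = {}
    for e in encounters:
        if e["dx"] == "influenza" and e["ssn"] in status:
            s = status[e["ssn"]]
            counts[s] = counts.get(s, 0) + 1
    return counts
```

Running the aggregate on the tokenized copies returns the same counts as on the raw tables, while the column-hidden copies return no joined rows at all.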
GCP Professional Cloud Security Engineer
Ensuring data protection