GDSA Practice Questions: Data Discovery, Governance, Mobility, and Data-Centric Security Domain

Master the Data Discovery, Governance, Mobility, and Data-Centric Security Domain

Test your knowledge in the Data Discovery, Governance, Mobility, and Data-Centric Security domain with these 10 practice questions. Each question is designed to help you prepare for the GDSA certification exam with detailed explanations to reinforce your learning.

Question 1

A law firm rolled out strict DLP blocking for external file sharing after a data leak. The control immediately disrupted legitimate exchanges with outside counsel and regulators, and users began moving documents through personal sharing services to meet deadlines. Leadership wants the security architect to keep strong protections while reducing the incentive for shadow IT. What is the best next step?

A) Loosen all external sharing rules for legal teams, then depend on quarterly awareness training to reduce misuse of personal tools

B) Keep the current blocking rules unchanged, because any approved exception process weakens the overall security posture

C) Define approved sharing workflows and exceptions by data class, tune DLP to those workflows, and monitor exception use for abuse

D) Move all sensitive matters to encrypted archives and require staff to manually request files before each external exchange

Correct Answer: C

Explanation:

Correct answer (C): A defensible architecture must account for business workflows. When controls block legitimate collaboration without tuned policy or approved exceptions, users often turn to unmanaged channels. The best answer is to align DLP with classification and approved sharing workflows, then monitor exception use. That preserves strong protection while reducing operational pressure that drives shadow IT.

Why the other options are wrong:
- Option A: Broadly loosening rules weakens protection and shifts too much reliance onto user behavior instead of controlled, approved workflows.
- Option B: Rigid blocking without workflow-aware exceptions is what created the shadow IT problem. Security that users cannot practically follow often increases unmanaged data movement.
- Option D: Manual archive retrieval may reduce some sharing, but it is operationally heavy and does not directly address workflow-aligned DLP tuning or sanctioned external exchange paths.

Question 2

An enterprise stores payment data in a central database accessed by application service accounts and a small group of administrators with direct SQL tools. The security team needs better visibility into privileged queries, unusual access patterns, and after-hours use, but the database team does not want a control that is primarily focused on blocking traffic yet. Which control is the best fit?

A) Deploy database activity monitoring to record and analyze database access and query behavior for audit and alerting

B) Deploy a database firewall to block noncompliant SQL requests before they reach the database engine

C) Deploy a web application firewall to inspect HTTP requests that eventually trigger database transactions

D) Deploy full-disk encryption on database servers to reduce exposure from unauthorized database use

Correct Answer: A

Explanation:

Correct answer (A): The requirement is visibility into database behavior, especially privileged activity and anomalies. Database Activity Monitoring is designed for that purpose. It provides auditability and detection for direct connections and trusted application activity. A database firewall is more appropriate when the primary goal is enforcement and blocking, which the scenario explicitly does not prioritize yet.

Why the other options are wrong:
- Option B: A database firewall is primarily an enforcement control. It can be useful later, but it is not the best initial fit when the stated need is visibility rather than blocking.
- Option C: A WAF protects web application traffic, but it does not replace database-specific monitoring for direct admin connections or SQL activity within trusted paths.
- Option D: Encryption helps protect data at rest, but it does not provide the query-level visibility needed to detect misuse by authenticated users.

Question 3

A sales organization issues corporate-managed smartphones and tablets that store customer contracts for offline use. The main concerns are lost devices and users saving contract data into unmanaged apps for personal sharing. The business does not want to ban mobile access. Which architecture recommendation is best?

A) Require mobile VPN for all access and rely on the device operating system to contain the business apps

B) Use MDM or enterprise mobility controls with managed app restrictions, device encryption, remote wipe, and blocked unmanaged sharing paths

C) Encrypt the email gateway and depend on user training to prevent risky sharing from personal apps

D) Move all contract access to an internal file share and allow mobile access only when connected at headquarters

Correct Answer: B

Explanation:

Correct answer (B): This scenario requires protecting data on mobile endpoints without eliminating mobility. The best architecture is managed mobility controls that combine device encryption, remote wipe, managed app restrictions, and prevention of unmanaged sharing paths. That approach addresses both device loss and local data leakage while preserving the business need for offline mobile access.

Why the other options are wrong:
- Option A: VPN protects network transport, but it does not control what happens to data once it is on the device or copied into unmanaged apps.
- Option C: Gateway encryption and training are not enough to control local app sharing, device loss, or unmanaged storage paths on the endpoint.
- Option D: This would sharply limit business mobility and does not match the requirement to support mobile use rather than ban it.

Question 4

A hybrid enterprise stores project documents in SaaS workspaces and cloud object storage. Teams need to collaborate with selected external partners, but security has poor visibility into overshared content and abnormal bulk downloads. Which architectural choice best balances collaboration with defensible control?

A) Use data classification and ownership to drive sharing rules, while logging and alerting on unusual bulk access across repositories

B) Disable all external sharing from SaaS and cloud storage, then allow rare exceptions through manual ticket review

C) Force all users through the corporate VPN before accessing SaaS or cloud repositories from managed endpoints

D) Encrypt all documents before upload and treat unusually large download activity as a storage management concern

Correct Answer: A

Explanation:

Correct answer (A): The scenario requires both governance and detective capability. Classification and ownership allow sharing rules to reflect business sensitivity, while logging and alerting on unusual bulk access provides visibility into misuse and exfiltration attempts. This balances collaboration needs with defensible monitoring instead of relying on a blanket prohibition or a transport-only control.

Why the other options are wrong:
- Option B: A full ban may reduce risk, but it does not balance the stated collaboration requirement and often creates pressure for unmanaged workarounds.
- Option C: VPN routing may centralize connectivity, but it does not provide repository-level governance or visibility into oversharing and bulk download behavior.
- Option D: Encryption helps confidentiality, but it does not replace ownership-based sharing rules or detection of suspicious access volume.

Question 5

A retailer plans to deploy DLP on email and web uploads after a near-miss involving customer records. The environment includes file shares, a CRM export process, and a finance workflow that legitimately sends data to a payment processor. Security leadership wants effective policies with minimal business disruption. Which action should the security architect recommend first?

A) Deploy broad keyword-based DLP on email and web traffic and tune the alerts after the first month

B) Perform data discovery and classification across repositories and map legitimate data movement before defining DLP rules

C) Encrypt the file shares and databases and rely on existing proxy logs to identify misuse later

D) Block all outbound attachments and browser uploads from finance until exceptions are submitted and approved

Correct Answer: B

Explanation:

Correct answer (B): Effective DLP design starts with understanding where sensitive data resides, how it is classified, and which business workflows legitimately move it. Without that foundation, DLP rules are often too broad, too narrow, or disruptive to business operations. In this scenario, discovery plus classification plus flow mapping is the defensible first step because it lets the architect scope policies to the right data and channels while preserving valid payment-processor traffic.

Why the other options are wrong:
- Option A: This is a common mistake. Tuning after deployment may eventually help, but starting with broad keyword rules without discovery and business flow mapping usually creates false positives and business disruption.
- Option C: Encryption is valuable, but it does not solve the immediate design problem. It also does not tell the team where sensitive data is or how it legitimately moves through email and web channels.
- Option D: This may reduce some egress quickly, but it is too blunt for the stated goal of minimal disruption. It also does not establish a defensible, data-centric basis for long-term policy design.

Question 6

A healthcare organization stores regulated records in on-premises databases accessed by both application service accounts and database administrators. The security team needs better visibility into queries, privileged actions, and unusual access patterns for investigations, but the database owners do not want a new inline control that could affect availability. Which control is the best fit?

A) Implement database activity monitoring to log queries, privileged actions, and anomalous access patterns

B) Implement a database firewall to block unexpected database commands before they reach the server

C) Implement email DLP to inspect attachments leaving the user mail system for regulated content

D) Implement a reverse proxy to mediate user access to the web application before login

Correct Answer: A

Explanation:

Correct answer (A): Database activity monitoring is designed to provide visibility into database queries, access patterns, privileged actions, and anomalous behavior. It supports detection and investigation without making inline enforcement the primary architectural goal. That aligns with the requirement for visibility and forensic value while minimizing operational risk to database availability.

Why the other options are wrong:
- Option B: A database firewall is focused on policy enforcement for database traffic and query behavior. It may be valuable in other cases, but it is not the best match when the primary goal is visibility without adding inline dependency.
- Option C: Email DLP addresses one exfiltration channel, not direct visibility into database queries, privileged behavior, or application-driven access.
- Option D: A reverse proxy can help with web application access patterns, but it does not provide the database-level visibility requested in the scenario.

Question 7

A SaaS provider is seeing repeated SQL injection attempts from an application tier toward its payment database. The organization already has database logs and monitoring for after-the-fact review, but it now wants inline enforcement of approved SQL behavior with minimal application redesign. Which architecture change is the best fit?

A) Add database activity monitoring rules to alert on risky queries and review them during daily operations

B) Add a database firewall to enforce approved SQL patterns before the requests reach the database

C) Add endpoint DLP to the application servers to stop copies to removable media and local folders

D) Add file-level encryption to exported reports generated from the payment environment

Correct Answer: B

Explanation:

Correct answer (B): The requirement is preventive and inline: enforce approved SQL behavior before execution. A database firewall is the best fit because it can filter or block database traffic based on allowed patterns before the traffic reaches the database. Database activity monitoring remains valuable for visibility, but the scenario already has monitoring and explicitly needs enforcement rather than more after-the-fact review.

Why the other options are wrong:
- Option A: Monitoring is helpful, but the scenario already has that capability. It does not provide the requested inline prevention of suspicious SQL behavior.
- Option C: Endpoint DLP addresses data movement from hosts, not SQL injection attempts between the application tier and the database.
- Option D: Protecting exported reports may be useful elsewhere, but it does not mitigate inline database request abuse from the application tier.

Question 8

A manufacturer has had several recent data leaks through email attachments and USB copies. Leadership wants the security team to deploy broad DLP controls immediately, but the team does not yet know which files contain sensitive data, where those files reside, or which business processes move them. What is the best first architectural step?

A) Conduct data discovery and flow mapping, classify sensitive data, and then tune channel-specific DLP policies

B) Deploy network egress DLP immediately and block large outbound transfers until classifications mature

C) Encrypt all file shares immediately and defer formal classification until incident volume decreases

D) Add a reverse proxy for collaboration tools and tune upload alerts before labeling the data

Correct Answer: A

Explanation:

Correct answer (A): DLP policy quality depends on knowing which data is sensitive, where it resides, and how it moves. The most defensible first step is to discover and classify the data, map its flows, and then apply DLP policies by channel. That sequencing improves detection accuracy, aligns controls to real business workflows, and reduces disruption from poorly targeted blocking.

Why the other options are wrong:
- Option B: Network egress DLP can help, but deploying it before classification usually creates noisy or incomplete policies and misses non-network channels such as endpoint actions.
- Option C: Encryption is useful for confidentiality, but it does not identify sensitive content, define business rules, or replace classification and DLP policy design.
- Option D: A reverse proxy may improve visibility for one channel, but it does not solve the broader problem of unknown data locations, unknown sensitivity, and multiple leakage paths.

Question 9

A retailer already uses a reverse proxy and WAF in front of its customer portal. During a review, the team discovers that database administrators and some internal tools can connect directly to the customer database, and leadership wants a control that can enforce policy by blocking unauthorized query patterns from both application and direct database paths. Which addition best meets that requirement?

A) Add database activity monitoring to capture SQL statements and alert when queries violate expected behavior

B) Add a database firewall to enforce allowed database traffic and query patterns before execution

C) Add another web application firewall tier to inspect the portal traffic more aggressively before it reaches the application

D) Add transport encryption for all database sessions so unauthorized query patterns cannot be observed on the network

Correct Answer: B

Explanation:

Correct answer (B): The key requirement is policy enforcement and blocking of unauthorized query patterns across both application-driven and direct database access. A database firewall is the best architectural fit because it is designed to allow or block database traffic and SQL behavior based on policy. A WAF remains useful for HTTP-layer threats, but it does not replace database-specific enforcement when direct connections exist.

Why the other options are wrong:
- Option A: Database activity monitoring improves visibility and auditability, but the requirement is to enforce policy by blocking unauthorized queries.
- Option C: Another WAF tier still focuses on web application traffic and will not control direct database connections from administrators or internal tools.
- Option D: Encryption protects data in transit, but it does not enforce which queries are allowed or denied once an authenticated session is established.

Question 10

A retailer has a legacy web application that sends a small, predictable set of SQL statements to a backend database. Security already has acceptable audit logging, but the team is concerned that a compromised application server could issue ad hoc queries the application never normally uses. Which architectural control is the best choice for the immediate goal?

A) Deploy database activity monitoring to alert when unusual queries are executed against the database

B) Deploy a database firewall to enforce allowed query patterns from the application tier

C) Deploy endpoint DLP to block analysts from copying exported reports to removable media

D) Deploy full-disk encryption on the database servers to protect records stored on disk

Correct Answer: B

Explanation:

Correct answer (B): The immediate requirement is to enforce allowed database behavior from a predictable application workflow. A database firewall is the best fit because it is designed to apply policy to database traffic and query behavior, helping prevent unexpected commands from a compromised application tier. Monitoring alone would not provide the same preventive control for this specific objective.

Why the other options are wrong:
- Option A: Database activity monitoring would improve visibility, but the stated goal is to prevent unexpected queries from reaching the database, not just to alert after they occur.
- Option C: Endpoint DLP is useful for data movement from user systems, but it does not address malicious or unauthorized database queries from the application tier.
- Option D: Encryption protects stored data confidentiality, but it does not enforce which queries a compromised application server may send to the database.

About GDSA Certification

The GDSA certification validates your expertise in data discovery, governance, mobility, and data-centric security and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.