Free GDSA Data Discovery, Governance, Mobility, and Data-Centric Security Practice Test 2026 — GIAC Defensible Security Architect Questions

This free GDSA Data Discovery, Governance, Mobility, and Data-Centric Security practice test covers data classification, discovery, DLP, governance, encryption, rights management, and data-centric security controls. Each question includes a detailed explanation with defensible-architecture context — perfect for GDSA exam prep.

6 Free GDSA Data Discovery, Governance, Mobility, and Data-Centric Security Practice Questions with Answers

Each question below includes 4 answer options, the correct answer, and a detailed explanation. These are real questions from the FlashGenius GDSA question bank for the Data Discovery, Governance, Mobility, and Data-Centric Security domain (14% of the exam).

Sample Question 1 — Data Discovery, Governance, Mobility, and Data-Centric Security

A manufacturer has had several recent data leaks through email attachments and USB copies. Leadership wants the security team to deploy broad DLP controls immediately, but the team does not yet know which files contain sensitive data, where those files reside, or which business processes move them. What is the best first architectural step?

  1. A. Conduct data discovery and flow mapping, classify sensitive data, and then tune channel-specific DLP policies (Correct answer)
  2. B. Deploy network egress DLP immediately and block large outbound transfers until classifications mature
  3. C. Encrypt all file shares immediately and defer formal classification until incident volume decreases
  4. D. Add a reverse proxy for collaboration tools and tune upload alerts before labeling the data

Correct answer: A

Explanation: Correct answer (A): DLP policy quality depends on knowing which data is sensitive, where it resides, and how it moves. The most defensible first step is to discover and classify the data, map its flows, and then apply DLP policies by channel. That sequencing improves detection accuracy, aligns controls to real business workflows, and reduces disruption from poorly targeted blocking.

Why the other options are wrong:

  - Option B: Network egress DLP can help, but deploying it before classification usually creates noisy or incomplete policies and misses non-network channels such as endpoint actions.
  - Option C: Encryption is useful for confidentiality, but it does not identify sensitive content, define business rules, or replace classification and DLP policy design.
  - Option D: A reverse proxy may improve visibility for one channel, but it does not solve the broader problem of unknown data locations, unknown sensitivity, and multiple leakage paths.

Sample Question 2 — Data Discovery, Governance, Mobility, and Data-Centric Security

A healthcare organization stores regulated records in on-premises databases accessed by both application service accounts and database administrators. The security team needs better visibility into queries, privileged actions, and unusual access patterns for investigations, but the database owners do not want a new inline control that could affect availability. Which control is the best fit?

  1. A. Implement database activity monitoring to log queries, privileged actions, and anomalous access patterns (Correct answer)
  2. B. Implement a database firewall to block unexpected database commands before they reach the server
  3. C. Implement email DLP to inspect attachments leaving the user mail system for regulated content
  4. D. Implement a reverse proxy to mediate user access to the web application before login

Correct answer: A

Explanation: Correct answer (A): Database activity monitoring is designed to provide visibility into database queries, access patterns, privileged actions, and anomalous behavior. It supports detection and investigation without making inline enforcement the primary architectural goal. That aligns with the requirement for visibility and forensic value while minimizing operational risk to database availability.

Why the other options are wrong:

  - Option B: A database firewall is focused on policy enforcement for database traffic and query behavior. It may be valuable in other cases, but it is not the best match when the primary goal is visibility without adding inline dependency.
  - Option C: Email DLP addresses one exfiltration channel, not direct visibility into database queries, privileged behavior, or application-driven access.
  - Option D: A reverse proxy can help with web application access patterns, but it does not provide the database-level visibility requested in the scenario.

Sample Question 3 — Data Discovery, Governance, Mobility, and Data-Centric Security

A retailer has a legacy web application that sends a small, predictable set of SQL statements to a backend database. Security already has acceptable audit logging, but the team is concerned that a compromised application server could issue ad hoc queries the application never normally uses. Which architectural control is the best choice for the immediate goal?

  1. A. Deploy database activity monitoring to alert when unusual queries are executed against the database
  2. B. Deploy a database firewall to enforce allowed query patterns from the application tier (Correct answer)
  3. C. Deploy endpoint DLP to block analysts from copying exported reports to removable media
  4. D. Deploy full-disk encryption on the database servers to protect records stored on disk

Correct answer: B

Explanation: Correct answer (B): The immediate requirement is to enforce allowed database behavior from a predictable application workflow. A database firewall is the best fit because it is designed to apply policy to database traffic and query behavior, helping prevent unexpected commands from a compromised application tier. Monitoring alone would not provide the same preventive control for this specific objective.

Why the other options are wrong:

  - Option A: Database activity monitoring would improve visibility, but the stated goal is to prevent unexpected queries from reaching the database, not just to alert after they occur.
  - Option C: Endpoint DLP is useful for data movement from user systems, but it does not address malicious or unauthorized database queries from the application tier.
  - Option D: Encryption protects stored data confidentiality, but it does not enforce which queries a compromised application server may send to the database.

Sample Question 4 — Data Discovery, Governance, Mobility, and Data-Centric Security

A financial services company found that several database administrator accounts were used after hours to browse customer records. Administrators still need broad access for maintenance tasks, but security needs better oversight without disrupting operations. What is the best architectural improvement?

  1. A. Reduce database access with role-based rules where possible and add database activity monitoring for privileged workflows (Correct answer)
  2. B. Encrypt database files and backups more aggressively so privileged queries reveal less sensitive information
  3. C. Place a web application firewall in front of the customer portal to inspect incoming user requests
  4. D. Route administrator sessions through the perimeter firewall so database traffic stays inside one network zone

Correct answer: A

Explanation: Correct answer (A): The best improvement combines stronger access governance with visibility into privileged behavior. Least-privilege design reduces unnecessary exposure, and database activity monitoring provides detection and investigative value when privileged accounts are used or abused. This directly addresses the scenario's concern about legitimate accounts being misused while maintaining operational access where necessary.

Why the other options are wrong:

  - Option B: Encryption helps protect stored data, but it does not prevent or reveal misuse of valid privileged database sessions.
  - Option C: A web application firewall protects HTTP-facing applications, not direct oversight of database administrator behavior.
  - Option D: Network routing changes do not provide the needed governance or database-level visibility into privileged browsing of records.

Sample Question 5 — Data Discovery, Governance, Mobility, and Data-Centric Security

Security discovers payroll spreadsheets on several legacy file shares. Access groups are inherited broadly, no business owner is assigned, and retention requirements are unclear. The goal is sustainable risk reduction rather than a temporary emergency block. What is the best next architectural action?

  1. A. Assign data owners, classify the files, define retention and access rules, then tighten permissions and monitoring (Correct answer)
  2. B. Deploy network DLP at the Internet edge and wait to see which employees attempt to send the files outward
  3. C. Encrypt the file shares immediately and leave inherited permissions unchanged until business units complain
  4. D. Move the spreadsheets into a new database platform and assume structured storage resolves the governance issue

Correct answer: A

Explanation: Correct answer (A): The root problem is missing governance: no ownership, no classification, unclear retention, and overbroad access. A defensible architecture should establish ownership and policy first, then enforce those rules with tighter access and monitoring. That creates sustainable control aligned to business sensitivity and legal obligations instead of relying on a single technical workaround.

Why the other options are wrong:

  - Option B: Egress DLP may catch some exfiltration attempts, but it does not address unclear ownership, excessive internal access, or retention obligations.
  - Option C: Encryption protects stored files but does not fix who can access them, how long they should be kept, or who is accountable for them.
  - Option D: Changing the storage platform does not automatically establish ownership, retention policy, or correct access governance.

Sample Question 6 — Data Discovery, Governance, Mobility, and Data-Centric Security

A hybrid enterprise stores project documents in SaaS workspaces and cloud object storage. Teams need to collaborate with selected external partners, but security has poor visibility into overshared content and abnormal bulk downloads. Which architectural choice best balances collaboration with defensible control?

  1. A. Use data classification and ownership to drive sharing rules, while logging and alerting on unusual bulk access across repositories (Correct answer)
  2. B. Disable all external sharing from SaaS and cloud storage, then allow rare exceptions through manual ticket review
  3. C. Force all users through the corporate VPN before accessing SaaS or cloud repositories from managed endpoints
  4. D. Encrypt all documents before upload and treat unusually large download activity as a storage management concern

Correct answer: A

Explanation: Correct answer (A): The scenario requires both governance and detective capability. Classification and ownership allow sharing rules to reflect business sensitivity, while logging and alerting on unusual bulk access provides visibility into misuse and exfiltration attempts. This balances collaboration needs with defensible monitoring instead of relying on a blanket prohibition or a transport-only control.

Why the other options are wrong:

  - Option B: A full ban may reduce risk, but it does not balance the stated collaboration requirement and often creates pressure for unmanaged workarounds.
  - Option C: VPN routing may centralize connectivity, but it does not provide repository-level governance or visibility into oversharing and bulk download behavior.
  - Option D: Encryption helps confidentiality, but it does not replace ownership-based sharing rules or detection of suspicious access volume.

How to Study GDSA Data Discovery, Governance, Mobility, and Data-Centric Security

Combine these GDSA Data Discovery, Governance, Mobility, and Data-Centric Security practice questions with hands-on lab work and the SANS SEC530 course. The GDSA exam emphasizes practical defensible-architecture decisions, so always ask which option is most defensible, most resilient, and aligned with Zero Trust principles.
