
CompTIA DataSys+ DS0-002: Data and Database Security

Try 10 focused CompTIA DataSys+ DS0-002 questions on Data and Database Security, with explanations, then continue with IT Mastery.


Topic snapshot

Field             Detail
Exam route        CompTIA DataSys+ DS0-002
Topic area        Data and Database Security
Blueprint weight  19%
Page purpose      Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate Data and Database Security for CompTIA DataSys+ DS0-002. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

Pass           What to do                                                  What to record
First attempt  Answer without checking the explanation first.              The fact, rule, calculation, or judgment point that controlled your answer.
Review         Read the explanation even when you were correct.            Why the best answer is stronger than the closest distractor.
Repair         Repeat only missed or uncertain items after a short break.  The pattern behind misses, not the answer letter.
Transfer       Return to mixed practice once the topic feels stable.       Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 19% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These original IT Mastery practice questions are aligned to this topic area. Use them for self-assessment, scope review, and deciding what to drill next.

Question 1

Topic: Data and Database Security

A DBA is reviewing a security audit for a customer database. The application connects only from 10.20.4.0/24, and administrators connect only through the VPN subnet 10.30.8.0/24. No other clients require direct database access.

Exhibit: Audit summary

Finding            Current state
Database endpoint  Publicly reachable
TCP port 5432      Allowed from 0.0.0.0/0
Failed logins      Repeated attempts from unknown IPs
Monitoring         Alerts already generated

Which action is the best next step?

Options:

  • A. Keep the endpoint public and require stronger passwords

  • B. Increase the frequency of failed-login alerts

  • C. Create a daily suspicious-connection report

  • D. Restrict database access to the approved subnets

Best answer: D

Explanation: Attack-surface reduction is appropriate when a service is reachable by systems that have no business need to connect. In this case, monitoring is already detecting repeated failed logins, but the database port is still exposed to the entire internet. The stronger control is to limit network reachability to the application subnet and VPN subnet, such as with firewall rules, security groups, or network ACLs. Monitoring remains useful for detection, but it does not remove the unnecessary exposure.

The key takeaway is to eliminate avoidable access paths before relying on alerts to manage predictable unwanted traffic.

  • More alerts may improve detection, but they do not reduce who can attempt to reach the database.
  • Daily reporting summarizes suspicious activity after the fact and leaves the public entry point open.
  • Password-only hardening helps authentication, but it still permits unnecessary connection attempts to the database service.

Question 2

Topic: Data and Database Security

During a quarterly database access review, the DBA must identify the authorization risk that needs immediate remediation. The review date is April 10, 2026.

Exhibit: Access review excerpt

Account         Status    Expiration      Assigned privilege           Approved need
app_orders_svc  Enabled   None            EXECUTE on order procedures  Application service
mlee            Enabled   None            SELECT on reporting views    BI analyst
temp_vendor7    Enabled   March 31, 2026  db_owner on SalesDB          Vendor contract ended
audit_ro        Disabled  None            SELECT on audit schema       Break-glass audit

Options:

  • A. Revoke SELECT from mlee because analysts should not query databases.

  • B. Remove EXECUTE from app_orders_svc because service accounts are risky.

  • C. Enable audit_ro because audit accounts should remain available.

  • D. Disable temp_vendor7 and remove its elevated SalesDB privileges.

Best answer: D

Explanation: Authorization reviews look for accounts that can still access data after their approved need has ended, especially when they retain powerful roles. In the exhibit, temp_vendor7 is still enabled on April 10 even though it expired on March 31, and the approved need says the vendor contract ended. The db_owner privilege is also broader than typical temporary vendor access, so the risk is not just account aging; it is continued elevated authorization. The appropriate remediation is to disable the account and remove or revoke the unnecessary privilege according to the access management process. Valid service, analyst, and disabled audit accounts do not show the same evidence of unauthorized or excessive access.

  • Disabled audit account is not an active authorization risk because it cannot currently be used for database access.
  • Service account privilege is justified by its approved application need and is limited to procedure execution.
  • Analyst read access matches the stated BI reporting need and does not show expired access or elevated ownership.

Question 3

Topic: Data and Database Security

A company is configuring governance controls for a customer database. The requirements state that EU customer PII must remain in EU-hosted storage and backups, invoice records must be retained for 7 years, inactive support records must be deleted after 2 years, and unmasked PII must not be exported to unmanaged file shares. Which implementation best satisfies these requirements?

Options:

  • A. Encrypt the database and allow global replication for availability

  • B. Classify sensitive fields, enforce EU residency, apply record-level retention, and enable DLP export controls

  • C. Retain all customer records indefinitely to simplify audits

  • D. Mask PII only in reports and allow database exports for administrators

Best answer: B

Explanation: Governance controls should map directly to the data’s sensitivity, location rules, retention schedule, and allowed movement. In this scenario, EU PII needs residency enforcement across storage and backups, not just encryption. Different record types have different retention periods, so record-level or policy-based retention is needed instead of one blanket rule. DLP controls are also required because the risk includes exporting unmasked PII to unmanaged locations. The strongest implementation combines classification, residency controls, retention policies, and DLP enforcement rather than treating the issue as only encryption, auditing, or report masking.

  • Encryption alone protects confidentiality but does not ensure EU residency or prevent unmanaged exports.
  • Indefinite retention conflicts with the stated 2-year deletion requirement for inactive support records.
  • Report-only masking leaves database exports exposed and does not address retention or residency.

Question 4

Topic: Data and Database Security

A company is moving a customer database to a cloud-hosted DBaaS platform. The data includes EU customer PII, and the compliance requirement states that all primary data, replicas, backups, and failover copies must remain within EU jurisdictions. The DBA must support disaster recovery without violating the residency requirement. Which design choice best meets the requirement?

Options:

  • A. Store production data in the EU and global backups worldwide

  • B. Encrypt the database and replicate backups to a US region

  • C. Use a global read replica and restrict access with RBAC

  • D. Deploy primary, replica, backups, and failover only in EU regions

Best answer: D

Explanation: Data residency concerns where data is stored and processed, not only who can access it. In this scenario, the requirement explicitly covers primary data, replicas, backups, and failover copies. The compliant design keeps all of those copies inside approved EU jurisdictions, including DR targets. Encryption, RBAC, and access logging are useful security controls, but they do not make storage in an unapproved region compliant when the residency rule prohibits that location. The key takeaway is to apply residency controls to every persistent copy, including backups and replicas.

  • Encryption alone protects confidentiality but does not satisfy a rule that forbids storage outside EU jurisdictions.
  • Global backups violate the stated requirement because backups are explicitly included in the residency scope.
  • RBAC on replicas controls authorization, but it does not solve the location requirement for a global replica.

Question 5

Topic: Data and Database Security

A hospital reporting database must allow clinicians to view patient records only when the clinician is assigned to the patient, the record is tagged for that clinic location, and the request is made from an approved hospital network during the clinician’s shift. Which authorization design best meets this requirement?

Options:

  • A. Role-based access control group

  • B. Database ownership chaining

  • C. Shared service account

  • D. Attribute-based access control policy

Best answer: D

Explanation: Attribute-based access control (ABAC) is the best fit when authorization depends on multiple attributes at decision time. In this scenario, the database must evaluate user attributes (assigned clinician), resource attributes (patient record and clinic location), and environmental or context attributes (network and shift time). A simple role such as clinician is not specific enough because two users with the same role may need different access based on assignment, location, or time. The key takeaway is that ABAC supports context-aware authorization beyond static group membership.

  • Role-only access fails because a clinician role cannot by itself enforce patient assignment, location, network, and shift constraints.
  • Shared account use weakens accountability and cannot express per-user contextual authorization.
  • Ownership chaining controls object access paths within a database, not dynamic access decisions based on user and environment attributes.
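
The decision logic described in the explanation above, as an added Python example that is not part of the original question set. The approved network 10.50.0.0/16, the shift times, and all class and function names are assumptions made for illustration; the record's clinic tag is compared with the clinician's own clinic.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Assumed value: the question does not name the approved hospital network.
APPROVED_NETWORKS = [ip_network("10.50.0.0/16")]


@dataclass(frozen=True)
class Clinician:            # user attributes
    user_id: str
    clinic: str
    assigned_patients: frozenset
    shift_start: time
    shift_end: time


@dataclass(frozen=True)
class PatientRecord:        # resource attributes
    patient_id: str
    clinic_tag: str


def on_shift(start: time, end: time, now: time) -> bool:
    """True if now falls inside the shift, including shifts that cross midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def evaluate(user: Clinician, record: PatientRecord, source_ip: str, when: datetime):
    """Return (allowed, failed_conditions); access needs every condition to hold."""
    failed = []
    if record.patient_id not in user.assigned_patients:
        failed.append("not_assigned")
    if record.clinic_tag != user.clinic:
        failed.append("clinic_mismatch")
    addr = ip_address(source_ip)            # environment attribute: network
    if not any(addr in net for net in APPROVED_NETWORKS):
        failed.append("unapproved_network")
    if not on_shift(user.shift_start, user.shift_end, when.time()):
        failed.append("off_shift")          # environment attribute: time
    return (not failed, failed)


if __name__ == "__main__":
    # Constructed sample: a night-shift clinician assigned to one patient.
    night = Clinician("c1", "north", frozenset({"p100"}), time(19, 0), time(7, 0))
    record = PatientRecord("p100", "north")
    print(evaluate(night, record, "10.50.3.9", datetime(2026, 4, 10, 2, 30)))
    print(evaluate(night, record, "10.50.3.9", datetime(2026, 4, 10, 12, 0)))
```

Returning the list of failed conditions along with the decision gives the audit log a reason for each denial, which a role-membership check alone cannot supply.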

Question 6

Topic: Data and Database Security

A DBA is reviewing a quarterly security audit for a database account used by a vendor ETL job. The vendor contract ended last month, but the nightly load still appears in audit reports.

Exhibit: Audit excerpt

Check            Finding
Account status   vendor_load expired 32 days ago
Login history    18 successful logins after expiration
Source host      10.4.8.21, the approved ETL server
SQL code review  No dynamic SQL found

Which interpretation is best supported by the exhibit?

Options:

  • A. The ETL server is an unauthorized source

  • B. The SQL code contains an injection flaw

  • C. The expired account is still able to authenticate

  • D. The database encryption key was exposed

Best answer: C

Explanation: The core audit issue is account lifecycle enforcement. The account is marked expired, but the login history shows successful authentications after that date. Because the source host is the approved ETL server and the SQL review found no dynamic SQL, the exhibit does not support an unauthorized-host or SQL injection conclusion. A reasonable next action would be to disable or lock the expired vendor account, confirm whether any exception was approved, and review the post-expiration activity for unauthorized data access. The key takeaway is that an expired account finding becomes a security concern when audit evidence shows it can still be used.

  • Unauthorized source is not supported because the source host is identified as the approved ETL server.
  • SQL injection is not supported because the SQL review specifically found no dynamic SQL.
  • Key exposure is not supported because the exhibit contains no credential, key, or encryption-storage evidence.
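
The account lifecycle check behind Questions 2 and 6, as an added Python example that is not part of the original question set. The record layout, the function names, the treatment of db_owner as the only elevated role, and the vendor_load dates and privilege are assumptions; the other account rows are copied from the Question 2 exhibit.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ELEVATED_ROLES = ("db_owner",)  # assumption: roles this review treats as elevated


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    expires: Optional[date]     # None means no expiration is set
    privilege: str


def review(accounts, logins, review_date):
    """logins: iterable of (account_name, day, success). Returns findings, worst first."""
    findings = []
    for acct in accounts:
        if acct.expires is None or acct.expires >= review_date:
            continue                        # no expiration, or not yet expired
        late = sum(1 for name, day, ok in logins
                   if name == acct.name and ok and day > acct.expires)
        issues = []
        if acct.enabled:
            issues.append("enabled_after_expiration")
        if late:
            issues.append("successful_logins_after_expiration")
        if issues and acct.privilege.split(" ", 1)[0] in ELEVATED_ROLES:
            issues.append("elevated_privilege")
        if issues:
            findings.append({"account": acct.name,
                             "days_expired": (review_date - acct.expires).days,
                             "late_logins": late, "issues": issues})
    return sorted(findings, key=lambda f: (-len(f["issues"]), -f["days_expired"]))


# Constructed sample: the Question 2 exhibit rows plus a vendor_load row shaped
# like the Question 6 audit excerpt (its dates and privilege are made up).
REVIEW_DATE = date(2026, 4, 10)
ACCOUNTS = [
    Account("app_orders_svc", True, None, "EXECUTE on order procedures"),
    Account("mlee", True, None, "SELECT on reporting views"),
    Account("temp_vendor7", True, date(2026, 3, 31), "db_owner on SalesDB"),
    Account("audit_ro", False, None, "SELECT on audit schema"),
    Account("vendor_load", True, REVIEW_DATE - timedelta(days=32), "INSERT on staging"),
]
# 18 successful nightly logins, all dated after vendor_load expired.
LOGINS = [("vendor_load", date(2026, 3, 10) + timedelta(days=n), True) for n in range(18)]
LOGINS.append(("mlee", date(2026, 4, 9), True))

if __name__ == "__main__":
    for finding in review(ACCOUNTS, LOGINS, REVIEW_DATE):
        print(finding)
```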

Question 7

Topic: Data and Database Security

A database administrator is reviewing an access request for a third-party analytics vendor. The vendor needs visit counts by clinic and month, not patient-level details. Which interpretation and action is best supported by the exhibit?

Exhibit: Data dictionary and handling note

Table: patient_visits
patient_id       Internal patient key
patient_name     Patient full name
date_of_birth    Patient birth date
diagnosis_code   Clinical diagnosis code
treatment_notes  Clinical notes
clinic_id        Clinic identifier
visit_date       Date of visit
payment_token    Card token, not a PAN

Policy: PHI is health information linked to a person or patient visit.
External analytics access must use minimum necessary data.

Options:

  • A. Grant read-only access because the vendor is not modifying records.

  • B. Treat only patient_name and date_of_birth as regulated data.

  • C. Provide aggregated counts and suppress patient identifiers and clinical details.

  • D. Prioritize PCI DSS controls because payment_token appears in the table.

Best answer: C

Explanation: PHI handling applies when health information is linked to a person or patient visit. In this table, diagnosis codes and treatment notes are clinical data, and the patient and visit fields can link that data to an individual or visit. Because the vendor’s stated need is aggregate counts by clinic and month, the control selection should follow minimum necessary access: provide aggregated output and suppress or mask patient identifiers and clinical details. Read-only access is not enough when the user does not need row-level PHI. The presence of a card token does not make PCI DSS the primary issue here, especially because the exhibit states it is not a PAN.

  • Read-only access fails because confidentiality controls still matter even when data cannot be changed.
  • Identifiers only fails because diagnosis codes and treatment notes become PHI when linked to patient or visit data.
  • PCI focus fails because a token that is not a PAN does not outweigh the visible PHI handling requirement.

Question 8

Topic: Data and Database Security

A DBA is troubleshooting a user’s failed attempt to update tables in OrdersDB. The organization requires database permissions to be governed through federated SSO and IAM group membership.

Exhibit: Access review excerpt

Item              Value
User              jlee@example.com
IdP groups        Finance-Analyst, DB-ReadOnly
Required mapping  DB-Orders-Admin -> write access to OrdersDB
Local DB users    Service accounts only
Error             Token accepted; no mapped write role

What is the best next action?

Options:

  • A. Request approved IAM group membership for DB-Orders-Admin

  • B. Replace the user’s client SSL certificate

  • C. Share a service account that already has write access

  • D. Create a local database user with write permissions

Best answer: A

Explanation: Federated database access separates authentication from authorization. In the exhibit, the identity provider token is accepted, so the user successfully authenticated through SSO. The failure occurs because the user is not in the IAM group mapped to write access for OrdersDB. Since local database users are limited to service accounts, granting a direct local user permission would bypass centralized identity governance. The proper administrative path is to use the IAM approval process to add the user to the correct federated group, which then maps to the needed database role. Certificate changes would not address a missing role mapping.

  • Local user grant bypasses the stated governance model and creates unmanaged database authorization.
  • Service account sharing violates accountability because multiple people would use the same identity.
  • Certificate replacement targets connection trust, but the error shows successful token authentication and missing role authorization.

Question 9

Topic: Data and Database Security

A company is deploying a customer database that must be reachable by application servers in a perimeter network and by DBAs using the corporate VPN. The database must not accept direct connections from the public internet. Which configuration best meets this requirement?

Options:

  • A. Block all inbound database traffic and use only local console access

  • B. Open the database port to the internet and require strong passwords

  • C. Place the database server in the perimeter network with the web servers

  • D. Allow the database port only from the application subnet and VPN DBA subnet

Best answer: D

Explanation: Database network exposure should be limited with firewall and port-security rules that allow only required sources to reach the database listener. In this scenario, the application servers and VPN DBA subnet are the only approved connection sources, so the database port should be permitted from those networks and denied from the public internet. A perimeter network is appropriate for systems that need controlled external reachability, such as web or application tiers, but the database itself should usually remain in a more restricted internal segment. Authentication and encryption are still important, but they do not replace network-level access control.

  • Database in perimeter network increases exposure by placing sensitive data services closer to internet-facing systems.
  • Internet-open database port relies too much on credentials and leaves the listener exposed to scanning and attack.
  • Console-only access is overly restrictive because the application servers and DBAs have a stated need for network connectivity.
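
A way to check allow rules against the approved sources from Questions 1 and 9, as an added Python example that is not part of the original question set. The subnets and port come from the Question 1 scenario; the rule tuple format, the verdict names, and the sample rules are assumptions.

```python
from ipaddress import ip_network

DB_PORT = 5432
# Application subnet and VPN subnet from the Question 1 scenario.
APPROVED = [ip_network("10.20.4.0/24"), ip_network("10.30.8.0/24")]


def audit_ingress(rules, port=DB_PORT, approved=APPROVED):
    """rules: list of (cidr, from_port, to_port) allow rules.

    Returns (cidr, verdict) for every rule whose port range covers the
    database port; rules for other ports are ignored.
    """
    results = []
    for cidr, low, high in rules:
        if not low <= port <= high:
            continue
        net = ip_network(cidr, strict=False)
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if any(net.version == a.version and net.subnet_of(a) for a in approved):
            verdict = "ok"
        elif net.prefixlen == 0:
            verdict = "open_to_any"
        elif any(net.version == a.version and a.subnet_of(net) for a in approved):
            verdict = "broader_than_approved"
        else:
            verdict = "unapproved_source"
        results.append((cidr, verdict))
    return results


# Constructed sample rules; only the first reflects the audit exhibit.
SAMPLE_RULES = [
    ("0.0.0.0/0", 5432, 5432),      # the finding from the exhibit
    ("10.20.4.0/24", 5432, 5432),   # application subnet
    ("10.30.0.0/16", 5000, 6000),   # port range and source wider than the VPN subnet
    ("192.0.2.0/24", 5432, 5432),   # source with no stated business need
    ("10.20.4.0/24", 22, 22),       # different port, skipped
]

if __name__ == "__main__":
    for cidr, verdict in audit_ingress(SAMPLE_RULES):
        print(f"{cidr:<16} {verdict}")
```

The broader_than_approved verdict catches the rule that looks internal but still admits hosts outside the approved VPN subnet.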

Question 10

Topic: Data and Database Security

A DBA is preparing a daily reporting database for a clinical operations dashboard. The source tables include patient names, dates of birth, medical record numbers, diagnosis codes, and appointment notes. Analysts only need counts by clinic, month, and diagnosis category. The DBaaS environment is approved for the organization’s region, but identifiable health data must not be exposed to analysts. Which action is the BEST professional decision?

Options:

  • A. Publish de-identified aggregate reporting tables with restricted access

  • B. Replicate the raw source tables and require analyst confidentiality training

  • C. Mask only payment fields before loading the reporting database

  • D. Encrypt the reporting database and grant analysts full read access

Best answer: A

Explanation: Patient identifiers combined with diagnosis codes and appointment notes should be handled as PHI and PII. Because analysts only need aggregate counts, the DBA should reduce exposure by publishing de-identified or aggregated reporting tables and restricting access to those reporting objects. Encryption and an approved region are important baseline controls, but they do not by themselves satisfy the requirement to keep identifiable health data away from analysts. The control selection should follow the data category and the business need: minimum necessary access, de-identification where possible, and role-based access to the derived reporting dataset.

  • Raw replication exposes identifiers and health details that analysts do not need.
  • Encryption only protects storage and transmission but still allows authorized analysts to view PHI.
  • Payment masking focuses on PCI-type data and ignores patient identifiers and clinical data.

Continue with full practice

Use the CompTIA DataSys+ DS0-002 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.



Revised on Thursday, May 28, 2026