Question No: 1

Based on which four factors can a Oracle Database Vault prevent access?
A. Time of day
B. IP address
. Pro!ram name
D. ustom"desi!ned factor
#. Values in a column
Answer: A, B, C, D
#$planation%
&ith Database Vault or!ani'ations can define authori'ation rules based on internal and e$ternal
factors( suchas ip address( time of day( application bein! used( authentication type( etc. Database
Vault rules can beassociated with over two do'en individual database commands( such as create
table( create view( drop tableand comes with many built"in factors( all of which can be e$tended
via APIs
Question No: 2
&hich of the followin! tas)s is the first tas) to perform when implementin! Oracle Database
Vault?
A. reate command rules
B. reate command rule sets
. reate protection realms
D. Define master )eys
Answer: C
#$planation%
*rom Vault Administrator +uide
&hat Are ,ealms?
After you create a realm( you can re!ister a set of schema ob-ects or roles .secured ob-ects/ for
realmprotection and authori'e a set of users or roles to access the secured ob-ects.
Question No: 3
&hy would you use an auto"open wallet Instead of a standard encryption wallet?
A. To save on stora!e space
B. To increase the level of security on your encrypted data
. To avoid manual Intervention to allow access to encrypted data after an automatic system
restart
D. 0ou must use an auto"open wallet with tablespace"based Transparent Data #ncryption .TD#/
Answer: C
#$planation%
Because wallet is closed after restart and it has to be opened a!ain for usin! TD#.
0ou must enable auto lo!in if you want sin!le si!n"on access to multiple Oracledatabases% such
access is normally disabled( by default. 1ometimes the obfuscated autolo!in wallets are called
211O wallets3 because they support sin!le si!n"on capability.
Question No: 4
&hich two of the followin! features or options !ive you the ability to set fine"!rained access
control?
A. Advanced 1ecurity Option
B.Oracle Database Vault
. Oracle Audit Vault
D. Virtual Private Database
#. Oracle 4abel 1ecurity
Answer: A, E
#$planation%
4abel 1ecurity is used to implement security based on data values in individual rows
Question No: 5
&hen will the chan!es in Database Vault access permissions ta)e effect?
A. Immediately
B. The ne$t time the database server is stopped and started
. After the ne$t database bac)up
D. After an A4T#, 101T#5 DBV is issued
Answer: A
#$planation%
han!es to Database Vault permissions ta)e effect immediately.
Question No: 6
0our customer wants to add an additional level of security to their data( based on values in
individual records.
They can specify a !roup of records for access control with a simple &6#,# clause. &hich
security feature or option will !ive them this capability for the lowest cost?
A. Advanced 1ecurity Option
B. Oracle Database Vault
. Oracle Audit Vault
D. Oracle Data 5as)in! Pac)
#. Virtual Private Database
*. Oracle 4abel 1ecurity
Answer: E
#$planation%
Oracle Virtual Private Database .VPD/. This feature restricts data access by creatin! a policy that
enforces a &6#,# clause for all 174 statements that 8uery the database. 0ou create and
mana!e the VPD policy at the database table or view level( which means that you do not modify
the applications that access the database.
Question No: 7
&hich of the followin! Is 9OT a responsibility defined within Oracle Database Vault?
A. Account 5ana!ement
B. Database Administration
. 1ecurity Administration
D. ,A Administration
Answer: B
#$planation%
0ou can add:delete and confi!ure Vault on ,A nodes. an mana!e accounts and security.
Question No: 8
&hat data mas)in! techni8ue ensures that a customer number !ets mas)ed to the same value
across all databases?
A. ondition"based mas)in!
B. ompound mas)in!
. Deterministic mas)in!
D. ,elationship mas)in!
Answer: C
#$planation%
5as)in! data usin! the same type of mas)in! for a data column in all tables of database and
even in multiple databases.
Question No: 9
&hen implementin! Transparent Data #ncryption .TD#/( which of the followin! answers
describes
the correct order of the listed operations?
A. reate a wallet( create a master )ey( and create tables that contain encrypted columns.
B. reate tables that contain encrypted columns( create a wallet( create a master )ey( and open
the wallet.
. reate a wallet( open the wallet( create a master )ey( and create tables that contain encrypted
columns.
D. reate a master )ey( create a wallet( open the wallet( and create tables that contain encrypted
columns.
Answer: A
#$planation%
1tep ;% reate the &allet
To create the wallet( use the A4T#, 101T#5 174 statement. By default( the Oracle wallet
stores
a history of retired master )eys( which enables you to chan!e them and still be able to decrypt
data
that was encrypted under an old master )ey
A4T#, 101T#5 1#T #9,0PTIO9 <#0 ID#9TI*I#D B0 2password3=
This statement !enerates the wallet with a new encryption )ey and sets it as the current
transparent data encryption master )ey.
Immediately after you create the wallet )ey( the wallet is open( and you are ready to start
encryptin! data.
Question No: 10
&hen is Transparent Data #ncryption invo)ed?
A. &hen tri!!ered by an administrator
B. Durin! all I>O operations
. Automatically in batches
D. Only when the data is initially loaded into the database
Answer: B
#$planation%
6ow Transparent Data #ncryption &or)s
Afterward( when a user enters data into an encrypted column( Oracle Database performs the
followin! steps%
?.,etrieves the master )ey from the wallet.
;.Decrypts the encryption )ey of the table from the data dictionary.
@.Ases the encryption )ey to encrypt the data the user entered into the encrypted column.
B.1tores the data in encrypted format in the database.
Question No: 11
Oracle Data 5as)in! Pac) allows you to perform which three actions?
A. Ase predefined mas) formats
B. Bac) up your data
. Preview sample data before mas)in!
D. Define application mas)in! templates
Answer: A, C, D
#$planation%
ItCs not a bac)up solution but it has an opportunity to share data( where sensitive information is
mas)ed.
Question No: 12
&hich of the followin! re8uires values in a specific column in tar!eted tables?
A. Database Vault realms
B. Database Vault command rules
. Virtual Private Database
D. 4abel 1ecurity
Answer: C
#$planation%
VPD Provides column"level security .column mas)in!/
Question No: 13
To implement a ri!orous separation of duties policy( you should have separate named accounts
defined for which three of the followin! areas?
A. Database account mana!ement
B. Database security mana!ement
. Batch users
D. Bac)up
Answer: A, B, D
#$planation%
Oracle Database Vault defines the followin! main responsibilities%
Account mana!ement. Account mana!ement entails creatin!( modifyin!( and droppin! user
accounts.
1ecurity administration. 1ecurity administration covers basic security tas)s such as creatin!
realms andcommand rules( settin! security policies for database usersC access( and authori'in!
database users for -obsthey are allowed to perform.
,esource mana!ement. ,esource mana!ement refers to mana!in! the database system but not
accessin!business data. It includes the followin! operations%
DBac)up operations re8uire a predefined time to perform the bac)up usin! predefined tools.
DTunin! and monitorin! operations re8uire on!oin! performance monitorin! and analysis.
DPatchin! operations re8uire temporary access only durin! the time the patchin! ta)es place
Question No: 14
&hich of the followin! statements about Transparent Data #ncryption .TD#/ is 9OT true?
A. *or a partitioned table( you can have some partitions in encrypted tablespaces and some in
non" encrypted tablespaces.
B. *or a partitioned table( you can encrypt a column in some partitions and not in others.
. A ran!e"based selection condition can use an inde$ with tablespace"based Transparent Data
#ncryption.TD#/.
D. An inde$ on a value in an encrypted tablespace does not have to be encrypted.
Answer: A
#$planation%
O,A";E@BF% an encrypted column cannot serve as a partitionin! column
ause% An attempt was made to encrypt a partitionin! )ey column or createpartitionin! inde$
with
encrypted columns.
Action% The column must be decrypted.
O,A";E@BG% encryption properties mismatch
ause% An attempt was made to issue an A4T#, TAB4# #H6A9+#
PA,TITIO9 I 1ABPA,TITIO9 command( but encryption properties weremismatched.
Action% 5a)e sure encryption al!orithms and columns )eys are identical. Thecorrespondin!
columns must be encrypted on both tables with the same salt andnon"salt flavor.
0ou can create an inde$ on an encrypted column if it has been encrypted without salt.
TD# tablespace encryption also allows inde$ ran!e scans on data in encryptedtablespaces. This
is not possible with TD# column encryption.
If you need to perform ran!e scans over inde$ed( encrypted(columns( then you should use TD#
tablespace encryption in place ofTD# column encryption.
Question No: 15
&hich two of the followin! are reasons to use Oracle Audit Vault?
A. To consolidate audit reports from multiple databases
B. To reduce the performance impact of auditin! across multiple databases
. To limit space re8uired for audit trails
D. To ensure consistent auditin! across multiple databases
Answer: A, C
#$planation%
Audit repository e$ists for Oracle database .,elease ?J.;.J.B/ to consolidate and mana!e audit
trail records.
By default( A,6IV#4O+ mode is enabled in the Audit Vault 1erver database. The
A,6IV#4O+ modecopies filled online redo lo!s to dis). This enables you to bac) up the
database while it is open and bein!accessed by users( and to recover the database to any desired
point in time. 0ou should monitor the dis)space usa!e for the redo lo!s
Question No: 16
The data in the primary database is encrypted usin! TD#. &ith which type of Data +uard
standby
must you have a wallet open on the standby server?
A. Physical standby
B. 4o!ical standby
. Both physical and lo!ical standby
D. 9either physical nor lo!ical standby re8uires an open wallet
Answer: C
#$planation%
Oracle Data +uard supports Transparent Data #ncryption .TD#/. If the primarydatabase uses
TD#( then each standby database in a Data +uard confi!uration musthave a copy of the
encryption wallet from the primary database. If you reset themaster encryption )ey in the
primary
database( then the wallet containin! the masterencryption )ey needs to be copied to each standby
database.
Question No: 17
In terms of security( what use case is a classic e$ample of separation of duties?
A. Denyin! users access to administrative functions
B. Denyin! mana!ers access to employee data
. Denyin! administrators access to data values
D. Allowin! administrators to bac) up data from only one department
#. Allowin! administrators to bac) up data from an entire enterprise
Answer: C
#$planation%
1eparation of duties is denyin! administrators access to data values.
Question No: 18
0our customer reali'es that they must implement more robust and fle$ible auditin! for their
enterprise databases. 6owever( based on the specific re8uirements of their particular industry(
they are concerned that they may not be able to achieve their !oals with Oracle Audit Vault.
&hich
three features does Oracle Audit Vault provide to allow them to achieve their very specific !oals?
A. 0ou can use Oracle Audit Vault to compare security policies with current settin!s on tar!et
databases.
B. 0ou can use Orade Audit Vault to create custom audit reports to span audit information from
multipledatabases.
. 0ou can use Oracle Audit Vault to provide custom auditin! for many different types of
databases.
D. 0ou can use Oracle Audit Vault to collect data from multiple types of databases.
Answer: B, C, D
#$planation%
This section provides !uidelines for selectin! the correct Oracle Audit Vault collectorfor the
source
databases from which you want to e$tract audit data. In brief( for OracleDatabase( the type of
collector that you select depends on the type of auditin! that youhave enabled in the source
database. The 5icrosoft 174 1erver( 1ybase A1#( and IB5DB; databases each use one
collector specific to each of these database products.
Question No: 19
6ow do you handle Oracle audit trails after the audit records have been inserted into Oracle
Audit
Vault?
A. Audit trails must be deleted manually
B. Oracle Audit Vault automatically cleans up audit trails after the audit records have been
inserted Into the Vault.
. 0ou cannot delete any audit trails when usin! Oracle Audit Vault.
D. 0ou schedule Oracle Audit Vault -obs to clean up audit trails on a scheduled basis.
Answer: B
#$planation%
Oracle Audit Vault is inte!rated with the DB51KAADITK5+5T pac)a!e on a sourcedatabase.
This inte!ration automates the pur!in! of audit records from the AADL and*+AK4O+L files(
and
from the operatin! system .aud and .$ml files after they havebeen successfully inserted into the
Audit Vault repository by the Audit Vault collector.
Question No: 20
han!in! the master )ey uses fewer resources than chan!in! table )eys.
A. T,A#
B. *A41#
Answer: A
#$planation%
han!in! the master )ey re8uires fewer resources than chan!in! the table )eys( which
re8uire re)eyin! the data.
Question No: 21
&hich four are Oracle Data 5as)in! Pac) primitives?
A. ,andom numbers
B. ,andom di!its I1
. ,andom ima!es
D. ,andom dates
#. ,andom strin!s
Answer: A, B, D, E
#$planation%
Asin! the Data 5as)in! Pac) sensitive data irreversibly replaced with realistic"loo)in!but
scrubbed data based on rules and templates. The ori!inal data cannot be retrieved(recovered(
orrestored. By mas)in! sensitive data it is no lon!er sensitive or sub-ectto re!ulatory
re8uirements
and can be shared with internal or e$ternal !roups.
The D5P offers uses an e$tensible format library for consistent mas)in! of fields. Theout"of"
thebo$ format library can be e$tended by customers and third"parties based onapplication
specific
best practices. The mas)in! rules are applied automatically acrossall databases in the enterprise
maintainin! referential inte!rity for applications.
Question No: 22
6ow many mas)in! operations must be performed to mas) si$ columns in a table?
A. 9one
B. One
. Three
D. 1i$
Answer: D
#$planation%
? per column
Question No: 23
&hich utili'es a two"tier architecture?
A. Advanced 1ecurity
B. Oracle Database Vault
. Oracle Audit Vault
D. Oracle 4abel 1ecurity
#. Oracle Data 5as)in! Pac)
*. Virtual Private Database
Answer: A
#$planation%
Advanced 1ecurity Option uses a two"tier architecture for )ey mana!ement.
Question No: 24
&hy would a mer!er or ac8uisition lead to the need for Oracle Audit Vault?
A. 4ar!er amounts of data would re8uire more resources for auditin!
B. 6etero!eneous databases could benefit from a centrali'ed audit repository
. Oracle Audit Vault can help identify differences in security schemes
D. Oracle Audit Vault can help to consolidate database schemas.
Answer: B
Question No: 25
0our customer wants to add an additional level of security to their data( based on values In
Individual records.
The !ood news is that they have a column in the tar!et table that lists the application role they
would li)e to use to control access. &hich security feature or option will !ive them this
capability in
the most efficient way?
A. Advanced 1ecurity Option
B. Oracle Database Vault
. Oracle Audit Vault
D. Oracle Data 5as)in! Pac)
#. Virtual Private Database
*. Oracle 4abel 1ecurity
Answer: D
#$planation%
&ith Oracle 4abel 1ecurity( you restrict user access to data by focusin! on row data( and
desi!nin! differentlevels of access based on the sensitivity of your data.
Question No: 26
6ow can you protect Oracle Database Vault Audit records?
A. By restrictin! access to the DBV.AADIT tables
B. 0ou donCt have to D Oracle Database Vault audit records are protected.
. &ith standard separation of duties
D. By definin! usin! the Audit role defined within Oracle Database Vault.
Answer: B
#$planation%
By default( Oracle Database Vault is enabled in the Audit Vault 1erver. Oracle
Database Vault restricts access to the data in the Audit Vault 1erver from any user(includin! users
who have administrative access. *or Oracle Audit Vault( OracleDatabase Vault protectsthe Audit
Vault 1erver by usin! a realm. To ensure that thedata in the Audit Vault 1erver is protected( do
not
disable Oracle Database Vault.
Question No: 27
&hich two of the followin! Oracle Audit Vault collectors re8uire the db to be open to start?
A. Operatin! system audit collector
B. Database audit collector
. ,edo collector
D. ODB collector
Answer: C, D
#$planation%
Applies to all collectors( as follows%
Oracle Database DBAAD( O1AAD( and ,#DO collectors. ontains monitorin! information
such
as whether the collector is active and how many records were sent. *or the ,#DO collector( the
1treams framewor) performs the actual collection( so the Oracle Audit Vault a!ent has no
)nowled!e of the collection.
9on"Oracle Database collectors. ontains a lo! of all collection operations for the 51174DB(
10BDB( and DB; collectors.
Question No: 28
&hich two of the followin! benefits of enhanced data security can increase the opportunities for
your solution?
A. 4ower costs for your development
B. +reater efficiency in usin! your solution
. Access to opportunities that re8uire some form of compliance
D. Added value for your solution
Answer: C, D
Question No: 29
&hich of the followin! encryption al!orithms is the default for Transparent Data #ncryption
.TD#/
tablespace encryption?
A. A#1?;E
B. A#1?M;
. A#1;NF
D. @D#1?FE
Answer: B
#$planation%
By default( TD# uses the A#1 encryption al!orithm with a ?M;"bit )ey len!th .A#1?M;/.
Question No: 30
&hich security re8uirements can affect companies re!ardless of their location in the world?
A. PI
B. 6IPAA
. I1O"MJJJ
D. +4BA
Answer: A
#$planation%
Payment ard Industry security standards can affect companies worldwide.
Question No: 31
&hich four types of a!ents are supported by Oracle Audit Vault for Oracle databases?
A. ,edo
B. Database audit files
. Oracle audit trail from O1
D. Operatin! system 1014O+ flies
#. ODB audit files
Answer: A, B, C, D
#$planation%
Audit Vault supports redo( database and operatin! system based auditin! for the Oracledatabase.
Question No: 32
6ow do you handle partitions with encrypted tablespaces?
A. 0ou cannot have partitions in encrypted tablespaces.
B. 0ou can have different partitions in different tablespaces( both encrypted and not encrypted.
. All partitions must be in the same encrypted tablespace.
D. 0ou can have partitions in multiple tablespaces( as lon! as all of them are encrypted.
Answer: B
#$planation%
0ou can have different partitions in different tablespaces( both encrypted and not encrypted.
Question No: 33
&hich component of Oracle Audit Vault may re8uire multiple instances per tar!eted database
server machine?
A. ollector
B. A!ent
. Orade Audit Vault 1erver
D. Orade Audit Vault consoiidator
Answer: A
#$planation%
0ou confi!ure one collection a!ent for each host and one or more collectors for eachindividual
source database. *or e$ample( if a host contains four databases( then youwould confi!ure one
collection a!ent for that host and one or more collectors for eachof the four databases. The
number of collectors that you confi!ure and the collectiona!ent that you use to mana!e them
depends on the source database type and the audittrails that you want to collect from it.
Question No: 34
The followin! actions are part of the data mas)in! process%
A. ,e"create mas)ed table copy O populate usin! renamed ori!inal table and mappin! table.
B. Disable constraints on table O rename table.
. Build mappin! table containin! ori!inal sensitive and mas)ed values usin! mas)in! routines.
D. Drop renamed table and mappin! table.
#. ,estore constraints based on ori!inal table O collect statistics.
In which order are these actions performed?
A. A"B""D"#
B. #"D""B"A
. A""#"B"D
D. "B"A"D"#
#. "A"B"#"D
Answer: E
#$planation%
The followin! basic steps !uide you throu!h the data mas)in! process( with references to other
sections for supportin! information.
,eview the application database and identify the sources of sensitive information.
Define mas) formats for the sensitive data. The mas) formats may be simple or
comple$ dependin! on the information security needs of the or!ani'ation.
*or more information( see 2reatin! 9ew 5as)in! *ormats3 and 2Asin! Oracle"supplied
Predefined 5as)in! *ormats3.
reate a mas)in! definition to associate table columns to these mas) formats. Data
mas)in! determines the database forei!n )ey relationships and adds forei!n )ey columns to
the mas).
*or more information( see 25as)in! with an Application Data 5odel and &or)loads3.
1ave the mas)in! definition and !enerate the mas)in! script.
Verify if the mas)ed data meets the information security re8uirements. Otherwise( refine
the mas)in! definition( restore the altered tables( and reapply the mas)in! definition until
the optimal set of mas)in! definitions has been identified.
lone the production database to a sta!in! area( selectin! the mas)in! definition to be used after
clonin!. 9ote that you can clone usin! #nterprise 5ana!er( which enables you to add mas)in! to
the #nterprise 5ana!er clone wor)flow. 6owever( if you clone outside of #nterprise 5ana!er(
you
must initiate mas)in! from #nterprise 5ana!er after clonin! is complete. The cloned database
should be controlled with the same privile!es as the production system( because it still contains
sensitive production data.
After clonin!( be sure to chan!e the passwords as well as update or disable any database lin)s(
streams( or references to e$ternal data sources. Bac) up the cloned database( or minimally the
tables that contain mas)ed data. This can help you restore the ori!inal data if the mas)in!
definition needs to be refined further.
*or more information( see 2lonin! the Production Database3.
After mas)in!( test all of your applications( reports( and business processes to ensure they are
functional. If everythin! is wor)in!( you can e$port the mas)in! definition to )eep it as abac)"
up.
After mas)in! the sta!in! site( ma)e sure to drop any tables named 5+5TKD5KTT before
clonin!
to a test re!ion. These temporary tables contain a mappin! between the ori!inal sensitive column
value and the mas) values( and are therefore sensitive in nature.
Durin! mas)in!( #nterprise 5ana!er automatically drops these temporary tables for you with the
default 2Drop temporary tables created durin! mas)in!3 option. 6owever( you can preserve
these
temporary tables by deselectin! this option. In this case( you are responsible for deletin! the
temporary tables before clonin! to the test re!ion.
After mas)in! is complete( ensure that all tables loaded for use by the substitute column format
or
table column format are !oin! to be dropped. These tables contain the mas) values that table
column or substitute formats will use. It is recommended that you pur!e this information for
security
reasons.
*or more information( see 2Deterministic 5as)in! Asin! the 1ubstitute *ormat3.
lone the database to a test re!ion( or use it as the new test re!ion. &hen clonin! the database to
an e$ternal or unsecured site( you should use #$port or Import. Only supply the data in the
database( rather than the database files themselves.
As part of clonin! production for testin!( provide the mas)in! definition to the application
database
administrator to use in mas)in! the database.
Question No: 35
&hich component of Oracle Audit Vault re8uires only one instance per tar!eted database server
machine?
A. ollector
B. A!ent
. Oracle Audit Vault 1erver
D. Oracle Audit Vault consolidator
Answer: B
#$planation%
0ou confi!ure one collection a!ent for each host and one or more collectors for eachindividual
source database. *or e$ample( if a host contains four databases( then youwould confi!ure one
collection a!ent for that host and one or more collectors for eachof the four databases. The
number of collectors that you confi!ure and the collectiona!ent that you use to mana!e them
depends on the source database type and the audittrails that you want to collect from it.
Question No: 36
0ou can encrypt any data type with tablespace encryption.
A. T,A#
B. *A41#
Answer: A
#$planation%
TD# tablespace encryption encrypts all data stored in an encrypted tablespace. This includes
internal lar!e ob-ects .4OBs/ such as B4OBs and 4OBs.
Question No: 37
&hich of the followin! statements is true about the relationship between an Oracle wallet and an
615 device?
A. 0ou !et additional security by havin! an Oracle wallet and an 615 device
B. The Oracle wallet provides more security than an 615 device
. 0ou can have either an Oracle wallet or an 615 device
D. 0ou create a master )ey in an Oracle wallet with an A4T#, 101T#5 command( but use a
hardware"specific command for the same function with an 615 device.
Answer: A
#$planation%
615 is a more secure alternative to the Oraclewallet. TD# can use 615 to provide enhanced
security for sensitive data. An 615 is used tostore the master encryption )ey used for TD#. The
)ey is secure from unauthori'edaccess attempts as the 615 is a physical device and not an
operatin! system file. Allencryption and decryption operations that use the master encryption )ey
areperformed inside the 615. This means that the master encryption )ey is nevere$posed in
insecure memory.
Question No: 38
Identify the two ways that Oracle Database Vault interacts with other Oracle security options and
features.
A. 0ou can use Oracle Database Vault with Advanced 1ecurity.
B. 0ou can use Oracle Database Vault with Oracle Audit Vault.
. 0ou cannot use Oracle Database Vault with a Virtual Private Database.
D. 0ou cannot use Oracle Database Vault with Oracle 4abel 1ecurity.
Answer: A( B
#$planation%
Oracle Audit Vault can collect the audit data for Oracle Database Vault. Transparent Data
#ncryption .part of Advanced 1ecurity/ complements Oracle Database
Vault in that it provides data protection when the data leaves the secure perimeter of the
database.
Question No: 39
0our customer is tryin! to decide which type of Transparent Data #ncryption .TD#/ to use. They
want to encrypt about GJP of the columns in a particular table( stored in a sin!le tablespace.
&hich type of encryption would you recommend?
A. olumn"based encryption because it typically performs better
B. Tablespace encryption because it typically performs better unless a very small portion of the
table is to be encrypted
. Tablespace encryption because it typically performs better in all cases
D. olumn"based encryption if some of the encrypted data is lar!e ob-ects( table"based
encryption if there are no lar!e ob-ects to be encrypted
Answer: B
#$planation%
0ou can encrypt a new tablespace while you are creatin! it( but you cannot encrypt an e$istin!
tablespace. As a wor)around( you can use the ,#AT# TAB4# A1 1#4#T( A4T#, TAB4#
5OV#( or use Oracle Data Pump import to !et data from an e$istin! tablespace into an
encrypted tablespace.
Question No: 40
omparin! Transparent Data #ncryption .TD#/ column"based encryption and Transparent Data
#ncryption .TD#/ tablespace"based encryption( which of the followin! statements is true?
A. &ith Transparent Data #ncryption .TD#/ column"based encryption( you cannot chan!e the
master encryption )ey with an A4T#, 101T#5 command.
B. &ith TD# column"based encryption( you cannot prevent encrypted data from havin! the same
distribution of characters that it has unencrypted.
. &ith Transparent Data #ncryption .TD#/ tablespace"based encryption( performance is
!enerally worse thancolumn"based encryption( because encryption is done at the I>O level.
D. &ith TD# tablespace"based encryption( data in the A9DO tablespace is encrypted.
#. &ith TD# tablespace"based encryption( data bloc)s that come from an encrypted tablespace
are stored unencrypted in temporary tables.
Answer: C
#$planation%
TD# column encryption affects performance only when data is retrieved from or inserted into an
encrypted column.
The total performance overhead depends on the number of encrypted columns and their
fre8uency
of access. The columns most appropriate for encryption are those containin! the most sensitive
data.
#nablin! encryption on an e$istin! table results in a full table update li)e any other A4T#,
TAB4#
operation that modifies table characteristics. Administrators should )eep in mind the potential
performance and redo lo! impact on the database server before enablin! encryption on a lar!e
e$istin! table.
A table can temporarily become inaccessible for write operations while encryption is bein!
enabled(
table )eys are bein! re)eyed( or the encryption al!orithm is bein! chan!ed.
Question No: 41
0our customer wants to be alerted whenever an unauthori'ed user tries to access sensitive data
in their database. &hich of the followin! is the easiest way to implement this capability with
Oracle
Audit Vault?
A. 0ou cannot do this with Oracle Audit Vault because you can use only predefined alerts.
B. reate a custom Oracle Audit Vault alert to report a failed lo!in attempt.
. reate a custom Oracle Audit Vault alert to report an attempt to view sensitive data.
D. ,un fre8uent reports on the Oracle Audit Vault repository to determine if any attempts had
been made to view sensitive data.
Answer: C
Question No: 42
To which two levels of data or!ani'ation can a Oracle Database Vault realm prevent access?
A. Table
B. olumn
. ,ows in a table
D. 1chema
#. Database
Answer: A, D
#$planation%
+uidelines for Desi!nin! ,ealms
reate realms based on the schemas and roles that form a database application
There are situations in which you may want to protect an ob-ect by a realm( but still enable
access
to ob-ects that are part of this realm"protected ob-ect. *or e$ample( suppose you create a realm
around a specific table.
6owever( you want users to be able to create an inde$ on this
Question No: 43
&hich three processes are included in the pre"mas)in! validation?
A. hec) space availability
B. hec) presence of default partitions
. #nsure formats donCt match column data types
D. &arn about chec) constraints
#. #nsure there are no uni8ueness constraints
Answer: A, B, C
#$planation%
Prior to mas) e$ecution( Oracle Data 5as)in! Pac) performs several pre"mas) validation
chec)s(
suchas validatin! that the mas) formats matches the table data types( chec)in! for space( to
ensure that themas)in! process is error"free.
Pre"5as)in! Validation #nsure uni8ueness can be maintained #nsure formats matchcolumn data
types hec) 1pace availability &arn about hec) onstraints hec) presenceof default
Partitions
Question No: 44
0our customer has been told by their auditors that they must implement the principle of least
privile!e across all their sensitive data( but they are not sure what this means. &hat e$planation
will best e$plain this principle?
A. 0ou should !rant system privile!es to the smallest number of administrators who really need
it.
B. All users will have the least amount of privile!e that will allow them to do their -obs.
. Access control will be implemented by the least number of administrators.
D. They should implement a separate set of security procedures to deny access to sensitive data(
and allow the least number of privile!ed users to avoid these procedures.
Answer: D
Question No: 45
&hat database security feature or option is used to enforce stron! authentication?
A. Advanced 1ecurity
B. Oracle Database Vault
. Oracle Audit Vault
D. Oracle 4abel 1ecurity
#. Oracle Data 5as)in! Pac)
*. Virtual Private Database
Answer: A
#$planation%
Oracle also recommends( if possible( usin! Oracle Advanced 1ecurity .an option to Oracle
Database #nterprise #dition/ with networ) authentication services .such as <erberos/( to)en
cards(
smart cards( or H.NJMcertificates. These services provide stron! authentication of users( and
provide better protection a!ainst unauthori'ed access to Oracle Database.
Question No: 46
Prior to Oracle Audit Vault ?J.;.@.;( what was the purpose of the
,#*,#16K&A,#6OA1#KDATA Audit Vault -ob?
A. To collect audit trail information from a!ents
B. To load collected Oracle Audit Vault rows into the repository
. To refresh audit statistics in the tar!et databases
D. To reset totals in the Oracle Audit Vault repository
Answer: B
#$planation%
,efreshes the data warehouse with the data in the raw audit data store since the last
refresh operation.
1tartin! with this release( the Oracle Audit Vault data warehouse is automatically refreshed with
incomin! audit data as it collects audit data. Because the warehouse is refreshed in real"time(
auditors can !enerate more accurate reports on audited activities.
Question No: 47
&hich three of the followin! are re8uirements that can lead to !reater security re8uirements?
A. PI
B. 1OH
. 6IPPA
D. &&*
#. I1O"MJJJ
Answer: A, B, C
#$planation%
By restrictin! administrator access to your Oracle databases( Oracle Database Vault helps you to
followcommon re!ulatory compliance re8uirements( such as the Payment ard Industry .PI/
Data 1ecurity1tandard .D11/ re8uirements( 1arbanes"O$ley .1OH/ Act( #uropean Anion .#A/
Privacy Directive( and6ealthcare Insurance Portability and Accountability .6IPAA/ Act.
Question No: 48
&hich of the followin! collectors can access audit records from more than one audit source?
A. DB;
B. 174 1erver
. 1ybase
D. Informi$
Answer: B
#$planation%
A database instance that has been confi!ured to send audit data to Oracle Audit Vault.
The audit data source consists of databases( applications( or systems that !enerateaudit data. *or
the current release of Oracle Audit Vault( the followin! databaseproducts are audit data sources%
Oracle Database
5icrosoft 174 1erver
1ybase A1#
IB5 DB;
Question No: 49
&hich of the followin! is 9OT an AVO,4DB command?
A. setup
B. startKa!ent
. addKsource
D. addKcollector
Answer: B
#$planation%
Audit Vault Oracle Database .AVO,4DB/ Atility ommands
avorcldb
addKcollector
addKsource
alterKcollector
alterKsource
dropKcollector
dropKsource
"help
setup
verify
Question No: 50
&hich of the followin! is 9OT a reason to audit data?
A. <now what is !oin! on before others tell you
B. Proactively protect data from unauthori'ed access
. Insure compliance with re!ulations
D. Become aware of access patterns on your data
Answer: B
Question No: 51
&hat Oracle technolo!y is used to implement reports in Oracle Audit Vault?
A. Oracle ,eport
B. 174QPlus
. Oracle Application #$press
D. #nterprise 5ana!er
Answer: C
#$planation%
The Audit Vault repository has an open schema that enables the use of business intelli!ence and
analysistools as well as sophisticated reportin! capabilities. The Oracle Audit Vault warehouse
can be accessed fromOracle BI Publisher( Oracle Application #$press( or any @rd party reportin!
tools. This further increases theability to !enerate custom reports for compliance and security
re8uirements.
Question No: 52
&hich two of the followin! features or options can be used to implement security based on data
values in individual rows?
A. Advanced 1ecurity
B. Oracle Database Vault
. Oracle Audit Vault
D. Oracle 4abel 1ecurity
#. Oracle Data 5as)in! Pac)
*. Virtual Private Database
Answer: D, F
#$planation%
Both Oracle Virtual Private Database .VPD/ and Oracle 4abel 1ecurity .O41/ enable you to
restrict the data that different users can see in database tables. But when should you use Virtual
Private Database and when should you use Oracle 4abel 1ecurity? Virtual Private Database is
effective when there is e$istin! data you can use to determine the access re8uirements. *or
e$ample( you can confi!ure a sales representative to see only the rows and columns in a
customer
order entry table for orders he or she handles. Oracle 4abel 1ecurity is useful if you have no
natural data .such as user accounts or employee IDs/ that can be used to indicate a tableCs access
re8uirements. To determine this type of user access( you assi!n different levels of sensitivity to
the table rows.
Question No: 53
*rom which four databases can audit records be collected by Oracle Audit Vault a!ents?
A. Oracle
B. 174 1erver
. DB;
D. 5y174
#. 1ybase
Answer: A, B, C, E
#$planation%
About Plannin! the 1ource Database and ollector onfi!uration
Plannin! the Oracle 1ource Database and ollector onfi!uration
Plannin! the 5icrosoft 174 1erver 1ource Database and ollector onfi!uration
Plannin! the 1ybase A1# 1ource Database and ollector onfi!uration
Plannin! the IB5 DB; 1ource Database and ollector onfi!uration
Question No: 53
&hich two of the followin! security options can produce reports of security violations?
A. Advanced 1ecurity Option
B. Oracle Database Vault
. Oracle Audit Vault
D. Oracle 4abel 1ecurity
#. Oracle Data 5as)in! Pac)
Answer: B, C
#$planation%
The DVK1#A9A401T role enables the user to run Oracle Database Vault reportsand monitor
Oracle Database Vault.
Question No: 54
*or a hi!h"profile financial company( what is the avera!e cost of a security breach( includin!
tas)s such as notification( fines and lost opportunities( accordin! to *orrester ,esearch?
A. L?J(JJJ per breach
B. L?JJ(JJJ per database
. LGN(JJJ if a financial application is breached
D. L@JJ per record breached
#. There is no direct cost.
Answer: D
Question No: 55
&hich of the followin! maintains referential inte!rity while securin! data?
A. Advanced 1ecurity Option
B. Oracle Database Vault
. Oracle Audit Vault
D. Oracle Data 5as)in! Pac)
#. Oracle 4abel 1ecurity
*. Virtual Private Database
Answer: D
#$planation%
Data mas)in!( on the other hand( is a methodolo!y intended to protect the content of data in
nonproduction environments while ensurin! it maintains the referential inte!rity of the ori!inal
production data.