Free DAMA CDMP Governance Practice Questions: Policies Standards Rules and Controls

Topic snapshot

Sample questions

These are original IT Mastery practice questions aligned to this topic area. They are not official exam questions, copied live-exam content, or exam dumps. Use them for self-assessment, scope review, and deciding what to drill next.

Question 1

Topic: Policies Standards Rules and Controls

A data governance council has approved enterprise data definitions, naming standards, and quality rules for customer data. Project teams still create local field names and discover conflicts during production readiness reviews, causing rework. The council wants better compliance without having the central governance team design every data model. Which adoption approach best addresses the problem?

Options:

• A. Allow local names if mappings are added after release

• B. Embed steward review and automated checks in delivery gates

• C. Ask database administrators to rename fields during maintenance

• D. Publish the standards and request project manager sign-off

Best answer: B

Explanation: Standards adoption improves when governance requirements are built into the processes where data is created, changed, and released. A steward review can confirm business meaning, while automated checks can detect naming or quality-rule issues early. This supports compliance without shifting model design to the governance council. It also creates a practical control point for exceptions, remediation, and evidence of adherence. Late cleanup or passive publication treats standards as advisory rather than operational controls.

• Publishing standards alone relies on awareness and voluntary behavior, so it does not prevent repeated noncompliance.
• Database administrator cleanup addresses symptoms after design decisions have already created rework.
• Post-release mappings document inconsistency but do not enforce the approved definitions and naming standard before use.

Question 2

Topic: Policies Standards Rules and Controls

A data governance council approved a customer data standard six months ago, but adoption remains inconsistent across sales, billing, and support. The standard has an assigned data owner, named stewards, and a policy requirement for auditable use in regulatory reporting. Teams say the standard is posted on the intranet, but project deadlines still lead to local exceptions and conflicting definitions. Which governance decision should the council make?

Options:

• A. Discipline teams that used conflicting definitions

• B. Republish the approved standard with a reminder email

• C. Define adoption controls, exception handling, monitoring, and escalation

• D. Ask the catalog administrator to lock the glossary term

Best answer: C

Explanation: Standards enforcement means embedding the standard into governance controls and operating routines so adoption can be verified and exceptions can be managed. In this situation, the council already has an approved standard, ownership, stewardship roles, and a regulatory reporting risk. The missing element is not more publication, but enforceable adoption: defined controls, evidence of use, exception approval, monitoring, and escalation when projects bypass the standard. Enforcement is not primarily punitive; sanctions may exist, but the governance purpose is to make the expected behavior clear, measurable, and accountable. Tool configuration can support enforcement, but it does not replace decision rights, stewardship review, and exception governance.

• Punitive reaction addresses past behavior but does not create a repeatable adoption mechanism or manage justified exceptions.
• Passive publication assumes awareness is enough, even though the scenario shows teams already know where the standard is posted.
• Tool-only control may protect a glossary term but cannot enforce project adoption, regulatory evidence, or cross-domain escalation by itself.

Question 3

Topic: Policies Standards Rules and Controls

A data governance council is reviewing four draft statements for a new customer data governance document set. Which statement belongs in the data policy rather than in a supporting standard, procedure, control, or implementation note?

Options:

• A. Data stewards review suspected duplicates every Friday morning.

• B. Customer country values must use ISO 3166-1 alpha-2 codes.

• C. Access reports are sampled monthly for unauthorized customer-data use.

• D. Customer data must have accountable ownership and approved business use.

Best answer: D

Explanation: A data policy expresses management intent, accountability, and expected behavior for a governed data domain. It should be broad enough to guide decisions across systems and business units, while leaving detailed requirements to lower-level documents. A standard defines required formats or rules, such as code sets. A procedure describes how people perform work. A control check verifies whether policy or standards are being followed. In this scenario, the statement about accountable ownership and approved business use belongs in the policy because it sets the governance expectation; the other statements translate that expectation into detail, execution, or assurance.

• Format detail belongs in a standard because it specifies an allowed value pattern for implementation.
• Steward activity belongs in a procedure because it names a recurring work step and timing.
• Assurance sampling belongs in a control because it checks compliance with access expectations.

Question 4

Topic: Policies Standards Rules and Controls

A data governance council is approving controls for customer data sets shared with analytics teams. Constraints: the data owner keeps decision rights for access exceptions, audit requires evidence that controls operate, releases must not include unclassified confidential fields, and prior violations must be remediated with accountable owners. Which governance decision best classifies the needed controls?

Options:

• A. Directive: access review; preventive: remediation workflow; detective: classification standard; corrective: release gate

• B. Directive: remediation workflow; preventive: classification standard; detective: release gate; corrective: access review

• C. Directive: release gate; preventive: access review; detective: remediation workflow; corrective: classification standard

• D. Directive: classification standard; preventive: release gate; detective: access review; corrective: remediation workflow

Best answer: D

Explanation: Data governance controls should be classified by their purpose. A directive control tells people what is expected, such as a data classification standard. A preventive control reduces the chance of a violation before it occurs, such as a release gate that blocks unclassified confidential fields. A detective control identifies possible violations after or during operation, such as periodic access reviews that create audit evidence. A corrective control restores compliance and accountability after an issue is found, such as a remediation workflow with owners and due dates. The key is not who performs the task, but what the control is intended to do in the governance process.

• Access review as preventive fails because a review primarily detects inappropriate access rather than blocking release by itself.
• Remediation as detective fails because remediation fixes a confirmed issue rather than identifying it.
• Standard as corrective fails because a standard directs expected behavior; it does not restore compliance after a violation.

Question 5

Topic: Policies Standards Rules and Controls

A data governance team has a documented control requiring business data owners to review access exceptions for confidential customer data each month and either approve a justified exception or escalate it to the governance council. Which monitoring evidence best shows the control is operating as intended?

Options:

• A. An approved data access policy naming the control owner

• B. Monthly logs showing reviewed exceptions, decisions, dates, and escalations

• C. A RACI matrix assigning review responsibility to data owners

• D. A workflow diagram showing the intended exception path

Best answer: B

Explanation: Control monitoring should verify performance, not only existence. For a governance control, strong evidence shows that the required activity occurred, by whom, when, and with what outcome. In this scenario, the activity is monthly review of confidential-data access exceptions, followed by approval or escalation. Logs with reviewed exceptions, decisions, dates, and escalations provide operational evidence that can be tested against the control requirement. Documents such as policies, RACIs, and workflow diagrams are important control design artifacts, but they do not prove that the control was performed in a specific period.

• Policy evidence confirms authorization and ownership, but it does not show monthly reviews actually happened.
• RACI evidence clarifies accountability, but assignment alone is not proof of control execution.
• Workflow evidence describes the intended path, but it does not demonstrate decisions or escalations occurred.

Question 6

Topic: Policies Standards Rules and Controls

A data governance council has approved a policy stating that enterprise reference data must be governed and consistently used. Two sales platforms still use different customer status values, causing inconsistent reporting. The teams need an approved list of allowed values, naming conventions, and criteria for requesting changes. Which governance artifact should be created or revised?

Options:

• A. Stewardship procedure

• B. Data governance charter

• C. Reference data standard

• D. Data quality issue log

Best answer: C

Explanation: A policy states the governance intent and authority, while a standard specifies the required details for consistent implementation. In this case, the policy already exists: enterprise reference data must be governed and consistently used. The missing artifact is the approved set of customer status values, naming rules, and change criteria. Those are standard-level requirements because they define what compliant reference data looks like across platforms. A procedure could describe the step-by-step workflow for requesting a change, but it would not be the primary artifact for defining the allowable values themselves.

• Charter confusion fails because a charter defines the governance body’s purpose, scope, authority, and membership, not customer status values.
• Issue-log focus fails because an issue log tracks problems and remediation status; it does not establish the approved reference data rules.
• Procedure overreach fails because a procedure may explain how to request a change, but the required values and conventions belong in a standard.

Question 7

Topic: Policies Standards Rules and Controls

A data governance team reviews a control for critical data quality issues.

Control summary:

• Assign each critical issue to a named data owner within 2 business days.
• Review open critical issues weekly in the stewardship forum.
• Send unresolved critical issues older than 10 business days to the Data Governance Council.

Finding: The issue was assigned to the data owner on day 1. Weekly reviews flagged it as open on days 7, 14, and 21. The stewardship lead kept it in the remediation backlog, and the council was not notified.

Which weakness is primarily indicated?

Options:

• A. Escalation weakness

• B. Monitoring weakness

• C. Control design weakness

• D. Ownership weakness

Best answer: A

Explanation: The primary failure is in escalation. The control had a clear trigger: unresolved critical issues older than 10 business days must go to the Data Governance Council. Ownership was assigned on time, and weekly monitoring occurred, so the control was not failing at those points. The weakness is that the stewardship lead kept the issue within the remediation backlog after the escalation threshold was met. In data governance, escalation ensures that issues requiring authority, prioritization, or cross-functional decision rights reach the appropriate forum instead of remaining only with operational teams.

• Design weakness does not fit because the control specifies timing, review, and escalation criteria.
• Ownership weakness does not fit because a named data owner was assigned on day 1.
• Monitoring weakness does not fit because weekly reviews repeatedly identified the issue as still open.

Question 8

Topic: Policies Standards Rules and Controls

A data governance council implemented a control requiring every new customer-data element to be classified before production use. Data owners approve classifications, stewards review completeness, and custodians only configure the catalog. An internal audit now asks for monitoring evidence that the control is operating, not just documented. Which evidence is the best governance decision to provide?

Options:

• A. The approved classification policy and stewardship RACI matrix

• B. A screenshot showing the catalog has a classification field

• C. Training attendance records for data stewards and owners

• D. Recent workflow records showing review, owner approval, timing, and exceptions

Best answer: D

Explanation: Monitoring evidence for a governance control should demonstrate actual operation against real events, not only the existence of policy language or tool configuration. Here, the control requires classification before production, with stewards reviewing completeness and data owners approving classifications. Strong evidence would show recent customer-data elements moving through that workflow, who performed each step, whether it occurred before production use, and how exceptions were logged or resolved. That connects the control design to accountable governance behavior and creates evidence suitable for audit or management review.

Documentation, catalog setup, and training can support the control environment, but they do not prove the control was executed for specific data changes.

• Policy documentation defines expectations and responsibilities, but it does not show that classifications were reviewed and approved for actual data elements.
• Catalog configuration proves a field exists, but it does not prove the field was completed, reviewed, or approved before use.
• Training attendance supports readiness, but it does not demonstrate control performance on recent production changes.

Question 9

Topic: Policies Standards Rules and Controls

A data governance council reviews adoption of a customer data standard requiring Customer Type to use an approved reference list. Training completion is 94%, each domain has a named data owner, and the standard supports a quarterly regulatory report. Adoption is only 51%.

Which governance decision is best?

Options:

• A. Repeat standards awareness training for all data stewards

• B. Reassign data ownership to the enterprise reporting team

• C. Block all nonconforming feeds from the regulatory report immediately

• D. Create time-bound exceptions with remediation plans and interim controls

Best answer: D

Explanation: Standards adoption metrics should be interpreted against the adoption barriers behind the number. Here, awareness is high and ownership is already assigned, so low adoption is not primarily a communications or ownership problem. The visible barrier is feasibility: legacy billing platforms cannot change values until scheduled releases. The related governance weakness is exception management because teams are using informal workarounds instead of approved, tracked exceptions. The best governance response is to approve time-bound exceptions, require remediation plans, define interim controls such as mappings or reconciliations, and monitor progress through the governance process. Immediate hard enforcement could damage a regulatory report without solving the root constraint.

• More training does not address the main barrier because steward awareness is already high.
• Changing ownership is unnecessary because each domain already has a named data owner.
• Immediate blocking treats the issue as simple noncompliance and ignores stated system feasibility constraints.

Question 10

Topic: Policies Standards Rules and Controls

A data governance council has approved a rule for customer phone numbers after repeated disputes between sales, service, and marketing teams. The rule specifies that all customer phone numbers must include a country code, be stored in E.164 format, and be validated at capture in every system that creates customer records. Which governance artifact should be created or revised to document this decision?

Options:

• A. Stewardship procedure

• B. Data quality scorecard

• C. Customer data standard

• D. Customer data policy

Best answer: C

Explanation: A policy framework separates broad intent from detailed, enforceable requirements. A data policy might state that customer contact data must be accurate, consistent, and fit for business use. The approved phone-number format and validation requirement is more specific: it defines how data must be represented and checked across systems. That belongs in a data standard, often supported later by procedures, controls, and quality measures. The standard gives projects, stewards, architects, and custodians a common rule to apply consistently.

• Policy rewrite is too broad because the council has already defined a detailed format and validation requirement, not a new principle.
• Stewardship procedure would describe the workflow for handling exceptions or changes, not the required data format itself.
• Quality scorecard would monitor conformance after implementation, but it would not define the mandatory rule.

Continue in the web app

Use IT Mastery for interactive DAMA CDMP Data Governance Specialist practice with mixed sets, timed mocks, topic drills, explanations, and progress tracking.

Try DAMA CDMP Data Governance Specialist on Web

Related focused pages

• Free DAMA CDMP Data Governance Specialist Full-Length Practice Exam
• Data Governance Foundations and Principles
• Governance Strategy Business Case and Value
• Governance Operating Model and Organization
• Roles Responsibilities and Decision Rights
• Governance Issue Management and Resolution
• Glossary and Metadata Governance
• Data Quality Governance
• Security and Compliance Alignment
• Master Reference and Architecture Governance
• Governance Metrics Maturity and Improvement
• Governance Program Operations