Free DAMA CDMP Governance Practice Questions: Security and Compliance Alignment

Practice 10 free DAMA CDMP Data Governance Specialist questions on Security and Compliance Alignment, with answers, explanations, and the IT Mastery next step.

Try the IT Mastery web app for a richer interactive practice experience with mixed sets, timed mocks, topic drills, explanations, and progress tracking.


Topic snapshot

Field | Detail
Practice target | DAMA CDMP Data Governance Specialist
Topic area | Security Privacy Ethics and Compliance Alignment
Blueprint weight | 7%
Page purpose | Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate Security Privacy Ethics and Compliance Alignment for DAMA CDMP Data Governance Specialist. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.

Pass | What to do | What to record
First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer.
Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor.
Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter.
Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 7% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These are original IT Mastery practice questions aligned to this topic area. They are not official exam questions, copied live-exam content, or exam dumps. Use them for self-assessment, scope review, and deciding what to drill next.

Question 1

Topic: Security Privacy Ethics and Compliance Alignment

A marketing analytics team wants to combine loyalty purchases, web behavior, and support transcripts to predict customers likely to cancel. The data owner for loyalty data approved retention analysis, but support transcript ownership is unclear, sentiment fields may reveal sensitive health or financial hardship, and the privacy notice does not mention automated profiling. What is the best governance decision before production use?

Options:

  • A. Pause production and require ethical/privacy review with defined ownership

  • B. Let the analytics team anonymize transcripts and deploy

  • C. Ask IT security to approve access controls only

  • D. Proceed because the retention purpose has business value

Best answer: A

Explanation: Ethical data governance evaluates whether data use is appropriate, transparent, and accountable, not only whether it is technically possible or commercially valuable. Here, the proposed use expands from retention analysis into automated profiling using data with unclear ownership and possible sensitive inferences. A governance response should pause production use long enough to confirm decision rights, assess privacy and ethical risks, communicate with affected stakeholders where needed, and define any limits on use. The goal is not to block analytics indefinitely, but to ensure the initiative has accountable approval, appropriate notice, and controls aligned to responsible use. Technical safeguards may be part of the outcome, but they do not replace governance review when purpose, ownership, and stakeholder impact are unresolved.

  • Business value alone does not resolve consent, transparency, ownership, or sensitive inference concerns.
  • Analytics-led anonymization may reduce risk, but the team should not decide production use limits when decision rights are unclear.
  • Access control approval addresses confidentiality, but ethical review also considers purpose, fairness, notice, and stakeholder impact.

Question 2

Topic: Security Privacy Ethics and Compliance Alignment

A financial services company receives a regulatory inquiry about a campaign analytics dataset that contains customer contact details. Governance policy classifies the data as Confidential, requires data owner approval for each access purpose, requires exceptions to be documented and reviewed quarterly, and allows custodians to provision access only after approval. Which governance evidence would BEST support the control test?

Options:

  • A. A current IAM group export listing users with read access

  • B. An access certification package linking classification, purpose, owner approval, exception status, and provisioning record

  • C. A data steward email stating that marketing needs the dataset

  • D. A catalog page showing the dataset classification and glossary terms

Best answer: B

Explanation: Audit and regulatory evidence should prove that the governance control operated as designed, not merely that access exists. For a Confidential dataset, the strongest evidence connects the policy requirements to an actual access decision: classification, approved business purpose, accountable data owner sign-off, exception status, and the custodian’s provisioning action. That chain supports both decision rights and control execution. Technical access listings, catalog metadata, and informal business statements can support the review, but they do not by themselves show that the required governance approval and exception process occurred.

  • An IAM export shows only who currently has permissions, not whether access was approved for a stated purpose.
  • A steward email may provide context, but it is not formal evidence of data owner approval or exception review.
  • Catalog metadata supports classification and definition control, but it does not prove access approval or provisioning compliance.

Question 3

Topic: Security Privacy Ethics and Compliance Alignment

A retailer’s loyalty program notice says identifiable purchase history is used to calculate rewards and improve inventory planning. A business unit proposes sharing the same purchase histories with an insurance partner to help set individualized wellness premiums, without updating the notice or seeking approval through the responsible-use review. Which ethical governance risk is most directly created by the proposal?

Options:

  • A. Algorithmic bias from unrepresentative training data

  • B. Unexpected reuse beyond the stated purpose

  • C. Excessive collection for the loyalty program

  • D. Weak technical custody of the database

Best answer: B

Explanation: Ethical data governance evaluates whether a proposed use remains consistent with the purpose, context, and expectations under which data was collected. Here, purchase history was collected for rewards and inventory planning, but the new use would affect insurance pricing, a materially different and higher-impact context. That creates purpose creep or unexpected reuse, especially because the notice is not being updated and no responsible-use review is planned. Excessive collection would focus on gathering more data than needed at the time of collection; bias would require evidence about unfair model outcomes or training data; custody would concern technical administration or safeguards. The central issue is the change in use and decision impact.

  • Excessive collection does not fit because the scenario does not say the loyalty program collected unnecessary data.
  • Algorithmic bias is not established because no facts describe skewed training data, proxy discrimination, or disparate outcomes.
  • Technical custody is not the main issue because database administration and access safeguards are not the decisive facts.

Question 4

Topic: Security Privacy Ethics and Compliance Alignment

An audit of a customer analytics mart found that access was approved by platform administrators from informal manager emails, lineage from the CRM source to derived marketing segments is incomplete, and no business role is accountable for the data set. The mart supports regulated customer communications, so the business must provide repeatable evidence of control and traceability. Which governance decision BEST addresses the weakness?

Options:

  • A. Require administrators to retain all access request emails

  • B. Assign accountable business ownership and stewarded control evidence

  • C. Purchase a catalog tool for the analytics mart

  • D. Ask the analytics team to redraw the ETL diagrams

Best answer: B

Explanation: The audit points to a governance weakness, not only a missing technical artifact. Informal access approval, incomplete lineage, and no accountable business role mean decision rights and evidence responsibilities are unclear. A DAMA-aligned response is to establish accountable business ownership, assign stewardship responsibilities, and define the control evidence needed for regulated use, such as approved access decisions, classification or purpose rules, and maintained lineage. Technical teams and tools may help execute the controls, but they do not by themselves create accountability or governance authority.

The key distinction is that custodians operate platforms, while owners and stewards are accountable for business decisions and governance evidence.

  • Retaining emails preserves weak evidence but does not create formal approval authority or repeatable controls.
  • Redrawing ETL diagrams may improve documentation, but it does not resolve ownership or access decision rights.
  • Buying a catalog can support metadata management, but a tool cannot replace assigned accountability and governed processes.

Question 5

Topic: Security Privacy Ethics and Compliance Alignment

A bank wants to use legally collected customer transaction data to train a model that predicts financial stress and triggers targeted product offers. Privacy confirms the notice permits analytics, security confirms only approved analysts can access the data, and the business case shows strong revenue potential. A data steward is concerned the use may exploit vulnerable customers and create unfair outcomes. What governance response best fits the situation?

Options:

  • A. Restrict access to the data to fewer analysts

  • B. Approve the initiative because privacy notice permits analytics

  • C. Prioritize the initiative because the revenue case is strong

  • D. Submit the proposed use for ethical data-use review

Best answer: D

Explanation: Ethical data governance evaluates whether a data use is fair, transparent, accountable, and aligned with organizational values, even when the data was collected legally and access is controlled. In this scenario, privacy compliance and security access control have already been checked, but the proposed use could exploit financially stressed customers or produce unfair impacts. That concern belongs in a responsible-use or ethics review forum, typically involving business, risk, legal/privacy, data governance, and relevant stewardship roles. The key distinction is that privacy asks whether the organization may use the data under applicable obligations, security asks who can access it, and business-value review asks whether the use is worthwhile. Ethical review asks whether the use should proceed and under what safeguards.

  • Privacy-only approval fails because lawful or permitted use does not resolve potential unfairness or customer harm.
  • Access restriction addresses confidentiality but not whether the analytic purpose is responsible.
  • Revenue prioritization treats business value as sufficient, ignoring ethical impacts and stakeholder risk.

Question 6

Topic: Security Privacy Ethics and Compliance Alignment

A customer analytics team wants to reuse support-call transcripts to train a churn model. The transcripts are classified as Restricted because they may contain personal data and payment references. The classification standard allows internal reuse only when the approved purpose, minimum necessary data, retention, masking, and access controls are documented. What governance decision is needed before the transcripts can be shared?

Options:

  • A. Update the business glossary definition for transcripts

  • B. Approve the permitted use and required controls

  • C. Let the analytics project manager accept the data risk

  • D. Ask the platform administrator to grant read-only access

Best answer: B

Explanation: Security classification is a governance trigger, not just a technical label. For Restricted data, reuse must be authorized against the classification standard and privacy obligations before the data is shared. The needed decision should confirm the approved purpose, minimum necessary data, masking or de-identification needs, retention, access controls, and accountable owner or approver. Technical teams may implement access controls after approval, but they do not decide whether the secondary use is allowed. A glossary update may help metadata quality, but it does not authorize use of sensitive data.

  • Read-only access is still access to Restricted data and does not establish an approved purpose or privacy basis.
  • Project risk acceptance is not a substitute for governance authority over classified data reuse.
  • Glossary maintenance improves shared meaning but does not decide whether sensitive transcripts may be reused.

Question 7

Topic: Security Privacy Ethics and Compliance Alignment

A healthcare insurer wants to reuse call-center notes collected for service resolution to build a model that flags members as “likely to delay care” and prioritizes outreach. The source data includes sensitive health context, and members were not told that notes would be used for predictive targeting. Legal counsel says the use may be allowed if controls are added. What is the most appropriate governance response before production use?

Options:

  • A. Ask the data steward to update the business glossary entry

  • B. Route the initiative for responsible-use review and define use limits

  • C. Approve the model because legal counsel found a possible basis

  • D. Proceed after masking direct identifiers in the notes

Best answer: B

Explanation: Ethical data governance goes beyond minimum legal permission. Reusing data for a materially different purpose, especially when sensitive health context and predictive targeting are involved, should trigger responsible-use review before operational deployment. Governance should examine purpose compatibility, fairness, transparency, stakeholder expectations, potential harm, and whether the intended action is appropriate. It may also require member communication, restricted uses, monitoring, or a formal exception. Technical controls such as masking can reduce privacy risk, but they do not by themselves resolve transparency, consent expectation, or impact concerns. Legal permissibility is an input to governance, not a substitute for governance judgment.

  • Masking alone reduces exposure of identifiers but does not address changed purpose, member expectations, or downstream impact.
  • Legal basis alone is insufficient because responsible use includes fairness, transparency, and harm assessment.
  • Glossary maintenance may support clarity later, but it does not authorize sensitive predictive use or define limits.

Question 8

Topic: Security Privacy Ethics and Compliance Alignment

A marketing analytics team requests direct access to production customer records to build a churn model. The dataset includes email addresses, dates of birth, purchase history, and opt-out indicators. The customer domain has an accountable data owner, but the catalog does not clearly document whether the legacy opt-out field supports this new analytics purpose. Policy requires minimum necessary access, privacy review for new uses of personal data, and monitoring for approved sensitive-data access. Which governance decision is BEST?

Options:

  • A. Approve raw access because the project has clear business value

  • B. Restrict raw access and require owner/privacy review before masked, monitored access

  • C. Deny all access until the entire catalog is fully remediated

  • D. Have the data custodian provision access after logging the request

Best answer: B

Explanation: Privacy and security governance should balance business value with accountable decision rights and risk controls. Here, the request involves personal customer data, a new analytics purpose, and unclear metadata about opt-out meaning. The data owner should confirm business authorization and acceptable use, while privacy review should assess purpose compatibility and minimum necessary data. Direct production access to identifiers is not justified from the stated facts, so masked or pseudonymized access with monitoring is the better governed path once approvals are complete. Logging alone is an operational control, not a substitute for governance approval. The key takeaway is that governance enables appropriate use, not unrestricted use or blanket denial.

  • Business urgency does not override policy requirements for privacy review, minimum necessary access, and accountable approval.
  • Custodian action confuses technical provisioning with decision authority over sensitive customer data use.
  • Blanket denial overreacts to the metadata gap; governance can approve controlled use after targeted review and risk treatment.

Question 9

Topic: Security Privacy Ethics and Compliance Alignment

An internal audit finds that several business domains handle the same customer data differently. One domain treats it as confidential and applies consent checks and retention limits; another stores and shares it under a less restrictive category. The audit report cites inconsistent interpretation of policy, not a tool failure. What is the best governance remediation?

Options:

  • A. Use the data governance council to standardize handling decisions

  • B. Run a one-time cleanup of records with inconsistent labels

  • C. Let each domain document its local handling rationale

  • D. Ask system administrators to align access settings in each platform

Best answer: A

Explanation: Audit findings about inconsistent data handling point to a governance control problem: unclear or unevenly applied decision rights, policy interpretation, classification, and accountability across domains. The appropriate response is to bring the issue through the governance forum with authority to resolve cross-domain conflicts, confirm the common interpretation of policy, assign data owners and stewards to remediation actions, and monitor controls or exceptions. Technical changes may be needed later, but they should follow the approved handling standard. Local documentation alone does not resolve conflicting treatment of the same data, and one-time cleanup does not prevent recurrence. The key is to convert the audit finding into governed decisions, accountable remediation, and repeatable compliance evidence.

  • Aligning access settings treats the symptom as a platform configuration issue, but the audit cites inconsistent policy interpretation.
  • Local rationale preserves domain variation instead of resolving the cross-domain conflict.
  • One-time cleanup may correct some records, but it does not establish a repeatable governance control.

Question 10

Topic: Security Privacy Ethics and Compliance Alignment

A bank’s marketing analytics team wants to combine customer transaction history and mobile app behavior to infer likely life events for targeted offers. Legal counsel says existing consent likely permits analytics, and security has approved role-based access. The data spans retail banking and credit cards with separate owners, and no criteria exist for approving sensitive inferences. Which governance response is best?

Options:

  • A. Allow the project because legal consent and access are approved

  • B. Run a governance-led responsible-use review with owners and stewards

  • C. Let marketing proceed after documenting expected revenue benefits

  • D. Have IT security mask direct identifiers before modeling begins

Best answer: B

Explanation: Responsible data use is broader than minimum legal permission or technical access. In this scenario, the proposed use creates sensitive inferences across domains, and ownership is split between business areas. A governance-led review brings the proper decision makers together: data owners for accountability, stewards for meaning and quality context, and governance representatives for policy alignment. The review should define purpose limits, assess potential customer harm or unfairness, decide transparency requirements, and record approval conditions or denial. Security masking and legal review may be useful controls, but they do not replace governance accountability for whether the use is appropriate.

  • Legal permission alone fails because consent and access do not answer whether sensitive inference is appropriate or transparent.
  • Masking identifiers reduces some privacy risk but does not address inferred sensitivity, purpose limits, or cross-domain decision rights.
  • Revenue justification measures business benefit but does not evaluate customer impact, fairness, or accountable approval.

Continue in the web app

Use IT Mastery for interactive DAMA CDMP Data Governance Specialist practice with mixed sets, timed mocks, topic drills, explanations, and progress tracking.
