PrepAway - Latest Free Exam Questions & Answers

Which choice below would NOT be considered an element of proper user account management?

A. A process for tracking access authorizations should be implemented.

B. Periodically re-screen personnel in sensitive positions.

C. The users’ accounts should be reviewed periodically.

D. Users should never be rotated out of their current duties.

Explanation:
Organizations should ensure effective administration of users’ computer access to maintain system
security, including user account management, auditing, and the timely modification or removal of
access. This includes:

User Account Management. Organizations should have a process for requesting, establishing,
issuing, and closing user accounts, tracking users and their respective access authorizations,
and managing these functions.

Management Reviews. It is necessary to periodically review user accounts. Reviews should examine
the levels of access each individual has, conformity with the concept of least privilege, whether
all accounts are still active, whether management authorizations are up-to-date, and whether
required training has been completed.

Detecting Unauthorized/Illegal Activities. Mechanisms besides auditing and analysis of audit
trails should be used to detect unauthorized and illegal acts, such as rotating employees in
sensitive positions, which could expose a scam that required an employee’s presence, or periodic
re-screening of personnel.

Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing
Information Technology Systems.

