Which of the following is incorrect when considering privilege management?

A.
Privileges associated with each system, service, or application, and the defined roles within the organization to which they are needed, should be identified and clearly documented.

B.
Privileges should be managed based on least privilege. Only rights required to perform a job should be provided to a user, group, or role.

C.
An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete and validated.

D.
Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function.

Explanation:
D: An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete and validated. If any signifi cant or special privileges are needed for intermittent job functions, these should be performed using an account specifi cally allocated for such a task, as opposed to those used for normal system and user activity. Th is enables the access privileges assigned to the special account to be tailored to the needs of the special function rather than simply extending the access privileges associated with the users normal work functions. Page 46.