DAC are characterized by many organizations as:

A. Need-to-know controls
B. Preventive controls
C. Mandatory adjustable controls
D. None of the choices

Explanation:
Access controls that are not based on the policy are characterized as discretionary
controls by the US government and as need-to-know controls by other organizations.
The latter term connotes least privilege – those who may read an item of data are
precisely those whose tasks entail the need.