PrepAway - Latest Free Exam Questions & Answers

Which choice below would NOT be considered an element of proper user account management?


A. A process for tracking access authorizations should be implemented.

B. Periodically re-screen personnel in sensitive positions.

C. The users’ accounts should be reviewed periodically.

D. Users should never be rotated out of their current duties.

Explanation:
Organizations should ensure effective administration of users’ computer access to maintain system security, including user account management, auditing, and the timely modification or removal of access. This includes:

User Account Management. Organizations should have a process for requesting, establishing, issuing, and closing user accounts, tracking users and their respective access authorizations, and managing these functions.

Management Reviews. It is necessary to periodically review user accounts. Reviews should examine the levels of access each individual has, conformity with the concept of least privilege, whether all accounts are still active, whether management authorizations are up-to-date, and whether required training has been completed.

Detecting Unauthorized/Illegal Activities. Mechanisms besides auditing and analysis of audit trails should be used to detect unauthorized and illegal acts, such as rotating employees in sensitive positions, which could expose a scam that required an employee’s presence, or periodic re-screening of personnel.

Source: NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.

