Which of the following is less likely to help in assessing identification and authentication controls?

A.
A current list of authorized users and their access

B.
Passwords that are changed at least every 90 days

C.
Inactive user identifications disabled after a specified period of time

D.
A process in place for reporting incidents

Explanation:
Reporting incidents is more related to incident response capability
(operational control) than to identification and authentication (technical control).