What must be documented to specify privileges granted to a user?

Prepare for the PCI Data Security Standard Test with our quiz. Use flashcards and multiple-choice questions to learn each concept. Get ready to excel in your examination!

Multiple Choice

What must be documented to specify privileges granted to a user?

Explanation:
Documenting who can access what and why is essential to enforcing least privilege and traceability. Under PCI DSS, access must be granted based on need-to-know and job function, and every privilege should be justified and approved by someone with authority before it is granted. The best choice captures this by describing a documented approval that specifies the required privileges, creating an auditable record of authorization and ensuring the access matches the user’s role and business need. Simply having a default deny-all status isn’t enough on its own to specify what privileges are granted, and an annual audit checks permissions after the fact rather than documenting the initial authorization. Granting privileges by random selection violates the need-to-know principle and proper control.

