How should changes to security roles be tracked and approved?

• A. Changes are tracked in security administration logs with approvals required
• B. Changes are made informally
• C. Changes are logged only if someone complains
• D. Changes are never recorded

Answer: (A)

Formal change management for security roles requires that every modification to access privileges is tracked in security administration logs and must receive a documented approval before it takes effect. The logs should record who requested the change, who approved it, when it was made, and exactly what permissions were added or removed. Requiring approvals creates accountability and prevents unilateral or inappropriate privilege grants, which helps reduce the risk of privilege escalation and supports separation of duties. This audit trail is also critical for compliance, audits, and incident investigations. Other approaches fall short: making changes informally lacks accountability; logging only if someone complains misses many changes and offers no comprehensive record; and never recording changes leaves no trace for review or regulatory requirements.