DO management should: Develop policies and procedures for performing the quarterly review and reauthorization of privileged OS access, which specify: How to document the review of user access for continued appropriateness and the resulting determinations. Assignment of individual(s) responsible for performing the review(s) across the various privileged OS domains/groups/accounts, who are independent of the access they review and are of the appropriate authority. Identification/Inventory of the privileged OS domains/groups/accounts that are subject to review, to include any privileged OS service groups/accounts.