What security policy element must be documented, in use, and known to all affected parties regarding monitoring access to network resources and cardholder data?


Multiple Choice

What security policy element must be documented, in use, and known to all affected parties regarding monitoring access to network resources and cardholder data?

Explanation:
Having a formal security policy that is documented, in use, and known to all affected parties is essential for controlling access to network resources and cardholder data. This kind of policy provides the rules, responsibilities, and processes that govern how monitoring of access is performed, who is authorized, and how deviations are handled, ensuring consistent security practices across the organization. In PCI DSS, maintaining security policies and operational procedures that address information security for all personnel is required, and these must be documented, actively enforced, and communicated so everyone understands the monitoring expectations. The other options do not establish or communicate security controls or monitoring requirements for network resources and cardholder data.

