CISSP · Question #244
An employee of a retail company has been granted an extended leave of absence by Human Resources (HR). This information has been formally communicated to the access provisioning team. Which of the fol
The correct answer is A. Revoke access temporarily.. When an employee is granted an extended leave of absence, the appropriate identity lifecycle management action is to temporarily revoke access, preserving the account for reinstatement upon return without permanently destroying it.
Question
An employee of a retail company has been granted an extended leave of absence by Human Resources (HR). This information has been formally communicated to the access provisioning team. Which of the following is the BEST action to take?
Options
- ARevoke access temporarily.
- BBlock user access and delete user account after six months.
- CBlock access to the offices immediately.
- DMonitor account usage temporarily.
How the community answered
(28 responses)- A86% (24)
- B7% (2)
- C4% (1)
- D4% (1)
Why each option
When an employee is granted an extended leave of absence, the appropriate identity lifecycle management action is to temporarily revoke access, preserving the account for reinstatement upon return without permanently destroying it.
Temporarily revoking access disables the account while retaining it intact, which aligns with least privilege and account lifecycle management principles. This ensures the employee cannot access systems during their absence (reducing attack surface), while allowing seamless re-provisioning when they return. It is the most proportionate and reversible response to a known, HR-approved temporary absence.
Deleting the user account after six months is an overly destructive action that would require full re-provisioning upon return and may violate organizational policy for a formally approved leave, making it inappropriate as an immediate best action.
Blocking only physical office access ignores logical/digital access controls, leaving the employee's system accounts, VPN, and application access active, which fails to fully address the security risk of an extended absence.
Merely monitoring the account does not enforce least privilege or reduce the attack surface; an unused but active account during an extended absence remains a viable target for unauthorized access or credential compromise.
Concept tested: Account lifecycle management during employee leave of absence
Source: https://learn.microsoft.com/en-us/azure/active-directory/governance/identity-governance-overview
Topics
Community Discussion
No community discussion yet for this question.