nerdexam
(ISC)2

CISSP · Question #244

An employee of a retail company has been granted an extended leave of absence by Human Resources (HR). This information has been formally communicated to the access provisioning team. Which of the fol

The correct answer is A. Revoke access temporarily.. When an employee is granted an extended leave of absence, the appropriate identity lifecycle management action is to temporarily revoke access, preserving the account for reinstatement upon return without permanently destroying it.

Submitted by javi_es· Mar 5, 2026Identity and Access Management

Question

An employee of a retail company has been granted an extended leave of absence by Human Resources (HR). This information has been formally communicated to the access provisioning team. Which of the following is the BEST action to take?

Options

  • ARevoke access temporarily.
  • BBlock user access and delete user account after six months.
  • CBlock access to the offices immediately.
  • DMonitor account usage temporarily.

How the community answered

(28 responses)
  • A
    86% (24)
  • B
    7% (2)
  • C
    4% (1)
  • D
    4% (1)

Why each option

When an employee is granted an extended leave of absence, the appropriate identity lifecycle management action is to temporarily revoke access, preserving the account for reinstatement upon return without permanently destroying it.

ARevoke access temporarily.Correct

Temporarily revoking access disables the account while retaining it intact, which aligns with least privilege and account lifecycle management principles. This ensures the employee cannot access systems during their absence (reducing attack surface), while allowing seamless re-provisioning when they return. It is the most proportionate and reversible response to a known, HR-approved temporary absence.

BBlock user access and delete user account after six months.

Deleting the user account after six months is an overly destructive action that would require full re-provisioning upon return and may violate organizational policy for a formally approved leave, making it inappropriate as an immediate best action.

CBlock access to the offices immediately.

Blocking only physical office access ignores logical/digital access controls, leaving the employee's system accounts, VPN, and application access active, which fails to fully address the security risk of an extended absence.

DMonitor account usage temporarily.

Merely monitoring the account does not enforce least privilege or reduce the attack surface; an unused but active account during an extended absence remains a viable target for unauthorized access or credential compromise.

Concept tested: Account lifecycle management during employee leave of absence

Source: https://learn.microsoft.com/en-us/azure/active-directory/governance/identity-governance-overview

Topics

#access provisioning#user lifecycle management#leave of absence

Community Discussion

No community discussion yet for this question.

Full CISSP Practice