Weekly CISSP Practice

Week 21 - Question 2

Scenario: An employee left your company. You find out that they still have remote access to internal systems. What should be your immediate action?

A. Disable their accounts

B. Monitor their activities

C. Notify higher management

D. Change the internal system passwords

Answer: A

Explanation:

A. Disable their accounts

In the CISSP "Order of Operations," the first priority when discovering an unauthorized access path is Containment.

  • Why it's the Answer: Disabling the account is the fastest and most effective way to stop the "bleeding." Until the account is disabled, the former employee (or anyone who has compromised their credentials) can exfiltrate data, plant backdoors, or delete files.

  • The Policy: This action should be part of a standard Offboarding Checklist. In many organizations, this is automated so that when HR changes the employee status to "Terminated," a signal is sent to the Identity Provider (like Active Directory or Okta) to disable access immediately.

B. Monitor their activities

Monitoring is a Detective Control, but once you know that access is unauthorized, you must move to Corrective/Preventive Controls.

  • The Risk: While monitoring might give you "evidence" of what they are doing, it does nothing to protect the organization's assets in real-time. You are essentially watching a crime happen without stopping it.

  • The Exception: The only time you would prioritize monitoring over disabling is in a law enforcement-led "honeypot" operation, which is rare and requires specific legal guidance. For the CISSP exam, always choose the action that protects the asset first.

C. Notify higher management

Communication is vital, but it is not the first action.

  • The Logic: Following the incident response lifecycle, you "Act" to contain the threat and then "Report." If you spend thirty minutes drafting an email to the C-Suite before disabling the account, the employee could have already deleted a critical database.

  • The Process: Secure the system, then follow the communication plan outlined in your Incident Response Plan (IRP).

D. Change the internal system passwords

Changing "system" passwords (like the root or admin passwords) is a massive undertaking that can cause significant business disruption.

  • The Misalignment: If the employee is using their own account to log in, changing the system's administrative passwords won't stop them. You are attacking the wrong side of the problem.

  • The Better Way: You only rotate shared service account passwords if you have reason to believe the departing employee stole those specific credentials. Disabling the individual's account is the targeted, precise surgical strike needed.


Key Takeaway for the CISSP Exam

Deprovisioning Best Practices:

  • Immediate Revocation: Access should be cut off at the exact time of termination.

  • Account Disabling vs. Deletion: It is usually better to disable an account initially rather than delete it. This preserves the metadata and file ownership, which may be needed for forensic investigations or to reassign the data to a successor.

  • Orphaned Accounts: These are accounts that remain active after a user has left. Regular Access Reviews are the primary control used to find and kill these "ghost" accounts.
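As an added illustration (not part of the original question or its explanation), the following Python performs the reconciliation an access review relies on: it compares a constructed HR roster against a constructed Identity Provider account export, flags enabled accounts belonging to terminated or unknown users, notes whether the account was used after the termination date, and applies containment as a disable rather than a delete. All names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: HR status per user (status, termination date).
HR_ROSTER = {
    "alice": ("Active", None),
    "bob":   ("Terminated", date(2024, 5, 3)),
    "carol": ("Terminated", date(2024, 4, 20)),
}

# Constructed sample data: what an IdP account export might look like.
IDP_ACCOUNTS = [
    {"user": "alice", "enabled": True,  "last_login": date(2024, 5, 10)},
    {"user": "bob",   "enabled": True,  "last_login": date(2024, 5, 9)},   # orphaned, still active
    {"user": "carol", "enabled": False, "last_login": date(2024, 4, 19)},  # correctly disabled
    {"user": "dave",  "enabled": True,  "last_login": date(2024, 5, 1)},   # no HR record at all
]


@dataclass
class Finding:
    user: str
    reason: str
    used_after_termination: bool  # evidence worth preserving for the IR report


def find_orphaned_accounts(hr_roster, idp_accounts):
    """Return enabled IdP accounts whose owner is terminated or unknown to HR."""
    findings = []
    for acct in idp_accounts:
        if not acct["enabled"]:
            continue  # already contained; nothing to do
        record = hr_roster.get(acct["user"])
        if record is None:
            findings.append(Finding(acct["user"], "no HR record", False))
            continue
        status, term_date = record
        if status == "Terminated":
            used = term_date is not None and acct["last_login"] > term_date
            findings.append(Finding(acct["user"], "terminated in HR", used))
    return findings


def disable_account(idp_accounts, user):
    """Containment step: disable, never delete, so ownership and audit metadata survive."""
    for acct in idp_accounts:
        if acct["user"] == user:
            acct["enabled"] = False
            return True
    return False
```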
