Which steps ensure timely revocation of access when an employee leaves or changes roles?

• A. HR/IT triggers, disable accounts, revoke tokens, and perform audit.
• B. Wait 24 hours before revoking access to confirm with HR.
• C. Only disable accounts at end of year and notify team.
• D. Passwords should be changed monthly to manage access.

Answer: (A)

Coordinated HR/IT triggers ensure timely revocation by starting the process as soon as a personnel action is recorded. Disabling accounts blocks sign-ins immediately, revoking tokens and active sessions cuts off any ongoing access to systems or data, and performing an audit provides verification and traceability that all access was removed and nothing was missed. This combination minimizes the risk of unauthorized access after departure or role change and supports accountability.

Delay-based or incomplete approaches fail to address immediate access removal: waiting 24 hours creates a window of opportunity for access to continue; delaying until year-end is far too slow; and simply changing passwords monthly doesn't revoke existing access or tokens and doesn't handle role-based permissions or account deactivation.