During a security audit, it is discovered that a contractor has access to customer databases that were not required for their project. Which step should be taken first to mitigate the risk?
Revoking access immediately stops the unauthorized access and reduces risk.
Why this answer
The immediate priority is to revoke the contractor's access to the customer databases they were not authorized to use, stopping any potential data exfiltration or misuse. Access controls follow the principle of least privilege, so any discovered over-provisioning must be corrected immediately to contain the risk. Delaying revocation for notification, assessment, or logging leaves the sensitive data exposed to an unauthorized user.
Exam trap
ISC2 often tests the candidate's ability to prioritize containment over investigation or notification, trapping those who choose risk assessment or logging first instead of immediate access revocation.
How to eliminate wrong answers
Option A is wrong because notifying the contractor's manager does not remove the active access; the contractor can still query or exfiltrate data while the notification is processed. Option C is wrong because performing a risk assessment is a secondary step that should occur after access is revoked; leaving access in place during the assessment violates the principle of containment. Option D is wrong because logging access for evidence is important for forensics but does not mitigate the ongoing risk; the access must be terminated first to prevent further unauthorized actions.