When should an access list NOT be updated?

The correct choice highlights an important practice in maintaining access lists, emphasizing that they should not be updated on a fixed schedule such as biennially. Access lists should be dynamic and responsive to changes in personnel, security incidents, or training cycles.

When personnel changes occur, such as hiring, resignations, or role changes, access lists must be updated immediately to reflect the new state of security clearance and access needs. Similarly, after any security incident, it's crucial to review and potentially revise an access list to ensure that any vulnerabilities or unauthorized access points are addressed promptly. Additionally, access lists should be evaluated at the end of training cycles to include new personnel who have completed training or to remove access for individuals who have not continued in their positions.

Not limiting the update of access lists to a fixed timeframe—like every two years—ensures that security measures remain relevant and effective, adapting to the ongoing nature of personnel and security changes. This flexibility is fundamental to maintaining robust security protocols.