The Chief Information Security Officer (CISO) is researching ways to reduce the risk associated
with administrative access of six IT staff members while enforcing separation of duties. In the case
where an IT staff member is absent, each staff member should be able to perform all the
necessary duties of their IT co-workers. Which of the following policies should the CISO implement
to reduce the risk?

A.
Require the use of an unprivileged account, and a second shared account only for
administrative purposes.

B.
Require role-based security on primary role, and only provide access to secondary roles on a
case-by-case basis.

C.
Require separation of duties ensuring no single administrator has access to all systems.

D.
Require on-going auditing of administrative activities, and evaluate against risk-based metrics.