The Chief Information Security Officer (CISO) is researching ways to reduce the risk associated with administrative access of six IT staff members while enforcing separation of duties. In the case where an IT staff member is absent, each staff member should be able to perform all the necessary duties of their IT co-workers. Which of the following policies should the CISO implement to reduce the risk?
A. Require the use of an unprivileged account, and a second shared account only for administrative purposes.
B. Require role-based security on primary role, and only provide access to secondary roles on a case- by-case basis.
C. Require separation of duties ensuring no single administrator has access to all systems.
D. Require on-going auditing of administrative activities, and evaluate against risk-based metrics.