During a post-incident review you discover that one senior administrator temporarily stopped event logging on several production servers, made unauthorized changes, and then re-enabled logging to hide the activity. Management wants to implement a control that prevents any single individual from both altering system settings and validating the related audit information. Which of the following actions BEST satisfies this goal?
Install host-based intrusion detection on each server and alert when the logging service is stopped.
Enforce 15-character complex passwords for all privileged accounts and require rotation every 90 days.
Assign log collection and analysis to a security operations group that has no server administration privileges, while system configuration remains with the existing administrators.
Copy all server logs to write-once, read-many (WORM) storage so they cannot be altered after the fact.
The issue is an insider threat enabled by one person holding conflicting duties. Applying separation of duties divides those duties so that the team that collects and reviews audit logs is different from the team that administers the servers. Because the log reviewers have no rights to change system configuration, and the server administrators have no rights to stop collection or purge or alter logs, repeating the attack would require collusion between two parties. Copying logs to WORM media, enforcing complex passwords, or adding a host-based IDS each harden the environment, but none of them by itself stops an administrator from both disabling logging and later certifying that the systems are compliant: WORM storage preserves only the records that were actually written, so it cannot recover events from a period when logging was off, and a HIDS alert is still just a record that the same administrator may be the one reviewing. Only a clear separation of duties removes the conflicting combination of rights.
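The control described above is only as good as the role assignments that implement it, so a practitioner would want a way to audit those assignments for conflicting combinations and to block a grant that would create one. The following is an added example, not part of the original page or any specific product: it models a hypothetical role catalogue (`server-admin`, `log-reviewer`, `log-collector`, `helpdesk`), a list of permission pairs that must never be held by one principal (the "toxic pairs"), and two checks, one that reports existing violations and one that gates a new role grant. Role and permission names, and the sample assignments, are constructed for illustration.

```python
"""Separation-of-duties (SoD) conflict check over role assignments.

Added example, not from the original page. Role names, permission names
and the sample assignments are hypothetical and constructed for illustration.
"""

# Hypothetical role catalogue: each role grants a set of permissions.
ROLES = {
    "server-admin": {"config.write", "service.control"},
    "log-reviewer": {"log.read", "log.attest"},
    "log-collector": {"log.read", "log.purge"},
    "helpdesk": {"ticket.write"},
}

# Permission pairs that must never be held by the same principal.
# Each pair reflects the scenario: the person who can change a system
# must not be the person who certifies its audit trail, and the person
# who can stop logging must not be able to erase what was logged.
TOXIC_PAIRS = [
    ("config.write", "log.attest"),
    ("service.control", "log.purge"),
]

# Constructed sample assignments: principal -> list of role names.
SAMPLE_ASSIGNMENTS = {
    "alice": ["server-admin"],
    "bob": ["log-reviewer"],
    "carol": ["server-admin", "log-reviewer"],   # admin who also attests logs
    "dave": ["server-admin", "log-collector"],   # admin who can also purge logs
}


def effective_permissions(role_names, roles=ROLES):
    """Union of permissions granted by the given roles.

    Unknown role names raise KeyError on purpose: silently ignoring them
    would hide a permission the check cannot see.
    """
    perms = set()
    for name in role_names:
        perms |= roles[name]
    return perms


def conflicting_pairs(perms, toxic_pairs=TOXIC_PAIRS):
    """Return the toxic pairs that are both present in a permission set."""
    return [(a, b) for a, b in toxic_pairs if a in perms and b in perms]


def find_sod_violations(assignments, roles=ROLES, toxic_pairs=TOXIC_PAIRS):
    """Audit existing assignments; returns (principal, perm_a, perm_b) tuples.

    Principals are visited in sorted order so the output is deterministic.
    """
    violations = []
    for principal in sorted(assignments):
        perms = effective_permissions(assignments[principal], roles)
        for a, b in conflicting_pairs(perms, toxic_pairs):
            violations.append((principal, a, b))
    return violations


def would_violate(principal, new_role, assignments, roles=ROLES,
                  toxic_pairs=TOXIC_PAIRS):
    """Pre-grant check: True if adding new_role to principal creates a conflict.

    The check is computed on a copy of the principal's role list, so the
    assignments passed in are never mutated.
    """
    proposed = list(assignments.get(principal, [])) + [new_role]
    perms = effective_permissions(proposed, roles)
    return bool(conflicting_pairs(perms, toxic_pairs))


if __name__ == "__main__":
    for principal, a, b in find_sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"SoD violation: {principal} holds both {a} and {b}")
    for principal, role in [("alice", "log-reviewer"), ("alice", "helpdesk")]:
        verdict = "DENY" if would_violate(principal, role, SAMPLE_ASSIGNMENTS) else "allow"
        print(f"grant {role} to {principal}: {verdict}")
```

Run as a scheduled audit, `find_sod_violations` flags `carol` (configuration rights plus attestation) and `dave` (service control plus log purge), which are exactly the combinations the incident exploited; wired into the provisioning path, `would_violate` refuses to give `alice` the `log-reviewer` role while she keeps `server-admin`, but allows an unrelated role such as `helpdesk`. The toxic-pair list is the policy; the code only makes it checkable.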