Of course, that clearly has an effect on the administrator's ability to enforce policy, so that may not be the best option.
Ultimately, I recommend a "trust, but verify" approach, which means gradually increasing levels of access to the administrator, as he/she proves trustworthy. First, provide access to firewalls and network devices, and then over time to servers and other devices that need to be managed. This is just one way to do it.
At the same time, I would implement a log management system, which pulls the logs from all the managed devices and stores them in a cryptographically sound fashion. I would provide read-only access to this information to all the company's administrators. Then, in the event of a compromise, the logs will help piece together what happened.
Having the logs stored in a separate environment also ensures that a bad actor can't tamper with them and hide the artifacts of the breach. Again, trust the administrator to do the right thing, but also be able pull the data that can verify it.
Related Q&A from Mike Rothman, Contributor
In the world of security certifications, what is the GISP and how alike is it to the CISSP? In this security management expert response, learn about ...continue reading
Depending on your enterprise, it may or may not be necessary to utilize a QSA. In this security management expert response, learn how to determine ...continue reading
When developing software securely, what role does gap analysis play? In this security management expert response, learn how to implement gap analysis...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.