What is a suitable compensating control when segregation of duties concerns exist between IT support staff and end users?


Reviewing transaction and application logs is an effective compensating control when segregation of duties concerns exist between IT support staff and end users because it provides continuous monitoring of activities that could be harmful or unauthorized. The log review gives oversight of the actions taken within the system, enabling the organization to detect and investigate suspicious or inappropriate activity.

By regularly reviewing logs, an organization can identify unusual patterns or behaviors that may indicate a breach of established duties or an abuse of access permissions. This process not only maintains accountability but also acts as a deterrent against misconduct, since staff and users know that their actions are being monitored.

The value of this control lies in its ability to mitigate the risk that arises when a single individual can both make configuration changes and access sensitive data. By reviewing transaction logs, the organization can verify that all changes made by IT staff are within policy guidelines and that end users do not misuse their access rights.

The other options may provide some level of security but do not address the segregation of duties risk as directly. For example, restricting physical access can keep unauthorized personnel away from systems, but it does not monitor the actions that users take within those systems.
