If the organization has only one IT person, then it's hard to enforce segregation of duties. But all is not lost; even though true segregation is not feasible, corporations can do a good job "watching the watcher." I suggest having a strong log management capability implemented to keep a record of all transactions.
But it's not enough to just log the actions. It's critical that organizations store the data somewhere that the IT administrator cannot gain access and tamper with it. The first thing a bad guy does is try to cover his or her tracks, which means eliminating log records. So the log device needs to be protected and the IT person can't have access.
A few organizations are now offering log management services in which the logging platform resides "in the cloud" or via a hosted service, which provides the type of segregation necessary to keep things separate. To be clear, this wouldn't necessarily provide true segregation of duties (since the IT person is still doing all the functions), but it will provide an audit trail and the ability to investigate an issue if some malfeasance is suspected.
This was first published in February 2009