What is a suitable compensating control when segregation of duties concerns exist between IT support staff and end users?

Prepare for the CISA Domain 2 Exam. Use flashcards and multiple-choice questions with hints and explanations to get exam ready!

When segregation of duties concerns exist between IT support staff and end users, reviewing transaction and application logs is the suitable compensating control. Log review is a detective control: it records what both IT support and end users actually did and lets an independent reviewer spot unauthorized or inappropriate actions, for example a support technician executing a business transaction, or a password reset followed immediately by a transaction under that user's account. Regular review detects such incidents early, maintains accountability, and keeps both groups within established guidelines. Two conditions make the control effective in practice: the logs must be protected from alteration by the people being monitored, and the review must be performed by someone independent of the IT support function. This is essential for minimizing risk when complete segregation of duties cannot be implemented, because it provides oversight of the interactions between users and support staff that the organization cannot prevent by design.
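An added example of what such a log review can look like when automated (illustrative code, not from the original page or the exam material). It assumes a simple pipe-delimited application log, the role names `it_support` and `end_user`, a small set of business and account-control actions, and a 15-minute follow-up window; all of these are assumptions, and the log lines are constructed.

```python
"""Automated review of transaction/application logs as a compensating control
for weak segregation of duties between IT support and end users.
Added example; log format, role names and the 15-minute window are assumed."""
from datetime import datetime, timedelta

# Constructed sample log. Assumed format:
#   ISO timestamp | actor | actor_role | action | target
SAMPLE_LOG = """\
2024-03-01T09:00:12 | jsmith    | end_user   | create_invoice  | INV-1001
2024-03-01T09:05:40 | helpdesk1 | it_support | reset_password  | jsmith
2024-03-01T09:07:03 | jsmith    | end_user   | approve_payment | INV-1001
2024-03-01T10:15:00 | helpdesk1 | it_support | approve_payment | INV-1002
2024-03-01T11:30:22 | adoe      | end_user   | create_invoice  | INV-1003
2024-03-02T14:00:00 | helpdesk2 | it_support | reset_password  | adoe
2024-03-02T16:45:10 | adoe      | end_user   | approve_payment | INV-1003
"""

# Business transactions support staff should never execute themselves (assumed set).
BUSINESS_ACTIONS = {"create_invoice", "approve_payment"}
# Support actions that hand the technician control of a user's account (assumed set).
ACCOUNT_CONTROL_ACTIONS = {"reset_password", "unlock_account"}
# Assumption: a transaction this soon after a support reset deserves a second look.
FOLLOW_UP_WINDOW = timedelta(minutes=15)


def parse_log(text):
    """Parse the assumed pipe-delimited format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, actor, role, action, target = [field.strip() for field in line.split("|")]
        events.append({"time": datetime.fromisoformat(ts), "actor": actor,
                       "role": role, "action": action, "target": target})
    return events


def review_logs(text):
    """Return findings as (rule, support_account, detail) tuples for a reviewer."""
    events = parse_log(text)
    findings = []

    # Rule 1: IT support performing a business transaction directly.
    for e in events:
        if e["role"] == "it_support" and e["action"] in BUSINESS_ACTIONS:
            findings.append(("support_performed_transaction", e["actor"],
                             f"{e['action']} on {e['target']} at {e['time'].isoformat()}"))

    # Rule 2: a support-initiated reset/unlock followed closely by a business
    # transaction from the affected user (possible use of the account by support).
    resets = [e for e in events
              if e["role"] == "it_support" and e["action"] in ACCOUNT_CONTROL_ACTIONS]
    for r in resets:
        for e in events:
            if (e["actor"] == r["target"] and e["action"] in BUSINESS_ACTIONS
                    and r["time"] < e["time"] <= r["time"] + FOLLOW_UP_WINDOW):
                minutes = int((e["time"] - r["time"]).total_seconds() // 60)
                findings.append(("transaction_after_support_reset", r["actor"],
                                 f"{r['action']} for {r['target']} at {r['time'].isoformat()}, "
                                 f"then {e['action']} on {e['target']} {minutes} min later"))
    return findings


if __name__ == "__main__":
    for rule, account, detail in review_logs(SAMPLE_LOG):
        print(f"[{rule}] {account}: {detail}")
```

On the constructed sample this flags helpdesk1 twice (approving a payment directly, and resetting jsmith's password two minutes before jsmith approved a payment) and does not flag adoe's transaction, which came hours after the reset. For the review to serve as a compensating control the script must read a copy of the logs that support staff cannot edit, and its output must go to a reviewer outside the IT support function.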

The other options, while beneficial in their own contexts, do not directly mitigate the risk created by the lack of segregation of duties. Restricting physical access is a physical security control and does not address misuse of privileges in the application itself. Performing background checks helps ensure that trustworthy people are hired but provides no ongoing oversight once they are in the role. Locking user sessions after inactivity prevents unauthorized use of unattended workstations but does nothing about a support technician who, with legitimate access, acts on an end user's account or performs a transaction that should have been the user's alone.
