As usual, I agree with much of what you say. However, it is impractical for any organisation of size to restrict access out of hours on a “by exception” basis because, sadly, most data miscreants tend to have higher level access privileges and duties that require constant access.

You rightly suggest that forensically sound preservation of log files is tremendously challenging but intelligent corroboration can be achieved by combining pieces of information. Of course the criminal level of guilt is “beyond reasonable doubt” rather than the lower [and sometimes more convenient] civil level of “on the balance of probability.”

In addition to the measures you mention there are other practical measures to prevent data leakage and I have recently published a public domain paper for free download on my website at http://tinyurl.com/6eblad