16. Access to information, information processing facilities, and business processes should be controlled on the basis of employees requirements.

17. Access control rules should take account of policies for information dissemination and authorization.

18. NIST Special Publication 800-53 Recommended Security Controls for Commercial Information Systems.

19. The primary characteristic of the SABSA model is that everything must be derived from an analysis of the users requirements for security.

20. COBIT includes best practices, measures, and processes organizations can implement to standardize (and theoretically improve) IT management.