Proper use of encryption and key management.
User responsibilities and managing system/application access.
Management direction for security.
