Page 238 - CISSO_Prep_ Guide
them concerning best practices or regulations.
• Good practices
  • If people move from a lower-level position to a higher-level one, make sure you tell them up front if you are going to do a background check.
  • Least privilege: only give the permissions needed to do the job.
  • Need to know: only give the knowledge needed to do the job.
  • Separation of duties: defeats fraud. It forces collusion (people in different departments would have to conspire to pull the fraud off).
  • Job rotation and mandatory vacations: help detect fraud and defeat collusion. If you have to choose between job rotation and mandatory vacations to defeat collusion, job rotation is the better option.
  • Use top-down (i.e., starting with management) instead of bottom-up (i.e., consensus-based) planning. Bottom-up planning has no funding and no authority.
• Provide training and education
  • Training: awareness/job skills.
  • Education: decision-making/security management skills.