Evaluation should include establishing or following
authentication policy
access control (i.e., rights and permissions)
audit policy.