Owners should implement InfoSec requirements to control access. A topic-particular standard should be identified and presented to any relevant party. Considerations include identifying the entities that need access, physical and application security, authorization levels, and logging. Access control rules should be implemented by mapping appropriate access rights and restrictions to entities. Consistency with classification and physical security should be considered, as well as dynamic access control factors.