At what level of decision-making do you think the criteria for deciding who gets access to what should be defined? Is this primarily a question for management to resolve or can staff decide it? Which issues should be addressed by whoever made the decisions on access and security?
