The technology-side requirements: access controls, encryption, audit logging, automatic logoff, and transmission security. We implement them as part of everyday IT management so compliance and operations are the same system, not competing projects.