“…[5,61 The authors and analysts are to be commended for their serious efforts in identiQing and mitigating system risks up front. In sharing their experiences, the authors pointed out difficulties such as: convincing auditors that old controls don't apply to new systems, reducing redundant controls, trading off privacy and data collection, and the need to compare vastly different approaches.…”