. . . . "They all need to review continuously the security policies, practices and technology controls they have in place, including but not limited to encryption, access controls and authentication." . . . .