Users gain access to information that is beyond their appropriate level of privilege.
The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.