Seemingly obvious, but often difficult to do in practice. Essentially, try to eliminate processes or situations where someone can access, change or use information assets without detection. For example, network access and logging should be handled by someone other than those authorised to use the data. If in doubt: no one should hold the keys to something from which they could gain.