Some really sensible guidance on security for applications where personal and/or valuable data is involved. I like the call for trusting users (critical in my experience) and the suggestion to verify through retrospective audit. Some clear pointers to setting up safe havens, which seem to help with the issues of multiple administrators on systems.