7.2.1—An access control model is defined and includes granting access as follows: Appropriate access depending on the entity’s business and access needs.