Mechanisms exist to enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes.
Does the organization enforce configuration restrictions in an effort to restrict the ability of users to conduct unauthorized changes?