Mechanisms exist to restrict access to databases containing sensitive/regulated data to only necessary services or those individuals whose job requires such access.
Does the organization restrict access to databases containing sensitive/regulated data to only necessary services or those individuals whose job requires such access?