Mechanisms exist to identify and document the supporting rationale for specific user actions that can be performed on a system without identification or authentication.
Does the organization identify and document the supporting rationale for specific user actions that can be performed on a system without identification or authentication?