= Beware self-evaluations because the individual involved may be conflicted and ill-qualified.

= Don't procrastinate on required testing. Leave time for remediation.

= Coordinate compliance efforts with security efforts.

= Build security into processes, not add it on.

= Address compliance continuously, not at the annual review time.