Which three things must be considered for the design, planning, and implementation of access control mechanisms?