Good point when you write: However, each organization needs to understand their business and may stress more importance on one of the principles over another.

A problem I see is that far too many organizations want a cookie cutter ‘best practices’ approach, rather than really understanding what their specific security needs are.

Ben