The organization should have policies describing the various security zones and their restrictions (e.g. computer room: contractors must be supervised, contractors must be screened before contract award etc.). Security Zone definitions should be linked to the security matrix detailing which job roles are allowed (least privilege principle) within a defined security zone including definitions on whether they require supervision.