Precisely. This has been and will remain a project managed in the Standard Big-5 Consultancy style and, as you're observing, it will have the Standard Random Outcome in terms of actual usability or worth. Yes, your security concerns are completely valid. And yes, as you'd think, they ARE phenomenally obvious and very old news to anyone who's ever actually studied and practised IT Audit/Secure Design. By "old" I mean that formal written recommendations on preventing this sort of thing haven't had to change much since the 60s. However, this skillset/training/awareness is NOT part of industry-standard Big-5 consultancies' "Methodologies" -- they merely conform to their methodologies and plod mechanically through tick-a-box "project management" in isolation from the systems' business and realworld realities. And so it is quite literally outside their systems' universes. They get money for jam but they deliver jumble. Can I suggest that you add weight to your Security argument by forwarding this recent event, which at least provides a realworld example of the enormous potential impact on People (you may need to define this last term for them) of irresponsibly poor security architecture: State of California warns of massive ID theft due to physical Exposure of Health-Care Patients' private information: 1.4 million identities stolen (via WebNymph) cheers Sal http://go-blog-go.blogspot.com