Answered it by telling them to implement security at all levels. First, on the user access level, and then on the user access management level, to evaluate the user's rights. Also, implementing security groups to ensure no unauthorized access occurs.