diff --git a/SecurityPolicy.html b/SecurityPolicy.html
index 04f77e4..7897f91 100644
--- a/SecurityPolicy.html
+++ b/SecurityPolicy.html
@@ -191,8 +191,8 @@ deriving from the above principles.
 
 <h4><a name="1.4.1">1.4.1.</a> The Security Policy Document </h4>
 <p>
-This Security Policy is part of the configuration-control specification
-for audit purposes (DRC).
+This Security Policy is part of the Configuration-Control Specification
+for audit purposes (DRC-A.1).
 It is under the control of Policy on Policy for version purposes.
 </p>
 
@@ -210,7 +210,11 @@ This Policy explicitly defers detailed security practices to the
 The SM says how things are done.
 As practices are things that vary from time to time,
 including between each event of practice,
-the SM is under the direct control of the Systems Administration team.
+the SM is under the direct control of the
+<span class="change">
+<s>Systems Administration team</s>
+applicable team leaders.
+</span>
 It is located and version-controlled on the CAcert wiki.
 </p>
 
@@ -354,7 +358,11 @@ one systems administrator present.
 
 <p>
 There is no inherent authorisation to access the data.
-Systems Administrators are authorised to access
+Systems Administrators
+<span class="change">
+and Application Engineers
+</span>
+are authorised to access
 the raw data under the control of this policy.
 All others must not access the raw data.
 All are responsible for protecting the data
@@ -486,7 +494,10 @@ of software has become known
 an emergent local exploit may also be deemed to be an emergency).
 Application of patches in this case may occur as soon as possible,
 bypassing the normal configuration-change process.
-The systems administration team leader must either approve the patch,
+The systems administration team leader must either approve the patch
+<span class="change">
+or
+</span>
 instruct remedial action, and refer the case to dispute resolution.
 </p>
 
@@ -502,44 +513,12 @@ independent of filed disputes.
 
 <h3><a name="3.3"> 3.3.</a> Application </h3>
 
-<p class="change">
+<p>
 Systems administration is to provide a limited environment
 to Applications Engineers in order to install and maintain
 the application.
 </p>
 
-<ul class="q">
-   <li> insert SSH / non-unix in SM? </li>
-   <li> move all below to &sect;7 </li>
-</ul>
-
-<p>
-<s>
-Software assessment takes place on various test systems
-(not a critical system). See &sect;7.
-Once offered by Software Assessment (team),
-system administration team leader has to
-approve the installation of each release or patch.
-</s>
-</p>
-
-<p>
-<s>
-Any changes made to source code must be referred
-back to software assessment team
-and installation needs to be deferred
-until approved by the Software Assessment Team.
-</s>
-</p>
-
-<p>
-<s>
-Requests to systems administration for ad hoc queries
-over the database for business or similar purposes
-must be approved by the Arbitrator.
-</s>
-</p>
-
 <h3><a name="3.4"> 3.4.</a> Access control </h3>
 
 <p>
@@ -576,31 +555,31 @@ authorisations on the below access control lists
   <td>Access Engineers</td>
   <td>control of access by personnel to hardware</td>
   <td>exclusive of all other roles </td>
-  <td>Board of CAcert (or designee)</td>
+  <td><span class="change">Access team leader <s>Board of CAcert (or designee)</s></span></td>
  </tr><tr>
   <td>Physical Access List</td>
   <td>Systems Administrators</td>
   <td>hardware-level for installation and recovery</td>
   <td>exclusive with Access Engineers and Software Assessors</td>
-  <td>Board of CAcert (or designee)</td>
+  <td><span class="change">systems administration team leader <s>Board of CAcert (or designee)</s></span></td>
  </tr><tr>
   <td>SSH Access List</td>
-  <td>Systems Administrators</td>
+  <td>Systems Administrators <span class="change">and Application Engineers </span></td>
   <td>Unix / account / shell level</td>
   <td> includes by default all on Physical Access List </td>
   <td>systems administration team leader</td>
- </tr><tr>
-  <td>Support Access List</td>
-  <td>Support Engineer</td>
-  <td>support features in the web application</td>
-  <td> includes by default all systems administrators </td>
-  <td>systems administration team leader</td>
  </tr><tr>
   <td>Repository Access List</td>
-  <td><span class="change">Application Engineers</span><s>Software Assessors</s></td>
-  <td>change the source code repository <span class="change">and install patches to application</change></td>
+  <td>Application Engineers</td>
+  <td>change the source code repository and install patches to application</td>
   <td>exclusive with Access Engineers and systems administrators</td>
   <td>software assessment team leader</td>
+ </tr><tr>
+  <td>Support Access List</td>
+  <td>Support Engineer</td>
+  <td>support features in the web application</td>
+  <td> includes by default all <span class="change">Application Engineers <s>systems administrators</s> </span> </td>
+  <td><span class="change"><s>systems administration</s> support</span> team leader</td>
 </tr></table>
 
 
@@ -648,14 +627,14 @@ must be strictly controlled.
 Passphrases and SSH private keys used for entering into the systems
 will be kept private
 to CAcert sysadmins
-<span class="change">and Application Engineers</span>
+and Application Engineers
 in all cases.
 </p>
 
 <h5> <a name="4.1.1.1">4.1.1.1.</a> Authorized users </h5>
 <p>
 Only System Administrators
-<span class="change">and Application Engineers</span>
+and Application Engineers
 designated on the Access Lists
 in &sect;3.4.2 are authorized to access accounts,
 unless specifically directed by the Arbitrator.
@@ -908,7 +887,7 @@ infrastructure is not available.
 
 <p>
 Software assessment team is responsible
-for the security <span class="change">and maintenance</span> of the code.
+for the security and maintenance of the code.
 </p>
 
 <h3> <a name="7.1"> 7.1. </a> Authority </h3>
@@ -921,7 +900,7 @@ See &sect;3.4.2.
 
 <h3> <a name="7.2"> 7.2. </a> Tasks </h3>
 <p>
-The primary tasks <span class="change">for Software Assessors</span> are:
+The primary tasks for Software Assessors are:
 </p>
 <ol><li>
     Keep the code secure in its operation,
@@ -929,8 +908,6 @@ The primary tasks <span class="change">for Software Assessors</span> are:
     Fix security bugs, including incidents,
   </li><li>
     Audit, Verify and sign-off proposed patches,
-  </li><li>
-    <s>Guide Systems Administration team in inserting patches,</s>
   </li><li>
     Provide guidance for architecture,
 </li></ol>
@@ -940,10 +917,10 @@ Software assessment is not primarily tasked to write the code.
 In principle, anyone can submit code changes for approval.
 </p>
 
-<p class="change">
+<p>
 The primary tasks for Application Engineers are:
 </p>
-<ol class="change"><li>
+<ol><li>
     Installing signed-off patches,
   </li><li>
     Verifying correct running,
@@ -1022,9 +999,10 @@ any Member that requests it.
 <h3> <a name="7.6"> 7.6. </a> <s>Handover</s> <span class="change">Production</span> </h3>
 
 <p class="change">
-Application Engineers are roles within Software Assessment
-team that are approved to install into production the
+The Application Engineer is a role within Software Assessment
+team that is approved to install into production the
 patches that are signed off.
+<s>
 Once signed off, the Application Engineer
 commits the patch from the development repository
 to the production repository,
@@ -1033,6 +1011,7 @@ into the running code.
 The Application Engineer is responsible for basic
 testing of functionality and emergency fixes,
 which then must be back-installed into the repositories.
+</s>
 </p>
 
 <p class="change">
@@ -1040,36 +1019,6 @@ Requests to Application Engineers for ad hoc queries over the database for busin
 </p>
 
 <p>
-<s>
-Once signed off,
-software assessment (team leader)
-coordinates with systems administration (team leader)
-to offer the upgrade.
-Upgrade format is to be negotiated,
-but systems administration naturally has the last word.
-Software Assessors are not to have access
-to the critical systems, providing a dual control
-at the teams level.
-</s>
-</p>
-
-<p>
-<s>
-If compilation and/or other processing of the
-application source code in the version control system
-is necessary to deploy the application,
-detailed installation instructions should also be
-maintained in the version control system and offered to the
-System Administrators.
-</s>
-</p>
-
-<p>
-<s>
-Systems administrators copy the patches securely
-from the software assessment repository
-onto the critical machine.
-</s>
 See &sect;3.3.
 </p>
 
@@ -1380,7 +1329,7 @@ All external inquiries of security import are filed as disputes and placed befor
 Only the Arbitrator has the authority
 to deal with external requests and/or create a procedure.
 Access Engineers, systems administrators,
-<span class="change">support engineers</span>,
+support engineers,
 Board members and other key roles
 do not have the authority to answer legal inquiry.
 The Arbitrator's ruling may instruct individuals,
@@ -1409,7 +1358,6 @@ All arrangements must be:
           Assured Organisations, in which
           all involved personnel are Assurers,
       </li></ul>
-  </li><li>
   </li><li>
     with Members that have the requisite knowledge
     and in good contact with the team leader(s),