With all the hype going on about biometrics, smart cards, and other "failsafe" access control measures, how do you know what to evaluate, test, and implement? How do you know what system is right for your organization? Before can you answer that, you have to determine whether or not your organization has an Identity Management Policy. If you do, is it sufficient? Is it accurate? Is it Feasible? Is it realistic? And best of all, has it been fully tested? If you do not have an Identity Management Policy, than how do you create one? Where do you start?