An independent security audit should have been performed on the protocol and results reviewed by the product methodologist. In the case that no audit has been performed, the methodologist will apply subjective judgement of the protocol based on assessment of the criteria above and communications with the team.