An organization just completed a security audit. Your division was cited for not conforming to X.509 requirements. What is the first security control you need to examine?