COMPLETE SECURITY FOR A COMPUTER SYSTEM IS POSSIBLE ONLY WHEN INFORMATION IS PROCESSED IN A COMPUTER WHICH IS DEVOTED TO A SINGLE APPLICATION, CONTAINED IN A SECURE PHYSICAL ENVIRONMENT, AND INDEPENDENT OF ANY TERMINALS OR OTHER COMPUTERS OR DEVICES. THIS IS NOT PRACTICAL IN THE COMPUTER SYSTEMS OF 1977-1985. BUSINESS COMPUTER PLANS INDICATE INCREASING USE OF TERMINALS, DISTRIBUTED PROCESSING, AND DATA BASES WITH LARGE MULTIPROGRAMMED PROCESSORS. THE SECURITY CONSIDERATION, THEN, IS TO ACHIEVE SOME ACCEPTABLE LEVEL OF SECURITY. CONSIDERING THE LARGE NUMBER OF PEOPLE WHO WILL HAVE ACCESS TO TERMINALS, THERE MUST BE EFFECTIVE WAYS OF CONTROLLING ACCESS TO THE FILES WHICH WILL BE PRESENT ON LARGE CENTRAL PROCESSORS CONNECTED TO COMMUNICATIONS CIRCUITS. SYSTEM USERS, GENERALLY THE ORGANIZATION WHICH IS SPONSORING THE DATA SYSTEM OR WHOSE MEMBERS ARE USING THE COMPUTER, SHOULD BE RESPONSIBLE FOR THE SECURITY OF THEIR INFORMATION. DETERMINING THE LEVEL OF SENSITIVITY OF THE INFORMATION BEING PROCESSED IS THE FIRST AND BASIC STEP IN THE INFORMATION SECURITY PROCESS. MANAGERS OF SYSTEMS DEVELOPMENT, SYSTEM MAINTENANCE, COMPUTER PROCESSING, AND TELECOMMUNICATIONS SERVICES MUST PROVIDE A VARIETY OF PROTECTIVE MECHANISMS, INCLUDING APPROPRIATE MEASURES FROM EACH OF THE LEVELS OF PROTECTION, GENERALLY DESCRIBED AS THE FOLLOWING: LEVEL 1--PHYSICAL PROTECTION, LEVEL 2--ORGANIZATIONAL NCJ-59507. --IN GERMAN. (KMD) SECURITY ELEMENTS, AND LEVEL 4--ENCRYPTION OF SENSITIVE INFORMATION. THE VARIETY OF PROTECTIVE ELEMENTS FROM THE FOUR CONCENTRIC LEVELS MAY BE VIEWED AS A MENU OF PROTECTIVE DEVICES. MANAGERS OF SYSTEMS DEVELOPMENT ACTIVITIES, IN CONCERT WITH THE FUNCTIONAL SYSTEMS USER, MUST SELECT FROM THE VARIETY OF PROTECTIVE FEATURES TO PROVIDE AN OVERALL LEVEL OF PROTECTION FOR THE SYSTEM OR OPERATION COMMENSURATE WITH THE SENSITIVITY OF THE INFORMATION BEING PROCESSED. (RCB)