The computer security myths are that (1) the primary problem is one of computer crime and (2) computer security problems can only be stopped by someone who is technically sophisticated. The first perception is a myth because the majority of computer security problems do not come from malevolent computer criminals outside the organization but from employees who regularly use the system carelessly, unaware of what is required to safeguard computer-based records. Further, much can be done to ensure computer security by a nontechnical manager. A conceptual understanding of the technical material is more than enough. Hardware security can be enhanced by (1) training employees to treat the computer equipment carefully, (2) maintaining good environmental controls in the computer area, and (3) providing adequate workspace around terminals and computer so that employees will not be tempted to pile the area with papers and close off cooling vents. Software security should include making backup copies of the software and storing them in a safe place. Only authorized persons should prepare software for the system, and no software should be used in the system until it has been adequately tested. Site security involves the primary considerations of site choice, computer room design, and the establishment of computer access procedures. Procedures for safeguarding security should encompass controlling input, designing the system for control, file security, and protecting processing capability. Good documentation acts like a road map which enables a programmer to work with a program without a lot of expensive learning time. Proper documentation for the use of the system is important for security. The implementation of a computer security program should be based upon a risk analysis, which catalogues threats to the system, measures damage that would result from a realized threat, and assesses the probability that the threat will be realized. The appendixes list seven selections for further reading and provide a glossary.