Legislative and regulatory requirements relevant to computer security are outlined, including the Foreign Corrupt Practices Act of 1977 and the Privacy Act of 1974. The need for a comprehensive risk analysis and risk management policy is explained. Physical security, the first line of prevention and detection, can include building and parking lot security, physical access control, fire security/protection, housekeeping in computer and storage rooms, and the air conditioning system. Hardware security, the second line of defense, involves protecting the electric power, securing the terminals, and protecting sensitive data during transmission through such means as codes and voice verification. In software security, a fundamental deterrent is an internal auditor. In addition, systems and applications controls, data processing crime methods, detection methods, and countermeasures are outlined. A strong and effective personnel security policy, the fourth area of importance, must include careful screening of data processing personnel at hiring, clear rules of conduct, continued education, effective performance evaluation, promotion, and other policies to foster job satisfaction. Contingency and disaster recovery planning must be done in case of a computer calamity. Electronic data processing insurance is also important. A glossary, a 29-item bibliography, and an index are provided.