Security decisions should be an integral part of the entire planning, development, and operation of a computer application. This guideline describes the technical and managerial decisions that should be made in order to assure that adequate controls are included in new and existing computer applications to protect them from natural and human-made hazards and to assure that critical functions are performed correctly and with no harmful side effects. The multifaceted nature of computer security is described, and differences in security objectives, sensitivity levels, and vulnerabilities that must be considered are identified. Fundamental security controls such as data validation, user identity verification, authorization, journalling, variance detection, and encryption are discussed as well as security-related decisions that should be made at each stage in the life cycle of a computer application. These include questions about security feasibility and risk assessment that should be asked during initial planning, decisions that should be made during the design, programming and testing phases, controls that should be enforced during the development process, and security provisions that should be enforced during the day-to-day operation of the system.