The following principles underlie the software security procedures described: (1) systems programmers and the software for which they are responsible should conform to a standardized systems development life cycle, which is widely recognized for applications programs and should apply equally to system software; (2) the security of application systems data should dictate system software security needs; (3) an owner of system software should ultimately be responsible for the control of and access to the software; (4) security considerations must be part of the system software selection process; (5) the data center manager has the major control function in systems software security; and (6) career paths and career reward (both managerial and nonmanagerial) should be available for technical personnel. Management's failure to enforce controls over the systems development life cycle can lead to significant exposure to loss. The source of these losses is most commonly found at the points of interactions and communication between system software and the application systems it is designed to support. Additionally, communication is needed between management and the technical staff as well as within the sfaff itself.