•
                                                                                                      •
                                             –
                                                   –
                                                                –
                                   –
                              –
                                        –
                        –
                   –
                                                                                     –
              –
                                                                                                –
                                                                                          –
                                                                      –
                                                                           –
                                                                                –
   Operating
                                                         ref:
                                                                                                      Some
                                                                           use
                                                                      use
                                                                                                               Design
                                   give
                   cost
                                                                                                lock
                                                                                keep
   Systems
                                        check
                                                   design
                        should
                   of
                                             default
                                                                                     de-skill
                                                                                          restrict
                                                                                                               of
   —
                                                                legislate
                                                                                                the
                                                         Saltzer
              minimize
                                                                                                      other
                                        for
                                   each
                        be
                                                         +
                              mechanisms
                                                   should
                                                                           passwords
   Protection
                                                                                          access
                                             should
                                                                                designers
                                                                      encryption
                                                                                     systems
              shared
                                                   be
                                                                                          to
                                        current
                                   process
                                             be
                                                                           (in
                                                                                                computer
                              should
                                                                                                      protection
                                                                                away
                                             no
                   circumvention
                                                                                                               Protection
                                                         Schroeder
                              be
              access
                                                   public
                                                                                                room
                                                                                          system
                        psychologically
                                                                                from
                                                                           general
                                                                                     operating
                                        authority
                                             access
                                   minimum
                                                         Proc.
                   should
                              simple,
                                                                                final
                                                                                     staff
                   be
                                                                                                               System
                                                                                                      mechanisms:
                                                                                                (prevent
                                                                                          software
                                                         IEEE
                                   possible
                        acceptable
                   high
                              uniform
                                                                                system!
                                                         Sept
                                                                                                people
                                                         75
                              and
                                   authority
                                                                           challenge/response)
                                                                                                from
                              built
                              in
                              to
                                                                                                tampering
                              lowest
                                                                                                with
                                                                                                the
                              layers
                                                                                                hardware)
   99