First, a security survey should be conducted. The management style of the organization will determine whether the approach is quantitative, qualitative, or a combination of the two. Then a plan should be developed, including short-term and long-term programs leading to the implementation of effective security controls, The testing of these controls, and establishment of a feedback system. Crises to plan for include equipment failure; damage to software, files, and documentation; absence of key personnel; inaccessibility or loss of major company assets; severe damage or destruction of the facility; and denial of services to users. To protect against these threats, a plan should be developed to protect data files, computer programs, and computer documentation through inhouse backup and alternate files; to maintain contact with organizations or departments supported by the computer system; and to coordinate with mutual aid organizations. The plan must be written clearly and concisely and be well indexed. Footnotes are included.