Installation, security, and technical requirements should be developed to assure secure operating systems. Three issues involved in certifying a system as secure -- semantic, technological, and administrative issues -- are reviewed. The three basic elements of protection discussed are isolation, controlled access, and identification. Design approaches available to achieve these elements of protection are discussed and illustrated. The paper also reviews the problems involved in failure testing. It notes that future efforts need to be spent on model development, production methodology, and automated test tools. Diagrams are presented.