To assess effectively the security needs of an organization and to evaluate and
choose various security products and policies, the manager responsible for computer and network security needs some systematic way of defining the requirements
for security and characterizing the approaches to satisfying those requirements. This
is difficult enough in a centralized data processing environment; with the use of
local and wide area networks, the problems are compounded.