Based on the author's experience in the development of a computer-security policy at Delaware University, he recommends procedures for the development of such a policy. He first recommends that contacts in all parts of the organization be used to form a grass-roots call for adoption that no single decisionmaker can ignore. Also, the interest of influential decisionmakers should be cultivated early in the process. An early independent legal review of the policy draft can provide an objective base for campus discussion of the policy, and the draft policy and its rationale should be heavily publicized to increase awareness of responsible computer use. Also, the scope of the policy should be limited, such that it covers only those systems that are of concern. The draft guidelines presented address user responsibilities, system administrator responsibilities, the misuse of computing and information resource privileges, user confidentiality and system integrity, penalties for misuse of computing and information resource privileges, and academic honesty. 43-item bibliography