The checklist is divided into subgroups, each preceded by a summary of the key problems found in that area. The risks and attendant control measures are identified as ''critical;' other concerns of lesser importance and their controls are identified as ''recommended.' Areas covered include management issues related to policies, strategies, and accountability; personnel considerations; administrative controls; the physical environment; physical access and theft prevention; moving and transferring equipment; and personal computer maintenance and repair. Additional areas are media control, backups and contingency planning, data access controls, the personal computer-mainframe connection, security in local area networks, encryption, software and documentation control, liability concerns, and auditing. (Author abstract modified)