The security of an information system maay be modelled by a matrix whose elements are decision rules and whose row and column indices are users and data items respectively. A set of four functions are used to access this matrix at translation and execution time. Distinguishing between data dependent and data independent decision rules enables one to perform much of the checking of security once at translation time rather than repeatedly at execution time. The model is used to explain security features of several existing systems, and serves as a framework for a proposal for general security system implementation within today's languages and operating systems. Keywords: security, privacy, access control confidentiality, operating systems, access management, data banks, management information systems.