ࡱ>  9:;<=x  !#$%&'()*+,-./012345678?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~Root Entry Fr Workbook MBD0004FBE2  Fa7a7Ole =  !"#$%&'(*-F!cover!Object 1  F'Microsoft Office Word 97-2003 Document MSWordDocWord.Document.89qOh+'0  4 @ L Xdlt|Christian, Michele  Normal.dotmChristian, Michele Data 81Table",CompObjyOlePres000>\8DdO zp<  C Ab48{ߌ[4yͰL8Dn8{ߌ[4yͰLPNG  IHDRO:EgAMA pHYs12N– IDATx}8e}{p#0rCG`9&r"D3KPxg`EF.oϼX̋ϼX̋ϼX̋ϼX̋ϼX̋ϼX̋0+놡y8ck+Sx脰:D[Q/[??HPTI5o HuoD1ճC ]^Qhz|`VOOay Z8n#ʬCR6RJUoZ篟tXܳCPZNa~FET5ېbns#n[.ZW>w9 |[FV,:xۧ/{k>qvD h"СP))F #ƟS)!GĎjJ3+Dbm5Ĕn~CZLCa#`m魜;?kWOV!Jm UKaܣj\$܄=O9FV"kTגyn- jVw!:j<ݜwAxND(ySzYKz>pRN=XT*QU/{o+T&iJ6YK~=H'?0Ou7-峭+5GdA:Vc&~E|OJӒ*X@UNHtc>Z󋄆4OgҨz/'~BQ1| .3SZ$N588l ՃbjU4&٢x/1fç#N-olKu!,O[\g(yϨh:\4{5q=~)|*Xpu0zc7C6Jg5}9AFtFqr74՚ d4ϣnVH A? 'bq„c|sB&IPݝ6m}궕i#:'PfC.4NUc31Zoj!4Oqf3]o"eLt W<'aM(>e5v M:_Y*y]Ɓ ďg%u =ԖIWqBYm]Gn 4<rф 傼;+ZܞQ |V^kɶ=KL)9#bчMBHdG tSs 6( W<ϖO3qͧTʴ[K` k߂cd ؑ/\^芊 >1_OO, λX%Z뤿6@qNgϗI3<=Α}M:skfwvA[" %cŖ=yTwt|P @Y9[jO==E /`1{zX Uѫc5qVxͤe+WbJkAmؗHv&5vmԜ0?0`OwjtkᾛMX;>_*I|p۫7QǢr&C"[m%Ls h6>%k^n{;8c,z'F3{?ͲQ{@?YM|R5\טT}dufx ]"H!' C~H)ӘDVi})"OҼFZL0+IO1&f>}OXwMZѺJnrtw2@v&O7>z?l3bS]';q:MyT'fEmS ű+HZOn,Fa `D7·(-$T*&󟟢ܣX^$Q;_MuKé(Uֆ1uCs1XGb6(kg3h١Rq"3n논%SRbKO,Ts~f~90C`QɨĬlYkTsL,'˼k N ۽ [rLc(>-ZA )ҟFJAt~O[~O)gA{'maQ aB3r#Sq#rО5$Pb=6 ՅZvѺEfD+1EѾDT $wV{cDyhK֚&{)t }5 EyTV\vj.AsTr ;21Vm|hY%!#n>q^: nI {N4}&8Zܚ6HȖ܊)*# zc۶7o= 1z E@l>}= ׌7EBe¦cБ~P {9dkwe5-|dBͫ7EQm]eU0kl\% ~߳zlLrGݠ5fq~Ê Mb஁՚;vpl_3N( a5LfH>&Qb0'=fbLO&߃uY+XPEDJW]3LLL UJ oYs_M'6($>LYcR31[mU %G9L'0.Xָ*vKZ߫Z?NFD>}2 >wV _U 7Q <\YhNh1U=H' x?BkS|blyjrrDTP,8pCwqm?dο"B_WeP]ڀk{e'bf0ݑ]'إ)ԮZg:ħ0nY-ˍ :*1稝 RjVWAN$(VT@W&iP?|opOj=@Z=Nx>;&=VSj'4 &*NwCvό5\4c=:_8~T`w Ci??ҍ}mkP3ZGuxkТ-q K@ $Gۖ [ѐZJدqЀau|'eM_͉v*l' xZ3NX:D2m΂-Dzwk1@t_xUڏ|G-U~lLKوĞڱeJ? 
/v|v܈k,'|`Lqu`a0QT'{KE!S$,kض'8NՀ88dRdy:7pbmd?uPs7a,zh4@2,|u m16j=yסhg9Ms5'.)lp*,Gxst% UgBu 3ggwhxy׃$Ӏ._)$/]uQI͟ἧ&O:@9T'>t~m 4~@sTodZ揥&"_ [$)(zuOoyqS]n?ħyx++W"%EUO{/`,P'^qbN -=8R/]uF<'PkViHguDvTq=4~9 E[:=S{uCrN2o3CU%^MtKs^çyG-VK26۲uYwg3ЀRuJnى| +ZL'm)D9,,ϧw։MɓnS.!#1N)rt#|nDX~ұDx:} hG"8DD5׀AOI` C*T ^NԢ#qoWD^Km^NJϩ 4FŖBӳ٦hz4y.4yҝ4dIB,^N,il xs EbD CFLE[% aQNƏ*żgQ% *k<s&Tq~)qgK#X nX|L )4tsl(%9y3ڏ|ڑhzKn%g|S&)\>נo@3([W`ЎD_$ WQ`-Ml[C *\Dn ^0Cxj}A-.O5Af7JhtY?`Z|?}H$=E[]g?N><$*hnY !*2S>||Ͼ"ey?\ꋆCXAE)qO_EP=)N r ڱWoK]>,g䓿rwo?ۏU\2!QAp4._~0HhSBY2@"XbjZãuE+N;{b7Oy ۥ1{i3;irMCPq?wf|`*gBQ mGCvEǡ2CD:Sqxtd?r/J,P'O0[߻la<о@cH'i0o1h篟~ 7c=KY}H9PQq| ? /ЮwTdml&=ʒè ,3 Yf*s}73lǜJ<[y|OOm:*KD؃0 >g/CMrwDESt,|&sonu!]{yCDP`;4}toS^OwG/1Յ3٧*N.@~Hnl|mI}E5I 3$LNW`UXBowN?vNLDw|.ݪ8J:*Vn_1 a7 ?A)wk*B6sX.tpיhbЏADgO[Q?{l5LQ<76ٍ$UolFLs )9i"p ]msPw'6/l6j;Bňj kƶhԽ3 X}RWv]Nat;΅bPWU9s5z8%w_DDGݓD:Jܡr̷Đ}`Dh._G.E>IF.b=b#>Cͥ'1]sWO?9:L $(qTO97h*h0SJAV\:Dh=ΰk^ZK4N4SoNNZX>! []'*R힓]0*OPqy{K/IT[g ."Onn|ul}^-a"4byrab/<^)Pt7nF`e"Rص d5t[2~DNlRӇ˥a>SAۿK#sU?=x7ǽ ḀG~uZ.w鞖1EL\/\f<Ѯ04ԺzzOgٮ1i{u^,WF]\85PEB9bYiӶ5l]a~Im9e%dDŽ!`bKewKtRoO+VO2.e OO?|e|Sx|$+cֹB}ҙS=Rx#Xc%K|B{C 7cԟ}@TX@bn"ˋZvQe(b^œi[}nKA,8R⪞GKj#Lz67 fPS=C# vQ7+wB&o\~l좢E} ٠Ds`/'ב4Qr)qik )e-1B\ϯǓ2|cx{%F9!s9Y¥r1<)\[NS΂ߏkat~\D/#.0mbp<((v`hĊ/]㾼fUxL,۹h-Dq|.&\ARfj\lzxbՉWxY>vH5+ a.2_~kF &_'4 <螦oUlFwIEEяⰫ3އ"x !I[= ߸N|gdd9s& McbTrC13u)\qy)`f/2&A-0Kt O%wV3>>"s":Y#ɟ~t N)3*#5Vi ĶޘUx煱;Ձpn_³mw<*҆SxyfM:O' .mj r>ҋ"n*NT4pN c \)1 {on^ WXdrqޑy0]{tVgź? 
*xntlo:p;Fݱ&-WJ]0\OXg>.)8u;":y۱=ǐ淖}/ѳ"p+e:&s&gNg<8fe[M蚧}xV8q$,;<?wvG8$g}-y;,*=Qxu`w*ޟ쿽p:^cWqxd]YbPT怚wRfE"za0Z1јa4U{IMхBI*PEq,.bPlvLMZzm;Q|FJL#qL wbKzo6\#|3g/FcF3VUxd1dy #UB|q|F,~`C5>fG11]˞#y=~hauucX!-q|ڻ >=':B~[h*NV|=Mɧ92Y (E* vfx %ߵ $+lgoaBgڍ18M@Ty-q =k ;p1N/JPIeUKrk /PPG" XE7@ ?)8֋(|& <]_EmE#æV\lވbSM/2( d|izy8 yeo'+-kF3X@iK;-^(۽#m6yܔO"7?T,G/QdōLꚃlcL˰ |F3P6"|>Zё.(#§1Ѫ)ħ1Ƿɵوth1ُ)ɱ?<>JA<+ ?t/d CWOC#+y+y+y+y+y+y+y+y+y+y+y+y+yWQ~?|q^R2j^%"Eh嘫g^|g^|g^|g^|g^|g>$pxW.>w@YoJѝSqzx:tn4W%sW䡽F1kymЉO2g?Y3:̤&bstU] |b`,Vl k& W(|2\i|\}1ɸK^9(vS>B |9 >7ç6NcBB"|Xgx>8.45ǧp| [Qj{cюefu ;)X&~Jȧ5'| Ơ#2C AT.gӷtⳋsN pCvm>x~l bj; T^x[T?\MԭӦ̾1=qYP)<< еl=P<a x; ӼO(I}@޹? c%T.% 缟pk%c藹}gy/^%+y+y+y+y+y+y+y+y~a/9\~+Gݝ?eY׷[b9Plz}qUyڿeƵѷ]b6 q'9ϏC! ryAo,㣇[xw"xse e; <qxψ> (U)s Otnx B=/bIrvtllO(L@G q)cڹ 5*>U洡P}ጟ欙S7e;¿?O(戾vİjہ񁣧95?ϰҾǑ>ֲ%p?DֱЯ|.1E!=~A 8nag(33}8^\QRs ]0v1Cٜ&ǁxS32{GTGܘ98\*>E@8;BJ`aIF|윟|wԗBg>k1#!CNRh}a'Q}ȪQսbNg~iRQ4Es>/l?xjc1G^2Qsɱ&O'x2E祊tTЊlOT` T,Ŷ%LF2ٲLML\zjhb zyJ,|" Bj9swF|w0oJs\HTTÁ~k-ՎHL>!?yY+$)Y:zoD V_>|c+@283c\R1o 9f+< l?vJ=Y-a42v$r1v#|Εs;Ͻw\n; oR|МL 2p\_)`l8[0DǜJ>-l*ĩ릿o2KVڶmaI_4 }{0 |Zk<|{@6y07MNу՘;6`1|.|B;D:9*Őz ^"L=F#Pv ˻5} O#?tg4 $|x p{y,eԍ&.,kMi뺞/5oHyvZu#ԣ1[Ɛ9oOLE+ޜ p0OBěRyvh ٵ_r*6'\'쌹'MeQ0OVog=U(T1izg墈4+ܴiE(n[9ZAZ|idE_UQ dԇp C)us iC.*9Kt|2n Ԏ^?7cP ͐ + uL ZIl/ٿD{% ȜTeN|}NIka l?L';y$*||FeuP-;v;{Rwfoyy`[? wzPGDw)A_o$Er>s´"0<< U۾A5?'~@ѿ?) 
e痺:P8;_(IPLm9-/9">^wɩmf:iCe=>BHg6a!*2GJ`B)sᳱcli/soȑͧʣؚ l)?m f#TL=scb>[=lCc[~>LafOTA?Uk3wNa1kf=2l˃( d>_jSb Pħ_myݧ>Kh.#*MNPħC{꽏GE/!O^në  6ё-u/ G'YŻ'|1ERYU؟xL"&i1ULdiqqY`t陓4>#v5A>ɠR|2lOv,ϲp@?HVr&2Hj-//ozĩϕ=Uy[g# E%,~o8+U;N.|ڽa?oϼk=983Ec"ZO#f{DHJY&RO;u0XB/v6v09ASigz{$s |q3HH`oӼf>sHeWdB߷SqTZ~O7xkhvuB)E(Z}UaRw}~؃W\5Ƙ 8;[w"GɊ_M_1`Fxw[7+}Θ1'սi GHSʍ{`;EČ/O8G fJt#A~y$ݏPp~t4y GzDϴπ06666666666666666666666666666666666666666666666666hH6666666666666666666666666666666666666666666666666666666666666666662 0@P`p2( 0@P`p 0@P`p 0@P`p 0@P`p 0@P`p 0@P`p8XV~_HmH nH sH tH N`N Normal,ndhCJOJQJ_HmH sH tH " pHeading 1,1 ghost,g,Ghost,ghost,g ,1ghost,Ghost +,h1,Chapter Number,Divider Page Text,og,Heading,Ghos,g1,Graphic @&CJ*2* Heading 2,2 headline,h,headline,h2,h headline,Heading 11,heading 1,H2,heading 2,Heading 12,oh,Header1,Heading 121,h g2,Heading 1211,Heading 12111,2 hheadline,01 Headline,Heading 13,Heading 121111,Heading 1211111,Heading 12111111,2 headline1,2 headline2@& #@5;020 Heading 3,3 bullet,b,2,bullet,SECOND,Bullet,Second,4 bullet,h3,BLANK2,B1,b1,blank1,3 dbullet,ob,bbullet,3 gbullet,dot,second,3bullet,Bulle,bdullet,heading 3,Bullet 1,3 dd,3 cb,3 Ggbullet,02 Bullet,bul,B,Heading 21,3 bbullet,Heading 211,3 bulle,h 2,Dot#F@&]#^F``B` Heading 4,4 dash,d,38[@&]8^[`nRn Heading 5,5 sub-bullet,sb,4[~@&][^~`fbf Heading 6,sub-dash,sd,5p @&]p^ `FF  Heading 7$$@&a$ CJ$OJQJNN  Heading 8$$x@&]a$5CJDA D Default Paragraph FontViV 0 Table Normal :V 44 la (k ( 0No List JJ center bold,cbo$dha$5@@ center plain,cp$a$bb col text,9 col text,ctdPP @CJ.". 
|col bullet,cb,Center Bold,col bulletcsb,u,cbbullet,C2 Col Bullet,cb 10pt,col bullet1,cb1,c,Center Bcbold,6 chart,Chart,chart @E^`EN!2N col dash,cd k@^`JBJ col heading,8 col heading,ch,Col Heading,8 col heading,8colheading,9 col heading,e,ColHead,C1 col heading,8colheading,C0 Col Heading$dPPa$ 5;CJZ!RZ col sub-bullet,csb ^`LQbL col sub-dash,csd^`FArF col sub-heading,csh;BB first,f,1#^#`CJ> > Footerd P2CJJ&J Footnote Reference6CJEHH*TT  Footnote Texthd^h`6CJPP footnote,fnhd^h`6CJLL harvey ball$a$ CJOJQJ>> Headerd P2CJBB note,no#^#`6CJRR numbered text,nt #^#`5;NN oversized graphic!]^@"@ paragraph,p"#d`#T2T source,so # ud^`u6CJ>B> step,st$8^8`5<!R< sub-heading,sh%;FbF table title&$da$5CJZ!Z trailer,7 trailer,t'x#$2/..).  Page NumberJJ TitlePageBottom)$da$CJXTX  Block Text*$yC]y^Ca$5;CJ$OJQJJJ File Name in Footer CJOJQJ^^ facing page #,fp,&@#$2/.5CJPK![Content_Types].xmlj0Eжr(΢Iw},-j4 wP-t#bΙ{UTU^hd}㨫)*1P' ^W0)T9<l#$yi};~@(Hu* Dנz/0ǰ $ X3aZ,D0j~3߶b~i>3\`?/[G\!-Rk.sԻ..a濭?PK!֧6 _rels/.relsj0 }Q%v/C/}(h"O = C?hv=Ʌ%[xp{۵_Pѣ<1H0ORBdJE4b$q_6LR7`0̞O,En7Lib/SeеPK!kytheme/theme/themeManager.xml M @}w7c(EbˮCAǠҟ7՛K Y, e.|,H,lxɴIsQ}#Ր ֵ+!,^$j=GW)E+& 8PK!Ptheme/theme/theme1.xmlYOo6w toc'vuر-MniP@I}úama[إ4:lЯGRX^6؊>$ !)O^rC$y@/yH*񄴽)޵߻UDb`}"qۋJחX^)I`nEp)liV[]1M<OP6r=zgbIguSebORD۫qu gZo~ٺlAplxpT0+[}`jzAV2Fi@qv֬5\|ʜ̭NleXdsjcs7f W+Ն7`g ȘJj|h(KD- dXiJ؇(x$( :;˹! I_TS 1?E??ZBΪmU/?~xY'y5g&΋/ɋ>GMGeD3Vq%'#q$8K)fw9:ĵ x}rxwr:\TZaG*y8IjbRc|XŻǿI u3KGnD1NIBs RuK>V.EL+M2#'fi ~V vl{u8zH *:(W☕ ~JTe\O*tHGHY}KNP*ݾ˦TѼ9/#A7qZ$*c?qUnwN%Oi4 =3ڗP 1Pm \\9Mؓ2aD];Yt\[x]}Wr|]g- eW )6-rCSj id DЇAΜIqbJ#x꺃 6k#ASh&ʌt(Q%p%m&]caSl=X\P1Mh9MVdDAaVB[݈fJíP|8 քAV^f Hn- "d>znNJ ة>b&2vKyϼD:,AGm\nziÙ.uχYC6OMf3or$5NHT[XF64T,ќM0E)`#5XY`פ;%1U٥m;R>QD DcpU'&LE/pm%]8firS4d 7y\`JnίI R3U~7+׸#m qBiDi*L69mY&iHE=(K&N!V.KeLDĕ{D vEꦚdeNƟe(MN9ߜR6&3(a/DUz<{ˊYȳV)9Z[4^n5!J?Q3eBoCM m<.vpIYfZY_p[=al-Y}Nc͙ŋ4vfavl'SA8|*u{-ߟ0%M07%<ҍPK! 
ѐ'theme/theme/_rels/themeManager.xml.relsM 0wooӺ&݈Э5 6?$Q ,.aic21h:qm@RN;d`o7gK(M&$R(.1r'JЊT8V"AȻHu}|$b{P8g/]QAsم(#L[PK-![Content_Types].xmlPK-!֧6 +_rels/.relsPK-!kytheme/theme/themeManager.xmlPK-!Ptheme/theme/theme1.xmlPK-! ѐ' theme/theme/_rels/themeManager.xml.relsPK] " 8@0(  B S  ? #2  hh^h`OJQJo(#2 n @@UnknownG* Times New Roman5Symbol3. * ArialABook AntiquaY Harvey BallsCourier New;WingdingsA BCambria Math@ "1hJK#fiK&,cY0dS2HX $P n2!xxChristian, Michele Christian, Michele        !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~on\ FT&" WMFC l EMF \KhC   % %   Rp@"CalibriHRO`2H@,$O`2H@ o.1@H <:o.1 ,%7.{ @Calibr ŗ`2s:Lt9'1z%1<:dv% % % !F(GDIC!b K  QOPl0 (Oppp@@@000 PPP```C k                                  H       "             [           &" WMFC m            8          ^                5   2                #    h                                          &" WMFC M                            &" WMFC -                                                                &" WMFC                                                                                                                                         &" WMFC                                               &" WMFC                                                                       &" WMFC                                                                                                                                                                           &" WMFC                                                                      &" WMFC m    &" WMFC M                                                          &" WMFC -                                                                                                           &" WMFC                                                                                                               &" WMFC                      
                                                                              &" WMFC                                                                                                             &" WMFC                                                                                                 &" WMFC                                                                                                                             &" WMFC m                                                                                                              &" WMFC M                                                                                                                  &" WMFC -                                                                                                   &" WMFC                                                    & WMFC " FGDIC" % % % TTAEALP % %   n."System-- @"Calibri---,n,TA Op(Oppp@@@000 PPP```C k                                  H       "             [                       8          ^                5   2                #    h                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                ''--- 2 pn --NANIWordDocument SummaryInformation( DocumentSummaryInformation8 ,SummaryInformation(  bjbj΀ 0 $$$$$$$$8!% -% $'9%9%9%9%9%&&&'')')')')')')'^),v)'$&&&&&)'$$9%9%>'f&f&f&&$9%$9%''T) f&&''f&f&&&9%q=4$&R&'T'0'&v,f&v,&v,$&$&&f&&&&&&)')'f&&&&'&&&&v,&&&&&&&&& #:         h hjh U    dgd  .:p n) =!"#$% 44Microsoft Office Word@ʗ1@KhM@FJ@(Z4՜.+,0 hp  BOOZ-ALLEN & HAMILTON  TitleOh+'0H      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwyz{|}~ \p Andrew Westner Ba=  ThisWorkbook=-3%8o@"1Arial1rCalibri1rCalibri1rCalibri1 rArial1rArial1 rArial1rArial1rArial1rArial1rArial1 rArial1rArial1 rArial1rArial1rArial1 rArial1rArial1 rArial1 rArial1rArial1rArial1rArial1( r Arial Narrow1 rArial1rArial1(rArial1 rArial1 rArial1rArial1h>1,>1>1>111<rCalibri1>rCalibri1?rCalibri14rCalibri14rCalibri1 rCalibri1 rCalibri1rCalibri1rCalibri1 rCalibri1rTahoma"$"#,##0_);\("$"#,##0\)!"$"#,##0_);[Red]\("$"#,##0\)""$"#,##0.00_);\("$"#,##0.00\)'""$"#,##0.00_);[Red]\("$"#,##0.00\)7*2_("$"* #,##0_);_("$"* \(#,##0\);_("$"* "-"_);_(@_).))_(* #,##0_);_(* \(#,##0\);_(* "-"_);_(@_)?,:_("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_)6+1_(* #,##0.00_);_(* \(#,##0.00\);_(* "-"??_);_(@_)[$-409]d\-mmm\-yy;@ 
0.0%                                        .  .  .  .  .  .  .  .  .  .  .  .  $  (   * ff + ) , * , #   P ! P " "  &   ) ` %       '    - a +  x@ @   x@ @    h  "x  x   x  )x  !x  x  |@ @   x@ @   *x   x@ @    x@ @    x@ @   8@ @   (x@ @   "x@ @   x@ @  8@ @  <@ @  8@ @    (@ @   "<@ @   8@ @    8@ @    8@ @    h@ @   |@ @   x@ @  x@ @  |@ @   |@ @    |@ @   |@ @   x@ @  x@ @  )|@ @  x@ @   x@ @   8@ @  *8@ @  Q@ @   "x@ @   "x@ @   Zx@ @   *x@ @  |@ @    x@ @   x@ @  x@ @  |@ @    x@ @   |@ @   x@ @    h@ @   "|@ @   x@ @  |@ @   h@ @          @   &x""  p  p  `  x )x  p""  p""  t""  p""  x"" *p""  x""     x  1 |  "<  x  x  x  x   x  *x   x  *x   h   (   h *8  "8 (8 *x   x  x  x   x   x   h   (   h "x@ @    h@ @   @ @   `@ @   x@ @   x@ @  x@ @  0@ @  x@ @  x@ @  x@ @   h@ @   x@ @  *x  "x  x@ @   `@ @ 7  `@ @ 7  `@ @ 7 8 8 "0@ @   @  x@ @  *x8 )x8     Q      @ *X "X  (  "x@ @   "x@ @   "x@ @  (8@ @  (8@ @  (8@ @  8@ @  8@ @  8@ @  8@ @  8 8@ @  8@ @  8@ @  8@ @  "x"  "x"@  "x "@  x"@ @   x"@ @   x "@ @  "x  )x  !x  x@ @  || }(}00\);_(*}(}00\);_(*}(}00\);_(*}<} 00\);_(*_)?_);_(}<} 00\);_(*_)?_);_(}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}(} p00\);_(*}-}= 00\);_(*}A}1 00\);_(*;_(@_) }A}2 00\);_(*?;_(@_) }A}3 00\);_(*23;_(@_) }-}4 00\);_(*}A}0 a00\);_(*;_(@_) }A}( 00\);_(*;_(@_) }A}8 e00\);_(*;_(@_) }}6 ??v00\);_(*̙;_(@_)    }}; ???00\);_(*;_(@_) ??? ??? ??? ???}}) }00\);_(*;_(@_)    }A}7 }00\);_(*;_(@_) }}* 00\);_(*;_(@_) ??? ??? ??? ???}-}? 00\);_(*}x}:00\);_(*;_(??? ??? ???}-}/ 00\);_(*}U}> 00\);_(*;_( }A}" 00\);_(*;_(}A} 00\);_(*ef;_(}A} 00\);_(*L;_(}A} 00\);_(*23;_(}A}# 00\);_(*;_(}A} 00\);_(*ef;_(}A} 00\);_(*L;_(}A} 00\);_(*23;_(}A}$ 00\);_(*;_(}A} 00\);_(*ef;_(}A} 00\);_(*L;_(}A} 00\);_(*23;_(}A}% 00\);_(*;_(}A} 00\);_(*ef;_(}A} 00\);_(*L;_(}A} 00\);_(*23;_(}A}& 00\);_(*;_(}A} 00\);_(*ef;_(}A} 00\);_(*L;_(}A}  00\);_(*23;_(}A}' 00\);_(* ;_(}A} 00\);_(*ef ;_(}A} 00\);_(*L ;_(}A}! 
00\);_(*23 ;_( +   2 P   133 + !3   !3 2 !3 + !3   !3 2 !3 + !3   !3 2 !3 + !3   !3 2 !3 + !3   !3 2 ! 20% - Accent1M 20% - Accent1 ef % 20% - Accent2M" 20% - Accent2 ef % 20% - Accent3M& 20% - Accent3 ef % 20% - Accent4M* 20% - Accent4 ef % 20% - Accent5M. 20% - Accent5 ef % 20% - Accent6M2 20% - Accent6  ef % 40% - Accent1M 40% - Accent1 L % 40% - Accent2M# 40% - Accent2 L湸 % 40% - Accent3M' 40% - Accent3 L % 40% - Accent4M+ 40% - Accent4 L % 40% - Accent5M/ 40% - Accent5 L % 40% - Accent6M3 40% - Accent6  Lմ % 60% - Accent1M 60% - Accent1 23 % 60% - Accent2M$ 60% - Accent2 23ٗ % 60% - Accent3M( 60% - Accent3 23֚ % 60% - Accent4M, 60% - Accent4 23 % 60% - Accent5M0 60% - Accent5 23 %! 60% - Accent6M4 60% - Accent6  23 % "Accent1AAccent1 O % #Accent2A!Accent2 PM % $Accent3A%Accent3 Y % %Accent4A)Accent4 d % &Accent5A-Accent5 K % 'Accent6A1Accent6  F %(Bad9Bad  %) Calculation Calculation  }% * Check Cell Check Cell  %????????? ???+ Comma,( Comma [0]-&Currency.. Currency [0]/Explanatory TextG5Explanatory Text % 0Good;Good  a%1 Heading 1G Heading 1 I}%O2 Heading 2G Heading 2 I}%?3 Heading 3G Heading 3 I}%234 Heading 49 Heading 4 I}%5( Hyperlink 6InputuInput ̙ ??v% 7 Linked CellK Linked Cell }% 8NeutralANeutral  e%"Normal 9Normal 2 :Noteb Note   ;OutputwOutput  ???%????????? ???<$Percent =Title1Title I}% >TotalMTotal %OO? Warning Text? Warning Text %XTableStyleMedium9PivotStyleLight168=,=,̙̙3f3fff3f3f33333f33333\` Cover(Purposei2 DashboardI Test CasesOut Of Scope ControlsSourcesLegend  Change Log!  
;U  _xlfn.IFERROR  ;V   ;  ; px4/"n-L'Š!6@=n-L'Š!6 ]xxuP[np+NB)RHqNhqC (5H79;ss˞53 #$!B  a95y {H"/}m>f>JleP 0 %$a LгPN'OО OR#RГ5z<]dhȨ(ȨȀ?$"O!3π&נ i|!;ľ~ #O!L_bfiV?uxM=)Tst,!@j,^ @So?$|1OkxII@Oژ4TS,ZC]qeD|G(T)5).*= c9+WkuRX_P=?H_"wC*`&+@(nVV?5}Q{YڼQJ(kqUp:HwI$ Y6 S1gj3+|pO}W xK#.rqH\n* Ip}b'0X PX^qNg&'1Oz^WEj>.6yuɼ{e_@}j| U|QCKeZQ1pM]]( FY/w$թN ǼV70Me/ಥKLMkV#2i^V}jbpGR"p Ҕ;92Py"@0ne;Sq#XlXf"ޗ;-& x7mt| SmL% M._z6WT֑MM/odjQԕhA3ؖe\L6gbbm'Ra+b¿'"Zj0u>_mI`s./.%O|^/&8;ğq4sM޾څ ρo8Զ](bGKIaY, ][AnҬJKy_PcdDŔ8\G/@)?2d#;B륽Eyh5/]%QڔS觍 @-Y'K]Xl捙j-/?xŸ4Ϭ,nlp` $۰?k&Y̨V Bԏs&7t:^2E+8 <m":vKT#|M>޻,$Z1Uza $iET+\#27Uof^`裷B2 #|./Bu~6 Q PYe['4'&vcbvPBJJ> ',gF`73Ȓ.K1{]D6̬>Qj"TnvS^GRƌ8,!9b>7cNitA_q% I+>頹bbݳrXTf%M]ļ~˾ݏ W43JK<*?%^6[ +EH:f*"Oz^ֻa-ߞ 7 w@D~GBͅrW({{34&0PZVOQ jC" X'@JgCd,O 4WhBt;yb^f0OciЉ%FBpѺ+Lј%R 8ݻ#GyB}l{|~\h΂W$% AZ鱄KD&{;3Y:V$ޏ7a(!"s6hy~ m]0)V̲L:]@6"{D,dH/6Ƙ ,eԩpa7:DHi*;^{!GΒaS^$?IoUAyo `/G]|"Ff} ]PU3XWQqJ9=9K9̉,oRv\o Qp7t\*{0-Wu8Ytb;އ,cʥkGjp/g pdydݤ^Np7!oI oJ7n_ڢaZ W0Jq >|ǃS2mQ L[@<3u@L0LuȱY%}fH@O{v:xnd?Ug'%Ư; uNc}nLR#zo~#SʞiΒ7?2c79L_nn|+-33 :İgg|cqHeQrhe{jbX 3qH0^A9`}e`B˛FpVnt߂ߑp҂]ׇ1L@uVWw*5wL~|нA61oRLqW ma XVu]SX*H YmKf-8p*g&{|g֊ M 6M?Xcj PXȺZa|5f@CH6BoCuVUue2h4a0dέv*[ڛQsT c,yڌt*7X"BUx\S-*wF+5Fihgoq:ɿ{饗uS° l5DLNh mE[^hbC?X|̮LfdqAi-kFL8KC]vDUinmiֶGac4LW"2?dd;WZXwxMfKT[`0lR Ey I_ .ةcI9^ >ER}E>4G JYӣ3pMQX<,4eۃ~ VbuITzڟضGFi1X^2UQQ8~N1$Y[B: ̼pe&?vK KČPtv8iF)xxōs9^Qi,K!ْP̼7] ^fhO4g+GU=-ۈo$x+U44@DCߐW^kv(Tqļo%߷x.'J^^ 8>AME }R*bA{=w8V!l 3բdC=srM z6lv̜vӳMr63hv()+IR~WS5XiFcZL^G}'tXu@|G!S s$ v/_qA ŋ+(Ը;o>-O m $бՔ}:Ni0JN5ȂC{a3AV3̱A$K )wTJ1k@;+#@dt"0/wҬXAmn:TdϬ;C^|'M@;|"\M)$(ЯC|_gϲIO85޹X/2<{-&ԭumVҿ!*WEE%S5,"0*]A#g,B*G{TBsO^"J=Au t7/O-]ŭ*eR9gVՈk7xx = S.hW+W)?۔iy(;Ep^ATVٻdτ991 epIE‘TLJ BL[zް|z7Z-c1)j ul@ 1`NvśPV@hRV#9pb&h\ n ÑCPxS.J}}I_ݸʖ" ?M~0Czu7v, ޜZW_rqq{<[(PH\sUKR/C: =e5G;'wR5zj1*LfP>Z,gR>m>w(#p#oF#l71t..6*yda L#cQ%KQvw[ d@aD|I7re>Fő c76S$w"$7dX6׌z4Avb}(3fmYH$dUFo\ifzUCG"7U8xd?!RDBcRւ%iʶw'h3?Fhח\$]Ef{:cӮ_6u]wA d !s6ԇ-ڋ P' ^/(M&5W0b -tvk{̋s&#&+vs'4o.~yFI4fO|3aCzIb!Q-R!gS.A'< [@iגaN=^O 
<؃}JJyoIc>=Um8o|$r-S[Ѡv Z8l53&TTw:-K2ӷrÅenCa".}V_%\;;cP95*ْ>RxW6΃چDG$-w|!8eGL٢!>^L [+ 'jh7dV᯻$pGϾCcSzX-9 LڳLAj;Al;xfhMr evL}P 82>yCE8r*_vZy i|)'Ur-v焃hX'C0Z<ʞoơ$g%VjQ6U]My.Xtpsƽཟ ہߝ͕\rDi$;SiG'#%UK% f:mg&Ƭ;f >G³X]U+|yV@\K_E8O@7 ;$Ƥؽ68߸]ZrwɎ=MVOC4'$Q >h&Dm $)-̇zAu;Un /w3CvQqL;."ݶ֩4ʽ22;ޔqۣμV`'/vС*N`(un;[M+͘阾)9~{[p * }ݨ r "J ! K"u{pTIi0íofxe%em3&G+p}?Q.e!Vjt$^-U74-R NIQM |o7aA<[*&"jXqIM#Rzhq_4`Y۰evo''U#ԇԍοž&CJ8k֙fj`lEu!Up+M1޶y>(:|B^{wů;-W}\717,qCD-ׄj :'v~`Ԛm`Xp7~]5XVݾD:l"WgsqxBAKTd] ՎiN+ߥ F\ڤ>ƽ9.Ѱ<6<0`70?r4w-d&B' a{aaÏMxJwM/#>.9n7KP O~~G;҄Upj٨S%^^m<5Wae;9V @9凶ߠ˺:mmj旖ӭ](4÷ucbZޥL1uLK#]L+%.$_R'ώdq9+jIC ws*R+`!-2|ODLdSk o/+b2L8Ȟh/cr{YZL&nz1â"9꺣cVldd73n#.c>ݐe^cRӍ1d|tV!/ 6+ 6mP-ώoMNթ$e5w0IIf"CPߏo. |Ӭv tlz[;{*B-'. Nj)(Tz哉T7̈́aE8˪"Bs40yv)X`mS +fxa<(|2F]{F>%9ٰt888p1ܕɳʶ3ݱ'ޱh?}=ಹ2͞("ܴ䆲rݵ!7ݱ%2]nň/2/8r;Zb5Fy kW3z |ruYNNyh ) Jp4y9BN.zfES.յWvDh mĹn s$B٧GDὐK_x\Tx ۙ-F<R">Vubw$YTII6z;gcdҗ '"= xn6a*jg/mDΒ>Da攷_a\Mz뭵!U 0|+JA,T ixd"jm 'GBXGtۨW52z[R.2.;rsAʴi0آէe-苼gCe;*?2OнIXp᧤6qߜL;Vh٫!7Rr Ѱ\WP0u} 'TV!(|`rQŚPuk]yc⛲箑8HIKZfC]tsD íxyM70Uƙ{xX<_~)/oǚ]? 
<nHiT\O;m(,u%T(T*WQQ%[RHITv/̙{/z|_ϯ˼Ҝ99>9̜32'=/1>ǃհշ [8Ǿʑ辱9<*YRڥg 'j)5h}1QB:ӗAf ݜ+d61]Jaio9$dnG}i{(R7@bJPפ8CvXtzɓTZZ-;w.~wJNjJPBw{I!ߊSK&%UiRu.Y\֊2LpJYG?&S;^iWJYK`+#{n J':?m9,UoIm鴍UG~5JƁao2-L~A-,eGN?sڬX'|UCw7um{iڲ5S^y]fʻ U:}((}j-˚?pvN7v&gw 4u})n}M-v'>GuGWث9;շYcR([C9{D ) jIAtEm3~rh皁)x&\rJLq𲊦5?[ݕPЈ}\15MI*CMp# Wq6KO, ^e u6$ `n 4>sY,k^ֺ8UM;أz%Jf!wNdʮقЌECW7儧Oy%{"ar9G~e\k$~Tؖڲpmq޶$M4w1+[bSf1 &N`g֌ܲc\y &Yr 9딙Aɱt x;+J{]QY4概&)ComsZ$OejM'~ xb>V"U=k"D}RMcLDOC3 f}vrlm3<)u:18s<K7Hl2i`IT2u\/דsGԦs%q~SO\buI Ȯ$=:y]n QASWggBl{^bӷӯE ؔ$Yn,UtK>6jJLMr /KxXeחȎ0)1ˏ kSkm;ywDWtX`G&kJ4MV$捁fN$[NַO-{_Ϊ\Ƶ!?潵Okb-hjȴ r M]S<5H~.˛cӅK^Ŝ*+Km\%;[GxbVgQbܪd7x涓?]qr~F^m_g DQ#b%wvؚ9MO4Nȍ齧qL)d$tޜ["֐㳒gF^6T?ɻqfS{y`[K6uA/N+""Dsܫd) YY?%)o`'ԁ?oVTƅyu): W5T{d/Z[W|obyBԽ_cuBӊ&3./g΋9=uSsJi͒'8x&w{lk66_~ڱ?s-7OX~9F"g996ÏNOZ"U㶙"+RU?Գ~k9NǼu,~}'5SԹJÍvū< >6ճМC~緡8|;-%/̴ܰ>/虾6G9Ϲ9Fi$rժ9OlǓX߹eTzb}A52.aE8LK"&NiϱxauY># dۣUH%=lt3wY?X;qzU%ZZT~ZdHTY׫G__zڀ*E.ע'zZ YiL |ݤ+S+TU.kFnoi20Wkh^qyV5̑ܝ =;*y)ebʇ-$ Y " ǏN=3Wl/;Uwǹ"_Mso]aE|GL^#@4y`%qc"%~z]W/t FjvziARC6&LzQe3͏S]ǖ^PLTvdj%M+^b(S_zݬ*G-&%"~@iod&z\Pɼ=-rC+0ku W=u÷G[CH[Iۤc0?" 'B[TJL2vSXIC+I{M??H@BI:6noG7@ 合c2yCByhFБ5)SżLjAI(XV 6&/))$%%aD"inn9r|r2FVVavڅp6y%M,v8ϱ%0s[in"\#҂S[SxD7O#qrR33\S&/ AQ.^0h{0 /@a.5RmD0yDW'/R8C+An,'>&.A[mj"I-O9QQZTPv6dMq(S@4!?$ L-O* F:iaax +:,( p8#DZ(L dǓ:8/ :2}{<Bf^_7ôOdlxlBB` "lyG&71OC)CU;Ba(;Óat710 `" <)*&gx#T9NSQF 5"#lH"\+`1aѓbϚSգaUǑDF$|9B5'%(F 0kõ$mk t<J # Aʛ ZucWfsDΓ GZ4Bգ3,ESe8Qh .Ń虡2i1,y1[ PưBe1b̴;(7yʐu%0¾³ R\ zC&KN NhP-Mz4B DF`m-g % TJMpJ hb9ZOU=Kv"XePHy#efe`GHФ D) a0P Ȧԣ'R̟OJ4.# d$+ "H?IkR@KޯCPgXȆ)*5X4B  _ARnbsF: 0DA]IO`|$ 5.}JUyDKQgDIgOhsr0;| I'=u")3P9$ EOSIj+H< E`S(y eIV:(%Gt iDG4xOa.n~#7ɿxm# C;G>Ԧf90ưűI΢yٹ()N03~ T8CX^ZiaDZ؎(b C ״$AP (9*85 }< L`c@Ul[#VBd'@Ʌ|@ɦ̍Cefa@!LaF䉈J 4'p%UVzo +M!p$`kDBଅĎb~2˨4Fa"gGbޖ!'{C BȠ<#"yBb|< ;9*Mvy"[bh} 3Bu1Lfx2j!;JuG'eG͠劲GE&XOg/fn<"8r9A/T?#&CyEE2VU<'*17G$]3ԙCĂ?Zȸb]#ӡ=/BW/WEAOmi7{Z4-X4#*~ O^TT2~'0?+_6<#|L͝öGFhe5y-6ԟ<ǖJqcK`l8ϱ%0s[i9sl qxBӽI(L u &)7WTX>0Hi7x&Ț.` \IТ:֯sA1c@?Bϯ0?KJ u*2*0b ?l/!ײ>f\CCr/%m DsXPg:C9? 
RgMuQȨ2> Damlx2V]є@Hf9 X,Oe [t伬2& ʗYز1J/I "xf "$'6 mvpptk8D-~ OvL OYW r^ ,::aH, {/݃>O6QIKj'3t&A@ဗE>E^ck1^Ht~  WxL\"$ j7## [>W 4bzIӂxPx5Jm(EAb`eqS)LO{G4zL"~xhg>J2X1HN"/9"TL2) ^MiQ(A8 $? VEw*AyChoSѐ4@DCڴnq3!"<?,#AKLlm-ğ(BI,-szkT]s6[ә_DH).;k+1ə݉͏kIE1yjV4u&C&7<=Lj^EwR7Ϥ(&ܝx*ItnԺ#\"! p)7kg΂Ԯ)RZj<>'qQPbOs&gb.Ll],(3weIdM4ۭONH:5~WԻn딏 (_ {TA@ȅaN`9=?Qnwq#rE? ~[{*w9 zO, Kү?eA¼V$OoiڊaxS~~8NZn;զNƗ _Ts `!ODkK sCJ+)V,E&KR|tOۀ\w3Wm-7h7XdO=#cVEELŲv+&sCG!}~89j_i }"Ucex uPUf3/ TPN7?r$(sR<}\x>>9S=n.3[P&RFuj^ N<'*<F[gYb?aij^GMg|ΰ#7Ey¯pr({oVȟ>ン, TK`uuG_7"+n+ ^N,6Jyd[T F=gt͙M qa- ;26~5y 6e >-հ{/*ĉ#ڿqu<:v7V D;6 kywwiCN!'>VW@Տ 'a`ůݮ_gّ_\GAn _sbǴJf!}xJ!}xJ!}xJ!}xJ!}xJ!}xJ!}xJ!}xJ!}xJ%+3z A\$[WXϧ ďo<}2C *+&%;T_^|oiih~8=^wL';M?>; ]{]܃lx!+/tiz<Q*AL'B!r%ZѽiQ3 ~TF|b2]a{տDW/--SÓ^t(@@1tmkM7z.m9]“^5V׶S؈* 9P)KEm<2Yv<]aa)~ϊ"[Aa6rSs}vgXR#; rFe/O%trohF"QRٳX a3VeOqxZagM0Cyz '<}W hnR}g(iWj;m„D7e/wo_+/Ņ:yʎI﨓+.=}s*@{Yq-Ga8<=:s7s<O@aO $; Y6pÂ8Kח[k ý`f~[lҔ?%wp{ϋZH CMlzu~kO7k):+:/aհx OфXH ;ҭ+'dz$i;Lf8Gn/YT-Ӓ`8(Ӧ.݂ m|;3?8lӘIqQǾχW ̃2c5~__gaOvi9 o,ϰUkj[jo)8d.+q˧A<>%Xsۏ%Ί)Q^ @΍qKqƍ>}UjR/]ש.ue/3 <ʘ}RGy45X gOԂnsTx[~/Y|zk~-y TRQ &SI_HBz/lYkx><~`o2FpQ2G?O QrE텛'? 
sY9óy,?y=`2-gPW-@xЛG@ a@p(pZ]ӽ)!X3|sdgfOoS r]uAX)?`b&'kmœ(WHi.}|VꃰR߱.rW\ ),cmpJ];+Ox^ ~r+tx:@6( v<}$joG:uoxf5~O|woِz$k) !U{G6@J7˹!ͣrכ ecoGoDCUיvo"es49m>xvǛXM@; +u/VkӢc)=/2ʰdy7s34 !׍ 0qW1Vn [,p&[629iXI3+:{Iv=f`n5Lzp<;!4>elwX0:OhyO9*q{ z][^8OAqdu~<3Ka>,s .=xLU;%@dz [˧:BQ;h (@퐊WX\#&}Hi'F.odzڣ ᜖#Dmѐj5>W#vn҉9wnljBnz'#CPhm`-=`fHZ]#wQ(cCΔ dHUs~tCw1Df'&A⽹.xa ;|^,:ZH'w9g> #$$Dko % s_sh~A(]{4[_&ujI Fh `YuhAxLjZ W}kd:O,A<*S >βgI9̦:=<3eό=MG^TFPE4Kx$I?PWM߈jwRn튤Pww<4 6Q/'u" &шm9"uxR./Itp":uL'Gʛ+oK$\3Nj^r}-xk * m.'`6*o=~!*mhsAp$U͑H v b"`n 3vdELb+Tt{p@aC[g-Z~;x<7OqYckJoX*/Uн*Υxp23I%DFMI8+е8>'چkk [Ϗ 3,J65*ʁ&29zN6v{ m6#$*h5ҏ`RQ #XMGj>>q,`@v'PJm'i 212ueƦ4aKPAJ*)2>+Zɷ4%紳(5?s<|tआE6cɧs7.źx253͍FFs'< .k\&s]tGM= J6ڠf%"#_ҤTmD;6xz}}6TGVOj(@j~fVDGtZд҉(9'7-jL+z 7ZP5™rw,m5=g #L;*wZtk'4E t>UqlULIEa IQT* k?TdwEC4o7A@_ 1Plz[Gu $:X<ɢ&mR.Ӎ8׋a|k'uU#Je:XW4I_gynafl!T,~E6KSpQɅOY/C*BL`0jn;mxׂr*}ѡ4uojHzx3OM T߱r/:U8 ŊMJQramoktf-ݩN!6vRCc'ibyሲB#2 G pƩ 7+DџlnN~wҠ9F+CPCՁ9Ak\oݶ`4x7[khhNMVO JUӸ{P ?^@!* "lEaI_{LL0P’s~y iΗ/iOl5ѦjC#+2-`SJHRJ ҽpl3MȊC_ϵ]t_լ@@%lx-RYiv fB;$Z(2"u( 5bhRۇb1Mwh x? \&]IU!ʓsiR^i\&K5ã0)vYU20PYo*> ϯC 5*4qPI`^碷Sڐpz d)*V D渡}Uotvw}:8y,?UX>gBAfC6*5xy5i 6\*h`?@.O{!u> S'AF`!sw5rPUƞu0C+4Q"kt7U;L)v{:+$B6|OCo'LĂ^AE-f|5iH%&Vm-RbJKJUe]l'gW n4) ]k\d(9j$qh1nWn-/ ç1;$NϏ-$?2Uj<ڰy}DVj5G}>% ' jEX\ Lju=vJZܩXz} g_,U7;W#&vWv %xvBg2O= {2pxd}˳jbGlJ96E|r[f|v1~h'z 7tTdnr'X5#_URjT|/OE0@;ÓE6DZ}K>jʉ h 7 N#߅i> -='Ϩ8ވ cAAV15.s %,;}}O(mw&ҩbV':G b^- /C3 =(Su+Y GzUygĽxPFJˀ71x}RswB7R8˅發(V+5s/Q{%4\ BgwEa@YfA͆[ S,^p'6*Ym(2kz<;ᓼ [Hb~`$qUnĒVbYz FK#om <b=hZlxr kG_K"h"f5;$`t7آ"K_ۯ=! \v?Iq7@AlQDSL\ƕ>L6w\'ƕ.|x@6M>>+h@MuL8}8Q\(QtBGtC%GeI_'czǰc]F>T7fF>KN_Y]kEcjRFaq_xc]  32]<}|0g 3A\ُ(|wcdg-5% .C/_!a2x^34n<1|JL6o)&v  ؒV[{{~E&TI)q+?|Vl^<'0-z8HW[Y'QfH'y he koYU ʁWQhD%I7:Փv: IP1N@_H < >Б _A%ZVRȑ#w"z\_ܝ˰ҙ7e%ՅkD7;>U^ЛWl#H5 ُ3QH(=ـQ_* <>9) şE

{ EӶgzdL* QKvK U$'^}7,$Q42t`3$ #8q?ަ)~|ֲ'N{mqxMzO09Ny$Peu|le.C7"v3 #,o;Ҏ8H""RGp~"G36I;peKqp4N *>;>uV x6|iP<t@哮TsMC!mnzٲOxR4;㨭%PiB\X0qx4LY'LH&/{ZK?\*.2Zt`c' =r`ـXzoց5Cy ątplD`(>5*M$ՅS㝲]rƳ֞4oo/zk,fdz4}Ϲy5;໖ p><촠>UKx}^x*3`~]7Z]x1(Ǧ9Hh| v޾7Čz<Bpl+:Ғ+ ǚ{uՈTp'hu%FxUvI7DD_OFnPQÙCq E*gB녟wr~ |!6P9Z!NfGv9+atg5+ dO'vтyhT=rTE?>و!Zdѱɂ31İհzʰ±<,d #]akCJko_"EOǚ2#<1TjIm{oSZ]=$W%!ӤH>c!L%ٟfͱէ\䥱败:I&݆[x[StxːFg̍0ZArtd c<ˤ$Rz!k#%\]W@,i'GN_q*YI5bƔ:|' @KƗ^?>'#?Fٳ>"t:Ɠ<[ NR>ވZv )Eh>sS (W*N`}$ќ3Qe@^IRb\1ћb*TfMFbEҥ6Rc&6K1 MƌB%oRU|sxNMގ/ZU,%g5%ޣHpܮT19ԒjфMY4J[6 ֙'<< x3h&Q>ɽ7OhHDGgu -#)I#/rkxb[8$a״Ot^gMOZ2Lyp6L5ѹ6g,yqa2xiTxBQƽ떭`Vq$mcgk'DHa[aGuZȳy$̢؉NpG5d &K3utϡ߬g`NHPx4Ĉ4!QQ# !̏:Jr%$'wlwHdހo Ert=86W-%ZB>&~4;W=\ϹÛw: *.1-/ZON܉gp,7lxC> H9VAH4紸.>;'s=L< j{^ғl4@BQCwRR\m?A&9\ B2:vEpecHޞ 'gX9b:wl4gGg0^cfdx*\t;a]N0 #?9Cu9i@y8@^<"93?'nwBr@dwZ+' jH1v ?>Nmm 9=ns ;_v.:[ Gqc_'b~幞%@]sX.Nrj}NdUy$3yMhm|=TQ4?Ceuo fi,5< Ӎ|V>ֳ0S鱫!|)܌[Xs-:$kϵ<dߦFV]eNO>Mjy%ngxDP/EMۮd8_6 m{S<|~ǬlI:;( X3'V3lմ!|==ʻ巡<"k.֌F UߘxaO#tBq0^`~ڽ <hO_X %Cߚ˳gx0cXgJougL׉=RbCկ8.$w3ɠxag7?|->kC_8G:q^?kO~g:׿Ÿ%C?niO_? B忖!#Ÿe/+OΣ3Ӈ3D*GO ޶Ro+ 7{b  ^HI n ^HIPNG  IHDREye sRGBPLTEHtHtHttttHHHHtHHtHHHtHtHHHttHtttHtHHtHttttHttttttttHHHHtttHtߜ߿ttHttHtߜ߿ߜHߜt߿tߜtߜ߿z. ~IDATx ۶iͫdKGYnSnV)ًmU$|4pBUG& gٴu݄4T|N*6BnoSVVe/{sS̺OݛK2˖O RWPEbRnalvZMqB/%`.%D:JR߿e?B),*gQBE ȇ*\|2-.wBs)a.X']5.Q SD<\kMlOՄ`3*! v7?T^*BN܈)U 2*sQ^no"B}cZTGrklY/.V?>B?=̙/ډ40nc$?ȞB4Ts"0/s`y_>Nx4 cP Sqm<"|ޮv7[{D58!SNu<~u+AWՃm22z*;!*{dnhxOnZyrfKZ Jn[7hS5>az~Ѫ~5VV~ /S422ljCH3;zZYh}vHWKɱ=˗,f/?c]S3SgN?,SͪM9J̸NI1=o`/~D"Dzuv]LGta:F D Fśy5[l׀En]▦*d:֬<k1?39yk%bjIy@cV0ܥں.L'P IHmxZBA`LiΫg xW jF7g:!kt1"b/8c ?![ؖ$X=s9(H66lA.n)nȮ@qK6 ӉL'E6m[sŻ?yU+ QmXMnFg:Q2V%cm@1` cm:0_f:hcZ-~*3Vi WM;#c9#HWqd {*V`H͡'S순W0p2Q7#%cB%=Bd2`GqX mEƌ:) `-.7:\f+Fs cR1cr%T#;MdwJsco,ǵͿ˃ksNt\W"T̘$*ci1R7=rfh 4T|,f Hf$72=E೔:2"3"m3I{U-!As׳@T(FO^~LL;glIxd,E^-'_c{/ Txd,E~ >`αP#_!+-eTBM+dM+dMLmqzLdsfo-Ѐ^xp#̂0!E4)`#  HU9H(R#3VRݷ8_.Izr$S^~rϋeqPTF;.Ȃܷ,XȰ":e U]?b*o,3`sjQRw]Tnp,T5w0k]F1XQrX:斍==\? 
:e lͽYATFj78$gH -1)1[?8}7緟 2ƗJ8` U"ms}@(#+Ho,t-Җ/וRq+d g hCZrsRge3?.:ebkaT_[֥ Ul@ƪmib8bzw?&-y*rկUS/։vbd}6z!> ͊4:)F׋v"{1ao{/j[E;EUTCEń`3u{d`oE;uX. vhQE;s&2ٚZ<=)IENDB`S AA@A@   _1. The application audit log captures the sufficient information to establish what events occurred, the sources of the events and the outcomes of the events, for example: i) the date of the system event; ii) the time of the system event; iii) the type of system event initiated; and iv) the user account, system account, service or process responsible for initiating the system event.1. The identified audit events are captured in the application logs. " All successful login and logoff attempts. " All unsuccessful login and authorization attempts. " All identification and authentication attempts. " All actions, connections and requests performed by privileged users. " All actions, connections and requests performed by privileged functions. " All changes to logical access control authorities (e.g., rights, permissions). " System changes with the potential to compromise the integrity of audit policy configurations, security policy configurations and audit record generation services. " Creation, modification and deletion of objects (e.g. files, directories and user accounts) " Creation, modification and deletion of user accounts and group accounts " Creation, modification and deletion of user account and group account privileges. " System startup and shutdown functions. " Modifications to administrator account(s) and administrator group account(s) including: i) escalation of user account privileges commensurate with administrator-equivalent account(s); and ii) adding or deleting users from the administrator group account(s). " Enabling or disabling of audit report generation services. " Command line changes, batch file changes and queries made to the system (e.g., operating system, application, database). " The audit trail shall be protected from unauthorized access, use, deletion or modification1. 
The application provides a capability to limit the total number of users sessions that can be opened in the entire application at the same time. 2. The application limits the number of concurrent sessions that can be opened by a single user to one. 3. The application automatically terminates a user session after 15 minutes of idle time. 4. A logical separation of duties is in place; if this is not feasible, an administrative policy is in place to enforce separation of duties. S1. All accounts found that have not authenticated in the past 90 days are disabled.r1. Test the application by attempting to authenticate with the published default password for any existing built-in account noted in Test ID #38, if such a default password exists. Note: This test will require the reviewer to research ahead of time built-in accounts and default passwords for the application used by the agency, which will be identified during the PSE.1. Examine the most recent code review results from the entire application. This can be provided as results from an automated code review tool, or a report that details vulnerabilities identified from a code review.1. Examine the most recent code review results from the entire application. This can be provided as results from an automated code review tool, or a report that details vulnerabilities identified from a code review. 2. Test the application by logging on the application and entering data larger than the application is expecting: " Very large number including large precision decimal numbers in numeric data fields. " Both negative and positive numbers should be included in numeric data fields. " Large amounts of data (at least 1024K) into the text fields. " If the application is a web-based application that utilizes query strings, testing should include passing at least 500 characters of data into the query string parameter. 
Percent (%)StatusPassFailInfoNot ApplicableBlank (Not Reviewed)Total Tests Performed # of Tests-SCSEM Results DashboardOut-of-Scope Reason=Control covered in operating system and network device SCSEMsTotal # Tests Available Test Method Test ExamineInterview Examine InterviewExamineInterview Examine Examine TestTestTest InterviewInterview TestExamine Interview1. Interview the Application Administrator to verify documented operating procedures exist for user and system account creation, termination, and expiration. 2. Examine a list of users added to the application within the past month and select a sample to determine the proper account authorization is in place. 3. Examine a list of recently departed personnel and verify that their accounts were removed or deactivated on all systems in a timely manner (e.g., less than two days). 1. If any actions are available without identification and authentication they are limited to general information that is publicly available. 2. For any other user actions that can be performed without identification and authentication, the agency has identified and documented specific user actions that can be performed on the information system without identification or authentication>Audit trails are periodically reviewed by security personnel. yThe auditing logs have been reviewed by security personnel within the time period identified in the system documentation.AC-13AU-6[Exceptions and violations are properly analyzed and appropriate actions are taken (AS 2.10)iExamine reports of that demonstrate monitoring of security violations, such as unauthorized user access. Interview Application Administrator and ask for the system documentation that states how often audit logs are reviewed. Also, determine when the last audit logs were reviewed. xThe Application Administrator can provide system documentation identifying how often the auditing logs are reviewed. 
AU-80DISA Application Security Checklist V2 R1.1 3670Interview the application representative to demonstrate the application provides the users of time and date of the last change in data content. This may be demonstrated in application logs, audit logs, or database< tables and logs.HThe Application provides time stamps for use in audit record generation.YThe audit logs contain time and date of auditable events using the internal system clock.SC-100DISA Application Security Checklist V2 R1.1 3415Interview application representative to identify the length of time a user can be idle before the application will time out and terminate the session and require reauthentication.+IRS Publication 1075, October 2007 RevisionPNetwork connections are terminated at the end of a session or due to inactivity. Control ID.Covered in operating system and network SCSEMsCP-5MP-7SA-10 First M. Lastmonth d, yyyy - month d, yyyyCity, STAgency POC(s): Name: Telephone # Email Address(###) ###-#### x#####First.M.Last@xx.xxx NIST ControlNIST ID Session LockAccount ManagementLeast PrivilegeAccess EnforcementSeparation of DutiesUnsuccessful Login AttemptsSystem Use NotificationProtection of Audit InformationContent of Audit RecordsAudit Storage Capacity%Response to Audit Processing Failures'Supervision and Review  Access Control)Audit Monitoring, Analysis, and Reporting Time StampsBaseline ConfigurationConfiguration Change Control Monitoring Configuration ChangesAccess Restrictions for ChangeConfiguration SettingsLeast Functionality&User Identification and AuthenticationSession TerminationAuthenticator ManagementAuthenticator Feedback#Cryptographic Module AuthenticationDeveloper Security TestingSecurity Engineering PrinciplesUse of Cryptography Mobile CodeApplication PartitioningInformation RemnanceDenial of Service ProtectionBoundary ProtectionTransmission IntegrityTransmission ConfidentialityNetwork DisconnectSession AuthenticityInformation Input RestrictionsDInformation Input Accuracy, 
Completeness, Validity, and AuthenticityError Handling)Information Output Handling and RetentionFlaw RemediationUpdated the following; 1.) NIST mapping per test case - Clarification of one NIST control per test case. 2.) Added NIST 800-53A Test Methods (e.g. Test, Examine, Interview). 3.) Added Out-Of-Scope controls tab. 4.) Added Dashboard tab to automatically calculate the Test Case results. 5.) Added Sources tab to identify sources for the Test Case material. 6.) Added SCSEM disclaimer language.Pass / Fail / N/A / InfoDIRECTIONS FOR SCSEM USEThis SCSEM is used by the IRS Office of Safeguards to evaluate compliance with IRS Publication 1075 for agencies that have implemented application software that is used to store, access, transmit or process Federal Tax Information (FTI). Applications may be client/server, standalone or web-based. Applications may be COTS or developed in-house by the agency. Agencies should use this SCSEM to prepare for an upcoming Safeguard review, but it is also an effective tool for agencies to use as part of internal periodic security assessments or internal inspections to ensure continued compliance in the years when a Safeguard review is not scheduled. Also the agency can use the SCSEM to identify the types of policies to have in place to ensure continued compliance with IRS Publication 1075.Booz Allen HamiltonAC-22CM-9IA-8IR-8SC-28SC-32AC-21AU-13AU-14SA-12SA-13SA-14SC-25SC-26SC-27SC-29SC-30SC-31SC-33SC-34SC-16SI-13PM-1PM-2PM-3PM-4PM-5PM-6PM-7PM-8PM-9PM-10PM-11-Passwords are Encrypted Prior to Transmission~1. The application encrypts passwords before they are transmitted during authentication with FIPS 140-2 validated encryption. 1. Interview the application administrator to demonstrate passwords are encrypted before they are transmitted during authentication with FIPS 140-2 validated encryption. &The Application Sets the Character Set2The Application is Protected Against SQL Injection1. 
Examine the most recent code review results from the entire application. This can be provided as results from an automated code review tool. The Application Does Not Contain Format String Vulnerabilities The Application is Protected Against Command Injection 1. The code review results indicate the application is not vulnerable to command injection. http://www.owasp.org/index.php/Command_Injection http://www.owasp.org/index.php/Integer_overflow http://www.owasp.org/index.php/Format_string_problem The Application is Protected Against Cross Site Scripting http://www.owasp.org/index.php/Cross_Site_Scripting 1. The code review results indicate the application is not vulnerable to cross site scripting. The Application is Protected Against Buffer Overflows 1. The code review results indicate the application is not vulnerable to buffer overflows. 2. The application gives an error that indicates the error condition is being checked. 1. A documented set of security principles and coding standards exists and is followed by agency application developers. 2. The documented set of security design principles is consistent with NIST SP 800-27. 1. Interview the application administrator to identify all application features that require cryptography. 2. Verify the application is using FIPS 140-2 validated cryptographic modules; confirm that the specific module appears on the NIST validated modules list rather than relying on a vendor claim of "FIPS compliance". The National Institute of Standards and Technology's (NIST) FIPS 140-2 Vendor List is located at: http://csrc.nist.gov/cryptval/. FISCAM AS 2.1 FISCAM AS 3.13 Administrators Receive System Security Updates Automatically 1. Interview the application administrator to demonstrate deployment personnel (i.e., system administrators, database administrators, application administrators) are registered to receive notifications for updates to all the application components, including any custom developed software. 1. 
The application is currently under support (either through vendor support for COTS product, or in-house agency maintenance team), and maintenance is available to address any security flaws discovered in the application. 2. The application is current with vendor supplied updates. W1. Examine the Software Configuration Management (SCM) Plan or equivalent document. The SCM plan should contain the following: " Description of the configuration control and change management process " Types of objects developed " Roles and responsibilities of the organization 2. Interview the application administrator to identify key transactions that provide user access to application change functionality. 3. Inspect transaction reports of changes made to the application. For sample of changes, inspect documentation of changes made, validity, reasons, authorization, and user authority.1. The SCM plan contains a description of the configuration control and change management process, types of objects developed, and roles and responsibilities of the organization. 2. The transaction reports indicate changes to application functionality are authorized and appropriate.The application provides the ability to manually log off of the application. The application automatically logs off the user's account (AS 2.3.2)b1. Test the application by logging in as a < user and attempt to manually log out. If this option is not available, ask the Application Administrator to explain how this function is performed. 2. Examine system security settings or observe an idle user session to determine whether the application logs the user off after an elapsed period of idle time.The agency has implemented an account management process for the application. Access is limited to individuals with a valid business purpose (least privilege) (AS 2.4.3)q1. 
The application code or the access controls of supporting software provide appropriate controls preventing unauthorized users from performing transactions that require authorization. 2. For any resource that is granted to everyone, world, public or similar user, it is the stated intention that the resource be public such that everyone will be authorized access.  1. Interview the Application Administrator and determine how the application authorizes transactions. Determine which of the following applies to the application: " A transaction authorization mechanism is built into the application code. If so, ask the application developer to locate the modules in the code that perform the authorization function. Review these to assess their adequacy. " Transaction authorization controlled through file permissions established by the operating system or views enforced by the database software. If the application leverages the access controls of the database or operating system software, identify cases in which permissions are granted to everyone, world, public or similar user, or group for which all users would be authorized. Note: The actual code review need not occur on a production system so long as the code reviewed is equivalent to the production code. MDetermine if the application permits only authorized transactions. (AS 3.8) L FISCAM AS 3.8^1. A single user cannot request, test, verify, and move a single change request to production.R1. Examine the CM repository permissions to determine the rights granted to users.]Approved security configuration guidance is used to configure application security features. `1. Examine the agency security policy for security configuration of custom built applications. 1. Test the application by creating a new user account and attempt to create a password that does not conform to agency password policy.b1. The attempt to create the password fails because it does not conform to agency password policy.FISCAM AS 3.61. 
Inquire if management has prepared a separation of duties matrix or uses commercially available software to monitor segregation of duties. 2. Determine through inquiry, observation, and inspection how the application segregates users from performing incompatible duties. 3. For a selected sample of users, inspect their access profiles to determine whether the access is appropriate and if any of the users have access to menus with conflicting duties. FISCAM AS 4.1 FISCAM AS 4.2pUser access to transactions or activities that have separation of duties conflicts is appropriately controlled. F1. Inspect user administration policy to determine whether owner approval is required to access transactions or activities in their area of responsibility. 2. Interview administrators to determine that access authorization requests are reviewed for separation of duties prior to granting access. Inspect a representative form, noting approval and consideration of segregation of duties. 3. Interview owners and inspect documentation to determine whether appropriate procedures are in place to identify and remove or modify access as appropriate to ensure segregation of duties. FISCAM AS 4.4FISCAM AS 4.5FISCAM BP 1.4FISCAM BP 1.7FISCAM BP 1.8SI-12fUse the error messages generated from Test ID 63 as input into this check. Ensure that the application provides error-handling processes. The application code should not rely on internal system generated error handling. 1. Inspect the verbiage of the messages to ensure that the application does not provide information that can be used by an attacker. The Application Validates Input Input data are validated and edited to provide reasonable assurance that erroneous data are detected before processing (BP 1.5)21. Examine the most recent application test plan to determine if testing was performed for invalid input, including the presence of scripting tags within text fields, query string manipulation, SQL command, and invalid data types and sizes. 2. 
Test the application by logging on to the application and entering invalid data in input fields. If there are various user types defined within the system, this test should be repeated for all user types. 3. Identify key data input screens and observe edits and validations that occur on data prior to acceptance. User Accounts Are Disabled After 90 Days of Inactivity Inactive accounts and accounts for terminated individuals are disabled or removed in a timely manner (AS 2.6.4) Built-In Accounts Are Removed Security policies and procedures appropriately address ID and password management (AS 2.3) Default Passwords Have Been Changed Security policies and procedures appropriately address ID and password management (AS 2.3) The Application Does Not Contain Duplicate Accounts Application users are appropriately identified and authenticated (AS 2.2) Identification and authentication is unique to each user (AS 2.2) The Application Does Not Allow Blank Passwords Security policies and procedures appropriately address ID and password management (AS 2.3) COTS products are configured to agency security configuration policy. Current configuration information is maintained (AS 3.2) Application Changes and Upgrades are Assessed for Security Impact Changes are controlled as programs progress through testing to final approval. (AS 3.5) 1. Examine the CCB process documentation to ensure potential changes to the application are evaluated to determine their impact, including security impact. An informal group may be tasked with impact assessment of upcoming version changes. Access rights to the CM repository are periodically reviewed. Access and changes to programs and data are monitored (AS 3.11) 1. Interview the Application Administrator and verify how frequently the configuration management repository access permissions are reviewed. 2. Examine evidence of the most recent review of the CM repository access rights. 
A Software Configuration Management Plan Exists AS 3.1 Policies and procedures are designed to reasonably assure that changes to application functionality in production are authorized and appropriate, and unauthorized changes are detected and reported promptly (AS 3.1)The Agency Uses a Configuration Control Board (CCB) to Govern the Application. Authorizations for changes are documented and maintained (AS 3.4)+1. Interview the Application Administrator to determine if a configuration control board exists and identify the primary members. Ask if there is CCB charter documentation, and examine the documentation. 2. Interview the application administrator to determine how often the configuration control board meets. Ask if there is CCB charter documentation. The CCB cha< rter documentation should indicate how often the CCB meets. 3. Identify recent software modification and determine whether change request forms were used and if CCB approval is documented. Note: If there is no charter documentation, ask when the last time the CCB met, and when was the last release of the application. CCB's do not have to physically meet and the CCB chair may authorize a release based on phone and/or email conversations11. The agency has implemented a CCB for the FTI system and CCB charter documentation is available. 2. The CCB charter documentation indicates how often the CCB meets. 3. Software modifications made are approved by the CCB.Application accounts do not have excessive privileges. Access to the application is restricted to authorized users. (AS2.4) Access is limited to individuals with a valid business purpose (least privilege) (AS2.4.3) Master data are complete and valid.(BP 4.4)1. Identify the account(s) that the application uses to run. These accounts include the application processes (defined by Control Panel Services (Windows) or ps  ef (UNIX). 
Also for an n-tier application, the account that connects from one service (such as a web server) to another (such as a database server). 2. Examine the user groups in which each account is a member. List the user rights assigned to these users and groups and evaluate whether any of them are unnecessary (for example, a service account that runs the application rarely needs membership in an administrators or database-administrator group). For example, if the user did not execute the transaction or activity within the expected time frame, processes should be in place to evaluate the continued need for access, and modify access accordingly. The application enforces user account lockout. The application locks the user's account after a pre-determined number of attempts to log on with an invalid password. The application may automatically reset the account after a specific time period (an hour to a day) or may require an administrator to reset the account. (AS 2.3.2) The application does not permit non-privileged users the ability to perform any administrative tasks. User access to sensitive transactions or activities is appropriately controlled. (AS 2.6) The application enforces a separation of duties for sensitive administrator roles. User access to transactions or activities that have segregation of duties conflicts is appropriately controlled. There is an effective segregation of duties between the security administration function of the application and the user functions. (AS 4.3.3) 1. Personnel who review and clear audit logs are separate from personnel that perform non-audit administration. 2. Personnel who create, modify, and delete access control rules are separate from personnel that perform data entry or application programming. 3. Personnel with security administration do not have access to input, process, or approve transactions; do not have access to more than application security administration functions and are prevented from accessing production data. 1. 
Interview the Application Administrator to identify the following: " Personnel that review and clear audit logs " Personnel that perform non-audit administration. 2. Interview the Application Administrator to identify the following: " Personnel that create, modify, and delete access control rules " Personnel that perform either data entry or application programming. 3. Interview the Application Administrator to identify the following: " Personnel that have access as a security administratorEnsure identification and authentication information is protected by appropriate file permissions. Sensitive application resources (identification & authentication information) are adequately protected. (AS 2.7)Application Maintenance is in Place Applications are updated in a timely manner to protect against known vulnerabilities (AS 3.13)0DISA Application Security Checklist V2 R1.1 20204The Application Baseline Configuration is DocumentedN1. Examine the agency security policy for configuration of COTS applications. mThe Number of Application Logon Sessions is Limited Multiple log-ons are controlled and monitored (AS 2.3.4)|Sensitive Information Is Not Embedded In Application Code Sensitive application resources are adequately protected (AS 2.7)1. Examine application source code (including global.asa, if present), configuration files, scripts, HTML file, and any ascidia files to locate any instances in which a password, certificate, or sensitive data is included in the code. 
Clear Text Passwords are Not Displayed During Login Security policies and procedures appropriately address ID and password management (AS 2.3)gUser Interface is Separated from Data Storage Application boundaries are adequately protected (AS 2.1) FISCAM BP 1.5Source of the test objectivekDetermines which platform the test case is applicable to, either a COTS application, or custom application.Reviewer to include any supporting evidence to confirm if the test case passed., failed on not applicable As evidence, provide the following information for the following assessment methods: 1. Interview - Name and title of the person providing information. Also provide the date when the information is provided. 2. Examination - Provide the name, title, and date of the document referenced as the evidence. Also provide section number where the pertinent information is resident within the document (if possible). 3. Test - Provide a detailed description of the output observed. Ensure all supporting evidence to verify the test case passed or failed. If the control is marked as NA, then provide appropriate justification as to why the control is considered NA.J1. Separate libraries are maintained for program development and maintenance, testing, and production programs. 2. Source code is maintained in a separate library. 3. Access to all programs, including production code, source, code and extra program copies are protected by access control software and operating system features.D1. Examine libraries in use. 2. Verify that source code exists for a selection of production code modules by (1) comparing compile dates (2) recompiling source modules and (3) comparing the resulting module size to production load module size. 3. Test access to program libraries by examining security system parameters.z1. Users are prevented by the application from executing incompatible transactions, as authorized by the business owners. 1. 
Owners authorize users to have access to transactions or activities that cause segregation of duty conflicts only when it supports a business need. 2. Security administrators review application user access authorizations for segregation of duties conflicts and discuss any questionable authorizations with owners. 3. Owners periodically review access to identify unauthorized segregation of duties conflicts.|1. Process owners have identified the segregation of duty conflicts that can exist, and the roles and users with conflicts. < 1. Inspect documentation of roles and users with conflict. Determine if management uses commercially available software to determine segregation of duties violations. If so, determine if appropriate follow up action is taken. Review evidence of monitoring of control effectiveness. 1. Inspect documented procedures for approval of input data. 2. Inspect a selection of source documents (a sample is not required, but auditor could elect to choose one) and input files and determine whether the source data were approved for input.1. Documented approval procedures exist to validate input data before entering the system. 2. Approval procedures are followed for data input.1. Inspect documented procedures related to data entry error handling procedures. 2. Inquire of management to determine which key management reports are used to monitor input errors. 3. Select a sample of input error reports and inspect to note evidence of management review. As applicable, inspect subsequent data input reports to note where data was corrected and resubmitted for processing.W1. Procedures are established to reasonably assure that all inputs into the application have been accepted for processing and accounted for; and any missing or unaccounted for source documents or input files have been identified and investigated. The procedures specifically require the exceptions to be resolved within a specific time period.1. 
Inspect a recent error report and note whether suspense items are being corrected in a timely manner. 2. If there are any long-standing items on the suspense report, note management's reasons for not correcting them in a timely manner.1. Data input errors are identified in suspense or error reports and resolved or resubmitted in a timely manner (within the period specified in the procedures1. Select output/reports and output files from the audit area and inspect application access (if the output can be accessed on-line or other electronic form) or inspect distribution to determine whether the user has appropriate level of security clearance and is authorized to access1. Access to reports is restricted to those users with a legitimate business need for the information. 2. Users should have appropriate authorization for accessing reports, including the appropriate level of security clearance, where applicable.1. The agency establishes and documents mandatory security configuration settings for COTS applications. 2. The COTS application is compliant with the agency's security configuration policy.1. Interview the Application Administrator to determine what functionality is installed and enabled by default for the application. 2. Examine the configuration of the server the application runs on. Determine what software is installed on the servers. Determine which services are needed for the application by examining the system documentation and interviewing the Application Administrator. For example, if two web servers (IIS and Apache) are installed and only one is being used. 1. The application does not install with functionality which is unnecessary and enabled by default. Any functions installed by default that are not required by the application are disabled. 2. Services or software which are not needed are not present on the server.FISCAM AS 2.3FISCAM AS 2.3.41. 
Interview the application administrator to identify application modules that involve user or process sessions (e.g., a user may initiate a session with a web server, which in turn maintains sessions with a backend database server). 2. Examine the application configuration to determine if application provides system definable parameters for the following: -The total number of user sessions open for the entire application. -The total number of concurrent sessions that can be opened by a single user. -The total amount of idle time before the user session is forced to terminate. 3. If configuration parameters cannot be viewed, manually test conduct manual tests for the three items above. 4. If there is a business need for allowing multiple concurrent sessions opened by a single user, interview the application administrator to determine how it is monitored to ensure that segregation of duties conflicts are not created.  FISCAM AS 2.7FISCAM AS 2.6.4 FISCAM AS 2.3COTSCustom COTS/ Customt1. Interview the Application Administrator and verify that only the administrator can unlock locked user accounts. B1. Only administrators can unlock accounts that have been locked.91. The system's monitoring capability works as described.:1. Examine the application configuration to determine if an automated, continuous on-line monitoring and audit trail creation capability is present with the capability to immediately alert personnel of any unusual or inappropriate activity, or in the event the audit process fails and logs are not being written. 2Only an administrator can unlock locked accounts. CAudit trails cannot be read or modified by non-administrator users.DNotification is provided when audit logs are reaching near capacity..The system alerts in a low resource condition.>1. The actions performed were written to the transaction log.7Fuzz Testing is Performed Prior to Application Releases&http://www.owasp.org/index.php/Fuzzing1. 
The test plan includes fuzz testing procedures (using an automated fuzzer) and fuzz testing is performed prior to all application releases. Fuzz test procedures include testing the User Interface (testing all the buttons sequences / text inputs), the command-line options, the import/export capabilities, and for a web application, the URLs, forms, user-generated content, RPC requests, etc.XFederal Information Systems Control Audit Manual (FISCAM), GAO-09-232G February 2, 2009 ReferencesRA-1RA-2RA-3RA-5PL-1PL-2PL-3PL-4PL-6SA-1SA-2SA-3SA-5SA-6SA-7SA-9CA-1CA-2CA-3CA-5CA-6CA-7PS-1PS-2PS-3PS-4PS-5PS-6PS-7PS-8CP-1CP-2CP-3CP-4CP-6CP-7CM-1CM-8MA-1MA-2MA-3MA-4MA-5SI-1SI-3SI-4SI-5SI-9IR-1IR-2IR-3IR-4IR-5IR-6IR-7AT-1AT-2AT-3AT-4IA-1IA-4AC-1AC-17AC-18AC-19AC-20AU-1AU-7AU-11SC-1SC-12SC-15SC-17SC-19bReviewer Note: This test may overlap with the CM control tests executed as part of the MOT SCSEM. SA-4AU-5@Access restrictions for changes to the application are in place.0The application enforces agency password policy.W1. Interview the application administrator to determine if a logical separation between user interfaces and data exist within the application. 2. Examine locations of the components of the application such as web server, database server, and application server. 3. Review security plans for proper identification of application boundaries1. Interview the application administrator to login and demonstrate the application supports detection and/or prevention of communication session hijacking, i.e., integrity checks (e.g., hash algorithms, checksums).X1. The code review results indicate the application is not vulnerable to SQL injection. Reviewer Note: This test may also be performed by the DES as part of the disclosure review. Coordinate with the DES for the collection of evidence for this control.1. The agency establishes and documents mandatory security configuration settings for custom built applications. 2. 
The application is compliant with the agency's security configuration policy. 1. Interview the application administrator to determine if a documented set of security design principles and coding standards exists. 2. Examine the documented set of security design principles. 1. Interview the application administrator to determine if maintenance is readily available for the application and if the application is under vendor support to address security flaws identified in the application. 2. Determine whether vendor supplied updates have been implemented. Note: The vendor maintenance aspect of this test does not apply to custom developed applications supported by agency personnel. This test requires the tester to research the current vendor supplied patch level. AC-4 AC-14 AU-3 CP-8 Control not selected in IRS Publication 1075 CP-9 CP-10 IA-3 IA-7 MP-1 MP-2 MP-3 MP-4 MP-5 MP-6 PE-1 PE-2 PE-3 PE-4 PE-5 PE-6 PE-7 PE-8 PE-9 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-16 PE-17 PE-18 PL-5 SC-20 SC-22 Control covered in the MOT SCSEM Control covered in the SDSEM SC-23 SI-8 1. Examine the application to determine if there are any user actions that can be performed on the information system without identification or authentication. User actions that can be performed without identification and authentication are documented. NIST SP 800-53A The application employs authentication methods that meet the requirements of FIPS 140-2 for authentication to a cryptographic module. 1. Examine the application or documentation describing the current configuration settings to determine if the authentication mechanism uses a FIPS 140-2 validated encryption module. A vendor statement of "FIPS compliance" is not the same as a validated module; check the module against the NIST validated modules list. 1. The application's authentication mechanism uses a FIPS 140-2 validated encryption module. The application provides mechanisms to protect the authenticity of communications sessions. 1. 
Examine application design documentation, or other relevant documents, reviewing for session-level protection mechanisms and their configuration settings to be employed in the information system. Note: The focus of this control is the information system protecting communications at the session, versus packet, level by implementing session-level protection where needed. 1. The application provides a capability to protect the authenticity of the session-layer communication protocols used by the application. 1. Examine a sample audit log from the application to determine if the application audit records capture 1) sufficient information to establish what events occurred; 2) sufficient information to establish the sources of the events; 3) sufficient information to establish the outcomes of the events. The application produces audit records that contain sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events. Interview the Application Administrator and determine how user credentials are stored. 1. Examine the permission configuration of the file, folder or database table where the credentials are stored. 2. If user credentials are stored in a database table, determine the encryption used on that table. Note: In many cases, local backups of the accounts database exist, so these must be included in the scope of the review. http://www.owasp.org/index.php/Canonicalization,_locale_and_Unicode http://www.owasp.org/index.php/Buffer_Overflow The Application is Protected Against Canonical Representation Attacks 1. The code review results indicate the application is not vulnerable to canonical representation attacks. The Application Handles Errors Properly The Application Fails in a Secure State 1. 
Test results indicate that the application fails closed when a failure occurs, e.g., when the application, web server or database service is stopped: -Application data is still protected -The database requires authentication before returning data -The application source files cannot be accessed because the application is not operating -Data is not available because the application is not operational1. Examine previous application test plans to ensure system initialization, shutdown, and aborts keep the system in a secure state.1. Tests are conducted at least annually to ensure system initialization, shutdown, and aborts keep the system in a secure state.1. Examine previous application test plans to determine if testing was performed to verify security remains in place when an application failure occurs (e.g., the application, web server or database service is stopped).5The Application is Secure During Startup and Shutdown7Format strings are restricted to authorized personnel. Input data are approvedError handling procedures during data origination and entry reasonably assure that errors and irregularities are detected, reported, and corrected.OErrors are investigated and resubmitted for processing promptly and accurately.gAccess to output/reports and output files is based on business need and is limited to authorized users. FISCAM BP 3.5CNote: Format string vulnerabilities occur when specially crafted format strings passed to a function allow flow control information to be viewed or modified. In a worst-case scenario, format string vulnerabilities can allow an attacker to execute code of their choice on the system, resulting in complete system compromise.FISCAM AS 2.61. Log on as an unprivileged user. Examine the user interfaces (graphical, web, and command line) to determine if any administrative functions are available. 
Privileged functions include the following: " Create, modify and delete user accounts and groups " Grant, modify, and remove file or database permissions " Configure password and account lockout policy " Configure policy regarding the number and length of sessions " Change passwords or certificates of users other than oneself " Determine how the application will respond to error conditions " Determine auditable events and related parameters " Establish log sizes, fill thresholds, and fill behavior (i.e., what happens when the log is full) FISCAM AS 2.3.21. Test the application with a valid user account to verify if a user enters a password incorrectly more than three consecutive times. 2. Examine the application setting for account lockout if the setting exists.4The application displays an approved warning banner. FISCAM AS 2.9FISCAM AS 2.10 FISCAM AS 3.1FISCAM AS 3.4$Unneeded functionality is disabled. FISCAM AS 2.2FISCAM AS 3.2FISCAM AS 3.111. The configuration management repository access permissions are reviewed at least every three months. 2. The person reviewing the CM repository access should not have the authority to make changes. +Access to program libraries is restricted. SEffective monitoring controls are in place to mitigate segregation of duties risks.Incompatible transactions and activities have been identified. Application controls prevent users from performing incompatible duties Source #2FISCAM AS 2.3.21. The application provides the ability for a user to manually initiate a log out and the log out feature is reasonably accessible to the user. Note: Reasonable accessibility is defined as the user having a hyperlink or button which they can click to manually log off. It is also acceptable if the application automatically logs a user off after the closing of the application or web browser. 2. Idle application sessions are logged off after 15 minutes of inactivity. FISCAM AS 2.4.3<1. 
The Application Administrator can demonstrate that documented operating procedures exist. 2. The sampled accounts have the proper authorization in place in accordance with agency policy. 3. The list of active accounts does not contain personnel who have recently departed the agency or no longer need access.Note: This test case is only applicable to a database backend which stores FTI and is accessed from a front-end interface such as a webpage. 1. Interview the Application Administrator and determine the account used in the database connection string. 2. Examine the account used in the database connection string on the operating system to verify the type and privilege level of the account. FISCAM AS 2.71. Only administrators, and the application or OS process that accesses the information, should have permissions to access identification and authentication information. 2. Database tables containing account credentials are encrypted.FISCAM AS 4.3.3JDatabase connections from the application use non-administrative accounts.WApplication Security and Development Checklist Version 2 Release 1.4, December 18, 20081. Examine previous application test plans to verify fuzz testing procedures are included and to determine if fuzz testing was performed prior to application releases. Note: Fuzz testing automatically injects semi-random data into a program/stack to detect bugs. It is important that all critical applications, most notably those facing the Internet or those that consume and parse files, be fuzzed.Y1. All cryptographic functions used by the application use FIPS 140-2 validated modules. 4The Application Uses FIPS 140-2 Validated Encryption1. Separation is accomplished through the use of different computers, different CPUs, different instances of the operating system, different network addresses, or combinations of these methods, or other methods. Note: A separate physical machine is not required but is recommended.1. 
Interview the application administrator to determine if the application is periodically tested for security flaws. 2. Examine test results from recent application security testing.1. The test plan and results indicate that input validation was tested. 2. The invalid data is rejected by the application. The application performs validation checks for known good data and rejects data that does not meet the criteria.1. Interview the application administrator to demonstrate whether the application sets the character set to reduce the possibility of receiving unexpected input that uses other character set encodings. 2. Test the application by viewing web pages to determine the character set. The character set could be found in the following locations: Perl. After the last header look for print "Content-Type: text/html; charset=utf-8\n\n"; PHP. Look for the header() function before any content is generated header('Content-type: text/html; charset=utf-8'); Java Servlets. Look for the setContentType method on the ServletResponse object Objectname.setContentType ("text/html;charset=utf-8"); JSP. Look for a page directive <%@ page contentType="text/html; charset=UTF-8" %> ASP. Look for Response.charset <%Response.charset="utf-8"%> ASP.Net. Look for Response.ContentEncoding Response.ContentEncoding = Encoding.UTF8 Note: This test is for a web application only.1. The application sets the character set to reduce the possibility of receiving unexpected input that uses other character set encodings by the web application.4The Application is Protected Against Race ConditionsBhttps://www.owasp.org/index.php/Reviewing_Code_for_Race_Conditions\1. The code review results indicate the application is not vulnerable to race conditions. J1. 
The user account is locked after three consecutive incorrect attempts.HThe Network Architecture Protects the Application From External Exposure7Code Reviews are Performed Prior to Application Release0DISA Application Security Checklist V2 R1.1 34200DISA Application Security Checklist V2 R1.1 34800DISA Application Security Checklist V2 R1.1 62100DISA Application Security Checklist V2 R1.1 31900DISA Application Security Checklist V2 R1.1 32400DISA Application Security Checklist V2 R1.1 33600DISA Application Security Checklist V2 R1.1 34500DISA Application Security Checklist V2 R1.1 34700DISA Application Security Checklist V2 R1.1 35000DISA Application Security Checklist V2 R1.1 33900DISA Application Security Checklist V2 R1.1 34000DISA Application Security Checklist V2 R1.1 34400DISA Application Security Checklist V2 R1.1 61400DISA Application Security Checklist V2 R1.1 36400DISA Application Security Checklist V2 R1.1 36800DISA Application Security Checklist V2 R1.1 36500DISA Application Security Checklist V2 R1.1 60900DISA Application Security Checklist V2 R1.1 61100DISA Application Security Checklist V2 R1.1 20200DISA Application Security Checklist V2 R1.1 40300DISA Application Security Checklist V2 R1.1 40400DISA Application Security Checklist V2 R1.1 50400DISA Application Security Checklist V2 R1.1 40100DISA Application Security Checklist V2 R1.1 60200DISA Application Security Checklist V2 R1.1 33800DISA Application Security Checklist V2 R1.1 34600DISA Application Security Checklist V2 R1.1 34100DISA Application Security Checklist V2 R1.1 33500DISA Application Security Checklist V2 R1.1 62400DISA Application Security Checklist V2 R1.1 62500DISA Application Security Checklist V2 R1.1 62600DISA Application Security Checklist V2 R1.1 33100DISA Application Security Checklist V2 R1.1 50100DISA Application Security Checklist V2 R1.1 50805DISA Application Security Checklist V2 R1.1 2060 31300DISA Application Security Checklist V2 R1.1 30100DISA Application Security 
Checklist V2 R1.1 31500DISA Application Security Checklist V2 R1.1 3340:DISA Application Security Checklist V2 R1.1 3700 3720 37400DISA Application Security Checklist V2 R1.1 30600DISA Application Security Checklist V2 R1.1 30705DISA Application Security Checklist V2 R1.1 3100 32300DISA Application Security Checklist V2 R1.1 34300DISA Application Security Checklist V2 R1.1 60400DISA Application Security Checklist V2 R1.1 21000DISA Application Security Checklist V2 R1.1 30900DISA Application Security Checklist V2 R1.1 32600DISA Application Security Checklist V2 R1.1 32500DISA Application Security Checklist V2 R1.1 33300DISA Application Security Checklist V2 R1.1 35100DISA Application Security Checklist V2 R1.1 35300DISA Application Security Checklist V2 R1.1 35400DISA Application Security Checklist V2 R1.1 35500DISA Application Security Checklist V2 R1.1 35600DISA Application Security Checklist V2 R1.1 35700DISA Application Security Checklist V2 R1.1 35800DISA Application Security Checklist V2 R1.1 35900DISA Application Security Checklist V2 R1.1 36000DISA Application Security Checklist V2 R1.1 36300DISA Application Security Checklist V2 R1.1 31203DISA Application Security Checklist V2 R1.1 APP31400DISA Application Security Checklist V2 R1.1 50600DISA Application Security Checklist V2 R1.1 51000DISA Application Security Checklist V2 R1.1 21300DISA Application Security Checklist V2 R1.1 30505DISA Application Security Checklist V2 R1.1 6050 5050r1. An automated mechanism is in place to warn the administrator. 2. The automated mechanism works as described.1. 
The following information is documented in the application configuration guide: " Versions of Compilers used " Build options when creating application/components " Versions of COTS Software Used as part of the application " For web applications, which browsers and what versions are supported All Known security assumptions, implications, system level protections, best practices, and required permissions are documented in the Application Configuration Guide. All Deployment configuration settings are documented in the Application Configuration Guide. Examples include: " Encryption Settings " PKI Certificate Configuration Settings " Password Settings1. Examine the application configuration guide or equivalent document to determine if information such as the following is documented: " Versions of Compilers used " Build options when creating application/components " Versions of COTS Software Used as part of the application " For web applications, which browsers and what versions are supported All Known security assumptions, implications, system level protections, best practices, and required permissions are documented in the Application Configuration Guide. All Deployment configuration settings are documented in the Application Configuration Guide. Examples include: " Encryption Settings " PKI Certificate Configuration Settings " Password Settings 1. Error messages do not include variable names, variable types, SQL strings, or source code. Errors do not contain field names from the screen and a description of what should be in the field.1. Non-privileged users do not have the ability to perform the identified functions. Note: Results should specify which of the functions are not restricted to privileged users. W1. Test the application by logging into the application and performing selected actions. Then exit the application, and search for files recently created. 
For a Windows system: Use Windows Explorer to search for all files (*.*) created today, and then examine the times to narrow the scope of the files to examine. For a UNIX system: Enter: # touch -t 200301211020 /tmp/testdatefile 2. Ask the application administrator to demonstrate how the application clears and releases memory blocks.5DISA Application Security Checklist V2 R1.1 3110 60301. Rights assigned to the user(s) are necessary. " The account is not a member of the Administrators group (Windows) and does not have a User Identification (UID) of 0 (i.e., the equivalent of root in UNIX). " The account is not a member of the SYSAdmin fixed server role in SQL Server " The account does not have DDL (Data Definition Language) privileges (create, drop, alter) or other system privileges. " There are no instances of unnecessary ownership or permissions.>1. The agency performs an impact analysis for the FTI system.Note: The results should specify the duplicates by name, unless they are too numerous to document, in which case a numerical count of the IDs is more appropriate.1. No passwords, certificates or sensitive data are embedded in the code. Note: The results should note specifically where the credentials or data were located and what resources they enabled.KPlatformSI 111. Test the application by logging into the application and performing several standard operations, noting if the application ever prompts the user to accept a cookie. 2. Log out, close the browser and check the cookies directory on the server (e.g., /Windows/cookies, /Windows/profiles/xyz/cookies, and the /Documents and Settings/xyz/cookies directories (where xyz is replaced by the Windows user profile name)). 3. If a cookie has been placed in either of these directories, open it (using Notepad or another text editor) and search for identification or authentication data that remains after logging out, to check for sensitive application data.5The Application is Protected Against Integer Overflowh1. 
The code review results indicate the application does not contain integer overflow vulnerabilities. e1. The code review results indicate the application does not contain format string vulnerabilities. 1. Procedures are documented for removing code when it is no longer executed and ensuring unnecessary code is not included in a release. For a web-based application, the procedures include both .asp and .html files, to the extent they exist; for a database application, they include stored procedures; for a client server or distributed application they include the Visual Basic or C (or the programming language that is being used) modules. 4The Application is Tested Prior to Update or Upgrade1. Examine the list of application user accounts. 2. Test the application by attempting to create a new user account with the same name as an existing user account. 1. Test the application by attempting to create a new user account with a blank password. 2. Test the application by attempting to log on to the application with an existing user account, but leaving the password field blank.1. The new user account creation fails; a password is required to create an account. 2. The logon attempt fails; a password is required for identification and authentication to the application.1. All application user accounts are unique; there are no duplicate user accounts. 2. The new user account creation fails. The application provides a mechanism to ensure duplicate user account names are not created, e.g., using operating system functions to manage user accounts.M2. The application uses a non-administrative account to access the database.1. Examine the locations of all format strings used by the application. Ask the Application Administrator to demonstrate that format strings used by the application are restricted to authorized users.1. Log on to the application. Verify that the warning banner displayed is in compliance with IRS requirements. 
The user must accept the warning banner message before moving forward.V1. Log files have appropriate permissions assigned and permissions are not excessive.1. Examine the application documentation and ask the Application Administrator what automated mechanism is in place to ensure the administrator is notified when the application logs are near capacity. 2. If the Application Administrator or the documentation indicates a mechanism is in place, examine the configuration of the mechanism to ensure the process is present and executing.1. A code review was performed on the application prior to release into production using automated or manual code analysis techniques, or a combination of both. 2. Security flaws found during the code review are entered into a defect tracking system and monitored for mitigation.1. Interview the application administrator to determine the application audit log location. 2. Examine the permission settings of the log files. For a Windows system, the NTFS file permissions should be System - Full Control, Administrators and Application Administrators - Read, and Auditors - Full Control. For UNIX systems, use the ls -la (or equivalent) command to check the permissions of the audit log files. aThe Application Removes Authentication Credentials on Client Computers After a Session Terminates1. The design documentation covers many aspects of the application design but also documents the minimal security requirements for FTI, external interfaces, roles, access for the roles defined, and any unique security requirements..The Application Code is Separated from the FTIN1. Modification of format strings is restricted to authorized personnel only.31. The application is tested for security flaws on a periodic basis using automated vulnerability scanning methods, or manual control testing, or a combination of both. 2. Test results are documented, and security flaws found during the test are entered into a tracking system and monitored for mitigation.1. 
Examine results from the code review performed on the application prior to its release in production. Note: This test does not apply to COTS applications.hT1. Examine the network diagram that depicts the location of the application server(s). S1. All externally accessible application servers are in a demilitarized zone (DMZ).:Unused Code and Libraries are Removed from the Application1. Examine application documentation to verify there is a documented process to remove code when it is no longer executed, and to ensure unnecessary code is not included in a release. 1. Procedures are documented for the testing of all patches, upgrades and application deployments that is required as part of the agency's configuration management process. 2. A test plan and procedures are created and updated for each production application release.1. Examine the application's configuration management plan (or similar document) to verify procedures exist which address the testing and implementation process for all patches, upgrades, and application deployments. 2. Examine test plans for the last several application releases. AC-3Version Release DateSummary of ChangesName First ReleaseIA-2IA-5AC-2AC-7AC-8AU-9IA-6Test Objective Test StepsActual ResultsTest IDSC-2Tester:Date: Location:IRS Safeguard SCSEM Legend(Identification number of SCSEM test caseNIST ID'NIST 800-53/PUB 1075 Control IdentifierObjective of test procedure.6Detailed test procedures to follow for test execution.Expected ResultsLThe expected outcome of the test step execution that would result in a Pass._The actual outcome of the test step execution, i.e., the actual configuration setting observed. Pass/FailJReviewer to indicate if the test case passed, failed or is not applicable. Comments / Supporting EvidenceComments/Supporting EvidenceSC-13SC-4 AssumptionsTest Case Tab: Execute the test cases and document the results to complete the IRS Safeguard Computer Security review. 
Reviewer is required to complete the following columns: Actual Results, Comments/Supporting Evidence. Please find more details of each column below. CM-2CM-3CM-4CM-5CM-6CM-7SA-8SA-11SI-2SI-10SI-11AC-5AC-6AC-11AU-2SC-5SC-8SC-9SourceSC-7SC-18AU-41. Examine the list of application user accounts to identify all users that have not authenticated in the past 90 days. Note: If the user accounts used in the application are only operating system or database accounts this check is Not Applicable. { 1. Examine the list of application user accounts to identify any default built-in accounts (e.g., accounts with vendor names such as Oracle or Tivoli). Note: Built-in accounts are those that are added as part of the installation of the application software. These accounts exist for many common commercial off-the-shelf (COTS) or open source components of enterprise applications (e.g., OS, web browser or database software).  n1. All default built-in accounts have been removed from the application or disabled if they cannot be removed.Q1. All application default passwords have been changed from their default values.h1. Test the application by attempting to authenticate. Observe the screen output during password entry. ^1. The password is not displayed in clear text, it is blotted by characters, i.e., asterisks. 9The Application is Periodically Tested for Security Flaws21. Examine the application's design documentation.'Application Design Documentation ExistsRSecure Design Principles and Coding Standards are Used for Application Development1. Interview application administrator and examine application documentation to determine if mobile code is used. Verify the source of the mobile code and if it is signed. Note: If the application does not contain mobile code this test is not applicable. 
Mobile code includes the following: 1) ActiveX controls 2) Mobile code scripts executing in Windows Scripting Host (WSH) (e.g., JavaScript, VBScript downloaded via URL file reference or email attachments) 3) HTML Applications (e.g., hta files) downloaded as mobile code 4) Scrap objects (e.g., .shs and .shb files) 5) Windows and Microsoft Disk Operating System (MS-DOS) batch scripts (.cmd and .bat) 6) UNIX Shell Scripts 7) Binary executables (e.g., .exe files) downloaded as mobile code. 8) Java applets and other Java mobile code 9) VBA 10) LotusScript (e.g., Lotus Notes scripts) 11) PerfectScript (e.g., Corel Office macros) 12) Postscript 13) Mobile code executing in .NET Common Language Runtime1. Interview the application administrator or examine the application documentation to determine the location of the application code. 2. Examine the directory where the application code is located, to include both custom source code and COTS executable files.H1. The application code is not located in the same directory as the FTI.BThe Application Removes Temporary Objects and Clears Memory BlocksMobile Code is Used SecurelyStored Passwords are Encrypted1. Examine the configuration of the application software to determine if encryption settings have been activated to encrypt user IDs and passwords that are stored by the application.t1. User IDs and passwords stored by the application are encrypted using a FIPS 140-2 validated encryption mechanism.1. obs are not found; temporary files are deleted automatically upon application exit. 2. The application clears objects prior to releasing memory.1. No authentication credentials are found in the cookie file (e.g., user name, ID, password, or key properties) 2. If the application is a web-based application, Internet Explorer (IE) is set to warn the user before accepting a cookie. )1. 
Deployment personnel are registered to receive updates to all components of the application, for example, Web Server, Application Servers, Database Servers. Also, if update notifications are provided for any custom developed software, deployment personnel should also register for these updates. 1. The application uses integrity checks (e.g., hash algorithms, checksums) to detect errors in data streams of the application data transmitted over the network.2The Application Protects Against Session HijackingQ1. The application supports integrity checking mechanisms for file transmissions.6The Application Supports Integrity Checking Mechanisms1. Interview the application administrator to demonstrate the application supports mechanisms assuring the integrity of transmitted information, both incoming and outgoing files, such as parity checks and cyclic redundancy checks (CRCs).Number of test casesLast test case row:HExpected Results: The warning banner is compliant with IRS guidelines and contains the following 4 elements: - the system contains US government information - users' actions are monitored and audited - unauthorized use of the system is prohibited - unauthorized use of the system is subject to criminal and civil penalties jNIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, Revision 3:Permitted Actions without Identification or AuthenticationgThe application terminates a network connection at the end of a session or after a period of inactivity#DESCRIPTION OF SYSTEM ROLE WITH FTInProvide a narrative description of this system's role with receiving, processing, storing or transmitting FTI.[The dashboard is provided to automatically calculate test results from the Test Case tab. The 'Info' status is provided for use by the reviewer during test execution to indicate more information is needed to complete the test. 
It is not an acceptable final test status; all test cases should be Pass, Fail or N/A at the conclusion of the review.=1. Examine audit logs and ensure the following events are captured in accordance with IRS Publication 1075: " All successful login and logoff attempts. " All unsuccessful login and authorization attempts. " All identification and authentication attempts. " All actions, connections and requests performed by privileged users. This auditing requirement also applies to data tables or databases embedded in or residing outside of the application. " All actions, connections and requests performed by privileged functions. " All changes to logical access control authorities (e.g., rights, permissions). " System changes with the potential to compromise the integrity of audit policy configurations, security policy configurations and audit record generation services. " Creation, modification and deletion of objects (e.g. files, directories and user accounts) " Creation, modification and deletion of user accounts and group accounts " Creation, modification and deletion of user account and group account privileges. " System startup and shutdown functions. " Modifications to administrator account(s) and administrator group account(s) including: i) escalation of user account privileges commensurate with administrator-equivalent account(s); and ii) adding or deleting users from the administrator group account(s). " Enabling or disabling of audit report generation services. " Command line changes, batch file changes and queries made to the system (e.g., operating system, application, database). " The audit trail shall be protected from unauthorized access, use, deletion or modificationAll FTI data in transit is encrypted when moving across a Wide Area Network (WAN) and within the agency's Local Area Network (LAN). 1. 
Interview the application administrator to determine if FTI is transmitted by the application electronically across the agency's local area network (LAN) or over a wide area network (WAN) outside of the agency's LAN.1. If FTI is transmitted over a LAN or WAN it is encrypted with FIPS 140-2 validated encryption, using at least a 128-bit encryption key.Auditing is enabled to the extent necessary to capture access, modification, deletion and movement of FTI by each unique user. 1. Test the application by having the Application Administrator login as an unprivileged user and perform actions to demonstrate the application creates transaction logs for access and modifications to FTI. 2. Review the audit log to verify the actions were written to the log.YUpdated SCSEM based on NIST 800-53 rev3 release. Updated for new Publication 1075 versionThe application adequately logs security-relevant events. Auditing is enabled to the extent necessary to capture access, modification, deletion and movement of FTI by each unique user. Application Security violations are identified in a timely manner. (AS 2.9)1. Mobile code is obtained from a trusted source, and is designated as trusted. The mobile code is digitally signed and the digital signature is properly validated by the client runtime environment prior to the execution. 2. Unsigned mobile code operating in a constrained environment has no access to local operating system resources and does not attempt to establish network connections to servers other than the application server. 
Note: The following mobile code types can be used without restriction: 1) JavaScript and VBScript when used in a browser 2) Portable Document Format (PDF) 3) Flash animations executing in the Shockwave Flash Plug-inSystem Hostname:The IRS strongly recommends agencies test all SCSEM settings in a development/test environment prior to deploying them in operational environments because in some cases a security setting may impact a system s functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the operational system configuration. Prior to making changes to the production system agencies should back up all critical data files on the system and if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary. The IRS welcomes feedback and suggestions from agencies in regard to individual SCSEMs.{Safeguard Computer Security Evaluation Matrix (SCSEM) Application Security Controls Release IV July 30, 2010 Version 0.3a3 `9c |C|> p% e  )  A ;t" (*<1C:NJMO4V]+ghkm mC.n{fnnn#o[Foopjtww$xMbxx{0 ̉} EJ ,1Īaf ;@1sUWke$  L F  #v5BccB  +!#  dMbP?_*+%&ffffff?'ffffff?(?)?MFreedom Import Printer$C od,,LetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"d,,333333?333333?&<3U} $ } } $ }  } I} } $ +                           @                              0l*2# $ % & ' ( *  #X #9 $Y $: %Z %; &< &=& &>& & ? 
'9 '@ ' A (9 (@ ( A *xL**0|(  0 %O2 0S N Group 2Horizontal Rule"x ] `3|~vB 0B >?Line 3%O]``4|B 0 D)?Line 4Z 22]`4 0 JA 1?IRS Logop!]N`  $|(Word.Document.8>@£    '' yK First.M.Last@xx.xxxyK Nmailto:First.M.Last@xx.xxxyX;H,]ą'c(( yK First.M.Last@xx.xxxyK Nmailto:First.M.Last@xx.xxxyX;H,]ą'cggD  -r1  dMbP?_*+%&ffffff?'ffffff?(?)?MFreedom Import Printer$C od,,LetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"d,,333333?333333?&<3U} m} $     @            p  q       @0$0$0$0$$$$$$>@A     "    wggD  7q=  dMbP?_*+%&ffffff?'ffffff?(?)?MFreedom Import Printer$C odXXLetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"dXX333333?333333?&<3U} $|} |} |} $ |}  |} |} |} $ | J               @  }}}  ~      + ;U PassAZ. #DD B   + ;U FailAZ. #DD B   + ;U InfoAZ. #DD B   * ;U N/AAZ. #DD B   $@U@ ;U A[.? #DD B  #   %   # @U@  %      @U@  D .U@ ;@@B@"T>}}}|vSS1>@   w  ; ;@@B@B@$C@Pass; ;@@B@B@$C@Fail; ;@@B@B@$CInfo  ; ;@@B@B@$C@Pass; ;@@B@B@$C@Fail; ;@@B@B@$CInfo  ; ;@@B@B@$C@Pass; ;@@B@B@$C@Fail; ;@@B@B@$CInfo  ; ;@@B@B@$C@Pass; ;@@B@B@$C@Fail; ;@@B@B@$CInfo  ; ;@@B@B@$C@Pass; ;@@B@B@$C@Fail; ;@@B@B@$CInfo{+{  {+{ {+{ {+{  {+{  {+{  {+{ {+{ {+{  {+{ {+{ {+{ {+{ {+{ {+{  Sheet2ggD   }JOVh4  dMbP?_*+%%"&CIRS Safeguards Application SCSEM &C&Pof&N&333333?'333333?(?)?MFreedom Import Printer$C odXXLetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"PXX??&U} }  } $}  } } } $}  }  m } $} I} } $ } I-} $  }+  @    p   @ p@ @ p@ @ P@p@  LV LB LC L~ L L' LS L LT La LU o af g~ M? 
OD My M M M ] ] ]  ] ^MW ~ M@ OE cN Y M M O O O  ] ^MW ~ M@ OF Mx MM M O O f  ]3 ^MW ~ M@ OG MF M M M ] ] ]  ] ^MW ~ M@ OG MF M M M ] ] ]  ] ^MW ~ M@ OG MF MM M ] ] ]4  ]=  ^M  e ~ M@ OH Mw M M M ] ] ]  ] ^MW ~ M @ OH Mw Mh M ] ] ]  ] ^MW ~ M"@ OH Mw M h M ] ] ] ] ^MW  ~ M$@ OH Mw M h M ] ] ] ] ^MW  ~ M&@ OF Mx M M M ] ] ] ]  ]M_  ~ M(@ OF Mx M M M ] ] ] ]# ^M_  ~ M*@ OI MO M M M ] ] ] ] ^M_  ~ M,@ OI MO MM M ]  ] ]  ] ^M_ ~ M.@ OJ MP MM M ] ] ]5    ^M  of ~ M0@ O pk pp p q q q  q! rps ~ M1@ OK XQ YY M O  O O9  ]6 ^M_ ~ M2@ OK Xz YY M O O O  ] ^M` ~ M3@ OK Xz Y Y M O O O  ] ^M_ ~ M4@ OL yl pp p q q q  q rpz ~ M5@ OM X YY M O  O O7  ] ^M_ ~ M6@ ON Y` YY M O  O O   ] ^M_ ~ M7@ OO Y$ Y Y M O" O O(  ]) ^M_ ~ p8@ OP p% p p p q& q q'  q# rpz ~ p9@ OQ p* p+p p q- q q,  q. rpz ~ M:@ OR Ml MM M ] ] ]  ]  ^M  o^ ~ M;@ OS cm Y Y M O O O  ]  ^M  o^ ~ M<@ OS cm Y Y M O O O  ]  ^M  o^ ~ M=@ OT cn YY M O O O  ]$  ^M  o^ ~ M>@ OU co M M M ] ] ]  ]  ]M  o^ ~ M?@ OU co MM M ]a ] ]  ]  ]M  o^ Dl P !P "#P $P %&P '0 (0 )P *+P ,-` .` /01P 234` 5@ 60 78@9p:;<=>?~ M@@ OV Mp M Y M ] ] ] ]g ]M o^  ~ !M@@ !OV !cp !Y !Y !Y !O !O !O ! ] ! ]M ! o^! !~ "MA@ "OW "Mq "M""M "M "] "] "d " ] " ]M " o^" "~ #MA@ #OX #ML #M #M #M #N #N #N/ # N2 # NN # b%# #~ $MB@ $OX $ML $M $M $M $N $N $O0 $ O1$ NNb $~ %MB@ %OY %M/ %M %M %M %N %N %] % ]% NN\ %~ &MC@ &OZ &MM &M &M &M &N &N &O & O&& NN\ &~ 'MC@ 'OZ 'XM 'Y 'Y 'M 'N 'N 'O ' N' NN\ '~ (MD@ (OZ (XM (Y (Y (M (N (N (N ( N( NN_ (~ )MD@ )OZ )XM )Y )Y )M )N )N )N ) N) NN_ )~ *ME@ *OZ *XM *Y*N *M *Nb *N *N * N* NN_ *~ +ME@ +O[ +MR +M +Y +M +N +N +N + N+ NN\ +~ ,MF@ ,O\ ,pr ,p,p ,p ,t ,t ,t , t, ttu ,~ -MF@ -O] -cs -Y-Y -Y -N -N -N - N>- NN\ -~ .MG@ .O] .cs .Y.Y .Y .N .N .O? . N8. 
NN\ .~ /MG@ /O^ /Mr /M/M /M /N /N /Nh / N/ NN\ /~ 0MH@ 0O^ 0Mr 0M0M 0Y 0N 0N 0N 0 N;0 NN\ 0~ 1MH@ 1O_ 1Mh 1M1M 1Y 1N 1N 1N 1 N1 [[W 1~ 2MI@ 2O_ 2Mh 2M2M 2Y 2N 2N 2N 2 N2 VV_ 2~ 3MI@ 3O` 3c 3Y3Y 3Y 3N 3N 3N 3 N3 VV_ 3~ 4MJ@ 4Oa 4MW 4M4M 4Y 4N< 4N 4N 4 N4 VVW 4~ 5MJ@ 5Oa 5MW 5M 5M 5Y 5N 5N 5Nc 5 N5 VVW ~ 6MK@ 6Oa 6MW 6M6h 6Y 6N 6N 6N 6 N6 VVW ~ 7MK@ 7Ob 7Mi 7M7M 7Y 7N 7N 7N! 7 N7 VV_ ~ 8ML@ 8Ob 8Mi 8M8M 8Y 8N: 8N 8N) 8 N8 VV_ ~ 9ML@ 9Oc 9X{ 9Y9Y 9Y 9N 9N 9N 9 N9 VVW ~ :MM@ :Od :M :M:M :Y :N :N :N@ : NA: [[W ~ ;MM@ ;Oe ;M| ;M;M ;Y ;N ;N ;Nd ; N; VVW ~ <MN@ <Oe <M| <M<M <Y <N <N <N < N< VVW ~ =MN@ =Of =M} =M =M =Y =N =N =N = N= VVW =~ >MO@ >Of >M} >M >M >Y >N >N >N > N> VVW ~ ?pO@ ?Og ?p/ ?p0?p ?p ?t3 ?t ?t1 ? t? wwx ?D"l@@ ApBCDEFGHI`JKL0 M NOPQ0 RST@ U` VWXYZ[\]^_~ @MP@ @Oh @p @p@p @p @t @t @v @ t@ wwx @~ AM@P@ AOi AMC AMAi AY AN AN AN A NA VVW ~ BMP@ BOj BMu BM  BM BY BN BN BN B ]B [[_ ~ CMP@ COj CMu CM CM CY CN CN CN C NC VV_ ~ DMQ@ DOj DMu DM DM DY DN DN DN D OeD VV_ ~ EM@Q@ EOj EMu EMEM EY EN* EN EN E O+ E VV E jE E~ FMQ@ FOj FMu FMFM FY FN FN FN F O, F VV F jF ~ GMQ@ GOj GXu GYGY GY GN GN GN G O G jV G jG ~ HMR@ HOj HXu HYHY HY HN H] HN H O H VV H jH ~ IM@R@ IOj IXu IYIY IY IN I] IN I O I VV I jI ~ JMR@ JOj JXu JYJY JY JN J] JN J O J VV J jJ ~ KMR@ KOj KXu KYKY KY KN K] KN K O K VV K jK ~ LMS@ LOk LMv LMLM LY LN LN Lg L OL VVW ~ MM@S@ MOk MMv MMMi MY MN MN MN M NM VVW ~ NMS@ NOk NM( NMNM NY NN NN NN N NN VVW ~ OMS@ OOk OMv OMOM OY ON O] ON O OO VVW ~ PMT@ POk PXv PYPY PY PN P] PN P OP VVW ~ QM@T@ QOk QXv QYQY QY QN Q] QN Q O Q VV Q jQ ~ RMT@ ROl RX RYRY RY RN RN RN R NR VVj ~ SMT@ SOm SMt SM SM SM SN SN SNi S OS VVW ~ TMU@ TOm TMt TMTM TY TNB T] TNC T O-T VVW ~ UM@U@ UOm UMt UYUY UY UN. U] UNE U ZDU VVW VVW X Y Z [ \ ] ^ _ Dl` a b c d e |` a b c d e |Jx$T  4<(  4 4 A??NTaudit policyPicture 1NTaudit policy!]&`4ZR 4 C ]F! 4 d ZR 4 C ]F!" d ZR 4 C ]F!" d ZR 4 C ]F!`" d ZR 4 C ]F!" d ZR 4 C ]F!@" d ZR 4 C ]F!" d ZR  4 C ]F !" d ZR  4 C  ]F ! " d ZR  4 C  ]F !" 
d ZR  4 C  ]F !" d ZR  4 C  ]F !`" d >@`b֠ A    wU U %;@ N/ALBRAA&&;InfoLBRAA&&;@FailLBRAA&  ;@Pass;@Fail;Info{U{U &;@ 13{U{U &;{U{U &;@{{U zjz&;PŔ0PassLBRAA&{+{ {+{ {+{ GG yK 1http://www.owasp.org/index.php/Command_InjectionyK zhttp://www.owasp.org/index.php/Command_InjectionyX;H,]ą'c$FF yK 5http://www.owasp.org/index.php/Format_string_problemyK http://www.owasp.org/index.php/Format_string_problemyX;H,]ą'c\KK yK Chttps://www.owasp.org/index.php/Reviewing_Code_for_Race_ConditionsyK https://www.owasp.org/index.php/Reviewing_Code_for_Race_ConditionsyX;H,]ą'cy  Input Error5Please enter an accepted value: Pass, Fail, N/A, InfodPassFailN/AInfoNU  Sheet3ggD  $C˸S-  dMbP?_*+%&ffffff?'ffffff?(?)?MFreedom Import Printer$C odXXLetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"dXX333333?333333?&<3U} |} 8|} $ |      4 ~ Q ~ j 5~ R ~ S ~ T ~ U ~ y n~ s ~ K  ~ L  ~ M  ~ N  ~ V  ~ W ~ X ~ z n~ { n~ $ ~ % ~ & ~ ' ~ ( ~ ) ~ 8 ~ l ~ m ~ n ~ o ~ p ~ q ~ 9 ~D@l&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& !"#$%&'()*+,-./0123456789:;<=>? t  ~ !2 !!~ "3 ""~ #4 #n#~ $5 $$~ %6 %%~ &6 &&~ '7 ''~ (m (n(~ )o )n)~ *p *n*~ +O ++~ ,q ,{,~ -P --~ .u .n.~ /D //~ 0E 00~ 1F 11~ 2G 22~ 3H 33~ 4I 44~ 5J 55~ 6v 66~ 7: 77~ 8; 88~ 9< 99~ := ::~ ;> ;;~ <s <<~ =t ==~ >u >>~ ?v ??~D@l&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_ @w @@~ Ax AA~ B7 BB~ C CC~ D DD~ E EE~ F FF~ G GG~ H HH~ Iy II~ Jz JJ~ K{ KK~ L| LL~ M} MM~ N~ NN~ O OO~ P PP~ Q QnQ~ R RnR~ S SnS~ T TnT~ U UnU~ V VnV~ W WnW~ X XX~ Y YY~ Z ZZ~ [ [n[~ \ \\~ ] ]n]~ ^ ^^~ _ _n_~D@l&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&`abcdefghijklmnopqrstuvwxyz{|}~ ` `n`~ a ana~ b bnb~ c cnc~ d dnd~ e ene~ f* ff~ g+ gg~ h, hh~ i- ii~ j. jj~ k/ kk~ l0 ll~ m1 mm~ n nn~ o oo~ p pp~ q qq~ r rr~ s ss~ t tt~ u_ uu~ v  vv~ w! ww~ x" x y# y z8 z {| {n |} |n }~ }n ~Y ~ Z Dl&&&&&&&&&&&&&&&&&&&&&&&& [  n \  ]   n  n  n n n w n n n n x  n n ?  
t { @  A  B   n n~2Z>@A  Sheet4ggD   9  dMbP?_*+%&?'?(?)?MFreedom Import Printer$C odXXLetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"dXX??&U} I_|} $ |   ~ ~ ~ ~ ~ ~ ~ ~ 2~ >@|z Sheet5ggD    dMbP?_*+%%"&CIRS Safeguards Application SCSEM &C&Pof&N&?'?(?)?MFreedom Import Printer$C odXXLetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"8XX??&U} C} mK} 1B} m}B} B} mC} B} &D} IB} IE} AB} B} $ B ,X@X@@,H,@@@ ,@ , , ,  , [  k FGGGB V A\m @] A^ Bm Q~ kB Bm Q' lBB S A_B B T  A` B B a  Ab B U  Ac d  Ie f  Jn QjP f0&44:::&&&>@FCB J       Sheet6ggD  V*  dMbP?_*+%&#&CIRS Safeguards Application SCSEM &C&Pof&N&?'?(?)?MFreedom Import Printer$C odXXLetterDINU"CSMTJFreedom Import PrinterInputBinAUTORESDLLUniresDLLOrientationPORTRAITResolutionOption5PaperSizeA4PrintQualityLETTER_QUALITYColorModeColorTFSM"dXX??&U} $ |} m |} I:|} |} $ |' RG RH RI RJ~S$@T@ UK Sr~S4@T@ Un Sr~S>@T@ U Sr~lPB<<<>@A     Sheet7ggD P 8Safeguard Computer Security Evaluation Matrix (SCSEM) IRSJonathan Isner@5Y@@exu@47՜.+,D՜.+,HP X`hp x V  CoverPurpose Dashboard Test CasesOut ODocumentSummaryInformation8 CompObj)rf Scope ControlsSourcesLegend Change Log'Test Cases'!Print_Area%'Out Of Scope Controls'!Print_Titles'Test Cases'!Print_Titles  Worksheets Named RangesD(X`8 _PID_HLINKS_NewReviewCycleAkHmailto:First.M.Last@xx.xxxkHmailto:First.M.Last@xx.xxx#$Chttps://www.owasp.org/index.php/Reviewing_Code_for_Race_Conditionsvf5http://www.owasp.org/index.php/Format_string_problemfD1http://www.owasp.org/index.php/Command_Injection F&Microsoft Office Excel 2003 WorksheetBiff8Excel.Sheet.89q