vFyٔ{6R(�)?~ܵ}\m�>m�z}�)=t^}_-̧pD'nRUh�}d܇.·��!�:"=>j\HY��'{!b6ᇂ`T�6)3�tlGd�4s/ϔɗՄʼ@3xc՛|ʷ/B�#�Bk�#ys�Uev� JwXM��-&#vp|He�`N\"D9If7�,_G4IOrub ~mES^k׮١U;J�t �����*�4i�0oE@r�8KQoPf*]"ʳ-O贵T,KG̽u)4G=c!ȕ9 /%x8� ޻_I=�☓4Edy4S�G�)pxYi]SUBSYS parameter is  ACF2 Note: Some may specify SUBSYS=****ACF2-14NSystem exits specified on the system are authorized, approved and appropriate.�Procedures: Review the  -- LOCAL EXITS SPECIFIED ON THIS SYSTEM --- section of the ACF SHOW ACTIVE report. For exits not = NONE, inquire of appropriate systems personnel as to (a) the purpose of the system exit (b) the business justification for the system exit (c) the system users responsible for maintaining the system exit (d) how ACF2 administers security to control logical access to the system exit code.=Procedures: All exits are properly justified and documented.ACF2-15AC-4Interview Test FTI Data FlowRAssess the file-level labeling of sequential access ("flat") files containing FTI.BProcedures: 1. Identify which sequential access ("flat") files on the system contain FTI (whether solely FTI or commingled). These could be Physical Sequential (DSORG=PS) files, or members of Partitioned Dataset (PDS - DSORG=PO) files. 2. Determine if the naming convention of the files identifies them as containing FTI.~All sequential access ("flat") files containing FTI are named to clearly identify them as containing FTI (wholly or in part). ACF2-16ZAssess the file-level labeling of databases (or other direct access files) containing FTI.�Procedures: 1. Identify which databases (or other direct access files) on the system contain FTI. 2. Determine if the naming convention of the files identifies them as containing FTI.rAll databases (or other direct access files) containing FTI are named to clearly identify them as containing FTI. ACF2-17_Determine if FTI commingled with non-FTI within databases / data tables are clearly identified.dProcedures: For databases (or other direct access files) which contain FTI: 1. 
Determine if FTI data is commingled with non-FTI data, and at what level, i.e., database, table, element. If FTI data is not commingled with non-FTI data, this test is Not Applicable. 2. If FTI data is commingled, determine if FTI within the data tables are clearly identified.1. If FTI data is not commingled with non-FTI data, this test is Not Applicable. 2. If FTI data is commingled with non-FTI data, FTI data within the data tables are labeled at the level that separates from non-FTI data, i.e., database, table, element. ACF2-18]Determine if auditing is activated within the database and on all data tables containing FTI.�Procedures: For databases (or other direct access files) which contain FTI: Determine if auditing is activated within the database and on all data tables containing FTI.�Auditing is activated within the database and all data tables containing FTI. Auditing must be enabled to the extent necessary to capture access, modification, deletion and movement of FTI by each unique user.ACF2-19AC-5mALLOCATE (ALLOC) or WRITE authority to core MVS operating system libraries are restricted to MVS programmers.�Procedures: Obtain the Access Rules (report) from the security officer for each of the critical SYS1 datasets: -SYS1.LINKLIB -SYS1.LPALIB -SYS1.MIGLIB -SYS1.NUCLEUS -SYS1.PARMLIB -SYS1.PROCLIB -SYS1.SVCLIB -SYS1.UADS -SYS1.VTAMLIB -SYS1.VTAMLST Through inquiry of the security officer, determine the name and job function of each user listed separately or within a Group on the Access Control List. Determine whether users having ALLOC or WRITE authority have a need for this level of access. bExpected Results: Only systems programmers should have ALLOC or WRITE authority to these datasets.ACF2-20AC-6UADS{UserIDs defined in SYS1.UADS are limited to IBMUSER, and to authorized emergency, disaster recovery, and systems personnel.<1. 
Consult with the ACF2 Security Administrator and verify that UserIDs defined in the TSO User Attribute Dataset (SYS1.UADS) are restricted to IBMUSER, and to authorized emergency, disaster recovery, and systems personnel. 2. List TSO users defined to SYS1.UADS dataset. Verify that these users are defined to ACF2 �UserIDs defined the TSO User Attribute Dataset (SYS1.UADS) are limited to IBMUSER, and to authorized emergency, disaster recovery, and systems personnel. The emergency, disaster recovery, and systems personnel are defined to ACF2.ACF2-21MEnsure ACF2 verifies access requests initiated by any system / started tasks.�Procedures: Review the STC OPTION setting under  OPTIONS IN EFFECT section of ACF2 GSO Control Options. STC OPTION denotes whether or not a system/started task must be authenticated by ACF2 before access to any dataset is permitted. �Expected Results: STC OPTION=ON (STC OPTION=OFF denotes that ACF2 will not authenticate access request initiated by a system/started task, regardless of the access rules established for the specific system resource.)ACF2-22�Entries included on  MAINTENANCE LOGONIDS/PROGRAMS/LIBRARIES are restricted to the minimum programs required to perform DASD maintenance or other related operations.�Procedures: Review the  MAINTENANCE LOGONIDS/PROGRAMS/ LIBRARIES (MAINT record) section of the CA-ACF2 Control Options (GSO Record). �Expected Results: Verify with appropriate systems personnel that: - All entries in the table are used for DASD maintenance or other related functions. - All program entries in the table are (1) exclusively maintained in ACF2-protected libraries, and (2) are accessible by authorized logonid(s) to<  perform activities commensurate with the existing user job function (e.g. DASD management)***. 
- All program entries are included in the  LOGGED PROGRAMS section of the CA-ACF2 Control Options (GSO Record).ACF2-23�Programs and libraries specified in  TAPE BYPASS LABEL PROGRAMS/LIBRARIES are authorized and approved by appropriate system personnel, as needed, to bypass tape-label verification in order to perform inherent job functions.�Procedures: Review the  TAPE BYPASS LABEL PROGRAMS/LIBRARIES (BLPPGM Record) section of the CA-ACF2 Control Options (GSO Record). �Expected Results: Interview appropriate system personnel and evaluate the justification for authorizing tape BLP capabilities for all programs specified.ACF2-24$To determine if MODE is set to ABORT�Procedures: Review the MODE setting specified in the CA-ACF2 Control Options (GSO Record). This will be the first line of the SHOW ALL output. MODE=ABORT denotes ACF2 denies access to a dataset unless explicitly defined/permitted by the dataset access rule. All access violations are logged. MODE= LOG denotes ACF2 permits all access attempts to datasets, regardless of the dataset access rules. All access violations are logged. MODE=QUIET denotes ACF2 permits all access attempts to datasets, regardless of the dataset access rules. However, access violations are not logged. MODE=WARN denotes ACF2 permits all access attempts to datasets, regardless of the dataset access rules. All access violations are logged and an access-violation message is sent to user s terminal. MODE=RULE is deemed a selective mode, where conditional actions can be executed if the existing access rule does not permit the user s request to access to dataset.!Expected Results: MODE = ABORT ACF2-25SDecompile authorities are restricted to logonids with SECURITY or AUDIT attributes.�Procedures: Review the DECOMP AUTHORITY setting of the ACF2 GSO Control Options. (denotes the types of users authorized to decompile (but not alter) and display access/resource rules regardless of restrictions placed by scope records.) 
7Expected Results: DECOMP AUTHORITY = SECURITY, AUDITACF2-26YListing Infostorage records are restricted to logonids with SECURITY or AUDIT attributes.WProcedures: Review the INFO LIST AUTHORITY setting of the ACF2 GSO Control Options. (denotes the logonid attributes authorized to display the records (e.g. GSO records, resource rules, scope records, entry records) stored in the Infostorage database. Also, scoped users can list all Infostorage database records, except for resource rules.) 9Expected Results: INFO LIST AUTHORITY = SECURITY, AUDITACF2-27VUID string modifications are restricted to logonids with SECURITY or AUDIT attributes.�Procedures: Review the UID setting under  RULES/DIRECTORY RESIDENCY OPTIONS section of ACF2 GSO Control Options. (UID denotes a string of concatenated fields that controls the definition of each user s UID record. The string composition is derived from the existing Field Definition Record (FDR). Each field should be reviewed to determine which users can alter (ALTER=) specific fields in the string - - thereby potentially altering access authorities granted to users. ) 2Expected Results: Consequently, UID string alterations should be restricted to users with unscoped SECURITY or AUDIT attributes. Furthermore, the RESTRICT attribute should be used in conjunction with SECURITY or AUDIT with each of the field definitions specified in the UID string. SECURITY or AUDIT.***ACF2-28>The SECURITY and ACCOUNT privileges are adequately controlled.�Procedures: Using the LIST IF command or the SL report, document who has the SECURITY or the ACCOUNT privilege. Inquire of appropriate personnel the justification for each user assigned these privileges. -SECURITY attribute allows: (1) access all datasets, protected programs and resources; (2) maintain all records in the Infostorage database; and (3) change and display logonid records. 
-ACCOUNT- The ACCOUNT attribute permits users to insert, catalog, and delete logonids (unless restricted or  scoped by the SCPLST logonid field). Users with the ACCOUNT attribute only, cannot catalog or change logonid records for users with both the ACCOUNT and SECURITY attributes. �Expected Results: SECURITY and ACCOUNT privileges have been granted to a limited number of users with a security responsibility.ACF2-292The NON-CNCL privileges are adequately controlled.�Procedures: Using the LIST IF command or the SL report, determine who has the NON-CNCL privilege. Inquire of appropriate personnel the justification for each user or login ID assigned this privilege. The NON-CNCL attribute specifies ACF2 cannot terminate or  cancel a user s request to access a dataset to which the user is not explicitly authorized through an access rule set. However, ACF2 logs all uses of NON-CNCL authority. �Expected Results: No more than 3 or 4 such users should be found, and these should be used for emergency purposes (e.g. started task IDs, assigned to FIRECALL IDs) only. In< addition, their usage should be reviewed.ACF2-301The READALL privileges are adequately controlled.KProcedures: Using the LIST IF command or the SL report, determine who has the READALL privilege. Inquire of appropriate personnel the justification for each user or Login ID assigned this privilege. (READALL grants the user the authority to open any file for READ and EXEC regardless of the rules and only applies to datasets.) mExpected Results: The READALL privilege should be limited to security Started Tasks and Emergency logonids.ACF2-31-The AUDIT privilege is adequately controlled.wProcedures: Using the LIST IF command or the SL report, determine who has the AUDIT privilege. Inquire of appropriate personnel the justification for each user or Login ID assigned this privilege. (AUDIT grants the user the authority to display logonid records, access rules, resource rules, and Infostorage records (e.g. 
GSO record), and all ACF2 system control options.) oExpected Results: The AUDIT privilege should be restricted to security auditors and/or security administratorsACF2-32/The MAINT privileges are adequately controlled.vProcedures: Using the LIST IF command or the SL report, determine who has the MAINT privilege. Inquire of appropriate personnel the justification for each user or Login ID assigned this privilege. (MAINT grants the user the authority to execute any program defined in the MAINT GSO;  MAINTENANCE LOGINIDS/PROGRAMS/LIBRARIES . Without logging or access rule verification.) �Expected Results: Only maintenance jobs having a business need to manage/maintain the logonids, programs, or libraries listed in the MAINT GSO section should be assigned this privilege. ACF2-332The TAPE BLP privileges are adequately controlled.0Procedures: Using the LIST IF command or the SL report, determine who has the TAPE-BLP privilege. Inquire of appropriate personnel the justification for each user or Login ID assigned this privilege. (The TAPE-BLP attribute permits users to bypass label processing (BLP) when accessing tape datasets.) �Expected Results: Limited access should be granted to this privilege and restricted to personnel routinely tasked with performing tape management job functions.ACF2-341The ALLCMDS privileges are adequately controlled.Procedures: Using the LIST IF command or the SL report, determine who has the ALLCMDS privilege. Inquire of appropriate personnel the justification for each user or Login ID assigned this privilege. (The ALLCMDS attribute permits users to circumvent the ACF2 restricted command list.) �Expected Results: Limited access should be granted to this privilege and restricted to personnel routinely tasked with performing job functions requiring use of ALLCMDS privilege. Evaluate delegation of this privilege for reasonableness. 
ACF2-35
The REFRESH privileges are adequately controlled.
Procedures: Using the LIST IF command or the SL report, determine who has the REFRESH privilege. Inquire of appropriate personnel the justification for each user or Login ID assigned this privilege. (The REFRESH attribute permits users to issue the ACF2 REFRESH operator command from the operator console. Consequently, users can apply dynamic changes to records (e.g., GSO record) maintained in the Infostorage database.)
Expected Results: Limited access should be granted to this privilege and should be restricted to users (e.g., security administrators) routinely tasked with applying changes to records (e.g. GSO record) maintained in the Infostorage database.

ACF2-36
The RULE_VLD privileges are included in the Security Administrators LID Record.
Procedures: LIST each logonid record that has the SECURITY privilege and verify that the RULE-VLD attribute is present. (The RULEVLD attribute denotes that all user access (in particular, access by data owners and users with the SECURITY attribute) to datasets and resources must be explicitly permitted by the access rules established for the dataset or resource.)
Expected Results: The RULEVLD attribute should be included in the logonid record for logonids with the SECURITY attribute.

ACF2-37
FTI datasets are restricted to users having a "need to know".
Procedures: 1. Obtain the Access Rules (report) from the security officer for each FTI dataset. Note: The applications programmer or production control group may have to assist in identifying all FTI datasets. 2. Through inquiry of appropriate personnel (data security, programming, data center operations), determine the name and job function of each user listed separately or within a group on the access control list. Determine whether users having access is appropriate and based on need to know and the least privilege concept. Given the nature of these datasets, even READ access may be inappropriate.
Ensure that no rule grants default or Global READ access to these data sets. Note: Data Security, Systems and Application Programmers, Data Center Operations, and Production Control typically do not need to have routine access to these datasets. FIRECALL or EMERGENCY IDs are the preferred control to grant temporary access to FTI datasets.
Users have access as appropriate and based on need to know and the least privilege concept. FIRECALL or EMERGENCY IDs are the control used to grant temporary access to FTI datasets.

ACF2-38
Access to the ACF2 distribution libraries (the files from which the product is installed) is controlled.
Procedures: 1. Obtain the Access Rules (report) from the security officer for ACF2 distribution libraries (generally denoted by the high level prefix CAI.*) 2. The ACF2 distribution libraries contain the load modules for the ACF2 software product. Examples of ACF2 load modules include the ISPF (Interactive System Productivity Facility) interface panels, macros, or vendor-developed JCL (Job Control Language) procedures. 3. Through inquiry of the security officer, determine the name and job function of each user listed separately or within a Group on the Access Control List. Determine whether users having access is appropriate and based on a need to know, least privilege concept. Only systems programmers tasked with routinely maintaining the ACF2 system product should have access to these datasets.
Only systems programmers tasked with routinely maintaining the ACF2 system product have access to these datasets. Note: System installation files should not be accessible on a production system.
If installation files are not accessible from the production system, this test is Not Applicable. Note: The high-level prefix may be site-specific.

ACF2-39
Access to the ACF2 databases and files is properly restricted.
Procedures: Obtain the Access Rules (report) from the security officer for each ACF2 security database (including backups) using the high level prefix: SYS1.ACF* or applicable high-level prefixes for the following datasets/libraries:
-SYS1.ACF2.RULES
-SYS1.ACF2.LOGINIGS
-SYS1.ACF2.INFOSTG
-SYS1.ACF.BKLIDS
-SYS1.ACF.BKRULES
-SYS1.ACF.BKINFO
Through inquiry of the security officer, determine the name and job function of each user listed separately or within a Group on the Access Control List.
Expected Results: NO users should have ALLOC or WRITE access to these files. No users should have direct access to these files. Note: Access to these files can be granted for emergency purposes using a FIRECALL or EMERGENCY ID. Note: The high-level prefix and file names may be site-specific.

ACF2-40
APF List and Linklist libraries
WRITE and ALLOCATE authority will be restricted for all libraries in the APF list and Linklist.
Procedures: 1. Review the active SYS1.PARMLIB(IEAAPFxx) to identify all active APF authorized libraries. 2. Review the active SYS1.PARMLIB(IEAAPFxx) to identify all active APF authorized libraries. 3. Obtain and review the Access Rules report from the security officer for SYS1.LINKLIB, SYS1.SVCLIB, and the libraries listed in the two active PARMLIB members, to determine if they are properly controlled. 4. Ensure that all APF libraries reside on the volumes specified.
Expected Results: WRITE and ALLOCATE authorities are restricted for these libraries.

ACF2-41
AC-7
Terminal sessions are cancelled after three (3) unsuccessful password attempts.
Procedures: Review the LOGON RETRY COUNT setting under "PASSWORD OPTIONS IN EFFECT" section of ACF2 GSO Control Options.
(LOGON RETRY COUNT denotes the maximum number of unsuccessful password attempts allowed before a terminal session is cancelled.)
Expected Results: LOGON RETRY COUNT=3

ACF2-42
Password violations accumulated by batch jobs are counted toward the MAX-PSWD ATTEMPTS.
Procedures: Review the PSWD-JES setting under "PASSWORD OPTIONS IN EFFECT" section of ACF2 GSO Control Options.
Expected Results: PSWD-JES=ON

ACF2-43
User logonids are disabled after three (3) unsuccessful password attempts.
Procedures: Review the MAX PSWD ATTEMPTS setting under "PASSWORD OPTIONS IN EFFECT" section of ACF2 GSO Control Options. (MAX PSWD ATTEMPTS denotes the maximum number of unsuccessful password attempts allowed before a user's logonid is suspended/disabled.)
Expected Results: MAX PSWD ATTEMPTS=3

ACF2-44
AC-8
The system shows an IRS-approved screen-warning banner that outlines the consequences/penalties for misusing the system.
Procedures: Review warning banner online to ensure compliance with IRS requirements.
Expected Results: The warning banner is compliant with IRS guidelines and contains the following 4 elements:
- the system contains US government information
- users' actions are monitored and audited
- unauthorized use of the system is prohibited
- unauthorized use of the system is subject to criminal and civil penalties

ACF2-45
AU-11
The organization retains audit records for [an organization-defined time period] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Confer with the Systems Programmer and Information Assurance Manager (IAM) to determine the site policy and procedures for dumping (backing up) SMF data and creating duplicate backups to prevent data loss.
Determine that the site data retention policy is in accordance with IRS guidelines.
Policy and procedures exist for backing up and retaining SMF data.

ACF2-46
AU-12
Checks to see if auditing is implemented.
Confer with the Information Assurance Manager (IAM) and System Administrator (SA). Verify that auditing is enabled. If the auditing is not enabled then this is a finding.
Auditing is implemented.

ACF2-47
AU-2
The use of powerful programs and utilities is routinely logged.
Procedures: Review the "LOGGED PROGRAMS" (LOGPGM record) section of the CA-ACF2 Control Options (GSO Record). Although access rules and other options (e.g. GSO Control Options such as (a) (b) and (c) specified above) control the use of these programs, the LOGPGM record provides a facility to produce audit trails that log all datasets accessed by any of these programs. Determine if the use of programs specified under the following GSO Control Options are logged accordingly:
Expected Results: (a) "Restricted Program Names" (b) "Maintenance Logonids/Programs/Libraries" (c) "Tape Bypass Label Processing/Libraries"

ACF2-48
ACF2 security records are properly recorded in SMF audit logs.
Procedures: Review the ACF2 COMMON setting under "SYSTEM PARAMETERS IN EFFECT"; "SMF RECORD NUMBERS" section of ACF2 GSO Control Options. Verify that all ACF2 SMF record types are assigned an SMF record number.
Expected Results: All ACF2 SMF record types should be assigned an SMF record number. The following are commonly used ACF2 SMF record numbers.
PASSWORD=220
DATASET VIO=221
LID JOURNAL=222
RULE JOURNAL=223
LID TRACE=224
TSO COMMAND=225
INFO JOURNAL=226
RESOURCE VIO=227
ACF2 COMMON=230

ACF2-49
Audit trails are generated for READ and above access attempts to FTI data sets.
Procedures: 1. Request the System Administrator to generate an ACF2 data set access report for FTI data sets. 2. Review the report and verify that access to the FTI data sets is properly logged, and is restricted to authorized personnel.
Using the previously obtained list of users authorized to access FTI data sets, verify that: a. Users logged as accessing FTI data sets are on the list of authorized users; b. No accesses to FTI data sets are logged for users not on the list; c. Logging records include READ accesses, as well as Write/Allocate accesses.
Access to FTI data sets is properly logged.

ACF2-50
SYS1.PARMLIB(SMFPRMxx)
Auditing is configured to capture security-relevant events.
Procedures: Review SYS1.PARMLIB(SMFPRMxx) (xx=00 or production suffix) 1. Ensure that, at a minimum, all IBM (00-127), all ACF2 SMF record types (as defined in the ACFFDR, default 230), and TSOMON (199) SMF record types are written. 2. Request documentation for any record types appearing in a NOTYPE(nn) parameter. Note: Some records, such as NOTYPE(4:5,16,19:20,34:36,40:41,69,99), may be suppressed for performance reasons. 3. If SMF exits IEFU83, IEFU84, IEFU85 are listed, verify with the Systems Programmer the functions performed by the exits. Ensure that they do not suppress required SMF record types. 4. Verify that the system SMF data sets specified in DSNAME(SYS1.MANx,...) exist and are written to.
1. IBM (00-127), all ACF2 SMF record types (as defined in the ACFFDR, default 230), and TSOMON (199) SMF record types are written. 2. Documentation exists for any record types appearing in a NOTYPE(nn) parameter. 3. If SMF exits IEFU83, IEFU84, IEFU85 are listed, they do not suppress required SMF record types. 4. The system SMF data sets (SYS1.MANx) exist and are written to.

ACF2-51
AU-4
The organization allocates sufficient audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.
Interview Information Assurance Officer (IAO) or systems programmer to determine if log storage is sufficient to meet IRS logging and retention requirements.
Review the size of the SMF data (SYS1.MANx) files, the %-utilization, and the schedule with which the files are dumped (backed up) and cleared. IRS Publication 1075, section 9.3, requires log data retention for 6 years.
SMF data (SYS1.MANx) files are managed adequately to prevent the loss of system audit data.

ACF2-52
AU-5
The information system alerts appropriate organizational officials in the event of an audit processing failure.
With the systems programmer, ensure that the system issues console alerts when the SYS1.MANx files approach critical threshold. Verify that the operations staff has standing instructions to notify the appropriate personnel, and that procedures have been established to dump the SMF data.
Appropriate console alerts are issued, and procedures exist to notify personnel and to manage the backup of SMF data.

ACF2-53
AU-6
The organization supervises and reviews the activities of users with respect to the enforcement and usage of information system access controls. (1) The organization employs automated mechanisms to facilitate the review of user activities.
Confer with the Information Assurance Manager (IAM). Verify that procedures are in place to review audit logs on a regular, periodic basis, and that these procedures are followed (i.e. that the reviews are performed). Inquire whether automated data review and reduction tools are available and/or in use.
Audit logs are reviewed on a regular basis. Automated tools are used if available.

ACF2-54
AU-7
The information system provides an audit reduction and report generation capability.
Confer with the Information Assurance Manager (IAM) and the System Administrator (SA) to determine what SMF data audit reduction and reporting tools are available (in addition to standard z/OS SMF reporting mechanisms).
Data reduction tools are available and in use.

ACF2-55
AU-8
The information system provides time stamps for use in audit record generation.
(1) The organization synchronizes internal information system clocks [Assignment: organization-defined frequency].
Confer with the Systems Programmer and Information Assurance Manager (IAM) to determine the site policy and procedures for setting, verifying, and synchronizing the system clock. Inquire whether the system clock is set to GMT+0 with a Time Zone offset, or whether the system clock is set to local time.
Policy and procedures exist for setting and periodically synchronizing the system clock. Note: Audit data (SMF) time stamps should reflect GMT time.

ACF2-56
AU-9
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
Determine in which library (SYS1.LINKLIB, etc.) the system audit data reporting tools reside. Obtain an access rules report for this library. Identify personnel who have access to the files and utilities. Ensure that no personnel have excessive access permissions.
Access to the audit reporting tools is restricted to the appropriate personnel.

ACF2-57
The audit trail shall be protected from unauthorized access, use, deletion or modification. The audit trail shall be restricted to personnel routinely responsible for performing security audit functions.
Procedures: 1. Request the System Administrator to generate an ACF2 data set access report. Review the report and verify that access to the SMF data sets (SYS1.MANx) is restricted to authorized personnel.
Access to the SMF data sets (SYS1.MANx) is restricted to authorized personnel. The general user community has no access at all to these data sets. No user has the direct ability to write to, allocate, or delete these data sets.

ACF2-58
IA-2
Ensure logonids submitting batch jobs are authenticated through designation of the JOB attribute.
Procedures: Review the JOB CHECK setting under "OPTIONS IN EFFECT" section of ACF2 GSO Control Options.
(JOB CHECK denotes whether or not logonids submitting batch jobs are authenticated through designation of the JOB attribute.)
Expected Results: JOB CHECK=YES

ACF2-59
Determine if ACF2 is used for TSO user logon validation
Procedures: Review the UADS setting under "OPTIONS IN EFFECT" section of ACF2 GSO Control Options. (UADS denotes whether or not the User Attribute Dataset (UADS) is used for TSO logon procedures; UADS=BYPASS denotes that UADS dataset is bypassed and TSO logons are authenticated by CA-ACF2 through active TSO fields defined in each CA-ACF2 logonid record; UADS=USE denotes that user TSO sessions are authenticated through SYS1.UADS. If UADS is used, review procedures for the control and maintenance of the UADS dataset (SYS1.UADS).)
Expected Results: UADS=BYPASS

ACF2-60
Passwords are required for all logonids (except for STC and RESTRICT).
Procedures: Review the PSWD REQUIRED setting under "PASSWORD OPTIONS IN EFFECT" section of ACF2 GSO Control Options.
Expected Results: PSWD REQUIRED=YES

ACF2-61
ACF2 displays the date and time of the user's last system access whenever the user logs on to the system
Procedures: Review the NOTIFY setting under "SYSTEM PARAMETERS IN EFFECT"; "OTHER" section of ACF2 GSO Control Options. (NOTIFY denotes whether or not information displayed about the user's last login date and time will verify that unauthorized use of their logonid has not occurred since the user's last authentic logon session.)
Expected Results: NOTIFY=YES

ACF2-62
IA-3
The information system identifies and authenticates specific devices before establishing a connection.
Confer with the System Programmer to verify that devices connecting to the system (JES NJE/RJE connections, SSH connections to USS, etc.)
are identified and authenticated before the connection is allowed.
Devices are required to authenticate before connection to the system is allowed.

ACF2-63
IA-4
User accounts that are inactive for a period of 90 days will be revoked
Confer with the security administrator to review the system security settings, to verify the configuration for revoking (or suspending) inactive user accounts. 1. Obtain the ACF2 Super List Report for all logonids defined to the installation. Review the rightmost column, which is a date field. Identify all logonids with date of last access exceeding 90 days from date of the review. 2. Verify that the logonids are revoked (i.e., ensure SUSPEND or CANCEL fields are specified in the logonid record) after a period of inactivity has expired. 3. Determine if policies and procedures are established to revoke inactive logonids after a specified period (e.g. 30, 60, or 90 days) has elapsed.
User accounts that are inactive for a period of 90 days are revoked. The CANCEL or SUSPEND field values are specified in logonids with the "Date of Last Access" field exceeding 90 days from the date of the security review.

ACF2-64
Revoked / deactivated user-ids are archived; they are not deleted, and are not re-issued / re-used.
Confer with the Information Assurance Manager (IAM) to determine the site policy and procedures for handling revoked / deactivated user-ids.

ACF2-65
IA-5
Users are permitted to change their passwords.
Procedures: Review the PSWD ALTER setting under "PASSWORD OPTIONS IN EFFECT" section of ACF2 GSO Control Options.
Expected Results: PSWD ALTER=YES

ACF2-66
Password expiration warning is 5-14 days before the password change interval (MAXDAYS) is enforced.
Procedures: Review the PSWD WARN DAYS setting under "PASSWORD OPTIONS IN EFFECT" section of ACF2 GSO Control Options.
Expected Results: PSWD WARN DAYS= [5-14 days]

ACF2-67
Minimum password length is eight (8) characters.
Procedures: Review the MIN PSWD LENGTH setting under PASSWORD OPTIONS
IN EFFECT section of ACF2 GSO Control Options. (MIN PSWD LENGTH denotes the minimum number of characters required for establishing a user password.)
Expected Results: MIN PSWD LENGTH=8

ACF2-68
Passwords are prohibited from being equivalent to a user's logonid.
Procedures: Review the PSWD-LID setting under "PASSWORD OPTIONS IN EFFECT" section of ACF2 GSO Control Options.
Expected Results: PSWD-LID=YES

ACF2-69
Passwords must contain alphanumeric characters, with a minimum of one (1) numeric character or (1) special character.
Procedures: Review the following settings under "PASSWORD OPTIONS IN EFFECT" section of ACF2 GSO Control Options.
Expected Results:
REQ ALPHBET CHAR=YES [forces at least one alpha]
REQ NUMERIC CHAR=YES [forces at least 1 numeric]

ACF2-70
Password history prohibits the reuse of passwords for six generations.
Procedures: Review the following settings under "PASSWORD OPTIONS IN EFFECT" section of ACF2 GSO Control Options.
Expected Results:
PSWD HISTORY=YES [forces password history of 4]
EXTENDED PASSWORD HISTORY=ACTIVE [forces extended password history]
EXTENDED PASSWORD HISTORY #=2 (or more) [specifies number of extra stored - 4+2=6]

ACF2-71
Passwords are prohibited from being composed of all numeric characters.
Procedures: Review the PSWD NUMERIC setting under "PASSWORD OPTIONS IN EFFECT" section of ACF2 GSO Control Options.
Expected Results: PSWD NUMERIC=YES

ACF2-72
Passwords are prohibited from containing repeating characters.
Procedures: Review the REPEAT PAIR CHAR setting under "PASSWORD OPTIONS IN EFFECT" section of ACF2 GSO Control Options.
Expected Results: REPEAT PAIR CHAR=0

ACF2-73
Reserved words are utilized to enforce password complexity.
Procedures: Review the PSWD RESERVE WORD setting under "PASSWORD OPTIONS IN EFFECT" section of ACF2 GSO Control Options, and the entries listed in the RESERVED WORD PREFIX LIST for common acronyms, prefixes, software system names, abbreviations, company names, etc.
Expected Results: PSWD RESERVE WORD=YES RESERVED WORD PREFIX LIST contains common acronyms, prefixes, software system names, abbreviations, company names, etc.

ACF2-74
Users are forced to change passwords at next logon whenever someone other than the user changes the user's password.
Procedures: Review the PSWD FORCE setting under "PASSWORD OPTIONS IN EFFECT" section of ACF2 GSO Control Options
Expected Results: PSWD FORCE=YES

ACF2-75
Password change interval "MAXDAYS" is appropriately set between 30-90 days.
Procedure: Obtain a user logonid (LID) report for general users and for a selected group of privileged users (e.g. Security Administrators, MVS Programmers/Support, Data Center Operations). Review the value specified in the MAXDAYS field associated with the aforementioned logonids selected. (MAXDAYS denotes the number of days allowed between password changes before the password expires.)
Expected Results:
90 - For standard users
60 - For privileged users

ACF2-76
Users are prohibited from changing their passwords for at least 15 days after a recent change. Meaning, the minimum password age limit shall be 15 days after a recent password change.
Procedure: Obtain a user logonid (LID) report for general users and for a selected group of privileged users (e.g. Security Administrators, MVS Programmers/Support, Data Center Operations). Review the value specified in the MINDAYS field associated with the aforementioned logonids selected. (MINDAYS denotes the number of days required between password changes.)
Expected Results: 15

ACF2-77
Users shall commit passwords to memory, avoid writing passwords down and never disclose passwords to others (e.g., with a co-worker in order to share files).
Procedures: Interview the Information Assurance Manager (IAM). Verify that policies and training are in place to ensure that users protect passwords appropriately. If possible, walk through the office areas and ensure that passwords are not written down (e.g.
look for sticky-notes, passwords taped to keyboard bottoms, etc.)
Policies and training are in place to ensure that users protect passwords appropriately.

ACF2-78
Passwords shall not be automated through function keys, scripts or other methods where passwords may be stored on the system.
Procedures: Interview the Information Assurance Manager (IAM). Verify that policies and training are in place to ensure that users understand that passwords will not be automated or stored in clear text on the system.
Policies and training are in place to ensure that users understand that passwords will not be automated or stored in clear text on the system.

ACF2-79
Default vendor passwords shall be changed upon successful installation of the information system product.
Procedures: Interview the System Administrator (SA) and Information Assurance Manager (IAM). Verify that procedures are in place requiring that default passwords for installed products are changed as part of the installation process.
Default passwords for installed products are changed as part of the installation process.

ACF2-80
The organization manages information system authenticators by: (i) defining initial authenticator content; (ii) establishing administrative procedures for initial authenticator distribution, for lost/compromised, or damaged authenticators, and for revoking authenticators; (iii) changing default authenticators upon information system installation; and (iv) changing/refreshing authenticators periodically.
Confer with the Information Assurance Manager (IAM) to determine the site policy and procedures for issuing and disseminating initial user passwords, and for requiring and enforcing periodic system-wide password change.
The site should have adequate procedures in place for initial password dissemination, and force periodic password change.

ACF2-81
IA-6
Check to see if the feedback from the information system provides information that would allow an unauthorized user to compromise the
authentication mechanism. Displaying asterisks when a user types in a password is an example of obscuring feedback of authentication information.
Interview Information Assurance Officer (IAO) or System Administrator (SA) and ask if any applications or services display the user or service account password during input or after authentication. Note: The TSOTWX and TSO2741 settings are no longer listed in the ACF2 GSO Control Options.
The information system obscures feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals.

ACF2-82
Users are prohibited from entering their username and password on the same line.
Procedures: Review the QUICK LOGON setting under "TSO RELATED DEFAULTS ACTIVE" section of ACF2 GSO Control Options. (QUICK LOGON denotes whether or not users can enter their passwords and logonids on the same line. YES indicates the password value will not be masked and will be displayed in plain text when entered.)
Expected Results: QUICK LOGON=NO

ACF2-83
IA-7
Checks to see if the information system employs authentication methods that meet the requirements of applicable laws, Executive Orders, directives, policies, regulations, standards, and guidance for authentication to a cryptographic module.
Interview the System Administrator (SA) or Information Assurance Officer (IAO) to determine if FIPS 140-2 encryption is used for the authentication module.
The authentication module is encrypted with a FIPS 140-2 compliant cryptographic module.

ACF2-84
SC-10
User logons are terminated if wait time exceeds two (2) minutes
Procedures: Review the LOGON WAIT TIME setting under "TSO RELATED DEFAULTS ACTIVE" section of ACF2 GSO Control Options. (LOGON WAIT TIME denotes the number of seconds used by ACF2 to time user responses and to subsequently abort the logon if the wait time parameter is exceeded. Settings exceeding 120 seconds should be evaluated for appropriateness.)
Expected Results: LOGON WAIT TIME= [60-120 seconds]

ACF2-85
The information system automatically terminates a remote session after 15 minutes of inactivity. (1) Automatic session termination applies to local and remote sessions.
Confer with the Information Assurance Manager (IAM) and System Administrator (SA). Verify that interactive sessions (TSO, TPX, SSH, etc.) are terminated after a period of inactivity in accordance with IRS guidelines.
Interactive sessions are terminated after 15 minutes of inactivity.

ACF2-86
SC-2
The information system separates user functionality (including user interface services) from information system management functionality.
Interview the Information Assurance Manager (IAM) and System Administrator (SA). Determine whether privileged users have accounts for performing day-to-day user activities that are separate from those used for performing privileged functions/tasks.
Privileged personnel should not use the same logon IDs for both normal and privileged functions.

ACF2-87
SC-23
The information system provides mechanisms to protect the authenticity of communications sessions.
Interview the Information Assurance Manager (IAM), System Administrator (SA), and Network Systems personnel. Determine what capabilities the system has to prevent network session hijacking.
The system should provide protection against network session hijacking.

ACF2-88
SC-4
AUTOERAS feature is specified for FTI datasets and related volumes.
Procedures: Review the -- AUTOMATIC ERASE VOLUMES -- setting under "OPTIONS IN EFFECT" section of ACF2 GSO Control Options. (AUTOERAS denotes the type of datasets and volumes where physical erasure is performed during deletion (scratch).)
Expected Results: Volume name(s) specified for FTI datasets and/or a naming pattern/masking composition that represents FTI dataset name(s).

ACF2-89
SC-5
The information system protects against or limits the effects of denial of service attacks.
(1) The information system restricts the ability of users to launch denial of service attacks against other information systems or networks. (2) The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
Interview the Information Assurance Manager (IAM), System Administrator (SA), and Network Systems personnel. Determine what capabilities the system has to detect and prevent inbound and/or outbound flooding-based denial of service attacks.
The system should provide protection against flood-type denial of service attacks.

ACF2-90
Network Documentation
Checks to see if all FTI data in transit is encrypted when moving across a Wide Area Network (WAN) and within the agency's Local Area Network (LAN).
Procedures: Obtain a network diagram that depicts all access points used to process, store and transmit FTI, noting firewalls, routers, and switches where applicable. Interview the System Administrator (SA) or Information Assurance Officer (IAO) to determine if all connections to the Mainframe are via *SSH or *Other communications methods using tunneling via or equivalent FIPS encryption. FTI is encrypted when traversing communication lines (e.g. T1, T3, ISDN) using encryption solutions including, but not limited to: Triple DES, SSL, TLS, or Secure IP Tunneling (VPN using IPSEC). Evaluate viable encryption alternatives for appropriateness.
The organization employs FIPS 140-2 validated cryptographic mechanisms to prevent unauthorized disclosure of information during transmission across the agency's LAN and WAN. FTI is encrypted when traversing communication lines (e.g.
T1, T3, ISDN) using encryption solutions including, but not limited to: Triple DES, SSL, TLS, or Secure IP Tunneling (VPN using IPSEC).

ACF2-91
SI-2
System Software Maintenance Documentation
Checks to see if the system is kept current with vendor updates, especially security related updates, and that maintenance is received, evaluated, and installed on a regular schedule.
Procedures: Interview the System Administrator (SA) to determine how often vendor software updates, especially security related updates, are received, evaluated, and applied to the system. Review system maintenance documentation if available.
The system is kept current with vendor updates, especially security related updates. Maintenance is received, evaluated, and installed on a regular schedule.

Note: Programs that should be maintained as "RESTRICTED PROGRAMS NAMES" (PPGM record) are those programs that do not initiate standard system services (e.g. open SVCs). Consequently, these programs can circumvent ACF2/SAF intercept points and compromise system security. Placing the aforementioned programs on the "RESTRICTED PROGRAM NAMES" list restricts the use and delegation of such programs to users with the PPGM, NON-CNCL, or unscoped SECURITY attribute. Note: Programs specified in PPGM should be stored in CA-ACF2-protected libraries (e.g. *MASPZAP is stored in SYS1.MIGLIB) to prohibit unauthorized users from (a) reading and copying these programs into unsecured libraries; and (b) executing the copied programs under an uncontrolled name (i.e., not included on PPGM list).

Note: If NOSORT=YES and a $NOSORT statement is specified in an access rule set, ACF2 sorting of rules from most specific to most general is suppressed. Consequently, general rules placed before specific rules could inadvertently supersede the specific rules appearing later on in the access rule set.
Therefore, a setting of YES should be justified by and discussed with the data owner or security administrator responsible for the rule set.�To ensure optimal protection of tape and DASD datasets, RESVOLS, SECVOLS, and TAPE DSN configuration should be evaluated collaboratively to determine the residual or collective impact of dataset protection enforced by CA-ACF2 access rules. ^Note: Due to inherent weaknesses in ACF2 password security controls, some installations may deploy (with installation-specific configurations) the NEW PSWD VALIDATE exit routine to enforce a more granular level of password controls, such as enforcing alphanumeric password composition requirements and enhancing password-history parameter controls. ]Note: Document here the file names of the sequential access ("flat") files which contain FTI.fNote: Document here the file names of the databases (or other direct access files) which contain FTI.Note: Document how FTI labeling is done at the table/row/element level. Note: FTI labeling requirements are: a. FTI needs to be tagged at the application, database, data profile, data table, data column and row, or even data element level. b. If an agency has a database that is composed entirely of FTI, labeling at the database level would be sufficient. c. If an agency has FTI commingled with other information in a database, FTI has to be labeled at the level that separates from non-FTI data (i.e. data table, data element).�Note: Document how table / element level auditing is done, what audit elements are collected, and where and how the audit data are stored.LNote: The logonids specified in these program entries are required to have the NON-CNCL or the MAINT attribute to ensure proper program execution. Consequently, these logonids allow users to execute these programs and circumvent explicit access rules (i.e., dataset authorization checking) and logging/auditing facilities specified for libraries that store these programs. 
Therefore, to mitigate the risk of unauthorized activities occurring without detection, the aforementioned entries should be specified under the  LOGGED PROGRAMS section of the ACF2 Control Options (GSO Record).Note: The GSO BLPPGM record grants a program the authority to use tape bypass label processing (BLP). This option is enforced at the program level  whether or not BLP authority is provided to users. In addition, the BLPLOG field, specified as  TAPE BLP section of CA-ACF2 GSO Control Options, logs all uses of BLP (i.e., TAPE BLP = LOG)  either by (a) a program authorized in the GSO BLPPGM record; or (b) a user authorized through the TAPE-BLP or TAPE-LBL attribute specified on the user s logonid record.[Note: Auditing is enabled by default in ACF2, and cannot be turned off within the product.�Note: Document how device identification and authentication is accomplished, and the relevant software and configuration settings (JES2/3 NJE and RJE definition parameters, ACF2 settings, SSH daemon config parameters, etc.).�Note: A general rule of thumb for mainframe systems is that the system should be no more than 3 months out of date with regular maintenance. Security maintenance should be applied as soon as possible after being received from the vendor.DUpdated warning banner language based on the IRS.gov warning banner."Updates: -Cover: Reorganized the Tester and Agency POC information cells, to better reflect possible multiple POCs. -Test Cases: a. Changed Column G header to "Pass / Fail / N/A", to more accurately reflect the four possible status indicators. Updated column headings to be consistent across all the Technical SCSEMs. b. Added conditional formatting to the status cells, and included summary cells at the bottom of the checks. c. Added control names to the NIST ID cells. Primary control is listed in black; any secondary controls are listed in GRAY. d. 
Changed the primary control for several findings where there was a better fit than the currently assigned control -Legend: Updated the Pass/Fail row to reflect the three possible status indicators (above). -Test IDs: 0.3 (cont.)�Updates (cont.): -Test IDs: -Test ID #7 Changed control to IA-2 (from AC-5) -Test ID #s 10, 12, 13, 14, 20, 22, 23: Changed control to IA-3 (from IA-2) -Test ID #25 Changed control to IA-2 (from CM-3) -Test ID #27 Changed control to AC12 (from AC-10) -Test ID #s 29, 30, 31: Changed control to IA-5 (from PMG-x) -Test ID #32 Changed control to CM-3 (from SM-2) -Test ID #33 Changed control to AC-14 (from AC-3 - switched) -Test ID #34 Changed control to MA-3 (from SM-2) -Test ID #36 Changed control to AC-6 (from CM-3) -Test ID #44 Changed control to IA-6 (from CM-3) -Test ID #62 Changed control to CM-3 (from AC-3) -Test ID #63 Changed control to SC-4 (from CM-3 - switched) -<Test ID #64 Changed control to SA-5 (from SS-2) -Test ID #77 Changed control to AC-5 (from SC-2) -Test ID #80 Changed control to SC-9 (from SC-3) -Test ID #81 Changed control to AU-9 (from SAMG) -Test ID #s 82-90, 92-95: Changed control to AU-2 (from SAMG-x) -Test ID #91 Changed control to AU-3 (from SAMG-x) <Updates: -Cover: Added SCSEM disclaimer language -Dashboard: Added test case calculations -Test Cases: a. Updated NIST test case method on old to new test cases b. Added test method column -Out of Scope Controls: Newly added worksheet to identify out of scope controls -Sources: Added worksheet for source documentsXUpdated SCSEM based on NIST 800-53 rev3 release Updated for new Publication 1075 version@Added data analysis checks; modified and updated numerous checksUpdate to new template.Booz Allen Hamilton�% DISA STIG for ACF2 �% SCSEM Version: 1.2 �% Released: February 12, 2013hMinor update to correct worksheet locking capabilities. 
Added back NIST control name to Test Cases Tab.�% NIST Control Name&Full name which describes the NIST ID.NIST Control Name Session LockAccount ManagementAccess EnforcementInformation Flow EnforcementSeparation of DutiesLeast PrivilegeUnsuccessful Login AttemptsSystem Use NotificationAudit Record RetentionAudit GenerationAuditable EventsAudit Storage Capacity%Response to Audit Processing Failures%Audit Review, Analysis, and Reporting%Audit Reduction and Report Generation Time StampsProtection of Audit Information8Identification and Authentication (Organizational Users)(Device Identification and AuthenticationIdentifier ManagementAuthenticator ManagementAuthenticator Feedback#Cryptographic Module AuthenticationNetwork DisconnectApplication PartitioningSession AuthenticityInformation in Shared ResourcesDenial of Service ProtectionFlaw Remediation*Transmission Integrity and Confidentiality SC-8 SC-9�Z �?��{[��ci��? �� ��C N C�� *����/J��?���R� �*�  �m�� / �$� p)�a,�&2g<%REoL�@W9b[[aaZ f�m�6v/K{ 8 y �� 0�}�R_�[9�� Ԧ�ά ����^���� �� p��my�4��?��OI�� h����"b��]�&kRs��t���g�cc��B����� T8� ,C(�0Y3  dMbP?_*+�%���# &CIRS Office of Safeguards SCSEM&L&F&RPage &P of &N��&�?'�?(�?)�?M.EPSONDCB139�P�� od��Letter����GIS4DINU"�4:�/Q�SMTJ�{F0BEC2A9-F2E2-478D-97C9-17823E280395}InputBinFORMSOURCERESDLLUniresDLLOrientationPORTRAITResolutionOption360PaperSizeA4ColorModeColor24bppCollateOFFMediaTypePLAINV4DM�"d���?�?�&��cU} $ �} � �} $ �} $�} $ �,;;�����h@�@ � � � � ���������������@�@���� z� ������������� � y� ������������� �"������������� � �� ������������� � 0� ������������� � 1� ������������� �"�������������� � �� ������������� � �{� ������������� � �|� ������������� � �}� ������������� � �~� ������������� � �� ������������� �" �������������� � �� ������������� � �� �-����������� � �� �-����������� � �� �.����������� � �� �-����������� � �x� �-����������� � �A� �-����������� � ���� � �E� ������������� �"�������������� � � � ������������ � � � ������������ � � � ������������ � � � 
������������ � �� ������������ �"�������������� � � � ������������ �BX22&222&222222&22222222&22222& �!�"�#�$�%�&�'�)�`*�`+�`� � � ������������ � !� � !������������ � "� � "������������ � #�� #������������ �$ ���� � %�F�% ���� � &�m� &�o�& ���� � '�n� '�p� )�� *�� +��J�2222 .� � �( � �� �  � �A�:?��?�:�The official logo of the IRSPicture 1The official logo of the IRS"�PK!�9^�[Content_Types].xmlAN�0EH�%NY tA�*T0�'E2�� JMN� vi{ɖz$cȢ*%�2�-uAg�>zӶ/�3[0߀:r5�a8�>GT�8W�r>wOo?aΫ�Uv_��PK!�+2m��drs/picturexml.xmlU[o�0~�`r @%U4۪�.`ؑ&HU{iʓ}}߹C�*ͤ(qx`DE%k&6%2!�&\ Z�C� "V*B`(qk̶}]#Jn�o#UG l��x(R_o%n)5ރgr>�)h\�4XpQOWڷAG�$JZWl0hi r7#�,�F{'�&�49Έ#�q3n˪ݳ^ |w� ��$P/A:�0ϊ�� R$UpF�0~}a5X�;a�S�d['wG�r�s�ݖ�/ӹYOm׌CuIU�W/Ue5U{)j@e�9.[!HiR}�(3:x: he^`m`P�0dQ`T�ҭ{tBŢ*ܸ@NY),f��0'A}N���?ۖY��Ƀ|؋tr׋K4YN�2k�EꚊi �7رJI-sUwCOǧ�0 x�>i��^h�eVX�!QFN˧A�a~AyHwL�1 Kl_|e��-pH�1C+qv g?�dg���PK!+ܹv�drs/downrev.xmlT]O�0M��1N:F6)d!~EAv�vi L��z9:հ ZW- L^Rjp3ԹlF?`6qnzԗh7�*1�.PI�3-j��*�%ϭp0bdJ򇝼NJGZ/~�|KQ�.��sNAD aJ]�2� t�/�Ŭ� }3P�.x/ ^�0&}FaMGvpq<�(�("���PK-!�9^�[Content_Types].xmlPK-!�� 1_rels/.relsPK-!�+2m��.drs/picturexml.xmlPK-!+ܹv�Mdrs/downrev.xmlPK��� �b pi�]& `��>�<d���w��&&y��K� SafeguardReports@IRS.govy��K� Xmailto:SafeguardReports@IRS.govyX;H�,]ą'c��''y��K� *http://www.irs.gov/uac/Safeguards-Programy��K� lhttp://www.irs.gov/uac/Safeguards-ProgramyX;H�,]ą'c:''Link to IRS Safeguards ������d ?Identify OS or App Version and include Service Packs and Buildsae�X 3Insert unique identifier for the computer or deviceBuds�H #Insert tester name and organization ode�O *Insert City, State and address or building� Sheet1gg����\ T8� &F_N  dMbP?_*+�%���# &CIRS Office of Safeguards SCSEM&L&F&RPage &P of &N��&�?'�?(�?)�?M.EPSONDCB139�P�� od��Letter����GIS4DINU"�4:�/Q�SMTJ�{F0BEC2A9-F2E2-478D-97C9-17823E280395}InputBinFORMSOURCERESDLLUniresDLLOrientationPORTRAITResolutionOption360PaperSizeA4ColorModeColor24bppCollateOFFMediaTypePLAINV4DM�"d���?�?�&��cU} $ �h�k��k�k�k�k�k��k ��k �@  �@ �@ �@�@�@�@ �@ �@��`�`�`� �H� 
IRS Office of Safeguards SCSEM
IT Security Compliance Evaluation
Booz Allen Hamilton
usgcb, stig, pub1075

The IRS strongly recommends agencies test all SCSEM settings in a development or test environment prior to deployment in production.
In some cases a security setting may impact a system's functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the production system configuration. Prior to making changes to the production system, agencies should back up all critical data files on the system and if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary.

Michael Caruso
Microsoft Excel
security
Office of Safeguards
Internal Revenue Service

Worksheets: Dashboard, Results, Instructions, Test Cases, Appendix, Change Log
Named Ranges: Appendix!Print_Area, 'Change Log'!Print_Area, Dashboard!Print_Area, Instructions!Print_Area, Results!Print_Area, 'Test Cases'!Print_Area, 'Test Cases'!Print_Titles