�� ��NOTICE:General Testing InformationAgency Name:Test Location:
Test Date:Name of Tester:StatusTotalPassFailName:Org:Title:Phone:E-mail:Test IDTest MethodExpected ResultsActual ResultsIgnore fields below)Test (Automated SCAP & Manual Test Cases)Test (Manual Test Cases Only)
INSTRUCTIONS:N/AAutomatically CalculatedInfoFinal Test Results%Blank AvailableTest (Automated)
Test (Manual)CompleteAll SCSEM TestsNIST IDDo not edit belowInstructionsTest Cases Legend:Notes/EvidenceAppendixSCSEM Sources:@Out of Scope Controls - Physical Security or Disclosure ControlsMReason: Tested in the Safeguard Disclosure Security Evaluation Matrix (SDSEM)GReason: Tested in the Management, Operational and Technical (MOT) SCSEM4Out of Scope Controls - Policy & Procedural ControlsQReason: Not required by Publication 1075. See Publication 1075 for more details.VersionDateDescription of Changes
Change Log
Test CasestInput of test results starting with this row require corresponding Test IDs in Column A. Insert new rows above here.
First ReleasekMapping of test case requirements to one or more NIST SP 800-53 control identifiers for reporting purposes.�% Test Method:�% Test Objective;Reference to the authority which the test case was derived.�% Status �% Test ID �% NIST ID�% Policy Location:�% Test ProcedureshProvides a description of the acceptable conditions allowed as a result of the test procedure execution.�% Reference (Ref.)�% Notes/EvidenceOS/App Version:Test Objective ReferenceAuthor.Agency Representatives and Contact InformationLThis SCSEM was designed to comply with Section 508 of the Rehabilitation Act6 Use this box if all SCSEM tests were conducted.Testing Resultstests in the Test Cases tab. This table calculates all Introduction and Purpose:tPre-populated number to uniquely identify SCSEM test cases. The ID format includes the platform, platform version dand a unique number (01-XX) and can therefore be easily identified after the test has been executed.rThe test case is executed by Interview, Examine or Test methods in accordance with the test methodology specified qin NIST SP 800-53A. In test plans where SCAP testing is available, Automated and Manual indicators are added to Wthe Test method to indicate whether the test can be accomplished through the SCAP tool.oDescription of specifically what the test is designed to accomplish. The objective should be a summary of the test case and expected results.yApplicable to Microsoft Windows and Internet Explorer, this field will identify the location of the configuration setting$in the Group or Local Policy Editor.uA detailed description of the step-by-step instructions to be followed by the tester. The test procedures should be Rexecuted using the applicable NIST 800-53A test method (Interview, Examine, Test).zThe tester shall provide appropriate detail describing the outcome of the test. 
The tester is responsible for identifyingeInterviewees and Evidence to validate the results in this field or the separate Notes/Evidence field.zThe tester indicates the status for the test results (Pass, Fail, Info, N/A). "Pass" indicates that the expected results ywere met. "Fail" indicates the expected results were not met. "Info" is temporary and indicates that the test executionttest subject is not capable of implementing the expected results and doing so does not impact security. The tester 7must determine the appropriateness of the "N/A" status.ris not completed and additional information is required to determine a Pass/Fail status. "N/A" indicates that the vAs determined appropriate to the tester or as required by the test method, procedures or expected results, the tester nmay need to provide additional information pertaining to the test execution (Interviewee, Documentation, etc.)YThis SCSEM was created for the IRS Office of Safeguards based on the following resources.o�% IRS Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (August 2010)v�% NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems and Organizations (August 2009)�AC-1, AC-14, AC-18, AC-19, AC-20, AC-22, AT-3, AT-4, AU-1, AU-7, AU-11, CA-1, CA-2, CA-3, CA-5, CA-6, CA-7, CM-1, CM-2, CM-3, CM-4, CM-5, �CM-6, CM-7, CM-8, CM-9, CP-1, CP-2, CP-4, CP-6, IA-1, IR-3, IR-7, IR-8, MA-1, MA-2, MA-3, MA-4, MA-5, PL-1, PL-2, PL-4, PL-5, PL-6, PM-2, RA-1, �RA-2, RA-3, RA-5, SA-1, SA-2, SA-3, SA-4, SA-5, SA-6, SA-7, SA-8, SA-10, SA-11, SC-1, SC-5, SC-7, SC-12, SC-15, SC-17, SC-18, SC-19, SC-32, *SI-1, SI-4, SI-5, SI-7, SI-9, SI-10, SI-110Please submit SCSEM feedback and suggestions to Obtain SCSEM updates online at SafeguardReports@IRS.gov)http://www.irs.gov/uac/Safeguards-Program1A. All SCSEM Test Results1B. 
Overall SCSEM Statistics
Section 1 is automatically calculated.
The 'Info' status is provided for use by the tester during test execution to indicate more information is needed to complete the test. It is not an acceptable final test status, all test cases should be Pass, Fail or N/A at the conclusion of testing.
- Expected Results
- Actual Results
Device Name:
Office of Safeguards
Internal Revenue Service
The IRS strongly recommends agencies test all Safeguard Computer Security Evaluation Matrix (SCSEM) settings in a development or test environment prior to deployment in production. In some cases a security setting may impact a system's functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the production system configuration. Prior to making changes to the production system, agencies should back up all critical data files on the system and if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary.
Agencies should use this SCSEM to prepare for an upcoming Safeguard review, but it is also an effective tool for agencies to use as part of internal periodic security assessments or internal inspections to ensure continued compliance in the years when a Safeguard review is not scheduled. Also the agency can use the SCSEM to identify the types of policies to have in place to ensure continued compliance with IRS Publication 1075.
Test cases should be performed in conjunction with the Data Warehouse SCSEM where appropriate.
Interview AC-2 AU-6 SC-10 AC-5 AU-9 Interview/ Examine AU-8 CM-7 SI-2 AC-3 AC-6 AU-2 AU-12 SC-2 IA-5
Test Procedures
Verifies FTI is encrypted when in transit across a WAN or LAN.
1. Confirm whether all FTI data in transit is encrypted when moving across a Wide Area Network (WAN) and within the agency's Local Area Network (LAN).
1. All FTI data in transit is encrypted when moving across a Wide Area Network (WAN) and within the agency's Local Area Network (LAN).
Verify the agency has implemented an account management process for the VPN.
1. Interview the DB Administrator to verify documented operating procedures exist for user and system account creation, termination, and expiration.
1. The DB Administrator can demonstrate that documented operating procedures exist.
Verify that audit trails are periodically reviewed by security personnel.
Exceptions and violations are properly analyzed and appropriate actions are taken.
1. Interview DB Administrator and ask for the system documentation that states how often audit logs are reviewed. Also, determine when the last audit logs were reviewed.
2. Examine reports that demonstrate monitoring of security violations, such as unauthorized user access.
1. The DB Administrator can provide system documentation identifying how often the auditing logs are reviewed.
The auditing logs have been reviewed by security personnel within the time period identified in the system documentation.
Verify that automatic session termination applies to all DB connections.
1. Interview the DB administrator and review DB configurations to determine if there is a session termination after no more than 15 minutes of inactivity.
1. The DB system terminates a session if there is a period of inactivity of no more than 15 minutes.
Verify that the DB system enforces a separation of duties for sensitive administrator roles.
There is an effective segregation of duties between the administration functions and the auditing functions of the DB system.
1. Interview the DB Administrator to identify the following:
- Personnel that review and clear audit logs
- Personnel that perform non-audit administration such as create, modify, and delete access control rules; DB user access management.
1. Personnel who review and clear audit logs are separate from personnel that perform non-audit administration.
Audit trails cannot be read or modified by non-administrator users.
-Interview the DB administrator to determine the application audit log location.
-Examine the permission settings of the log files.
1. For a Windows system, the NTFS file permissions should be System Full control, Administrators and Application Administrators - Read, and Auditors - Full Control.
or
1. For UNIX systems, use the ls -la (or equivalent) command to check the permissions of the audit log files.
1. Log files have appropriate permissions assigned and permissions are not excessive.
The DB provides time stamps for use in audit record generation.
1. Interview the DB administrator to demonstrate the application provides time and date of the last change in data content. This may be demonstrated in application logs, audit logs, or database tables and logs.
1. The audit logs contain time and date of auditable events using the internal system clock.
Unneeded functionality is disabled.
1. Interview the DB Administrator to determine what functionality is installed and enabled by default for the application.
2. Examine the configuration of the server the DB runs on. Determine what software is installed on the servers. Determine which services are needed for the DB by examining the system documentation and interviewing the Application Administrator.
1. The DB does not install with functionality which is unnecessary and enabled by default. Any functions installed by default that are not required by the application are disabled.
2. Services or software which are not needed are not present or disabled on the server.
Verify that the latest database software configuration has been backed up.
The SA, with the support of the DBA, shall backup the database software configuration after every database software upgrade.
Verify that audit data is archived and maintained.
IRS practice has been to retain archived audit logs/trails for the remainder of the year they were made plus six years.
1. Interview the DBA to determine if audit data is captured, backed up, and maintained. IRS practice has been to retain archived audit logs/trails for the remainder of the year they were made plus six years.
Verify that the database audit data is reviewed at a minimum bi-weekly.
The database audit data shall be reviewed at a minimum bi-weekly. This review process shall check for any intrusive activity and any anomalous activity.
1. Interview the DBA. Ask if the audit trail is reviewed at a minimum bi-weekly for anomalies to standard operations or unauthorized access attempts.
- IRS IRM 10.8.4, IT Security, RDBMS Security Configurations (August 2010)
- DISA Generic Database Security Checklist, Version 8, Release 1.6
AC-21, AU-13, AU-14, CP-3, CP-8, CP-9, CP-10, IA-8, PE-9, PE-10, PE-11, PE-12, PE-13, PE-14, PE-15, PM-1, PM-3, PM-5, PM-6, PM-7, PM-8, PM-9, PM-10, PM-11, SA-12, SA-13, SA-14, SC-16, SC-20, SC-22, SC-25, SC-26, SC-27, SC-28, SC-29, SC-30, SC-31, SC-33, SC-34, SI-8, SI-13
AT-1, AT-2, CP-7, IR-1, IR-2, IR-4, IR-5, IR-6, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-7, PE-1, PE-2, PE-3, PE-4, PE-5, PE-6, PE-7, PE-8, PE-16, PE-17, PE-18, PM-4, PS-1, PS-2, PS-3, PS-4, PS-5, PS-6, PS-7, PS-8, SA-9, SI-12
Update to new template.
Booz Allen Hamilton
This SCSEM is used by the IRS Office of Safeguards to evaluate compliance with IRS Publication 1075 for agencies that have implemented a SQL
1. The audit trail is reviewed at a minimum bi-weekly for anomalies to standard operations or unauthorized access attempts.
Verify that SQL Server software service pack is no earlier than the current service pack version minus one.
Each organization responsible for the management of a database shall ensure that the DBMS version has all appropriate patches applied. Bug Fix Patches should be applied as needed.
Verify that the latest SQL Server software patches and hotfixes are applied.
Each organization responsible for the management of a database shall ensure that the DBMS version has all appropriate patches applied. Bug Fix Patches should be applied as needed.
-Visit the below link:
http://www.microsoft.com/technet/security/current.aspx
1. Verify that your SQL Server installation is up to date by searching the latest security bulletins.
1. The latest security patches are installed.
AU-4
Test
Verify that the OS is running the latest available and tested version and Service Pack level of Windows Server 2000, Windows Server 2003 or Windows XP.
The latest available and tested version and Service Pack level of Windows Server 2000, Windows Server 2003 and Windows XP operating system shall be employed.
Windows XP
1. Verify that the latest available and tested Service Pack is installed by visiting the below link and consulting with the system administrator.
http://support.microsoft.com/kb/322389
Windows Server 2000
1. Verify that the latest available and tested Service Pack is installed by visiting the below link and consulting with the system administrator.
http://support.microsoft.com/kb/260910/en-us
Windows Server 2003
1. Verify that the latest available and tested Service Pack is installed by visiting the below link and consulting with the system administrator.
http://support.microsoft.com/kb/889100
1. The latest available and tested Service Pack is installed
Verify that the SQL Server support expiration date is not within six months time.
Each organization responsible for the management of a database shall ensure that unsupported DBMS software is removed or upgraded to a supported version prior to a vendor dropping support.
The DBA shall request upgrade, through procurement, immediately upon notification of a MS SQL Server expiration date that is within the six-month window.
-Visit the link below:
http://support.microsoft.com/lifecycle/search/
1. Search for the appropriate version of SQL Server and verify that support for it will not expire within six months.
1. Support for the installed version will not expire within six months.
Verify that logon auditing is enabled.
The DBA shall ensure that all database connection failures are audited. Where possible, the DBA shall ensure that both successful and unsuccessful connection attempts are audited.
Verify that auditing is configured and implemented on all DBMS software and the host operating systems that the DBMS software runs on.
The SecSpec shall assure that auditing is configured and implemented on all DBMS software and the host operating systems that the DBMS software runs on.
T-SQL:
1. At least one row is returned.
2. For each row returned that "value" is "1".
Enterprise Manager:
1. N/A
Verify that file rollover capability is enabled on SQL Server audit traces.
Verify that SQL Server is configured to halt if a failure in audit file rollover occurs.
The DBA shall enable the file rollover capability on SQL Server audit traces.
The DBA shall configure SQL Server to halt if a failure in audit file rollover occurs.
T-SQL:
1. At least one row is returned.
2. For each row returned that "value" is "6".
Enterprise Manager:
1. N/A
Verify that updates and deletes of the audit data are being audited.
The DBA shall ensure that database audit trail information is audited for all update and deletion operations.
For audit data stored in files:
-Determine the location of the audit file(s). If a custom audit trace is being used, the audit data is stored in a file specified in the trace definition. If C2 auditing is being used, then the audit data is stored in the \mssql\data directory for default instances of SQL Server or the \mssql$instancename\data directory for named instances of SQL Server.
-Browse to the audit data file using Windows Explorer.
-Right-click the file and select Properties.
-Select the Security tab.
-Click the Advanced button.
-Select the Auditing tab.
1. Verify the Everyone group with the following auditing entries:
- Successful - Delete
- Successful - Change Permissions
- Successful - Take Ownership
- Failure - Traverse Folder / Execute File
- Failure - Delete
- Failure - Change Permissions
- Failure - Take Ownership
For audit data stored in a table:
2. If C2 auditing is enabled, then this test passes. Otherwise, continue.
-Verify that a custom audit trace is being used and that the following code is specified in the trace definition:
Declare @on bit
Set @on = 1
exec sp_trace_setevent TraceID, 114, 10, @on
exec sp_trace_setevent TraceID, 114, 11, @on
exec sp_trace_setevent TraceID, 114, 12, @on
exec sp_trace_setevent TraceID, 114, 14, @on
exec sp_trace_setevent TraceID, 114, 15, @on
exec sp_trace_setevent TraceID, 114, 21, @on
exec sp_trace_setevent TraceID, 114, 22, @on
exec sp_trace_setevent TraceID, 114, 23, @on
exec sp_trace_setevent TraceID, 114, 28, @on
exec sp_trace_setevent TraceID, 114, 35, @on
exec sp_trace_setevent TraceID, 114, 41, @on
1. The Everyone group has the following auditing entries:
- Successful - Delete
- Successful - Change Permissions
- Successful - Take Ownership
- Failure - Traverse Folder / Execute File
- Failure - Delete
- Failure - Change Permissions
- Failure - Take Ownership
2. A custom audit trace is being used and the following code is specified in the trace definition:
Declare @on bit
Set @on = 1
exec sp_trace_setevent TraceID, 114, 10, @on
exec sp_trace_setevent TraceID, 114, 11, @on
exec sp_trace_setevent TraceID, 114, 12, @on
exec sp_trace_setevent TraceID, 114, 14, @on
exec sp_trace_setevent TraceID, 114, 15, @on
exec sp_trace_setevent TraceID, 114, 21, @on
exec sp_trace_setevent TraceID, 114, 22, @on
exec sp_trace_setevent TraceID, 114, 23, @on
exec sp_trace_setevent TraceID, 114, 28, @on
exec sp_trace_setevent TraceID, 114, 35, @on
exec sp_trace_setevent TraceID, 114, 41, @on
-Browse to C:\winnt\system32\config\appevent.evt using Windows Explorer.
-Right-click the file and select Properties.
-Select the Security tab.
-Click the Advanced button.
-Select the Auditing tab.
1. Verify the Everyone group has the following auditing entries:
- Successful - Delete
- Successful - Change Permissions
- Successful - Take Ownership
- Failure - Traverse Folder / Execute File
- Failure - Delete
- Failure - Change Permissions
- Failure - Take Ownership
1. The Everyone group has the following auditing entries:
- Successful - Delete
- Successful - Change Permissions
- Successful - Take Ownership
- Failure - Traverse Folder / Execute File
- Failure - Delete
- Failure - Change Permissions
- Failure - Take Ownership
Verify that the parameter REMOTE ACCESS is disabled.
The DBA shall disable the REMOTE ACCESS parameter (set to 0) unless replication is in use on the database or the requirement is fully justified and documented in appropriate ELC documentation.
T-SQL:
1. The values for config_value and run_value are 0 unless replication is in use.
Enterprise Manager:
N/A
Verify that the parameter SCAN FOR STARTUP PROCS is disabled.
The DBA shall disable the SCAN FOR STARTUP PROCS parameter (set to 0) unless fully justified and documented in appropriate ELC documentation.
T-SQL:
1. The values for config_value and run_value are 0.
Enterprise Manager:
N/A
Verify that SQL Server uses Windows authentication only.
The DBA shall ensure that only the host-based authentication method is implemented since only that method meets C2 requirements. Windows and Windows Active Directory provide a Windows security identifier (SID) to SQL Server that provide the ability to audit activity by individual database accounts.
T-SQL:
1. config_value is "Windows NT Authentication".
Enterprise Manager:
1. "Windows only" is selected.
Verify that file permissions are set properly for database files.
The SA/DBA shall restrict access to all directories created by the installation of SQL Server to full control permissions granted to the SQL Server service account, the DBA OS group, the Administrators group, and the local SYSTEM accounts.
The SA/DBA shall restrict access to all files created by the installation of SQL Server to full control permissions granted to the SQL Server service account, the DBA OS group, the Administrators group, and the local SYSTEM accounts.
T-SQL:
1. The only permissions are the following or less:
- full control - Administrators
- full control - SYSTEM
- full control - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER
Enterprise Manager:
1. N/A
Verify that all database files exist on a volume separate from the SQL Server executable volume.
The DBA shall have the data files on a separate volume from the executable and parameter files.
Verify that user-defined stored procedures are stored in an encrypted format.
Custom application and GOTS application software source code objects shall be encrypted within the database, where available as a DBMS feature, in accordance with industry (cissecurity.org) and government (csrc.nist.gov/pcig) best practice recommendations.
The DBA shall ensure that custom application and GOTS source code objects are encrypted within the database when possible.
Verify that user-defined extended procedures do not exist.
The DBA shall prevent creation and use of user-defined extended stored procedures.
The DBA shall remove all extended stored procedures that are not required from the database and host system.
Verify that system-defined extended stored procedures are restricted from use.
The DBA shall restrict use of system-defined extended stored procedures to authorized DBAs only unless fully justified and documented with the IT Security Specialist.
Verify that user access to DBA views and tables is denied.
The DBA shall ensure that access to DBA views and tables is restricted to DBAs and batch processing accounts.
Verify that the use of CmdExec and ActiveScripting job steps are restricted to DBAs.
Jobs can be used to automate administrative procedures as well as T-SQL procedures. CmdExec and ActiveScripting job steps issue or can issue operating system commands and shall be restricted to use by DBAs. Access to the host operating system poses a security risk.
The DBA shall restrict use of CmdExec and ActiveScripting job steps to DBAs.
Verify that backup files for databases are secure.
To ensure backup file protection, access permissions to backup files shall be restricted to SAs. Restore permissions on databases shall be restricted to DBAs and database owners.
T-SQL:
1. The only permissions are the following or less:
- full control - SYSTEM
- full control - Administrators
- full control - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER
Enterprise Manager:
N/A
Verify that application owner accounts are disabled/locked when not in use.
The DBA shall ensure that custom application owner accounts are disabled/locked when not in use.
Verify that when connecting to linked databases, the connection is authenticated using the current user's identification and password.
Linked or remote servers shall only be configured to use Windows authentication. The capability to preserve a user's identification, and, therefore, maintain DAC integrity, is currently available only in a Windows 2000 or later environment where the connections can be protected with Kerberos and account delegation can be used. When linking SQL Server databases, the connection shall be authenticated using the current user's identification and passwords or certificates.
The DBA shall configure linked servers to use the user's current authentication to access the remote database.
Verify that version numbers, SQL Server-related or otherwise, are not present in database instance names.
The DBA shall not include a version number, SQL Server-related or otherwise, in the SQL Server production database instance names.
T-SQL:
1. The version number, SQL Server-related or otherwise, is not in the server name.
Enterprise Manager:
N/A
T-SQL:
1. There is a database named "master" and that the filename for it is "master.mdf".
2. There is a database named "model" and that the filename for it is "model.mdf".
3. There is a database named "msdb" and that the filename for it is "msdb.mdf".
4. There is a database named "tempdb" and that the filename for it is "tempdb.mdf".
5. All databases present are located in their own separate database files.
Enterprise Manager:
N/A
Verify that all databases are named correctly.
Databases shall be named in accordance with IRM 2.5.7, Data Name Standards, using a name descriptive enough to identify the function of the data contained within the database.
Either test method:
1. Only alphabetic (A-Z), numeric (0-9), and special characters (e.g. hyphen, colon, underscore) which are appropriate to the language are present in the name.
2. The first character of the name is alphabetic (A-Z).
3. The name does not start with a verb.
4. The length of the name is less than 30 characters long.
5. The name is unique.
6. The name is clear and accurate to reflect a condensed version of the data description.
Verify that all DBMS administrator passwords are required to be changed every 60 days.
The DBA shall ensure that database administrator account passwords are changed every 60 days or more frequently and shall implement scripts, profiles, or other controls as necessary to enforce this requirement.
This procedure should be performed by the system administrator. All database administrator accounts must be checked.
-Open the Group Policy Object Editor for the appropriate GPO.
-Expand Computer Configuration.
-Expand Windows Settings.
-Expand Security Settings.
-Expand Account Policies.
-Select Password Policy.
1. Verify that "Maximum password age" is set to 60 days or less (but not 0).
1. "Maximum password age" is set to 60 days or less (but not 0)
Verify that all DBMS user passwords are required to be changed every 90 days.
The DBA shall ensure that database user account passwords are changed every 90 days or more frequently and shall implement scripts, profiles, or other controls as necessary to enforce this requirement.
This procedure should be performed by the system administrator. All database user accounts must be checked.
-Open the Group Policy Object Editor for the appropriate GPO.
-Expand Computer Configuration.
-Expand Windows Settings.
-Expand Security Settings.
-Expand Account Policies.
-Select Password Policy.
1. Verify that "Maximum password age" is set to 90 days or less (but not 0).
1. "Maximum password age" is set to 90 days or less (but not 0).
Verify that the password for the SA account is password protected.
The default SA password, used to connect as administrator, shall be changed from the default installation value. Leaving the default password unchanged could result in unauthorized accounts accessing the server as sa, which provides them full database administration privileges.
The DBA shall password protect the SQL Server sa pseudo database account.
The DBA shall change the SQL Server sa pseudo database account default password.
T-SQL:
1. "0" is returned.
Enterprise Manager:
N/A
Verify that all DBMS account passwords are not reused within three password changes.
The DBA shall ensure that database account passwords are not reused within three password changes.
This procedure should be performed by the system administrator. All database accounts must be checked.
-Open the Group Policy Object Editor for the appropriate GPO.
-Expand Computer Configuration.
-Expand Windows Settings.
-Expand Security Settings.
-Expand Account Policies.
-Select Password Policy.
1. Verify that "Enforce password history" is set to 3 or more.
1. "Enforce password history" is set to 3 or more.
Verify that all DBMS accounts are limited to three failed logons before they become locked.
Where available, the DBA shall limit database account logons to three failed logons before they become locked.
This procedure should be performed by the system administrator. All database accounts must be checked.
-Open the Group Policy Object Editor for the appropriate GPO.
-Expand Computer Configuration.
-Expand Windows Settings.
-Expand Security Settings.
-Expand Account Policies.
-Select Account Lockout Policy.
1. Verify that "Account lockout threshold" is set to 3.
1. "Account lockout threshold" is set to 3.
Verify that the DBMS is not installed on a Microsoft Windows domain controller or backup domain controller.
The installation of a DBMS on a host platform introduces additional vulnerabilities and resource requirements to the host. Additionally, vendor DBMS software distributions frequently offer additional functionality, such as web servers and directory server software, on the same installation media that the DBMS is provided on. Since it is a best security practice to separate or partition services offered to different audiences, any DBMS should be installed on a host system dedicated to its support and offering as few services as possible to other clients. For this reason, a DBMS shall not be installed on a host system that also provides web services, directory services, directory naming services, etc. In particular, DBMS software shall not be installed on Microsoft Windows domain controllers or backup domain controllers under any circumstances.
-Click Start, Run then launch regedt32.exe.
-Expand HKEY_LOCAL_MACHINE.
-Expand System.
-Expand CurrentControlSet.
-Expand Control.
-Select ProductOptions.
1. Verify that ProductType does not have a value of "LANMANNT" or "LANSECNT".
1. ProductType does not have a value of "LANMANNT" or "LANSECNT".
Verify that the sample databases have been removed.
Microsoft SQL Server ships with sample databases. These databases contain many default permissions that do not conform to policy. Additionally, sample items can be used as an entry point into systems.
The DBA shall ensure that the sample databases are removed.
T-SQL:
1. None of the following databases exist:
- Northwind
- pubs
- AdventureWorks
- AdventureWorksDB
- AdventureWorksAS
Enterprise Manager:
1. None of the following databases exist:
- Northwind
- pubs
- AdventureWorks
- AdventureWorksDB
- AdventureWorksAS
Verify that statement permissions are not granted to any application user, application administrator, application developer, or application role.
The following list of SQL Server statement privileges shall not be granted, directly or indirectly through the use of roles, to any application user, application administrator, application developer, or application role.
CREATE TABLE
CREATE VIEW
CREATE SP
CREATE DEFAULT
CREATE RULE
CREATE FUNCTION
BACKUP DB
BACKUP LOG
CREATE DATABASE
Verify that the guest account does not have any role assignments granted.
The DBA shall not grant SQL Server predefined roles to PUBLIC or GUEST.
Verify that only DBAs are granted server role memberships.
The DBA shall ensure that the DBA role is restricted to authorized DBA accounts in a production environment.
T-SQL:
1. Only DBAs are granted server role memberships.
Enterprise Manager:
1. Only DBAs are granted membership to the server role.
Verify that only DBAs are granted database role memberships.
The DBA shall ensure that the DBA role is restricted to authorized DBA accounts in a production environment.
T-SQL:
1. Only DBAs are granted database role memberships (memberships beginning with "db_").
Enterprise Manager:
1. Only DBAs are granted membership to the database role.
Verify that only authorized DBAs are assigned the SYSADMIN role.
The DBA shall ensure that the DBA role is restricted to authorized DBA accounts in a production environment.
T-SQL:
1. Only authorized logins are members of the System Administrators server role.
Enterprise Manager:
1. Only authorized logins are members of the System Administrators server role.
Verify that the BUILTIN\Administrators group is not assigned the SYSADMIN role.
The DBA shall deny the Windows BUILTIN\Administrators group the assignment to SYSADMIN role.
T-SQL:
1. BUILTIN\Administrators is not a member of the System Administrators server role.
Enterprise Manager:
1. BUILTIN\Administrators is not a member of the System Administrators server role.
Verify that users do not have administrative privileges.
The DBA shall ensure that application user database accounts, application administrator accounts, application developer accounts, and application roles do not have the administration option of any object privilege.
The DBA shall deny PUBLIC and GUEST the grant option of any object privilege.
Verify that object privileges are not assigned directly to individual application user database accounts.
The DBA shall ensure that all object privileges granted to application users are granted through the use of application specific roles.
The DBA shall ensure that object privileges are not assigned directly to individual application user database accounts.
Verify that application users, application administrators, and application roles are not granted the references object privilege.
The DBA shall ensure that application users, application administrators, and application roles are not granted the references object privilege.
Verify that the BUILTIN/Administrators group is not a valid SQL Server logon.
Verify that the BUILTIN/Administrators group is not a valid SQL Server logon.
T-SQL:
1. Nothing is returned.
Enterprise Manager:
1. BUILTIN\Administrators is not a valid login.
Verify that SQL Mail is disabled.
The DBA shall ensure that SQL Mail is not implemented. The SQLServerAgent uses its own mail that is configured and controlled separately from the SQL Mail.
Verify that all database connections for replication agents are using Windows authentication logons.
The DBA shall configure all database connections for replication agents to use Windows authentication logons.
Verify that inactive database accounts are disabled/removed.
The DBA shall monitor database account expiration and inactivity and remove expired and inactive accounts in accordance with IRS requirements, which requires disabling of accounts after 45 days of inactivity and removal of accounts after 90 days of inactivity.
Verify that restore permissions on databases are restricted to DBAs and/or the database owners.
The DBA shall restrict restore permissions on databases to DBAs and/or the database owners.
T-SQL:
1. Only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
2. Only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
Enterprise Manager:
N/A
Verify that when sensitive data is sent over the network that it is encrypted.
When a database connection is requested via the network to a database server, the client shall provide an individual account name and authentication credentials to access the database. The database account name and any password transmission from a client to a database server over a network shall be protected.
Verify that only authorized batch jobs or database scripts are being run against the database.
The DBA shall review the DBMS job queues daily to ensure that no unauthorized batch jobs or database scripts are being run against the database.
Verify that a DBA Windows OS group exists.
Verify that only authorized DBA Windows accounts exist within the DBA Windows OS group.
The SA/DBA shall create a DBA Windows OS group.
The SA/DBA shall assign only SecSpec-authorized DBA Windows accounts to the DBA OS group.
Verify that access to replication procedures and facilities is restricted to authorized DBAs and designated replication database accounts.
The DBA shall ensure that access to replication procedures and facilities is restricted to authorized DBAs and designated replication database accounts.
Verify that development databases do not co-reside on the same hosts as production databases.
The DBA shall ensure that development databases do not co-reside on the same hosts as production databases on Unix-based and Windows operating system platforms.
Verify that no database links are defined between production and development databases.
The DBA shall ensure that no database links are defined between production and development databases.
Verify that when not in use the ODBC tracing executable is deleted from the system to ensure the function is unavailable.
The DBA shall ensure that when not in use the ODBC tracing executable is deleted from the system to ensure the function is unavailable.
1. The file does not exist anywhere on the system.
- SCSEM Subject: Microsoft SQL Server 2000
Server 2000 database to receive, store, process or transmit Federal Tax Information (FTI).
SQL2K-01 SQL2K-02 SQL2K-03 SQL2K-04 SQL2K-05 SQL2K-06 SQL2K-07 SQL2K-08 SQL2K-09
1. Verify with the DBA that database and database application software is baselined and the baseline is maintained after upgrades to the software are made.
1. The database and database application software is baselined and the baseline is maintained after upgrades to the software are made.
SQL2K-10
1. Audit data is captured, backed up, and maintained. IRS requires the agency to retain archived audit logs/trails for the remainder of the year they were made plus six years.
SQL2K-11 SQL2K-12
The current service pack is SP4 (8.00.2039) as of May 6, 2008.
T-SQL:
1. Enter the following statement:
select serverproperty('ProductVersion')
-Verify that the result is 8.00.760 (SP3) or higher.
Enterprise Manager:
1. Right-click the server, and then click Properties.
-Click the General tab.
-Verify that the value for "Product version:" is 8.00.760 (SP3) or higher.
T-SQL:
1. The result is 8.00.760 (SP3) or higher.
Enterprise Manager:
1. The value for "Product version:" is 8.00.760 (SP3) or higher.
SQL2K-13 SQL2K-14 SQL2K-15 SQL2K-16
T-SQL:
Enter the following statement:
use master
exec xp_loginconfig 'audit level'
1. Verify that config_value is either "all" or "failure".
Enterprise Manager:
Repeat the following for each server.
-Right-click the server and click Properties.
-Click the Security tab.
1. Under Security/Audit level, verify that "All" or "Failure" is selected.
T-SQL:
1. config_value is either "all" or "failure".
Enterprise Manager:
1. "All" or "Failure" is selected.
SQL2K-17
T-SQL:
Repeat the following for each server.
-Enter the following statement which returns a row for each audit trace enabled on the system:
select * from ::fn_trace_getinfo('0')
where property = 5
1. Verify that at least one row is returned.
2. Verify that for each row returned that "value" is "1".
Enterprise Manager:
1. N/A

SQL2K-18

T-SQL:
Repeat the following for each server.
-Enter the following statement which returns a row for each audit trace enabled on the system:
select * from ::fn_trace_getinfo('0')
where property = 1
1. Verify that at least one row is returned.
2. Verify that for each row returned that "value" is "6".
Enterprise Manager:
1. N/A

SQL2K-19
SQL2K-20
SQL2K-21

Verify that the option to directly update system tables is disabled.
The ALLOW UPDATES parameter specifies whether direct updates may be made to the system
tables. When allow updates is disabled, database accounts cannot make updates to the system
tables.
The DBA shall disable or set to 0 the ALLOW UPDATES parameter.

T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'allow updates'
1. Verify that the values for config_value and run_value are 0.
Enterprise Manager:
Repeat the following for each server.
-Right-click the server and click Properties.
-Click the Server Settings tab.
-Under Server behavior
1. Verify that the "Allow modifications to be made directly to the system catalogs" check box is not checked.

T-SQL:
1. The values for config_value and run_value are 0.
Enterprise Manager:
1. The "Allow modifications to be made directly to the system catalogs" check box is not checked.

SQL2K-22

NOTE! If replication is in use, then this should be enabled.
T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'remote access'
1. Verify that the values for config_value and run_value are 0 unless replication is in use.
Enterprise Manager:
N/A

SQL2K-23

NOTE! If a custom defined audit trace is being used in place of C2 auditing, then the scan for startup procs option may need to be enabled. A deviation will be required if this is the case.
T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'scan for startup procs'
1. Verify that the values for config_value and run_value are 0.
Enterprise Manager:
N/A

SQL2K-24

T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec xp_loginconfig 'login mode'
1. Verify that config_value is "Windows NT Authentication".
Enterprise Manager:
Repeat the following for each server.
-Right-click the server and click Properties.
-Click the Security tab.
1. Under Security, verify that "Windows only" is selected.

SQL2K-25

Verify that file permissions are set properly for the SQL Server install directory.
The SA/DBA shall restrict access to all directories created by the installation of SQL Server to full
control permissions granted to the SQL Server service account, the DBA OS group, the Administrators
group, and the local SYSTEM accounts.
The SA/DBA shall restrict access to all files created by the installation of SQL Server to full control
permissions granted to the SQL Server service account, the DBA OS group, the Administrators
group, and the local SYSTEM accounts.

1. Open Windows Explorer.
-Browse to SQL Server install directory. By default this is C:\Program Files\Microsoft SQL Server\MSSQL.
-Right-click on the \MSSQL directory name.
-Click Properties.
-Select the Security tab.
1. Verify that the only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - SQL Server service account (custom)
d. full control - DBA group (custom)
e. full control - CREATOR OWNER
2. Verify that permissions for subfolders and files contained in \MSSQL match the criteria specified above.

1. The only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - SQL Server service account (custom)
d. full control - DBA group (custom)
e. full control - CREATOR OWNER
2. Permissions for subfolders and files contained in \MSSQL match the criteria specified above.

SQL2K-26

T-SQL:
Repeat the following for each database.
-Get the list of files associated with the database by entering the following statement:
select filename from sysfiles
-For each file, do the following:
a. Navigate to the file using Windows Explorer.
b. Right-click on the file and click Properties.
c. Select the Security tab.
1. Verify that the only permissions are the following or less:
- full control - Administrators
- full control - SYSTEM
- full control - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER
Enterprise Manager:
N/A

SQL2K-27

T-SQL:
Repeat the following for each database.
1. Get the list of files associated with the database by entering the following statement:
select filename from sysfiles
Enterprise Manager:
Repeat the following for each database.
-Expand the server group.
-Expand the server.
-Right-click the database and click Properties.
1. Click the Data Files tab.
2. Click the Transaction Log tab.

T-SQL:
1. Verify that each filename exists on a volume separate from the SQL Server executable volume.
Enterprise Manager:
1. Verify that each filename under Location exists on a volume separate from the SQL Server executable volume.
2. Verify that each filename under Location exists on a volume separate from the SQL Server executable volume.

SQL2K-28

Verify that registry permissions are set properly for the SQL Server registry values.
The SA/DBA shall restrict access to the Windows registry keys under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer (for a default instance) or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS SQL Server\InstanceName (for a named instance) to full control
permissions granted to the DBA OS group, the Administrators group, the local SYSTEM account,
and the SQL Server service account.

-Click Start, Run then launch regedt32.exe.
-Expand HKEY_LOCAL_MACHINE.
-Expand Software.
-Expand Microsoft.
-Right click Microsoft SQL Server and click Permissions.
1. Verify that the only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - SQL Server service account (custom)
d. full control - DBA group (custom)
e. full control - CREATOR OWNER
2. Verify that permissions for subkeys match the criteria specified above.

1. The only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - SQL Server service account (custom)
d. full control - DBA group (custom)
e. full control - CREATOR OWNER
2. Permissions for subkeys match the criteria specified above.

SQL2K-29

-Click Start, Run then launch regedt32.exe.
-Expand HKEY_LOCAL_MACHINE.
-Expand Software.
-Expand Microsoft.
-Right click MSSQLServer and click Permissions.
1. Verify that the only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - SQL Server service account (custom)
d. full control - DBA group (custom)
e. full control - CREATOR OWNER
2. Verify that permissions for subkeys match the criteria specified above.

1. The only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - SQL Server service account (custom)
d. full control - DBA group (custom)
e. full control - CREATOR OWNER
2. Permissions for subkeys match the criteria specified above.

SQL2K-30

Verify that registry permissions are set properly for the SQL Server registry values.
The SA/DBA shall restrict read and write permissions to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSSQL Server and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Perflib registry keys to the SQL Server service account and the DBA OS group.

-Click Start, Run then launch regedt32.exe.
-Expand HKEY_LOCAL_MACHINE.
-Expand Software.
-Expand Microsoft.
-Expand Windows NT.
-Expand CurrentVersion.
-Right click perflib and click Permissions.
1. Verify that the only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - CREATOR OWNER
d. read/write (see below) - SQL Server service account (custom)
e. read/write (see below) - DBA group (custom)
2. Verify that permissions for subkeys match the criteria specified above.

1. The only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - CREATOR OWNER
d. read/write (see below) - SQL Server service account (custom)
e. read/write (see below) - DBA group (custom)
2. Permissions for subkeys match the criteria specified above.
Registry permissions for read/write values are as follows:
- Query Value
- Set Value
- Create Subkey
- Enumerate Subkeys
- Notify
- WriteDAC
- Write Owner
- Read Control

SQL2K-31

-Click Start, Run then launch regedt32.exe.
-Expand HKEY_LOCAL_MACHINE.
-Expand System.
-Expand CurrentControlSet.
-Expand Services.
-Right click MSSQLSERVER and click Permissions.
1. Verify that the only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - CREATOR OWNER
d. read/write (see below) - SQL Server service account (custom)
e. read/write (see below) - DBA group (custom)
2. Verify that permissions for subkeys match the criteria specified above.

1. The only permissions are the following or less:
a. full control - Administrators
b. full control - SYSTEM
c. full control - CREATOR OWNER
d. read/write (see below) - SQL Server service account (custom)
e. read/write (see below) - DBA group (custom)
2. Permissions for subkeys match the criteria specified above.
Registry permissions for read/write values are as follows:
- Query Value
- Set Value
- Create Subkey
- Enumerate Subkeys
- Notify
- WriteDAC
- Write Owner
- Read Control

SQL2K-32

T-SQL:
Repeat the following for each database.
-Enter the following statement:
select sysobjects.name from sysobjects
inner join syscomments on sysobjects.id = syscomments.id
where syscomments.encrypted = 0 and
(sysobjects.type = 'P' or sysobjects.type = 'X')
and sysobjects.uid > 4 and sysobjects.uid < 16384
1. Verify that nothing is returned in the above query.
Enterprise Manager:
N/A

T-SQL:
1. Nothing is returned.
Enterprise Manager:

SQL2K-33

T-SQL:
N/A
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Databases.
-Expand the master database.
-Select Extended Stored Procedures.
1. Scroll down the list of procedures. Verify that the owner for all procedures is dbo.

T-SQL:
N/A
Enterprise Manager:
1. The owner for all procedures is dbo.

SQL2K-34

T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select sysobjects.name, sysusers.name from sysobjects
inner join sysprotects on sysobjects.id = sysprotects.id
inner join sysusers on sysprotects.uid = sysusers.uid
where ((sysobjects.name like 'xp_reg%') or (sysobjects.name like 'sp_OA%')) and (sysprotects.protecttype <> 206)
1. Verify that only DBA accounts are listed in the return results.
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Databases.
-Expand the master database.
-Select Extended Stored Procedures.
-For each procedure (and especially procedures that begin with sp_OA or xp_reg), do the following:
a. Right-click on the procedure name and select Properties.
b. Select permissions.
c. Select "List only users/user-defined database roles/public with permissions on this object."
1. Verify that only DBA accounts have access to the procedure.

T-SQL:
1. Only DBA accounts are listed in the return results.
Enterprise Manager:
1. For each procedure, only DBA accounts have access to the procedure.

SQL2K-35

Verify that the XP_CMDSHELL extended stored procedure is not present on the system.
The DBA shall remove the XP_CMDSHELL extended stored procedure from the system unless fully
justified and documented in appropriate ELC documentation.

T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select sysobjects.name from sysobjects
where sysobjects.name = 'xp_cmdshell'
1. Verify that no result is returned.
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Databases.
-Expand the master database.
-Select Extended Stored Procedures.
-Scroll down the list of procedures.
1. Verify that the procedure xp_cmdshell does not exist.

T-SQL:
1. No result is returned.
Enterprise Manager:
1. The procedure xp_cmdshell does not exist.

SQL2K-36

Verify that the Guest account does not exist in all databases except master and tempdb.
The SQL Server guest account allows Windows accounts without direct SQL Server authorization that
have been authenticated to the Windows OS to access the database. It cannot be removed from the
master and tempdb databases. The guest account shall be deleted from all databases except the
master and tempdb databases.
The DBA shall delete the database guest account from all databases except the master and
tempdb databases.

For each database except master and tempdb, do the following.
T-SQL:
-Enter the following statement:
exec sp_helpuser 'guest'
1. Verify that no records are returned.
Enterprise Manager:
-Expand the database.
-Select Users.
1. Verify that the guest user does not exist.

T-SQL:
1. No records are returned.
Enterprise Manager:
1. The procedure xp_cmdshell does not exist.

SQL2K-37

Verify that object permissions have not been granted to the guest account in all databases.
The DBA shall ensure that object privileges are not granted to PUBLIC or GUEST.

T-SQL:
Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, 'guest', NULL, 'o'
1. Verify that there are no rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Expand the database.
-Select Users.
-Double-click user Guest. If Guest isn't there then the test passes for this database.
-Select Permissions.
-Select "List only objects with permissions for this user".
1. Verify that no permissions are shown. If permissions are shown, verify that a green check isn't visible in any checkbox.

T-SQL:
1. No rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
1. No permissions are shown. If permissions are shown, verify that a green check isn't visible in any checkbox.

SQL2K-38

Verify that object permissions have not been granted to the public database role in all databases.
The DBA shall ensure that object privileges are not granted to PUBLIC or GUEST.

T-SQL:
Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, 'public', NULL, 'o'
1. Verify that there are no rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Expand the database.
-Select Roles.
-Double-click role Public.
-Select Permissions.
-Select "List only objects with permissions for this role".
1. Verify that no permissions are shown. If permissions are shown, verify that a green check is not visible for the permission.

T-SQL:
1. No rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
1. No permissions are shown. If permissions are shown, verify that a green check is not visible for the permission.

SQL2K-39

T-SQL:
Repeat the following for each database.
-Enter the following statement:
select SystemTableOrViewName = sysobjects.name, UserOrGroupName = sysusers.name from sysobjects
inner join sysprotects on sysobjects.id = sysprotects.id
inner join sysusers on sysprotects.uid = sysusers.uid
where (sysobjects.type = 'S' or sysobjects.type = 'V') and (sysprotects.uid > 4) and (sysprotects.protecttype <> 206)
1. If results are returned, then verify that each UserOrGroupName is a DBA or a batch processing account.
Enterprise Manager:
N/A

T-SQL:
1. Each UserOrGroupName is a DBA or a batch processing account.
Enterprise Manager:
N/A

SQL2K-40

T-SQL:
N/A
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Management.
-Right-click on SQL Server Agent.
-Select Properties.
-Select the Job System tab.
1. Verify that the checkbox "Only users with SysAdmin privileges can execute CmdExec and ActiveScripting job steps" is checked.

T-SQL:
N/A
Enterprise Manager:
1. The checkbox "Only users with SysAdmin privileges can execute CmdExec and ActiveScripting job steps" is checked.

SQL2K-41

T-SQL:
Repeat the following for each server.
-Enter the following statement:
use msdb
select physical_drive, physical_name from backupfile
-For each file listed in the query results, do the following:
a. Open Windows Explorer and browse to the file.
b. Right click on the file's container directory.
c. Select Properties.
d. Select Security tab.
1. Verify that the only permissions are the following or less:
- full control - SYSTEM
- full control - Administrators
- full control - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER
Enterprise Manager:
N/A

SQL2K-42

Verify that objects are not owned by application user accounts.
The DBA shall ensure that application user database accounts do not own any database objects.

T-SQL:
Repeat the following for each database.
-Enter the following statement which lists objects not owned by the database owner:
select ObjectName = sysobjects.name, UserOrGroupName = sysusers.name from sysobjects
inner join sysusers on sysusers.uid = sysobjects.uid
where sysobjects.uid <> 1
1. Verify that all values for UserOrGroupName are not application user accounts.
Enterprise Manager:
Repeat the following for each database
-Expand the database.
-Select Tables, Views, Stored Procedures, Extended Stored Procedures, User Defined Data Types, and User Defined Functions.
1. Verify that each object is not owned by an application user.

T-SQL:
1. All values for UserOrGroupName are not application user accounts.
Enterprise Manager:
1. Each object is not owned by an application user.

SQL2K-43

T-SQL:
Repeat the following for each database.
-Enter the following statement:
select sysusers.name, sysobjects.name from sysobjects
inner join sysusers on sysusers.uid = sysobjects.uid
where sysusers.hasdbaccess = 1 and sysusers.name <> 'dbo'
1. Verify that no results are returned.
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Logins.
-For each login that is an application owner account, do the following:
a. Double click the login.
b. Select the General tab.
1. Verify that the "Deny access" radio button is selected.

T-SQL:
1. No results are returned.
Enterprise Manager:
1. The "Deny access" radio button is selected for each login.

SQL2K-44

T-SQL:
N/A
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Linked Servers.
-For each linked server, do the following:
a. Double-click the linked server.
b. Select the Security tab.
1. Verify that the "Be made using the login's current security context" radio button is selected.
2. Under "Local server login to remote server login mappings", verify that there are no mappings.

T-SQL:
N/A
Enterprise Manager:
1. The "Be made using the login's current security context" radio button is selected for each linked server.
2. There are no mappings for each linked server.

SQL2K-45

T-SQL (preferred method):
Repeat the following for each server.
-Enter the following statement:
use master
select serverproperty('ServerName')
1. Verify that the version number, SQL Server-related or otherwise, is not in the server name.
Enterprise Manager:
N/A - While it is possible to get the server name using Enterprise Manager, for local servers this may not give an accurate result. Use T-SQL.

SQL2K-46

Verify that all databases are located in separate database files.
The DBA shall locate the system database MASTER.MDF in a separate database that resides
within its own unique datafile(s).
The DBA shall locate the miscellaneous system database MODEL.MDF in a separate database that
resides within its own unique datafile(s).
The DBA shall locate the system database MSDB.MDF in a separate database that resides within
its own unique datafile(s).
The DBA shall locate the system database TEMPDB.MDF in a separate database that resides
within its own unique datafile(s).
The DBA shall locate the application databases in separate databases that reside within their own
unique datafile(s).

T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select name, filename from sysdatabases
1. Verify that there is a database named "master" and that the filename for it is "master.mdf".
2. Verify that there is a database named "model" and that the filename for it is "model.mdf".
3. Verify that there is a database named "msdb" and that the filename for it is "msdb.mdf".
4. Verify that there is a database named "tempdb" and that the filename for it is "tempdb.mdf".
5. Verify that all databases present are located in their own separate database files.
Enterprise Manager:
N/A

SQL2K-47

To locate the database names, do the following (repeat for each server):
T-SQL:
-Enter the following statement:
use master
select name from sysdatabases
Enterprise Manager:
-Expand the server group.
-Expand the server.
-Expand Databases.
For each database name listed with the exception of master, tempdb, model and msdb, verify the following:
1. Verify that only alphabetic (A-Z), numeric (0-9), and special characters (e.g. hyphen, colon, underscore) which are appropriate to the language are present in the name.
2. Verify that the first character of the name is alphabetic (A-Z).
3. Verify that the name does not start with a verb.
4. Verify that the length of the name is less than 30 characters long.
5. Verify that the name is unique.
6. Verify that the name is clear and accurate to reflect a condensed version of the data description.

SQL2K-48
SQL2K-49
SQL2K-50

T-SQL:
Repeat the following for each server.
-Enter the following statement:
select count(name) from syslogins
where password is null and name = 'sa'
1. Verify that "0" is returned.
Enterprise Manager:
N/A

SQL2K-51
SQL2K-52
SQL2K-53
SQL2K-54

T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select name from sysdatabases
1. Verify that none of the following databases exist:
- Northwind
- pubs
- AdventureWorks
- AdventureWorksDB
- AdventureWorksAS
Enterprise Manager:
Repeat the following for each server.
-Expand the server group.
-Expand the server.
-Expand Databases.
1. Verify that none of the following databases exist:
- Northwind
- pubs
- AdventureWorks
- AdventureWorksDB
- AdventureWorksAS

SQL2K-55

Verify that statement permissions have been revoked for the public database role in all databases.
The DBA shall ensure that SQL Server statement privileges are not granted to PUBLIC or GUEST.

T-SQL:
Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, 'public', NULL, 's'
1. Verify that there are no rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Right-click the database and click Properties.
-Select the Permissions tab.
1. Verify that a green check isn't visible in any checkbox for the public database role.

T-SQL:
1. There are no rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
1. A green check isn't visible in any checkbox for the public database role.

SQL2K-56

Verify that statement permissions have been revoked for the guest account in all databases.
The DBA shall ensure that SQL Server statement privileges are not granted to PUBLIC or GUEST.

T-SQL:
Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, 'guest', NULL, 's'
1. Verify that there are no rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Right-click the database and click Properties.
-Select the Permissions tab.
1. Verify that a green check isn't visible in any checkbox for the guest account.

T-SQL:
1. There are no rows returned where ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
1. A green check isn't visible in any checkbox for the guest account.

SQL2K-57

Verify that statement permissions have been revoked for user accounts in all databases.
Verify that statement permissions have been revoked for user accounts in all databases.

T-SQL:
Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, NULL, NULL, 's'
1. Verify that there are no rows returned where ProtectType is "Grant" or "Grant_WGO" and Grantee is a user account.
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Right-click the database and click Properties.
-Select the Permissions tab.
1. Verify that a green check isn't visible in any checkbox for any user account.

T-SQL:
1. There are no rows returned where ProtectType is "Grant" or "Grant_WGO" and Grantee is a user account.
Enterprise Manager:
1. A green check isn't visible in any checkbox for any user account.

SQL2K-58

T-SQL:
N/A
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Right click the database and click Properties.
-Click the Permissions tab.
1. Verify that none of the statement privileges listed below are granted to any application user, application administrator, application developer, or application role. Granted permissions are shown with a green checkmark.
CREATE TABLE
CREATE VIEW
CREATE SP
CREATE DEFAULT
CREATE RULE
CREATE FUNCTION
BACKUP DB
BACKUP LOG
CREATE DATABASE

T-SQL:
N/A
Enterprise Manager:
1. None of the statement privileges listed below are granted to any application user, application administrator, application developer, or application role. Granted permissions are shown with a green checkmark.
CREATE TABLE
CREATE VIEW
CREATE SP
CREATE DEFAULT
CREATE RULE
CREATE FUNCTION
BACKUP DB
BACKUP LOG
CREATE DATABASE

SQL2K-59

T-SQL:
Repeat the following for each database.
-Enter the following statement which lists all of the database roles that guest is a member of:
exec sp_helpuser 'guest'
1. Verify that either no results are returned or that a single result is returned where GroupName is 'public'.
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Expand the database.
-Select Users.
-Double-click user Guest.
1. If Guest isn't there then the test passes for this database.
2. Under "Database role membership", verify that all checks except public are cleared.

T-SQL:
1. No results are returned, or a single result is returned where GroupName is 'public'.
Enterprise Manager:
1. Guest isn't there.
2. All checks except public are cleared.

SQL2K-60

T-SQL:
Repeat the following for each server.
-Enter the following statement which displays all users who are granted server role memberships:
exec sp_helpsrvrolemember
1. Verify that only DBAs are granted server role memberships.
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Server Roles.
-For each server role, do the following:
a. Double-click the server role.
1. Verify that only DBAs are granted membership to the server role.

SQL2K-61

T-SQL:
Repeat the following for each database
-Enter the following statement which displays all users who are granted database role memberships:
exec sp_helprolemember
1. Verify that only DBAs are granted database role memberships (memberships beginning with "db_").
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Expand the database.
-Select Roles.
-For each database role that begins with "db_", do the following:
-Double-click the database role.
1. Verify that only DBAs are granted membership to the database role.

SQL2K-62

T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_helpsrvrolemember sysadmin
1. Verify that only authorized logins are members of the System Administrators server role.
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Server Roles.
-Right-click the System Administrators (sysadmin) server role and click Properties.
1. Verify that only authorized logins are members of the System Administrators server role.

SQL2K-63

T-SQL:
Repeat the following for each server.
-Enter the following statement:
exec sp_helpsrvrolemember sysadmin
1. Verify that BUILTIN\Administrators is not a member of the System Administrators server role.
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Server Roles.
-Right-click the System Administrators (sysadmin) server role and click Properties.
1. Verify that BUILTIN\Administrators is not a member of the System Administrators server role.

SQL2K-64

T-SQL:
Repeat the following for each database.
-Enter the following statement which checks for the "grant with grant" privilege on objects:
select sysusers.name, sysobjects.name, sysprotects.action from sysprotects
inner join sysusers on sysusers.uid=sysprotects.uid
inner join sysobjects on sysobjects.id=sysprotects.id
where sysprotects.protecttype = 204
1. Verify that no results are returned.
Enterprise Manager:
N/A

T-SQL:
1. No results are returned.
Enterprise Manager:
N/A

SQL2K-65

T-SQL:
Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, NULL, NULL, 'o'
1. Verify that there are no rows returned where Grantee is an application user account and ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
Repeat the following for each database.
-Expand the server.
-Expand Databases.
-Expand the database.
-Select Users.
-For each application user account do the following:
-Double-click the user.
-Select Permissions.
-Select "List only objects with permissions for this user".
1. Verify that no permissions are shown. If permissions are shown, verify that a green check isn't visible in any checkbox.

T-SQL:
1. No rows are returned where Grantee is an application user account and ProtectType is "Grant" or "Grant_WGO".
Enterprise Manager:
1. No permissions are shown. If permissions are shown, a green check isn't visible in any checkbox.

SQL2K-66

T-SQL:
Repeat the following for each database.
-Enter the following statement:
exec sp_helprotect NULL, NULL, NULL, 'o'
1. For each row where Grantee is an application administrator or an application user AND Action is "References", verify that ProtectType is not "Grant" or "Grant_WGO".
Enterprise Manager:
N/A

T-SQL:
1. ProtectType is not "Grant" or "Grant_WGO".
Enterprise Manager:
N/A

SQL2K-67

Verify that system-defined extended stored procedures are restricted from user access.
The DBA shall prevent creation and use of user-defined extended stored procedures.
The DBA shall restrict use of system-defined extended stored procedures to authorized DBAs only
unless fully justified and documented with the IT Security Specialist.

T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select sysobjects.name, sysusers.name, sysprotects.action from sysprotects
inner join sysobjects on sysobjects.id = sysprotects.id
inner join sysusers on sysusers.uid = sysprotects.uid
where (sysobjects.type = 'X') and (sysobjects.uid < 5) and (sysprotects.protecttype <> 206)
1. For each row returned, verify that the value for name is not "public".
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Databases.
-Expand the master database.
-Select Extended Stored Procedures.
-For each user-defined extended stored procedure, verify the following:
-Right-click on the procedure name.
-Select All Tasks.
-Select Manage Permissions.
1. For user public, verify that the check box under the EXEC column has a red X.

T-SQL:
1. For each row returned, the value for name is not "public".
Enterprise Manager:
1. For user public, the check box under the EXEC column has a red X.SQL2K-68Verify that the SQL Server Agent service and the SQL Server service both run under the same service account. This account is only a member of the Users or Power Users group.
The MS SQL Server Agent services, MSSQLServer or MSSQL$Instancename for a named instance and SQLServerAgent, shall not be run under the administrator or system accounts. A service account
shall be defined and shall be a local Windows account unless a Windows domain account is required to support replication, remote procedure calls, or SQLMail. The SQL Server Agent services shall use the same account. The service account shall not be a member of the local or domain administrators group. The service account shall be denied the interactive logon right. The service account must be added to the SQL Server SYSADMIN role.�T-SQL:
N/A
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Management.
-Right-click SQL Server Agent and click Properties.
-Click the General tab.
-Verify that under "Service startup account" the "This account" radio button is clicked. Take note of the account being used as the SQL Server Agent service startup account.
-Click Start->Administrative Tools->Active Directory Users and Computers (for Windows 2003 Server).
-Find the account from step 5 and double-click it.
-Click the Member Of tab.
1. Verify that the user is only a member of the Users group (or the Power Users group if SQL Service is part of an Active Directory).
-Back in Enterprise Manager, right-click the server and click Properties.
-Click the Security tab.
2. Verify that under "Startup service account" the "This account" radio button is clicked.
3. Verify that the same user used for starting up the SQL Server Agent service is used here as well.

T-SQL:
N/A
Enterprise Manager:
1. The user is only a member of the Users group (or the Power Users group if SQL Service is part of an Active Directory).
2. Under "Startup service account" the "This account" radio button is clicked.
3. The same user used for starting up the SQL Server Agent service is used here as well.

SQL2K-69
Verify that the SQL Server service account has the appropriate user rights.
The service account shall be denied the interactive logon right. The SQL Server Agent service account requires the following rights:
- Act as part of the operating system
- Replace a process-level token
- Log on as a service
- Access this computer from the network
- Increase quotas
- May require the logon as a batch job right

T-SQL:
N/A
Enterprise Manager:
Repeat the following for each server.
-Right-click the server and click Properties.
-Click the Security tab.
-Take note of the account being used as the SQL Server Agent service startup account.
-Click Start->Administrative Tools->Domain Controller Security Policy->Local Policies->User Rights Assignment
1. Verify that the SQL Server Agent service startup account has the following rights:
- Act as part of the operating system
- Replace a process-level token
- Log on as a service
- Access this computer from the network
- Increase quotas
- May require the logon as a batch job right
6. Verify that the SQL Server Agent service startup account does not have the following rights:
- Allow log on locally

T-SQL:
N/A
Enterprise Manager:
1. The SQL Server Agent service startup account has the following rights:
- Act as part of the operating system
- Replace a process-level token
- Log on as a service
- Access this computer from the network
- Increase quotas
- May require the logon as a batch job right
2. The SQL Server Agent service startup account does not have the following rights:
- Allow log on locally

SQL2K-70
T-SQL:
Repeat the following for each server.
-Enter the following statement:
use master
select name from sysxlogins
where (sysxlogins.name = 'BUILTIN\Administrators')
1. Verify that nothing is returned.
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Security.
-Select Logins.
1. Verify that BUILTIN\Administrators is not a valid login.

SQL2K-71
T-SQL:
N/A
Enterprise Manager:
Repeat the following for each server.
-Expand the server.
-Expand Support Services.
-Right-click SQL Mail and click Properties.
1. Verify that there are no MAPI profiles.

T-SQL:
N/A
Enterprise Manager:
1. There are no MAPI profiles.

SQL2K-72
Verify that snapshot folders do not exist on Windows administrative shares. Verify that snapshot folders have the appropriate permissions assigned.
The DBA shall configure the snapshot folder location on an explicit share and not on a Windows administrative share.
The DBA shall set snapshot folder permissions to SYSTEM and ADMINISTRATOR Full Control, SQL Server Agent domain account read and write.

T-SQL:
N/A
Enterprise Manager:
Repeat the following for each publication on each server.
-Expand the server.
-Expand Replication.
-Expand Publications.
-Right-click the publication and click Properties.
-Click the Security tab.
1. Verify that the checkbox labeled "Generate snapshots in the normal snapshot folder" is unchecked.
2. Verify that the checkbox labeled "Generate snapshots in the following location" is checked and that the directory listed is not a Windows administrative share.
-Navigate to the directory above using Windows Explorer.
-Right-click on the directory and click Properties.
-Select the Security tab.
3. Verify that the only permissions are the following or less:
- full control - Administrators
- full control - SYSTEM
- read/write - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER

T-SQL:
N/A
Enterprise Manager:
1. The checkbox labeled "Generate snapshots in the normal snapshot folder" is unchecked.
2. The checkbox labeled "Generate snapshots in the following location" is checked and the directory listed is not a Windows administrative share.
3. The only permissions are the following or less:
- full control - Administrators
- full control - SYSTEM
- read/write - SQL Server service account (custom)
- full control - DBA group (custom)
- full control - CREATOR OWNER

SQL2K-73
T-SQL:
N/A
Enterprise Manager:
-Select Tools from the menu bar.
-Select Replication.
-Select Configure Publishing, Subscribers, and Distribution.
-Select the Subscribers tab.
-Double-click on each subscriber.
-Under Agent connection to the Subscriber
1. Verify that the radio button "Impersonate the SQL Server Agent account on SQL Server (trusted connection)" is selected.

T-SQL:
N/A
Enterprise Manager:
1. The radio button "Impersonate the SQL Server Agent account on SQL Server (trusted connection)" is selected.

SQL2K-74
T-SQL:
Repeat the following for each server.
-Enter the following statement:
select name, denylogin, hasaccess from syslogins
1. Verify that all accounts listed are actually in use. If they are not in use, verify that they are disabled.
Enterprise Manager:
N/A

T-SQL:
1. All accounts listed are actually in use. If they are not in use, verify that they are disabled.
Enterprise Manager:
N/A

SQL2K-75
T-SQL:
-Enter the following statement for each server. Note that the statement checking for the "CREATE DATABASE" statement will return an error if CREATE DATABASE is not assigned.
exec sp_helpsrvrolemember 'sysadmin'
exec sp_helpsrvrolemember 'dbcreator'
exec sp_helprotect 'CREATE DATABASE'
1. Verify that only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
-Enter the following statement for each database. Replace with the name of the database being tested.
use
exec sp_helprolemember 'db_owner'
2. Verify that only users who should have access to RESTORE are returned (sa and the database owner are valid if they are returned).
Enterprise Manager:
N/A

SQL2K-76
-Open the SQL Server Network Utility.
-Select the General tab.
1. Verify that the checkbox "Force protocol encryption" is checked.

1. The checkbox "Force protocol encryption" is checked.

SQL2K-77
T-SQL:
Repeat the following for each server.
-Review jobs scheduled to start automatically at system startup. Enter the following statement:
use master
select name from sysobjects where xtype = 'p' and objectproperty(id, 'ExecIsStartup') = 1
1. Verify that all jobs listed are authorized.
-Review the SQL Server job history. Enter the following statement:
use msdb
select distinct (j.name) from sysjobhistory h,sysjobs j where h.job_id=j.job_id
2. Verify that all jobs listed are authorized.
Enterprise Manager:
N/A

T-SQL:
1. All jobs listed are authorized.
2. All jobs listed are authorized.
Enterprise Manager:

SQL2K-78
-Open Computer Management. Click Start, Control Panel, Administrative Tools, Computer Management.
In Computer Management, expand System Tools, expand Local Users and Groups, and select Groups.
-View the list of groups defined.
1. Verify that a DBA Windows OS group exists and that only authorized DBA accounts exist within that group.
-Verify that the DBA Windows OS group exists as a SQL Server Login. In Enterprise Manager, expand the server, expand Security, select Logins.
2. Verify that the DBA Windows OS group exists as a login.
-Double click the group, click the Server Roles tab
3. Verify that System Administrators is checked.

1. A DBA Windows OS group exists and only authorized DBA accounts exist within that group.
2. The DBA Windows OS group exists as a SQL Server Login.
3. System Administrators is checked.

SQL2K-79
T-SQL:
-Determine if replication is in use. Enter the following statement which checks to see if the replication database exists:
select count(name) from sysdatabases
where name = 'distribution'
1. If 0 is returned, then replication is not in use and this check passes. If 1 is returned, continue.
-Enter the following statements
use distribution
exec sp_helprolemember 'replmonitor'
2. Verify that only DBA and designated replication database accounts are returned:
-Determine the databases participating in replication. Enter the following statements:
exec sp_helpreplicationdboption
-For each database participating in replication, enter the following statement:
use
exec sp_helprolemember 'db_owner'
3. Verify that only DBA and designated replication database accounts are returned:
Enterprise Manager:
N/A

T-SQL:
1. 0 is returned (replication is not in use). If 1 is returned, continue.
2. Only DBA and designated replication database accounts are returned.
3. Only DBA and designated replication database accounts are returned.
Enterprise Manager:
N/A

SQL2K-80
To locate the database names, do the following (repeat for each server):
T-SQL:
-Enter the following statement:
use master
select name from sysdatabases
Enterprise Manager:
-Expand the server group.
-Expand the server.
-Expand Databases.
1. Verify that all databases listed are production databases and not development databases.

T-SQL or Enterprise Manager:
1. All databases listed are production databases or development databases. Production and development should not reside on the same server.

SQL2K-81
NOTE! This check will require information from the DBA.
Repeat the following for each server.
Enterprise Manager:
-Expand the server.
-Verify that the server contains either production or development databases. If the server contains both production and development databases, then this server fails this check.
-Expand Security.
-Select Linked Servers.
1. Verify that each linked server's function type matches the function type of the local server. For example, if the local server contains production databases, then all linked servers must contain only production databases. If the local server contains development databases, then all linked servers must contain only development databases.

Enterprise Manager:
1. Each linked server's function type matches the function type of the local server. For example, if the local server contains production databases, then all linked servers must contain only production databases. If the local server contains development databases, then all linked servers must contain only development databases.

SQL2K-82
-Click Start -> Search.
1. Search all hard drives (including subfolders) for the file Odbctrac.dll. Verify that the file does not exist anywhere on the system.

DISA Microsoft SQL Server 2000 Database Security Checklist, Version 8, Release 1.7
Out of Scope Controls - Unselected NIST 800-53 Controls
SCSEM Version: 1.2
Released: February 12, 2013
NIST Control Name
Full name which describes the NIST ID.
NIST Control Name
SC-9
Minor update to correct worksheet locking capabilities. Added back NIST control name to Test Cases Tab.
Transmission Confidentiality
Account Management
Audit Review, Analysis, and Reporting
Network Disconnect
Separation of Duties
Protection of Audit Information
Time Stamps
Least Functionality
Flaw Remediation
Audit Generation
Audit Storage Capacity
Auditable Events
Authenticator Management
Access Enforcement
Application Partitioning
Least Privilege
SafeguardReports@IRS.gov
http://www.irs.gov/uac/Safeguards-Program
Identify OS or App Version and include Service Packs and Builds
Insert unique identifier for the computer or device
Insert tester name and organization
Insert City, State and address or building
IRS Office of Safeguards SCSEM
IT Security Compliance Evaluation
Booz Allen Hamilton
usgcb, stig, pub1075
The IRS strongly recommends agencies test all SCSEM settings in a development or test environment prior to deployment in production. In some cases a security setting may impact a system's functionality and usability. Consequently, it is important to perform testing to determine the impact on system security, functionality, and usability. Ideally, the test system configuration should match the production system configuration. Prior to making changes to the production system, agencies should back up all critical data files on the system and if possible, make a full backup of the system to ensure it can be restored to its pre-SCSEM state if necessary.
Michael Caruso
Microsoft Excel
security
Office of Safeguards
Internal Revenue Service
Worksheets: Dashboard, Results, Instructions, Test Cases, Appendix, Change Log