ࡱ>  { zbjbjzz q$!$!6!H!!$!!!P&"Dj*T !z'6P(PPPSRAW${ ?%A%A%A%A%A%A%$2+-e%$!R"S e%$!$!PPz%}}}Ǽ*$!P$!P?%}?%}}? PA:WF+%X&"z'.+.? .~!$? $3>}q=de%e%׾z'. :  SECURITY IMPLEMENTATIONHANDBOOK PENNSYLVANIA DEPARTMENT OF PUBLIC WELFARE March 2008 Forward The Security Implementation Handbook is intended only for Pennsylvania Department of Public Welfare use. The Security Implementation Handbook contains references to policies and procedures which were in effect as of its writing. The Department cannot ensure the accessibility of these policies and procedures through the hyperlinks provided in the online version of this handbook. Additional information may be obtained from the Department of Public Welfare Security Office at:  HYPERLINK "mailto:PW, IT-Security@state.pa.us"  HYPERLINK "mailto:PW, IT-Security@state.pa.us" PW, IT-Security@state.pa.us Version InformationVersion #DateBy1.004/20/2005F. Morrow1.105/17/2010C. VanScyoc Table of Contents  TOC \o "1-2" \h \z \u  HYPERLINK \l "_Toc101344347" Forward  PAGEREF _Toc101344347 \h 2  HYPERLINK \l "_Toc101344348" Version Information  PAGEREF _Toc101344348 \h 2  HYPERLINK \l "_Toc101344349" Table of Contents  PAGEREF _Toc101344349 \h 3  HYPERLINK \l "_Toc101344350" 1.0 Introduction  PAGEREF _Toc101344350 \h 5  HYPERLINK \l "_Toc101344351" 1.1 Overview  PAGEREF _Toc101344351 \h 5  HYPERLINK \l "_Toc101344394" 1.2 Purpose of the Handbook  PAGEREF _Toc101344394 \h 5  HYPERLINK \l "_Toc101344396" 2.0 Definitions  PAGEREF _Toc101344396 \h 6  HYPERLINK \l "_Toc101344397" Administrative Safeguards  PAGEREF _Toc101344397 \h 11  HYPERLINK \l "_Toc101344398" 3.0 Security Management Process  PAGEREF _Toc101344398 \h 11  HYPERLINK \l "_Toc101344399" 3.1 Risk Analysis  PAGEREF _Toc101344399 \h 11  HYPERLINK \l "_Toc101344449" 3.2 Risk Management  PAGEREF _Toc101344449 \h 13  HYPERLINK \l "_Toc101344450" 3.3 Sanction Policy  PAGEREF _Toc101344450 \h 13  HYPERLINK \l "_Toc101344451" 3.4 Information System Activity Review  PAGEREF _Toc101344451 \h 14  HYPERLINK \l "_Toc101344463" 4.0 Assign Security Responsibility  PAGEREF _Toc101344463 \h 16  HYPERLINK \l "_Toc101344464" 4.1 Department Security Officer  PAGEREF _Toc101344464 \h 16  HYPERLINK \l "_Toc101344465" 4.2 Program Office Security Monitor  PAGEREF _Toc101344465 \h 17  HYPERLINK \l "_Toc101344466" 4.3 Program Office Security Administrator  PAGEREF _Toc101344466 \h 17  HYPERLINK \l "_Toc101344467" 4.4 Program Office Contact (POC)  PAGEREF _Toc101344467 \h 18  HYPERLINK \l "_Toc101344468" 5.0 Workforce Security  PAGEREF _Toc101344468 \h 18  HYPERLINK \l "_Toc101344469" 5.1 Authorization and/or supervision  PAGEREF _Toc101344469 \h 18  HYPERLINK \l "_Toc101344470" 5.2 Workforce Clearance Procedure  PAGEREF _Toc101344470 \h 19  HYPERLINK \l "_Toc101344471" 5.3 Termination Procedures  PAGEREF _Toc101344471 \h 19  HYPERLINK \l "_Toc101344472" 6.0 Information Access Management  PAGEREF _Toc101344472 \h 20  HYPERLINK \l "_Toc101344473" 6.1 Isolating health care clearinghouse functions  PAGEREF _Toc101344473 \h 20  HYPERLINK \l "_Toc101344474" 6.2 Access authorization  PAGEREF _Toc101344474 \h 20  HYPERLINK \l "_Toc101344475" 6.3 Access establishment and modification  PAGEREF _Toc101344475 \h 21  HYPERLINK \l "_Toc101344476" 7.0 Security Awareness and Training  PAGEREF _Toc101344476 \h 21  HYPERLINK \l "_Toc101344477" 7.1 Security reminders  PAGEREF _Toc101344477 \h 21  HYPERLINK \l "_Toc101344478" 7.2 Protection from malicious software  PAGEREF _Toc101344478 \h 22  HYPERLINK \l "_Toc101344479" 7.3 Log-in monitoring  PAGEREF _Toc101344479 \h 22  HYPERLINK \l "_Toc101344480" 7.4 Password management  PAGEREF _Toc101344480 \h 23  HYPERLINK \l "_Toc101344481" 8.0 Security Incidents Procedures  PAGEREF _Toc101344481 \h 23  HYPERLINK \l "_Toc101344482" Response and Reporting  PAGEREF _Toc101344482 \h 23  HYPERLINK \l "_Toc101344483" 9.0 Contingency Plan  PAGEREF _Toc101344483 \h 24  HYPERLINK \l "_Toc101344484" 9.1 Data Backup Plan  PAGEREF _Toc101344484 \h 24  HYPERLINK \l "_Toc101344485" 9.2 Disaster Recovery Plan  PAGEREF _Toc101344485 \h 24  HYPERLINK \l "_Toc101344486" 9.3 Emergency Mode Operation Plan  PAGEREF _Toc101344486 \h 25  HYPERLINK \l "_Toc101344487" 9.4 Testing and Revision Procedures  PAGEREF _Toc101344487 \h 25  HYPERLINK \l "_Toc101344488" 9.5 Applications and Data Criticality Analysis  PAGEREF _Toc101344488 \h 26  HYPERLINK \l "_Toc101344489" 10.0 Evaluation  PAGEREF _Toc101344489 \h 26  HYPERLINK \l "_Toc101344490" 11.0 Business Associate Agreements and Other Arrangements  PAGEREF _Toc101344490 \h 26  HYPERLINK \l "_Toc101344491" Physical Safeguards  PAGEREF _Toc101344491 \h 28  HYPERLINK \l "_Toc101344492" 12.0 Facility Access Controls  PAGEREF _Toc101344492 \h 28  HYPERLINK \l "_Toc101344493" 12.1 Contingency Operations  PAGEREF _Toc101344493 \h 28  HYPERLINK \l "_Toc101344494" 12.2 Facility Security Plan  PAGEREF _Toc101344494 \h 28  HYPERLINK \l "_Toc101344495" 12.3 Access Control and Validation Procedures  PAGEREF _Toc101344495 \h 29  HYPERLINK \l "_Toc101344496" 12.4 Maintenance Records  PAGEREF _Toc101344496 \h 29  HYPERLINK \l "_Toc101344497" 13.0 Workstations  PAGEREF _Toc101344497 \h 30  HYPERLINK \l "_Toc101344498" 13.1 Workstation Use  PAGEREF _Toc101344498 \h 30  HYPERLINK \l "_Toc101344499" 13.2 Workstation Security  PAGEREF _Toc101344499 \h 30  HYPERLINK \l "_Toc101344500" 14.0 Device and Media Controls  PAGEREF _Toc101344500 \h 31  HYPERLINK \l "_Toc101344501" 14.1 Disposal  PAGEREF _Toc101344501 \h 31  HYPERLINK \l "_Toc101344502" 14.2 Media re-Use  PAGEREF _Toc101344502 \h 32  HYPERLINK \l "_Toc101344503" 14.3 Accountability  PAGEREF _Toc101344503 \h 32  HYPERLINK \l "_Toc101344504" 14.4 Data backup and storage  PAGEREF _Toc101344504 \h 33  HYPERLINK \l "_Toc101344505" Technical Safeguards  PAGEREF _Toc101344505 \h 34  HYPERLINK \l "_Toc101344506" 15.0 Access Control  PAGEREF _Toc101344506 \h 34  HYPERLINK \l "_Toc101344507" 15.1 Unique User Identification  PAGEREF _Toc101344507 \h 34  HYPERLINK \l "_Toc101344508" 15.2 Emergency Access Procedure  PAGEREF _Toc101344508 \h 34  HYPERLINK \l "_Toc101344509" 15.3 Automatic Logoff  PAGEREF _Toc101344509 \h 35  HYPERLINK \l "_Toc101344510" 15.4 Encryption and Decryption  PAGEREF _Toc101344510 \h 35  HYPERLINK \l "_Toc101344511" 16.0 Audit Controls  PAGEREF _Toc101344511 \h 35  HYPERLINK \l "_Toc101344512" 17.0 Integrity  PAGEREF _Toc101344512 \h 36  HYPERLINK \l "_Toc101344513" Mechanism to Authenticate EPHI  PAGEREF _Toc101344513 \h 36  HYPERLINK \l "_Toc101344514" 18.0 Person or entity authentication  PAGEREF _Toc101344514 \h 36  HYPERLINK \l "_Toc101344515" 19.0 Transmission security  PAGEREF _Toc101344515 \h 37  HYPERLINK \l "_Toc101344516" 19.1 Integrity controls  PAGEREF _Toc101344516 \h 37  HYPERLINK \l "_Toc101344517" 19.2 Encryption  PAGEREF _Toc101344517 \h 37  HYPERLINK \l "_Toc101344518" Policies, Procedures and Documentation Requirements  PAGEREF _Toc101344518 \h 38  HYPERLINK \l "_Toc101344519" 20.0 Documentation  PAGEREF _Toc101344519 \h 38  HYPERLINK \l "_Toc101344520" Appendix A. Summary of HIPAA Security Standards  PAGEREF _Toc101344520 \h 40  HYPERLINK \l "_Toc101344521"  164.308 Administrative Safeguards  PAGEREF _Toc101344521 \h 40  HYPERLINK \l "_Toc101344522"  164.310 Physical Safeguards  PAGEREF _Toc101344522 \h 42  HYPERLINK \l "_Toc101344523"  164.312 Technical Safeguards.  PAGEREF _Toc101344523 \h 43  HYPERLINK \l "_Toc101344524"  164.316 Policies and procedures and documentation requirements.  PAGEREF _Toc101344524 \h 43  HYPERLINK \l "_Toc101344525" Appendix B. HIPAA Security Standards Matrix  PAGEREF _Toc101344525 \h 45  HYPERLINK \l "_Toc101344526" Appendix C. Commonwealth and Department Security Standards and Practices  PAGEREF _Toc101344526 \h 46  Introduction Overview Among other things, the Federal Health Insurance Portability and Accountability Act (HIPAA) of 1996 required issuance of comprehensive Federal regulations for protection of certain individually identifiable health information. Final regulations governing storage, use, and disclosure of electronic protected health information (EPHI) were published on February 20, 2003. These regulations are commonly referred to as the as the HIPAA security regulations. Most covered entities, including the Department, are required to comply with these regulations by April 20, 2005. The HIPAA security regulations create national standards which require covered entities to: ensure the confidentiality, integrity and availability of EPHI protect against any reasonably anticipated threats or hazards to EPHI protect against reasonably anticipated inappropriate disclosures ensure compliance with the rule by the covered entitys workforce. These regulations require the Department to implement various security-related safeguards. Some of these are required for compliance; others are considered addressable and depend on the circumstances of the Departments environment. Specifically, these safeguards must cover the following areas: Security management process Security responsibility assignment Workforce security Information access management Security awareness and training Security incident procedures Contingency planning Evaluation of security policies and procedures Business associate agreements Facility access controls Workstation use and security Device and media controls Access controls Audit controls Integrity of the data Person or entity authentication Data transmission security Purpose of the Handbook The Department developed this handbook to identify the policies and procedures it follows to ensure its compliance with the HIPAA security regulations. These policies and procedures are either Department-specific or developed and governed by the Governors Office of Administration as specified in the Information Technology Bulletins and Management Directives. Where possible, we have referenced the pertinent documentation and/or provided links to it in the online version of this handbook. Definitions Access. The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. Administrative safeguards. Administrative actions and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information (EPHI) and to manage the conduct of the covered entity's workforce in relation to the protection of that information. Authentication. Corroboration that a person is the one claimed. Availability. The property that data or information is accessible and useable upon demand by an authorized person. BIS. The Bureau of Information Systems under the Pennsylvania Department of Public Welfares Office of Administration. Business associate. A person or entity who, on behalf of a covered entity or an organized health care arrangement, performs or assists in the performance of one of the following: A function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management and repricing. Other than as a member of the covered entitys workforce, provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services for such covered entity or organized health care arrangement. Business associate agreement. A contract or other arrangement between a covered entity and a business associate that does all of the following: Establishes the permitted and required uses and disclosures of protected health information (PHI), including EPHI, by the business associate. Provides that the business associate will use PHI only as permitted by the agreement or as required by law, use appropriate safeguards, report any disclosures not permitted by the agreement, ensure that agents to whom it provides PHI will abide by the same restrictions and conditions, make PHI available to individuals and make its record available to U.S. Department of Health and Human Services (DHHS). Authorizes termination of the agreement by the Department if the Department determines that there has been a violation of the contract. The business associate agreement is often part of a contract made in the procurement process, but can be part of a Memorandum of Understanding (MOU), grant agreement or other document. CMS. Centers for Medicare & Medicaid Services within the DHHS. Commonwealth. The Commonwealth of Pennsylvania. Compliance date. The date by which a covered entity must comply with a standard, implementation specification, requirement or modification specified in this handbook. Confidential information. Data to be used or disclosed only by those authorized to do so. Confidentiality. The property that data or information is not made available or disclosed to unauthorized persons or processes. Covered entity. A health care provider who transmits any health information in electronic form in connection with a transaction covered by the privacy rule, a health care plan or a health care clearinghouse. Covered functions. Those functions of a covered entity, the performance of which makes the entity a health care plan, health care provider or health care clearinghouse. DHHS. The U.S. Department of Health and Human Services. Department. The Pennsylvania Department of Public Welfare. Designated record set. The medical records and billing records, including electronic records, about individuals maintained by or for a covered health care provider; the enrollment, payment, claims adjudication and case or medical management record systems maintained by or for a health care plan; or medical records and billing records used by or for the covered entity to make decisions about individuals. For purposes of implementing HIPAA requirements, the Department intends to treat all client records as if they were part of the designated record set and afford them the corresponding privacy protection. Disclosure. The release, transfer, provision of access to or divulging of information outside the entity holding the information. DPW. The Pennsylvania Department of Public Welfare. Electronic media. Electronic storage media including memory devices in computers (internal memory or hard drives) and any removable/ transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card; or transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the internet (wide-open), extranet (using internet or other technology to link a business with information accessible only to collaborating parties), leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission. Electronic protected health information (EPHI). Information in an electronic media that comes within of the definition of PHI as specified in this section. Encryption. The use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. Facility. The physical premises and the interior and exterior of one or more buildings. Health care. Care, services or supplies related to the health of an individual. Health care includes, but is not limited to preventive, diagnostic, therapeutic, rehabilitative, maintenance, mental health or palliative care and sale or dispensing of a drug, device, equipment or other item in accordance with a prescription. Health care clearinghouse. A public or private entity that does either of the following: 1. Processes health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction. 2. Receives a standard transaction from another entity and processes health information into nonstandard format or nonstandard data content for the receiving entity. Health care operations. Includes any of the following activities: Conducting quality assessment and quality improvement activities. Reviewing the competence or qualifications of health care professionals. Evaluating practitioner and provider performance, health care plan performance and conducting training programs of non-health care professionals, accreditation, certification, licensing or credentialing activities. Underwriting, premium rating and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits and ceding, securing or placing a contract for reinsurance of risk relating to claims for health care. Conducting or arranging for medical review, legal services and auditing functions including fraud and abuse detection and compliance programs. Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies. Business management and general administrative activities of the entity. Health care plan. An individual or group plan, including Medical Assistance (MA) Programs, that provides, or pays the cost of, medical care. Health care provider. A provider of services and any other person or organization who furnishes, bills or is paid for health care in the normal course of business . Health information. Any information, whether oral or recorded in any form or medium, that does both of the following: 1. Is created or received by a health care provider, health care plan, public health authority, employer, life insurer, school or university or health care clearinghouse. 2. Relates to the physical or mental health or condition of an individual, the provision of health care to an individual or payment for the provision of health care to an individual. For purposes of implementing HIPAA requirements, the Department intends to treat all client records as if they were health information and afford them the corresponding privacy protection. Health maintenance organization (HMO). A federally qualified HMO and an organization recognized as an HMO under State law. Health oversight agency. An agency or authority of the United States, Pennsylvania or a political subdivision of a state, or a person or entity acting under a grant of authority from or contract with such public agency, authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. Individual. The person who is the subject of PHI. Individually identifiable health information. Health information, including demographic (such as names, addresses, telephone numbers, etc.) information that identifies the individual or for which there is a reasonable basis to believe the information can be used to identify an individual. For purposes of implementing HIPAA requirements, the Department will treat all individual records (including electronic records) as if they were health information and afford them the corresponding privacy protection. Information system. A system, whether automated or manual, comprised of people, machines, and/or methods organized to collect, process, transmit and disseminate data. Integrity. The property that data or information have not been altered or destroyed in an unauthorized manner. Malicious software. Software, for example, a virus, designed to damage, disrupt, or otherwise compromise an electronic information system or network. OA/OIT. The Office of Information Technology under the Commonwealth of Pennsylvanias Governors Office of Administration. Organized health care arrangement. A clinically integrated care setting in which individuals typically receive health care from more than one health care provider or an organized system of health care in which more than one covered entity participates, and in which the participating covered entities hold themselves out to the public as participating in a joint arrangement and participate in joint activities. Password. Protected/private alphanumeric string used to authenticate an identity or to authorize access to data. Physical safeguards. Physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. Privacy Rule. The Federal privacy regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, which created national standards to protect PHI. Protected health information (PHI). Individually identifiable health information that is maintained or transmitted in any form or medium. Protected health information excludes individually identifiable health information in education records covered by the Family Educational Right and Privacy Act (FERPA). For purposes of implementing HIPAA requirements, the Department intends to treat all individual records, including electronic records, as if they were health information and afford them the corresponding privacy protection. Public health authority. An agency or authority of the United States, Pennsylvania, a political subdivision of a State or a person or entity acting under a grant of authority from or contract with such public agency that is responsible for public health matters as part of its official mandate. Privacy Officer. The Departments privacy/client information officer. Currently, the Departments Office of General Counsel (OGC) functions in this capacity. Program office coordinator (POC). The program offices primary contact for HIPAA matters. Research. A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to general knowledge. Security or security measures. All of the administrative, physical, and technical safeguards in an information system. Security incident. The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. Security Officer. The Departments security/client information officer. Technical safeguards. The technology and the policy and procedures for its use that safeguard EPHI and control access to it. Trading partners. Entities that exchange EPHI. Treatment. The provision, coordination or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to an individual or the referral of an individual for health care from one health care provider to another. Use. With respect to individually identifiable health information, the sharing, employment, application, utilization, examination or analysis of such information within an entity that maintains such information. User. A person or entity with authorized access. Workstation. An electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment. Administrative Safeguards Security Management Process 164.308(a)(1)(i) The Department is required to implement policies and procedures to prevent, detect, contain and correct security violations. Risk Analysis (Required) 164.308(a)(1)(ii)(A) The Department must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity. The Department complies with this requirement in the following manner: The Department assesses the potential risks and vulnerabilities to the confidentiality, integrity and availability of EPHI that the Department stores, uses, and releases. This assessment includes: Utilization of the Security and Privacy Self-Assessment template developed by the Governors Office of Administration ( HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126157&oaoitNav=|8305|1821|5815|5817|" ITB I.1.1). Currently, self-assessment templates are available for: Security and Privacy Business Continuity Planning (the ability of the Department to provide uninterrupted or minimally interrupted services in the event of disaster or major system failure). These assessments rate the Department as a whole in the specific areas that they address. The assessments are filed with the OA/OIT along with any resulting corrective action plans (CAP), as outlined in Management Directive  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=129517" MD325.7. These assessments include all servers where the relevant data is stored, including the mainframe. The CAPs are updated and submitted to OA/OIT on a quarterly basis. In addition, each Program Office in the Department conducts its own self-assessment, reporting the assessment, resulting CAPs, and quarterly updates to the Department Security Office. Utilization of the OA/OIT Electronic Commerce Security Assessment ( HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73867" ITB B.5) or ECSA. The Department requires the completion of the ECSA prior to each new application (or major revision of an existing application) going into production. The ECSA provides a risk assessment of the application, including an evaluation of the potential consequences of a security breach relative to the likelihood of such a breach occurring. Appropriate security measures are developed for the application based on the results of the risk assessment. The ECSA is reviewed by Department security staff and approved by an OA/OIT security committee. Utilization of various tools (SMS, ePolicy Orchestrator, Pest Patrol, etc.) to monitor and update (as needed) software and applications residing on the Departments systems. This monitoring occurs continually, 24x7, as a background process and updates are applied as deemed appropriate. Utilization of the Departments Remedy system and the OA/OITs Remedy Asset system for inventory and maintenance of the Departments hardware assets. Updates to the Departments Remedy system are performed as equipment is added, moved/relocated, or retired. The Department system feeds cumulative updates to the OA/OIT system on a monthly basis. Audits performed by regulatory and auditing agencies external to the Department. These include the Internal Revenue Service (IRS), the Commonwealth Auditor Generals Office (AG), the Commonwealth Office of the Inspector General (OIG), and various certification authorities such as DHHS and CMS. These audits cover a number of systems including the mainframe. The frequency of these audits varies from one entity or program to the next. The IRS generally audits the Department systems on a bi-annual basis; the AG and OIG generally respond to a particular complaint; the certification authorities generally respond to a new application or change in an existing application. Periodic application criticality review by Department applications staff and IT Management. Generally, this is done on an annual basis. Ongoing evaluations of the Departments disaster recovery and continuity planning in order to keep abreast of new applications and/or changes to existing applications and the data they access. Currently a major re-assessment of the Departments disaster recovery system is in progress. Assessments by outside organizations (e.g., Booz, Allen, and Hamilton, Ernst and Young) are contracted to perform assessments and audits for specific projects on an as-needed basis, for example, Commonwealth-wide HIPAA Privacy and Security review, biannual (approximately) IRS security audits, or federal certification of Department programs. Software updates and patches are tested and reviewed by appropriate staff prior to installation. Hardware or firmware updates and patches are tested and reviewed by appropriate staff prior to installation. OA/OIT, through a MOU with agencies under the Governors Office, will develop an enterprise security initiative including centralized review and auditing of Department systems and administration. These various surveys and evaluations cover a range of different aspects of the Departments IT and data assets, including: Hardware Software and applications Database systems Network access and related defenses User background checks User authorization Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|" ITB I.6.1. Requires agencies to conduct periodic risk assessments. Risk Management (Required) 164.308(a)(1)(ii)(B) The Department shall implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a). The Department complies with this requirement in the following manner: CAPs are filed with the OA/OIT. These are reviewed, implemented, and updated on a quarterly basis, noting progress made and issues closed. Application security controls must be reviewed and approved prior to applications move to production as a part of the applications ECSA. Anti-virus and anti-spyware files are updated as released by the vendor through an automated process. IT staff subscribe to various hardware and software notification lists (CERT, CISCO, Microsoft, etc.) to keep up-to-date on hardware and software vulnerabilities and related patches. BIS staff members evaluate the impact of these vulnerabilities on our systems. Patches are tested and applied as deemed appropriate.  HYPERLINK "http://bis/pgm/h-net%20standards/introduction/introduction.asp" Department Business and Technical Standards are reviewed on a regular basis (at least every 6 months) and updated as necessary. Security information is sent out to Department staff as appropriate in the form of posters, newsletters, and bulletins. Systems are continually monitored (24x7) by a combination of onsite programs (Sightline, SMS, HP OpenView, etc.) as well as offsite services (e.g., Verizon NOC). Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126157&oaoitNav=|8305|1821|5815|5817|" ITB I.1.1. Requires Agency Self-Assessments for Security and Privacy as well as Corrective Action Planning to address any identified deficiencies. Additional information (guidebook, forms, etc.) may be found  HYPERLINK "http://www.pasecureonline.state.pa.us/pasecure/cwp/view.asp?A=3&Q=231626&pasecureNav" here.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=4&Q=188016" Exec Order 2004-8. Establishes the Enterprise Information Technology Governance Board, including IT Domain Teams (Security, Privacy, etc.). This Board provides recommendations on Commonwealth IT standards and policies. Technical Review Team. Standing DPW committee consisting of various IT Domains (Security, Privacy, etc.) tasked with the creation and review of DPW Business and Technical Standards and with the review of requests for procurement of new technology (hardware or software) to see that they conform to those standards. The team meets on a bi-weekly basis. Application Review Board. Standing DPW Committee to review application technical specifications to see that they conform to DPW Business and Technical Standards. The board meets on a weekly basis. Sanction Policy (Required) 164.308(a)(1)(ii)(C) The Department must apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. The Department complies with this requirement in the following manner: Access to Department and Commonwealth resources are subject to contracts and agreements with employees, contractors (including business associates), and trading partners. These are based on the users specific access and usage needs with the goal of restricting such access and usage to the minimum necessary to perform the individuals job requirements. All user applications for such access must be approved by that users supervisor and other appropriate agency authorities. Suspected violations or abuses of security policies and procedures will be investigated by the appropriate authorities (including the Pennsylvania State Police and FBI, if appropriate), contracts or agreements terminated, and sanctions levied or disciplinary or legal actions taken against the offender up to and including termination. In addition to Departmental disciplinary actions or sanctions, violators may be subject to civil and/or criminal actions. During the course of any such investigation, the users access to Department and Commonwealth shall be suspended or curtailed as appropriate, pending the final resolution of the investigation and any disciplinary or legal action taken. All users must sign the  HYPERLINK "http://bis/pgm/doc/oisforms/internetuseragreement.pdf" Commonwealth Internet and Computer usage agreement prior to being granted access to the Department and/or Commonwealth systems. Users requesting remote dial-in access to Department systems must sign the  HYPERLINK "http://bis/pgm/doc/oisforms/remoteaccessrequest.doc" Internet/Remote/Dialout Access form and agree to its terms of usage. Users requiring access to the Mainframe systems must complete the Unisys 2200 Demand Access Request Form. Users requiring access to the restricted systems area must complete the Willow Oak Building Badge and Data Center Access Card Request form. Access to individual applications is granted by the Program Office security monitor based on the applicants job requirements. Additional sources of information:  HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/MDs/205-29.pdf" MD 205.29. Establishes appropriate use of the Internet and the Internet User Agreement.  HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/MDs/205-34.pdf" MD 205.34. Establishes appropriate use of email and the Internet and related disciplinary actions for its misuse.  HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/MDs/505-7.pdf" MD 505.7(13). Establishes disciplinary process for Commonwealth employees. Information System Activity Review (Required) 164.308(a)(1)(ii)(D) The Department must implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. The Department complies with this requirement in the following manner: The Department has implemented procedures to review records of information system activity. Some of these reviews are performed on a daily basis as part of systems operations; others, generally more detailed, are performed in response to particular requirements of audits, investigations, etc. These reviews include: Health checks. This review is run before-hours each workday and checks for the availability of applications and the systems they interact with. Performance statistics. This is an automated process which monitors performance statistics (memory and CPU usage, transaction rates, etc.) on a continual basis. Internet access. Automated tools monitor Internet access by Department personnel on a continual basis. Other tools on our web servers monitor application access by both internal and external users, also on a continual basis. Firewall logs. The Department firewalls log all traffic traversing them, both incoming and outgoing, on a continual basis. Automated alerts. A variety of tools and services monitor critical systems on a continual basis and automatically alert appropriate personnel should any system exhibit aberrant behavior (e.g., fails to respond, excess traffic, excess CPU usage, etc.) Security logs. The Department archives all security logs (e.g., Unified Security system and mainframe) and makes them available for review in the event of an internal or external investigation, audit, etc. Application logs. The Department archives all application and database logs and makes them available for review in the event of an internal or external investigation, audit, etc. Access logs. The Department archives all access logs (e.g., restricted area access and after-hours building entry) and makes them available for review in the event of an internal or external investigation, audit, etc. These reviews are performed by a variety of personnel, both internal and outsourced as appropriate. These personnel include: Department server staff Department operations staff Department security staff Department networking staff Unisys (management of the mainframe system) Verizon (management of the network infrastructure & system alerts) OA/OIT (management of the outside network connections to the Department) Various tools are used to perform these checks and reviews, including: Webtrends SiteLine HP Openview Vital Suite Concord Crystal Reports SQL Reporting Aberrations are acted upon and reported to management and/or the Department Security Officer as appropriate. Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|9103|" ITB I.6.2. To the extent that systems software permits, computer and communications systems handling sensitive, valuable, or critical Commonwealth information must securely log all significant security-related events.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&q=131183&oaoitNav=|8305|1821|5815|" ITB I.11. Establishes the Intrusion Detection System (IDS) at the Commonwealth network periphery. Suspect traffic is identified based on over 800 cyber attack signatures, and this information is written to a Microsoft SQL Server 2000 database for further analysis and reporting. Assign Security Responsibility (Required) 164.308(a)(2) The Department must identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. The Department complies with this requirement in the following manner: The Department has appointed a Security Officer who oversees all ongoing activities related to the development, implementation, maintenance of and adherence to the Departments security policies and procedures covering the use and access to EPHI in compliance with Federal and state laws and regulations. Department Security Officer The role of the Department Security Officer is to: Provide guidance and assist in the identification, development, implementation and maintenance of information security policies and procedures in coordination with the administration (Commonwealth and Department), and the POCs. Direct the performance of initial and periodic privacy risk assessments, quality assessments and ongoing compliance monitoring activities. Work with program offices to ensure that the Department has and maintains appropriate documentation reflecting current security policies and procedures. Oversee the management of initial and ongoing security training to all Department employees who may have access to EPHI. Oversee delivery of initial guidance to contractors, business associates and other appropriate third parties. Participate in the development of business associate agreements. Ensure compliance with security practices and consistent application of sanctions for failure to comply with security policies for all employees in the Departments workforce in cooperation with Human Resources. Initiate, facilitate and promote activities to foster information security awareness within the Department and with trading partners and business associates. Serve as a liaison to business associates, where necessary. Review system-related information security plans throughout the organizations network. Work with Department employees involved in release of EPHI, ensuring full coordination and cooperation under the Departments policies and procedures. Monitor changes in applicable federal and state security laws and advancement in information security technologies to ensure Department compliance. Work with consumers and consumer advocates to refine the Departments policies and procedures to ensure consumer protection. Cooperate with DHHS, CMS, and Department auditors in any appropriate compliance review or investigation. Act as Liaison with the Privacy Office to ensure consistency between privacy and security implementation. In addition to appointing a security officer, the Department has appointed program office security monitors, administrators, and contacts. Each performs security-related duties as follows: Program Office Security Monitor The role of the Program Office Security Monitor is to: Assist the Departments Security Officer in the identification, development, implementation and maintenance of information security policies and procedures for the Department enterprise. Develop, maintain and review Program Office specific security policies, procedures, forms, handbooks and training materials. Review and authorize all requests for system security changes, security clearances, security profiles and transaction registrations for applications and security registrations administered by the Program Office. Work with application teams to develop security profiles, account registration and account maintenance processes. Perform periodic privacy risk assessments, quality assessments, security audits and ongoing compliance monitoring activities for Program Office owned or managed applications, EPHI and user accounts. Maintain appropriate documentation reflecting current security policies and procedures administered by Program Office Security Administrators. Insure compliance with security practices and consistent application of sanctions for failure to comply with security policies for employees in the Program Office in cooperation with the Departments Security Officer. Conduct investigations relative to security breaches, fraud scenarios or any other type of activity involving the Program Office workforce in conjunction with the Departments Security Officer, Labor Relations and other investigative agencies. Serve as liaison to business associates of the Program Office. Work with Program Office employees involved in the release of EPHI to insure adherence to all Department and Program Office policies and procedures. Participate in compliance reviews or investigations conducted by DHHS, CMS, and Department auditors. Develop materials and ensure security policies and procedures are communicated to the Program Office workforce and business associates. Monitor the duties performed by Program Office Security Administrators. Program Office Security Administrator The role of the Program Office Security Administrator is to: Process requests for all types of security clearances in accordance with established policies and procedures. Maintain user account information and perform password resets in all account domains in conjunction with established policies and procedures. Maintain required documentation regarding security clearances and password reset requests. Insure proper security forms are processed and maintained. Participate in routine security audits and resolve security discrepancies per direction from the Program Office Security Monitor. Participate in the development of security policies, procedures, profiles, forms, handbooks and auditing processes implemented by the Program Office. Interface with business associate security liaisons to process business associate user registrations and security clearances. Assist users in establishing proper security measures to protect and control access to EPHI. Assist in communicating security policies and procedures to the Program Office workforce and business associates. Implement system security monitoring and monitor system generated security logs. Program Office Contact (POC) All program offices must appoint a person(s) to perform the following: Assure program office compliance with this handbook. Manage and document initial and ongoing security training for all program office employees (including contracted personnel), unless done through automated training. Manage and monitor the business associate agreements. Manage required tracking of disclosures through the use of the Disclosure Tracking System. Conduct ongoing compliance monitoring activities. Provide evaluation and other data upon request. Participate in relevant meetings. Additional sources of information: HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126164&oaoitNav=|8305|1821|5815|5817|"ITB I.1.2. Each agency must identify and designate a Commonwealth of PA employee in the agency as the Security Officer.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|9103|" ITB I.6.2. Requires the appointment of an agency IT Security Officer. Workforce Security 164.308(a)(3) The Department must implement policies and procedures to ensure that all members of its workforce have appropriate access to EPHI, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to EPHI. Authorization and/or supervision (Addressable) 164.308(a)(3)(ii)(A) The Department must implement procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed. The Department complies with this requirement in the following manner: The Department has procedures for granting employees access to EPHI and related applications based on their job functions and to terminate it upon changes in their job status. This function is delegated to the Program Office Security Administrators (see section 4.3). Access by business associates and their employees is governed by the same rules and is controlled by the Program Office Security Administrators (section 4.3) and Program Office Contacts (section 4.4). Additional sources of information:  HYPERLINK "http://bis/pgm/H-Net%20Standards/2.0%20Network/Business%20Partner%20User%20Access%20Request%20-%20Approval%20Form.doc" \t "_blank" Business Partner User Access Request. Form used to register and control access by outside business partners.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126164&oaoitNav=|8305|1821|5815|5817|" ITB I.1.2. Security officer for each agency is responsible for determining the sensitivity of the data created and/or processed within the organization and establishing and/or defining appropriate controls and acceptable levels of risk.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|" ITB I.6.1. All data must have a designated owner. The data is classified into categories depending on its sensitivity and value and access is then granted on a need to know basis.  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security. Department enterprise system to authenticate and authorize users. Workforce Clearance Procedure (Addressable) 164.308(a)(3)(ii)(B) The Department must implement procedures to determine that the access of a workforce member to EPHI is appropriate.  The Department complies with this requirement in the following manner: Access to EPHI is based on job functions with the minimum necessary access being granted in order to perform the users duties. Furthermore, all Commonwealth employees and contractors are subject to criminal background checks as part of the employment process. Additional sources of information: HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/MDs/515-15.pdf"MD 515.15. Agencies are required to conduct identification, employment, and education verification checks on final candidates selected for initial state employment. This includes criminal background checks through the Pennsylvania State Police. Alien residents are required to produce proper employment eligibility documentation.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&q=147983&oaoitNav=|8305|1821|5815|5817|" ITB I.1.6. IT contractors/vendors must agree to conduct criminal background checks on all employees who will perform services on site at Commonwealth facilities, or who will have access to Commonwealth facilities through onsite, or remote computer access. Termination Procedures (Addressable) 164.308(a)(3)(ii)(C) The Department must implement procedures for terminating access to EPHI when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. The Department complies with this requirement in the following manner: Employee and contractor authorization for access to EPHI is based on job function and is under the control of the Program Office Security Administrators (section 4.3). In addition, the removal of a user from the Department workforce (retirement, termination, transfer, etc.) results in the revocation of access rights controlled by the  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security system. Additional sources of information:  HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/MDs/205-29.pdf" MD 205.29. Establishes appropriate use of the Internet and the Internet User Agreement.  HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/MDs/205-34.pdf" MD 205.34. Establishes appropriate use of email and the Internet and related disciplinary actions for its misuse.  HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/MDs/505-7.pdf" MD 505.7(13). Establishes disciplinary process for Commonwealth employees. Information Access Management 164.308(a)(4) The Department must implement policies and procedures for authorizing access to EPHI that are consistent with applicable requirements. Isolating health care clearinghouse functions (Required) 164.308(a)(4)(ii)(A) If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the EPHI of the clearinghouse from unauthorized access by the larger organization. The Department complies with this requirement in the following manner: The Department clearinghouse functions are outsourced to EDS and are therefore isolated from our systems. Access to these functions is limited to authorized personnel who require it as part of their job duties. Access authorization (Addressable) 164.308(a)(4)(ii)(B) The Department must implement policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, process, or other mechanism. The Department complies with this requirement in the following manner: Access authorization to applications or data is controlled at a number of layers and is assigned based on the minimum needed for a user to perform their duties. The  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security system controls access to the majority of applications at the user-interface level. Applications not yet using the Unified Security System, including the mainframe applications, have their own user-interface security. Additional security is applied at the data level through server-, file-, and database- level controls. These additional controls may include such features as additional userIDs and passwords, restriction of a given users access to their assigned caseload, and restrictions based on a users location or organizational or workgroup membership. Access establishment and modification (Addressable) 164.308(a)(4)(ii)(C) The Department must implement policies and procedures that, based upon the entitys access authorization policies, establish, document, review, and modify a users right of access to a workstation, transaction, program, or process. The Department complies with this requirement in the following manner: Program Office Security Administrators are responsible for maintenance of users access accounts and authorizations. This includes the registration of business associate users into the system, following procedures established as meeting the requirements of the particular Program Office and application. Program Office Security Administrators review and audit users access to applications and systems. The review occurs when the user changes jobs or work assignments or when the applications they access acquire new functionality. In addition, the mainframe system administrators provide the Security Administrators with listings of users whose accounts have been inactive for six months or more; the Unified Security system administrators periodically (every 3-6 months) purge the authentication system of any inactive users. Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|" ITB I.6.2. Every 180 days the Commonwealth requires that agencies review the access rights of its employees. Agencies must promptly report all significant changes in duties or employment status to the system administrators responsible for userIDs. Transfers, terminations, furloughs, etc. require Human Resources to issue a notice of status change to all system administrators responsible for any system on which the involved user might have privileges. Security Awareness and Training 164.308(A)(5) The Department must implement a security awareness and training program for all members of its workforce (including management). Security reminders (Addressable) 164.308(a)(5)(ii)(A) The Department must issue periodic security updates. The Department complies with this requirement in the following manner: The Department issues periodic security updates and reminders in the form of: Monthly Security Awareness Posters. These are distributed and displayed in Department facilities. Quarterly Security Awareness Newsletters. These are distributed electronically to all employees. HIPAA Privacy Training. This is provided to all Department employees. HIPAA Security Training. This is provided to all Department employees.  HYPERLINK "http://bis/pgm/h-net%20standards/introduction/introduction.asp" DPW Business and Technical Standards (Security, Privacy, etc.). These are available to all employees, contractors, and business associates. FYI and CIO Newsletters. These are sent out electronically by the CIOs office, highlighting BIS activities and programs. Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126157&oaoitNav=|8305|1821|5815|5817|" ITB I.1.2. Creation of the Cyber Academy to further the knowledge and skill of Commonwealth employees in the areas of Security and Privacy. The implementation of a security awareness program for all Commonwealth employees is the first phase of the Academy. Protection from malicious software (Addressable) 164.308(a)(5)(ii)(B) The Department must implement procedures for guarding against, detecting, and reporting malicious software. The Department complies with this requirement in the following manner: The Commonwealth has established McAfee Antivirus as the enterprise standard for safeguarding against computer. ePolicy Orchestrator is used to automatically update the antivirus signature and data files ( HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73972&oaoitNav=|8305|1821|1845|" ITB C.7). The Commonwealth has installed Antigen for Exchange on the enterprise email system to filter file types (e.g. .ZIP, .EXE, .BAT) that may contain computer viruses. The Commonwealth has established procedures for reporting of virus or other security issues ( HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73951&oaoitNav=|8305|1821|1845|" ITB C.4). This includes the establishment of a standing enterprise Anti-Virus Team to address virus issues. The Department has established Computer Associates Pest Patrol as the Department standard for monitoring and eliminating Spyware and Adware. Systems not meeting established specifications for anti-virus and other security updates are quarantined from the Department network. These various tools operate in the background on Department desktop workstations and servers. Users, including those with administrative access to their desktop workstation, are restricted from tampering with or disabling these tools and are subject to disciplinary action for doing so. Log-in monitoring (Addressable) 164.308(a)(5)(ii)(C) The Department must implement procedures for monitoring log-in attempts and reporting discrepancies. The Department complies with this requirement in the following manner: Server logins are monitored and recorded through the Windows Security log files. Application logins are monitored and recorded by the  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security system and/or application log files. Database logins are monitored through database tools. Network access to the Internet is monitored by the CheckPoint firewalls and webSense. Password management (Addressable) 164.308(a)(5)(ii)(D) The Department must implement procedures for creating, changing, and safeguarding passwords. The Department complies with this requirement in the following manner: The Commonwealth has established enterprise password policies for all employee and contractor accounts ( HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126171&oaoitNav=|8305|1821|5815|5817|" ITB I.1.4): 60-day password expiration Minimum of 7 characters Must be a combination of at least three of the following: Uppercase letters Lowercase letters Numbers -- 1,2,3, Special characters -- !,#,$,^,*,(,),_,+ May not contain your user name or any part of your full name. Cannot recycle any of the previous 6 passwords Can only be changed once every 2 days Five failed login attempts locks the account. Once locked out, the Program Office Security Administrators are responsible for unlocking the account (Section 4.3). In addition to the Commonwealth enterprise policies for employee and contractor accounts, the Department has mirrored the same policies for its business associate user accounts ( HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security). Security Incidents Procedures 164.308(a)(6) The Department must implement policies and procedures to address security incidents. Response and Reporting (Required) 164.308(a)(6)(ii)(A) The Department must identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. The Department complies with this requirement in the following manner: The Department follows established procedures for reporting security violations and breaches (hacking, viral attacks, etc.) to management ( HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|" ITB I.6.2,  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73951&oaoitNav=|8305|1821|1845|" ITB C.4). The Commonwealth Enterprise Network Security Team has established an Enterprise Computer Incident Response Team (ECIRT) to address incidents. Where necessary, the appropriate law enforcement authorities become involved. In addition to reporting, appropriate Department staff members subscribe to and monitor security alerts from a variety of sources, including: Carnegie Mellon University CERT Technical Cyber Security Alert system Microsoft and other software alerts and bulletins McAfee bulletins Hardware vendor alerts and bulletins Contingency Plan 164.308(a)(7) The Department must establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain EPHI. Data Backup Plan (Required) 164.308(a)(7)(ii)(A) The Department must establish and implement procedures to create and maintain retrievable exact copies of EPHI. The Department complies with this requirement in the following manner: The Department follows established procedures for nightly backups of critical data from its servers through a combination of incremental and full backups, and storage of these at an off-site location ( HYPERLINK "http://bis/pgm/h-net%20standards/4.2%20platform%20server/server%20backup%20and%20restore.doc" Server Backup and Restore Standard,  HYPERLINK "http://bis/pgm/h-net%20standards/7.1%20operations%20and%20support%20proce/recovery%20planning.doc" Recovery Planning Standard). Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126199&oaoitNav=|8305|1821|5815|5823|" ITB I.2.3. Each agency must make arrangements to store mission-critical resources at a remote storage site that provides geographic separation in the event of a local disaster. Agencies are encouraged to use the off-site storage services of the vendor currently on state contract. HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|"ITB I.6.2. Guidelines for frequency of backups are provided in under "Data and Program Back-up".  HYPERLINK "http://bis/pgm/h-net%20standards/7.2%20operations%20and%20support%20servi/backup%20and%20restoration%20of%20enterprise%20systems.doc" Backup and Restoration of Enterprise Systems. Overview of backup and recovery operations at the Department. Disaster Recovery Plan (Required) 164.308(a)(7)(ii)(B) The Department must establish (and implement as needed) procedures to restore any loss of data. The Department complies with this requirement in the following manner: The Department has established an off-site disaster recovery location, outside of the Harrisburg metropolitan area. Provisioning and maintenance of this location have been arranged through external contractors. In the event of its activation, it will be staffed by a combination of personnel from the Department and those contractors. The data and applications on the systems resident at the location are either actively synchronized with the corresponding systems here in the Department or will be brought up-to-date from data backups when the site is activated. The system is tested and exercised on a semi-annual basis by both the Department and the Commonwealth. Critical personnel have been issued emergency response cards for access to the facilities in the event of emergency or disaster. These are Commonwealth standard cards which will permit the bearer to bypass road and facility closures. Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464|" ITB I.2.4. Provides guidelines for establishing alternate processing site in case of an emergency or disaster.  HYPERLINK "http://bis/pgm/h-net%20standards/4.2%20platform%20server/server%20backup%20and%20restore.doc" Server Backup and Restore Standard. Establishes off-site storage of Department data backups. DPW Disaster Recovery Plan (details available through the DPW Security Office). PROMISe Disaster Recovery Plan. Emergency Mode Operation Plan (Required) 164.308(a)(7)(ii)(C) The Department must establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of EPHI while operating in emergency mode. The Department complies with this requirement in the following manner: The Department has established an off-site disaster recovery location, outside of the Harrisburg metropolitan area. Provisioning and maintenance of this location have been arranged through external contractors. In the event of its activation, it will be staffed by a combination of Department and these contractors. The data and applications on the systems resident at the location are either actively synchronized with the corresponding systems here in the Department or will be brought up-to-date from data backups when the site is activated. The system is tested and exercised on a semi-annual basis by both the Department and the Commonwealth. Critical personnel have been issued emergency response cards for access to the facilities in the event of emergency or disaster. These are Commonwealth standard cards which will permit the bearer to bypass road and facility closures. At the Commonwealth level, resources and priorities in the time of a disaster are managed by the Governors Office in consultation with the Federal Emergency Management Agency (FEMA), the Pennsylvania Emergency Management Agency (PEMA), appropriate public safety organizations, and any county or local government entities. Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464|" ITB I.2.4. Provides guidelines for establishing alternate processing site in case of an emergency or disaster.  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=150202" MD 625.10. Establishes the Red Card system to enable emergency response status for critical personnel. DPW Disaster Recovery Plan (details available through the DPW Security Office). PROMISe Disaster Recovery Plan. Testing and Revision Procedures (Addressable) 164.308(a)(7)(ii)(D) The Department must implement procedures for periodic testing and revision of contingency plans. The Department complies with this requirement in the following manner: The Department and the Commonwealth schedule tests of the Disaster Recovery plan on a semi-annual basis. Data backups are stored offsite. Additional sources of information:  HYPERLINK "http://bis/pgm/h-net%20standards/4.2%20platform%20server/server%20backup%20and%20restore.doc" Server Backup and Restore Standard. Establishes off-site storage of Department data backups.  HYPERLINK "http://bis/pgm/h-net%20standards/7.1%20operations%20and%20support%20proce/recovery%20planning.doc" Recovery Planning Standard. DPW Disaster Recovery Plan (details available through the DPW Security Office). PROMISe Disaster Recovery Plan. Applications and Data Criticality Analysis (Addressable) 164.308(a)(7)(ii)(E) The Department must assess the relative criticality of specific applications and data in support of other contingency plan components. The Department complies with this requirement in the following manner: The Departments Division of Application Development and Deployment periodically reviews the production applications for Department mission criticality. The Departments Disaster Recovery Team reviews the applications on an ongoing basis. Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&QUESTION_ID=85347" Electronic Commerce Security Assessments (ECSA). .The ECSA is designed to help agency staff members identify appropriate security requirements for an application.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&q=132275&oaoitNav=|8305|1821|5815|5823|6464|" ITB I.2.4. .Provides guidelines for HCIS analysis of systems, data, and applications (HCIS = Highly critical, Critical, Important, Suspend). DPW Disaster Recovery Plan (details available through the DPW Security Office). PROMISe Disaster Recovery Plan. Evaluation 164.308(a)(8) The Department must perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of EPHI, that establishes the extent to which an entitys security policies and procedures meet the requirements of this subpart. The Department complies with this requirement in the following manner: Members of the Departments Technical Review Team review the  HYPERLINK "http://bis/pgm/h-net%20standards/introduction/introduction.asp" DPW Business and Technical Standards in each area of expertise and update or revise them as necessary (at least every six months, based on the age of a given standard). Business Associate Agreements and Other Arrangements (Required) 164.308(b)(1) A covered entity, in accordance with 164.306, may permit a business associate to create, receive, maintain, or transmit EPHI on the covered entitys behalf only if the covered entity obtains satisfactory assurances, in accordance with 164.314(a) that the business associate will appropriately safeguard the information. 164.308(b)(2) This standard does not apply with respect to (i) The transmission by a covered entity of EPHI to a health care provider concerning the treatment of an individual. (ii) The transmission of EPHI by a group health plan or an HMO or health insurance issuer on behalf of a group health plan to a plan sponsor, to the extent that the requirements of 164.314(b) and 164.504(f) apply and are met; or (iii) The transmission of EPHI from or to other agencies providing the services at 164.502(e)(1)(ii)(C), when the covered entity is a health plan that is a government program providing public benefits, if the requirements of 164.502(e)(1)(ii)(C) are met. 164.308(b)(3) A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and 164.314(a). 164.308(b)(4) Written contract or other arrangement The Department must document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of 164.314(a). The Department complies with this requirement in the following manner: The Department requires written business associate agreements with all business associates. These agreements are negotiated by the Program Offices and reviewed by the OGC. Contracts and agreements in existence prior to the compliance date of HIPAA Privacy Regulations have been amended accordingly. Additional sources of information:  HYPERLINK "http://www.dpw.state.pa.us/business/requestproposals/rfpinformation/003671334.htm" DPW Business Associate Agreement.  HYPERLINK "http://bis/pgm/h-net%20standards/13.0%20privacy/Handbook.doc" DPW HIPAA Privacy Implementation Handbook, Section 6.0. Physical Safeguards Facility Access Controls 164.310(a)(1) The Department must implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. Contingency Operations (Addressable) 164.310(a)(2)(i) The Department must establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. The Department complies with this requirement in the following manner: The Department has established an off-site disaster recovery location, outside of the Harrisburg metropolitan area. Provisioning and maintenance of this location have been arranged through external contractors. In the event of its activation, it will be staffed by a combination of Department and these contractors. The data and applications on the systems resident at the location are either actively synchronized with the corresponding systems here in the Department or will be brought up-to-date from data backups when the site is activated. Critical personnel have been issued emergency response cards for access to the facilities in the event of emergency or disaster. These are Commonwealth standard cards which will permit the bearer to bypass road and facility closures. As a part of the Departments business continuity planning effort, each Program Office is actively reviewing and establishing procedures to continue or maintain their essential services. Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464|" ITB I.2.4. Provides guidelines for establishing alternate processing site in case of an emergency or disaster.  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=150202" MD 625.10. Establishes the Red Card system to enable emergency response status for critical personnel. DPW Disaster Recovery Plan (details available through the DPW Security Office). Facility Security Plan (Addressable) 164.310(a)(2)(ii) The Department must implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. The Department complies with this requirement in the following manner: The Department Datacenter and Server rooms are physically secured with electronic locks. These locks require key cards to both enter. If the key card is not used to exit as well, re-entry is barred. All accesses are logged. Key cards are issued as required by an individuals job requirements and are approved by their supervisor and Department security officers. Access can be restricted to only those areas that are appropriate for a given user. In addition, the Willow-Oak Building, which houses the Datacenter and Server Rooms, is secured by security guards who require IDs of all users and visitors before granting them admission to the facility. Security at outlying offices (County Assistance Offices, hospital and treatment facilities, detention facilities, etc.) is managed by the local administrators and/or facility managers and is customized to the needs of the particular facility. Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126395" ITB I.1.5.1. Provides an overview of and a sample policy for overall accessibility to Commonwealth facilities.  HYPERLINK "%09http:/bis/pgm/h-net%20standards/1.0%20security/Physical%20Building%20Security%20Manual.doc" Willow-Oak Building Security. Details security procedures in place at the Willow-Oak Building (the Department and Commonwealth Datacenter). Access Control and Validation Procedures (Addressable) 164.310(a)(2)(iii) The Department must implement procedures to control and validate a persons access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. The Department complies with this requirement in the following manner: The Department Datacenter and Server rooms are physically secured with electronic locks. These locks require key cards to both enter. If the key card is not used to exit as well, re-entry is barred. All accesses are logged. Key cards are issued as required by an individuals job requirements and are approved by their supervisor and Department security officers. Access can be restricted to only those areas that are appropriate for a given user. In addition, the Willow-Oak Building, which houses the Datacenter and Server Rooms, is secured by security guards who require IDs of all users and visitors before granting them admission to the facility. Security at outlying offices (County Assistance Offices, hospital and treatment facilities, detention facilities, etc.) is managed by the local administrators and/or facility managers and is customized to the needs of the particular facility. Additional sources of information:  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=150202" MD 625.10. Establishes the use of card readers and security badges for certain Commonwealth buildings.  HYPERLINK "%09http:/bis/pgm/h-net%20standards/1.0%20security/Physical%20Building%20Security%20Manual.doc" Willow-Oak Building Security. Details security procedures in place at the Willow-Oak Building (the Department and Commonwealth Datacenter). Maintenance Records (Addressable) 164.310(a)(2)(iv) The Department must Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). The Department complies with this requirement in the following manner: Maintenance records for the Willow-Oak Building (Datacenter and Server Rooms) are maintained by the building managers office. Maintenance records for networking and other infrastructure under the purview of BIS are maintained by the corresponding BIS unit(s). Maintenance records for outlying facilities are maintained by the local administrators and/or facility managers and the corresponding Program Office administrators. Workstations Workstation Use (Required) 164.310(b) The Department must implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access EPHI. The Department complies with this requirement in the following manner: The Department and Commonwealth have acceptable use policies for the use of workstations assigned to employees and contractors. The Department issues a standard image for the workstation software and has standard (minimum) specifications for workstation hardware. Decisions regarding the physical surroundings of a specific workstation or class of workstations are left to the management of individual facilities and business units. Through its training programs, the Department cautions employees to be aware of their surroundings and instructs them to report any suspicious persons, behaviors, parcels, etc. to their building security. Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|" ITB I.6.1. Transportable computers containing unencrypted "restricted" or "confidential" Commonwealth information must not be checked in airline luggage systems, with hotel porters, or other unsupervised handling or storage processes. These computers must remain in the possession of the traveler as hand luggage.  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?a=353&q=191033" MD 245.4. Policies for personal computers and networks.  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=194435" MD 720.7. Policies for reporting bomb threats or other suspicious packages found in the workplace. Workstation Security (Required) 164.310(c) The Department must implement physical safeguards for all workstations that access EPHI, to restrict access to authorized users. The Department complies with this requirement in the following manner: The Departments standard software image and policies automatically lock a workstation after 15 minutes of inactivity. UserID and Password are required to unlock the workstation. Some Program Offices have more stringent limits, e.g. the Office of Income Maintenance sets its inactivity lockout at 10 minutes. Each desktop has also been provided with an icon which the user may click to immediately lock the desktop without waiting for the inactivity timeout. In addition to the workstation lockout, the Unified Security system enforces a 20-minute inactivity lockout for the applications after which the user must re-authenticate to Unified Security. Unified Security also enforces a 24-hour session timeout. Facilities containing workstations are secured after hours (generally between 6:00 pm and 7:00 am on weekdays, all day on weekends). While individual workstations within a facility may not be secured behind a locked door, the facility itself is secured and access to it controlled and tracked by the facilitys management. Through its training programs, the Department instructs users to secure their work area when they are away from it. This and other related practices (locking their desk, putting away papers, CD, diskettes, etc.) are also covered in the Departments HIPAA security training program. Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|" ITB I.6.2.1. All PCs will automatically lock (that is, will require entry of username and password to unlock and use) after 15 minutes of non-use. In addition, users are strongly encouraged to manually lock their PC when the PC will be left unattended  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|" ITB I.6.1. Transportable computers containing unencrypted "restricted" or "confidential" Commonwealth information must not be checked in airline luggage systems, with hotel porters, or other unsupervised handling or storage processes. These computers must remain in the possession of the traveler as hand luggage. Device and Media Controls 164.310(d)(1) The Department must implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain EPHI into and out of a facility, and the movement of these items within the facility. Disposal (Required) 164.310(d)(2)(i) The Department must implement policies and procedures to address the final disposition of EPHI, and/or the hardware or electronic media on which it is stored. The Department complies with this requirement in the following manner: The Commonwealth requires that storage devices be removed from all systems prior to their disposal (or return upon the end of their lease) and either sanitized of data or destroyed. Storage devices are removed from any systems that must be sent out for repair or replacement and reinstalled when the system is returned. The Department maintains drop-off boxes through the building managers office for the disposal of removable media such as floppy diskettes and CD-ROMs. The Department requires pre-approval by the Department Security Office for the use of memory sticks and other such electronic media and requires encryption and/or password protection of data on such devices as deemed appropriate. Simple deletion of files on these devices is sufficient. Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=159869&PM=1&oaoitNav=|8305|1821|1845|" ITB C.11. The hard drive in all equipment owned by agencies under the Governors jurisdiction must be erased. The hard drive is then removed from the computer collected by DGS for destruction and recycling.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73944&oaoitNav=|8305|1821|1845|" ITB C.3. Hard drives in state-owned PCs, servers and printer/peripheral devices must be cleansed prior to transfer to a new user. HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&Q=171440"Decommissioning of State-Owned PC's. Specifies the process for sanitizing a hard drive prior to decommissioning a Department computer according to U.S. Department of Defense guidelines (overwriting the drive with at least (6) passes of three (3) writing cycles).  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&Q=196598" Policy Regarding Portable Storage Devices and Removable Media. Specifies policy on the use of memory sticks.  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/Data%20Classification%20Standards.doc" Data Classification Standards. Establishes the Department policy for the storage, transmission, and encryption of data. Media re-Use (Required) 164.310(d)(2)(ii) The Department must implement procedures for removal of EPHI from electronic media before the media are made available for re-use. The Department complies with this requirement in the following manner: The Commonwealth has policies and procedures requiring that storage devices be sanitized prior to the re-issuance or repurposing of a system. The Commonwealth has policies related to the use of portable media including the pre-approval and registration of the device with the Department Security Office. Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73944&oaoitNav=|8305|1821|1845|" ITB C.3. Hard drives in state-owned PCs, servers and printer/peripheral devices must be cleansed prior to transfer to a new user. HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=178461&oaoitNav=|8305|1821|1822|"ITB A.6. Addresses temporary storage of data on smart devices such as photocopiers with internal hard drives or memory. HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&Q=171440"Decommissioning of State-Owned PC's. Specifies the process for sanitizing a hard drive prior to decommissioning a Department computer according to US Department of Defense guidelines (overwriting the drive with at least (6) passes of three (3) writing cycles).  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&Q=196598" Policy Regarding Portable Storage Devices and Removable Media. Specifies policy on the use of memory sticks. Accountability (Addressable) 164.310(d)(2)(iii) The Department must maintain a record of the movements of hardware and electronic media and any person responsible therefore. The Department complies with this requirement in the following manner: The Commonwealth requires the registration of systems (including portable smart media devices) in the enterprise asset tracking system. The Department uses an internal asset tracking system (Remedy) as well which is used to update the Commonwealth enterprise system on a monthly basis. Additional sources of information: HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=178461&oaoitNav=|8305|1821|1822|"ITB A.6. Addresses temporary storage of data on smart devices such as photocopiers with internal hard drives or memory.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73965&oaoitNav=|8305|1821|1845|" ITB C.6. Establishes Commonwealth enterprise asset management system and tools to be used (Remedy Asset Management System). Data backup and storage (Addressable) 164.310(d)(2)(iv) The Department must create a retrievable, exact copy of EPHI, when needed, before movement of equipment. The Department complies with this requirement in the following manner: The Department performs systems and data backups of critical data systems on a daily basis. When such a system requires major repair and/or replacement; the Department performs a backup (where possible) immediately prior to the start of such work to ensure the preservation of the data and to facilitate the transfer of it to the repaired or replacement system. Due to the number of workstations in the Department (approximately 20,000), routine backups of users workstations is not physically or economically possible. The Department encourages users to store any files important to their work on shared file servers which are backed up; critical and sensitive data (HIPAA, IRS, etc.) which are stored on a workstation will not be routinely backed up unless they are moved or copied to a file server. In the event a users workstation requires major repair and/or replacement; the Department performs a backup (where possible) immediately prior to the start of such work to ensure the preservation of the data and to facilitate the transfer of it to the repaired or replacement system. Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=159869&PM=1&oaoitNav=|8305|1821|1845|" ITB C.11. The hard drive in all equipment owned by agencies under the Governors jurisdiction must be erased. The hard drive is then removed from the computer collected by DGS for destruction and recycling.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73944&oaoitNav=|8305|1821|1845|" ITB C.3. Prior to replacing any personal computer or laptop/notebook computer or replacing their hard drives, agency IT personnel must copy all information that resides locally on these devices to a durable and secure storage medium.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126199&oaoitNav=|8305|1821|5815|5823|" ITB I.2.3. Each agency must make arrangements to store mission-critical resources at a remote storage site that provides geographic separation in the event of a local disaster. Agencies are encouraged to use the off-site storage services of the vendor currently on state contract. Guidelines for frequency of backups are provided in  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|" ITB I.6.2 under "Data and Program Back-up".  HYPERLINK "http://bis/pgm/h-net%20standards/4.2%20platform%20server/server%20backup%20and%20restore.doc" Server Backup and Restore Standard. Establishes the software and procedures used for Department data backups.  HYPERLINK "http://bis/pgm/h-net%20standards/7.1%20operations%20and%20support%20proce/recovery%20planning.doc" Recovery Planning Standard. Establishes the process for backup and contingency planning. Technical Safeguards Access Control 164.312(a)(1) The Department must implement technical policies and procedures for electronic information systems that maintain EPHI to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). Unique User Identification (Required) 164.312(a)(2)(i) The Department must assign a unique name and/ or number for identifying and tracking user identity. The Department complies with this requirement in the following manner: All Commonwealth systems are required to use unique userIDs. This is enforced by the DPW network access, the  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security System, and the various other systems and applications. Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126171&oaoitNav=|8305|1821|5815|5817|" ITB I.1.4. Each user ID must be unique and identifiable by user. Once deleted cannot be reissued. Will be maintained in an historical database. Will be inactivated after 180 days of non-use and will be disabled after at most 5 invalid logon attempts.  HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/manuals/m245-4.pdf" M245.4. Overview of computer and network security standards for the Commonwealth.  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security. Enforces this for Commonwealth employees, contractors and outside business associate users. Emergency Access Procedure (Required) 164.312(a)(2)(ii) The Department must establish (and implement as needed) procedures for obtaining necessary EPHI during an emergency. The Department complies with this requirement in the following manner: Recovery of the Departments EPHI data is defined in the Data Backup, Business Continuity and Disaster Recovery Plans maintained by the Department. The policies and procedures for obtaining access to necessary EPHI during an emergency are as follows: Database, application, and/or server administrators can recover lost or damaged data through the backup system. Database administrators may be able to access specific data in the event of the failure of an application. Additional sources of information:  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464|" ITB I.2.4. Provides guidelines for establishing alternate processing site in case of an emergency or disaster.  HYPERLINK "http://bis/pgm/h-net%20standards/4.2%20platform%20server/server%20backup%20and%20restore.doc" Server Backup and Restore Standard. Establishes off-site storage of Department data backups. DPW Disaster Recovery Plan (details available through the DPW Security Office).  HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/manuals/m245-4.pdf" M245.4. Overview of computer and network security standards for the Commonwealth. Automatic Logoff (Addressable) 164.312(a)(2)(iii) The Department must implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. The Department complies with this requirement in the following manner: The Departments standard software image and policies automatically lock a workstation after 15 minutes of inactivity. UserID and Password are required to unlock the workstation. (Some program offices have more stringent limits, e.g. the Office of Income Maintenance sets its inactivity lockout at 10 minutes.) In addition to the workstation lockout, the  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security system enforces a 20-minute inactivity lockout for the applications after which the user must re-authenticate to Unified Security. Unified Security also enforces a 24-hour session timeout. Encryption and Decryption (Addressable) 164.312(a)(2)(iv) The Department must implement a mechanism to encrypt and decrypt EPHI. The Department complies with this requirement in the following manner: The Department has standardized on the use of 128-bit SSL (3DES) to encrypt data as it is served to outside entities over the Internet. The Department Secure eMail system also uses this same standard. Additional sources of Information:  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/Data%20Encryption%20Standards.doc" DPW Data Encryption Standard. Establishes requirements for data encryption and acceptable technologies.  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/Data%20Classification%20Standards.doc" DPW Data Classification Standard. Maps types of data to encryption requirements. Audit Controls (Required) 164.312(b) The Department must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use EPHI. The Department complies with this requirement in the following manner: Logging of user access and usage of systems, applications, and data occurs at numerous levels:  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security. Provides logging of application access attempts (passed and failed). It also tracks the movement of users within the application, though not what action(s) that user may have taken. Server Security logs. Track user access to the servers. WebSense logs. Track users access to the Internet. CheckPoint Firewall logs. Track access to and from the Department core network. Application logs. Track what users accessed or what actions they performed within the application. Database logs. Track access to the database. Mainframe logs. Track activities on the Mainframe systems. Physical Access logs. Track access to restricted areas at the Willow Oak Building as well as to the building after normal working hours (6a 6p). Integrity 164.312(c)(1) The Department must implement policies and procedures to protect EPHI from improper alteration or destruction. Mechanism to Authenticate EPHI (Addressable) 164.312(c)(2)(i) The Department must implement electronic mechanisms to corroborate that EPHI has not been altered or destroyed in an unauthorized manner. The Department complies with this requirement in the following manner: The Department has procedures in place to authenticate, authorize, and validate changes to the data and to ensure the proper application of those changes to the data store. The Department implements these procedures through a combination of application-, data transfer-, and database- level processes to validate that the data being processed conforms to business/application data requirements and that it is not accidentally replaced or deleted. Person or entity authentication (Required) 164.312(d) The Department must implement procedures to verify that a person or entity seeking access to EPHI is the one claimed. The Department complies with this requirement in the following manner: Upon being registered for access (section 6.3), all users are assigned a unique userID and a password (section 7.4) or PIN. To obtain access to any data system, the user must authenticate to the network using their userID/Password combination. Once the user has been authenticated to the network, the applications require user authentication with the same or, occasionally, a different userID/Password depending on the needs of the application. This authentication process is controlled by the Unified Security system for most applications. Additional userID/Password combinations are also registered and applied at the mainframe and database levels. Transmission security 164.312(e)(1) The Department must implement technical security measures to guard against unauthorized access to EPHI that is being transmitted over an electronic communications network. Integrity controls (Addressable) 164.312(e)(2)(i) The Department must implement security measures to ensure that electronically transmitted EPHI is not improperly modified without detection until disposed of. The Department complies with this requirement in the following manner: All electronic transfers of EPHI to outside entities are done over secure electronic transmission. The source data remains untouched in the Department systems. Validation of transmitted data is done where appropriate at the application and database levels. Additional sources of information:  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=120200" MD 210.12. Establishes policy, responsibilities, and procedures for the implementation of the Electronic Transactions Act (Act 69 of 1999). It applies to all agencies under the Governor's jurisdiction whenever an executive agency sends, accepts, stores, or uses information electronically.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=177789&PM=1&oaoitNav=|8305|1821|1855|" ITB D.13. establishes policy for use of FTP for file transfers.  HYPERLINK "http://bis/pgm/doc/secureemail/secureemail%20overview.doc" Secure Email Overview. The Departments encrypted email system for data transmissions to/from registered outside entities. WebMethods is used for system to system and application to application data transmissions. SSL is used for web access to applications and/or data. Encryption (Addressable) 164.312(e)(2)(ii) The Department must implement a mechanism to encrypt EPHI whenever deemed appropriate. The Department complies with this requirement in the following manner: The Department uses 128-bit SSL (3DES) to encrypt data as it is served to outside entities over the Internet. The Department  HYPERLINK "http://bis/pgm/doc/secureemail/secureemail%20overview.doc" Secure eMail system also uses this standard. Additional sources of Information:  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=120200" MD 210.12 establishes policy, responsibilities, and procedures for the implementation of the Electronic Transactions Act (Act 69 of 1999). It applies to all agencies under the Governor's jurisdiction whenever an executive agency sends, accepts, stores, or uses information electronically.  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/Data%20Encryption%20Standards.doc" DPW Data Encryption Standard. Establishes requirements for data encryption and acceptable technologies.  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/Data%20Classification%20Standards.doc" DPW Data Classification Standard. Maps types of data to encryption requirements.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73867&oaoitNav=|8305|1821|1828|3632|" ITB B.5. Establishes policies for use of encryption in Commonwealth e-Government initiatives. Policies, Procedures and Documentation Requirements Documentation 164.316(a he Department must implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. (b)(1) Standard: Documentation. (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. (b)(2) Implementation specifications: (i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from date of its creation or the date when it last was in effect, whichever is later. (ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. (iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the EPHI. The Department complies with this requirement in the following manner: The Department stores the  HYPERLINK "http://bis/pgm/h-net%20standards/introduction/introduction.asp" Business and Technical Standards referred to in this Handbook in the Departments FileNet system. Obsolete standards are purged from time-to-time as space requirements dictate; however, copies of them are recoverable from appropriate data backups as required. From within the FileNet system, the current standards are automatically published to both a Department Intranet site as well as to a restricted-access Internet site. OA/OIT maintains the Commonwealth standards (ITBs and Management Directives) in a similar fashion. The Department requires all security-related policies and procedures to be documented in written form, which may be electronic. All documentation required by HIPAA (including the Security and Privacy Rules) must be retained for at least 6 years from the date of its creation or the date when it was last in effect, whichever is later. In addition, the Commonwealth requires retention of all Commonwealth business-related records through a variety of procedures as outlined below. Additional sources of information:  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=120179" MD 210.10. Establishes and clarifies state records management policy with respect to the creation, use, maintenance, scheduling, and disposition of electronic records.  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=119507" MD 210.5. Establishes the records management to control the creation, use, maintenance, preservation, and disposition of records of state agencies.  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=120207" MD 210.13 (amended). Establishes policy, responsibilities,and procedures for the retention and disposition of records created on electronic mail (E-mail) systems. Appendix A. Summary of HIPAA Security Standards Excerpted from the Federal Register / Vol. 68, No. 34, pp. 8376-8380 / February 20, 2003. 164.308 Administrative Safeguards (a) A covered entity must, in accordance with 164.306: (1) (i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations. (ii) Implementation specifications: (A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. (B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a). (C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. (2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the entity. (3) (i) Standard: Workforce security. Implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic protected health information, as provided under paragraph (a)(4) of this section, and to prevent those workforce members who do not have access under paragraph (a)(4) of this section from obtaining access to electronic protected health information. (ii) Implementation specifications: (A) Authorization and/or supervision (Addressable). Implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. (B) Workforce clearance procedure (Addressable). Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate. (C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section. (4) (i) Standard: Information access management. Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. (ii) Implementation specifications: (A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization. (B) Access authorization (Addressable). Implement policies and procedures for granting access to electronic protected health information, for example, through access to a workstation, transaction, program, process, or other mechanism. (C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the entitys access authorization policies, establish, document, review, and modify a users right of access to a workstation, transaction, program, or process. (5) (i) Standard: Security awareness and training. Implement a security awareness and training program for all members of its workforce (including management). (ii) Implementation specifications: (A) Security reminders (Addressable). Periodic security updates. (B) Protection from malicious software (Addressable). Procedures for guarding against, detecting, and reporting malicious software. (C) Log-in monitoring (Addressable). Procedures for monitoring log-in attempts and reporting discrepancies. (D) Password management (Addressable). Procedures for creating, changing, and safeguarding passwords. (6) (i) Standard: Security incident procedures. Implement policies and procedures to address security incidents. (ii) Implementation specification: Response and Reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. (7) (i) Standard: Contingency plan. Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information. (ii) Implementation specifications: (A) Data backup plan (Required). Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information. (B) Disaster recovery plan (Required). Establish (and implement as needed) procedures to restore any loss of data. (C) Emergency mode operation plan (Required). Establish (and implement as needed) procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode. (D) Testing and revision procedures (Addressable). Implement procedures for periodic testing and revision of contingency plans. (E) Applications and data criticality analysis (Addressable). Assess the relative criticality of specific applications and data in support of other contingency plan components. (8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entitys security policies and procedures meet the requirements of this subpart. (b) (1) Standard: Business associate contracts and other arrangements. A covered entity, in accordance with 164.306, may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entitys behalf only if the covered entity obtains satisfactory assurances, in accordance with 164.314(a) that the business associate will appropriately safeguard the information. (2) This standard does not apply with respect to (i) The transmission by a covered entity of electronic protected health information to a health care provider concerning the treatment of an individual. (ii) The transmission of electronic protected health information by a group health plan or an HMO or health insurance issuer on behalf of a group health plan to a plan sponsor, to the extent that the requirements of 164.314(b) and 164.504(f) apply and are met; or (iii) The transmission of electronic protected health information from or to other agencies providing the services at 164.502(e)(1)(ii)(C), when the covered entity is a health plan that is a government program providing public benefits, if the requirements of 164.502(e)(1)(ii)(C) are met. (3) A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the standards, implementation specifications, and requirements of this paragraph and 164.314(a). (4) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of 164.314(a). 164.310 Physical Safeguards A covered entity must, in accordance with 164.306: (a) (1) Standard: Facility access controls. Implement policies and procedures to limit physical access to its electronic information systems and the facility or facilities in which they are housed, while ensuring that properly authorized access is allowed. (2) Implementation specifications: (i) Contingency operations (Addressable). Establish (and implement as needed) procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency. (ii) Facility security plan (Addressable). Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft. (iii) Access control and validation procedures (Addressable). Implement procedures to control and validate a persons access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision. (iv) Maintenance records (Addressable). Implement policies and procedures to document repairs and modifications to the physical components of a facility which are related to security (for example, hardware, walls, doors, and locks). (b) Standard: Workstation use. Implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access electronic protected health information. (c) Standard: Workstation security. Implement physical safeguards for all workstations that access electronic protected health information, to restrict access to authorized users. (d) (1) Standard: Device and media controls. Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain electronic protected health information into and out of a facility, and the movement of these items within the facility. (2) Implementation specifications: (i) Disposal (Required). Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored. (ii) Media re-use (Required). Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use. (iii) Accountability (Addressable). Maintain a record of the movements of hardware and electronic media and any person responsible therefore. (iv) Data backup and storage (Addressable). Create a retrievable, exact copy of electronic protected health information, when needed, before movement of equipment. 164.312 Technical Safeguards. A covered entity must, in accordance with 164.306: (a) (1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). (2) Implementation specifications: (i) Unique user identification (Required). Assign a unique name and/ or number for identifying and tracking user identity. (ii) Emergency access procedure (Required). Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency. (iii) Automatic logoff (Addressable). Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. (iv) Encryption and decryption (Addressable). Implement a mechanism to encrypt and decrypt electronic protected health information. (b) Standard: Audit controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. (c) (1) Standard: Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. (2) Implementation specification: Mechanism to authenticate electronic protected health information (Addressable). Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. (d) Standard: Person or entity authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. (e) (1) Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. (2) Implementation specifications: (i) Integrity controls (Addressable). Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. (ii) Encryption (Addressable). Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. 164.316 Policies and procedures and documentation requirements. A covered entity must, in accordance with 164.306: (a) Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in 164.306(b)(2)(i), (ii), (iii), and (iv). This standard is not to be construed to permit or excuse an action that violates any other standard, implementation specification, or other requirements of this subpart. A covered entity may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart. (b) (1) Standard: Documentation. (i) Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form; and (ii) If an action, activity or assessment is required by this subpart to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment. (2) Implementation specifications: (i) Time limit (Required). Retain the documentation required by paragraph (b)(1) of this section for 6 years from date of its creation or the date when it last was in effect, whichever is later. (ii) Availability (Required). Make documentation available to those persons responsible for implementing the procedures to which the documentation pertains. (iii) Updates (Required). Review documentation periodically, and update as needed, in response to environmental or operational changes affecting the security of the electronic protected health information. Appendix B. HIPAA Security Standards Matrix Excerpted from the Federal Register / Vol. 68, No. 34, p. 8380/ February 20, 2003. StandardsSectionsImplementation SpecificationsAdministrative SafeguardsSecurity Management Process 164.308(a)(1)Risk Analysis (R)Risk Management (R)Sanction Policy (R)Information System Activity Review (R)Assigned Security Responsibility164.308(a)(2)(R)Workforce Security164.308(a)(3)Authorization and/or Supervision (A)Workforce Clearance ProcedureTermination Procedures (A)Information Access Management164.308(a)(4)Isolating Health care Clearinghouse Function (R)Access Authorization (A)Access Establishment and Modification (A)Security Awareness and Training 164.308(a)(5)Security Reminders (A)Protection from Malicious Software (A)Log-in Monitoring (A)Password Management (A)Security Incident Procedures164.308(a)(6)Response and Reporting (R)Contingency Plan 164.308(a)(7)Data Backup Plan (R)Disaster Recovery Plan (R)Emergency Mode Operation Plan (R)Testing and Revision Procedure (A)Applications and Data Criticality Analysis (A)Evaluation 164.308(a)(8)(R)Business Associate Contracts and Other Arrangement164.308(b)(1)Written Contract or Other Arrangement (R)Physical SafeguardsFacility Access Controls 164.310(a)(1)Contingency Operations (A)Facility Security Plan (A)Access Control and Validation Procedures (A)Maintenance Records (A)Workstation Use164.310(b)(R)Workstation Security164.310(c)(R)Device and Media Controls164.310(d)(1)Disposal (R)Media Re-use (R)Accountability (A)Data Backup and Storage (A)Technical SafeguardsAccess Control164.312(a)(1)Unique User Identification (R)Emergency Access Procedure (R)Automatic Logoff (A)Encryption and Decryption (A)Audit Controls164.312(b)(R)Integrity164.312(c)(1)Mechanism to Authenticate Electronic Protected Health Information (A)Person or Entity Authentication164.312(d)(R)Transmission Security164.312(e)(1)Integrity Controls (A)Encryption (A)DocumentationDocumentaton164.316(b)(2)(i)Time limit (R)164.316(b)(2)(ii)Availability (R)164.316(b)(2)(iii)Updates (R) (R) Required (A) -- Addressable Appendix C. Commonwealth and Department Security Standards and Practices Administrative SafeguardsReq (R) or Addr (A)CommonwealthDPW164.308(a)(1)Security Management Process164.308(a)(1)(ii)(A) Risk AnalysisR HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126157&oaoitNav=|8305|1821|5815|5817|" ITB I.1.1.  Requires Agency Self-Assessments for Security and Privacy as well as Corrective Action Planning to address any identified deficiencies. Additional information (guidebook, forms, etc.) may be found  HYPERLINK "http://www.pasecureonline.state.pa.us/pasecure/cwp/view.asp?A=3&Q=231626&pasecureNav" here.  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=129517" MD 325.7. Requires the filing of self-assessment CAPs with the OA/OIT. HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73867" ITB B.5. Requires each agency to prepare and submit an Electronic Commerce Security Assessment (ECSA) prior to instituting a new online application. The ECSA includes Risk Analysis of the application as well as the steps taken to mitigate any identified risks.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|" ITB I.6.1. Requires agencies to conduct periodic Risk Assessments. 164.308(a)(1)(ii)(B) Risk ManagementR HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126157&oaoitNav=|8305|1821|5815|5817|" ITB I.1.1.  Requires Agency Self-Assessments for Security and Privacy as well as Corrective Action Planning to address any identified deficiencies. Additional information (guidebook, forms, etc.) may be found  HYPERLINK "http://www.pasecureonline.state.pa.us/pasecure/cwp/view.asp?A=3&Q=231626&pasecureNav" here.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=4&Q=188016" Exec Order 2004-8. Establishes the Enterprise Information Technology Governance Board, including IT Domain Teams (Security, Privacy, etc.). This Board provides recommendations on Commonwealth IT standards and policies.Technical Review Team. Standing Department committee consisting of various IT Domains (Security, Privacy, etc.) tasked with the creation and review of  HYPERLINK "http://bis/pgm/h-net%20standards/introduction/introduction.asp" Department Business and Technical Standards and with the review of requests for procurement of new technology (hardware or software) to see that they conform to those standards. Application Review Board. Standing Department Committee to review application technical specifications to see that they conform to Department Business and Technical Standards.164.308(a)(1)(ii)(C) Sanction PolicyR HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/MDs/205-29.pdf" MD 205.29. Establishes appropriate use of the  HYPERLINK "http://bis/pgm/doc/oisforms/internetuseragreement.pdf" Internet and the Internet User Agreement.  HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/MDs/205-34.pdf" MD 205.34. Establishes appropriate use of email and the Internet and related disciplinary actions for its misuse.  HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/MDs/505-7.pdf" MD 505.7(13). Establishes disciplinary process for Commonwealth employees. In addition, specific policies referenced in this document may also reference disciplinary actions.DPW users requiring access to/from outside networks are required to submit the  HYPERLINK "http://bis/pgm/doc/oisforms/remoteaccessrequest.doc" Internet/Remote/Dialout Access form for approval. 164.308(a)(1)(ii)(D) Information System Activity ReviewR HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|9103|" ITB I.6.2. To the extent that systems software permits, computer and communications systems handling sensitive, valuable, or critical Commonwealth information must securely log all significant security-related events.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&q=131183&oaoitNav=|8305|1821|5815|" ITB I.11. Establishes the Intrusion Detection System (IDS) at the Commonwealth network periphery. Suspect traffic is identified based on over 800 cyber attack signatures, and this information is written to a Microsoft SQL Server 2000 database for further analysis and reporting.All IT Infrastructure within Department is monitored by the staff responsible for those systems. This monitoring includes health checks, Internet access, alerts (failures, intrusions, etc.), and log files. A variety of redundant tools are used by the staff. Aberrations are reported to Senior management and/or the Department Security Officer as appropriate.164.308(a)(2)Assigned Security Responsibility164.308(a)(2) HIPAA Security OfficerRHYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126164&oaoitNav=|8305|1821|5815|5817|"ITB I.1.2 - Each agency must identify and designate a Commonwealth of PA employee in the agency as the Security Officer.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|9103|" ITB I.6.2. Requires the appointment of an agency IT Security Officer.As of this writing (03/2005) Frank Potemra and Frank Morrow jointly work on the Department Security systems. Potemra is overall Security Officer, particularly regarding audits and outside organizations. Frank Morrow is in charge of user security. He heads the Department Security Domain and serves as Departments representative on the Commonwealth Security Domain.164.308(a)(3)Workforce Security164.308(a)(3)(ii)(A) Authorization and/or SupervisionA HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126164&oaoitNav=|8305|1821|5815|5817|" ITB I.1.2. Security officer for each agency is responsible for determining the sensitivity of the data created and/or processed within the organization and establishing and/or defining appropriate controls and acceptable levels of risk.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|" ITB I.6.1. - All data must have a designated owner. The data is classified into categories depending on its sensitivity and value and access is then granted on a need to know basis. HYPERLINK "http://bis/pgm/H-Net%20Standards/2.0%20Network/Business%20Partner%20User%20Access%20Request%20-%20Approval%20Form.doc" \t "_blank" Business Partner User Access Request is used to register and control access by outside business partners. User (employee and business associates staff) authorization and supervision is delegated to program office security monitors who assign and remove access rights based on the users job responsibilities. These security monitors and the DWP Security Officer comprise the Department Security committee. The  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security system (Netegrity SiteMinder) controls access to the majority of applications at the front-end.164.308(a)(3)(ii)(B) Workforce Clearance ProcedureA HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/MDs/505-15.pdf" MD 515.15. Agencies are required to conduct identification, employment, and education verification checks on final candidates selected for initial state employment. This includes criminal background checks through the Pennsylvania State Police and Immigration status.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&q=147983&oaoitNav=|8305|1821|5815|5817|" ITB I.1.6  IT Contractors/vendors must agree to conduct criminal background checks on all employees who will perform services on site at Commonwealth facilities, or who will have access to Commonwealth facilities through onsite, or remote computer access.164.308(a)(3)(ii)(C) Termination ProceduresA HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/MDs/205-29.pdf" MD 205.29. Establishes appropriate use of the Internet and the Internet User Agreement.  HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/MDs/205-34.pdf" MD 205.34. Establishes appropriate use of email and the Internet and related disciplinary actions for its misuse.  HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/MDs/505-7.pdf" MD 505.7(13). Establishes disciplinary process for Commonwealth employees.Employees leaving their job with Department (termination, retirement, transfer out of Department, etc.) are interviewed by their Program Office security monitor or supervisor. Their user-id is disabled and their authorizations are removed. The  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security system automates this process, based on the disabling of the user-id.164.308(a)(4)Information Access Management164.308(a)(4)(ii)(A) Isolating Healthcare Clearinghouse FunctionR EDS performs this function164.308(a)(4)(ii)(B) Access AuthorizationAAccess Authorization to applications or data is controlled at a number of layers. The  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security system (Netegrity SiteMinder) controls access to the majority of applications at the front-end. Applications not yet using the Unified Security System have their own front-end security (where appropriate). Additional security is applied at the data level through server-, file-, and database- level controls.164.308(a)(4)(ii)(C) Access Establishment and ModificationA HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|" ITB I.6.2  - Every 180 days, agencies must re-evaluate the system privileges granted to users. In response to feedback from management, system administrators must promptly revoke all privileges that are no longer needed by users. Agencies must promptly report all significant changes in duties or employment status to the system administrators responsible for user IDs associated with the involved persons. Situations involving termination require Human Resources to issue a notice of status change to all system administrators responsible for any system on which the involved user might have privilegesUser (employee and business associates staff) authorization and supervision is delegated to program office security monitors who assign and remove access rights based on the users job responsibilities. These security monitors and the DWP Security Officer comprise the Department Security committee. 164.308(a)(5)Security Awareness and Training164.308(a)(5)(ii)(A) Security RemindersA HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126157&oaoitNav=|8305|1821|5815|5817|" ITB I.1.2 - Creation of the Cyber Academy to further the knowledge and skill of Commonwealth employees in the areas of Security and Privacy. The implementation of a security awareness program for all Commonwealth employees will be the first phase of the academyMonthly Security Awareness Posters are distributed and displayed in facilities. Quarterly Security Awareness Newsletters are distributed electronically. HIPAA Privacy Training is provided to all new Department employees. HIPAA Security Training is provided to all new Department employees. DPW Business and Technical Standards (Security, Privacy, etc.) are made available to all employees, contractors, and business associates. FYI and CIO Newsletters are published monthly by the CIOs office.164.308(a)(5)(ii)(B) Protection from Malicious SoftwareA HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73972&oaoitNav=|8305|1821|1845|" ITB C.7  All devices that access the Commonwealth network must use the Network Associates McAfee anti-virus software.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73951&oaoitNav=|8305|1821|1845|" ITB C.4 - All Commonwealth employees, or their Security Administration Sections, must report all virus infections on PCs, servers, LANs, or networks by completing the report on the Commonwealths Intranet Anti-Virus web page. Computer Associates Pest Patrol has been procured by Department to address the issue of Adware and Spyware on its computer systems. Operating system and other critical patches are deployed to Department systems through the use of SMS. Anti-virus update files are deployed to Department systems through the ePolicy Orchestrator system. Systems not meeting current patches and update levels are quarantined from the network.164.308(a)(5)(ii)(C) Log-in MonitoringAServer logins are monitored and recorded through the Windows Security log files. Application logins are monitored and recorded by the  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security system and/or application log files. Database logins are monitored through database tools. Network access to the Internet are monitored by the firewalls and webSense. 164.308(a)(5)(ii)(D) Password ManagementA HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126171&oaoitNav=|8305|1821|5815|5817|" ITB I.1.4 - The standard for user-id lockouts (expiration, failed access attempts, etc.) and password policies (minimum length, complexity, expiration, etc.). UserID and Password policies are enforced through policies established in the Commonwealth user database (Microsoft Active Directory). The  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security system enforces this based on those Policies. Mainframe password policies conform to the standards established in  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126171&oaoitNav=|8305|1821|5815|5817|" ITB I.1.4 164.308(a)(6)Security Incident Procedures164.308(a)(6)(ii)(A) Response and ReportingR HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|" ITB I.6.2 - All suspected security violations should be reported to the Commonwealth Enterprise Network Security Team. The Commonwealth Enterprise Network Security Team has established an Enterprise Computer Incident Response Team (ECIRT) to address network violations.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73951&oaoitNav=|8305|1821|1845|" ITB C.4 - All Commonwealth employees, or their Security Administration Sections, must report all virus infections on PCs, servers, LANs, or networks by completing the report on the Commonwealths Intranet Anti-Virus web page. Department Staff monitor system and network security alerts from a variety of sources, including: Carnegie Mellons CERT team Microsoft security alerts McAfee anti-virus Other product-specific sources.164.308(a)(7)Contingency Plan164.308(a)(7)(ii)(A) Data Backup PlanR HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126199&oaoitNav=|8305|1821|5815|5823|" ITB I.2.3 Each agency must make arrangements to store mission-critical resources at a remote storage site that provides geographic separation in the event of a local disaster. Agencies are encouraged to use the off-site storage services of the vendor currently on state contract. Guidelines for frequency of backups are provided in  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|" ITB I.6.2 under "Data and Program Back-up". HYPERLINK "http://bis/pgm/h-net%20standards/4.2%20platform%20server/server%20backup%20and%20restore.doc" DPW Server Backup and Restore Standard establishes the software and procedures used for Department data backups.  HYPERLINK "http://bis/pgm/h-net%20standards/7.1%20operations%20and%20support%20proce/recovery%20planning.doc" DPW Recovery Planning Standard establishes the process for backup and contingency planning.  HYPERLINK "http://bis/pgm/h-net%20standards/7.2%20operations%20and%20support%20servi/backup%20and%20restoration%20of%20enterprise%20systems.doc" Backup and Restoration of Enterprise Systems provides an overview of backup and recovery operations at the Department. 164.308(a)(7)(ii)(B) Disaster Recovery PlanR HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464|" ITB I.2.4 - provides guidelines for establishing alternate processing site in case of an emergency or disaster.Alternate-site facilities have been contracted for an outside organization for mission-critical applications. System and procedure tests are performed periodically.  HYPERLINK "http://bis/pgm/h-net%20standards/4.2%20platform%20server/server%20backup%20and%20restore.doc" DPW Server Backup and Restore Standard establishes off-site storage of Department data backups.  HYPERLINK "http://bis/pgm/h-net%20standards/7.1%20operations%20and%20support%20proce/recovery%20planning.doc" DPW Recovery Planning Standard establishes the process for backup and contingency planning. DPW Disaster Recovery Plan PROMISe Disaster Recovery Plan164.308(a)(7)(ii)(C) Emergency Mode Operation PlanR HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464|" ITB I.2.4 - provides guidelines for establishing alternate processing site in case of an emergency or disaster.  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=150202" MD 625.10 establishes the Red Card system to enable emergency response status for critical personnel. DPW Disaster Recovery Plan PROMISe Disaster Recovery Plan164.308(a)(7)(ii)(D) Testing and Revision ProcedureA HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464|" ITB I.2.4 - provides guidelines for establishing alternate processing site in case of an emergency or disaster.Alternate-site facilities have been contracted for with SunGuard and Unisys for mission-critical applications. System and procedure tests are performed periodically.  HYPERLINK "http://bis/pgm/h-net%20standards/4.2%20platform%20server/server%20backup%20and%20restore.doc" DPW Server Backup and Restore Standard establishes off-site storage of DPW data backups. DPW Disaster Recovery Plan PROMISe Disaster Recovery Plan164.308(a)(7)(ii)(E) Applications and Data Criticality AnalysisA HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464|" ITB I.2.4 - provides guidelines HCIS (H-C-I-S: H=Highly-Critical, C=Critical, I=Important, and S=Suspend) analysis of systems, data, and applications.DPW Disaster Recovery Plan PROMISe Disaster Recovery Plan 164.308(a)(8)Evaluation164.308(a)(8) EvaluationRTechnical Review Team. Standing DPW committee consisting of various IT Domains (Security, Privacy, etc.) tasked with the creation and review of  HYPERLINK "http://bis/pgm/h-net%20standards/introduction/introduction.asp" Department Business and Technical Standards (reviewed at least once every 6 months) and with the review of requests for procurement of new technology (hardware or software) to see that they conform to those standards.164.308(b)Business Associate Contracts and Other Arrangement164.308(b) Written Contract or Other ArrangementR HYPERLINK "http://www.dpw.state.pa.us/General/HIPPAPrivacy/003670800.htm" HIPAA Business Associate Agreement  HYPERLINK "http://bis/pgm/h-net%20standards/13.0%20privacy/Handbook.doc" DPW HIPAA Privacy Implementation Handbook, Section 6.0. Physical SafeguardsReq (R) or Addr (A)CommonwealthDPW164.310(a)(1)Facility Access Controls164.310(a)(2)(i) Contingency OperationsA HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464|" ITB I.2.4 - provides guidelines for establishing alternate processing site in case of an emergency or disaster.  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=150202" MD 625.10 establishes the Red Card system to enable emergency response status for critical personnel. 164.310(a)(2)(ii) Facility Security PlanA HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126178&oaoitNav=|8305|1821|5815|5817|5822|" ITB I.1.5.  establishes minimum standards for physical security at Commonwealth IT facilities  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/Physical%20Building%20Security%20Manual.doc" Willow Oak Building Security establishes physical security procedures for the DPW computer center. Physical Security at outlying DPW facilities falls under the purview of the respective program office security monitors and is based on the case-by-case requirements of those facilities.164.310(a)(2)(iii) Access Control and ValidationA HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=150202" MD 625.10 establishes the use of id cards, card readers, and emergency response access to Commonwealth facilitiesAccess to the Willow Oak Facility is controlled by a manned security desks at the various entrances (see  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/Physical%20Building%20Security%20Manual.doc" Willow Oak Building Security). Commonwealth ID cards must be presented. Access to Willow Oak Building Restricted Areas is controlled by electronic locks and ID cards (currently not the Commonwealth ID card). Entrance and egress is electronically logged. Access to other DPW facilities is controlled based on their specific requirements.164.310(a)(2)(iv) Maintenance RecordsAMaintenance records for each facility are maintained by the Facility Manager. 164.310(b)Workstation Use164.310(b) Workstation UseR HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|" ITB I.6.2.1 - All PCs will automatically lock (that is, will require entry of username and password to unlock and use) after 15 minutes of non-use. In addition, users are strongly encouraged to manually lock their PC when the PC will be left unattended  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|" ITB I.1.4 - Users must have a unique userID and password  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|" ITB I.6.1 - Transportable computers containing unencrypted "restricted" or "confidential" Commonwealth information must not be checked in airline luggage systems, with hotel porters, or other unsupervised handling or storage processes. These computers must remain in the possession of the traveler as hand luggage.DPWs Office of Income Maintenance has set their systems to automatically lock after 10 minutes of non-use.  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security automatically locks application access after 20 minutes of non-use, regardless of whether or not the user is actively using any application at the terminal; application access is also terminated after 24 hours of active usage. 164.310(c)Workstation Security164.310(c) Workstation SecurityR HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|" ITB I.6.2.1 - All PCs will automatically lock (that is, will require entry of username and password to unlock and use) after 15 minutes of non-use. In addition, users are strongly encouraged to manually lock their PC when the PC will be left unattended  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|" ITB I.6.1 - Transportable computers containing unencrypted "restricted" or "confidential" Commonwealth information must not be checked in airline luggage systems, with hotel porters, or other unsupervised handling or storage processes. These computers must remain in the possession of the traveler as hand luggage.Entrances to Offices within the Willow-Oak Building are locked by building security when not in use, denying physical access to those terminals. Unused Network ports in Public Areas are disabled to prevent visitors from attaching unauthorized equipment to the network. 164.310(d)(1)Device and Media Controls164.310(d)(2)(i) DisposalR HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=159869&PM=1&oaoitNav=|8305|1821|1845|" ITB C.11 - The hard drive in all equipment owned by agencies under the Governors jurisdiction must be erased. The hard drive is then removed from the computer collected by DGS for destruction and recycling.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73944&oaoitNav=|8305|1821|1845|" ITB C.3 - Hard drives in state-owned PCs, servers and printer/peripheral devices must be cleansed prior to transfer to a new user. HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&Q=171440"Decommissioning of State-Owned PC's - Specifies the process for sanitizing a hard drive prior to decommissioning a Department computer according to US Department of Defense guidelines (overwriting the drive with at least (6) passes of three (3) writing cycles).  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&Q=196598" Policy Regarding Portable Storage Devices and Removable Media Specifies policy on the use of memory sticks. HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/Data%20Classification%20Standards.doc" Data Classification Standards establishes the Department policy for the storage, transmission, and encryption of data. 164.310(d)(2)(ii) Media Re-useR HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73944&oaoitNav=|8305|1821|1845|" ITB C.3 - Hard drives in state-owned PCs, servers and printer/peripheral devices must be cleansed prior to transfer to a new user. HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=178461&oaoitNav=|8305|1821|1822|"ITB A.6. Addresses temporary storage of data on smart devices such as photocopiers with internal hard drives or memory. HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&Q=171440"Decommissioning of State-Owned PC's - Specifies the process for sanitizing a hard drive prior to decommissioning a Department computer according to US Department of Defense guidelines (overwriting the drive with at least (6) passes of three (3) writing cycles).164.310(d)(2)(iii) AccountabilityA HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73965&oaoitNav=|8305|1821|1845|" ITB C.6.  Establishes Commonwealth enterprise asset management system and tools to be used. HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=178461&oaoitNav=|8305|1821|1822|"ITB A.6. Addresses temporary storage of data on smart devices such as photocopiers with internal hard drives or memory. Remedy Asset Management has bee selected as the Commonwealth Enterprise tool for asset management.DPW uses an internal Remedy Asset tracking system which is uploaded to the Commonwealth system on a monthly basis.164.310(d)(2)(iv) Data Backup and StorageA HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=159869&PM=1&oaoitNav=|8305|1821|1845|" ITB C.11 - The hard drive in all equipment owned by agencies under the Governors jurisdiction must be erased. The hard drive is then removed from the computer collected by DGS for destruction and recycling  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73944&oaoitNav=|8305|1821|1845|" ITB C.3 - Prior to replacing any personal computer or laptop/notebook computer or replacing their hard drives, agency IT personnel must copy all information that resides locally on these devices to a durable and secure storage medium.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126199&oaoitNav=|8305|1821|5815|5823|" ITB I.2.3 Each agency must make arrangements to store mission-critical resources at a remote storage site that provides geographic separation in the event of a local disaster. Agencies are encouraged to use the off-site storage services of the vendor currently on state contract. Guidelines for frequency of backups are provided in  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|" ITB I.6.2 under "Data and Program Back-up". HYPERLINK "http://bis/pgm/h-net%20standards/4.2%20platform%20server/server%20backup%20and%20restore.doc" DPW Server Backup and Restore Standard establishes the software and procedures used for DPW data backups.  HYPERLINK "http://bis/pgm/h-net%20standards/7.1%20operations%20and%20support%20proce/recovery%20planning.doc" DPW Recovery Planning Standard establishes the process for backup and contingency planning.  Technical SafeguardsReq (R) or Addr (A)CommonwealthDPW164.312(a)(1)Access Control164.312(a)(2)(i) Unique User IdentificationR HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126171&oaoitNav=|8305|1821|5815|5817|" ITB I.1.4 - Each user ID must be unique and identifiable by user. Once deleted cannot be reissued. Will be maintained in an historical database. Will be inactivated after 180 days of non-use and will be disabled after at most 5 invalid logon attempts.  HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/manuals/m245-4.pdf" M245.4 Overview of computer and network security standards for the Commonwealth HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security enforces this for Commonwealth employees, contractors and outside business associates.164.312(a)(2)(ii) Emergency Access ProcedureR HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&q=132275&oaoitNav=|8305|1821|5815|5823|6464|" I.2.4 - If the application that houses the EPHI data is specified as highly critical in the HCIS database then during an emergency the application would be one of the first to be recovered at the hot site  HYPERLINK "http://www.oa.state.pa.us/oac/lib/oac/manuals/m245-4.pdf" M245.4 Overview of computer and network security standards for the Commonwealth HYPERLINK "http://bis/pgm/h-net%20standards/4.2%20platform%20server/server%20backup%20and%20restore.doc" DPW Server Backup and Restore Standard establishes the software and procedures used for DPW data backups. 164.312(a)(2)(iii) Automatic LogoffA HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|" ITB I.6.2.1 - All PCs will automatically lock (that is, will require entry of username and password to unlock and use) after 15 minutes of non-use. In addition, users are strongly encouraged to manually lock their PC when the PC will be left unattendedDPWs Office of Income Maintenance has set their systems to automatically lock after 10 minutes of non-use.  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security automatically locks application access after 20 minutes of non-use, regardless of whether or not the user is actively using any application at the terminal; application access is also terminated after 24 hours of active usage.164.312(a)(2)(iv) Encryption and DecryptionA HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/Data%20Encryption%20Standards.doc" DPW Data Encryption Standard establishes requirements for data encryption and acceptable technologies.  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/Data%20Classification%20Standards.doc" DPW Data Classification Standard maps types of data to encryption requirements. 164.312(b)Audit Controls164.312(b) Audit ControlsRNumerous log files are maintained:  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security provides logging of application access attempts (passed and failed). It also tracks the movement of users within the application, though not what action(s) that user may have taken. Server Security logs track user access to the servers. WebSense logs tracks users access to the Internet CheckPoint Firewall logs track access to and from the DPW core network Application log files track what users accessed or what actions they performed within the application. Database log files are maintained tracking accesses to the database Mainframe Logs track activities on the Mainframe systems Physical Access logs are maintained for restricted areas at the Willow Oak Building as well as for general access to the building after normal working hours (6a 6p).164.312(c)(1)Integrity164.312(c)(2)(i) Mechanism to Authenticate Electronic Protected Health Information ABackups provide protection from destruction of data. UserID , passwords and other methods of identification provide protection. Application software should provide protection from improper alteration of the data.Application level procedures are in place to authenticate changes to data and to ensure the proper application of valid changes to the database.164.312(d)Person or Entity Authentication164.312(d) Person or Entity AuthenticationR HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/unified%20security%20overview.doc" Unified Security provides for user/entity authentication. Application specific security is also in place where appropriate.164.312(e)(1)Transmission Security164.312(e)(2)(i) Integrity ControlsA HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=120200" MD 210.12 establishes policy, responsibilities, and procedures for the implementation of the Electronic Transactions Act (Act 69 of 1999). It applies to all agencies under the Governor's jurisdiction whenever an executive agency sends, accepts, stores, or uses information electronically.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=177789&PM=1&oaoitNav=|8305|1821|1855|" ITB D13 establishes policy for use of FTP for file transfers. HYPERLINK "http://bis/pgm/doc/secureemail/secureemail%20overview.doc" Secure Email Overview DPWs encrypted email system for data transmissions to/from registered outside entities WebMethods is used for system to system and application to application data transmissions. SSL is used for web access to applications and/or data.164.312(e)(2)(ii) EncryptionA HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=120200" MD 210.12 establishes policy, responsibilities, and procedures for the implementation of the Electronic Transactions Act (Act 69 of 1999). It applies to all agencies under the Governor's jurisdiction whenever an executive agency sends, accepts, stores, or uses information electronically.  HYPERLINK "http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73867&oaoitNav=|8305|1821|1828|3632|" ITB B.5 establishes policies for use of encryption in Commonwealth e-Government initiatives.  HYPERLINK "http://bis/pgm/doc/secureemail/secureemail%20overview.doc" Secure Email Overview DPWs encrypted email system for data transmissions to/from registered outside entities  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/Data%20Encryption%20Standards.doc" DPW Data Encryption Standard establishes requirements for data encryption and acceptable technologies.  HYPERLINK "http://bis/pgm/h-net%20standards/1.0%20security/Data%20Classification%20Standards.doc" DPW Data Classification Standard maps types of data to encryption requirements. WebMethods is used for system to system and application to application data transmissions and provides encryption as needed. SSL is used for web access to applications and/or data. DocumentationReq (R) or Addr (A)CommonwealthDPW164.316(a)Documentation164.316(b)(2)(i) Time Limit 164.316(b)(2)(ii) Availability 164.316(b)(2)(iii) UpdatesR R R HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=120179" MD 210.10. Establishes and clarifies state records management policy with respect to the creation, use, maintenance, scheduling, and disposition of electronic records.  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=119507" MD 210.5. Establishes the records management to control the creation, use, maintenance, preservation, and disposition of records of state agencies.  HYPERLINK "http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=120207" MD 210.13 (amended). Establishes policy, responsibilities,and procedures for the retention and disposition of records created on electronic mail (E-mail) systems.The Department requires all security-related policies and procedures to be documented in written form, which may be electronic. All documentation required by HIPAA (including the Security and Privacy Rules) must be retained for at least 6 years from the date of its creation or the date when it was last in effect, whichever is later.      HIPAA Security Implementation Handbook April 2005 PAGE 60 PA Department of Public Welfare Page  PAGE 63      -./234AѻщvcM7%"hxh>(u5CJ OJQJ\^J+hxh>(u5B*CJ OJQJ\^Jph3f+hxh}]5B*CJ OJQJ\^Jph3f%h}]5B*CJ OJQJ\^Jph3f%h>(u5B*CJ OJQJ\^Jph3f!hxh>(uB*OJQJ^Jphf"hxh}]5CJ`OJQJ\^Jh>(u5CJ`OJQJ\^J+hxh>(u5B* CJ`OJQJ\^Jph!hxh>(uB* OJQJ^Jph9jhxh>(uB* CJOJQJU^JmHnHphu      ./01234^_jlm $ !a$$a$gdv'$a$ $a$AK^_iklmntuvɶvhU@.@.@"ho5B*CJOJQJ^Jph(hd=6h>(u5B*CJOJQJ^Jph%hxh>(u5>*CJOJQJ\^Jhv'h>(uCJ OJQJ\h?0CJ OJQJ\hv'h?0CJ OJQJ\hxh>(uOJQJ^J hxh>(u%hv'5B*CJ OJQJ\^Jph3f%h5B*CJ OJQJ\^Jph3f+hxh>(u5B*CJ OJQJ\^Jph3f"hxh>(u5CJ OJQJ\^Jh'$5CJ OJQJ\^Jmuv W X gd[gdX($`a$($a$gdd=6 $ !a$gdv'l r R U W X Y 뵣zhNz=0hbXhbX0JCJaJ!jhbXhbX0JCJUaJ2jhbXh5CJOJQJU^JaJ#hbXhbX5CJOJQJ^JaJ,jhbXhbX5CJOJQJU^JaJ"hbX5B*CJOJQJ^Jph"h[5B*CJOJQJ^Jph"h/h5B*CJOJQJ^Jph"hTt5B*CJOJQJ^Jph"ho5B*CJOJQJ^Jph(hd=6h/h5B*CJOJQJ^Jph   ! " & ' , . ; < W Ьsk]kPCPCP*B*CJOJQJU^JaJph  X$$@&Eƀ&Ifa$gd2El $a$gd[gdv'gd[    ! <<<T+$Eƀ&Ifgdv'l nkdn$$Ifl,""     t0644 lap yt2E! " `kd$$IflF ,"      t06    44 lapyt2E" & 1 ; T+$Eƀ&Ifgdv'l ; < `kd$$IflF ,"      t06    44 lapyt2E< @ K W Y+$Eƀ&Ifgdv'l o{W X k l & z { [VQHFFFF hgd"Jgd\QgdXkd$$IflF ,"         t06    44 lag{pyt2EW X Y k l m  ˳ynyiybN'jhx:hU>*B*Uph hU5CJ hVr>j hUUjhUU hUhx:hU0J\'jhx:hU>*B*UphhUhx:hU0Jjhx:hU0JUhs[hL^JaJjhs[hLU^JaJheuhX0J>*B*phhXhXOJQJ\hGS h[hbX   ! " # $ % & ' ( D E F G X Y Z t u v w x y z { | } ÿëӡ̐ÿ|ӡ̡qjhUU'j|hx:hU>*B*Uph hU0JjhUUhx:hU0J\'jhx:hU>*B*UphhUhx:hU0J hU5CJjhx:hU0JU hVr>jhUUjhUU hU,          ; < = > A B Y Z [ u v w x y z { | } ~ ùîùÊȄp'jj hx:hU>*B*Uph hU0Jj hUU'jp hx:hU>*B*Uph hVr>jhUUjhUU hUhU5CJaJ'jvhx:hU>*B*UphhUhx:hU0Jjhx:hU0JU+  { | ,;b,W$\%P   %&')*+,-.JKLMPQlmn³³|qj hUU'j^ hx:hU>*B*Uphj hUU'jd hx:hU>*B*UphhUhx:hU0J hU0Jjhx:hU0JU hVr>j hUUjhUU hU hU5CJhx:hU0J\, 45689:;<=YZ[ٸٳُٸٳp'jLhx:hU>*B*UphjhUU'jRhx:hU>*B*Uph hVr>j hUU hUhU5CJaJ'jX hx:hU>*B*UphhUhx:hU0J hU5CJjhx:hU0JUjhUU,[\_`opq !?@A[\]_`۞xjhUU hU5CJ'j@hx:hU>*B*UphjhUU'jFhx:hU>*B*UphhU hVr>jhUUjhUU hUhU5CJaJhx:hU0Jjhx:hU0JU/`abcd   %&')*+,-.JKL⼲⼲o'j.hx:hU>*B*UphjhUU'j4hx:hU>*B*Uph hVr>jhUUjhUU hUhU5CJaJ'j:hx:hU>*B*UphhUhx:hU0J hU5CJjhx:hU0JU+LMPQvwx!"456P۞y hU5CJhx:hU0J\'j"hx:hU>*B*UphjhUU'j(hx:hU>*B*UphhU hVr>jhUUjhUU hUhU5CJaJhx:hU0Jjhx:hU0JU+PQRTUVWXYuvwx{|!"#$%&BCȰȧȢꢗاȃȧȢxاjhUU'jhx:hU>*B*UphjhUU hUhU5CJaJ'jhx:hU>*B*UphhUhx:hU0J hU5CJjhx:hU0JU hVr>jhUUjhUU.CDEHI_`a{|} ǽDzթՕދǽyބթe'jhx:hU>*B*UphjhUU hU5CJhx:hU0J\'j hx:hU>*B*UphhU hVr>jhUUjhUU hUhU5CJaJhx:hU0Jjhx:hU0JU'jhx:hU>*B*Uph'  9:;UVWYZ[\]^z{|} "#$%&'CjuhUU'jhx:hU>*B*Uphj{hUU'jhx:hU>*B*UphhUjhx:hU0JU hVr>jhUUjhUU hUhx:hU0JhU5CJaJ2CDEFIJijk zօf'jhx:hU>*B*UphjihUUhU5CJaJ'jhx:hU>*B*UphhU hVr>johUUjhUU hU hU5CJhx:hU0J\jhx:hU0JU'jhx:hU>*B*Uphhx:hU0J(  -./IJKMNOPQRnopqtu"jW"hUU'j!hx:hU>*B*Uphj]!hUU'j hx:hU>*B*UphhUjhx:hU0JU hVr>jc hUUjhUU hUhx:hU0JhU5CJaJ2"#$%()FGHbcdfghijkzf'j$hx:hU>*B*UphhU5CJaJjK$hUU'j#hx:hU>*B*UphhU hVr>jQ#hUUjhUU hU hU5CJhx:hU0J\jhx:hU0JU'j"hx:hU>*B*Uphhx:hU0J(is6b7V#x-5E 9:;<?@PQRlmnpqrstuÿëâӢÿÃâxӢj9'hUU'j&hx:hU>*B*Uphj?&hUUhU5CJaJ'j%hx:hU>*B*UphhUhx:hU0J hU5CJjhx:hU0JU hVr>jE%hUUjhUU hU//01345678TUVWZ[z{|ĺįĺċwĺ'j)hx:hU>*B*Uphj-)hUU'j(hx:hU>*B*Uph hVr>j3(hUUjhUU hUhU5CJaJjhx:hU0JU'j'hx:hU>*B*Uphhx:hU0JhU.    -./045?@A[\]_`abcdƮؤ꘍؝yؤn؝j,hUU'j+hx:hU>*B*Uphj!+hUU hU hU5CJhx:hU0J\'j*hx:hU>*B*UphhUhx:hU0JhU5CJaJjhx:hU0JU hVr>jhUUj'*hUU*012456789UVWX\]uvw½œ½}i'j.hx:hU>*B*Uphj.hUU'j-hx:hU>*B*Uph hU5CJ hVr>j-hUUjhUU hUhx:hU0J\'j,hx:hU>*B*UphhUhx:hU0Jjhx:hU0JU hU0J)345OPQSTUVWXtuvw{|j0hUU'j0hx:hU>*B*Uphj0hUU'j/hx:hU>*B*UphhUjhx:hU0JU hVr>j /hUUjhUU hUhU5CJaJhx:hU0J2 !"#$%ABCDHIUVWqrsuvwxyzĺįҌĺz҅f'jn3hx:hU>*B*Uphj2hUU hU5CJhx:hU0J\'jt2hx:hU>*B*Uph hVr>j1hUUjhUU hUhU5CJaJjhx:hU0JU'jz1hx:hU>*B*Uphhx:hU0JhU(   &'(*+,-./KLMNRSlmnzoj5hUU hU5CJhx:hU0J\'jb5hx:hU>*B*Uphj4hUU'jh4hx:hU>*B*UphhUjhx:hU0JU hVr>j3hUUjhUU hUhU5CJaJhx:hU0J+./0234567STԼԳԮԏԳԮj7hUU'jV7hx:hU>*B*Uphj6hUU hUhU5CJaJ'j\6hx:hU>*B*UphhUhx:hU0J hU5CJjhx:hU0JU hVr>jhUU-TUVZ[ijk  " ǽDzթՕ̋ǽǀzթfދ'jD:hx:hU>*B*Uph hU0Jj9hUUhx:hU0J\'jJ9hx:hU>*B*UphhU hVr>j8hUUjhUU hUhU5CJaJhx:hU0Jjhx:hU0JU'jP8hx:hU>*B*Uph(" # $ > ? @ B C D E F G c d e f j k y z { ÿëӡ̡ÿÂynj<hUUhU5CJaJ'j8<hx:hU>*B*Uphj;hUUhx:hU0J\'j>;hx:hU>*B*UphhUhx:hU0J hU5CJjhx:hU0JU hVr>j:hUUjhUU hU+ !!!!! !$!%!?!@!A![!\!]!_!`!a!b!c!d!!!!!!!!!!!!!!!!!!!!!!!!!ùîùÊv'j&?hx:hU>*B*Uphj>hUU'j,>hx:hU>*B*Uph hVr>j=hUUjhUU hU'j2=hx:hU>*B*UphhUhx:hU0JhU5CJaJjhx:hU0JU. b!!"t""(###I$$$%j%k%%F&& '''((((gd\Q!!!!""""""""";"<"=">"B"C"Q"R"S"m"n"o"q"r"s"t"u"v""""""""""""""ˠ˙zˠojAhUU'jAhx:hU>*B*Uphj@hUU hU5CJhx:hU0J\'j @hx:hU>*B*UphhUhU5CJaJjhx:hU0JU hVr>j?hUUjhUU hUhx:hU0J+""""""""""###!#"###%#&#'#(#)#*#F#G#H#I#M#N#m#n#o############ټُⅼzjChUUhx:hU0J\'jChx:hU>*B*UphhU5CJaJ hVr>jBhUU hU'jBhx:hU>*B*UphhUhx:hU0J hU5CJjhx:hU0JUjhUU)################# $ $$$$$&$'$($B$C$D$F$G$H$I$J$K$g$h$i$j$n$ȾȳޥޥȾyބޥeޥ'jEhx:hU>*B*UphjEhUUhU5CJaJ'jEhx:hU>*B*UphhUhx:hU0J hVr>jDhUUjhUU hU hU5CJhx:hU0J\jhx:hU0JU'jDhx:hU>*B*Uph'n$o$y$z${$$$$$$$$$$$$$$$$$$ %%%%%%%%%2%3%4%5%9%:%G%H%I%c%s'jGhx:hU>*B*Uph hU5CJjsGhUUhx:hU0J\'jFhx:hU>*B*UphhU hU0Jjhx:hU0JU hVr>jyFhUUjhUU hUhx:hU0JhU5CJaJ(c%d%e%g%h%i%j%k%l%m%%%%%%%%%%%%%%%%%%%%&#&$&%&?&@&A&C&D&E&F&G&¾ªؠꛐ¾|›qhhU5CJaJjaJhUU'jIhx:hU>*B*UphjgIhUU hUhx:hU0J\'jHhx:hU>*B*UphhUhx:hU0J hU0J hU5CJjhx:hU0JU hVr>jhUUjmHhUU(G&H&d&e&f&g&&&&&&&&&&&&&&&&&&&&''''' ' ' ' '(')'*'+'l'm'n'''͸óҪ͋óҪwljOMhUU'jLhx:hU>*B*UphjULhUU'jKhx:hU>*B*UphhU5CJaJ hVr>j[KhUUjhUU hUjhx:hU0JU'jJhx:hU>*B*UphhUhx:hU0J*''''''''''''''''''''''''((((( (!("(k(l(m((((̴䨟tj_jCOhUUhx:hU0J\'jNhx:hU>*B*Uph hU5CJjINhUU hUhU0J\^Jhx:hU0J\^J'jMhx:hU>*B*UphhUhx:hU0J hU0JhU5CJaJjhx:hU0JU hVr>jhUU%(((((((((((((((()")0)yk]L>L0Lh`K)CJOJQJ^JaJhKCJOJQJ^JaJ hGSh>(uCJOJQJ^JaJh0CJOJQJ^JaJhGSCJOJQJ^JaJh!i hd=6CJOJQJ#hd=6h>(u5CJOJQJ^JaJhGShGSOJQJ\^Jh!i OJQJ\^Jh\QhGS0J5>*B*phh\Qh>(u0J5>*B*phjhs[hLU hU5CJjhx:hU0JUjhUU hVr>(((((**RMD>^s^sgdGSgdGSS & F.Eƀ&.gd2Eog:d& & FV$ & F.Eƀ&.0a$gd2Eog:d& & F0)1)8)B)C)U)V)^))))))))*O*]*g*q**********+++++1,B,P,W,,,,ӴӘӘӴᇘӇvhvh=CJOJQJ^JaJ hd=6hJCJOJQJ^JaJ hd=6h>(uCJOJQJ^JaJhECJOJQJ^JaJhbCJOJQJ^JaJ hGSh0CJOJQJ^JaJh`K)CJOJQJ^JaJh0CJOJQJ^JaJ hGSh>(uCJOJQJ^JaJhTtCJOJQJ^JaJ(*E+++PR & F CCEƀ&^CgdmaR & F CCEƀ&^Cgdmas^sgdd=6+ ,N,P,z-{-YPPG^gdd=6s^sgdd=6R & F CCEƀ&^CgdmaR & F CCEƀ&^Cgdma,,---8-;-G-L-N-Y-^-_-d-x-------------------. . . .....5.6.9.=.E.K.L.l.v.w....ȷַȷȷȷַȘȘȘȘַȷȷȷַַȷȷȷ&hd=6hh[CJOJQJ^JaJ hd=6hCJOJQJ^JaJh=CJOJQJ^JaJ hd=6hJCJOJQJ^JaJh0CJOJQJ^JaJhCJOJQJ^JaJhECJOJQJ^JaJh[CJOJQJ^JaJ4{---WS & F9Eƀ&gd2Eog:d& & FS & F9Eƀ&gd2Eog:d& & F---WS & F9Eƀ&gd2Eog:d& & FS & F9Eƀ&gd2Eog:d& & F- .).WS & F:Eƀ&gd2Eog:d& & FS & F:Eƀ&gd2Eog:d& & F).>.m.WS & F9Eƀ&gd2Eog:d& & FS & F9Eƀ&gd2Eog:d& & Fm...WS & F9Eƀ&gd2Eog:d& & FS & F9Eƀ&gd2Eog:d& & F.................../ //// /!/"/0/5/C/K/L/W/[/d///////////0дУ£s hd=6h`K)CJOJQJ^JaJhECJOJQJ^JaJ hd=6h>(uCJOJQJ^JaJ h!i h>(uCJOJQJ^JaJh`K)CJOJQJ^JaJhCJOJQJ^JaJ hd=6hJCJOJQJ^JaJ hd=6hCJOJQJ^JaJh0CJOJQJ^JaJ-...WS & F9Eƀ& gd2Eog:d& & FS & F9Eƀ& gd2Eog:d& & F...WS & F9Eƀ& gd2Eog:d& & FS & F9Eƀ& gd2Eog:d& & F./0/WS & F9Eƀ& gd2Eog:d& & FS & F:Eƀ&gd2Eog:d& & F0/K/L/d/e/T1U1F@77^gdGS^S & F.Eƀ&.gd2Eog:d& & F C ^C` gdd=6S & F9Eƀ&gd2Eog:d& & F0&020;0>0W00000001%1S1T1U1`1a1b1i11 2 2%22֦qaTaTJTh=OJQJ^Jhd=6h>(uOJQJ^Jhd=6h>(u5OJQJ\^J#hd=6h>(u5CJOJQJ^JaJhGSh>(uOJQJ\h!i OJQJ\hGSCJOJQJ^JaJh>(uCJOJQJ^JaJ hd=6hECJOJQJ^JaJ hd=6h>(uCJOJQJ^JaJhCJOJQJ^JaJh=CJOJQJ^JaJhECJOJQJ^JaJU1a1b111B3G33333v4w4+5,5 ) ^gdQ4G)^ 7$8$H$^V$ & F.Eƀ&.0a$gd2Eog:d& & F2222G3V3X3Y3333343444v44X66U7V7i7´ª˜ydM,hd=6h>(u5B*CJOJQJ^JaJph)hd=6h>(uB*CJOJQJ^JaJphh`K)CJOJQJ^JaJ hd=6h>(uCJOJQJ^JaJ#hd=6h>(u5CJOJQJ^JaJhXOJQJ^Jhd=6h1 5OJQJ^Jhd=6h1 OJQJ^Jhd=6h>(u5OJQJ\^Jhd=6h>(uOJQJ^JhbOJQJ^Jh`K)OJQJ^J,5W6X6U7V777A666  h^X & F7$8$Eƀ&.H$gd2Eog:d& & F p07$8$H$^p`0X & F7$8$Eƀ&.H$gd2Eog:d& & F i7s777&8E8H8U8Y8Z888888+949]9`9: : ::,:5:6::::%;+;-;.;3;4;O;P;Q;԰԰԰‰԰t‰‰԰԰԰b#h>(uB*CJOJQJ^JaJph)hd=6hQ4GB*CJOJQJ^JaJph)hd=6h=B*CJOJQJ^JaJph#hbB*CJOJQJ^JaJph#h`K)B*CJOJQJ^JaJph#h=B*CJOJQJ^JaJph)hd=6h>(uB*CJOJQJ^JaJph,h`K)h>(u5B*CJOJQJ^JaJph%7v8w8 ::B8  hgdQ4GX & F hEƀ&.gd2Eog:d& & F  h8^8X & F hEƀ&.gd2Eog:d& & F:::P;Q;;;;;l<m<<||s|eee 7$8$H$^)^gdQ4G 7$8$H$^ h^ h0`0gdQ4GX & F hEƀ&.gd2Eog:d& & F Q;U;w;;;;;;;;;;;;l<m<<<<<<<<<ܽܩvdVHVHVHVh\kCJOJQJ^JaJhoCJOJQJ^JaJ#hoho5CJOJQJ^JaJh>(uCJOJQJ^JaJh=OJQJ^Jhd=6h1 OJQJ^Jhd=6h1 5OJQJ^J&hd=6h>(u5CJOJQJ\^JaJh=CJOJQJ^JaJ hd=6h1 CJOJQJ^JaJ hd=6h>(uCJOJQJ^JaJ#hd=6h>(u5CJOJQJ^JaJ<<I=J=>>>>??C?D?@@AA-B.BcBdB 7$8$H$^gd1  h07$8$H$^`0gd1 7$8$H$ h07$8$H$^`0 7$8$H$^)^ 7$8$H$^<<<I=J=[=>0>>>>>??D?\?@A AAAA-B.B2Bq_K&hd=6h1 5CJOJQJ\^JaJ#hd=6h>(uCJOJQJ\^JaJhXH"CJOJQJ^JaJh\kCJOJQJ^JaJ&hd=6h>(u5CJOJQJ\^JaJh=CJOJQJ^JaJ#hd=6h>(u5CJOJQJ^JaJ hd=6h>(uCJOJQJ^JaJhd=6h>(uOJQJ^Jhd=6h>(u5OJQJ\^J hd=6hoCJOJQJ^JaJ2BdBuBBBBBBBVCWCDDE FFFFF9GCG{GGGGGGHHJJ O!O4OoOҸҫҸߞҔҔ҂qq__q#hd=6h1 5CJOJQJ^JaJ hd=6h>(uCJOJQJ^JaJ#hd=6h>(u5CJOJQJ^JaJh=OJQJ^Jhb5OJQJ\^Jhd=6h1 OJQJ^Jhd=6h)OJQJ^Jhd=6h=t+OJQJ^Jhd=6h>(uOJQJ^Jhd=6h>(u5OJQJ\^J hd=6h1 CJOJQJ^JaJ"dBEEFF4G9GGGHH4I5IIIJJJJ 7$8$H$gd1 7$8$H$^gd1 7$8$H$07$8$H$^`0gd=t+07$8$H$^`07$8$H$ 7$8$H$^)^JKK`KaKBX & F7$8$Eƀ&.H$gd2Eog:d& & F 7$8$H$gd1 X & F7$8$Eƀ&.H$gd2Eog:d& & F aK8L9L8M9MBX & F7$8$Eƀ&.H$gd2Eog:d& & F 7$8$H$gd1 X & F7$8$Eƀ&.H$gd2Eog:d& & F 9MMMNNBX & F7$8$Eƀ&.H$gd2Eog:d& & F 7$8$H$gd1 X & F7$8$Eƀ&.H$gd2Eog:d& & F N O!OOOVPWPPPzQyoa07$8$H$^`0 7$8$H$ 7$8$H$^ 7$8$H$gd=t+ 7$8$H$^ 7$8$H$^gd1 X & F7$8$Eƀ&.H$gd2Eog:d& & F oOqOrO{OOOTPUPVPWPjP2R3RPRbRRSnSoSS'T8TJTKT1U2U3U4UAUcUykZLh=CJOJQJ^JaJ hd=6hKCJOJQJ^JaJhKCJOJQJ^JaJh\kCJOJQJ^JaJ)hd=6h>(uB*CJOJQJ^JaJphheCJOJQJ^JaJ-hd=6h>(uB*CJOJPJQJ^JaJphhXH"CJOJQJ^JaJ#hd=6h>(u5CJOJQJ^JaJ hd=6h>(uCJOJQJ^JaJhGICJOJQJ^JaJzQ{Q2R3RRRnSoS2U3UhUiUVVgWhWXXXXY)gd=t+)^7$8$H$ 7$8$H$gd=  h8^8 7$8$H$^07$8$H$^`0p07$8$H$^p`0cUfUiUUVVVVhW|WWWWWXXXXXXXXXXY YYYY"YNYcYYYY4[ᱤrdrZrhoOJQJ^Jhd=6h1 5OJQJ^Jhd=6h1 OJQJ^Jhd=6h9OOJQJ^Jhd=6h>(uOJQJ\^JhXH"OJQJ^Jhd=6h>(uOJQJ^Jhd=6h>(u5OJQJ\^Jh=CJOJQJ^JaJ#hd=6h>(u5CJOJQJ^JaJ hd=6h>(uCJOJQJ^JaJhXH"CJOJQJ^JaJ#YYYY4[5[[[\\L]M]^^c_d_``-a.aaa!b 7$8$H$gd=t+ 7$8$H$^ h7$8$H$gd=t+ h7$8$H$^7$8$H$)^4[5[>[[[\\\\\] ]?]K]M]p]^^d_{_``````,a.aHaNaïÐÂpÂpïÂ_ïK&hd=6h9O5CJOJQJ\^JaJ hohXH"CJOJQJ^JaJ#hd=6h>(u5CJOJQJ^JaJhXH"CJOJQJ^JaJh=CJOJQJ^JaJ hXH"5CJOJQJ\^JaJ&hd=6h>(u5CJOJQJ\^JaJ hd=6h>(uCJOJQJ^JaJhd=6h>(uOJQJ^Jhd=6h>(u5OJQJ\^Jhd=6h>(uOJPJQJ^JNaOafanazaaaaaa"b.b/b7bAbbbb`cacͼۼۜیobQDhd=6h9OOJQJ^J h=h=CJOJQJ^JaJhd=6h>(uOJQJ^Jhd=6h=5OJQJ\^Jh=5OJQJ\^Jhd=6h>(u5OJQJ\^J#hd=6h>(u5CJOJQJ^JaJhXH"CJOJQJ^JaJ hd=6h9OCJOJQJ^JaJh=CJOJQJ^JaJ hd=6h>(uCJOJQJ^JaJ&hd=6h>(u5CJOJQJ\^JaJ!b"bbb`caccc)d*dZd[deef~~ 7$8$H$^7$8$H$ 7$8$H$^gd9OG)EƀF^/^gd=)gd=t+)^ 7$8$H$gd=t+ackcrccccd dd(d)d*d;dTdXdYdZd[dedeeffffggʹ~pfYGG~#hd=6h>(u5CJOJQJ^JaJhd=6hXH"OJQJ^Jh\kOJQJ^JhXH"hXH"5OJQJ^Jh>(uOJQJ^JhbOJQJ^JhXH"OJQJ^Jhd=6h>(uOJQJ^Jhd=6h>(u5OJQJ\^J hd=6h>(uCJOJQJ^JaJ hd=6h9OCJOJQJ^JaJ&hd=6h9O5CJOJQJ\^JaJ h=5CJOJQJ\^JaJffffgggggggdfyM !7$8$Eƀ[&H$gdrQ/)gd=t+)^ 7$8$H$gd=t+ ggggggggghhh hhhhhо}o]L?2h!i h9TCJOJQJh!i h&CJOJQJ hd=6hxCJOJQJ^JaJ#hd=6h&6CJOJQJ^JaJh!i CJOJQJ^JaJhOJQJ\"hh6CJOJQJ\aJ hd=6h&CJOJQJ^JaJhYM5h>(uOJQJ\h!i OJQJ\#hd=6hfy5CJOJQJ^JaJ#hd=6hrQ/5CJOJQJ^JaJhrQ/hrQ/CJ OJQJ\aJ hrQ/hYM5OJQJ^JggghhhhB9^gdfyS & F.Eƀ&.gd2Eog:d& & F ^gd&gd&V$ & F.Eƀ&.0a$gd2Eog:d& & FhhhhhhhhhTiYitiuiviiiiôՒq]OAO3h&CJOJQJ^JaJh\kCJOJQJ^JaJhCJOJQJ^JaJ&hd=6h1 56CJOJQJ^JaJho6CJOJQJ^JaJ#hd=6h1 6CJOJQJ^JaJ hd=6hfzCJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6hfz6CJOJQJ^JaJ hd=6h1 CJOJQJ^JaJh!i h&CJOJQJh!i h1 CJOJQJhuiviiijjkxc & F= Eƀ&^gd2Eog:d& & F p^^gd-^gd^gd-^gdfyiiiiiii4j8jgjhjijnjyjjjjjjjdk´ИЇvvhZI4I)jhd=6hCJOJQJU^JaJ hd=6hCJOJQJ^JaJhCJOJQJ^JaJh-CJOJQJ^JaJ hd=6h@ACJOJQJ^JaJ hd=6hv$CJOJQJ^JaJhbCJOJQJ^JaJh/ CJOJQJ^JaJhXH"CJOJQJ^JaJh=CJOJQJ^JaJ hd=6h&CJOJQJ^JaJhPCJOJQJ^JaJ hd=6hCJOJQJ^JaJdkekfkokpktkkkkkkkkjlklllm m'm(mMmNmmҴugVHHҴhTCJOJQJ^JaJ hd=6h-CJOJQJ^JaJhCJOJQJ^JaJ#hd=6h5CJOJQJ^JaJhCJOJQJ^JaJ hd=6h 2CJOJQJ^JaJhXH"CJOJQJ^JaJ hd=6hCJOJQJ^JaJhd=6h0JCJaJ)jhd=6hCJOJQJU^JaJ/jOhd=6h>mWCJOJQJU^JaJkkklllGnHn9000^gdj=c & FT ppEƀ&o^pgd2Eog:d& & F  p^pc & FT ppEƀ&o^pgd2Eog:d& & F  p^pmmmmmmmnnFnGnooDoEooooooooҴ|n]ҴEҴ7h/ CJOJQJ^JaJ/jQhd=6hCJOJQJU^JaJ hd=6hWeCJOJQJ^JaJhMLCJOJQJ^JaJhCJOJQJ^JaJhCJOJQJ^JaJhCJOJQJ^JaJhCJOJQJ^JaJ hd=6hCJOJQJ^JaJhd=6h0JCJaJ)jhd=6hCJOJQJU^JaJ/jPhd=6h>mWCJOJQJU^JaJHnooqqrr9S & F0Eƀ&gd2Eog:d& & F $^a$gdj=S & F0Eƀ&gd2Eog:d& & F^gdj=^gdj=ooooCpDpapbpepqp|pppqqNqQqdqgqqqqqqqqrrrrrrrrrrᣒseၱWhSXNCJOJQJ^JaJhT_hCJOJQJ^JaJh=CJOJQJ^JaJ hd=6hv$CJOJQJ^JaJ hd=6hWeCJOJQJ^JaJhCJOJQJ^JaJhTCJOJQJ^JaJ hd=6h CJOJQJ^JaJ hd=6hCJOJQJ^JaJ hd=6hSXNCJOJQJ^JaJhCJOJQJ^JaJ"r{sAtBtCtWtxtttttu3uIu]ukuuuuuFvvvvᱠ᱒veWE#hd=6hgA5CJOJQJ^JaJhWeCJOJQJ^JaJ heuhCJOJQJ^JaJhMLCJOJQJ^JaJhCJOJQJ^JaJhTCJOJQJ^JaJ hd=6hgACJOJQJ^JaJ hd=6h CJOJQJ^JaJ hd=6hWeCJOJQJ^JaJhCJOJQJ^JaJhCJOJQJ^JaJ hd=6hSXNCJOJQJ^JaJrBtCtvvNE8^8gdj=S & F0Eƀ&gd2Eog:d& & F^gdj=S & F0Eƀ&gd2Eog:d& & Fvv:wDwEwrwswtwwww4xAx|xxxxxx˺yk]LkL>yh 2CJOJQJ^JaJ hd=6hv$CJOJQJ^JaJh-CJOJQJ^JaJhCJOJQJ^JaJ hd=6hd CJOJQJ^JaJ hd=6h-CJOJQJ^JaJhgACJOJQJ^JaJ heuhCJOJQJ^JaJ heuh-CJOJQJ^JaJ heuhgACJOJQJ^JaJ hd=6hgACJOJQJ^JaJ#hd=6h&5CJOJQJ^JaJvswtwxxNS & F0Eƀ&gd2Eog:d& & F^gdj=S & F0Eƀ&gd2Eog:d& & Fxxxy!y3yHyyyz{{{{{||| }ͼ͝{m{m{\G\)jhd=6h\CJOJQJU^JaJ hd=6h\CJOJQJ^JaJh/ CJOJQJ^JaJ hd=6hgACJOJQJ^JaJ hPB=hKCJOJQJ^JaJh9BCJOJQJ^JaJ heuh\kCJOJQJ^JaJ heuh&rKCJOJQJ^JaJ heuhd CJOJQJ^JaJ hd=6hd CJOJQJ^JaJ hd=6h&rKCJOJQJ^JaJxyyMzNzRS & F0Eƀ&gd2Eog:d& & Fgdj=S & F0Eƀ&gd2Eog:d& & FNzzz{{{MD;^gd-^gdgAS & F0Eƀ& gd2Eog:d& & F gdKo"\&S & F0Eƀ& gd2Eog:d& & F{| |WS & F Eƀ&gd2Eog:d& & FS & F Eƀ&gd2Eog:d& & F |1|U|WS & F Eƀ&gd2Eog:d& & FS & F Eƀ&gd2Eog:d& & FU|l||||WNE^gd-^gdgAS & F Eƀ&gd2Eog:d& & FS & F Eƀ&gd2Eog:d& & F } } }}}@}A}E}F}R}S}T}n}o}p}}}}Ҵ}p_M>- h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6hfz6CJOJQJ^JaJ hd=6hd CJOJQJ^JaJh!i hfzCJOJQJh!i h-CJOJQJh-CJOJQJ^JaJh7CJOJQJ^JaJh/ CJOJQJ^JaJ hd=6h\CJOJQJ^JaJhd=6h\0JCJaJ)jhd=6h\CJOJQJU^JaJ/jRhd=6h\CJOJQJU^JaJ|R}S}T}o}p}+~NE<^gd ^gd S & F.Eƀ&.gd2Eog:d& & F gd-S & FEƀ&gd2Eog:d& & F}}*~,~Z~s~t~y~|~~~~~~~~&3VWY/0xxxgYKgghT_hCJOJQJ^JaJh=CJOJQJ^JaJ hd=6hHCJOJQJ^JaJ hd=6hd CJOJQJ^JaJh7.CJOJQJ^JaJhTCJOJQJ^JaJh5CJOJQJ^JaJhj6bCJOJQJ^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ#hd=6hez~6CJOJQJ^JaJ hd=6hez~CJOJQJ^JaJ+~,~s~t~<S & F7Eƀ&gd2Eog:d& & FS & F7Eƀ&gd2Eog:d& & F^gdez~^gdk%@^gd 0WS & F7Eƀ&gd2Eog:d& & FS & F7Eƀ&gd2Eog:d& & F01}~x ꣒seeTeFh/ CJOJQJ^JaJ hd=6h5CJOJQJ^JaJh5CJOJQJ^JaJhTCJOJQJ^JaJ hd=6h4^CJOJQJ^JaJ hd=6hd CJOJQJ^JaJ hd=6hHCJOJQJ^JaJhd=6hH0JCJaJ/jShd=6hS-^CJOJQJU^JaJ hd=6hez~CJOJQJ^JaJ)jhd=6hez~CJOJQJU^JaJ0xWS & F7Eƀ&gd2Eog:d& & FS & F7Eƀ&gd2Eog:d& & Fx>IS & FEƀ&gd2Eog:d& & F^gd gd\S & F7Eƀ&gd2Eog:d& & F>?|}߄123EFyz|!Lrڵڵwڵi[[MhTCJOJQJ^JaJhT_hCJOJQJ^JaJh=CJOJQJ^JaJ/jWhd=6h\CJOJQJU^JaJ/jUhd=6h\CJOJQJU^JaJhPCJOJQJ^JaJhd=6h\0JCJaJ/jThd=6h\CJOJQJU^JaJ)jhd=6h\CJOJQJU^JaJ hd=6h\CJOJQJ^JaJsWS & FEƀ&gd2Eog:d& & FS & FEƀ&gd2Eog:d& & Fr9:;<DKVWXklqпybN9)h=h=B*CJOJQJ^JaJph&h=6B*CJOJQJ^JaJph,hd=6hfz6B*CJOJQJ^JaJph#hd=6h&rK5CJOJQJ^JaJh!i h&CJOJQJh!i hez~CJOJQJh!i h9TCJOJQJhMLhMLCJOJQJ hd=6h&CJOJQJ^JaJ hd=6h7CJOJQJ^JaJhTCJOJQJ^JaJ hd=6h\CJOJQJ^JaJ s:;<WXMD;+^gdez~^gd&rKS & F.Eƀ&.gd2Eog:d& & Fgd&gd=t+S & FEƀ&gd2Eog:d& & Fq>Xˉ!"*1=AkuƊ$78[|´yyykkZyZyZZZ hd=6h TCJOJQJ^JaJhGICJOJQJ^JaJh/ CJOJQJ^JaJhTCJOJQJ^JaJ hd=6hZOCJOJQJ^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ hd=6hez~CJOJQJ^JaJ,hd=6hez~6B*CJOJQJ^JaJph)hd=6hez~B*CJOJQJ^JaJph#WX89ӎ~S & F1Eƀ&gd2Eog:d& & F^gd&^gdLA^gd T^gdk%@^gdZO ;DɌٍ NOP`ab±sfNf/jXhd=6hLACJOJQJU^JaJhd=6hZO0JCJaJ/jWhd=6hZOCJOJQJU^JaJ)jhd=6hZOCJOJQJU^JaJ hd=6hZOCJOJQJ^JaJ hd=6h&CJOJQJ^JaJ hd=6hLACJOJQJ^JaJh'$CJOJQJ^JaJ hd=6h TCJOJQJ^JaJhTCJOJQJ^JaJӎWS & F1Eƀ&gd2Eog:d& & FS & F1Eƀ&gd2Eog:d& & FAB#$%./02ےܒݒͼjX@/jV[hd=6h\CJOJQJU^JaJ#hd=6h\5CJOJQJ^JaJ/j{Zhd=6h\CJOJQJU^JaJhd=6h\0JCJaJ/jYhd=6h\CJOJQJU^JaJ)jhd=6h\CJOJQJU^JaJ hd=6h\CJOJQJ^JaJ hd=6h&rKCJOJQJ^JaJ hd=6h TCJOJQJ^JaJ hd=6hZOCJOJQJ^JaJAWNE^gd 8^8gd&rKS & F1Eƀ&gd2Eog:d& & FS & F1Eƀ&gd2Eog:d& & FAWS & F1Eƀ&gd2Eog:d& & FS & F1Eƀ&gd2Eog:d& & Fݒ*,0NYZ[\opqvͼl]L; hd=6h@ACJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ,jhd=6hfz6CJOJQJU^JaJ#hd=6hfz6CJOJQJ^JaJh!i h@ACJOJQJh!i h9TCJOJQJh!i hW CJOJQJ hd=6h&CJOJQJ^JaJ hd=6h\CJOJQJ^JaJ)jhd=6h\CJOJQJU^JaJhd=6h\0JCJaJ*+,[\'(RII^gdW S & F.Eƀ&.gd2Eog:d& & Fgd&S & F1Eƀ&gd2Eog:d& & F&(Vp̔EOPٕ?Vėҗ@Q<J ;YƚgqcqqqqqqqUqUh0CJOJQJ^JaJhj6bCJOJQJ^JaJhVCJOJQJ^JaJ hd=6h\(CJOJQJ^JaJh5CJOJQJ^JaJ hd=6h\CJOJQJ^JaJ hd=6h&CJOJQJ^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ hd=6h@ACJOJQJ^JaJ#hd=6h@A6CJOJQJ^JaJ (op@ES & FEƀ&gd2Eog:d& & FS & FEƀ&gd2Eog:d& & F^gdW ^gdk%@ŗAWS & FEƀ&gd2Eog:d& & FS & FEƀ&gd2Eog:d& & FA= WS & FEƀ&gd2Eog:d& & FS & FEƀ&gd2Eog:d& & F WNN^gd\(S & FEƀ&gd2Eog:d& & FS & FEƀ&gd2Eog:d& & F2NWS & FEƀ&gd2Eog:d& & FS & FEƀ&gd2Eog:d& & FNhWS & FEƀ&gd2Eog:d& & FS & FEƀ&gd2Eog:d& & FWS & FEƀ&gd2Eog:d& & FS & FEƀ&gd2Eog:d& & F<=IS & FEƀ&gd2Eog:d& & F^gd\(gd\(S & FEƀ&gd2Eog:d& & FWS & FEƀ&gd2Eog:d& & FS & FEƀ&gd2Eog:d& & FWS & FEƀ&gd2Eog:d& & FS & FEƀ&gd2Eog:d& & Fǝ՝֝CDgWNEEE^gd\(^gd\(S & FEƀ&gd2Eog:d& & FS & FEƀ&gd2Eog:d& & Fghʞ˞̞֞מ؞ٞ +,-.LW٢يykZM@h!i hfzOJQJ^Jh!i h!i OJQJ^J hd=6h7CJOJQJ^JaJh@ACJOJQJ^JaJ hd=6h@ACJOJQJ^JaJ/jJ]hd=6h\(CJOJQJU^JaJ#hd=6h\(5CJOJQJ^JaJhd=6h\(0JCJaJ/j/\hd=6h\(CJOJQJU^JaJ hd=6h\(CJOJQJ^JaJ)jhd=6h\(CJOJQJU^JaJg+,-.WRRRgd@AS & FEƀ&gd2Eog:d& & F S & FEƀ&gd2Eog:d& & F .XY ghzzgdl 7$8$H$^gdl^gdk%@$a$^gd gd V$ & F.Eƀ&.0a$gd2Eog:d& & F WXYZefk~ Nklz!YϽzl^MMM?Mh'$CJOJQJ^JaJ hd=6hlCJOJQJ^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ hd=6h>(uCJOJQJ^JaJ#hd=6h 6CJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6hfz6CJOJQJ^JaJ hd=6hfzCJOJQJ^JaJ hd=6h CJOJQJ^JaJh!i h>(u>*OJQJ^JY]gkJLX\cfMʪݪߪ3ʫ߫  [\]^~µvhvhhhhhhµh\kCJOJQJ^JaJhk%@CJOJQJ^JaJ hd=6h=t+CJOJQJ^JaJh'$CJOJQJ^JaJ#hd=6hl5CJOJQJ^JaJh!i hlCJOJQJ hd=6h7CJOJQJ^JaJhlCJOJQJ^JaJ hd=6hlCJOJQJ^JaJhbCJOJQJ^JaJ( 7$8$H$gd=t+7$8$H$^`gdlgdlS & F.Eƀ&.gd2Eog:d& & FФ[/g & F3 7$8$Eƀ&H$^gd2Eog:d& & F ^g & F3 7$8$Eƀ&H$^gd2Eog:d& & F ^[m/g & F3 7$8$Eƀ&H$^gd2Eog:d& & F ^g & F3 7$8$Eƀ&H$^gd2Eog:d& & F ^mۦ/g & F3 7$8$Eƀ&H$^gd2Eog:d& & F ^g & F3 7$8$Eƀ&H$^gd2Eog:d& & F ^/g & F3 7$8$Eƀ&H$^gd2Eog:d& & F ^g & F3 7$8$Eƀ&H$^gd2Eog:d& & F ^ʨ"/g & F2 7$8$Eƀ&H$^gd2Eog:d& & F ^g & F2 7$8$Eƀ&H$^gd2Eog:d& & F ^"M/g & F2 7$8$Eƀ&H$^gd2Eog:d& & F ^g & F2 7$8$Eƀ&H$^gd2Eog:d& & F ^Mʪ3/g & F2 7$8$Eƀ&H$^gd2Eog:d& & F ^g & F2 7$8$Eƀ&H$^gd2Eog:d& & F ^3\]^|wwgdl 7$8$H$^gd]m7$8$H$gdk%@o&g & F2 7$8$Eƀ&H$^gd2Eog:d& & F ^^~r1c & F4 Eƀ&^gd2Eog:d& & F ^gd ^`gdgdlS & F.Eƀ&.gd2Eog:d& & F[eڲ޲{|ghi·˷̷зѷOS:;﷦}}}}﷦k#hd=6hl5CJOJQJ^JaJh/ CJOJQJ^JaJhdXCJOJQJ^JaJh!i hlCJOJQJ hd=6h7CJOJQJ^JaJhCJOJQJ^JaJh\QCJOJQJ^JaJhbCJOJQJ^JaJh'$CJOJQJ^JaJ hd=6hCJOJQJ^JaJ!rŮ9c & F4 Eƀ&^gd2Eog:d& & F ^c & F4 Eƀ&^gd2Eog:d& & F ^Ů79c & F4 Eƀ&^gd2Eog:d& & F ^c & F4 Eƀ&^gd2Eog:d& & F ^h9c & F4 Eƀ&^gd2Eog:d& & F ^c & F4 Eƀ&^gd2Eog:d& & F ^h]9c & F4 Eƀ& ^gd2Eog:d& & F ^c & F4 Eƀ&^gd2Eog:d& & F ^19c & F4 Eƀ& ^gd2Eog:d& & F ^c & F4 Eƀ& ^gd2Eog:d& & F ^ghi944gdlc & F4 Eƀ& ^gd2Eog:d& & F ^c & F4 Eƀ& ^gd2Eog:d& & F ^iʹδ<@S & F5Eƀ&gd2Eog:d& & Fgd ^`gdgdlS & F.Eƀ&.gd2Eog:d& & F<ʵ%WS & F5Eƀ&gd2Eog:d& & FS & F5Eƀ&gd2Eog:d& & F%aWS & F5Eƀ&gd2Eog:d& & FS & F5Eƀ&gd2Eog:d& & FyWS & F5Eƀ&gd2Eog:d& & FS & F5Eƀ&gd2Eog:d& & FVɸWS & F5Eƀ& gd2Eog:d& & FS & F5Eƀ&gd2Eog:d& & Fɸ:;RI^gdlS & F.Eƀ&.gd2Eog:d& & FgdlS & F5Eƀ& gd2Eog:d& & F;fiOPqrǹǫnj{m_J9 hPhxCJOJQJ^JaJ)jhPhxCJOJQJU^JaJhxCJOJQJ^JaJhQ CJOJQJ^JaJ hd=6hQ CJOJQJ^JaJhlCJOJQJ^JaJ hd=6hdXCJOJQJ^JaJhdXCJOJQJ^JaJha6CJOJQJ^JaJ hd=6hlCJOJQJ^JaJ#hT_hB*CJOJQJ^JaJph)hd=6hlB*CJOJQJ^JaJph]WS & F5Eƀ& gd2Eog:d& & FS & F5Eƀ& gd2Eog:d& & F]WS & F5Eƀ&gd2Eog:d& & FS & F5Eƀ& gd2Eog:d& & F PWS & F5Eƀ&gd2Eog:d& & FS & F5Eƀ&gd2Eog:d& & FPrsyIS & FoEƀ&gd2Eog:d& & F^gdxgdxS & F5Eƀ&gd2Eog:d& & F yzܼݼ޼&')*+=>Ҵңңzse^QAhYM5hfz>*OJQJ\^Jh!i >*OJQJ\^J hd=6hfzha6CJOJQJ^JaJ hd=6hl hxh7CJOJQJ^JaJ/j_hPhxCJOJQJU^JaJ hPhxCJOJQJ^JaJ hPhPCJOJQJ^JaJhPhx0JCJaJ)jhPhxCJOJQJU^JaJ/jg^hPhxCJOJQJU^JaJy&'*+>?OJA/^gdZgdfzV$ & F.Eƀ&.0a$gd2Eog:d& & Fgda6S & FoEƀ&gd2Eog:d& & F>?KLQceͽѽνveveWPCh!i hZCJOJQJ h7h7hZCJOJQJ^JaJ hd=6hZCJOJQJ^JaJh\Q6CJOJQJ^JaJ#hd=6hZ6CJOJQJ^JaJ&hd=6hZ6CJOJQJ]^JaJ#hd=6hZCJOJQJ]^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6hfz6CJOJQJ^JaJ hd=6hfzCJOJQJ^JaJ}~ſƿxxo^gd@O^gdZ^gdk%@gdZ+^gdZ+^gdZS & F.Eƀ&.gd2Eog:d& & F+gd7+gdZ ѾҾ׾KP}~ƿٿ ҾҀn`RA3A3A3A3hbCJOJQJ^JaJ hd=6hZCJOJQJ^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ#hd=6hZ5CJOJQJ^JaJ&ho6B*CJOJQJ^JaJph)hd=6hZB*CJOJQJ^JaJph)h=h=B*CJOJQJ^JaJph&h=6B*CJOJQJ^JaJph,hd=6hZ6B*CJOJQJ^JaJph,hd=6hZ5B*CJOJQJ^JaJph 7MmnRSwx{ްޟtcRHhfz0JCJaJ h0/h0/CJOJQJ^JaJ hPh0/CJOJQJ^JaJ$hPhP0J>*B*CJaJphhP0J>*CJaJhd=6hfz0JCJaJ!jhd=6hfz0JCJUaJ#hd=6hZ5CJOJQJ^JaJhLCJOJQJ^JaJhbCJOJQJ^JaJ hd=6h@OCJOJQJ^JaJ hd=6hZCJOJQJ^JaJWS & FHEƀ&gd2Eog:d& & FS & F Eƀ&gd2Eog:d& & F+,-78;<=wfXC2 ha6hXCJOJQJ^JaJ)jha6hXCJOJQJU^JaJh@OCJOJQJ^JaJ hd=6h@OCJOJQJ^JaJ'jahd=6h@O0JCJUaJhd=6h@O0JCJaJ!jhd=6h@O0JCJUaJ$ha6ha60J>*B*CJaJph hd=6ha6CJOJQJ^JaJ'j`hd=6ha60JCJUaJhd=6ha60JCJaJ!jhd=6ha60JCJUaJ<WRRgdfzS & F Eƀ&gd2Eog:d& & FS & F Eƀ&gd2Eog:d& & F!"#67ҷuh[hI7(h=6CJOJQJ^JaJ#hd=6h@O6CJOJQJ^JaJ#hd=6h@O5CJOJQJ^JaJh!i h@OCJOJQJh!i hfzCJOJQJ hd=6h7CJOJQJ^JaJh@OCJOJQJ^JaJ)ha6hyB*CJOJQJ^JaJphhPCJOJQJ^JaJh/ CJOJQJ^JaJha6hX0JCJaJ)jha6hXCJOJQJU^JaJ/jbha6hXCJOJQJU^JaJ"##^gdPB=^gdk%@gdfz^gd@Ogd@OS & F.Eƀ&.gd2Eog:d& & F 7<O!w#$̫̽seWeI8!jha6h@O0JCJUaJhQY4CJOJQJ^JaJhbCJOJQJ^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ hd=6hfzCJOJQJ^JaJ0jhd=6h[0J,<CJOJQJU^JaJ#hd=6h@O5CJOJQJ^JaJho6CJOJQJ^JaJ#hd=6h@O6CJOJQJ^JaJ hd=6h@OCJOJQJ^JaJ h=h=CJOJQJ^JaJ$defpq\()*+,/0!"#9ΰΰvvhWJh!i hfzCJOJQJ hd=6h7CJOJQJ^JaJhfzCJOJQJ^JaJhPCJOJQJ^JaJhP0JCJaJ'jdha6h@O0JCJUaJhQY4CJOJQJ^JaJ hd=6h@OCJOJQJ^JaJha6h@O0JCJaJ!jha6h@O0JCJUaJ'jcha6h,[0JCJUaJha6hQY40JCJaJ#!"#WRRgdfzS & F5Eƀ&gd2Eog:d& & FS & F5Eƀ&gd2Eog:d& & F#HI89NOuh^hgdx^gdk%@^gdy+^gdygdyS & F.Eƀ&.gd2Eog:d& & F 9HI\]btuv689gʶ{iUʌ{G9{hk%@CJOJQJ^JaJh\kCJOJQJ^JaJ&ho6B*CJOJQJ^JaJph#hd=6hy6CJOJQJ^JaJ hd=6hyCJOJQJ^JaJ)hd=6hyB*CJOJQJ^JaJph)h=h=B*CJOJQJ^JaJph&h=6B*CJOJQJ^JaJph,hd=6hy6B*CJOJQJ^JaJph#hd=6hy5CJOJQJ^JaJh!i hyCJOJQJ7;CMV`ab234DEMNRuӷӍrdS h/ hxCJOJQJ^JaJhxCJOJQJ^JaJhyCJOJQJ^JaJhDShy0JCJaJ/jehDSh,[CJOJQJU^JaJ#jhDSCJOJQJU^JaJhQY4CJOJQJ^JaJh'$CJOJQJ^JaJhDSCJOJQJ^JaJ hd=6hyCJOJQJ^JaJhbCJOJQJ^JaJuvWXYbc9]^_`ٜلsbTC hd=6hDSCJOJQJ^JaJh, !CJOJQJ^JaJ hxh, !CJOJQJ^JaJ hxhxCJOJQJ^JaJ/jhh/ hxCJOJQJU^JaJ/jgh/ hxCJOJQJU^JaJh/ hx0JCJaJ/jgh/ hxCJOJQJU^JaJ h/ hxCJOJQJ^JaJ)jh/ hxCJOJQJU^JaJuWS & FpEƀ&gd2Eog:d& & FS & FpEƀ&gd2Eog:d& & F^_`~OF^gd, !V$ & F.Eƀ&.0a$gd2Eog:d& & Fgd, !S & FpEƀ&gd2Eog:d& & F`}~RSƷƆwcTB5h!i h, !CJOJQJ#hd=6h75CJOJQJ^JaJh, !5CJOJQJ^JaJ&hd=6h, !56CJOJQJ^JaJhN6CJOJQJ^JaJho6CJOJQJ^JaJ hd=6h, !CJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6h, !6CJOJQJ^JaJ#hd=6h, !5CJOJQJ^JaJhYM5h, !OJQJ\h!i OJQJ\RSDEabcypp^gd+N^gd^gd+N^gdk%@gd, !+^gd, !^gd, !S & F.Eƀ&.gd2Eog:d& & F SgiDEsACabűܣ~p_N_p_p_<#h+NB*CJOJQJ^JaJph hhGCJOJQJ^JaJ hhf]CJOJQJ^JaJhCJOJQJ^JaJ,hd=6hk%@5B*CJOJQJ^JaJphhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ&ho6B*CJOJQJ^JaJph,hDSh, !6B*CJOJQJ^JaJph hd=6h, !CJOJQJ^JaJ#hDSh, !6CJOJQJ^JaJbcT=AB˼ˋ}oaaPC/'jihd=6h`.0JCJUaJhd=6h`.0JCJaJ!jhd=6h`.0JCJUaJhDSCJOJQJ^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJh\Q6CJOJQJ^JaJ hd=6h`.CJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6h`.6CJOJQJ^JaJh!i h+NCJOJQJ)hd=6h7B*CJOJQJ^JaJphcST^gd`.^gdk%@^gd`.S & F.Eƀ&.gd2Eog:d& & F w?B ´´´´£yjXKh!i h`.CJOJQJ#hd=6h75CJOJQJ^JaJh`.5CJOJQJ^JaJhNCJOJQJ^JaJh.GCJOJQJ^JaJh<CJOJQJ^JaJ hDShDSCJOJQJ^JaJhDSCJOJQJ^JaJ hd=6h`.CJOJQJ^JaJh/ CJOJQJ^JaJhd=6h`.0JCJaJ!jhd=6h`.0JCJUaJ !"#jk^gdk%@+^gd`.S & F.Eƀ&.gd2Eog:d& & F !45:HN"#QjkƵ{fXJ<+ hPB=hj6bCJOJQJ^JaJhj6bCJOJQJ^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ)hd=6h`.B*CJOJQJ^JaJph,hDSh`.6B*CJOJQJ^JaJph#hDSh`.6CJOJQJ^JaJ hd=6h`.CJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6h`.6CJOJQJ^JaJ/hd=6h`.5B*CJOJQJ]^JaJph  `f<=>Gիիՙo^Fo9hd=6h`.0JCJaJ/jjhd=6h`.CJOJQJU^JaJ hd=6h`.CJOJQJ^JaJ)jhd=6h`.CJOJQJU^JaJ)hd=6h`.B*CJOJQJ^JaJph#h0B*CJOJQJ^JaJph)hPB=h8B*CJOJQJ^JaJph)hPB=hj6bB*CJOJQJ^JaJph)hPB=h0B*CJOJQJ^JaJph)hPB=hk%@B*CJOJQJ^JaJphGHIJKY7d +,-βΤΤ΅t`WK7&hd=6h[5>*CJOJQJ^JaJhYM5h[OJQJ\hv6>OJQJ\&hd=6h75CJOJQJ]^JaJ h75CJOJQJ]^JaJ h`.5CJOJQJ]^JaJh.GCJOJQJ^JaJhNCJOJQJ^JaJhj=CJOJQJ^JaJhPCJOJQJ^JaJ hd=6h`.CJOJQJ^JaJ,jhd=6h`.5CJOJQJU^JaJhP0JCJaJ ,-KFgd[V$ & F.Eƀ&.0a$gd2Eog:d& & F^gd`.S & F5Eƀ&gd2Eog:d& & F-9:?QS2`yzɷ쥑s_ɷQC4hk%@CJOJQJ]^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ&hd=6hSZ6CJOJQJ]^JaJ hd=6h[CJOJQJ^JaJh!i h[CJOJQJ&hd=6h[5>*CJOJQJ^JaJ#hd=6h[6CJOJQJ^JaJ#hd=6h[CJOJQJ]^JaJ#h=h=CJOJQJ]^JaJ h=6CJOJQJ]^JaJ&hd=6h[6CJOJQJ]^JaJ-12yz^gdk%@^gd[S & F.Eƀ&.gd2Eog:d& & Fgd[ 0]^gd[ +S[\ijkпЮпЮ޿ЮЮпtZ톮2jkhj6bh6CJOJQJU^JaJ#hj6bhBY6CJOJQJ^JaJ,jhj6bhBY6CJOJQJU^JaJ hj=h'$CJOJQJ^JaJ hj=h[CJOJQJ^JaJ hj=h.GCJOJQJ^JaJh/ CJOJQJ^JaJh/ 6CJOJQJ^JaJ#hj6bh[6CJOJQJ^JaJ#+WS & F5Eƀ&gd2Eog:d& & FS & F5Eƀ&gd2Eog:d& & FWS & F5Eƀ&gd2Eog:d& & FS & F5Eƀ&gd2Eog:d& & F45<jst ޿}p\}p}RA hd=6h[CJOJQJ^JaJhP0JCJaJ'jlhj=h[0JCJUaJhj=h[0JCJaJ!jhj=h[0JCJUaJ hPB=hj6bCJOJQJ^JaJh/ CJOJQJ^JaJ#hPB=hj6b6CJOJQJ^JaJh[CJOJQJ^JaJ hj=hECJOJQJ^JaJ hj=h[CJOJQJ^JaJ hj=h.GCJOJQJ^JaJtuWNN^gdj=S & F5Eƀ&gd2Eog:d& & FS & F5Eƀ&gd2Eog:d& & FP9:BCLMϱϣp\H\4&hd=6h%(6CJOJQJ]^JaJ&hd=6hSZ6CJOJQJ]^JaJ&hd=6hN6CJOJQJ]^JaJ)hd=6hNB*CJOJQJ^JaJphh!i hNCJOJQJ hd=6h7CJOJQJ^JaJh[CJOJQJ^JaJhNCJOJQJ]^JaJh.GCJOJQJ]^JaJ#hd=6h[CJOJQJ]^JaJ hj=h[CJOJQJ^JaJhPCJOJQJ^JaJ9:RIII+^gdNS & F.Eƀ&.gd2Eog:d& & Fgd[S & F5Eƀ&gd2Eog:d& & FMNSpq9˷}o]L;&;)jhd=6h%(CJOJQJU^JaJ hd=6h%(CJOJQJ^JaJ hd=6hNCJOJQJ^JaJ#hk%@B*CJOJQJ^JaJphhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ)hd=6hNB*CJOJQJ^JaJph,hd=6hN6B*CJOJQJ^JaJph&hd=6hN6CJOJQJ]^JaJ#hd=6hNCJOJQJ]^JaJ#h=h=CJOJQJ]^JaJ h=6CJOJQJ]^JaJ FES & F5Eƀ&gd2Eog:d& & FS & F5Eƀ&gd2Eog:d& & F+^gdk%@^gdk%@9:;BCDFGҴiR4iRi;jnhd=6h.G>*B*CJOJQJU^JaJph,hd=6h.G>*B*CJOJQJ^JaJph5jhd=6h.G>*B*CJOJQJU^JaJph hd=6h.GCJOJQJ^JaJhT_hCJOJQJ^JaJ hd=6hNCJOJQJ^JaJ hd=6h%(CJOJQJ^JaJhd=6h%(0JCJaJ)jhd=6h%(CJOJQJU^JaJ/jmhd=6h%(CJOJQJU^JaJ"+,:YKLMNnoпvdOB*/hd=6h%(6B*CJOJQJ]^JaJphh!i h%(CJOJQJ)hd=6h7B*CJOJQJ^JaJph#hNB*CJOJQJ^JaJph hd=6h49CJOJQJ^JaJhj6bCJOJQJ^JaJh49CJOJQJ^JaJh%(CJOJQJ^JaJh'$CJOJQJ^JaJ hd=6h%(CJOJQJ^JaJ hd=6hNCJOJQJ^JaJ hd=6h.GCJOJQJ^JaJh.GCJOJQJ^JaJWS & F5Eƀ&gd2Eog:d& & FS & F5Eƀ&gd2Eog:d& & F,LMNWRR+gdNS & F5Eƀ&!gd2Eog:d& & FS & F5Eƀ& gd2Eog:d& & FNno56ES & F5Eƀ&"gd2Eog:d& & F^gdk%@+^gd%(S & F.Eƀ&.gd2Eog:d& & Fowx6ǵwi[D)5jhd=6h%(>*B*CJOJQJU^JaJph,hd=6h%(B*CJOJQJ]^JaJphhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ)hd=6h%(B*CJOJQJ^JaJph,hd=6h%(6B*CJOJQJ^JaJph#hd=6h%(CJOJQJ]^JaJ#h=h=CJOJQJ]^JaJ h=6CJOJQJ]^JaJ&hd=6hSZ6CJOJQJ]^JaJ&hd=6h%(6CJOJQJ]^JaJ ./ ˰鰙xiWJ6&hd=6h%(6CJOJQJ]^JaJh!i h%(CJOJQJ#hd=6h7CJOJQJ]^JaJheCJOJQJ]^JaJh%(CJOJQJ]^JaJ#hd=6h%(CJOJQJ]^JaJ,hd=6h%(B*CJOJQJ]^JaJph5jhd=6h%(>*B*CJOJQJU^JaJph;j phd=6h%(>*B*CJOJQJU^JaJph,hd=6h%(>*B*CJOJQJ^JaJph UWS & F5Eƀ&$gd2Eog:d& & FS & F5Eƀ&#gd2Eog:d& & F RII^gd%(S & F.Eƀ&.gd2Eog:d& & F+gd%(S & F5Eƀ&%gd2Eog:d& & F#A~ ǵseTC5h.CJOJQJ^JaJ hd=6h{iCJOJQJ^JaJ hd=6hXsFCJOJQJ^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ hd=6hNCJOJQJ^JaJ hd=6h%(CJOJQJ^JaJ#hd=6h%(CJOJQJ]^JaJ#h=h=CJOJQJ]^JaJ h=6CJOJQJ]^JaJ&hd=6h%(6CJOJQJ]^JaJ&hd=6h{i6CJOJQJ]^JaJES & F5Eƀ&'gd2Eog:d& & FS & F5Eƀ&&gd2Eog:d& & F^gdk%@^gd%(019Dauv6F̧̖tbPbPbP>#hj=h{iCJOJQJ]^JaJ#hj=hRltCJOJQJ]^JaJ#hj=h%(CJOJQJ]^JaJ hd=6h%(CJOJQJ^JaJ hNh%(CJOJQJ^JaJ hNh{iCJOJQJ^JaJhd=6h{i0JCJaJ/jqhd=6h{iCJOJQJU^JaJ)jhd=6h{iCJOJQJU^JaJ hd=6h{iCJOJQJ^JaJhNCJOJQJ^JaJ'WS & FREƀ&ogd2Eog:d& & FS & F5Eƀ&(gd2Eog:d& & F'9LWS & FREƀ&ogd2Eog:d& & FS & FREƀ&ogd2Eog:d& & FLvWS & F5Eƀ&)gd2Eog:d& & FS & FREƀ&ogd2Eog:d& & F WS & F5Eƀ&+gd2Eog:d& & FS & F5Eƀ&*gd2Eog:d& & F 7gdRlt^gd{igd{i^gdj=S & F5Eƀ&,gd2Eog:d& & FFG>_`ʼʮʙʁtfXG>2hYM5hNOJQJ\h!i OJQJ\ hd=6h7CJOJQJ^JaJh7CJOJQJ^JaJhRltCJOJQJ^JaJhd=6h{i0JCJaJ/j8rhd=6h{iCJOJQJU^JaJ)jhd=6h{iCJOJQJU^JaJh.CJOJQJ^JaJh/ CJOJQJ^JaJ hd=6h{iCJOJQJ^JaJ#hj=h{iCJOJQJ]^JaJ#hj=h.CJOJQJ]^JaJ^_01zqhqqq^gdk%@^gdD++^gdD+^gdD+gd!i ^gd{i+^gd{igd{iV$ & F.Eƀ&.0a$gd2Eog:d& & F  \^_˺ڒ}pcO=˺#hd=6hD+6CJOJQJ^JaJ&hd=6hD+5CJOJQJ]^JaJh!i hNCJOJQJh!i h{iCJOJQJ)hd=6h{iB*CJOJQJ^JaJph,hd=6h{i6B*CJOJQJ^JaJph hd=6h{iCJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6h{i6CJOJQJ^JaJ&hd=6h{i5>*CJOJQJ^JaJVWYgh´Š|gOgBghd=6hD+0JCJaJ/j=shd=6hD+CJOJQJU^JaJ)jhd=6hD+CJOJQJU^JaJh/ CJOJQJ^JaJh=CJOJQJ^JaJh.CJOJQJ^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ hd=6hD+CJOJQJ^JaJ,hd=6hD+6B*CJOJQJ^JaJph)hd=6hD+B*CJOJQJ^JaJphEFGNOQ/01٣yykZH6#hj=hD+CJOJQJ]^JaJ#hj=hj6bCJOJQJ]^JaJ hd=6h.CJOJQJ^JaJhD+CJOJQJ^JaJh.CJOJQJ^JaJh/ CJOJQJ^JaJh=CJOJQJ^JaJ hd=6hD+CJOJQJ^JaJh/ hD+0JCJaJ/jlth/ hD+CJOJQJU^JaJ h/ hD+CJOJQJ^JaJ)jh/ hD+CJOJQJU^JaJ17NS & F5Eƀ&.gd2Eog:d& & FS & F5Eƀ&-gd2Eog:d& & F^gdD+m}~VWYz~ɵr`Qr@ hD+5>*CJOJQJ^JaJh\Q6CJOJQJ^JaJ#h/ h/ 6CJOJQJ^JaJ hd=6hD+CJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6hD+6CJOJQJ^JaJ&hd=6hD+5>*CJOJQJ^JaJhYM5hD+OJQJ\hF(OJQJ\#hj=hD+CJOJQJ]^JaJhPB=CJOJQJ]^JaJ7HmWS & F5Eƀ&0gd2Eog:d& & FS & F5Eƀ&/gd2Eog:d& & Fm~FA+gdD+S & F.Eƀ& .gd2Eog:d& & F/^gdD+gdD+V$ & F.Eƀ& .0a$gd2Eog:d& & F"&')*սzcOc:&&hd=6hD+5CJOJQJ]^JaJ)hd=6hD+B*CJOJQJ^JaJph&h\Q6B*CJOJQJ^JaJph,hd=6hD+6B*CJOJQJ^JaJph hd=6hD+CJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6hD+6CJOJQJ^JaJ/hd=6hD+5B*CJOJQJ]^JaJphhF(hD+CJOJQJhF(CJOJQJ&hd=6h75>*CJOJQJ^JaJ )*qr\] ~S & F5Eƀ&1gd2Eog:d& & F^gd^gd?QZ[\]^ϋwbQ9bb/jwhd=6hCJOJQJU^JaJ hd=6hCJOJQJ^JaJ)jhd=6hCJOJQJU^JaJ&hd=6hD+5CJOJQJ]^JaJ#hd=6hCJOJQJ\^JaJhd=6hD+0JCJaJh/ 0JCJaJhd=6h0JCJaJhd=6h0JCJ\aJ,jhd=6hCJOJQJU\^JaJ2jvhd=6hCJOJQJU\^JaJ tuvlϴk\M;-hg0J>*B*CJph#jhg0J>*B*CJUphhD+CJOJQJ\^JaJhPCJOJQJ\^JaJ&hP>*B*CJOJQJ^JaJph;jxhd=6h>*B*CJOJQJU^JaJph,hd=6h>*B*CJOJQJ^JaJph5jhd=6h>*B*CJOJQJU^JaJph#hd=6hCJOJQJ\^JaJ hd=6hCJOJQJ^JaJhPCJOJQJ^JaJ WRI^gdD+gdPoS & F5Eƀ&3gd2Eog:d& & FS & F5Eƀ&2gd2Eog:d& & Flmn-z׾|o|]N=,] hd=6hCJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6h6CJOJQJ^JaJhF(hCJOJQJ&hd=6h5CJOJQJ]^JaJ hd=6hPoCJOJQJ^JaJhghgCJOJQJ^Jhg0J>*B*CJphhP0J>*B*CJphhghg0JCJ#jhg0J>*B*CJUph+j zhghs[CJOJQJU^JyzabMNqgdML^gdML^gdk%@^gdh=6CJOJQJ^JaJ#hd=6h 6CJOJQJ^JaJ/hd=6h 6B*CJOJQJ]^JaJphhF(h CJOJQJhF(CJOJQJ hd=6h7CJOJQJ^JaJh CJOJQJ^JaJ hh CJOJQJ^JaJ#hhMLCJH*OJQJ^JaJ hhMLCJOJQJ^JaJ hGhMLCJOJQJ^JaJh/ CJOJQJ^JaJ345WRRgd S & F5Eƀ&?gd2Eog:d& & FS & F5Eƀ&>gd2Eog:d& & F5noWXJKn^gd_,^gdk%@+^gd +^gd S & F.Eƀ& .gd2Eog:d& & F  >WX[i̵r]H]3])hohk%@B*CJOJQJ^JaJph)hohCHB*CJOJQJ^JaJph)hoh B*CJOJQJ^JaJph#hk%@B*CJOJQJ^JaJphhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ)hd=6h B*CJOJQJ^JaJph,hd=6h 6B*CJOJQJ^JaJph#hd=6h 6CJOJQJ^JaJ hd=6h CJOJQJ^JaJ h=h=CJOJQJ^JaJ IJKmnoñ꜇ufTF.T/jhghs[CJOJQJU^JaJhgCJOJQJ^JaJ#jhgCJOJQJU^JaJh_,CJOJQJ]^JaJ#hd=6h_,CJOJQJ]^JaJ)hd=6h_,B*CJOJQJ^JaJph)hoh B*CJOJQJ^JaJph#hNB*CJOJQJ^JaJph)hohCHB*CJOJQJ^JaJph#hxB*CJOJQJ^JaJph)hoh_,B*CJOJQJ^JaJphefg-145EFӴhZK777&hI`hI`5CJOJQJ]^JaJhPCJOJQJ]^JaJhI`hI`0JCJ]aJ2j݂hI`hI`CJOJQJU]^JaJhI`CJOJQJ]^JaJ&jhI`CJOJQJU]^JaJhgCJOJQJ]^JaJ hghgCJOJQJ^JaJhgCJOJQJ^JaJhPCJOJQJ^JaJ#jhgCJOJQJU^JaJhghg0JCJaJnfdWS & F5Eƀ&Agd2Eog:d& & FS & F5Eƀ&@gd2Eog:d& & FFOPZ[bcd~ͻwiXFXiX4#h_,B*CJOJQJ^JaJph#hhMLCJH*OJQJ^JaJ hhMLCJOJQJ^JaJh/ CJOJQJ^JaJ hhGCJOJQJ^JaJ hGhGCJOJQJ^JaJ hGhMLCJOJQJ^JaJ hGh_,CJOJQJ^JaJ#hd=6hI`CJOJQJ]^JaJh/ CJOJQJ]^JaJ&hI`hI`5CJOJQJ]^JaJhI`CJOJQJ]^JaJdWRRM+gd_,gdMLS & F5Eƀ&Cgd2Eog:d& & FS & F5Eƀ&Bgd2Eog:d& & F  abyhQ=Q()hd=6h_,B*CJOJQJ^JaJph&h\Q6B*CJOJQJ^JaJph,hd=6h_,6B*CJOJQJ^JaJph hd=6h_,CJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6h_,6CJOJQJ^JaJ)hd=6h_,5>*CJOJQJ]^JaJhYM5h*CJOJQJ]^JaJ#hCHB*CJOJQJ^JaJph)hd=6h:B*CJOJQJ^JaJph'(|}7$+,89q\ }}2]d]]^gd/ 1b]b^gd/ +^gd/ +gd,V$ & F.Eƀ& .0a$gd2Eog:d& & F /02|:;@SX$().AF+쓪쓪쓪m^Lm=mho6CJOJQJ^JaJ#h/ h=6CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6h,6CJOJQJ^JaJ&ho6B*CJOJQJ^JaJph,h/ h=6B*CJOJQJ^JaJph,hd=6h,6B*CJOJQJ^JaJph,hd=6h:6B*CJOJQJ^JaJph&hY6B*CJOJQJ^JaJph&h=6B*CJOJQJ^JaJph+:=89HJQq\ ]   zhVE7)hk%@CJOJQJ^JaJh\kCJOJQJ^JaJ hd=6h"CJOJQJ^JaJ#hd=6h,6CJOJQJ^JaJ#hd=6h"6CJOJQJ^JaJ hd=6h,CJOJQJ^JaJ&hd=6h,6CJOJQJ]^JaJhY6CJOJQJ^JaJ#hYh,6CJOJQJ^JaJ)hd=6h,B*CJOJQJ^JaJph&hY6B*CJOJQJ^JaJph,hd=6h,6B*CJOJQJ^JaJph\ ]   !!!{"S & F@Eƀ&gd2Eog:d& & F+gdk%@+^gdk%@^gdk%@+gd"    !!B!P!!!!!!!!V"W"X"x"y"z"ر|mS|E|6hYCJOJQJ]^JaJhNhN0JCJ]aJ2jhNh\I^CJOJQJU]^JaJhNCJOJQJ]^JaJ&jhNCJOJQJU]^JaJh"CJOJQJ]^JaJ#hd=6h"CJOJQJ]^JaJ)hd=6h,B*CJOJQJ^JaJph#hCHB*CJOJQJ^JaJph)hd=6h"B*CJOJQJ^JaJph#hk%@B*CJOJQJ^JaJphz"{"|""""""#########ܴܥo_XD3 hd=6h"CJOJQJ^JaJ&hd=6h"6CJOJQJ]^JaJ hrQ/hrQ/hrQ/hNCJ OJQJ\aJ hrQ/hrQ/CJ OJQJ\aJ hrQ/ hN6CJOJQJ]^JaJ hd=6h:CJOJQJ^JaJhYCJOJQJ]^JaJhNhN0JCJ]aJ2jhNh\I^CJOJQJU]^JaJ&jhNCJOJQJU]^JaJhNCJOJQJ]^JaJ{"#####3#EV$ & F.Eƀ& .0a$gd2Eog:d& & F+gdrQ/gdrQ//gd"S & F@Eƀ&gd2Eog:d& & F#2#3#@#A#F#Y#.$/$0$=$U$V$e$f$k$}$~$$P%ɸؓ|reSɸS<,hd=6hSZ6B*CJOJQJ^JaJph#hd=6hSZ5CJOJQJ^JaJhF(hSZCJOJQJhF(CJOJQJ,hd=6h75;>*CJOJQJ]^JaJ&hSZ5;>*CJOJQJ]^JaJ hd=6hSZCJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6hSZ6CJOJQJ^JaJhYM5hSZOJQJ\hF(OJQJ\3#4#.$/$0$U$V$R%S%%%''((yyyyy^gd^gdk%@^gdSZ+^gdSZS & F.Eƀ& .gd2Eog:d& & FgdSZ^gdSZP%R%S%%%%%%%% &'@((((((g)ʼ}}}n_M;M#hPB=h8CJOJQJ]^JaJ#hPB=hj6bCJOJQJ]^JaJhCJOJQJ]^JaJhs#CJOJQJ]^JaJha-ZCJOJQJ]^JaJ#hd=6hCJOJQJ]^JaJh49CJOJQJ]^JaJhk%@CJOJQJ]^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ#hd=6hSZ5CJOJQJ^JaJ)hd=6hSZB*CJOJQJ^JaJph(g)h))k* +NS & F5Eƀ&Egd2Eog:d& & FS & F5Eƀ&Dgd2Eog:d& & F^gdg)h))))))*****k*l*********ƵƐƂƵjƐƂXIhP5CJOJQJ^JaJ#hd=6h5CJOJQJ^JaJ/j hd=6hCJOJQJU^JaJhPCJOJQJ^JaJhd=6h0JCJaJ/jhd=6hCJOJQJU^JaJ hd=6hCJOJQJ^JaJ)jhd=6hCJOJQJU^JaJ#hd=6hCJOJQJ]^JaJ#hPB=hCJOJQJ]^JaJ** +:+n+o+p+q+r+{+|++++++++ͼ͝|r|r|eQ?0h=6CJOJQJ^JaJ#hd=6h6CJOJQJ^JaJ&hd=6h5CJOJQJ]^JaJhF(hSZCJOJQJhF(CJOJQJhF(hCJOJQJ&hd=6h75CJOJQJ]^JaJ hSZ5CJOJQJ]^JaJhaCJOJQJ^JaJ hGhGCJOJQJ^JaJ hGhCJOJQJ^JaJ hd=6hCJOJQJ^JaJ hPhPCJOJQJ^JaJ +p+q+r+++Q,RI@+^gd^gdS & F.Eƀ& .gd2Eog:d& & FgdSZS & F5Eƀ&Fgd2Eog:d& & F+++O,Q,R,,,,..+/,/-////ڱwhYG5G#hPB=h0QlCJOJQJ]^JaJ#hPB=h8CJOJQJ]^JaJh8CJOJQJ]^JaJhCJOJQJ]^JaJh<CJOJQJ]^JaJhk%@CJOJQJ]^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ#hd=6hCJOJQJ]^JaJ,hd=6h6B*CJOJQJ^JaJph)hd=6hB*CJOJQJ^JaJph h=h=CJOJQJ^JaJQ,R,,,,/-/ 0!0D01S & F5Eƀ&Ggd2Eog:d& & F^gd8^gdk%@^gd //0 0!0D0E000000001111ǵxj_jN@.#jhI`CJOJQJU^JaJhI`CJOJQJ^JaJ hI`hI`CJOJQJ^JaJhF0JCJ]aJhFhF0JCJ]aJ2jhFhs[CJOJQJU]^JaJ&jhFCJOJQJU]^JaJhFCJOJQJ]^JaJ#hPB=hFCJOJQJ]^JaJ&hPB=h85CJOJQJ]^JaJ#hPB=h8CJOJQJ]^JaJ#hPB=hPB=CJOJQJ]^JaJ1o1p1q111111112222 2728292Ȼ򟎀oeXeXK7&hd=6h bm5CJOJQJ]^JaJhF(hCJOJQJhF(h bmCJOJQJhF(CJOJQJ hd=6h7CJOJQJ^JaJh bmCJOJQJ^JaJ hI`hFCJOJQJ^JaJhaCJOJQJ^JaJhPCJOJQJ^JaJhFhI`0JCJaJ#jhI`CJOJQJU^JaJ/jh=9hCJOJQJU^JaJhI`CJOJQJ^JaJ112282921323RI@I^gd bm^gd bmS & F.Eƀ& .gd2Eog:d& & FgdS & F5Eƀ&Hgd2Eog:d& & F92J2K2P2b2c2d20323`3y3z355 6ͼtfWE6Eh<CJOJQJ]^JaJ#hd=6h bmCJOJQJ]^JaJhk%@CJOJQJ]^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ&hd=6h bm5CJOJQJ]^JaJ&hd=6h bm56CJOJQJ^JaJ#hd=6h bm5CJOJQJ^JaJ hd=6h bmCJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6h bm6CJOJQJ^JaJ23y3z3 6 677%77S & F5Eƀ&Igd2Eog:d& & F 0^`0gd7^gd bm^gd bm^gdk%@ 6 6 66666666777$7%7&7l7ϱϢώ}lZH:hFCJOJQJ^JaJ#jhFCJOJQJU^JaJ#hFhFCJOJQJ]^JaJ hF5CJOJQJ]^JaJ h bm5CJOJQJ]^JaJ&h8hF5CJOJQJ]^JaJhPB=CJOJQJ]^JaJh8CJOJQJ]^JaJh0QlCJOJQJ]^JaJ#h8hFCJOJQJ]^JaJhFCJOJQJ]^JaJh bmCJOJQJ]^JaJl7m7n7w7x7z7{7|777D8E8F8c8d8e8f88888888պլլuaWJhF(h bmCJOJQJhF(CJOJQJ&hd=6h75CJOJQJ]^JaJ hF5CJOJQJ]^JaJhaCJOJQJ^JaJ/j2h=9hCJOJQJU^JaJhFCJOJQJ^JaJhPCJOJQJ^JaJhFhF0JCJaJ#jhFCJOJQJU^JaJ/jOhFhs[CJOJQJU^JaJ78888899NEE^gd bmS & F.Eƀ& .gd2Eog:d& & F^gd bmS & F5Eƀ&Jgd2Eog:d& & F88 9 99"9999:+:,::c;{;˺{gUC1#hPB=hDzhCJOJQJ]^JaJ#h8hDzhCJOJQJ]^JaJ#h8h bmCJOJQJ]^JaJ&hk%@B*CJOJQJ]^JaJphhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ#hoh bm6CJOJQJ^JaJ hd=6h bmCJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6h bm6CJOJQJ^JaJ&hd=6h bm5CJOJQJ]^JaJ9+:,:;;;;;;;gdp?V$ & F.Eƀ& .0a$gd2Eog:d& & F^gd bm^gd bm^gdk%@ {;;;;;;;;;;;;;;;ɷuiuU>1'hF(CJOJQJhF(hp?CJOJQJ,hd=6h75;>*CJOJQJ]^JaJ&hp?5;>*CJOJQJ]^JaJhYM5hp?OJQJ\hYM5h bmOJQJ\&hd=6h85CJOJQJ]^JaJ h85CJOJQJ]^JaJ h bm5CJOJQJ]^JaJ#h8h bmCJOJQJ]^JaJ#h8hDzhCJOJQJ]^JaJ#hPB=hDzhCJOJQJ]^JaJ#hPB=h8CJOJQJ]^JaJ;;<<<<<<)<(=,=.=/=]=v=w=W>n`R@/ hohp?CJOJQJ^JaJ#hk%@B*CJOJQJ^JaJphhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ#hd=6hp?6CJOJQJ^JaJh\Q6CJOJQJ^JaJ hd=6h bmCJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6h bm6CJOJQJ^JaJ&hd=6h bm6CJOJQJ]^JaJhF(hlCJOJQJhF(hp?CJOJQJ;<<.=/=v=w=??@^gdk%@^gdp?gd bmS & F.Eƀ& .gd2Eog:d& & F W>b>>>>?)?Y?a?????@@@@@@@@ͼͫpVK;hP>*B*CJOJQJphhDzhhDzh0JCJ3jhDzhhDzh>*B*CJOJQJUph$hDzhhDzh>*B*CJOJQJph-jhDzhhDzh>*B*CJOJQJUph hPB=h8CJOJQJ^JaJ hPB=h)CJOJQJ^JaJ hPB=hoCJOJQJ^JaJ hPB=hp?CJOJQJ^JaJ h8hoCJOJQJ^JaJ h8hp?CJOJQJ^JaJ@@AAA B B BBBB B&B.BDBEBFBGBBBBȺșȋzzlZL6Z+jh)hs[CJOJQJU^Jh)0J>*B*CJph#jh)0J>*B*CJUphha0J>*B*CJph hDzhhDzh0J>*B*CJphhP0J>*B*CJphhDzhhDzh0JCJ+jhDzhhs[CJOJQJU^JhDzh0J>*B*CJph#jhDzh0J>*B*CJUphhp?CJOJQJ^JaJ hDzhhDzhCJOJQJ^JaJ h1:hDzh@AFBWS & F5Eƀ&Lgd2Eog:d& & FS & F5Eƀ&Kgd2Eog:d& & FBBBBBBBC CCCC C!C&Cij{nYG8' h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6hp?6CJOJQJ^JaJ)hd=6hp?B*CJOJQJ^JaJphhF(h bmCJOJQJhF(hlCJOJQJhF(hp?CJOJQJhF(hF(CJOJQJ hd=6h bmCJOJQJ^JaJ hDzhhDzhCJOJQJ^JaJ hDzhh)0J>*B*CJphh)0J>*B*CJph#jh)0J>*B*CJUphh)h)0JCJFBBBBCCCID;+^gdp?+gdp?S & F.Eƀ& .gd2Eog:d& & Fgd bm^gdDzhS & F5Eƀ&Mgd2Eog:d& & F&C9CxC|CCCCCCCLDNDDDDDEӿ걣|gRg@g+g)hXh`- B*CJOJQJ^JaJph#hoB*CJOJQJ^JaJph)hXhgB*CJOJQJ^JaJph)hXh$;B*CJOJQJ^JaJph)hXhp?B*CJOJQJ^JaJph#hk%@B*CJOJQJ^JaJphhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ&h\Q6B*CJOJQJ^JaJph,hohp?6B*CJOJQJ^JaJph)hd=6hp?B*CJOJQJ^JaJphCCCCEEFFGGII>IJS & F5Eƀ&Ngd2Eog:d& & F+^gdDzh^gdk%@+^gdp? EE%EE[F\FFFFFGI?IIIIIIIJJJKKKKKʲإؗo\Bo7ohDzhh 0JCJ3jhDzhh >*B*CJOJQJUph$hDzhh >*B*CJOJQJph-jhDzhh >*B*CJOJQJUph hDzhhDzhCJOJQJ^JaJhPCJOJQJ^JaJhDzhhDzh0JCJaJ/jhDzhhs[CJOJQJU^JaJhDzhCJOJQJ^JaJ#jhDzhCJOJQJU^JaJ)hDzhhp?B*CJOJQJ^JaJphKKKLLMLNLOLPLiLjLkLuLwLxL}Lع{iWH7 h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6hT26CJOJQJ^JaJ#hd=6h$;6CJOJQJ^JaJ)hd=6h$;5;CJOJQJ]^JaJhYM5hp?OJQJ\hF(OJQJ\&hd=6ho6CJOJQJ]^JaJ ho6CJOJQJ]^JaJh CJOJQJ^JaJ hDzhh CJOJQJ^JaJ h1:h hP>*B*CJOJQJphJMLNLOLPLjLkLB=gd$;V$ & F.Eƀ&.0a$gd2Eog:d& & F^gdp?^gd S & F5Eƀ&Ogd2Eog:d& & F}LLM MZM[M\MpMqM|MMMMMMMM#N$NݺpaP?p0݂h\Q6CJOJQJ^JaJ hd=6hT2CJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6hT26CJOJQJ^JaJ&hd=6h$;5CJOJQJ]^JaJhF(h$;CJOJQJ,hd=6h756;CJOJQJ]^JaJ&h$;56;CJOJQJ]^JaJho6CJOJQJ^JaJ#hd=6h$;6CJOJQJ^JaJ hd=6h$;CJOJQJ^JaJkLZM[M\MpMqM$N%NlNmNOOIPJPjQkQ^gd`- ^gdk%@^gd$;S & F.Eƀ&.gd2Eog:d& & F^gd$;$N%NSNmN~NNNNaOOOOOOnPoPPPjQQ´´¦vhWF hPB=h~ CJOJQJ^JaJ hPB=h8CJOJQJ^JaJh8CJOJQJ^JaJ h8h CJOJQJ^JaJ h8h~ CJOJQJ^JaJh`- CJOJQJ^JaJh~ CJOJQJ^JaJh CJOJQJ^JaJ hd=6h`- CJOJQJ^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ hd=6h$;CJOJQJ^JaJkQQRSNS & F5Eƀ&Qgd2Eog:d& & FS & F5Eƀ&Pgd2Eog:d& & F^gd`- QQQQQRRRRRR-S.S/S6S7S8SSSSSST T!Tꦔ|k^Jk^k@hP0JCJaJ'jhd=6h3"0JCJUaJhd=6h3"0JCJaJ!jhd=6h3"0JCJUaJ/jhd=6h`- CJOJQJU^JaJ#hd=6h`- 5CJOJQJ^JaJhPCJOJQJ^JaJhd=6h`- 0JCJaJ/j̒hd=6h`- CJOJQJU^JaJ hd=6h`- CJOJQJ^JaJ)jhd=6h`- CJOJQJU^JaJ!T#TTTTTUUUNUOUPUUUUUUUUU#V$V%VBVCVDVEVGVѿ~~m_G~~/jܖh 2_hm#CJOJQJU^JaJh8CJOJQJ^JaJ hPB=h 2_CJOJQJ^JaJhPCJOJQJ^JaJh 2_h 2_0JCJaJ/jh 2_hm#CJOJQJU^JaJh 2_CJOJQJ^JaJ#jh 2_CJOJQJU^JaJh8haCJOJQJ^JaJ h~ h~ CJOJQJ^JaJh~ 0J>*CJaJSUUWS & F5Eƀ&Sgd2Eog:d& & FS & F5Eƀ&Rgd2Eog:d& & FGVVVVVVVVVVVVVW WQWSWWWWWWWXƹƝ}Ɲn`RAA hd=6hYCJOJQJ^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJho6CJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6h`- 6CJOJQJ^JaJhF(CJOJQJhF(h`- CJOJQJ hd=6h`- CJOJQJ^JaJ h~ h8 h 2_h 2_CJOJQJ^JaJ hPB=h 2_CJOJQJ^JaJUVVVVVRWID;^gd`- gd`- S & F.Eƀ&.gd2Eog:d& & F^gd$;gd8S & F5Eƀ&Tgd2Eog:d& & FRWSWWWXXXYS & F5Eƀ&Ugd2Eog:d& & F^gdH^gdk%@^gd`- XX'X.X`XaXXXXXXXSYTYUY\Y]Y^YYY;ZP#jhaCJOJQJU^JaJhaCJOJQJ^JaJ hahaCJOJQJ^JaJ hPB=h 2_ hPB=h 2_CJOJQJ^JaJ$hPB=h 2_0J>*B*CJaJphh 2_0J>*CJaJhP0JCJaJ'j!hd=6h 2_0JCJUaJhd=6h 2_0JCJaJ!jhd=6h 2_0JCJUaJhHCJOJQJ^JaJ hd=6hHCJOJQJ^JaJYZ \WS & F5Eƀ&Wgd2Eog:d& & FS & F5Eƀ&Vgd2Eog:d& & FS\T\U\|\}\\\\\\\\\\\\\\ȾհreQ?0h=6CJOJQJ^JaJ#hd=6hH6CJOJQJ^JaJ&hd=6hH6CJOJQJ]^JaJhF(hHCJOJQJ hd=6h7CJOJQJ^JaJhYCJOJQJ^JaJ hPB=haCJOJQJ^JaJhaCJOJQJ^JaJhPCJOJQJ^JaJhP0JCJaJh 2_ha0JCJaJ#jhaCJOJQJU^JaJ/jh 2_haCJOJQJU^JaJ \\\\\\x]y]RI@@^gdH^gdHS & F.Eƀ&.gd2Eog:d& & FgdHS & F5Eƀ&Xgd2Eog:d& & F\\ ]w]x]y]]]__f_g_h_o_p_r_s_____G`̺̬މqdVHމh<CJOJQJ^JaJhPCJOJQJ^JaJhd=6hH0JCJaJ/jhd=6hHCJOJQJU^JaJ)jhd=6hHCJOJQJU^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ#hd=6h`- 6CJOJQJ^JaJ#hd=6hH6CJOJQJ^JaJ hd=6hHCJOJQJ^JaJ h=h=CJOJQJ^JaJy]]]^^__`@S & F5Eƀ&Zgd2Eog:d& & FS & F5Eƀ&Ygd2Eog:d& & FgdH^gdH^gdk%@G`H`I`Q`R`S`T``````aaaŮzkYG8' h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6hH6CJOJQJ^JaJ#hd=6hH5CJOJQJ^JaJhF(hH0J6CJOJQJ h7h7hHCJOJQJ^JaJhPCJOJQJ^JaJ hd=6hHCJOJQJ^JaJ,jhd=6hH5CJOJQJU^JaJhd=6hH0JCJaJ)jhd=6hHCJOJQJU^JaJ/j hd=6hHCJOJQJU^JaJ`````naoaaa"c#ceefy^gd u8^gd\C^gdk%@^gdHU & F.@&Eƀ&.gd2Eog:d& & F+gd72dgdH aa=aAamanaoaaaoc8dBdiddJeef fffݼݮpp_J_2/j'hd=6h u8CJOJQJU^JaJ)jhd=6h u8CJOJQJU^JaJ hd=6h u8CJOJQJ^JaJ h=h0QlCJOJQJ^JaJ h=h\CCJOJQJ^JaJh\CCJOJQJ^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ#hd=6h$;6CJOJQJ^JaJh\Q6CJOJQJ^JaJ#hd=6hH6CJOJQJ^JaJ hd=6hHCJOJQJ^JaJffffff[g\ggggggghhiii i!i"igjhjjjjjjkkkknkϽꬔϬ|ϬkWkkϬ'jhd=6h u80JCJUaJ!jhd=6h u80JCJUaJ/jihd=6h u8CJOJQJU^JaJ/jNhd=6h u8CJOJQJU^JaJ hd=6h u8CJOJQJ^JaJ#hd=6h u85CJOJQJ^JaJhPCJOJQJ^JaJhd=6h u80JCJaJ)jhd=6h u8CJOJQJU^JaJ!f[ghWS & F5Eƀ&\gd2Eog:d& & FS & F5Eƀ&[gd2Eog:d& & FhkkWS & F5Eƀ&^gd2Eog:d& & FS & F5Eƀ&]gd2Eog:d& & FnkokpkkkkkkkkQlRlSlelmlnlplrllҷoUGŁ8hPCJOJQJ\^JaJhd=6h u80JCJ\aJ2jңhd=6h(]CJOJQJU\^JaJ#hd=6h u8CJOJQJ\^JaJ,jhd=6h u8CJOJQJU\^JaJh'$CJOJQJ^JaJ hd=6h u8CJOJQJ^JaJhPCJOJQJ^JaJhd=6h u80JCJaJ)jhd=6h u8CJOJQJU^JaJ/jhd=6h(]CJOJQJU^JaJkllllllA<gd u8V$ & F.Eƀ&.0a$gd2Eog:d& & F^gdHgdrQ/gdrQ/S & F5Eƀ&_gd2Eog:d& & FlllllllllllllXm]mmmƯyhWH4&h u85;>*CJOJQJ]^JaJho6CJOJQJ^JaJ hd=6h u8CJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6h u86CJOJQJ^JaJhYM5h$;OJQJ\hF(OJQJ\,hd=6h u85;>*CJOJQJ]^JaJ,hd=6hrQ/5;>*CJOJQJ]^JaJhrQ/h u8CJ OJQJ\hrQ/hrQ/CJ OJQJ\ hrQ/;>*lmmmnnnnnnoop}^gdk%@+^gd u8 +@&^gdF(S & F.Eƀ&.gd2Eog:d& & Fgd u8 1b]b^gdF( mmmmmmnnnnn/n1nnnܷs\E0)hd=6h u8B*CJOJQJ^JaJph,hd=6h u86B*CJOJQJ^JaJph,hd=6h u8B*CJOJQJ]^JaJph,h=h=B*CJOJQJ]^JaJph)h=6B*CJOJQJ]^JaJph/hd=6h u86B*CJOJQJ]^JaJph/hd=6hF(5B*CJOJQJ]^JaJphhF(hF(CJOJQJhF(h u8CJOJQJ,hd=6h75;>*CJOJQJ]^JaJnnnnnn4o8o9oooooop pҽpXK6)jhd=6h u8CJOJQJU^JaJhT_hhX0JCJaJ/jhT_hhXCJOJQJU^JaJ hT_hhXCJOJQJ^JaJ)jhT_hhXCJOJQJU^JaJ)hT_hh u8B*CJOJQJ^JaJph#h<B*CJOJQJ^JaJph)hd=6h u8B*CJOJQJ^JaJph#hk%@B*CJOJQJ^JaJphhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ pqprpsp|p}p~ppqqqqqqqqqqq r r rrmrnrorµ§µ§p[pC[/jhd=6h8CJOJQJU^JaJ)jhd=6h8CJOJQJU^JaJ hd=6h8CJOJQJ^JaJh<CJOJQJ^JaJ/jhd=6h u8CJOJQJU^JaJhT_hCJOJQJ^JaJhd=6h u80JCJaJ)jhd=6h u8CJOJQJU^JaJ/jhd=6h u8CJOJQJU^JaJ hd=6h u8CJOJQJ^JaJppq rWS & F5Eƀ&agd2Eog:d& & FS & F5Eƀ&`gd2Eog:d& & Forrrrrrrrrrrrrrrsssо}kVL?L?2hF(h u8CJOJQJhF(h8CJOJQJhF(CJOJQJ)hd=6h7B*CJOJQJ^JaJph#h u8B*CJOJQJ^JaJph hd=6h u8CJOJQJ^JaJhLCJOJQJ^JaJ hd=6h8CJOJQJ^JaJ hT_hhT_hCJOJQJ^JaJ#hd=6h85CJOJQJ^JaJhT_hCJOJQJ^JaJ)jhd=6h8CJOJQJU^JaJhd=6h80JCJaJ rrrrssssRMDM+^gd8gd8S & F.Eƀ&.gd2Eog:d& & F+gd u8S & F5Eƀ&bgd2Eog:d& & Fssss1sxs}ssssssstһ{j\N<+ h h CJOJQJ^JaJ#hk%@B*CJOJQJ^JaJphhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ hd=6h8CJOJQJ^JaJ&ho6B*CJOJQJ^JaJph,hd=6h86B*CJOJQJ^JaJph)hd=6h8B*CJOJQJ^JaJph,h=h=B*CJOJQJ]^JaJph)h=6B*CJOJQJ]^JaJph/hd=6h86B*CJOJQJ]^JaJph ssstJuuuuE@gd8S & F5Eƀ&dgd2Eog:d& & FS & F5Eƀ&cgd2Eog:d& & F^gd8^gdk%@tIuJuuuuuFvGvHvQvRvSvUvVvvv$w%w&wHwIwJwKwMwlwvwwͻzzͻbzzQ h 2_h'$CJOJQJ^JaJ/j2h 2_hm#CJOJQJU^JaJhT_hCJOJQJ^JaJh 2_h80JCJaJ/jh 2_hm#CJOJQJU^JaJh 2_CJOJQJ^JaJ#jh 2_CJOJQJU^JaJ h 2_h8CJOJQJ^JaJ h 2_h CJOJQJ^JaJ h 2_hX5CJOJQJ^JaJuvwWS & F5Eƀ&fgd2Eog:d& & FS & F5Eƀ&egd2Eog:d& & Fwwwwwwxxx$x%x'xpxqxrxsxtxx­wiXJ9/hF(CJOJQJ hd=6h7CJOJQJ^JaJh8CJOJQJ^JaJ h h CJOJQJ^JaJhT_hCJOJQJ^JaJhd=6h 0JCJaJ/jEhd=6h CJOJQJU^JaJ hd=6h CJOJQJ^JaJ)jhd=6h CJOJQJU^JaJ h 2_h8CJOJQJ^JaJh<CJOJQJ^JaJ hGhGCJOJQJ^JaJhGCJOJQJ^JaJwwrxsxtxWRRgd8S & F5Eƀ&hgd2Eog:d& & FS & F5Eƀ&ggd2Eog:d& & Ftxxx-y.yuyvy|||+^gd8^gdk%@^gd8gd8S & F.Eƀ&.gd2Eog:d& & F xxxxxxx.y\yuyvyyyz:zzν♋}kVAV/V#h<B*CJOJQJ^JaJph)hd=6hgB*CJOJQJ^JaJph)hd=6h8B*CJOJQJ^JaJph#hk%@B*CJOJQJ^JaJphhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ#hd=6h86CJOJQJ^JaJ#h=h=CJOJQJ]^JaJ h=6CJOJQJ]^JaJ&hd=6h86CJOJQJ]^JaJ hd=6h8CJOJQJ^JaJhF(h8CJOJQJzzzz<{={>{N{O{P{{{|||| |8|9|òÍò{m\OEO4 hd=6h8CJOJQJ^JaJhF(CJOJQJhF(h8CJOJQJ hd=6h7CJOJQJ^JaJh8CJOJQJ^JaJ#hXB*CJOJQJ^JaJphhZhX0JCJaJ/j(hZhXCJOJQJU^JaJ hZhXCJOJQJ^JaJ)jhZhXCJOJQJU^JaJ)hd=6h8B*CJOJQJ^JaJph#h/B*CJOJQJ^JaJph|8|9|||||}}}^gdk%@^gd8gd8S & F.Eƀ&.gd2Eog:d& & F 9|I|J|O|b|||||||} }e}}}}},~ɸ{m\\G\)jhd=6hgCJOJQJU^JaJ hd=6hgCJOJQJ^JaJhT_hCJOJQJ^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJh\Q6CJOJQJ^JaJ#hd=6h86CJOJQJ^JaJ hd=6h8CJOJQJ^JaJ#h=h=CJOJQJ]^JaJ h=6CJOJQJ]^JaJ&hd=6h86CJOJQJ]^JaJ,~-~.~J~K~L~M~O~~~~~~!"#QRSTbҷҦҷwcLChF(OJQJ\,hd=6h75;>*CJOJQJ]^JaJ&hg5;>*CJOJQJ]^JaJ,hd=6h85;>*CJOJQJ]^JaJ/j2hd=6hgCJOJQJU^JaJ hd=6hgCJOJQJ^JaJhT_hCJOJQJ^JaJhd=6hg0JCJaJ)jhd=6hgCJOJQJU^JaJ/j-hd=6hgCJOJQJU^JaJ}~QRSTWRRRgdgS & F5Eƀ&jgd2Eog:d& & FS & F5Eƀ&igd2Eog:d& & Fbmnoxy~Mgƀǀо~j\N7,jh<hg6CJOJQJU^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ&hk%@5;>*CJOJQJ]^JaJh\Q6CJOJQJ^JaJ hd=6hgCJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6hg6CJOJQJ^JaJ,hd=6hg5;>*CJOJQJ]^JaJhYM5h u8OJQJ\hYM5hlOJQJ\Tnofgƀ^gdk%@gdk%@^gdggdgV$ & F.Eƀ&.0a$gd2Eog:d& & Fǀ&'(89:;=ׁځ ,9:B_`ayÂӼzi[i[i[i[i[iMi[ih'$CJOJQJ^JaJh<CJOJQJ^JaJ hd=6hgCJOJQJ^JaJ h<h<CJOJQJ^JaJ h<hgCJOJQJ^JaJ#h<h<6CJOJQJ^JaJh<hg0J6CJaJ,jh<hg6CJOJQJU^JaJ2j?h<hg6CJOJQJU^JaJ#h<hg6CJOJQJ^JaJƀ,9c & F* 88Eƀ&^8gd2Eog:d& & F 8^8c & F* 88Eƀ&^8gd2Eog:d& & F 8^8,a9c & F* 88Eƀ&^8gd2Eog:d& & F 8^8c & F* 88Eƀ&^8gd2Eog:d& & F 8^8ÂƂ"#$2BCDORUV~ !"Ϯv_VJ_hYM5h u8OJQJ\hF(OJQJ\,hd=6hg5;>*CJOJQJ]^JaJ)hd=6h7B*CJOJQJ^JaJph#hgB*CJOJQJ^JaJph ha6hgCJOJQJ^JaJ#h<h<6CJOJQJ^JaJh<6CJOJQJ^JaJ#h<hg6CJOJQJ^JaJ hd=6hgCJOJQJ^JaJh<CJOJQJ^JaJD9c & F* 88Eƀ&^8gd2Eog:d& & F 8^8c & F* 88Eƀ&^8gd2Eog:d& & F 8^8D900^gdgc & F* 88Eƀ&^8gd2Eog:d& & F 8^8c & F* 88Eƀ&^8gd2Eog:d& & F 8^8!"Єфopxvmvvvh^hgd]m8^8gd]m^gdlgdF( 3]`gdl^gdgV$ & F.Eƀ&.0a$gd2Eog:d& & Fgdg "./4Gty„τЄфͼ필wmwcwVB0#hd=6hl6CJOJQJ^JaJ&hd=6hl5CJOJQJ]^JaJhF(hgCJOJQJhoCJOJQJhF(CJOJQJhF(hlCJOJQJ hd=6hlCJOJQJ^JaJ/hd=6hg56;>*CJOJQJ]^JaJho6CJOJQJ^JaJ hd=6hgCJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6hg6CJOJQJ^JaJ-2nop߅f̩̽yj[I:I[+h 2_CJOJQJ]^JaJhF(CJOJQJ]^JaJ#hd=6hlCJOJQJ]^JaJhX5CJOJQJ]^JaJhk%@CJOJQJ]^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ&hd=6hl5CJOJQJ]^JaJ&hd=6hl6CJOJQJ]^JaJho6CJOJQJ^JaJ#hd=6hl6CJOJQJ^JaJ hd=6hlCJOJQJ^JaJ h=h=CJOJQJ^JaJwxyz{ɇʇͼtcQ=+#h/hl6CJOJQJ^JaJ&h/h8U6CJOJQJ]^JaJ#h=h=CJOJQJ]^JaJ h=6CJOJQJ]^JaJ&h/hl6CJOJQJ]^JaJ&hd=6hl5CJOJQJ]^JaJhYM5hlOJQJ\&hd=6h75CJOJQJ]^JaJ h75CJOJQJ]^JaJ hl5CJOJQJ]^JaJ#hd=6hlCJOJQJ]^JaJhX5CJOJQJ]^JaJ xyz{+,st gd^gdk%@gdlV$ & F.Eƀ&.0a$gd2Eog:d& & F^gdlgd]m+,Zstوۈ#@Ϳ~~l~l~lXD3 h75CJOJQJ]^JaJ&hPB=hl5CJOJQJ]^JaJ&hPB=h75CJOJQJ]^JaJ#hPB=hXCJOJQJ]^JaJ#hPB=hCJOJQJ]^JaJ#hPB=h7CJOJQJ]^JaJhk%@CJOJQJ]^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJ hd=6hlCJOJQJ^JaJ#h/hl6CJOJQJ^JaJho6CJOJQJ^JaJ   !-.36@F݋ދʾudSdD,/hd=6h56;>*CJOJQJ]^JaJho6CJOJQJ^JaJ h2: hCJOJQJ^JaJ hd=6hCJOJQJ^JaJ h=h=CJOJQJ^JaJh=6CJOJQJ^JaJ#hd=6h6CJOJQJ^JaJ,hd=6h5;>*CJOJQJ]^JaJhYM5hOJQJ\&hd=6he5CJOJQJ]^JaJ he5CJOJQJ]^JaJ h5CJOJQJ]^JaJ   !ދߋFS & F.Eƀ&.gd2Eog:d& & F^gdV$ & F.Eƀ&.0a$gd2Eog:d& & Fgdދߋ*puȶvaM?1hk%@CJOJQJ^JaJh\kCJOJQJ^JaJ&ho6B*CJOJQJ^JaJph)hd=6hB*CJOJQJ^JaJph)h=h=B*CJOJQJ^JaJph&h=6B*CJOJQJ^JaJph,hd=6h6B*CJOJQJ^JaJph#hd=6h5CJOJQJ^JaJhF(hCJOJQJ,hd=6h75;>*CJOJQJ]^JaJ&h5;>*CJOJQJ]^JaJ &S & F+Eƀ&gd2Eog:d& & F ^gdk%@+^gdǍȍڍ&'mnoxy{|ش؍|dWI7#hd=6h5CJOJQJ^JaJhT_hCJOJQJ^JaJhd=6h0JCJaJ/jDhd=6hCJOJQJU^JaJ hd=6hCJOJQJ^JaJ)jhd=6hCJOJQJU^JaJ#hB*CJOJQJ^JaJph#hoB*CJOJQJ^JaJph#hbB*CJOJQJ^JaJph)hd=6hB*CJOJQJ^JaJph#hk%@B*CJOJQJ^JaJph|} >?@ޱɤɌw]H]]6#hT_hB*CJOJQJ^JaJph)hd=6hB*CJOJQJ^JaJph2jhd=6hB*CJOJQJU^JaJph)hd=6hB*CJOJQJ^JaJphhT_hCJOJQJ^JaJhT_h0JCJaJhd=6h0JCJaJ/j'hd=6hCJOJQJU^JaJ)jhd=6hCJOJQJU^JaJ hd=6hCJOJQJ^JaJ hT_hhT_hCJOJQJ^JaJ?WS & F+Eƀ&gd2Eog:d& & F S+ & F+Eƀ&gd2Eog:d& & F `đőʹwjXD3 h=6CJOJQJ]^JaJ&hd=6h6CJOJQJ]^JaJ#hd=6hCJOJQJ]^JaJhF(hCJOJQJ hd=6h7CJOJQJ^JaJ)hd=6hB*CJOJQJ^JaJphhCJOJQJ^JaJh<CJOJQJ^JaJ hd=6hCJOJQJ^JaJh'$CJOJQJ^JaJ#hT_hB*CJOJQJ^JaJph)hd=6hB*CJOJQJ^JaJph`WNN^gdS+ & F+Eƀ&gd2Eog:d& & F S & F+Eƀ&gd2Eog:d& & F  !hi_`^gdk%@^gd^gdS & F.Eƀ&.gd2Eog:d& & F őʑݑ!Oix|/01ɺɬq_Q9_/jNh8Uh8UCJOJQJU^JaJh8UCJOJQJ^JaJ#jh8UCJOJQJU^JaJhT_hCJOJQJ^JaJh/CJOJQJ^JaJ hd=6hCJOJQJ^JaJhk%@CJOJQJ^JaJh\kCJOJQJ^JaJho6CJOJQJ^JaJ#hd=6h6CJOJQJ^JaJ#hd=6hCJOJQJ]^JaJ#h=h=CJOJQJ]^JaJ1=>ʓ˓̓Փ֓NOP­wfQ9Q/jhd=6hCJOJQJU^JaJ)jhd=6hCJOJQJU^JaJ hI2hI2CJOJQJ^JaJhJphI20JCJaJ/j/hJphI2CJOJQJU^JaJ hJphI2CJOJQJ^JaJ)jhJphI2CJOJQJU^JaJhCJOJQJ^JaJ hd=6hCJOJQJ^JaJ#jh8UCJOJQJU^JaJh8Uh0JCJaJWS & F5Eƀ&kgd2Eog:d& & FS & FrEƀ&gd2Eog:d& & F Plmnoq @ACDEstۖܖݖ<=>пп޿ппobЇЇQK hs[aJ hd=6h<CJOJQJ^JaJh<h<0JCJaJ/j$h<h<CJOJQJU^JaJh<CJOJQJ^JaJ#jh<CJOJQJU^JaJ/jhd=6hCJOJQJU^JaJ hd=6hCJOJQJ^JaJhT_hCJOJQJ^JaJ)jhd=6hCJOJQJU^JaJhd=6h0JCJaJs=rstWRMMgd<_gds[S & F5Eƀ&mgd2Eog:d& & FS & F5Eƀ&lgd2Eog:d& & F>fqrtRr ¶xgUx>,h2: h-96B*CJOJQJ^JaJph#h2: hX+6CJOJQJ^JaJ h2: h-9CJOJQJ^JaJhT_h6CJOJQJ^JaJ#h2: h-96CJOJQJ^JaJ h2: h<_CJOJQJ^JaJh2: h<_OJQJ\h2: h-9OJQJ\&h2: h<_5CJOJQJ]^JaJhs[h<_CJ OJQJ\aJhs[hs[CJ OJQJ\hs[CJ OJQJ\t Hr:\ܜ{riri+p^pgda6+^gda6/^gd-9 +^`gde/`gd-9/^gd-9gd<_V$ & F.Eƀ&.0a$gd2Eog:d& & F HNQrtuz?B[\ܜôՠt`tôN<#h2: h\Q6CJOJQJ^JaJ#h2: ha66CJOJQJ^JaJ&hT_h6B*CJOJQJ^JaJph,h2: ha66B*CJOJQJ^JaJph)h=h=B*CJOJQJ^JaJph&h=6B*CJOJQJ^JaJphhT_h6CJOJQJ^JaJ#h2: h-96CJOJQJ^JaJ,h2: h-96B*CJOJQJ^JaJph&he6B*CJOJQJ^JaJphܜҝӝNO12U $`a$gd)gd7^gd8^gd2: ^gd) $^a$gd)p^pgda6^gda6 ҝӝ:;<RST\]r͸x[NE8Nh7h70JCJaJh7h)0Jh7h)0JCJaJ8jIh7hdB*CJOJQJU^JaJph#h7B*CJOJQJ^JaJph,jh7B*CJOJQJU^JaJph,h7h)5B*CJOJQJ^JaJph)h7h)B*CJOJQJ^JaJphh2: h<5CJOJQJ#h2: h<_6CJOJQJ^JaJ#h2: h-96CJOJQJ^JaJrzMNO012UVñՋzcN7%#hI`B*CJOJQJ^JaJph,jhI`B*CJOJQJU^JaJph)h7h<B*CJOJQJ^JaJph,h7h<5B*CJOJQJ^JaJph!h7h<B*OJQJ^Jph!h7h)B*OJQJ^Jph)h8h8B*CJOJQJ^JaJph#h7B*CJOJQJ^JaJph#h)B*CJOJQJ^JaJph)h7h)B*CJOJQJ^JaJph)h7h7B*CJOJQJ^JaJphHI'(nop̪̘̿{̿n\̘?̪̿\8jhI`hI`B*CJOJQJU^JaJph#hT_hB*CJOJQJ^JaJphhI`h2: 0JCJaJ8jhI`hI`B*CJOJQJU^JaJph#hI`B*CJOJQJ^JaJph)h7h<B*CJOJQJ^JaJphhI`h<0JCJaJ,jhI`B*CJOJQJU^JaJph8j4hI`hI`B*CJOJQJU^JaJphUH'9c & F+ 88Eƀ&^8gd2Eog:d& & F 8^8c & F+ 88Eƀ&^8gd2Eog:d& & F 8^8'HIɥydT@ h8p^gdb+ h8pgdb h8p7$8$H$gdb h8pgdb$ h8pa$gdbc & F+ 88Eƀ&^8gd2Eog:d& & F 8^8!$GHI[\lm~ӱs[F4#hC(B*CJOJQJ^JaJph)hC(5B*CJOJQJ\^JaJph/h?0hC(6B*CJOJQJ\^JaJph)h?05B*CJOJQJ\^JaJph)h?0h?0B*CJOJQJ^JaJph&h3"hC(5CJ OJQJ]^JaJ "h?0h5CJ OJQJ\aJ h?0h?0CJ OJQJ\aJ h?0h3"CJ OJQJ\aJ !h 2_h<_B*CJOJQJphh7h<B*ph ~ɥʥ 2ۦҧbfjʽrrdRAdAdRAdA hC(h#CJOJQJ^JaJ#h<h#6CJOJQJ^JaJhbCJOJQJ^JaJ,h<h#6B*CJOJQJ^JaJph)hC(h#B*CJOJQJ^JaJph#hbB*CJOJQJ^JaJphhLh#CJOJQJhLhLCJOJQJ!h_6h#B*OJQJ^Jph#hC(B*CJOJQJ^JaJph#h?0B*CJOJQJ^JaJphɥbT{c/ h8p^`gdb+ h8p8^8`gdb+ h8p^`gdb+ h8p`^``gdb/ h8p8^8gdb/ h8p0^`0gdb5 h8pgdb jkIªêǪȪTW\]|}lptu&.ϫm_h CJOJQJ^JaJ#h=9hb6CJOJQJ^JaJ,h=9h#6B*CJOJQJ^JaJph)hC(h#B*CJOJQJ^JaJph#hbB*CJOJQJ^JaJph#h=9h#6CJOJQJ^JaJ hC(h#CJOJQJ^JaJ#h<h#6CJOJQJ^JaJhbCJOJQJ^JaJ$T}l&:#L~4w___+ h8p^`gdp s/ h8p`gdb0 h8p`]^``gdp s+ h8p^`gd{+ h8p^`gd + h8p^`gdb/ h8pgdb .S:<?@DEm#&+,JLPTU~ų4<Y\`deܴ,4Tʵʵʞʵʞܐܐܐܐܐʵʵʞܐܐܐh|(6CJOJQJ^JaJhp sCJOJQJ^JaJ,h|(h#6B*CJOJQJ^JaJph)hC(h#B*CJOJQJ^JaJph#hp sB*CJOJQJ^JaJph hC(h#CJOJQJ^JaJ#h|(h#6CJOJQJ^JaJ24\,}ѸV/ h8p`gdb/ h8p`^``gdp s+ h8p`^``gdp s+ h8p^`gdp s+ h8pgdp sǵ :}ŶзѸٸȹG#QV]r6)Ͻ#h|(B*CJOJQJ^JaJph,h|(h#6B*CJOJQJ^JaJph)hC(h#B*CJOJQJ^JaJph#hp sB*CJOJQJ^JaJph hC(h#CJOJQJ^JaJ#h|(h#6CJOJQJ^JaJhp sCJOJQJ^JaJ2VԿq1k5 h8p`gdb h8p^gdb+ h8pgdb1 h8pb`]b^``gdp s+ h8p`^``gdp s+ h8pgdp s+ h8p8^8`gdp s )JRUҿԿۿqy1:ᯚᖅtcVLVhLCJOJQJhLh#CJOJQJ!hC(5B*OJQJ\^Jph hp sh#CJOJQJ^JaJ hp shp sCJOJQJ^JaJhp s)hC(h#B*CJOJQJ^JaJph#hp sB*CJOJQJ^JaJph#h|(h#6CJOJQJ^JaJhp sCJOJQJ^JaJ hC(h#CJOJQJ^JaJh|(CJOJQJ^JaJ:C46:;<Y[b\_cd#Z*-12T5abef D3589Y`t$'+,Djmqr«ԙ#hGB*CJOJQJ^JaJph,h|(hp s6B*CJOJQJ^JaJph#hp sB*CJOJQJ^JaJph)hC(h#B*CJOJQJ^JaJph,h|(h#6B*CJOJQJ^JaJph<14[\*a3Y$sc5 h8pgdp s5 h8p8^8`gdp s5 h8p0^`0gdp s5 h8p^`gdp s5 h8p`^``gdp s5 h8p`gdb5 h8p8|^8`|gdp s $j3j95 h8p0^`0gdp s5 h8p8|^8`|gdp s5 h8p`gdb h8p^gdb+ h8pgdb5 h8p`^``gdp s (34jkns9<@Ag,{@Ii&+,Jɷ균균균균균균균균균균균귉,h|(hp s6B*CJOJQJ^JaJph,h|(h#6B*CJOJQJ^JaJph#hp sB*CJOJQJ^JaJphhLh#CJOJQJhLhLCJOJQJ hC(hC()hC(h#B*CJOJQJ^JaJph6{@&L$(k1 h8pb]bgdG h8p^gdb5 h8p`gdb5 h8p`^``gdG5 h8pgdp s5 h8p0^`0gdp s5 h8p8^8`gdp s JLSt$,F(-N@H!$%;؟؈؟؟؈zizi؟؈zizWi#h|(h6CJOJQJ^JaJ hhCJOJQJ^JaJhGCJOJQJ^JaJ,h|(h6B*CJOJQJ^JaJph)hhB*CJOJQJ^JaJphh2: hCJOJQJ,h|(h#6B*CJOJQJ^JaJph#hGB*CJOJQJ^JaJph)hC(h#B*CJOJQJ^JaJph"(@T||wgdC( 7$8$H$gdC(+ 8`^``gdU+ 8`^``gdUo|+ 8`^``gd)9+ h8p`^``gdG/ h8pgdG/ h8p0^`0gdG OkSU^_biprz{ϾϾq\\\NhLhC(5OJQJ\(hUhL0J9B*CJ OJQJ\ph(hUhv6>0J9B*CJ OJQJ\ph(hUhC(0J9B*CJ OJQJ\ph"hU0J9B*CJ OJQJ\ph h)9h<_CJOJQJ^JaJ h)9hCJOJQJ^JaJ#h|(h6CJOJQJ^JaJ h)9hGCJOJQJ^JaJh)9CJOJQJ^JaJ $ezqqq_N= hZbhC(CJOJQJ^JaJ h2Ehk=CJOJQJ^JaJ#h2Ehk=5CJOJQJ^JaJ&h2EhC(5CJOJQJ\^JaJ h2EhC(CJOJQJ^JaJhC(#h?0B*CJOJQJ^JaJph)h?0hC(B*CJOJQJ^JaJph,h?0hC(6B*CJOJQJ^JaJph)h?0h?0B*CJOJQJ^JaJph#hC(B*CJOJQJ^JaJph #Fkdݺ$$IflF@ ," \ t06    44 lapyt2E$$7$8$H$Ifa$gd2El #$AOawww$7$8$H$Ifgd2El pkd$$IflL,"" t0644 lap yt2Eabcdx`III$7$8$H$Ifgd2El kd!$$IflF@ ," \ t06    44 lapyt2Exyz{`III$7$8$H$Ifgd2El kdӼ$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kd7$$IflF@ ," \ t06    44 lapyt2E5`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E5678V`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2EVWXYt`III$7$8$H$Ifgd2El kdM$$IflF@ ," \ t06    44 lapyt2Etu`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kdc$$IflF@ ," \ t06    44 lapyt2E>Lc`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2Ecdef`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kdy$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kd+$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E )>`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E>?@A\`III$7$8$H$Ifgd2El kdA$$IflF@ ," \ t06    44 lapyt2E\]^_`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kdW$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kd $$IflF@ ," \ t06    44 lapyt2E,:d`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2Edey`F$$7$8$H$Ifa$gd2El kdm$$IflF@ ," \ t06    44 lapyt2Eyzwww$7$8$H$Ifgd2El pkd$$Ifly,"" t0644 lap yt2E`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E `III$7$8$H$Ifgd2El kd]$$IflF@ ," \ t06    44 lapyt2E   &`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E&'7BF`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2EFG\gk`III$7$8$H$Ifgd2El kds$$IflF@ ," \ t06    44 lapyt2Ekl`III$7$8$H$Ifgd2El kd%$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kd;$$IflF@ ," \ t06    44 lapyt2E`F$$7$8$H$Ifa$gd2El kd$$IflF@ ," \ t06    44 lapyt2E=www$7$8$H$Ifgd2El pkd$$Ifl,"" t0644 lap yt2E=>?@_`III$7$8$H$Ifgd2El kd+$$IflF@ ," \ t06    44 lapyt2E_`abw`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2Ewxyz`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kdA$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E7BF`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2EFG]k`III$7$8$H$Ifgd2El kdW$$IflF@ ," \ t06    44 lapyt2E`III$7$8$H$Ifgd2El kd $$IflF@ ," \ t06    44 lapyt2E`F$$7$8$H$Ifa$gd2El kd$$IflF@ ," \ t06    44 lapyt2Ewww$7$8$H$Ifgd2El pkdm$$Ifl,"" t0644 lap yt2E`III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E `III$7$8$H$Ifgd2El kd$$IflF@ ," \ t06    44 lapyt2E+>@`WWWWOJJgdC($a$gdL 7$8$H$gdZbkd]$$IflF@ ," \ t06    44 lapyt2E'+>@IJM {{{iXGX h2EhqCJOJQJ^JaJ h2EhC(CJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ#h2EhZb5CJOJQJ^JaJ#h2EhC(5CJOJQJ^JaJhC(h?0CJ OJQJ\aJ h?0hv6>CJ OJQJ\aJ h?0hC(CJ OJQJ\aJ hZbhC(CJOJQJ^JaJhk=CJOJQJ^JaJ hZbhZbCJOJQJ^JaJ$$Ifa$gd2El )$IfgdZl kd$$Ifl44\(% 3 z Z   ```` t(0644 laf4p(yt2E ]G$$Ifa$gd2El kd,$$Ifl403 3 -  t0644 laf4g |pyt2E$IfgdZl [\YZٜلo^Fo/j h2EhC(CJOJQJU^JaJ h2EhC(CJOJQJ^JaJ)jh2EhC(CJOJQJU^JaJ/j&h2EhiCJOJQJU^JaJ/j h2EhiCJOJQJU^JaJh2Ehi0JCJaJ/jh2EhiCJOJQJU^JaJ h2EhiCJOJQJ^JaJ)jh2EhiCJOJQJU^JaJ[\]$If^`gd2El F$If^`Fgd2El  ![\_t'ͼ͓ͤ͂pX/jh2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2EhqCJOJQJ^JaJ h2Eh>-CJOJQJ^JaJ/jh2EhC(CJOJQJU^JaJ h2EhXCJOJQJ^JaJ h2EhC(CJOJQJ^JaJ)jh2EhC(CJOJQJU^JaJh2EhC(0JCJaJ]^_-$IfgdZl kd$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E_t0Y$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgdql '()-.01yz{Yoz>ҴҴҴyhSB h2Eh"2aCJOJQJ^JaJ)jh2Eh"2aCJOJQJU^JaJ h2EhT_hCJOJQJ^JaJ h2Eh'$CJOJQJ^JaJ#h2EhC(6CJOJQJ^JaJ/j?h2EhC(CJOJQJU^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/j$h2EhC(CJOJQJU^JaJ>?@Jkl !wŸҧraaPr;)jh2EhC(CJOJQJU^JaJ h2EhqCJOJQJ^JaJ h2Eh'$CJOJQJ^JaJ#h2EhC(5CJOJQJ^JaJ#h2EhC(6CJOJQJ^JaJ h2EhT_hCJOJQJ^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJh2Eh'$0JCJaJ)jh2Eh"2aCJOJQJU^JaJ/j&h2Eh"CJOJQJU^JaJ-$IfgdZl kd$$Ifl4r3(% 3zZ  t0644 laf4p2yt2Ela'($If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgdql BClmaҴvşҴ^ҴҴFҴ/jh2EhC(CJOJQJU^JaJ/jh2EhC(CJOJQJU^JaJ/jh2Eh8CJOJQJU^JaJ h2Eh>-CJOJQJ^JaJ)jh2Eh>-CJOJQJU^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/jh2EhC(CJOJQJU^JaJ&'(*?bde ٣kSkFkkh2EhC(0JCJaJ/j&h2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2EhqCJOJQJ^JaJ h2EhC(CJOJQJ^JaJh2Eh>-0JCJaJ/jeh2Eh>-CJOJQJU^JaJ h2Eh>-CJOJQJ^JaJ)jh2Eh>-CJOJQJU^JaJ()*-$IfgdZl kd>$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E*?bd($If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgdql    '(EOfpRST]^1ҴnҴVҴҴ/jh2EhC(CJOJQJU^JaJ h2EhqCJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ h2Eh'$CJOJQJ^JaJ#h2EhC(5CJOJQJ^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/jAh2EhC(CJOJQJU^JaJ-$IfgdZl kd^$$Ifl4r3(% 3zZ  t0644 laf4p2yt2EUB/B$Ifgdql $IfgdZl kdF$$Ifl403 3- t0644 laf4g |pyt2E$If^`gd2El {$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El 123=> %FHIҴn]ҴE/jh2EhC(CJOJQJU^JaJ h2EhqCJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ h2EhXCJOJQJ^JaJ h2Eh'$CJOJQJ^JaJ#h2EhC(5CJOJQJ^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/jh2EhC(CJOJQJU^JaJ-$IfgdZl kd2$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E%FUB/B$Ifgdql $IfgdZl kd$$Ifl403 3- t0644 laf4g |pyt2E$If^`gd2El FH$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El    RSwxyڵ珞xaP? h2Eh'$CJOJQJ^JaJ h2EhECJOJQJ^JaJ,h2Eh0/>*B*CJOJQJ^JaJph h2Eh0/CJOJQJ^JaJh2Eh0/0J>*CJaJh2Eh0/0JCJaJ!jh2Eh0/0JCJUaJh2EhC(0JCJaJ/jh2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJ h2EhC(CJOJQJ^JaJPQRbc>?@JKOPڵ邏lTlGllh2EhC(0JCJaJ/jh2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2Eh0/CJOJQJ^JaJ h2EhC(CJOJQJ^JaJh2Ehq0JCJaJ/jh2EhqCJOJQJU^JaJ)jh2EhqCJOJQJU^JaJ h2EhqCJOJQJ^JaJ-$IfgdZl kd$$Ifl4r3(% 3zZ  t0644 laf4p2yt2EO$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl /01;<D E  Ҵ|ҴdҴҴLҴҴ/jh2EhC(CJOJQJU^JaJ/jh2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2Eh0/CJOJQJ^JaJ)h2EhC(B*CJOJQJ^JaJph3f h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/jh2EhC(CJOJQJU^JaJ-$IfgdZl kd$$Ifl4r3(% 3zZ  t0644 laf4p2yt2ED   $If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd0/l        + 5   + , - = >     Ҵ}eŎSB h2Eh0/CJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ/jvh2Eh8CJOJQJU^JaJ h2Eh>-CJOJQJ^JaJ)jh2Eh>-CJOJQJU^JaJ h2Eh'$CJOJQJ^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/jh2EhC(CJOJQJU^JaJ   -$IfgdZl kd{$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E      UB/B$Ifgd0/l $IfgdZl kdc$$Ifl403 3- t0644 laf4g |pyt2E$If^`gd2El       + @        G\nyaǶܶܡ܉|ܶܡd|S h2EhECJOJQJ^JaJ/jh2EhC(CJOJQJU^JaJh2EhC(0JCJaJ/jh2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJ h2Eh0/CJOJQJ^JaJ)h2EhC(B*CJOJQJ^JaJph h2EhC(CJOJQJ^JaJ#h2EhC(5CJOJQJ^JaJ     $If^`gd2El F$If^`Fgd2El $$Ifa$gd2El    -$IfgdZl kd $$Ifl4r3(% 3zZ  t0644 laf4p2yt2E + @ B C E$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd0/l EFG-$IfgdZl kd$$Ifl4r3(% 3zZ  t0644 laf4p2yt2EG\R$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd0/l akEFGPQNp+BZdp޻ޔ|o]]]]]L h2EhECJOJQJ^JaJ#h2EhC(6CJOJQJ^JaJh2EhC(0JCJaJ/jh2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2Eh0/CJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ h2Eh'$CJOJQJ^JaJ-$IfgdZl kd$$Ifl4r3(% 3zZ  t0644 laf4p2yt2EUB/B$Ifgd0/l $IfgdZl kd$$Ifl403 3- t0644 laf4g |pyt2E$If^`gd2El N+p=$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El =?TwyzUV̺̍kSkFkh2EhC(0JCJaJ/j h2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJh2Eh0/0JCJaJ/j h2Eh0/CJOJQJU^JaJ)jh2Eh0/CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2Eh0/CJOJQJ^JaJ#h2Eh0/6CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ=>?-$IfgdZl kd $$Ifl4r3(% 3zZ  t0644 laf4p2yt2E?TwyU#F$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd0/l _iH]oXYZjk-ACDTV<ͻަގͻަiXަ h2EhPCJOJQJ^JaJ/jh2EhC(CJOJQJU^JaJh2EhC(0JCJaJ/j h2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2Eh0/CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ h2Eh'$CJOJQJ^JaJFGH-$IfgdZl kd $$Ifl4r3(% 3zZ  t0644 laf4p2yt2EH]oqr$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd0/l -$IfgdZl kd$$Ifl4r3(% 3zZ   t0644 laf4p2yt2E-ACP~8$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd0/l <=>NO+,-679Cop    ҴҴҴxgUҴ=/j~h2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2Eh0/CJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ#h2Ehe5CJOJQJ^JaJ/jh2EhC(CJOJQJU^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/jh2EhC(CJOJQJU^JaJ89:-$IfgdZl kd$$Ifl4r3(% 3zZ   t0644 laf4p2yt2E:;<=>?@AB$If^`gd2El o&$IfgdZl BCQnubG$If^`gd2El $IfgdZl kd$$Ifl403 3- t0644 laf4pyt2EnopubOb9$$Ifa$gd2El $Ifgd0/l $IfgdZl kd$$Ifl403 3- t0644 laf4pyt2E    !!!!!!!e"o"""0#P#Q#f#w#y#z##ْٰفo^L#h2EhC(5CJOJQJ^JaJ h2Eh"2aCJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ h2EhGCJOJQJ^JaJ h2Eh'$CJOJQJ^JaJh2EhC(0JCJaJ/jh2EhC(CJOJQJU^JaJ h2EhT_hCJOJQJ^JaJ h2EhC(CJOJQJ^JaJ)jh2EhC(CJOJQJU^JaJ!e"""Wq & F,$Eƀ&If^`gd2El og:d& & F^`$If^`gd2El F$If^`Fgd2El ""#q & F,$Eƀ&If^`gd2El og:d& & F^`q & F,$Eƀ&If^`gd2El og:d& & F^`#/#q & F,$Eƀ&If^`gd2El og:d& & F^`/#0#>#-$IfgdZl kd$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E>#O#P#Q#f#w#UB/B$Ifgd"2al $IfgdZl kd$$Ifl403 3- t0644 laf4g |pyt2E$If^`gd2El w#y#%&~'(($If^`gd2El F$If^`Fgd2El $$Ifa$gd2El #####3%4%%%%%%%%:&;&<&@&Y&b&c&&&&ҴҴҴv^PŇ? h2Eh'$CJOJQJ^JaJh2EhC(0J6CJaJ/jh2Eh8CJOJQJU^JaJ h2Eh>-CJOJQJ^JaJ)jh2Eh>-CJOJQJU^JaJ/jh2EhC(CJOJQJU^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/jZh2EhC(CJOJQJU^JaJ&&' '!'%'6'?'@'~''(((?(@(((׽鯟vcKv>vc- h2Eh>-CJOJQJ^JaJh2Eh>-0JCJaJ/jh2Eh>-CJOJQJU^JaJ$h2Eh>-0J>*B*CJaJph-jh2Eh>-0J>*B*CJUaJph#h2EhC(CJOJQJ\^JaJh2EhC(0J6CJ\aJh2EhC(0JCJ\aJ2jh2Eh8CJOJQJU\^JaJ#h2Eh>-CJOJQJ\^JaJ,jh2Eh>-CJOJQJU\^JaJ(((-$IfgdZl kd3$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E(((((())*)+)4)5)))B*C*********lTlFlh2EhC(0J6CJaJ/jJ!h2Eh8CJOJQJU^JaJ)jh2Eh>-CJOJQJU^JaJ h2Eh>-CJOJQJ^JaJh2EhC(0JCJaJ/j h2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2Eh"2aCJOJQJ^JaJ h2EhC(CJOJQJ^JaJ(((()B*+++,$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd"2al *++++++++++++,,2,P,R,ǵǍ}ǵkYH6#h2EhC(5CJOJQJ^JaJ h2Eh"2aCJOJQJ^JaJ#h2Eh"2aCJOJQJ\^JaJ#h2EhmWCJOJQJ\^JaJh2Eh>-0J6CJ\aJh2Eh>-0JCJ\aJ2j]"h2Eh>-CJOJQJU\^JaJ#h2Eh>-CJOJQJ\^JaJ,jh2Eh>-CJOJQJU\^JaJ h2EhC(CJOJQJ^JaJ h2Eh'$CJOJQJ^JaJ,,,-$IfgdZl kdz#$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E,2,P,R,2--. .$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd"2al R,S,,,,,,2-3-y-z-{----..".7.V.X.Y...ٜيxgU=/j\'h2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2Eh"2aCJOJQJ^JaJ#h2Eh"2aCJOJQJ\^JaJ#h2EhmWCJOJQJ\^JaJ/j%h2EhC(CJOJQJU^JaJh2EhC(0JCJaJ/jb$h2EhC(CJOJQJU^JaJ h2EhC(CJOJQJ^JaJ)jh2EhC(CJOJQJU^JaJ .!.".-$IfgdZl kdt&$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E".7.V.X.8//000$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd"2al ....//J0K0L0P0i0r0s0000000$1&1'11̷݀ݷn\KK9#h2EhC(5CJOJQJ^JaJ h2Eh"2aCJOJQJ^JaJ#h2Eh"2aCJOJQJ\^JaJ#h2EhmWCJOJQJ\^JaJh2EhC(0J6CJaJ/j(h2Eh8CJOJQJU^JaJ h2Eh>-CJOJQJ^JaJ)jh2Eh>-CJOJQJU^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ000-$IfgdZl kd)$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E00$1&1-2H2h2$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd"2al 11111-2H2g2i2r2222233:3Ҵ~l[I8 h2EhT_hCJOJQJ^JaJ#h2EhC(5CJOJQJ^JaJ h2Eh"2aCJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ#h2Ehe5CJOJQJ^JaJ#h2Eh"2aCJOJQJ\^JaJ#h2EhmWCJOJQJ\^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/j*h2EhC(CJOJQJU^JaJh2i2j2-$IfgdZl kd+$$Ifl4r3(% 3zZ   t0644 laf4p2yt2Ej2k2l2m2n2o2p2q2$If^`gd2El o&$IfgdZl q2r222ubG$If^`gd2El $IfgdZl kd,$$Ifl403 3- t0644 laf4pyt2E222222ubOb9$$Ifa$gd2El $Ifgd"2al $IfgdZl kdY-$$Ifl403 3- t0644 laf4pyt2E22d4$If^`gd2El F$If^`Fgd2El :3;33333335484e4444444%5&5'5I5٣nYAY4h2EhC(0JCJaJ/j0h2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ h2EhT_hCJOJQJ^JaJ h2EhC(CJOJQJ^JaJh2Eh"2a0JCJaJ/j.h2Eh"2aCJOJQJU^JaJ h2Eh"2aCJOJQJ^JaJ)jh2Eh"2aCJOJQJU^JaJd4e4p4-$IfgdZl kd.$$Ifl4r3(% 3zZ  t0644 laf4p2yt2Ep444444UB/B$Ifgd"2al $IfgdZl kd/$$Ifl403 3- t0644 laf4g |pyt2E$If^`gd2El 444K5L55$IfgdI2l $If^`gd2El F$If^`Fgd2El $$Ifa$gd2El I5J5K5L5M555555555556ȱwfXG5#h2EhJp5CJOJQJ^JaJ hC(hC(CJOJQJ^JaJh>-CJOJQJ^JaJ h2EhI2CJOJQJ^JaJh2EhI20JCJ]aJ2jq1h2EhI2CJOJQJU]^JaJ#h2EhI2CJOJQJ]^JaJ,jh2EhI2CJOJQJU]^JaJ h2EhI2CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ)jh2EhC(CJOJQJU^JaJ5555-((gdC(kdT2$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E5555 66$$Ifa$gd2El 666)$IfgdZl kd<3$$Ifl44\(% 3 z Z   ```` t(0644 laf4p(yt2E6768696J6a6c6]G$$Ifa$gd2El kdY4$$Ifl403 3 -  t0644 laf4g哔&pyt2E$IfgdZl 68696I6J6`6c6d666666C7D7777˹ܒzmXG/X/j@6h2Eh>-CJOJQJU^JaJ h2Eh>-CJOJQJ^JaJ)jh2Eh>-CJOJQJU^JaJh2EhC(0JCJaJ/j5h2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ#h2Eh9\5CJOJQJ^JaJ h2Eh9\CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ#h2Eh5CJOJQJ^JaJc6C777$If^`gd2El F$If^`Fgd2El 7777777 8"8$8%8888888888^9ͼs[sNsͼsh2EhC(0JCJaJ/j 8h2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2Eh9\CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ h2Eh>-CJOJQJ^JaJ)jh2Eh>-CJOJQJU^JaJh2Eh>-0JCJaJ777-$IfgdZl kd#7$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E7 8"8$889:$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd9\l ^9_9`9|9}9::::::::::;;;;C<D<E<a<b<=====>>ҴҴhҴҴPҴ/j<h2EhC(CJOJQJU^JaJ/j9;h2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2Eh9\CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/j<9h2EhC(CJOJQJU^JaJ:::-$IfgdZl kdQ:$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E::::p;<F==$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd9\l ===-$IfgdZl kd1=$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E=====>$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd9\l >>>-$IfgdZl kd>$$Ifl4r3(% 3zZ   t0644 laf4p2yt2E>>>>>>>%>Bkd?$$Ifl403 3- t0644 laf4pyt2E$If^`gd2El o&$IfgdZl >>6>7>B>R>T>U>>>>>>??%@&@'@0@1@3@S@b@c@@ʹʒzmʒUmDʒ h2Eh>-CJOJQJ^JaJ/jAh2EhC(CJOJQJU^JaJh2EhC(0JCJaJ/jk@h2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2Eh9\CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ#h2Ehe5CJOJQJ^JaJ%>5>6>7>B>R>ZG4G$Ifgd9\l $IfgdZl kd?$$Ifl403 3- t0644 laf4pyt2E$If^`gd2El R>T>?b@BtBCC$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El @@@@@tBuBBBBBBCCCCCDDDҴҴҴyhVA)jh2Eh>-CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2Eh9\CJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ/jCh2EhC(CJOJQJU^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/jBh2EhC(CJOJQJU^JaJCCC-$IfgdZl kdD$$Ifl4r3(% 3zZ  t0644 laf4p2yt2ECCCCCDUBBB$IfgdZl kdE$$Ifl403 3- t0644 laf4g哔&pyt2E$If^`gd2El DDzE GG-H$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El DyDzD{DDDzE{EEEEEEG-H.H3H\H]HnHwHµµ{iWF4#h2EhC(5CJOJQJ^JaJ h2Eh9\CJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ#h2Ehe5CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ/jGh2Eh>-CJOJQJU^JaJh2Eh>-0JCJaJ)jh2Eh>-CJOJQJU^JaJ/jqFh2Eh>-CJOJQJU^JaJ h2Eh>-CJOJQJ^JaJ-H.H/H-$IfgdZl kdH$$Ifl4r3(% 3zZ   t0644 laf4p2yt2E/H0H1H2H3HAHBkdI$$Ifl403 3- t0644 laf4pyt2E$If^`gd2El o&$IfgdZl AH[H\H]HnHwHZG4G$Ifgd9\l $IfgdZl kd_J$$Ifl403 3- t0644 laf4pyt2E$If^`gd2El wHyHIJKLMM$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El wHyHzHHHHHHIIJJJ!J"JJJJJJJ K K KKKKڵڵk]LHh9\ h2Eh9\CJOJQJ^JaJh2Eh9\0J>*CJaJ'jOMh2Eh9\0JCJUaJ!jh2Eh9\0JCJUaJh2Eh9\0JCJaJ/j4Lh2EhC(CJOJQJU^JaJh2EhC(0JCJaJ/j Kh2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJ h2EhC(CJOJQJ^JaJKK8L9L:LwLxLLLL MMM,M-MMMMMMMMM٣ً٣zeO:)jh2EhC(CJOJQJU^JaJ+h2EhC(5CJOJQJ^JaJmH sH (h2Eh9\CJOJQJ^JaJmH sH h2EhC(CJOJQJ^JaJ/jOh2Eh9\CJOJQJU^JaJ h2EhC(CJOJQJ^JaJh2Eh9\0JCJaJ/j6Nh2Eh9\CJOJQJU^JaJ h2Eh9\CJOJQJ^JaJ)jh2Eh9\CJOJQJU^JaJMMM-$IfgdZl kd*P$$Ifl4r3(% 3zZ  t0644 laf4p2yt2EMMMMNuOPP$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd9\l MNNNNNNNNNNOOuOvOOOOOOOOPPPPµµk]LHA h9\h9\h9\ h2Eh9\CJOJQJ^JaJh2Eh9\0J>*CJaJ'jJSh2Eh9\0JCJUaJh2Eh9\0JCJaJ!jh2Eh9\0JCJUaJ/j-Rh2EhC(CJOJQJU^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/jQh2EhC(CJOJQJU^JaJ h2EhC(CJOJQJ^JaJPPP-$IfgdZl kd1T$$Ifl4r3(% 3zZ  t0644 laf4p2yt2EPPPPPPPPQQQRQ[Q\QQQRRRRRRdSeSfSxSSSͻަގlTlGlͻh2Eh9\0JCJaJ/j4Vh2Eh9\CJOJQJU^JaJ)jh2Eh9\CJOJQJU^JaJh2EhC(0JCJaJ/jUh2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2Eh9\CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ h2EhC(CJOJQJ^JaJPPPPQRRdS$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd9\l dSeSfS-$IfgdZl kdQW$$Ifl4r3(% 3zZ  t0644 laf4p2yt2EfSxSSSTVtXMYZZ$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $Ifgd9\l SSSSSTTTT0U1U2U9U:UVVVVVVVWWEXٟviQi/j{Zh2EhC(CJOJQJU^JaJh2EhC(0JCJaJ/j`Yh2EhC(CJOJQJU^JaJ h2EhC(CJOJQJ^JaJ)jh2EhC(CJOJQJU^JaJh2EhJp0JCJaJ/j9Xh2EhJpCJOJQJU^JaJ h2EhJpCJOJQJ^JaJ)jh2EhJpCJOJQJU^JaJEXFXGXPXQXtXuXXXXXXYYMYNYYҴvhşQ?#h2Eh`CJOJQJ\^JaJ,jh2Eh`CJOJQJU\^JaJh2EhC(0J6CJaJ/j\h2Eh8CJOJQJU^JaJ h2Eh`CJOJQJ^JaJ)jh2Eh`CJOJQJU^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/j[h2EhC(CJOJQJU^JaJYYYYYYYZZZ!Z*Z\ZzZ{Zϟ}lZH6#h2Eh5CJOJQJ^JaJ#h2EhJp5CJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ hC(hC(CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ#h2EhC(CJOJQJ\^JaJh2EhC(0J6CJ\aJh2EhC(0JCJ\aJ,jh2Eh`CJOJQJU\^JaJ2j]h2Eh8CJOJQJU\^JaJZZZ!Z-((gdC(kd_$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E!Z6ZAZJZWZ[Z$$Ifa$gd2El [Z\ZjZ)$IfgdZl kd_$$Ifl44\(% 3 z Z   ```` t(0644 laf4p(yt2EjZyZzZ{ZZZZ]G$$Ifa$gd2El kda$$Ifl403 3 -  t0644 laf4g擔&pyt2E$IfgdZl {ZZZZZ[[[[[\\X\Y\Z\`\a\\\ ] ] ]]]j]t]x]]]]]^̷̷̟z̷bQ̷ h2EhECJOJQJ^JaJ/jch2EhC(CJOJQJU^JaJ/jbh2EhC(CJOJQJU^JaJh2EhC(0JCJaJ/jah2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJ h2EhC(CJOJQJ^JaJ#h2EhC(5CJOJQJ^JaJ h2EhJpCJOJQJ^JaJZ\\v]$If^`gd2El F$If^`Fgd2El v]w]x]-$IfgdZl kdd$$Ifl4r3(% 3zZ  t0644 laf4p2yt2Ex]]]]^_X`Y`$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $IfgdJpl ^^^^^C^G^^^,_-_._4_5_______Ҵ}eX}}@X/jgh2EhJpCJOJQJU^JaJh2EhJp0JCJaJ/jfh2EhJpCJOJQJU^JaJ h2EhJpCJOJQJ^JaJ)jh2EhJpCJOJQJU^JaJ h2EhbCJOJQJ^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/jeh2EhC(CJOJQJU^JaJ_ ```X`[`n`````````VbWbbbbbbccccc>dϾnaIa/jjh2EhC(CJOJQJU^JaJh2EhC(0JCJaJ/jih2EhC(CJOJQJU^JaJ)jh2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ h2EhJpCJOJQJ^JaJ)jh2EhJpCJOJQJU^JaJh2EhJp0JCJaJh2EhJp0J6CJaJY`Z`[`-$IfgdZl kdh$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E[`n```aVbc$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $IfgdJpl ccc-$IfgdZl kdk$$Ifl4r3(% 3zZ  t0644 laf4p2yt2Ecccccd_e$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $IfgdJpl >d?d@d\d]ddd e ee.e/e`eee~eeeeeeee!fҴҴҴxgxVDҴ#h2EhC(5CJOJQJ^JaJ h2EhJpCJOJQJ^JaJ h2EhCJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ#h2Ehe5CJOJQJ^JaJ/jmh2EhC(CJOJQJU^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/jlh2EhC(CJOJQJU^JaJ_e`eae-$IfgdZl kdn$$Ifl4r3(% 3zZ   t0644 laf4p2yt2EaebecedeeepeBkdo$$Ifl403 3- t0644 laf4pyt2E$If^`gd2El o&$IfgdZl peeeeeeZG4G$IfgdJpl $IfgdZl kdp$$Ifl403 3- t0644 laf4pyt2E$If^`gd2El eeeef8z & F* $Eƀ& If^`gd2El og:d& & F ^`$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El !f"f#f3f4fff*iCiDiUiiiik+k,k-k.k9kYk\k]kkkkkҴn]nҴE/jcuh2EhC(CJOJQJU^JaJ h2EhCJOJQJ^JaJ#h2EhC(5CJOJQJ^JaJ h2EhJpCJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ h2EhT_hCJOJQJ^JaJ h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/j:qh2EhC(CJOJQJU^JaJf#gz & F* $Eƀ& If^`gd2El og:d& & F ^`#gVgz & F* $Eƀ& If^`gd2El og:d& & F ^`Vggz & F* $Eƀ& If^`gd2El og:d& & F ^`ghz & F* $Eƀ& If^`gd2El og:d& & F ^`hHhz & F* $Eƀ&If^`gd2El og:d& & F ^`Hhhz & F* $Eƀ&If^`gd2El og:d& & F ^`h)iz & F* $Eƀ&If^`gd2El og:d& & F ^`)i*i8i-$IfgdZl kd?r$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E8iBiCiDiUiiUBBB$IfgdZl kd's$$Ifl403 3- t0644 laf4g擔&pyt2E$If^`gd2El iiojk$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El kk k-$IfgdZl kds$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E k,k-k.k9kYkUB/B$IfgdJpl $IfgdZl kdt$$Ifl403 3- t0644 laf4g擔&pyt2E$If^`gd2El Yk[k\kk;l$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El kkl?lbldlelvlllllllllmm_nǶقpXKh2EhC(0JCJaJ/jxh2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2EhJpCJOJQJ^JaJ h2EhCJOJQJ^JaJ#h2Eh5CJOJQJ^JaJ h2EheCJOJQJ^JaJ#h2Ehe5CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ)jh2EhC(CJOJQJU^JaJ;ll?lMlclUB'$If^`gd2El $IfgdZl kd^w$$Ifl403 3- t0644 laf4pyt2E$If^`gd2El o&cldlelvlllubOb9$$Ifa$gd2El $IfgdJpl $IfgdZl kd x$$Ifl403 3- t0644 laf4pyt2ElmnXooo$If^`gd2El F$If^`Fgd2El _n`nanhninnnnnnnooo p p pSpTpUp^p_pvqwqҴŚtbҴJҴt/j{h2EhC(CJOJQJU^JaJ#h2EhC(5CJOJQJ^JaJ h2EhJpCJOJQJ^JaJ)h2EhC(B*CJOJQJ^JaJph2jh2EhC(B*CJOJQJU^JaJph h2EhC(CJOJQJ^JaJh2EhC(0JCJaJ)jh2EhC(CJOJQJU^JaJ/jyh2EhC(CJOJQJU^JaJooo-$IfgdZl kdz$$Ifl4r3(% 3zZ  t0644 laf4p2yt2Eoo p pwq?r@rrsytt.u$If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $IfgdZl $IfgdJpl wqxqqqqqq?r@rArrrrrrrXsYsZs٣tgtR:R/j}h2EhJpCJOJQJU^JaJ)jh2EhJpCJOJQJU^JaJh2EhC(0JCJaJ)h2EhC(B*CJOJQJ^JaJph2jh2EhC(B*CJOJQJU^JaJph h2EhJpCJOJQJ^JaJh2EhJp0JCJaJ/j|h2EhJpCJOJQJU^JaJ h2EhJpCJOJQJ^JaJ)jh2EhJpCJOJQJU^JaJZsvswsss&t't(tHtItxtyt-u.u/u1u4uhu͵͠yhWI7#h2Ehk=5CJOJQJ^JaJhk=CJOJQJ^JaJ hC(hC(CJOJQJ^JaJ h2EhC(CJOJQJ^JaJ#h2EhC(6CJOJQJ^JaJ)h2EhC(B*CJOJQJ^JaJph)h2EhJpB*CJOJQJ^JaJph/j~h2EhJpCJOJQJU^JaJ h2EhJpCJOJQJ^JaJ)jh2EhJpCJOJQJU^JaJh2EhJp0JCJaJ.u/u2u4u-#gdC( gdC(o˓kd$$Ifl4r3(% 3zZ  t0644 laf4p2yt2E4uBuMuVucugu$$Ifa$gd2El guhusu)$Ifgd l kd$$Ifl44\(% 3 z Z   ```` t(0644 laf4p(yt2Esuuuuuuuuuuu]kdˁ$$Ifl403 3 -  t0644 laf4g擔&pyt2E$Ifgd l huuuuuuuuuu,v-v.v7v8vvvw w!w*w+wwwwܰ~qTq8jfh2Ehk=B*CJOJQJU^JaJphh2Ehk=0JCJaJ8jh2Ehk=B*CJOJQJU^JaJph)h2Ehk=B*CJOJQJ^JaJph2jh2Ehk=B*CJOJQJU^JaJph#h2Ehk=5CJOJQJ^JaJ h2Ehk=CJOJQJ^JaJ#h2Ehk=5CJOJQJ^JaJuuuuuuuuuvwxyy$Ifgdk=l $If^`gd2El F$If^`Fgd2El $$Ifa$gd2El $Ifgd l wwxxxxxxyyyyyyyzzzzz:z;z6666666666666666666666666666666666666666666666666hH6666666666666666666666666666666666666666666666666666666666666666662 0@P`p2( 0@P`p 0@P`p 0@P`p 0@P`p 0@P`p 0@P`p8XV~_HmH nH sH tH @`@ \NormalCJ_HaJmH sH tH >@> 9 Heading 1$$@&a$5B@B 6 Heading 2$@&^5\:@:  Heading 3$@&5\B@B  Heading 4$$@&a$5CJ$F@F  Heading 5$$ P@&a$CJ`@`  Heading 6)$$  80@&^8`0a$ 5CJ\X@X  Heading 7$$@&]a$5CJOJQJ\^JL@L  Heading 8$$ P@&a$ 5CJ\Z @Z  Heading 9 $$@&a$5B* CJ`OJ QJ \^J ph3fDA`D Default Paragraph FontVi@V  Table Normal :V 44 la (k`(No List NB@N Body Text h7$8$H$ B*aJphdC@d Body Text Indent 887$8$H$^8 B*aJphhR@h Body Text Indent 2 87$8$H$^ B*aJphjS@"j Body Text Indent 3 87$8$H$^ B*aJph\^@2\ Normal (Web)dd[$\$B*OJ PJ QJ ^J phBU`AB Q Hyperlink>*B*OJQJ^Jph*WQ* Strong5\4>@b4 Title$a$5CJ:J@r: Subtitle$a$5CJ4 @4 Footer  !.)@. Page NumberRY@R  Document Map-D M OJ QJ ^J 4@4 Header  !F@F\QTOC 1 (! 5CJmHnHuX@XLTOC 2 ! 0^`05CJaJmHnHu.@. TOC 3 ^.@. TOC 4 ^.@. TOC 5 ^.@. TOC 6 !^.@. TOC 7 "^.@. TOC 8 #^.@. TOC 9 $^FVQF FollowedHyperlink >*B* phBP@bB Body Text 2&$a$ 5CJ\H@rH  Balloon Text'CJOJ QJ ^J aJZQ@Z Body Text 3($7$8$H$a$5B*CJ\aJphe@ HTML Preformatted7) 2( Px 4 #\'*.25@9CJOJ PJ QJ ^J aJj@j r Table Grid7:V*0*dod ez~Default+1$7$8$H$-B*CJOJQJ^J_HaJmH phsH tH B'@B @AComment ReferenceCJaJ<@< @A Comment Text-CJaJ@j@@ @AComment Subject.5\6O6 ZCM8/d B*^Jph8O8 [CM160d B*^Jph6O6 ,CM61d B*^Jph6O6 ,CM482] B*^Jph8O8 lCM183d B*^Jph8O8 (]CM104d B*^Jph8O8 (]CM335d B*^JphROaR F(Heading 2 Char5CJ\_HaJmH sH tH 6O6 CM477* B*^Jph6O6 CM58d B*^JphPOP ?0Heading 1 Char5CJ_HaJmH sH tH PK![Content_Types].xmlN0EH-J@%ǎǢ|ș$زULTB l,3;rØJB+$G]7O٭V$ !)O^rC$y@/yH*񄴽)޵߻UDb`}"qۋJחX^)I`nEp)liV[]1M<OP6r=zgbIguSebORD۫qu gZo~ٺlAplxpT0+[}`jzAV2Fi@qv֬5\|ʜ̭NleXdsjcs7f W+Ն7`g ȘJj|h(KD- dXiJ؇(x$( :;˹! I_TS 1?E??ZBΪmU/?~xY'y5g&΋/ɋ>GMGeD3Vq%'#q$8K)fw9:ĵ x}rxwr:\TZaG*y8IjbRc|XŻǿI u3KGnD1NIBs RuK>V.EL+M2#'fi ~V vl{u8zH *:(W☕ ~JTe\O*tHGHY}KNP*ݾ˦TѼ9/#A7qZ$*c?qUnwN%Oi4 =3N)cbJ uV4(Tn 7_?m-ٛ{UBwznʜ"Z xJZp; {/<P;,)''KQk5qpN8KGbe Sd̛\17 pa>SR! 3K4'+rzQ TTIIvt]Kc⫲K#v5+|D~O@%\w_nN[L9KqgVhn R!y+Un;*&/HrT >>\ t=.Tġ S; Z~!P9giCڧ!# B,;X=ۻ,I2UWV9$lk=Aj;{AP79|s*Y;̠[MCۿhf]o{oY=1kyVV5E8Vk+֜\80X4D)!!?*|fv u"xA@T_q64)kڬuV7 t '%;i9s9x,ڎ-45xd8?ǘd/Y|t &LILJ`& -Gt/PK! ѐ'theme/theme/_rels/themeManager.xml.relsM 0wooӺ&݈Э5 6?$Q ,.aic21h:qm@RN;d`o7gK(M&$R(.1r'JЊT8V"AȻHu}|$b{P8g/]QAsم(#L[PK-![Content_Types].xmlPK-!֧6 0_rels/.relsPK-!kytheme/theme/themeManager.xmlPK-!0C)theme/theme/theme1.xmlPK-! ѐ' theme/theme/_rels/themeManager.xml.relsPK] DPWUSERYorfhmfhm@f@f@r AOA W  [`LPC C "T" !"#n$c%G&'(0),.02i7Q;<2BoOcU4[Naacghidkmorvx }}0rqݒgWY;>7$9u`Sb G-M9oF*=lz- nFb/+ z"#P%g)*+/192 6l78{;;W>@B&CEG=IK}L$NQ!TGVXGZS\\G`afnklmn porstwxz9|,~bǀÂ"ދ|ő1P>r~j.):J'> 1  a< #&(*R,.1:3I567^9>@DwHKMPSEXY{Z^_>d!fk_nwqZshuwCzz>@BCKLMOPQRSTUVWXY[\]^_`abcdeghijklmnpsy~    "(*+,.134579;=?@CEFHKLMOQSTVWYZ\^`acefhjkmoprsuwyz{|~ !$%(,0147:@DGLQXY[]`cflpuwzm  ! " ; < W  (*+{---).m....0/U1,57:<dBJaK9MNzQY!bfghkHnrvxNz{ |U||+~0xsӎA(A Ng.[m"M3^rŮhi<%ɸ]Py##uc-N'L 17m q Tg5nd\ {"3#( +Q,12379;@FBCJkLkQSURWY \y]`fhklp rsuwtx|}Tƀ,Dx tܜU'ɥT4V1$(#ax5Vtc>\dy &Fk=_wF]_(*F     EG=?FH8:Bn"#/#>#w#((,, .".00h2j2q222d4p445566c677::==>>%>R>CCD-H/HAHwHMMPPdSfSZ!Z[ZjZZv]x]Y`[`cc_eaepeef#gVgghHhh)i8iik kYk;l=lclloo.u4ugusuuyyzz?ADEFGHIJNZfoqrtuvwxz{|}  !#$%&')-/0268:<>ABDGIJNPRUX[]_bdgilnqtvx}     "#&')*+-./235689;<=>?ABCEFHIJKMNOPRSTUVWZ\^_abdeghijkmnoqrstvxy{|}~Xl!#$&FYuwx{=Zvxy| &)*,Lm589;[p@\_`b & ) * , L w  5 Q T U W w   ! " $ D ` |   : V Y Z \ |   " # % E j .JMNPp$Gcfgi;Qmpqs0346V{   /@\_`b1457Wv4PSTVv !#CVruvx '*+-Mm/235Uj #?BCEez@\_`b=Rnqrt"%&(Hn'CFGIiz4Hdghk$@CDFf *m ! l becocMeeeDgggt uu0y~yy>{{{|||||2}E} OaA$.܊g˖֖ yݴ¹Rwº,7<#ep)3DuXbA=Hj :BF.0_gFN;>] umqQ-7g3   n   f   7\Wx{!!"k"""D((()p))%/m/w//E0c08889 ::F:::>AAABCCIIJJ.K6KKKLMOMMM$NBNPTQ\QQ P$P$L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'U)U)U)U)U)U)U)U)U)U)U)U)U)U)U)T?U_____`jceeggTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuyyy@}@}<,...............................................................................^i+kkkkkk#@@`c N_m  5 0r#*033:PD\ELLNTXddejtptTw||{ >tӕ2ܼܼU@##9-9- hr@@@ @ @@@@@@\ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnop@q@rs@tuvwx@y@z@{@|@}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~@@@@@@     @@@@@@@@@@ !"#$%@&@'(@)@*+,@-@./0123456789:;<@=@>?@ABCDEFGHIJKLMNOPQRS@T@UVWXYZ[\]^_@`@a@b@ct  %0:j? "P$L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'L'c'c'c'c'c'U)U)U)U)U)U)U)U)U)U)U)U)U)U)`)T?U_____`kceeggTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTuTunuyyyA}A}VY...........................................................................WWWW}9=!llllllGAA}Q+8m}  m &2T#7*034;iDoELLNTXddfkp7tmw ||qM0TGǝǝ22##:-:-wir9+> ,> -> .> /> 0> 1> 2> 3> 4> 5> 6> 7> 8> 9> :> ;> <> => >> ?> @> A> B> C> D> E> F> G> H> I> J> K> L> M> N> O> P> Q> R> S> T> U> V> W> X> Y> Z> [> \> ]> ^> _> `> a> b> c>  ""33366SQSQcQ66F &55q&q&|&)))Q-Q-\-000H2H2S2??d d j @?@?K?r     ! "$#%'&()*+,-/.012435768""33366_QoQoQBHH%--""??{&&&)))[-d-d-000R2[2[2??i q q J?S?S?r ! "$#%'&()*+,-/.012435768 =6*urn:schemas-microsoft-com:office:smarttags PlaceType=5*urn:schemas-microsoft-com:office:smarttags PlaceName97*urn:schemas-microsoft-com:office:smarttagsplace89*urn:schemas-microsoft-com:office:smarttagsdate?*urn:schemas-microsoft-com:office:smarttags stockticker>*urn:schemas-microsoft-com:office:smarttags PersonNameB3*urn:schemas-microsoft-com:office:smarttagscountry-region8.*urn:schemas-microsoft-com:office:smarttagsCity8*urn:schemas-microsoft-com:office:smarttagstime A 0182202003200547DayHourMinuteMonthYear9  9  765737657.7.7657567.7.7.756756756756756  9  9  765756756 #qq.!RSWX_bghJMYZJKSTWXablmpqmqqqqrrrrr;rFrrr}rrrrrrqq;rFrrr}rrrr II^^IIlmqqqqqqrrrrrrrrr II^^IIlqqqqqqrrrrrrrrr C #|>F@ +: q=NWgJYD+Y:04dD!6f$FN-)t@/zM4P,5x87l391<~FR<&Dkj&>??iU?d&YE*p CGbh:0J4$L.'j} LJ~uOMlRb TBlq# m??Yq2gxN-)0C #igNWg0zM40&YE0t@/0F@ 0l39uOMp CG0~FR<0lp0X4f} L$                            Z                 0|                   '{      0|                                  O O     N9        w                                     D                 ڪ        @                D                                                     54@AW8?0Q'$GI-7./rQ/db0 m0 2I2T2}v3z34=4QY4J5YM5d=6a6O7 u8)949=9(:k}:$;=PB=v6>Vr>\?k%@LAgA EFXsF8GQ4GCHHJ"J&rKLsrL(xL|MN+NSXN9O-PGS T+T9T8U>mWyuWbXdXYZa-ZSZA[s[K#\a.\9\f]4^S-^\I^ 2_`I`a"2a b0bj6bZbub$af/hT_hDzh{ii0Ql bm6nPoJp+fpq@&qp sTtRlt>(u9uCIvwxyfzu{ez~Uj3"MLe)lCv$I;e%(0/VC(`.+7k=[7jv#.GPHgkK,ma:X5bp?xZOSW "N\.QKg)6=Q r~ "D+'-9j=5 q\i@OXBY68Q!8!mL\QT9Beu&/ .Y"-&fy2El\k \X+im#BWeo#F(?L(],[8y[{Z#r pFor8|D({CDSX0V~)Tl}]JNZ\CG0@G1[<mW n E[kH85y<_ 3qq@r@UnknownAuthorDPWUSERY"Division of Technology Engineeringdpwuser"Division of Technology EngineeringFrank3Division of Technology Engineering20100517T13227838V&"Division of Technology EngineeringG*Ax Times New Roman5Symbol3. *Cx Arial9GaramondCMeliorMelior?Melior-Bold;. *Cx HelveticaE Helvetica-Bold3*Ax TimesO.  k9Lucida Sans UnicodeI. ??Arial Unicode MS5. .[`)Tahoma?= *Cx Courier New;WingdingsA$BCambria Math"0hhg:g: m]??pm]??p!x4pp 2qHX?5y2 !xx HIPAA Security Manual%DPW HIPAA Security policies/practicesHIPAA, Security Frank Morrowdpwuser                           Oh+'0, <H h t  HIPAA Security Manual(DPW HIPAA Security policies/practicesFrank MorrowHIPAA, Security Normal.dotmdpwuser2Microsoft Office Word@@?E1@A@A?m]՜.+,D՜.+,X hp  Pa Dept. of Public Welfarep?p HIPAA Security Manual Title@\dt  (4 _PID_HLINKS_AdHocReviewCycleID_EmailSubject _AuthorEmail_AuthorEmailDisplayName_PreviousAdHocReviewCycleID_ReviewingToolsShownOnce xd_Signature Order TemplateUrl xd_ProgID PublishingStartDatePublishingExpirationDate _SourceUrl_SharedFileIndexADJM9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=120207CJ9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=119507MG9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=120179 DNhttp://bis/pgm/h-net standards/1.0 security/Data Classification Standards.docAJhttp://bis/pgm/h-net standards/1.0 security/Data Encryption Standards.doc6x>8http://bis/pgm/doc/secureemail/secureemail overview.doc;Zhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73867&oaoitNav=|8305|1821|1828|3632|J89http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=1202006x58http://bis/pgm/doc/secureemail/secureemail overview.docsk2[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=177789&PM=1&oaoitNav=|8305|1821|1855|J/9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=120200,Jhttp://bis/pgm/h-net standards/1.0 security/unified security overview.doc)Jhttp://bis/pgm/h-net standards/1.0 security/unified security overview.doc &Nhttp://bis/pgm/h-net standards/1.0 security/Data Classification Standards.doc#Jhttp://bis/pgm/h-net standards/1.0 security/Data Encryption Standards.doc Jhttp://bis/pgm/h-net standards/1.0 security/unified security overview.doc Zhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|YWQhttp://bis/pgm/h-net standards/4.2 platform server/server backup and restore.docJK9http://www.oa.state.pa.us/oac/lib/oac/manuals/m245-4.pdf+s`http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&q=132275&oaoitNav=|8305|1821|5815|5823|6464|Jhttp://bis/pgm/h-net standards/1.0 security/unified security overview.docJK9http://www.oa.state.pa.us/oac/lib/oac/manuals/m245-4.pdf)t [http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126171&oaoitNav=|8305|1821|5815|5817| Vhttp://bis/pgm/h-net standards/7.1 operations and support proce/recovery planning.docYWQhttp://bis/pgm/h-net standards/4.2 platform server/server backup and restore.doczl_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|%y[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126199&oaoitNav=|8305|1821|5815|5823|Uhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73944&oaoitNav=|8305|1821|1845|~j[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=159869&PM=1&oaoitNav=|8305|1821|1845|]Vhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=178461&oaoitNav=|8305|1821|1822|Uhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73965&oaoitNav=|8305|1821|1845|bi;http://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&Q=171440]Vhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=178461&oaoitNav=|8305|1821|1822|Uhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73944&oaoitNav=|8305|1821|1845| Nhttp://bis/pgm/h-net standards/1.0 security/Data Classification Standards.dochn;http://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&Q=196598bi;http://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&Q=171440Uhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73944&oaoitNav=|8305|1821|1845|~j[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=159869&PM=1&oaoitNav=|8305|1821|1845| Zhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830| Zhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|Jhttp://bis/pgm/h-net standards/1.0 security/unified security overview.doc Zhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830| Zhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830| Zhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|M Rhttp://bis/pgm/h-net standards/1.0 security/Physical Building Security Manual.docJ9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=150202M Rhttp://bis/pgm/h-net standards/1.0 security/Physical Building Security Manual.doc'~`http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126178&oaoitNav=|8305|1821|5815|5817|5822|J9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=150202zi_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464|S9http://bis/pgm/h-net standards/13.0 privacy/Handbook.doc>http://www.dpw.state.pa.us/General/HIPPAPrivacy/003670800.htm=http://bis/pgm/h-net standards/introduction/introduction.aspzi_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464|YWQhttp://bis/pgm/h-net standards/4.2 platform server/server backup and restore.doczi_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464|J9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=150202zi_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464| Vhttp://bis/pgm/h-net standards/7.1 operations and support proce/recovery planning.docYWQhttp://bis/pgm/h-net standards/4.2 platform server/server backup and restore.doczi_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464| qhttp://bis/pgm/h-net standards/7.2 operations and support servi/backup and restoration of enterprise systems.doc Vhttp://bis/pgm/h-net standards/7.1 operations and support proce/recovery planning.docYWQhttp://bis/pgm/h-net standards/4.2 platform server/server backup and restore.doczl_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|%y[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126199&oaoitNav=|8305|1821|5815|5823|Uhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73951&oaoitNav=|8305|1821|1845|zl_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|)t~[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126171&oaoitNav=|8305|1821|5815|5817|{Jhttp://bis/pgm/h-net standards/1.0 security/unified security overview.doc)tx[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126171&oaoitNav=|8305|1821|5815|5817|uJhttp://bis/pgm/h-net standards/1.0 security/unified security overview.docrUhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73951&oaoitNav=|8305|1821|1845|oUhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73972&oaoitNav=|8305|1821|1845|/vl[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126157&oaoitNav=|8305|1821|5815|5817|zli_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|fJhttp://bis/pgm/h-net standards/1.0 security/unified security overview.doccJhttp://bis/pgm/h-net standards/1.0 security/unified security overview.doc<%`4http://www.oa.state.pa.us/oac/lib/oac/MDs/505-7.pdfM]5http://www.oa.state.pa.us/oac/lib/oac/MDs/205-34.pdf@Z5http://www.oa.state.pa.us/oac/lib/oac/MDs/205-29.pdf%zW[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&q=147983&oaoitNav=|8305|1821|5815|5817|LT5http://www.oa.state.pa.us/oac/lib/oac/MDs/505-15.pdfQJhttp://bis/pgm/h-net standards/1.0 security/unified security overview.doc)<Ndhttp://bis/pgm/H-Net Standards/2.0 Network/Business Partner User Access Request - Approval Form.doc KZhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|,uH[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126164&oaoitNav=|8305|1821|5815|5817|EUhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|9103|,uB[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126164&oaoitNav=|8305|1821|5815|5817|Y?Vhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&q=131183&oaoitNav=|8305|1821|5815|<Uhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|9103|%)94http://bis/pgm/doc/oisforms/remoteaccessrequest.doc<%64http://www.oa.state.pa.us/oac/lib/oac/MDs/505-7.pdfM35http://www.oa.state.pa.us/oac/lib/oac/MDs/205-34.pdfDJ06http://bis/pgm/doc/oisforms/internetuseragreement.pdf@-5http://www.oa.state.pa.us/oac/lib/oac/MDs/205-29.pdf*=http://bis/pgm/h-net standards/introduction/introduction.aspnd';http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=4&Q=188016W$Uhttp://www.pasecureonline.state.pa.us/pasecure/cwp/view.asp?A=3&Q=231626&pasecureNav/v![http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126157&oaoitNav=|8305|1821|5815|5817| Zhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|<:;http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73867B9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=129517WUhttp://www.pasecureonline.state.pa.us/pasecure/cwp/view.asp?A=3&Q=231626&pasecureNav/v[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126157&oaoitNav=|8305|1821|5815|5817|J9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=120207C 9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=119507M 9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=120179=http://bis/pgm/h-net standards/introduction/introduction.aspZhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73867&oaoitNav=|8305|1821|1828|3632| Nhttp://bis/pgm/h-net standards/1.0 security/Data Classification Standards.docJhttp://bis/pgm/h-net standards/1.0 security/Data Encryption Standards.docJ9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=1202006x8http://bis/pgm/doc/secureemail/secureemail overview.doc6x8http://bis/pgm/doc/secureemail/secureemail overview.docsk[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=177789&PM=1&oaoitNav=|8305|1821|1855|J9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=120200Jhttp://bis/pgm/h-net standards/1.0 security/unified security overview.doc Nhttp://bis/pgm/h-net standards/1.0 security/Data Classification Standards.docJhttp://bis/pgm/h-net standards/1.0 security/Data Encryption Standards.docJhttp://bis/pgm/h-net standards/1.0 security/unified security overview.docJK9http://www.oa.state.pa.us/oac/lib/oac/manuals/m245-4.pdfYWQhttp://bis/pgm/h-net standards/4.2 platform server/server backup and restore.doczi_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464|Jhttp://bis/pgm/h-net standards/1.0 security/unified security overview.docJK9http://www.oa.state.pa.us/oac/lib/oac/manuals/m245-4.pdf)t[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126171&oaoitNav=|8305|1821|5815|5817|Jhttp://bis/pgm/h-net standards/1.0 security/unified security overview.doc Vhttp://bis/pgm/h-net standards/7.1 operations and support proce/recovery planning.docYWQhttp://bis/pgm/h-net standards/4.2 platform server/server backup and restore.doczl_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|%y[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126199&oaoitNav=|8305|1821|5815|5823|Uhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73944&oaoitNav=|8305|1821|1845|~j[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=159869&PM=1&oaoitNav=|8305|1821|1845|Uhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73965&oaoitNav=|8305|1821|1845|]Vhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=178461&oaoitNav=|8305|1821|1822|hn;http://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&Q=196598bi;http://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&Q=171440]Vhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=178461&oaoitNav=|8305|1821|1822|Uhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73944&oaoitNav=|8305|1821|1845| Nhttp://bis/pgm/h-net standards/1.0 security/Data Classification Standards.dochn;http://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&Q=196598bi;http://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&Q=171440Uhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73944&oaoitNav=|8305|1821|1845|~j[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=159869&PM=1&oaoitNav=|8305|1821|1845| Zhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830| Zhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|M9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=194435E:http://www.oa.state.pa.us/oac/cwp/view.asp?a=353&q=191033 Zhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830| H\\hbgpwisfps01\cir\Morrow\HIPAA Security Docs\" http:\bis\pgm\h-net standards\1.0 security\Physical Building Security Manual.docJ9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=150202 H\\hbgpwisfps01\cir\Morrow\HIPAA Security Docs\" http:\bis\pgm\h-net standards\1.0 security\Physical Building Security Manual.doc8<<http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126395J|9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=150202ziy_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464|Sv9http://bis/pgm/h-net standards/13.0 privacy/Handbook.docDsRhttp://www.dpw.state.pa.us/business/requestproposals/rfpinformation/003671334.htmp=http://bis/pgm/h-net standards/introduction/introduction.asp+sm`http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&q=132275&oaoitNav=|8305|1821|5815|5823|6464|3jDhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?A=4&QUESTION_ID=85347 gVhttp://bis/pgm/h-net standards/7.1 operations and support proce/recovery planning.docYWdQhttp://bis/pgm/h-net standards/4.2 platform server/server backup and restore.docJa9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=150202zi^_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464|YW[Qhttp://bis/pgm/h-net standards/4.2 platform server/server backup and restore.docziX_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5823|6464| Uqhttp://bis/pgm/h-net standards/7.2 operations and support servi/backup and restoration of enterprise systems.doczlR_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|%yO[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126199&oaoitNav=|8305|1821|5815|5823| LVhttp://bis/pgm/h-net standards/7.1 operations and support proce/recovery planning.docYWIQhttp://bis/pgm/h-net standards/4.2 platform server/server backup and restore.docFUhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73951&oaoitNav=|8305|1821|1845|zlC_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|@Jhttp://bis/pgm/h-net standards/1.0 security/unified security overview.doc)t=[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126171&oaoitNav=|8305|1821|5815|5817|:Jhttp://bis/pgm/h-net standards/1.0 security/unified security overview.doc7Uhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73951&oaoitNav=|8305|1821|1845|4Uhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73972&oaoitNav=|8305|1821|1845|/v1[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126157&oaoitNav=|8305|1821|5815|5817|.=http://bis/pgm/h-net standards/introduction/introduction.aspzl+_http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|5815|5830|5839|(Jhttp://bis/pgm/h-net standards/1.0 security/unified security overview.doc<%%4http://www.oa.state.pa.us/oac/lib/oac/MDs/505-7.pdfM"5http://www.oa.state.pa.us/oac/lib/oac/MDs/205-34.pdf@5http://www.oa.state.pa.us/oac/lib/oac/MDs/205-29.pdfJhttp://bis/pgm/h-net standards/1.0 security/unified security overview.doc%z[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&q=147983&oaoitNav=|8305|1821|5815|5817|M5http://www.oa.state.pa.us/oac/lib/oac/MDs/515-15.pdfJhttp://bis/pgm/h-net standards/1.0 security/unified security overview.doc Zhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|,u [http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126164&oaoitNav=|8305|1821|5815|5817|)< dhttp://bis/pgm/H-Net Standards/2.0 Network/Business Partner User Access Request - Approval Form.docUhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|9103|,u[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126164&oaoitNav=|8305|1821|5815|5817|YVhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&q=131183&oaoitNav=|8305|1821|5815|Uhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74224&oaoitNav=|8305|1821|9103|<%4http://www.oa.state.pa.us/oac/lib/oac/MDs/505-7.pdfM5http://www.oa.state.pa.us/oac/lib/oac/MDs/205-34.pdf@5http://www.oa.state.pa.us/oac/lib/oac/MDs/205-29.pdf%)4http://bis/pgm/doc/oisforms/remoteaccessrequest.docDJ6http://bis/pgm/doc/oisforms/internetuseragreement.pdfnd;http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=4&Q=188016WUhttp://www.pasecureonline.state.pa.us/pasecure/cwp/view.asp?A=3&Q=231626&pasecureNav/v[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126157&oaoitNav=|8305|1821|5815|5817|=http://bis/pgm/h-net standards/introduction/introduction.asp Zhttp://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=74196&oaoitNav=|8305|1821|5815|5830|<:;http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=73867B9http://www.oa.state.pa.us/oac/cwp/view.asp?A=12&Q=129517/v[http://www.oit.state.pa.us/oaoit/cwp/view.asp?a=12&Q=126157&oaoitNav=|8305|1821|5815|5817|1_Toc1013445261_Toc1013445251_Toc1013445241_Toc1013445231_Toc1013445221_Toc1013445211_Toc1013445201_Toc1013445191_Toc1013445181_Toc1013445171_Toc1013445161_Toc1013445151_Toc1013445141_Toc1013445131|_Toc1013445121v_Toc1013445111p_Toc1013445101j_Toc1013445091d_Toc1013445081^_Toc1013445071X_Toc1013445061R_Toc1013445051L_Toc1013445041F_Toc1013445031@_Toc1013445021:_Toc10134450114_Toc1013445000._Toc1013444990(_Toc1013444980"_Toc1013444970_Toc1013444960_Toc1013444950_Toc1013444940 _Toc1013444930_Toc1013444920_Toc1013444910_Toc1013444900_Toc1013444890_Toc1013444880_Toc1013444870_Toc1013444860_Toc1013444850_Toc1013444840_Toc1013444830_Toc1013444820_Toc1013444810_Toc1013444800_Toc1013444790_Toc1013444780_Toc1013444770_Toc1013444760_Toc1013444750_Toc1013444740_Toc1013444730_Toc1013444720_Toc1013444710_Toc1013444700z_Toc1013444690t_Toc1013444680n_Toc1013444670h_Toc1013444660b_Toc1013444650\_Toc1013444640V_Toc1013444630P_Toc1013444510J_Toc1013444500D_Toc1013444497>_Toc10134439978_Toc10134439872_Toc1013443977,_Toc1013443967&_Toc1013443947 _Toc1013443517_Toc1013443507_Toc1013443497_Toc1013443487_Toc101344347 #mailto:PW, IT-Security@state.pa.us #mailto:PW, IT-Security@state.pa.usynHIPAAfpotemra@state.pa.usPotemra, Fra  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,./012346789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~Root Entry FFK(!Data 1TableR/WordDocumentSummaryInformation(-DocumentSummaryInformation85CompObjrMsoDataStore FK(!FK(!   F Microsoft Word 97-2003 Document MSWordDocWord.Document.89qDocumentLibraryFormDocumentLibraryFormDocumentLibraryForm fieldsID="48c5b5cd9b8d25ff6dd15848836f4270" ns1:_="" xm repoint/v3"> This value indicates the number of saves or revisions. The application is responsible for updating this value after each revision.