ࡱ> /2*+,-. gQbjbj++ 4TAAg  +++8cD +W~K'V))))++L,(}}}}}}},Z}97,++7,7,}/))4~///7,))}/7,}//m4Jt -&p>}'~0W~dp/|Jt/Jtt7,7,7,}}/7,7,7,W~7,7,7,7,7,7,7,7,7, :    Quality Excellence for Suppliers of Telecommunications Forum (QuEST Forum) TL 9000 Quality Management System Security Measurements Guidance Document Release 1.0 Introduction QuEST Forums vision is to be the global force for improving quality of products and services delivered to customers of communication technologies. It is a unique collaboration of service providers, suppliers and liaison organizations who come together to develop innovative solutions to practical business problems that make a difference to end users. As the communications industry continues to evolve and introduce new technologies, QuEST forum continues to use its expertise of the last two decades, through industrywide collaboration to address these new challenges. The Executive Board chartered the Next Generation Measurements Security Sub Team to identify existing industry security measurements. Based on a study of various Standards Development Organizations (SDOs), the published measurements from Center for Internet Security (CIS)  HYPERLINK "http://www.cisecurity.org" http://www.cisecurity.org and National Institute for Standards and Technology (NIST)  HYPERLINK "http://www.nist.gov/index.html" http://www.nist.gov/index.html were found to be most relevant to our efforts. The team also examined in detail the work of the Cloud Security Alliance (CSA) SDO on security measurements. However, their work is still in-progress. The measurements referenced from NIST and CIS are operational measurements applicable to an operations environment (not a development environment or supply chain) for the purpose of monitoring the effectiveness of security management within that operation. Some of these measurements may need modification before application to a telecommunications operations environment. As such, the measurements described here provide a basis for future work which can include trialing of use of the measurement, refinement of the definition, and wider review against other similar measurements that may be identified in the industry. The QuEST Forum has paraphrased the CIS and NIST measurements to conform to the TL 9000 format. To review the original measurements, the reader is directed to the links provided above and in the footnote. In publishing this document, the Next Generation Measurements Security Sub Team expects it will enable the TL 9000 registered organizations continual improvement of the security of their products and services. These measurements are for guidance only, and not intended to be mandatory for TL 9000 certification. Most Relevant Measurements The identified existing security measurements were not developed by SDOs specifically for the telecommunications industry in the spirit of TL 9000. For example, the NIST security measures assess the security assurance level of an organization regarding its information system management, operations and technology rather than focusing on a suppliers product security benchmarking. Some third party assessment/scanning tools are also needed. Most of the source data comes from incident databases, IDS logs and alerts which are from security suppliers who are usually not telecommunication manufacturers. The identified measurements are useful since they focus on measuring the security recovery and adaptation capabilities of the products and the network. Examples of such measurements are Percentage of Systems without Known Severe Vulnerabilities or Mean-Time to Mitigate Vulnerabilities. However, due to the complex telecommunications scenario both in the technical and contractual context, compared to the IT world, it is not very clear whether such measures will be eagerly adopted at this stage by the TL 9000 registered companies. Thus, the team has made an effort to identify measurements which will have high relevance for the TL 9000 user. It is hoped these most relevant measurements will significantly improve a users security posture by their use in the tracking and benchmarking of product security. The most relevant measurements are identified in the right-most column of the two Table of Contents tables below. The tables are sorted by Measurement Number and by Category. Table of Contents (Sorted by Measurement Number) Measurement NumberMeasurement IDSourceMeasurement NameCategoryMost Relevant1.1MTTIDCISMean Time to Incident DiscoveryIncidentsYes1.2MTBSICISMean Time Between Security IncidentsIncidentsYes1.3MTIRCISMean Time to Incident RecoveryIncidentsYes1.4PSWKSVCISPercent of Systems Without Known Severe VulnerabilitiesVulnerabilityYes1.5MTTMVCISMean-Time to Mitigate VulnerabilitiesVulnerabilityYes1.6PPCCISPatch Policy CompliancePatching1.7MTTPCISMean Time to PatchPatchingYes1.8PCCCISPercentage of Configuration ComplianceConfiguration1.9MTTCCISMean Time to Complete ChangesConfiguration1.10PCSRCISPercent of Changes with Security ReviewConfiguration1.11PCSECISPercent of Changes with Security ExceptionsConfiguration1.12RACCISRisk Assessment CoverageApplications1.13STCCISSecurity Testing CoverageApplicationsYes2.1VMNISTVulnerability MeasureVulnerabilityYes2.2RACMNISTRemote Access Control MeasureAttacks2.3STMNISTSecurity Training MeasureGovernance2.4ARRMNISTAudit Record Review MeasureGovernanceYes2.5CACMNISTCertification and Accreditation (C&A) Completion MeasureGovernance2.6CCMNISTConfiguration Changes MeasureConfigurationYes2.7CPTMNISTContingency Plan Testing MeasureGovernance2.8UAMNISTUser Accounts MeasureGovernance2.9IRMNISTIncident Response MeasureIncidentsYes2.10MSMNISTMedia Sanitization MeasureMaintenance2.11PSIMNISTPhysical Security Incidents MeasureIncidents2.12PMNISTPlanning MeasureGovernance2.13PSMNISTPersonnel Security MeasureGovernance2.14RAVMNISTRisk Assessment Vulnerability MeasureVulnerabilityYes2.15SACMNISTService Acquisition Contract MeasureGovernance2.16SCPMNISTSystem and Communication Protection MeasureCrypto Yes2.17FRMNISTFlaw Remediation MeasureVulnerabilityYes3.1SROQFSecurity Related OutagesIncidentsYes Table of Contents (Sorted by Category) Measurement NumberMeasurement IDSourceMeasurement NameCategoryMost Relevant1.12RACCISRisk Assessment CoverageApplications1.13STCCISSecurity Testing CoverageApplicationsYes2.2RACMNISTRemote Access Control MeasureAttacks1.8PCCCISPercentage of Configuration ComplianceConfiguration1.9MTTCCISMean Time to Complete ChangesConfiguration1.10PCSRCISPercent of Changes with Security ReviewConfiguration1.11PCSECISPercent of Changes with Security ExceptionsConfiguration2.6CCMNISTConfiguration Changes MeasureConfigurationYes2.16SCPMNISTSystem and Communication Protection MeasureCrypto Yes2.3STMNISTSecurity Training MeasureGovernance2.4ARRMNISTAudit Record Review MeasureGovernanceYes2.5CACMNISTCertification and Accreditation (C&A) Completion MeasureGovernance2.7CPTMNISTContingency Plan Testing MeasureGovernance2.12PMNISTPlanning MeasureGovernance2.13PSMNISTPersonnel Security MeasureGovernance2.15SACMNISTService Acquisition Contract MeasureGovernance2.8UAMNISTUser Accounts MeasureGovernance1.1MTTIDCISMean Time to Incident DiscoveryIncidentsYes1.2MTBSICISMean Time Between Security IncidentsIncidentsYes1.3MTIRCISMean Time to Incident RecoveryIncidentsYes2.9IRMNISTIncident Response MeasureIncidentsYes2.11PSIMNISTPhysical Security Incidents MeasureIncidents3.1SROQFSecurity Related OutagesIncidentsYes2.10MSMNISTMedia Sanitization MeasureMaintenance1.6PPCCISPatch Policy CompliancePatching1.7MTTPCISMean Time to PatchPatchingYes1.4PSWKSVCISPercent of Systems Without Known Severe VulnerabilitiesVulnerabilityYes1.5MTTMVCISMean-Time to Mitigate VulnerabilitiesVulnerabilityYes2.1VMNISTVulnerability MeasureVulnerabilityYes2.14RAVMNISTRisk Assessment Vulnerability MeasureVulnerabilityYes2.17FRMNISTFlaw Remediation MeasureVulnerabilityYes 1.1 Mean Time to Incident Discovery 1.1.1 General Description and Title Mean-Time-To-Incident-Discovery (MTTID) measures the effectiveness of the organization in detecting security incidents. Generally, the faster an organization can detects an incident, the less damage it is likely to incur. MTTID is the average amount of time, in hours, that elapsed between the Date of Occurrence and the Date of Discovery for a given set of incidents. The calculation can be averaged across a time period, type of incident, business unit, or severity. 1.1.2 Purpose Mean-Time-To-Incident-Discovery (MTTID) characterizes the efficiency of detecting incidents, by measuring the average elapsed time between the initial occurrence of an incident and its subsequent discovery. The MTTID metric also serves as a leading indicator of resilience in organization defenses because it measures detection of attacks from known vectors and unknown ones. 1.1.3 Applicable Categories Core Network Products and End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 1.1.4 Detailed Description a) Terminology Security Incident A security incident results in the actual outcomes of a business process deviating from the expected outcomes for confidentiality, integrity & availability due to deficiencies or failures of people, process or technology. b) Counting Rules: Only incidents that meet the above definition of Security Incident should be included. These would be manual inputs as defined in CIS document Security Incident Metrics: Data Attributes c) Counting Rule Exclusions: Incidents that should not be considered security incidents include disruption of service due to equipment failures. d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteMTTIDMean Time to Incident DiscoverySigma ( Date_of_Discovery - Date_of_Occurrence ) / Count(Incidents)Hours per Incident1.1.5 Sources of Data Since humans determine when an incident occurs, when the incident is contained, and when the incident is resolved, the primary data sources for this metric are manual inputs as defined in Security Incident Metrics: Data Attributes. However, these incidents may be reported by operational security systems, such as anti-malware software, security incident and event management (SIEM) systems, and host logs. 1.1.6 Reporting Frequency Weekly is recommended but can be reported Monthly, Quarterly or Annually 1.1.7 Source of Measurement CIS 1.2 Mean Time Between Security Incidents 1.2.1 General Description and Title Mean Time Between Security Incidents (MTBSI) calculates the average time, in days, between security incidents. 1.2.2 Purpose Mean Time Between Security Incidents (MTBSI) identifies the relative levels of security incident activity. 1.2.3 Applicable Categories Core Network Products and End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 1.2.4 Detailed Description a) Terminology Security Incident A security incident results in the actual outcomes of a business process deviating from the expected outcomes for confidentiality, integrity & availability due to deficiencies or failures of people, process or technology. b) Counting Rules Only incidents that meet the above definition of Security Incident should be included. These would be manual inputs as defined in CIS document Security Incident Metrics: Data Attributes c) Counting Rule Exclusions Incidents that should not be considered security incidents include disruption of service due to equipment failures. d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteMTBSIMean Time Between Security IncidentsSigma ( (Date_of_Occurence[Incident_n ] - Date_of_Occurence[Incident _n_minus_-1 ])/ Count(Incidents)Hours per incident interval 1.2.5 Sources of Data Since humans determine when an incident occurs, when the incident is contained, and when the incident is resolved, the primary data sources for this metric are manual inputs as defined in Security Incident Metrics: Data Attributes. However, these incidents may be reported by operational security systems, such as anti-malware software, security incident and event management (SIEM) systems, and host logs. 1.2.6 Reporting Frequency Weekly is recommended but can be reported Monthly, Quarterly or Annually 1.2.7 Source of Measurement CIS 1.3 Mean Time to Incident Recovery 1.3.1 General Description and Title Mean Time to Incident Recovery (MTIR) measures the effectiveness of the organization to recovery from security incidents. The sooner the organization can recover from a security incident, the less impact the incident will have on the overall organization. This calculation can be averaged across a time period, type of incident, business unit, or severity. 1.3.2 Purpose Mean Time to Incident Recovery (MTIR) characterizes the ability of the organization to return to a normal state of operations. This is measured by the average elapse time between when the incident occurred to when the organization recovered from the incident. 1.3.3 Applicable Categories Core Network Products and End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 1.3.4 Detailed Description a) Terminology Security Incident A security incident results in the actual outcomes of a business process deviating from the expected outcomes for confidentiality, integrity & availability due to deficiencies or failures of people, process or technology. b) Counting Rules Only incidents that meet the above definition of Security Incident should be included. These would be manual inputs as defined in CIS document Security Incident Metrics: Data Attributes c) Counting Rule Exclusions Incidents that should not be considered security incidents include disruption of service due to equipment failures. d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteMTIRMean Time to Incident RecoverySigma ( Date_of_Recovery - Date_of_Occurrence)/ Count(Incidents)Hours per incident1.3.5 Sources of Data Since humans determine when an incident occurs, when the incident is contained, and when the incident is resolved, the primary data sources for this metric are manual inputs as defined in Security Incident Metrics: Data Attributes. However, these incidents may be reported by operational security systems, such as anti-malware software, security incident and event management (SIEM) systems, and host logs. 1.3.6 Reporting Frequency Weekly is recommended but can be reported Monthly, Quarterly or Annually 1.3.7 Source of Measurement CIS 1.4 Percent of Systems without Known Severe Vulnerabilities 1.4.1 General Description and Title Percent of Systems without Known Severe Vulnerabilities (PSWKSV) measures the percentage of systems that when checked were not found to have any known high severity vulnerabilities during a vulnerability scan. Since vulnerability management involves both the identification of new severe vulnerabilities and the remediation of known severe vulnerabilities, the percentage of systems without known severe vulnerabilities will vary over time. Organizations can use this metric to gauge their relative level of exposure to exploits and serves as a potential indicator of expected levels of security incidents (and therefore impacts on the organization). This severity threshold is important, as there are numerous informational, local, and exposure vulnerabilities that can be detected that are not necessarily material to the organizations risk profile. Managers generally will want to reduce the level of noise to focus on the greater risks first. This metric can also be calculated for subsets of systems, such as by asset criticality of business unit. 1.4.2 Purpose Percent of Systems without Known Severe Vulnerabilities (PSWKSV) measures the organizations relative exposure to known severe vulnerabilities. The metric evaluates the percentage of systems scanned that do not have any known high severity vulnerabilities. 1.4.3 Applicable Categories Core Network Products and End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 1.4.4 Detailed Description a) Terminology Vulnerability -- Vulnerability is defined as a weakness that could be exploited by an attacker to gain access or take actions beyond those expected or intended. b) Counting Rules Severe vulnerabilities identified across the enterprise during the time period c) Counting Rule Exclusions Vulnerabilities supplier rated as severe but organizationally ranked lower should be validated before exclusion. d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNotePSWKSVPercent of Systems Without Known Severe VulnerabilitiesCount (Systems_Without_Known_Severe_Vulnerabilities)*100/ Count(Scanned_Systems)Percentage of systems 1.4.5 Sources of Data Vulnerability management systems will provide information on which systems were identified with severe vulnerabilities. 1.4.6 Reporting Frequency Weekly is recommended but can be reported Monthly, Quarterly or Annually 1.4.7 Source of Measurement CIS 1.5 Mean-Time to Mitigate Vulnerabilities 1.5.1 General Description and Title Mean-Time to Mitigate Vulnerabilities measures the average time taken to mitigate vulnerabilities identified in an organizations technologies. The vulnerability management processes consists of the identification and remediation of known vulnerabilities in an organizations environment. This metric is an indicator of the performance of the organization in addressing identified vulnerabilities. The less time required to mitigate vulnerability the more likely an organization can react effectively to reduce the risk of exploitation of vulnerabilities. It is important to note that only data from vulnerabilities explicitly mitigated are included in this metric result. The metric result is the mean time to mitigate vulnerabilities that are actively addressed during the metric time period, and not a mean time to mitigate based on the time for all known vulnerabilities to be mitigated. 1.5.2 Purpose Mean-Time to Mitigate Vulnerabilities (MTTMV) measures the average amount of time required to mitigate an identified vulnerability. This metric indicates the performance of the organization in reacting to vulnerabilities identified in the environment. It only measures the time average times for explicitly mitigated vulnerabilities, and not mean time to mitigate any vulnerability, or account for vulnerabilities that no longer appear in scanning activities. 1.5.3 Applicable Categories Core Network Products and End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 1.5.4 Detailed Description a) Terminology Vulnerability -- Vulnerability is defined as a weakness that could be exploited by an attacker to gain access or take actions beyond those expected or intended. b) Counting Rules All vulnerabilities identified across the enterprise during the time period c) Counting Rule Exclusions None d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteMTTMVMean-Time to Mitigate VulnerabilitiesSigma (Date_of_Mitigation - Date_of_Detection)/ Count(Mitigated_Vulnerabilities)Hours per vulnerability 1.5.5 Sources of Data Vulnerability management systems will provide information on which systems were identified with severe vulnerabilities. 1.5.6 Reporting Frequency Weekly is recommended but can be reported Monthly, Quarterly or Annually 1.5.7 Source of Measurement CIS 1.6 Patch Policy Compliance 1.6.1 General Description and Title Patch Policy Compliance (PPC) measures an organizations patch level for supported technologies as compared to their documented patch policy. Policy refers to the patching policy of the organization, more specifically, which patches are required for what type of computer systems at any given time. This policy might be as simple as install the latest patches from system vendors or may be more complex to account for the criticality of the patch or system. Patched to policy reflects an organizations risk/reward decisions regarding patch management. It is not meant to imply that all vendor patches are immediately installed when they are distributed. 1.6.2 Purpose Patch Policy Compliance (PPC) indicates the scope of the organizations patch level for supported technologies as compared to their documented patch policy. While specific patch policies may vary within and across organizations, performance versus stated patch state objectives can be compared as a percentage of compliant systems. 1.6.3 Applicable Categories Core Network Products and End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 1.6.4 Detailed Description a) Terminology Security Patch -- A patch is a modification to existing software in order to improve functionality, fix bugs, or address security vulnerabilities. Security patches are patches that are solely or in part created and released to address one or more security flaws, such as, but not limited to publicly disclosed vulnerabilities. b) Counting Rules None c) Counting Rule Exclusions None d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNotePPCPatch Policy ComplianceCount(Compliant_Instances)*100 / Count(Technology_Instances)Percentage of technology instances 1.6.5 Sources of Data Patch management and IT support tracking systems will provide patch deployment data. Audit reports will provide compliance status. 1.6.6 Reporting Frequency Weekly is recommended but can be reported Monthly, Quarterly or Annually 1.6.7 Source of Measurement CIS 1.7 Mean Time to Patch 1.7.1 General Description and Title Mean Time to Patch (MTTP) measures the average time taken to deploy a patch to the organizations technologies. The more quickly patches can be deployed, the lower the mean time to patch and the less time the organization spends with systems in a state known to be vulnerable. 1.7.2 Purpose Mean Time to Patch (MTTP) characterizes the effectiveness of the patch management process by measuring the average time taken from date of patch release to installation in the organization for patches deployed during the metric time period. This metric serves as an indicator of the organizations overall level of exposure to vulnerabilities by measuring the time the organization takes to address systems known to be in vulnerable states that can be remediated by security patches. This is a partial indicator as vulnerabilities may have no patches available or occur for other reasons such as system configurations. 1.7.3 Applicable Categories Core Network Products and End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 1.7.4 Detailed Description a) Terminology Security Patch -- A patch is a modification to existing software in order to improve functionality, fix bugs, or address security vulnerabilities. Security patches are patches that are solely or in part created and released to address one or more security flaws, such as, but not limited to publicly disclosed vulnerabilities. b) Counting Rules None c) Counting Rule Exclusions None d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteMTTPMean Time to PatchSigma(Date_of_Installation - Date_of_Availability) / Count(Completed_Patches)Hours per patch 1.7.5 Sources of Data Patch management and IT support tracking systems will provide patch deployment data. 1.7.6 Reporting Frequency Weekly is recommended but can be reported Monthly, Quarterly or Annually 1.7.7 Source of Measurement CIS 1.8 Percentage of Configuration Compliance 1.8.1 General Description and Title The Percent of Configuration Compliance (PCC) measures the effectiveness of configuration management in the context of information security. A percentage metric will allow benchmarking across organizations. 1.8.2 Purpose The goal of this metric is to provide an indicator of the effectiveness of an organizations configuration management policy relative to information security, especially emerging exploits. If 100% of systems are configured to standard, then those systems are relatively more secure and manageable. If this metric is less than 100%, then those systems are relatively more exposed to exploits and to unknown threats. 1.8.3 Applicable Categories Core Network Products and End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 1.8.4 Detailed Description a) Terminology None b) Counting Rules None c) Counting Rule Exclusions None d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNotePCCPercentage of Configuration ComplianceSigma(In Scope Systems With Approved Configuration) *100/ Count(In Scope Systems)Percentage of Systems 1.8.5 Sources of Data Configuration management and IT support tracking system audit reports will provide compliance status. Automated testing tools for CIS benchmarks are also available. 1.8.6 Reporting Frequency Monthly 1.8.7 Source of Measurement CIS 1.9 Mean Time to Complete Changes 1.9.1 General Description and Title The average time it takes to complete a configuration change request. 1.9.2 Purpose The goal of this metric is to provide managers with information on the average time it takes for a configuration change request to be completed. 1.9.3 Applicable Categories Core Network Products and End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 1.9.4 Detailed Description a) Terminology None b) Counting Rules None c) Counting Rule Exclusions None d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteMTCCMean Time to Complete ChangesSigma(Completion_Date - Submission_Date) / Count(Completed_Changes)Days per configuration change request 1.9.5 Sources of Data Configuration management and IT support tracking systems will provide configuration change data. 1.9.6 Reporting Frequency Weekly is recommended but can be reported Monthly, Quarterly or Annually 1.9.7 Source of Measurement CIS 1.10 Percent of Changes with Security Review 1.10.1 General Description and Title This metric indicates the percentage of configuration or system changes that were reviewed for security impacts before the change was implemented. 1.10.2 Purpose The goal of this metric is to provide managers with information about the amount of changes and system churn in their environment that have unknown impact on their security state. 1.10.3 Applicable Categories Core Network Products and End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 1.10.4 Detailed Description a) Terminology None b) Counting Rules Only completed changes should apply. c) Counting Rule Exclusions None d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNotePCSRPercent of Changes with Security ReviewSigma(Completed_Changes_with_Security_Reviews)*100/ Count(Completed_Changes)Percentage of configuration changes 1.10.5 Sources of Data Configuration management and IT support tracking systems will provide configuration change data. 1.10.6 Reporting Frequency Weekly is recommended but can be reported Monthly, Quarterly or Annually 1.10.7 Source of Measurement CIS 1.11 Percent of Changes with Security Exceptions 1.11.1 General Description and Title This metric indicates the percentage of configuration or system changes that received an exception to existing security policy. 1.11.2 Purpose The goal of this metric is to provide managers with information about the potential risks to their environment resulting from configuration or system changes exempt from the organizations security policy. 1.11.3 Applicable Categories Core Network Products and End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 1.11.4 Detailed Description a) Terminology None b) Counting Rules Only completed changes should apply. Security exceptions may only have been granted for systems that have received security reviews. c) Counting Rule Exclusions None d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNotePCSEPercent of Changes with Security ExceptionSigma(Completed_Changes_with_Security_Exceptions)*100/ Count(Completed_Changes)Percentage of configuration changes 1.11.5 Sources of Data Configuration management and IT support tracking systems will provide configuration change data. 1.11.6 Reporting Frequency Weekly is recommended but can be reported Monthly, Quarterly or Annually 1.11.7 Source of Measurement CIS 1.12 Risk Assessment Coverage 1.12.1 General Description and Title Risk assessment coverage indicates the percentage of business applications that have been subject to a risk assessment at any time. 1.12.2 Purpose This metric reports the percentage of applications that have been subjected to risk assessments. 1.12.3 Applicable Categories Core Network Products and End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 1.12.4 Detailed Description a) Terminology Risk Assessment -- The term risk assessment is defined as a process for analyzing a system and identifying the risks from potential threats and vulnerabilities to the information assets or capabilities of the system. Although many methodologies can be used, it should consider threats to the target systems, potential vulnerabilities of the systems, and impact of system exploitation. It may or may not include risk mitigation strategies and countermeasures. b) Counting Rules None c) Counting Rule Exclusions None d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteRACRisk Assessment CoverageCount(Applications_Undergone_Risk_Assessment)*100/ Count(Applications)Percent of applications 1.12.5 Sources of Data The data source for this metric is a risk assessment tracking system. 1.12.6 Reporting Frequency Weekly is recommended but can be reported Monthly, Quarterly or Annually 1.12.7 Source of Measurement CIS 1.13 Security Testing Coverage 1.13.1 General Description and Title This metric tracks the percentage of applications in the organization that have been subjected to security testing. Testing can consists of manual or automated white and/or black-box testing and generally is performed on systems post-deployment (although they could be in pre-production testing). 1.13.2 Purpose This metric indicates the percentage of the organizations applications have been tested for security risks. 1.13.3 Applicable Categories Core Network Products and End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 1.13.4 Detailed Description a) Terminology None b) Counting Rules Methodology for counting applications Refer to CIS Security Metrics document v1.0, section titled Application Security Metrics. c) Counting Rule Exclusions None d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteSTCSecurity Testing CoverageCount(Applications_Undergone_Security_Testing)*100/ Count(Deployed_Applications)Percent of applications 1.13.5 Sources of Data TBD 1.13.6 Reporting Frequency Weekly is recommended but can be reported Monthly, Quarterly or Annually 1.13.7 Source of Measurement CIS 2.1 Vulnerability Measure 2.1.1 General Description and Title Vulnerability Measure measures the percentage of high vulnerabilities mitigated within the organizationally defined time periods after discovery. 2.1.2 Purpose Ensure an environment of comprehensive security and accountability for personnel, facilities, and products. Ensure all vulnerabilities are identified and mitigated. 2.1.3 Applicable Product Categories Core Network Products and End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.1.4 Detailed Description a) Terminology Vulnerability -- Vulnerability is defined as a weakness that could be exploited by an attacker to gain access or take actions beyond those expected or intended. b) Counting Rules High vulnerabilities identified across the enterprise during the time period High vulnerabilities mitigated across the enterprise during the time period c) Counting Rule Exclusions Vulnerabilities supplier rated as high but organizationally ranked lower with no mitigation should be validated before exclusion. d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteVMVulnerability Measure(number of high vulnerabilities mitigated within targeted time frame) / (number of high vulnerabilities identified during time frame)% of vulnerabilities mitigated should be a high target set by the organization. 2.1.5 Sources of Data Vulnerability scanning software, audit logs, vulnerability management systems, patch management systems, change management records. 2.1.6 Reporting Frequency Organization defined (example annually) 2.1.7 Source of Measurement NIST SP800-53, RA-5 2.2 Remote Access Control Measure 2.2.1 General Description and Title Remote Access Control Measure measures the percentage of remote access points used to gain unauthorized access. 2.2.2 Purpose Ensure an environment of comprehensive security and accountability for personnel, facilities, and products. Restrict information, systems, and component access to individuals or machines that are identifiable, known, credible, and authorized. 2.2.3 Applicable Product Categories End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.2.4 Detailed Description a) Terminology Remote Access Refer to NIST SP800-53, AC-17 b) Counting Rules Remote access points for the organization Access points used to gain unauthorized access based on incident logs, IDS, and remote access logs c) Counting Rule Exclusions Invalid exclusions will result if the organization does not document all remote access points (CM-2), use Intrusion Detection Systems to monitor remote access points (SI-4), collect/review remote access audit logs (AU-6), and normalize incident categories for security incidents (IR-5) d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteRACMRemote Access Control Measure(Number of remote access points used to gain unauthorized access) / (total number of remote access points)% of successful unauthorized accesses should be a very low number set by the organization. 2.2.5 Sources of Data Incident database, audit logs, network diagrams, IDS logs and alerts 2.2.6 Reporting Frequency Organization defined (example: quarterly) 2.2.7 Source of Measurement NIST SP800-53, AC-17 2.3 Security Training Measure 2.3.1 General Description and Title Security Training Measure measures the percentage of information system security personnel that have received security training. 2.3.2 Purpose Ensure a high-quality work force supported by modern and secure infrastructure and operational capabilities. Ensure that organization personnel are adequately trained to carry out their assigned information security-related duties and responsibilities. 2.3.3 Applicable Categories All Product Categories. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.3.4 Detailed Description a) Terminology None b) Counting Rules Employees in the organization having significant security responsibilities Employees with significant security responsibilities that have received required training c) Counting Rule Exclusions Invalid exclusions will result if the organization does not formally identify employees with significant security responsibilities (AT-3) or maintain adequate training records (AT-4) d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteSTMSecurity Training Measure(Number of information system security personnel completing security training in the past year) / (total number of information system security personnel)% of security personnel completing required training in a year should be a high number set by the organization. 2.3.5 Sources of Data Training awareness and tracking records 2.3.6 Reporting Frequency Organization defined (example: annually) 2.3.7 Source of Measurement NIST SP800-53, AT-3 2.4 Audit Record Review Measure 2.4.1 General Description and Title Audit Record Review Measure measures the average frequency of audit records review and analysis for inappropriate activity. 2.4.2 Purpose Ensure an environment of comprehensive security and accountability for personnel, facilities, and products. Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate activity. 2.4.3 Applicable Categories All Product Categories. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.4.4 Detailed Description a) Terminology Audit Record -- Any log or record related to security such as a security log for a product or access log (physical building or product). b) Counting Rules System audit logs reviewed within the following time periods: past day, past week, 2 weeks to 1 month, 1 month to 6 months, over 6 months For Collection Frequency, refer to NIST SP800-53, AU-6. c) Counting Rule Exclusions Invalid exclusions will result for systems not adequately logging system data (AU-2) and for activities inappropriately categorized within system logs. d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteARRMAudit Record Review MeasureAverage frequency during reporting time.Average frequency of log reviews during the time period should be a high frequency set by the organization. 2.4.5 Sources of Data Audit log reports 2.4.6 Reporting Frequency Organization defined (example: quarterly) 2.4.7 Source of Measurement NIST SP800-53, AU-6 2.5 C&A Completion Measure 2.5.1 General Description and Title C&A Compliance Measure measures the percentage of new systems that have completed certification and accreditation (C&A) prior to their implementation. 2.5.2 Purpose Ensure an environment of comprehensive security and accountability for personnel, facilities, and products. Ensure all information systems have been certified and accredited as required. 2.5.3 Applicable Categories End Customers Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.5.4 Detailed Description a) Terminology C&A Certification, Accreditation, and Security Assessments performed per the organizations internal requirements Authorizing Official [AO] Group or individual with the authority to formally certify a system for implementation b) Counting Rules Number of new systems implemented during the reporting time period Number of new systems implemented during the reporting time period that received authority to operate prior to implementation c) Counting Rule Exclusions Invalid exclusions will result for organizations that do not maintain a system inventory, implement a formal C&A process (CA-1), or require all systems to complete the C&A process prior to implementation. d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteCACMC&A Completion Measure(number of new systems with complete C&A packages with AO approval prior to implementation) / (total number of newly implemented systems)% of new systems certified prior to implementation should be a high number set by the organization 2.5.5 Sources of Data System inventory, system C&A documentation 2.5.6 Reporting Frequency Organization defined (example: annually) 2.5.7 Source of Measurement NIST SP800-53, CA-6 2.6 Configuration Changes Measure 2.6.1 General Description and Title Configuration Changes Measure measures the percentage of approved and implemented configuration changes identified in the latest automated baseline configuration. 2.6.2 Purpose Accelerate the development and use of an electronic information infrastructure. Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. 2.6.3 Applicable Categories Core Network Products. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.6.4 Detailed Description a) Terminology None b) Counting Rules Number of configuration changes identified through automated scanning over the last reporting period Number of change control requests approved and implemented over the last reporting period c) Counting Rule Exclusions Invalid exclusions will result for organizations that do not manage configuration changes using a formal and approved process (CM-3) and for organizations that do not use automated tools to identify configuration changes on systems/networks. d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteCCMChange Control Measure(number of approved and implemented configuration changes identified in the latest automated baseline configuration) / (total number of configuration changes identified through automated scans)% of approved changes to detected changes should be a high number set by the organization 2.6.5 Sources of Data System security plans, configuration management database, security tools logs 2.6.6 Reporting Frequency Organization defined (example: annually) 2.6.7 Source of Measurement NIST SP800-53, CM-2/CM-3 2.7 Contingency Plan Testing Measure 2.7.1 General Description and Title Contingency Plan Testing Measure measures the percentage of information systems that have conducted annual contingency plan testing 2.7.2 Purpose Ensure an environment of comprehensive security and accountability for personnel facilities and systems. Establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations. 2.7.3 Applicable Categories All Product Categories. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.7.4 Detailed Description a) Terminology None b) Counting Rules Systems in Inventory Systems with approved contingency plan Contingency plans successfully tested within the year c) Counting Rule Exclusions None Measurement Identifiers and Formulas IdentifierTitleFormulaNoteCPTMContingency Plan Testing MeasureNumber of information systems that have conducted annual contingency plan testing / Number of information systems in the system inventory% information systems that have conducted annual plan testing 2.7.5 Sources of Data Contingency plan testing results. 2.7.6 Reporting Frequency Organization defined (example annually) 2.7.7 Source of Measurement NIST SP800-53, CP-4 2.8 User Accounts Measure 2.8.1 General Description and Title User Accounts Measure measures the percentage of users with access to shared accounts. 2.8.2 Purpose Ensure an environment of comprehensive security and accountability for personnel, facilities, and products. All system users are identified and authenticated in accordance with information security policy. 2.8.3 Applicable Categories All Product Categories. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.8.4 Detailed Description a) Terminology Shared account Any account that is not unique or intended for use by a single user. b) Counting Rules Number of users with access to the system Number of users with access to shared accounts c) Counting Rule Exclusions None d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteUAMUser Accounts Measure(number of users with access to shared accounts) / (total number of users)% of users with access to shared accounts (should be a low number set by the organization)2.8.5 Sources of Data Configuration management database, access control list, system-produced user ID list 2.8.6 Reporting Frequency Organization defined (example: monthly) 2.8.7 Source of Measurement NIST SP800-53, AC-2/AC-3/IA-2 2.9 Incident Response Measure 2.9.1 General Description and Title Incident Response Measure measures the percentage of incidents reported within required time frame per applicable incident category (the measure should be computed for each incident category). 2.9.2 Purpose Make accurate, timely information on the organizations programs and services readily available. Track, document, and report incidents to appropriate organizational officials and/or authorities. 2.9.3 Applicable Categories Core Network Products and End Customer Services. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.9.4 Detailed Description a) Terminology None b) Counting Rules Number of incidents reported during the reporting period for the following categories: unauthorized access, denial of service, malicious code, improper usage, scans/probes/attempted access, and investigation Number of incidents reported within the prescribed time frame established by US-CERT for each category c) Counting Rule Exclusions None d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteIRMIncident Response MeasureFor each category: (number of incidents reported on time) / (total number of incidents reported for that category)% of incidents reported in an appropriate timeframe should be a high number set by the organization 2.9.5 Sources of Data Incident logs, incident tracking database 2.9.6 Reporting Frequency Organization defined (example: annually) 2.9.7 Source of Measurement NIST SP800-53, IR-6 2.10 Media Sanitization Measure 2.10.1 General Description and Title Media Sanitization Measure measures the percentage of media that passes sanitization testing. 2.10.2 Purpose Ensure an environment of comprehensive security and accountability for personnel, facilities, and products. Sanitize or destroy information system media before disposal or release for reuse. 2.10.3 Applicable Categories Core Network Products. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.10.4 Detailed Description a) Terminology None b) Counting Rules Number of media that successfully passed sanitization testing Total number of media tested c) Counting Rule Exclusions Invalid exclusions will result for organizations that do not set policy requirements for media sanitization (MP-1) or define media sanitization procedures (e.g. FIPS-199, high impact systems [MP-6, Enhancement 2]). d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteMSMMedia Sanitization Measure(number of media that pass sanitization procedures testing) / (total number of media tested)% of media successfully sanitized according to established procedures should be a high number set by the organization 2.10.5 Sources of Data Sanitization testing results 2.10.6 Reporting Frequency Organization defined (example: annually) 2.10.7 Source of Measurement NIST SP800-53, MP-6 2.11 Physical Security Incidents Measure 2.11.1 General Description and Title Physical Security Incidents Measure measures the percentage of physical security incidents allowing unauthorized entry into facilities containing information systems. 2.11.2 Purpose Ensure an environment of comprehensive security and accountability for personnel, facilities, and products. Integrate physical and information security protection mechanisms to ensure appropriate protection of the organizations information resources. 2.11.3 Applicable Categories All Product Categories. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.11.4 Detailed Description a) Terminology None b) Counting Rules Number of physical security incidents occurring during the specified period Number of physical security incidents resulting in unauthorized entry into facilities containing information systems c) Counting Rule Exclusions None d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNotePSIMPhysical Security Incidents Measure(number of physical security incidents allowing entry into facilities containing information systems) / (total number of physical security incidents)% of physical security incidents resulting in unauthorized access should be a low number set by the organization 2.11.5 Sources of Data Physical security incident reports, physical access control logs 2.11.6 Reporting Frequency Organization defined (example: quarterly) 2.11.7 Source of Measurement NIST SP800-53, PE-6 2.12 Planning Measure 2.12.1 General Description and Title Planning Measure measures the percentage of employees who are authorized access to information systems only after they sign an acknowledgement that they have read and understood rules of behavior. 2.12.2 Purpose Ensure an environment of comprehensive and accountability for personnel, facilities, and products. Develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for information systems, and the rules of behavior for individuals accessing these systems. 2.12.3 Applicable Categories All Product Categories. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.12.4 Detailed Description a) Terminology None b) Counting Rules Number of users that are granted access after signing rules of behavior acknowledgement Number of users that access the system c) Counting Rule Exclusions Invalid exclusions will result if no formal rules of behavior policies exist (PL-4) d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNotePMPlanning Measure(number of users who are granted system access after signing a rules of behavior acknowledgement) / (total number of users with system access)% of users accessing the system and having signed the rules of behavior should be a high number set by the organization 2.12.5 Sources of Data Rules of behavior acknowledgment records 2.12.6 Reporting Frequency Organization defined (example: annually) 2.12.7 Source of Measurement NIST SP800-53, PL-4/AC-2 2.13 Personnel Security Measure 2.13.1 General Description and Title Personnel Security Measure measures the percentage of individuals screened prior to being granted access to organizational information and information systems. 2.13.2 Purpose Ensure an environment of comprehensive and accountability for personnel, facilities, and products. Ensure that individuals occupying positions of responsibility within organizations are trustworthy and meet established security criteria for those positions. 2.13.3 Applicable Categories All Product Categories. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.13.4 Detailed Description a) Terminology None b) Counting Rules Number of individuals granted access to organizational information and information systems Number of individuals that have completed personnel screening c) Counting Rule Exclusions None d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNotePSMPersonnel Security Measure(number of individuals screened) / (total number of individuals with access)% of users screened prior to being granted system access should be a high number set by the organization 2.13.5 Sources of Data Clearance records, access control lists 2.13.6 Reporting Frequency Organization defined (example: annually) 2.13.7 Source of Measurement NIST SP800-53, PS-3/AC-2 2.14 Risk Assessment Vulnerability Measure 2.14.1 General Description and Title Risk Assessment Vulnerability Measure measures the percentage of vulnerabilities remediated within organization-specified time frames. 2.14.2 Purpose Ensure an environment of comprehensive accountability for personnel, facilities, and products. Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals resulting from the operation of organizational information systems. 2.14.3 Applicable Categories All Product Categories. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.14.4 Detailed Description a) Terminology POA&M Plan of Actions and Milestones b) Counting Rules Number of vulnerabilities identified through vulnerability scanning Number of vulnerabilities remediated on schedule according to the POA&M c) Counting Rule Exclusions Invalid exclusions will result if a periodic scans do not occur in a timely manner (RA-5) or if no formal processes are defined for the documentation and remediation of vulnerabilities identified (e.g. POA&M, [CA-5]) d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteRAVMRisk Assessment Vulnerability Measure(number of vulnerabilities remediated in accordance with POA&M schedule) / (total number of POA&M-documented vulnerabilities identified through vulnerability scans)% of vulnerabilities remediated in accordance with established timelines should be a high number set by the organization 2.14.5 Sources of Data POA&Ms, vulnerability scanning reports 2.14.6 Reporting Frequency Organization defined (example: monthly) 2.14.7 Source of Measurement NIST SP800-53, RA-5/CA-5 2.15 Service Acquisition Contract Measure 2.15.1 General Description and Title Service Acquisition Contract Measure measures the percentage of system and service acquisition contracts that include security requirements and/or specifications. 2.15.2 Purpose Accelerate the development and use of an electronic information infrastructure. Ensure third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization. 2.15.3 Applicable Categories All Product Categories. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.15.4 Detailed Description a) Terminology None b) Counting Rules Number of active service acquisition contracts the organization has Number of active service acquisition contracts that include security requirements and specifications c) Counting Rule Exclusions None d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteSACMService Acquisition Contract Measure(number of system and service acquisition contracts that include security requirements) / (total number of system and service acquisition contracts)% of contracts that contain security requirements should be a high number set by the organization 2.15.5 Sources of Data System and service acquisition contracts 2.15.6 Reporting Frequency Organization defined (example: annually) 2.15.7 Source of Measurement NIST SP800-53, SA-4 2.16 System and Communication Protection Measure 2.16.1 General Description and Title System and Communication Protection Measure measures the percentage of mobile computers and devices that perform all cryptographic operations using validated cryptographic modules operating in approved modes. 2.16.2 Purpose Accelerate the development and use of an electronic information infrastructure. Allocate sufficient resources to adequately protect electronic information infrastructure. 2.16.3 Applicable Categories All Product Categories. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.16.4 Detailed Description a) Terminology None b) Counting Rules Number of mobile computers and devices used in the organization Number of mobile computers that employ cryptography Number of mobile computers and devices using validated encryption methods Number of mobile computers and devices using approved encryption modules c) Counting Rule Exclusions Invalid exclusions will result if no standardized and formal encryption methods/modes are identified for organizational use (e.g. FIPS 140-2) d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteSCPMSystem and Communication Protection Measure(number of mobile computers and devices using validated cryptographic modules and methods) / (total number of mobile computers and devices)% of mobile computers and devices using approved cryptographic modes and methods should be a high number set by the organization 2.16.5 Sources of Data System security plans 2.16.6 Reporting Frequency Organization defined (example: annually) 2.16.7 Source of Measurement NIST SP800-53, SC-13 2.17 Flaw Remediation Measure 2.17.1 General Description and Title Flaw Remediation measures the percentage of operating system vulnerabilities for which patches have been applied or that have otherwise been mitigated. 2.17.2 Purpose Accelerate the development and use of an electronic information infrastructure. Provide protection from malicious code at appropriate locations within organizational information systems, monitor information systems security alerts and advisories, and take appropriate actions in response. 2.17.3 Applicable Categories All Product Categories. For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 2.17.4 Detailed Description a) Terminology POA&M Plan of Actions and Milestones b) Counting Rules Number of vulnerabilities identified by analyzing distributed alerts and advisories Number of alerts identified through vulnerability scans Number of patches or work-arounds implemented to address identified vulnerabilities Number of vulnerabilities determined to be non-applicable Number of waivers granted for weaknesses that could not be identified by implementing patches or work-arounds c) Counting Rule Exclusions None d) Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteFRMFlaw Remediation Measure(number of vulnerabilities addressed in alerts for which patches were implemented, non-applicable, or waived) / (total number of applicable vulnerabilities identified through alerts and scans)% of total vulnerabilities addressed should be a high number set by the organization 2.17.5 Sources of Data System security plans 2.17.6 Reporting Frequency Organization defined (example: monthly) 2.17.7 Source of Measurement NIST SP800-53, SI-2 3.1 Security Related Outages 3.1.1 General Description and Title Basically the outages included in SRO are a subset of those in SONE (see Section 6.2 of TL 9000 Measurement Handbook) but the outages may be counted, tracked, and reported separately in order to focus on addressing security defects. 3.1.2 Purpose The SRO measurement can provide insight into the impact of network element (NE) security vulnerabilities in the field, or can indicate gaps in wider security controls in the environment into which the element is deployed (for example, de-facto controls against denial-of-service attacks or malware). As such, the SRO measurement can provide data to help evaluate the efficacy of NE capabilities against attacks that exploit the NE security vulnerabilities during product operation, and to help evaluate the efficacy of security controls and security operations in the deployment environment. 3.1.3 Applicable Categories Product categories 1~6 in Table A-2, TL 9000 Measurement Applicability Table (Normalized Units). For the latest version of the Product Category Table see  HYPERLINK "http://tl9000.org/resources/resources.html" http://tl9000.org/resources/resources.html. 3.1.4 Detailed Description The criteria for distinguishing between customer- and product-attributable outages as described in the following counting rules are very high-level and indicative and, as such, would require interpretation for every separate usage. The applicability and usefulness of this metric across a range of network element types requires investigation and elaboration. For example, the security requirements for a layer 2 switch are very different to those for an application server. Also, for example, one hour outage on a core switch (of which there are few in the network) is very much more serious than one hour outage of an access device (of which there may be a vast number deployed). While maintaining the four metrics for each network element type would be unwieldy, aggregating and counting the outages for a range of network elements into one result may not be appropriate. a) Terminology Outage b) Counting Rules: Outages for submission under All Causes include Customer Attributable Outage and Product Attributable Outage; Counting rules 3, 4, 5, 6, and 7 in Section 6.1.4 b) of the TL 9000 Measurement Handbook shall be applied; All outages caused by a security issue that result in a complete loss of primary functionality for all or part of the system for duration greater than 15 seconds during the operational window (see Table A-3 Network Element Impact Outage Definitions in TL 9000 Measurement Handbook). Security issues include: Virus, worms Hackers attacks based on product defects Denial of Services attacks based on product defects Other attacks based on product defects. Only outages directly caused by a security incident are counted. Outages due to an operational decision to take an element or system offline to protect against attack are not included. A product attributable outage can be caused by any of the following security reasons: Security intrusion exploiting product vulnerabilities against which the product was required to be hardened; Denial of Services attacks exploiting product vulnerabilities against which the product was required to be resilient; A customer attributable outage can be caused by any of the following security reasons: Vulnerabilities due to miss-configuration or due to not following any supplier instructions and guidelines on secure deployment and use of the product Attacks exploiting any weakness of a customer organizations internal policy that fails to follow the best practice for network security (e.g. bad security configurations, deploying no firewalls or anti-DOS devices etc.) Customers internal security management enforcement issues (e.g. users with access to shared accounts, password leakage etc.) Associated security patches are not deployed by the customer; Associated anti-virus solution or virus library is not updated by the customer; c) Counting Rule Exclusions: Counting rule exclusions 2, 3, 4, 5, 6 and 7 in Section 6.1.4 c) of the Measurement Handbook shall be applied; If, as a matter of internal policy, a SP organization fails to follow the best practice for network security (e.g. not deploying anti-virus solution, firewalls or anti-DOS devices etc.), then the resultant outages shall be attributed to SRO1 and SRO2; Outages due to customers internal management problems (users with access to shared accounts, etc.) shall be attributed to SRO1 and SRO2. Calculations and Formulas Measurement Identifiers and Formulas IdentifierTitleFormulaNoteSRO1 Security related customer attributable outage frequency (number of customer caused outages) / (number of NEs in service) customer caused outages per NESRO2 Security related customer attributable outage downtime (sum of durations of customer caused outage) / (number of NEs in service) minutes of customer caused outages per NE SRO3 Security related product attributable outage frequency (number of product caused outages) / (number of NEs in service) product caused outages per NESRO4 Security related product attributable outage downtime (sum of durations of product caused outage) / (number of NEs in service) minutes of product caused outages per NE 3.1.5 Sources of Data Information provided by customers 3.1.6 Reporting Frequency Monthly is recommended but can be reported quarterly or annually. 3.1.7 Source of Measurement QuEST Forum NGN Security Sub Team Glossary Audit Record Any log or record related to security such as a security log for a product or access log (physical building or product). OS Hardening Out of the box, nearly all operating systems are configured insecurely. The idea of OS hardening is to minimize a computer's exposure to current and future threats by fully configuring the operating system and removing unnecessary applications. Risk Assessment The term risk assessment is defined as a process for analyzing a system and identifying the risks from potential threats and vulnerabilities to the information assets or capabilities of the system. Although many methodologies can be used, it should consider threats to the target systems, potential vulnerabilities of the systems, and impact of system exploitation. It may or may not include risk mitigation strategies and countermeasures. Methodologies could include FAIR, OCTAVE or others. Security Incident A security incident results in the actual outcomes of a business process deviating from the expected outcomes for confidentiality, integrity & availability due to deficiencies or failures of people, process or technology. Security Patch A patch is a modification to existing software in order to improve functionality, fix bugs, or address security vulnerabilities. Security patches are patches that are solely or in part created and released to address one or more security flaws, such as, but not limited to publicly disclosed vulnerabilities. Vulnerability Vulnerability is defined as a weakness that could be exploited by an attacker to gain access or take actions beyond those expected or intended.  ?MNPXrtuqmq\M>3h5B*\phhFW5B*CJ\aJphht5B*CJ\aJph h5CJ4OJQJ\^JaJ4ht ht5CJ4OJQJ\^JaJ4$ht5CJ4OJPJQJ\^JaJ4 htht ht5CJ OJQJ\^JaJ &htht5CJ$OJQJ\^JaJ$*htht5CJ$OJPJQJ\^JaJ$*hthBU5CJ$OJPJQJ\^JaJ$$ht5CJ$OJPJQJ\^JaJ$&?MNOPXrstu gdgd3gdoS gdoS $a$gdZJgdt $a$gdt $7$8$H$a$gdtL M l    : C  ʹududM-jh21h0J2PJU^JaJnHtH h21hgSPJ^JaJnHtH h21hPJ^JaJnHtH h21hOPJ^JaJnHtH h21hAPJ^JaJnHtH h21hfpPJ^JaJnHtH h21hla PJ^JaJnHtH h21h3PJ^JaJnHtH hWh3 h{yh3h3hoShAhoS5B*\ph   6 7 P Q R V ; T W X йsbbQ h21hla PJ^JaJnHtH h21h CPJ^JaJnHtH$h21hgS0JPJ^JaJnHtH h21hgSPJ^JaJnHtH h21hPJ^JaJnHtH h21hPJ^JaJnHtH-jh21h+=0JPJU^JaJnHtH$h21h0JPJ^JaJnHtHh+=jh+=U h21hPJ^JaJnHtH >?r<EQr~#+,.04;<ͼ}l}l}l}} h21hGaPJ^JaJnHtH h21hPJ^JaJnHtHh @*hL hs hshshhhsCJaJhu:Rh9jMh$ h21hDPJ^JaJnHtH h21hfPJ^JaJnHtH h21hla PJ^JaJnHtH h21h/!NPJ^JaJnHtH( :;|} $Ifgdtgdk gdm6&gdzwgdla $a$gdla gdoS^gdu:R<JQRWop,-:;)*Xa ANQRSiɷoaoaoaoaoaoaoaoaoaohebCJOJQJ^JaJ hAhzwCJOJQJ^JaJh:5CJaJhAh:5CJhAhg9/5CJ hg9/5CJ h5CJh7h75CJaJ#h21h75PJ^JaJnHtH hla 5CJhla 5CJaJh)^JaJnHtHhhla ^JaJnHtHhla ^JaJnHtH%ip !6CDOt޴ޣޕveT h%N9hdCJOJQJ^JaJ h%N9hw.CJOJQJ^JaJhCJOJQJ^JaJ hAhdCJOJQJ^JaJhdCJOJQJ^JaJ hAh)XJCJOJQJ^JaJhACJOJQJ^JaJhCJOJQJ^JaJhebCJOJQJ^JaJ hAhzwCJOJQJ^JaJ hAhLzCJOJQJ^JaJ nqz{|}~'Nr%J·yqlqhahZhShLhE hnOht h ht h.ht hOyht hththt hg9/5hGYht5 hkhkh@CJaJhFWh@CJaJh@h@5CJaJhZJh@5hbg5CJPJ^J hbg5h:hzwCJaJ hAhw.CJOJQJ^JaJhw.CJOJQJ^JaJh%N9CJOJQJ^JaJ h%N9hw.CJOJQJ^JaJ 18//// $Ifgdtkd$$Ifl4ֈ  !%  D t0d&44 laytG6w1;?@DJ0kd$$Iflֈ  !%  D t0d&44 laytG6w $IfgdtJNs}0kd$$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt $Ifgdt90000 $Ifgdtkd=$$Iflֈ  !%  D t0d&44 laytG6w!0kd$$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt!%KY]^0kd$$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt^bfj $IfgdtJj (Gn $CXYfzVq4GHRl~ h,ht htb/ht hxthth h1ht hf"ht h9ht hEht h8Idhtht^JaJ hEht h~ht hOht hYVIht h ht hOht hm}ht hpMhtht290000 $Ifgdtkdw$$Iflֈ  !%  D t0d&44 laytG6w0kd5$$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt0kd$$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt )78 $Ifgdt89>CGo90000 $Ifgdtkd$$Iflֈ  !%  D t0d&44 laytG6wo}~0kdo$$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt0kd-$$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt $Ifgdt %90000 $Ifgdtkd$$Iflֈ  !%  D t0d&44 laytG6w%267;>0kd $$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt>CYgkl0kdg $$Iflֈ  !%  D t0d&44 laytG6w $Ifgdtlpuz $Ifgdt90000 $Ifgdtkd% $$Iflֈ  !%  D t0d&44 laytG6w0kd $$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt 0kd $$Iflֈ  !%  D t0d&44 laytG6w $IfgdtWbc $Ifgdtcdhlq90000 $Ifgdtkd_ $$Iflֈ  !%  D t0d&44 laytG6w0kd$$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt0kd$$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt   $Ifgdt 590000 $Ifgdtkd$$Iflֈ  !%  D t0d&44 laytG6w5?CDIM0kdW$$Iflֈ  !%  D t0d&44 laytG6w $IfgdtMRmyz{0kd$$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt{ $Ifgdt90000 $Ifgdtkd$$Iflֈ  !%  D t0d&44 laytG6w0kd$$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt *Ofgr * - . : B Y Z \ m n !1!R!Ƿzvovov h~hi hi hg9/5hGYhi 5 hKhKhC5CJmH nH uhBhC5CJmH nH uhhdhCmH nH uhZJhCCJaJmH nH uhG6whG6wCJaJmH nH u h!0 h!0 h!0 hST,ht h2$ht hhthht+0kdO$$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt %*P^b $Ifgdtbchmr90000 $Ifgdtkd $$Iflֈ  !%  D t0d&44 laytG6w0kd$$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt0kd$$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt ! % $Ifgdt% & * . 1 9000 $IfgdtkdG$$Iflֈ  !%  D t0d&44 laytG6w1 J T X Y 'kd$$Iflֈ  !%  D t0d&44 laytG6w $Ifgdt $IfgdKY Z \ $Ifgdi gdKgdG6w$^`a$gd: 2))) $Ifgdi kd$$IfTl4ֈ  %   t0 &644 layt}T ! ! !+kd$$IfTlֈ  %   t0 &644 layt}T $Ifgdi  !!!!2!?!C! $Ifgdi C!D!H!M!R!4+++ $Ifgdi kdP$$IfTlֈ  %   t0 &644 layt}TR!o!!!!!"-"L"w""""""##4#5#?#P#k#####$$$)$7$;$E$_$m$q$|$$$$$$$$%)%M%j%%%%%%% h1hi h.hi hOyhi hthi hf"hi hhi h,hi hEhi h8Idhi h2$hi h- h9hi hOhi hYVIhi h hi hOhi hi hEhi 5R!p!x!y!z!+kd$$IfTlֈ  %   t0 &644 layt}T $Ifgdi z!~!!!!!! $Ifgdi !!!!!4+++ $Ifgdi kd$$IfTlֈ  %   t0 &644 layt}T!!!!!+kd$$IfTlֈ  %   t0 &644 layt}T $Ifgdi !!""."<"=" $Ifgdi =">"C"H"L"4+++ $Ifgdi kdd$$IfTlֈ  %   t0 &644 layt}TL"x""""+kd)$$IfTlֈ  %   t0 &644 layt}T $Ifgdi """"""" $Ifgdi """""4+++ $Ifgdi kd$$IfTlֈ  %   t0 &644 layt}T"# # ##+kd$$IfTlֈ  %   t0 &644 layt}T $Ifgdi ####5#@#A# $Ifgdi A#B#F#K#P#4+++ $Ifgdi kdx$$IfTlֈ  %   t0 &644 layt}TP#l#w#{#|#+kd= $$IfTlֈ  %   t0 &644 layt}T $Ifgdi |####### $Ifgdi #####4+++ $Ifgdi kd!$$IfTlֈ  %   t0 &644 layt}T## $ $ $+kd!$$IfTlֈ  %   t0 &644 layt}T $Ifgdi  $$$$*$5$6$ $Ifgdi 6$7$<$@$E$4+++ $Ifgdi kd"$$IfTlֈ  %   t0 &644 layt}TE$`$k$l$m$+kdQ#$$IfTlֈ  %   t0 &644 layt}T $Ifgdi m$r$w$|$$$$ $Ifgdi $$$$$4+++ $Ifgdi kd$$$IfTlֈ  %   t0 &644 layt}T$$$$$+kd$$$IfTlֈ  %   t0 &644 layt}T $Ifgdi $$$$ %%% $Ifgdi %%%%%)%4+++ $Ifgdi kd%$$IfTlֈ  %   t0 &644 layt}T)%N%X%\%]%+kde&$$IfTlֈ  %   t0 &644 layt}T $Ifgdi ]%a%f%j%%%% $Ifgdi %%%%%4+++ $Ifgdi kd*'$$IfTlֈ  %   t0 &644 layt}T%%%%%+kd'$$IfTlֈ  %   t0 &644 layt}T $Ifgdi %%%%& & & $Ifgdi %&&&&!&)&0&1&@&D&N&h&&&&&&'<'a'''''''''''((,(0(2(H(R(S(V(w(K*L*wlhth/;B*phhGMgh/;B*ph h dh/; hth/;hu:h/; hST,hi h2$hi hi ^JaJ hEhi hnOhi h hi hm}hi hpMhi hxthi h- h1hi h!0 h!0 h!0 hu:Rhu:Rhi htb/hi * & &&&&4+++ $Ifgdi kd($$IfTlֈ  %   t0 &644 layt}T&1&;&?& $Ifgdi $IfgdK?&@&E&I&N&4+++ $Ifgdi kdy)$$IfTlֈ  %   t0 &644 layt}TN&i&u&v&w&+kd>*$$IfTlֈ  %   t0 &644 layt}T $Ifgdi w&{&&&&&& $Ifgdi &&&&&4+++ $Ifgdi kd+$$IfTlֈ  %   t0 &644 layt}T&&&&&+kd+$$IfTlֈ  %   t0 &644 layt}T $Ifgdi &&&&')'-' $Ifgdi -'.'2'8'<'4+++ $Ifgdi kd,$$IfTlֈ  %   t0 &644 layt}T<'b'p't'u'+kdR-$$IfTlֈ  %   t0 &644 layt}T $Ifgdi u'y'|''''' $Ifgdi '''''4+++ $Ifgdi kd.$$IfTlֈ  %   t0 &644 layt}T'''''+kd.$$IfTlֈ  %   t0 &644 layt}T $Ifgdi '''(('(+( $Ifgdi +(,(R(S(4'"gd d ^`gd%'kd/$$IfTlֈ  %   t0 &644 layt}TS(w(L*M*[*+++,,,,--L...D/ ^`gd# ^`gdY8^8gdM,n8^8gd d ^`gdY8^8gdGMg^gdGMg^gdGMg^gdGMg  & F^gd KL*M*P*[*c**++++,[,\,,,,,,,,,------...C/D/b/c/////zsi_hh/;5\hoh/;5\ hh/; h >9h/;h/;5CJKHaJh dh~ehh~eh~eh h/;hhth/;hhM,n hthuh~e h~eh~ehujh+=0JUhbhcE0Jh+=jh+=UhcEh:h&o hGMgh/;h/; hth/;%D/b/c/////// $Ifgdx 8^8`gdGMg ^`gd%' ^`gdPP8^8gdGMg//////0&0~u~l~u $Ifgdo $Ifgdx $Ifgdx wkdf0$$If\8W~u#_ '=44 aUyto/////00%0'0=011111;2@2W2[2\2]2c222222233333)34333̾ӺӨӀumumubӀ^ӀhKgfhth/;B*phh/;B*phhjh/;B*ph hth/;"hPPh/;5CJaJmHnHuhG@$5CJaJmHnHuh{h#h/;5CJh#ho^ hPPh/; hoh/; hh/;h/;hh/;5\hoh/;5\ h/;5\hh/;\ h/;\$&0'0=01111:2;2W2~ulg~^^R  & F^gd8^gdPPgdPP^gdGMg^gdo^gdGMgwkd0$$If\8W~u#_ '=44 aUyto W2[2]22233)3333444455 68^8gdKgf ^`gdw8^8gdj^gdKgf^gdq^gdj^gdj^gdj d^gdG@$  & F^gd8333344T4U44444444455555n6667777D7d7f7i7j7o777778񸰨{tlbhqh/;5\hh/;\ hjh/;hh/;5\ h/;5\hoh/;5\ hh/; h >9h/;hYHh dhKgfhh~ehKgfhhth/;h h~ehKgf hthKgfjh+=0JUhbhcE0Jh+=jh+=UhcEhKgf hth/;h/;& 6n66777D7E7P7V7^7c7 $Ifgdx 8^8`gdj  ^ `gdYH8^8gdj ^`gdw c7d7j77788~u~~l $Ifgdq $Ifgdx $Ifgdx wkd^1$$If\8W~u#_ '=44 aUytx 8B8D8F8T8X8Z8`888888;;;;;r;s;t;y;;;;;;;%<&<f<g<<<<<B=C=D=G=R=˼ǵǼDZ|r|r|r|r|rkk hth/;h/;B*CJphhqh/;B*CJphhG@$h/;5CJaJ hPPh/;h Kh/;5CJaJhG@$5CJaJh`o# hCh/;ho^ hoh/;h/; hh/; hqh/;hh/;5\hqh/;5\^J h/;5\hqh/;5\(88888;;*;s;t;;~~ul~ulcu^gdj^gdj^gdj^gdjwkd1$$If\8W~u#_ '=44 aUytx ;;;;;C=D=R=V>W>s>E?F?a?p?d@v@@1A ^`gdo ^`gdo8^8gdKgf^gdKgf^gdq^gdq^gdq d^gdG@$^gdPPR=== >>V>W>Z>s>>>>??B?C?D?E?F?I?a?p??D@c@u@1AMAAAAAB'B)B+B,B1Bĺٳݬݳݤ}slbhh/;5\ h/;5\hoh/;5\ hh/; h >9h/; h?h hth %y hKgfhh~ehKgfhhthKgfh h~ehKgf hthKgfjh+=0JUhbhcE0Jh+=jh+=UhcEhKgfh/; hth/;h/;B*phhqh/;B*ph%1AMAAAABBBB!B&B $Ifgdx 8^8`gdq  ^ `gd?8^8gd %y ^`gdo8^8gdKgf &B'B,BKBSBBB~u~lc $Ifgdx $Ifgd`X $Ifgd`X $Ifgdx wkdV2$$If\8W~u#_ '=44 aUytx 1B6BJBKBSBcBgBxByBBBBBBLDMDNDSDTDDDDDDDD EEEE3EFEMEFFuhu^h/;B*CJphhF-ho^B*CJphhF-h/;B*CJphh^gdF-^gdF-^gdF- @ n^`gdjh+=0JUhbhcE0Jh+=jh+=UhcEh>hqh/;B*phh/;B*phhF-h/;B*phhjh/; hth/;hqh/;B*CJphh/;B*CJphhF-h/;B*CJphhF-h#|~B*CJph!KKKKLL1L7LLLLLM+M-MRMrMxMyMMMMMMNNNNNNNNNNNN O OOOO)O-OȾȐȌȈzvlh#h#5CJh# hChj hoh/;h/;hjho^hqh/;5\ h/;5\hh/;\ hu<h/;hh/;5\hu<h/;5\ hh/; h >9h/;hhth#|~hh#|~h hth#|~h dhaJ haJ*LLM,M-MRMSM^MdMlMqM $Ifgd 8^8`gdF-  ^ `gd & Fgd#|~8^8gd#|~ qMrMyMMNN~ulu $Ifgdu< $Ifgd $IfgdwkdN3$$If\8A 0V%   !44 aUyt NNN0NNNN O O)O-O~~ul~ccWW  & F^gd#^gdF-^gdF-^gdu<^gdF-wkd3$$If\8A 0V%   !44 aUyt -O.O0O1O[O\OOQQRR STTTUUUU8^8gd#v^gd>^gdu<^gd)V^gdu<^gdu<^gdu< dgdu<  & F^gd#-O.O/O0O1O4O5OZO[O\O_OOQQQQQQQQQRRRRS STTTTT$U`UaUUUU񼵨{sosfhbhcE0Jh+=jh+=UhcEh> hthw$hw$B*CJphh#vB*CJphh/;B*CJphh)Vh/;B*CJph hth/;hw$h)Vh/;mH nH uhth/;mH nH uhw$mH nH uh h CJaJmH nH uh/;hj hRh/;%UUUUUUUUUUVVV*VuVVVVWW1W2W3WXWxW}W~WWWWWWWWWľԭآwmmchqh/;5\hAh/;5\hh/;\ h)Vh/;hh/;5\ h/;5\ h >9h/;h/; hh/;hihth#vhh dhaJ haJhhaJ h hh#v hth#vh"H hth/; hth>hcEjh+=0JU"UVVVWW1W2WXWYWdWjWrWwW $Ifgd 8^8`gdu< 8^8`gdu<^gdu< & Fgd#v & Fgd#v8^8gd#v8^8gd wWxW~WWW X~ulu $IfgdA $Ifgd $IfgdwkdF4$$If\8W~u#_ '=44 aUytWWWW XXXXXXXXXXYYYY YY#Y$Y%Y&Y)Y*YAYBYCYFYgYYY6[8[[[ϽϹϟ~zsf\f\f\h/;B*CJphhnqh/;B*CJph hth/;hf@hth/;mH nH uhnqh/;mH nH uh/;mH nH uhf@mH nH u h/h/;h#h#5CJh# hCh]ho^ hoh/;h/;h"H hh/; hhh/;hh/;5\ h/;5\hhh/;5\$ XXX%XXXXXYY~ul~cuZZ^gdu<^gdu<^gdh^gdu<^gdu<wkd4$$If\8W~u#_ '=44 aUyt YY#Y$Y&YBYCYgYYY7[8[[\\Z][]w]I^J^e^^gdh^gdf@^gdnq^gdh^gdh^gdh dgdh  & F^gd#[\\\\Y]Z][]^]w]]]]^^F^G^H^I^J^M^s^t^^__________```:`Z`]`^`ְzsihh/;5\ h/;5\ h >9h/; hh/;h h/;h h .hhth/;hhhh(i hihihQF hthf@jh+=0JUhbhcE0Jh+=jh+=UhcEh/;B*CJphhnqh/;B*CJphhf@h/; hth/;(e^t^_____``:`;`F`L`T`Y` $Ifgd 8^8`gdh 8^8`gdh^gdh^gd .^gdh8^8gd 8^8`gdi8^8gdhY`Z`^`v```~ulu $IfgdK $Ifgd $Ifgdwkd>5$$If\8W~u#_ '=44 aUyt^`u`v`````````qasatawayazaaaaaaaaaaaaabbbb7b-cÿûû}qmfYh Ih/;B*CJph hth/;hshth/;mH nH uh Ih/;mH nH uh/;mH nH uhsmH nH u hRh/;h#h#5CJh# hCh/;ho^h/;hf@ hh/; hnqh/;hh/;5\ h/;5\hnqh/;5\hh/;\hnqh/;B*ph"````qasataaaa~ullcuZc^gdh^gdh^gd^gdh^gdhwkd5$$If\8W~u#_ '=44 aUyt aaaaabb7bLcMc[ceeeffff'h 8^8`gds8^8gds^gds^gd I^gd I^gd I^gd I dgd I^gd  & F^gd#-cJcKcLcMcPc[ceeeeeeefNfOffffffffffff&h8h9h:h>h?hZh_h`hahhhhhhhķ̦ݟݦݦxq h/;5\ h >9h/;h/; hh/;h hsh hshhthsh hihs hthsjh+=0JUhbhcE0Jh+=jh+=UhcEh Ih/;B*CJphhs hth/;hnqh/;B*CJphh/;B*CJph+'h9h?h[hahhhhhhhhh $Ifgd 8^8`gd I 8^8`gd I^gd I^gds8^8gds hhhh,iiAiiiiii jjjjj.j/j0j4j5j[j\j]j`jjjĽyunahe7Ih/;B*CJph hth/;h^7yhth/;mH nH uhe7Ih/;mH nH uh/;mH nH uh^7ymH nH u hRh/; hCh/;ho^h/;hs hh/; he7Ih/;hKh/;5\hnqh/;5\ h/;5\hh/;\h/;B*phhh/;5\%iTiiiijj+j/j~ullucZuc^gd I^gd I^gde7I^gd I^gd Iwkd6$$If\8W~u#_ '=44 aUyt /j0j\j]jjPkQk_kllmmm nnn/n4nPnUnsn^gd^7y^gde7I8^8gde7I^gd^7y^gde7I^gde7I^gde7I^gde7I dgd IjjOkPkQkTk_klllmmJmmmmmmmmmmmnn.n/n3n4nOnPnTnUnsntnunnnnnnĺٳݯ䳧ݎvkhe7Ih/;B*phhh/;5\ h/;5\ h >9h/; hh/;hth^7yh h^7yh h/;hhth/;hh/; hth^7yjh+=0JUhbhcE0Jh+=jh+=UhcE hth/;h^7yhe7Ih/;B*CJphh/;B*CJph(sntnnnnnnnnn[R $Ifgdwkd.7$$If\8W~u#_ '=44 aUyt $Ifgd 8^8`gde7I 8^8`gde7I^gde7I nn7oMoNoOoeo p p&pulcZQc^gde7I^gdwuw^gde7I^gde7Iwkd7$$If\8W~u#_ '=44 aUyt $Ifgd $Ifgd nnnnoo%o5o6o7oLoOoRo p p pppp&p-p.p/p2p4pNpOpPpQpTpUprpsptpwppļļuie^ hth/;h hth/;mH nH uh8Vh/;mH nH uh/;mH nH uh mH nH uhz}hz}CJaJmH nH u hRh/; hCh/; h/~9h/;ho^h/;h^7y hh/; hwuwh/;hh/;5\hwuwh/;5\hnqh/;5\ h/;5\hh/;\#&p.p/pKpOpPpQpsptppppp~qqqmrnrrr8^8gd u^gd u^gd8V^gd8V^gd8V^gd8V dgde7I^gde7I^gde7I^gde7IppppppppMqNq]q|q}q~qqqqqrr?r@rjrkrlrmrnrqrrrrrrrrrrrrrs:s>s?sȢТ̢̢yohh/;5\h/h/;5\ h >9h/;h/; hh/; h uhhth uh hth ujh+=0JUhbhcE0Jh+=jh+=UhcEh u hth/;h he7Ih/;B*CJphh/;B*CJphh8Vh/;B*CJph+rrrrrrrrss&s,s4s9s $Ifgd 8^8`gd8V 8^8`gd8V^gd8V^gd u8^8gd u^gd u 9s:s?s]sss~ulu $Ifgd/ $Ifgd $Ifgdwkd&8$$If\8W~u#_ '=44 aUyt?s\s]sbscsrsssssssssss>t?t@tBtEtGtHttttttttttttttuuqj hth/;h hth/;mH nH uh/h/;mH nH uh/;mH nH uh mH nH u hRh/; hCh/;ho^h/;h  hh/; h/h/;hh/;5\h/h/;5\hnqh/;5\ h/;5\hh/;\h8Vh/;B*ph$ssssAtBt\ttttt~ulcuZcul^gd/^gd8V^gd8V^gd8V^gd8Vwkd8$$If\8W~u#_ '=44 aUyt tttttttuuuuvuvvvvewfwwwww^gd\8^8gd\^gd\^gd/^gd/^gd/^gd/^gd8VujukuuuuuuTvsvtvuvvvzvvvvv7w8wbwcwdwewfwjwwwwwwwwwww x xx3xSxWxȢТ̢̝~th?3h/;5\ h >9h/;h/; hh/; h\hhth\h hVh hth\jh+=0JUhbhcE0Jh+=jh+=UhcEh\ hth/;h he7Ih/;B*CJphh/;B*CJphh/h/;B*CJph)wwww x x3x4x?xExMxRx $Ifgd 8^8`gd/ 8^8`gd/^gd/^gd\8^8gd\^gdV RxSxXxxxx~ulu $IfgdR| $Ifgd $Ifgdwkd9$$If\8W~u#_ '=44 aUytWxXxxxxxxxxxxxxxx ykylynyrytyuyyyyyyyyyyyyy'z(z)zܾ}th\hth/;mH nH uhh/;mH nH uh/;mH nH uhwmH nH uhz}hz}CJaJmH nH u hRh/; hCh/;ho^h/;h  hh/; h%h/;hR|h/;5\h?3h/;5\hnqh/;5\ h/;5\hh/;\h/h/;B*phhh/;5\$xxx ymynyyyyyy~ulculcul^gd/^gd/^gd/^gd/wkd9$$If\8W~u#_ '=44 aUyt yyy(z)zNzzzz{{{||||||}^gdw^gdw8^8gdw^gdw^gd^gd^gd^gd^gd)z-zNzzzzzzzz:{;{{{{{{{{{{5|6|n|o||||||||||||}}d}}}}}}}}}Ÿͧ h >9h/;h/; hh/; hwhhthwhhEh" hthwjh+=0JUhbhcE0Jh+=jh+=UhcEhe7Ih/;B*CJphh/;B*CJphhh/;B*CJph hth/;hw.}d}}}}}}}}}}} $Ifgd 8^8`gd 8^8`gd^gd^gdw8^8gdw 8^8`gdE }}}~j~~~u~l $Ifgd $Ifgd2 $Ifgdwkd:$$If\8W~u#_ '=44 aUyt}}}~~~~ ~J~K~W~h~i~j~~~~~~  noptvʬ쥞}tk_h2h/;mH nH uh/;mH nH uhX?mH nH u hRh/; hCh/;ho^ h2h/;h/;hw hh/; h%h/;hR|h/;5\h2h/;5\hnqh/;5\ h/;5\hh/;\h/;B*phh/h/;B*phhh/;5\hh/;5\$~~~~  &op~ulculcul^gd^gd^gd^gdwkd:$$If\8W~u#_ '=44 aUyt Z[jˀ̀؁Ńʃ ^gdX? 8^8`gd28^8gdX?^gdX?^gd2^gd2^gd2^gd2 !YZ[_jɀˀ̀ЀTU؁ăɃʃ 뼴䖒zs hh/; hX?hhthX?h h2h2h2hJ hthX?jh+=0JUhbhcE0Jh+=jh+=UhcEhe7Ih/;B*CJphh/;B*CJphh2h/;B*CJph hth/;hX?h/;hth/;mH nH u+ 01<BJOPTmd[R $Ifgd\ $Ifgd\wkd;$$If\8W~u#_ '=44 aUyt\ $Ifgd\ 8^8`gd2 8^8`gd2 0PSTlmrs˄΄҄)+,1245Յօׅĺ򯫤򫯙򫒫ymahth/;mH nH uh Mh/;mH nH uh/;mH nH uhW]mH nH u hRh/; hCh/;ho^ h%h/; h Mh/;h/;hX? h_Nh/;h_Nh/;5\hnqh/;5\hh/;\h2h/;B*phhh/;5\ h/;5\ hh/; h >9h/;&m̄̈́΄-.IulcZQcZ^gd2^gd2^gd2^gd2wkd;$$If\8W~u#_ '=44 aUyt\ $Ifgd\ $Ifgd_N օׅ%&58^8gdSC^gdW]^gd M^gd M^gd M^gd M dgd2^gd2^gd2^gd2ׅۅFG؆ن$%&*5+,deˆԈUVWrwxŸͧy h >9h/;h/; hh/; hSChhthSChh9VhSC hthSC hthW]jh+=0JUhbhcE0Jh+=jh+=UhcEhe7Ih/;B*CJphh/;B*CJphh Mh/;B*CJph hth/;hW]/ÈՈWsxɉω׉܉ $Ifgd\ 8^8`gd M 8^8`gd M^gd M^gdSC 8^8`gdSC8^8gdSC^gdSC ܉݉Ld~u~u $Ifgd\ $Ifgd\wkd<$$If\8W~u#_ '=44 aUyt\݉()5JKLcfj #$%(Iڋۋ܋ߋyuhLhth/;B*ph hth/;hth/;mH nH uh/;mH nH u h/h/; hCh/;ho^h/;hW] h_Nh/;hh/;5\hnqh/;5\hh/;\h Mh/;B*phhh/;5\ h/;5\ hh/;.def}~ullulcuZ^gd/y^gd M^gd M^gd M^gd Mwkd<$$If\8W~u#_ '=44 aUyt\  $%Iۋ܋Se & Fgd5) & Fgd5)8^8gd`8^8gd5)^gd5)^gd5)^gd5)^gd5) dgd|z !YZÍ֍5Se4 üÜÊytlyÑhh/;\ h/;\hh/;5\ h/;5\ h >9h/; hh/;hDhth/;hh dh`aJ h`aJhh`aJ h h`h/; h h hJ}jh+=0JUhbh 0Jh+=jh+=Uh h3(> hth/;(Tukd<$$If\8HLE44 aUytpE $IfgdpE 8^8`gd5) 8^8`gd5)^gd5)8^8gd5)  wnen\e^gd5)^gd5)^gd5)ukd}=$$If\8HLE44 aUytpE $IfgdpE $IfgdpE ӑԑՑڑ )*+.OÒΒÓƓԓܓ89qrȾ፜᜘yuylbjh+=0JUhbhcE0Jh+=jh+=UhcEh3(>h'hth/;B*phhD hth/;h/;mH nH uhth/;mH nH u hDaJhTbh/;5CJ hRh/; hCh/; hh/;ho^h/;hDh/;CJaJh &XCJaJh/;CJaJ&ԑՑ*+OΒ“Óʔ 8^8gdVx8^8gdTb^gd3(>^gdTb^gdTb^gdTb^gdTb^gd5)^gd5)^gd5)ɔʔ ԖՖ:>?\]Ǘȗ"%(;ĘŘƘɘ˘渿撇|xqx hCh/;ho^hi75h/;CJaJhDh/;CJaJh/;CJaJhh/;\ h/;\hh/;5\ h/;5\ h >9h/; hh/;hi75h/;h h/;hhth/;h hRhVxhVxh/;hD hth/; hth3(>hcE) 7Ֆ&,49 $IfgdpE 8^8`gdTb 8^8`gdTb^gdTb8^8gdTb & Fgdi758^8gdi75 & FgdTb 9:?]ȗ#ww $IfgdpE $IfgdpEukd=$$If\8HE|44 aUytpE#$%;ŘƘwnwewwe^gdTb^gdTb^gdTb^gdTbukdm>$$If\8HE|44 aUytpE =™͙ ʚ̚Ϛ:;st̛ћ\]{|ƻƷγ΅}xpi hh/;hi75h/;h h/;hhth/;hh[o hth3(>jh+=0JUhbhcE0Jh+=jh+=UhcEh3(>hQk?hth/;B*phh/;h& hth/;h/;mH nH uhth/;mH nH u h&aJh/;5>*CJ hRh/;)=͙˚̛̚ћ/]{ & Fgd & Fgd^gd[o8^8gd^gd3(>^gd^gd^gd^gd{|Ɲ]T $IfgdpEukd>$$If\8HLE44 aUytpE $IfgdpE 8^8`gd 8^8`gd^gd |}ŝƝߝyz)*+.01mnortŸßƟbcdgĹ̪̪xqmqbqmhth/;B*phh\ hth/;h/;mH nH uhth/;mH nH u h\aJh/;5>*CJ hRh/; hCh/;ho^hi75h/;CJaJhDh/;CJaJh/;CJaJh&hh/;\ h/;\hh/;5\ h/;5\ hh/; h >9h/;h/;&Ɲz*+Ewnen\e^gd^gd^gdukd]?$$If\8HE5 44 aUytpE $IfgdpE $IfgdpE EnoŸßcdrš~3Eϣ  & Fgd8^8gd5-+8^8gd^gd^gd^gd^gd^gdgršۡPQ{|}~3Eǣȣϣ $ܤݤޤ#'(uhh/;5\ h/;5\ h >9h/; hh/;hi75h/;h h/;hhth/;h hr!hr!hr!h! h5-+hd hthjh+=0JUhbhcE0Jh+=jh+=UhcE h8hh\h/; hth/;. %ܤݤ" $IfgdpE 8^8`gd 8^8`gd^gd & Fgd8^8gd "#(Dm٥ww $IfgdpE $IfgdpEukd?$$If\8HE|44 aUytpE(CDlmإۥޥ GHILNz{|RSTWb";ʿݰݩҰݢ~wswhwswwswhth/;B*phh< hth/;h/;mH nH uhth/;mH nH u h<aJh/;5>*CJ hRh/; hCh/;ho^hi75h/;CJaJhDh/;CJaJh/;CJaJh\ hh/;h/;hh/;5\ h/;5\hh/;\ h/;\'٥ڥۥHIe{wnwewwe^gd^gd^gd^gdukdM@$$If\8HE|44 aUytpE {STb;\۪ū & FgdBk9 & FgdBk98^8gdBk9^gdBk9^gdBk9^gdBk9^gdBk9;QƨǨ[۪īū *./EFϬЬ258KuvwʾҪʣʪ}rghi75h/;CJaJhDh/;CJaJh/;CJaJhh/;\ h/;\hh/;5\ h/;5\ h >9h/; hh/;hi75h/;h h/;hhth/;hhh/;h< hth/;jh+=0JUhbhcE0Jh+=jh+=UhcEhZD( $)*/Ff]T $IfgdpE $IfgdpEukd@$$If\8HE|44 aUytpE $IfgdpE 8^8`gdBk9 8^8`gdBk9 FЬ345Kvwwnen\eS^gdBk9^gdBk9^gdBk9^gdBk9ukd=A$$If\8HE|44 aUytpE $IfgdpE $IfgdpE wz|}5׮خٮܮ0E+ĻĴ~wsh5-+ hthMjh+=0JUhbhcE0Jh+=jh+=UhcEhMhth/;B*phhdj hth/;h/;mH nH uhth/;mH nH u hdjaJh/;5>*CJ hRh/; hCh/;h/; hh/;ho^h<-׭5خٮ0+ & FgdpE^gd5-+8^8gdpE^gdM^gdpE^gdpE^gdpE^gdpE^gdBk9^gdBk9@ALRZ_ $IfgdpE 8^8`gdpE 8^8`gdpE^gdpE & FgdpE8^8gdpE & FgdpE @`cdz{<=@ABEG^yz}~ܯا؆د{icWhth/;mH nH u hdjaJ"h|zh/;5>*CJmHnHsHh|zh/;mHsH hCh/;h Thi75h/;CJaJhDh/;CJaJh/;CJaJhdjhh/;\ h/;\hh/;5\ h/;5\ h >9h/;h/; hh/; hth/;hi75h/;h h/;hhth/;h"_`d{=~u~u $IfgdpE $IfgdpEwkdA$$If\Pg 8T@ 44 ayt"lAB^y~u~lucuuc^gdpE^gdpE^gdpE^gdpEwkd1B$$If\Pg 8T@ 44 ayt"l ~ĵGHILWշ׷ڷ EF~ָ׸۸ܸbc˹ϹйȢ̛ۅ~thh/;5\ h/;5\ h >9h/; hh/;hth/;h hthI hthN1Ejh+=0JUhbhcE0Jh+=jh+=UhcEhIhth/;B*phh/;hdj hth/;hth/;mH nH uh/;mH nH u,yĵHIWַ׷ȸ׸ܸ,c^gd9 & Fgd&^gdI8^8gd&^gdN1E^gdw^gdw^gdw^gdMŹʹ˹й]T $IfgdpEukdB$$If\8HE|44 aUytpE $IfgdpE 8^8`gdw 8^8`gdw^gdw йz{Ѻ567:<hijmnݼ߼ǿһݴһݭ~so݂okhNhfhth/;B*phhHiW hth/;h/;mH nH uhth/;mH nH u hHiWaJh/;5>*CJ hRh/; hCh/;h Th/;CJaJhDh/;CJaJhdj hh/;h/;hh/;5\ h/;5\hh/;\ h/;\(й{Ѻ6wnenne\^gdw^gdw^gdwukd%C$$If\8HE|44 aUytpE $IfgdpE $IfgdpE 67Si޼߼н߽5Gr & Fgda_ & Fgda_8^8gda_^gda_^gda_^gda_^gda_^gda_^gdw^gdwMN޽߽5Gþ(+,ABST½ֲΫ΂΂zohDh/;CJaJh/;CJaJhr~ h/;5\hh/;\ hf"\hh/;5\ hf"5\ h >9h/; hh/;h h/;hhth/;hh5RFh/;hf hth/;jh+=0JUhbhcE0Jh+=jh+=UhcE'rþ "' $Ifgd( 8^8`gda_ 8^8`gda_^gda_^gd8^8gda_ & Fgda_ '(,B~u~u $Ifgd( $Ifgd(wkdC$$If\Pg 8T@ 44 ayt(TUo~ul~c~~cZ^gda_^gda_^gda_^gda_^gda_wkdD$$If\Pg 8T@ 44 ayt( TUXZ[-K45mnɹ⪹⹵x⢹ hth8jh+=0JUhbhcE0Jh+=jh+=UhcEh8hhth/;B*phh hth/;h/;mH nH uhth/;mH nH u h aJ hCh/;h/; hh/;h Thfhi75h/;CJaJ-16TU & Fgda_^gd88^8gda_^gd8^gda_^gda_^gda_016TUV{+,JKOPjklpĿܫܑܜ܆tktghh/;mH nH uhth/;mH nH u h\#taJh@9h@9CJaJ hCh/;h ThshDh/;CJaJh/;CJaJh hh/;\ h/;\hh/;5\ h/;5\ h >9h/;h/; hh/; hth/;h8 h/;hhth/;h'U{|d[R $Ifgd( $Ifgd(wkdD$$If\Pg 8T@ 44 ayt( $Ifgd( 8^8`gda_ 8^8`gda_ ,ulcllcZ^gda_^gda_^gda_wkdE$$If\Pg 8T@ 44 ayt( $Ifgd( $Ifgd( 4JKkl^gd88^8gd ^gd#C^gd ^gd ^gd ^gd ^gda_^gda_./gh(6Q)GHIn Ⱦ嫦嘟{shh/;\ h/;\hh/;5\ h15\ h/;5\ h >9h/; hh/; h/;hhth/;hh8 hth#Cjh+=0JUhbhcE0Jh+=jh+=UhcEh#Ch/;h hth/;hth/;B*ph,6R)GHnoz $Ifgd( 8^8`gd 8^8`gd ^gd  & F gd 8^8gd  & Fgd ~u~u $Ifgd( $Ifgd(wkdE$$If\Pg 8T@ 44 ayt(/~u~lucuuc^gd ^gd ^gd ^gd wkd F$$If\Pg 8T@ 44 ayt( 045XYZ^%&'+6248Qg ҞҞҞvljh+=0JUhbhF0Jh+=jh+=UhFh"hth/;B*ph hth/;h/;mH nH uhth/;mH nH u h aJ hCh/; hh/;h Th hi75h/;CJaJhDh/;CJaJh/;CJaJh/;hsh(]*/YZ&'634Q '6;M,1OP & Fgd^gd"8^8gd^gd^gd^gd^gd 56;M+,1OPQvTU !$%'(efgkmٰٰwh/;mH nH uhth/;mH nH u h aJ hCh/;h ThDh/;CJaJh/;CJaJhshh/;\ h/;\hh/;5\ h/;5\ h >9h/; hh/; h/;hhth/;hh" hth/;h/;h -Pvwd[R $Ifgd( $Ifgd(wkd~F$$If\Pg 8T@ 44 ayt( $Ifgd( 8^8`gd 8^8`gd U !<fgulcllcZc^gd^gd^gdwkdG$$If\Pg 8T@ 44 ayt( $Ifgd( $Ifgd( g.* & Fgd ^gd"8^8gd ^gd ^gd ^gd ^gd ^gd^gd.D*9:;`"#Ż񠧙zh/;CJaJhh/;\ h/;\hh/;5\ h/;5\ h >9h/; hh/; h/;hhth/;hjh+=0JUhbhF0Jh+=jh+=UhFh"h hth/;B*phh/; hth/;hw.9:`alrz $Ifgd( 8^8`gd 8^8`gd ^gd 8^8gd  & F gd #~u~u $Ifgd( $Ifgd(wkdvG$$If\Pg 8T@ 44 ayt("#@[~u~lucuuc^gd ^gd ^gd ^gd wkdG$$If\Pg 8T@ 44 ayt( !"#'()\_`a{|}ABCGIRTVZs)üöҔÉҔÔ֔yuylhbhF0Jh+=jh+=UhFh.hth/;B*ph hth/;h/;mH nH uhth/;mH nH u h aJ hwaJ hCh/;h/; hh/;h Thwh hi75h/;CJaJhDh/;CJaJh/;CJaJhxCJaJ([|}BCRUVs,-IX]o &+IJ & Fgd@W^gd.8^8gd@W^gd@W^gd@W^gd@W^gd@W)*+-13WX]o %&+IJKpdgk~%()ʼ❒|vp h aJ hE aJ hCh/;h Thi75h/;CJaJhDh/;CJaJh/;CJaJhh/;\ h/;\hh/;5\ h/;5\ h >9h/; hh/; h/;hhth/;hh.h/;h hth/;hFjh+=0JU*Jpq|d[R $Ifgd( $Ifgd(wkdnH$$If\Pg 8T@ 44 ayt( $Ifgd( 8^8`gd@W 8^8`gd@W efg~ulclZcQ^gd@W^gd@W^gd@W^gd@WwkdH$$If\Pg 8T@ 44 ayt( $Ifgd( $Ifgd( $PQv HIf <Kr. & Fgd@W & F gd(8^8gd@W^gd@W^gd@W^gd@W^gd@W^gd@W)*OPQUv 4GIMf| $&Jr- '()Nnrs=ۡێ}xphh/;\ h/;\hh/;5\ h/;5\ h >9h/; hh/; h/;hhth/;hjh+=0JUhbhF0Jh+=jh+=UhFhihth/;B*phh/;h hth/;h/;mH nH uhth/;mH nH u,. '(NOZ`hm $Ifgd( 8^8`gd@W 8^8`gd@W^gd@W8^8gd@W & F gd( mns>~u~u $Ifgd( $Ifgd(wkdfI$$If\Pg 8T@ 44 ayt(=>:;<@Btuxyzghimx_ae~ 4򾸲疇{w{nhbhF0Jh+=jh+=UhFhBhth/;B*ph hth/;h/;mH nH uhth/;mH nH u h aJ hE aJh@9h@9CJaJ hCh/;h ThDh/;CJaJh/;CJaJh hh/;h/;hh/;5\);<Ytu~u~~uluulc^gd(^gd@W^gd@W^gd@WwkdI$$If\Pg 8T@ 44 ayt( uhix`a~78Tchz#?Dbc^gd\pk & Fgd(^gdB8^8gd(^gd(^gd(^gd(^gd(4568<>bchz#>?Dbcdgh PQRVXƸ♎}w h aJ h8aJ hCh/;h ThDh/;CJaJh/;CJaJhh/;\ h/;\hh/;5\ h/;5\ h >9h/; hh/;h\pk h/;hhth/;hhBh/;h hth/;hFjh+=0JU*cd[R $Ifgd( $Ifgd(wkd^J$$If\Pg 8T@ 44 ayt( $Ifgd( 8^8`gd( 8^8`gd( h (QRulcllcZc^gd(^gd(^gd(wkdJ$$If\Pg 8T@ 44 ayt( $Ifgd( $Ifgd( RojkAB^mr & FgdU*^gdB8^8gdU*^gdU*^gdU*^gdU*^gdU*^gd(^gd(iko>?@BFHlmr7UVW|XYۡێ}xp}hh/;\ h/;\hh/;5\ h/;5\ h >9h/; hh/; h/;hhth/;hjh+=0JUhbhF0Jh+=jh+=UhFhBhth/;B*phh/;h hth/;h/;mH nH uhth/;mH nH u,B7UV|} $Ifgd 6H 8^8`gdU* 8^8`gdU*^gdU* & Fgd:8^8gdU* & Fgd: Y~u~u $Ifgd 6H $Ifgd 6HwkdVK$$If\Pg 8T@ 44 ayt 6HY MNOSU_`aep;<f¶񝊆~z~qhbhF0Jh+=jh+=UhFhBhth/;B*phh'H1 hth/;hST,mH nH uh'H1mH nH uhth/;mH nH u h aJ hCh/;h Thi75h/;CJaJhDh/;CJaJh/;CJaJh hh/;h/;( %NOl~u~lucuuZ^gda_^gdU*^gdU*^gdU*^gdU*wkdK$$If\Pg 8T@ 44 ayt 6H `apij"ZVr & Fgd:8^8gd: & F gd58^8gd5^gd:^gd:^gd:^gd:fghjnpVqrw(=>?CEFʼ▋|u|qmh zhe hCh/;h Thi75h/;CJaJhDh/;CJaJh/;CJaJ h/;5\hh/;\ hST,\hh/;5\ hST,5\ h >9h/; hh/;hB h/;hhth/;hh/;h hth/;hFjh+=0JU)rw $Ifgd 6H 8^8`gd: 8^8`gd:^gd:8^8gdB^gdB ~u~u $Ifgd 6H $Ifgd 6HwkdNL$$If\ g 8\ c44 ayt5(>?Z~u~lucuuZ^gd T^gd:^gd:^gd:^gd:wkdL$$If\ g 8\ c44 ayt5 EFbdei & Fgd z 8^8`gd z8^8gd z^gd z^gd z^gd z  & F^gd zgd z ^`gd zDFIbx|67abceh,&3\   ɼ h zhhth zh h]h z hjh z hwh zjh+=0JUhbhF0Jh+=jh+=UhF h+h z huh z hth z h dh zh zh^Wh@9CJ aJ 7$1Zo3  w  3          ^`gd zgd z & Fgd z8^8gd z & Fgd z & Fgd z       y            456R\^cdfgjkmnuvwxнxpннннннЬi huh zhuh z\huh zB*KHphhuh zB*KH^Jphh zB*KH^Jphhuh z5\aJ huh z5B*KHaJph$huh z5B*KH^JaJphh z5B*KH^JaJph hh z h >9h z hth zh z hdh z)        6xqh_h_ $Ifgd)XJ $Ifgd)XJwkdFM$$If\8W~u#_ '=44 aUyt)XJ $Ifgd)XJ 8^8`gd z !L~u~u $Ifgd)XJ $Ifgd)XJwkdM$$If\8W~u#_ '=44 aUyt)XJ   !",<JKLMPQRScyng hh zhuh znHtHh$uh zB*KH^Jphh z5B*KH^JaJphhuh z\nHtHhuh zB*KHphhuh zB*KH^Jphh zB*KH^Jphhuh z5\aJnHtH huh z5B*KHaJph$huh z5B*KH^JaJph(LMS~u~u $Ifgd)XJ $Ifgd)XJwkd>N$$If\8W~u#_ '=44 aUyt)XJ&'(18:<MVX]^`adeghopq㿯пuhuh zB*KHph hh zhuh znHtHhuh zB*KH^Jphh zB*KH^Jphhuh z5\aJnHtH huh z5B*KHaJph$huh z5B*KH^JaJphh z5B*KH^JaJphhuh z\nHtH.(r~u~u $Ifgd)XJ $Ifgd)XJwkdN$$If\8W~u#_ '=44 aUyt)XJqrs}2389pqrs{|չ{qg]TKTh#haJh#haJh#h5aJh D0h/;5CJh D0he5CJhu:R"hdhj5CJaJmH nH u hjh zh T h+h zh z hh zhuh znHtHhuh zB*KHphh$uh zB*KH^Jphhuh zB*KH^Jphh zB*KH^Jphhuh z5\aJnHtH23Oq~ul~ul~c^gd z^gd z^gd z^gd zwkd(O$$If\8W~u#_ '=44 aUyt)XJ qs|:;Jgdu ^`gduh^hgdu ^`gd3,l ^`gddgdD dgd# ^`gdu:R;JPLPMPNPPPPPPPQQQQQQ Q QQIQOQȾȾȾȵqj hy1 ho^h21ho^5B*\phjh+=0JUh)ho^0Jh+=jh+=U hho^Uho^jho^0J2UhhQFaJh#hu5aJh#huaJh#h3,l5aJh#h3,laJh#hdaJh#hd5aJh#hQFaJ(PPPQQQQQQ Q Q QQdQeQfQgQ$a$gdl4O $a$gdGY0^gd:CIS Consensus Security Metrics developed by the Security Benchmarks Division  HYPERLINK "http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.metrics.110" http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.metrics.110     TL 9000 Security Measurements Guidance Document Release 1.0 Page  PAGE 2 July 2012 OQPQVQWQXQYQZQdQfQgQhhQFaJh+= hy1 ho^jh!$UmHnHu*h21mHnHu*ho^jh!$U 21h:pZJ/ =!"#$% $$If!vh#v #v#v#v #v#vD:V l4 t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#vD:V l t0d&,5 555 55DytG6w$$If!vh#v #v#v#v #v#v:V l4 t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$If!vh#v #v#v#v #v#v:V l t0 &6,5 555 55yt}T$$IfU!vh#v#v_ #v'#v:V =55_ 5'5/ 4 aUytos$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUyto$$IfU!vh#v#v_ #v'#v:V =55_ 5'5/ 4 aUytx s$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUytx $$IfU!vh#v#v_ #v'#v:V =55_ 5'5/ 4 aUytx s$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUytx $$IfU!vh#v #v #v#v :V !5 5 55 / 4 aUyt s$$IfU!vh#v #v #v#v :V !5 5 55 4 aUyt $$IfU!vh#v#v_ #v'#v:V =55_ 5'5/ 4 aUyts$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUyt$$IfU!vh#v#v_ #v'#v:V =55_ 5'5/ 4 aUyts$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUyt$$IfU!vh#v#v_ #v'#v:V =55_ 5'5/ 4 aUyts$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUyt$$IfU!vh#v#v_ #v'#v:V =55_ 5'5/ 4 aUyts$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUyt$$IfU!vh#v#v_ #v'#v:V =55_ 5'5/ 4 aUyts$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUyt$$IfU!vh#v#v_ #v'#v:V =55_ 5'5/ 4 aUyts$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUyt$$IfU!vh#v#v_ #v'#v:V =55_ 5'5/ 4 aUyts$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUyt$$IfU!vh#v#v_ #v'#v:V =55_ 5'5/ 4 aUyt\s$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUyt\$$IfU!vh#v#v_ #v'#v:V =55_ 5'5/ 4 aUyt\s$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUyt\}$$IfU!vh#v#v#v#v:V 5555/ 4 aUytpEo$$IfU!vh#v#v#v#v:V 55554 aUytpE}$$IfU!vh#v#v|#v#v:V 55|55/ 4 aUytpEo$$IfU!vh#v#v|#v#v:V 55|554 aUytpE}$$IfU!vh#v#v#v#v:V 5555/ 4 aUytpEo$$IfU!vh#v#v#v5 #v:V 5555 54 aUytpE}$$IfU!vh#v#v|#v#v:V 55|55/ 4 aUytpEo$$IfU!vh#v#v|#v#v:V 55|554 aUytpE}$$IfU!vh#v#v|#v#v:V 55|55/ 4 aUytpEo$$IfU!vh#v#v|#v#v:V 55|554 aUytpE$$If!vh#v8#vT#v@ #v:V 585T5@ 5/ 4 ayt"ls$$If!vh#v8#vT#v@ #v:V 585T5@ 54 ayt"l}$$IfU!vh#v#v|#v#v:V 55|55/ 4 aUytpEo$$IfU!vh#v#v|#v#v:V 55|554 aUytpE$$If!vh#v8#vT#v@ #v:V 585T5@ 5/ 4 ayt(s$$If!vh#v8#vT#v@ #v:V 585T5@ 54 ayt($$If!vh#v8#vT#v@ #v:V 585T5@ 5/ 4 ayt(s$$If!vh#v8#vT#v@ #v:V 585T5@ 54 ayt($$If!vh#v8#vT#v@ #v:V 585T5@ 5/ 4 ayt(s$$If!vh#v8#vT#v@ #v:V 585T5@ 54 ayt($$If!vh#v8#vT#v@ #v:V 585T5@ 5/ 4 ayt(s$$If!vh#v8#vT#v@ #v:V 585T5@ 54 ayt($$If!vh#v8#vT#v@ #v:V 585T5@ 5/ 4 ayt(s$$If!vh#v8#vT#v@ #v:V 585T5@ 54 ayt($$If!vh#v8#vT#v@ #v:V 585T5@ 5/ 4 ayt(s$$If!vh#v8#vT#v@ #v:V 585T5@ 54 ayt($$If!vh#v8#vT#v@ #v:V 585T5@ 5/ 4 ayt(s$$If!vh#v8#vT#v@ #v:V 585T5@ 54 ayt($$If!vh#v8#vT#v@ #v:V 585T5@ 5/ 4 ayt(s$$If!vh#v8#vT#v@ #v:V 585T5@ 54 ayt($$If!vh#v8#vT#v@ #v:V 585T5@ 5/ 4 ayt 6Hs$$If!vh#v8#vT#v@ #v:V 585T5@ 54 ayt 6H$$If!vh#v8#v#v\ #vc:V 5855\ 5c/ 4 ayt5s$$If!vh#v8#v#v\ #vc:V 5855\ 5c4 ayt5$$IfU!vh#v#v_ #v'#v:V =55_ 5'5/ 4 aUyt)XJs$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUyt)XJs$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUyt)XJs$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUyt)XJs$$IfU!vh#v#v_ #v'#v:V =55_ 5'54 aUyt)XJ3 999666666666666666666666666666666666666666666 6666666666 666666666666 6666666666666666666666666666666666666666666666666666666666666666666666666662 0@P`p2( 0@P`p 0@P`p 0@P`p 0@P`p 0@P`p 0@P`p8XV~ OJPJQJ_HmH nH sH tH H`H 95eNormal OJPJQJ_HaJmH sH tH b@b95e0 Heading 2$$h@ @&^@ `05CJaJmHnHuR@R 95e0 Heading 3$ & Fd@&^p 5CJaJX@X 95e0 Heading 4$x:@&^x``5CJKHaJDA D Default Paragraph FontRi@R 0 Table Normal4 l4a (k ( 0No List VoV95e0Heading 2 Char"5CJOJQJ^JaJmHnHuNoN 95e0Heading 3 Char5CJOJQJ^JaJhPoP 95e0Heading 4 Char5CJKHOJQJ^JaJ4O"4 95e0BodyText <^p6O26 95e0 ParSpacer^pCJ4OB4 95e0NormBold5KHDO!RD 95e0 BodyTextTab0 ^ `:Oqb: 95e0 TableTextBold5BOrB 95e0 TableTexthaJHH 95e0 BodyTextTab2< ^ `HOH 95e0 BodyTextTab1<@ ^@ `:U`: N0 Hyperlink>*B*^Jph@@  ue0List Paragraph ^m$L@L }{0Header9r G$Pa$CJaJFoF ;9:0 Header CharCJOJPJQJaJtH > @> }{0Footer9r G$CJaJFoF ;9:0 Footer CharCJOJPJQJaJtH >O> yR>0Title1 7$8$H$ CJPJ^J>O> yR>0Title2 !7$8$H$ CJPJ^Jj #j  Table Grid7:V"0"H@2H $VR80 Balloon Text#CJOJQJ^JaJRoAR #VR80Balloon Text CharCJOJPJQJ^JaJL`RLVR80Revision% OJPJQJ_HaJmH sH tH PZ@bP 'zw0 Plain Text& CJOJPJQJ^JaJnHtHVoqV &zw0Plain Text Char CJOJPJQJ^JaJnHtHB'`B >0Comment ReferenceCJaJ8@8 *>0 Comment Text)aJFoF )>0Comment Text Char OJPJQJ@j@@ ,>0Comment Subject+5\RoR +>0Comment Subject Char5OJPJQJ\2B2 . z0 Body Text-xDoD - z0Body Text CharOJPJQJaJFV`F 0FollowedHyperlink >*B*ph:@: 10 Footnote Text0aJHoH 00Footnote Text Char OJPJQJ@&`!@ 0Footnote ReferenceH*PK!pO[Content_Types].xmlj0Eжr(΢]yl#!MB;.n̨̽\A1&ҫ QWKvUbOX#&1`RT9<l#$>r `С-;c=1g$ !)O^rC$y@/yH*񄴽)޵߻UDb`}"qۋJחX^)I`nEp)liV[]1M<OP6r=zgbIguSebORD۫qu gZo~ٺlAplxpT0+[}`jzAV2Fi@qv֬5\|ʜ̭NleXdsjcs7f W+Ն7`g ȘJj|h(KD- dXiJ؇(x$( :;˹! I_TS 1?E??ZBΪmU/?~xY'y5g&΋/ɋ>GMGeD3Vq%'#q$8K)fw9:ĵ x}rxwr:\TZaG*y8IjbRc|XŻǿI u3KGnD1NIBs RuK>V.EL+M2#'fi ~V vl{u8zH *:(W☕ ~JTe\O*tHGHY}KNP*ݾ˦TѼ9/#A7qZ$*c?qUnwN%Oi4 =3ڗP 1Pm \\9Mؓ2aD];Yt\[x]}Wr|]g- eW )6-rCSj id DЇAΜIqbJ#x꺃 6k#ASh&ʌt(Q%p%m&]caSl=X\P1Mh9MVdDAaVB[݈fJíP|8 քAV^f Hn- "d>znNJ ة>b&2vKyϼD:,AGm\nziÙ.uχYC6OMf3or$5NHT[XF64T,ќM0E)`#5XY`פ;%1U٥m;R>QD DcpU'&LE/pm%]8firS4d 7y\`JnίI R3U~7+׸#m qBiDi*L69mY&iHE=(K&N!V.KeLDĕ{D vEꦚdeNƟe(MN9ߜR6&3(a/DUz<{ˊYȳV)9Z[4^n5!J?Q3eBoCM m<.vpIYfZY_p[=al-Y}Nc͙ŋ4vfavl'SA8|*u{-ߟ0%M07%<ҍPK! ѐ'theme/theme/_rels/themeManager.xml.relsM 0wooӺ&݈Э5 6?$Q ,.aic21h:qm@RN;d`o7gK(M&$R(.1r'JЊT8V"AȻHu}|$b{P8g/]QAsم(#L[PK-!pO[Content_Types].xmlPK-!֧6 -_rels/.relsPK-!kytheme/theme/themeManager.xmlPK-!Ptheme/theme/theme1.xmlPK-! ѐ' theme/theme/_rels/themeManager.xml.relsPK] T ??fffi <iJR!%L*/38R=1BFK-OUW[^`-chjnp?suWx)z} ׅ |g(;w~йT ))=4Yf qOQgQ  #%(+.1479<?BEGKNQTWZ]`cfjlptvz~ 1J!^8o%>lc 5M{b% 1 Y !C!R!z!!!!="L""""#A#P#|### $6$E$m$$$$%)%]%%%% &&?&N&w&&&&-'<'u''''+(S(D//&0W2 6c78;1A&BBDLqMN-OUwW XYe^Y``a'hh@ACDFHIJLMOPRSUVXY[\^_abdeghikmnoqrsuwxy{|}6P[$$$,T,,555AABLLLwLTTT]:]e]9drddhhimmnr!sLsx@xkx~BӃ 7$O&Qʘ.@y4m1\9d KEV3lxkXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXPWYi!OX@ @H 0(  0(  8 B S  ? OLE_LINK1 OLE_LINK2 _Toc246469818 OLE_LINK3 OLE_LINK4 OLE_LINK5 OLE_LINK6 OLE_LINK7 OLE_LINK8- - - \*\*EERR[*[***OORR''''//////999+9kDDDD^NpNsNNNN/WBWPWdW______j%j(j7jAjRj9o`omo~ott uu&{L{ۀ'.# $**3+:+++I2R2&5V54AdAKK*TZT\\ccNh~hllFmvm}rrwws~~hxorų|&=01H;Rczu@VN \k(. w^N^(_8_B<p&tm:f\u "IZ0F5z>1/G>2229`|%>ABL<kOL T+Q B S9kVpYXTBGv_s?cո#@p|L1qB S.Zz@VGx>1.kOJdyG>2291q9%N9Bk9/~9?:u:p^;Ie;u<+=s.=3(>yR>K?X?Qk?o\@f@o@ A]AyA CSCC=C5zC0DDDZDEEN1E|UEcElEpEQF5RFcFV"H 6HYHpHI Ie7IYVI)XJ K L9jM/!N_NOO/Ol4OnO}QlgQ Ru:RxSgS T+UV8V=V&VVFW^WHiWX &X9X`XYuY!YL-Z\(];]W]w]O^^oo`>x`ebc d d8Idt0e95e"=e ue~eKgftfGMg'`g.*h< Ga21iI(iv.w. u}{w#%90@UJ}AR(+L J+o/s@(I' Mr>#CbgGo^ti}&3x&9,N8C :OTTbuvzB@9_Kd\!E] dt$-EZJs xpMBUV j[qA8\9m~`$48:hx?cGjtM5j fn,w9/;PK$dpookv=|i2@WOye.FO:Z u]j{} ."K<GY|W!$Y@-jdu?>w )&$JM?&D:"H;L1k]zkAJ\idl#oS:Rw-$u,BPP='Dhda_sw$Df/Gdx&bi //y#HBn'-eo}# S)=@#4/0@8t@@Unknown G*Ax Times New Roman5Symbol3 *Cx ArialM  Arial-BoldMTArial7@ Calibri3Nj-3 fg5*[`)Tahoma9  @ Consolas;Wingdings? *Cx Courier NewA$BCambria Math qh ' 'a(.+a(.+!0B#HP $P'95e2! xx 1 Beth FordRichard Morrow|                        Oh+'0@x    (08'1 Beth Ford Normal.dotmRichard Morrow2Microsoft Macintosh Word@F#@ @ +a(. ՜.+,D՜.+,0 hp  'AT&T 1 Title@ea] _PID_HLINKS_ms_pID_725343_ms_pID_7253431_ms_pID_7253432sflag'Ah<`+http://tl9000.org/resources/resources.htmlh<]+http://tl9000.org/resources/resources.htmlh<Z+http://tl9000.org/resources/resources.htmlh<W+http://tl9000.org/resources/resources.htmlh<T+http://tl9000.org/resources/resources.htmlh<Q+http://tl9000.org/resources/resources.htmlh<N+http://tl9000.org/resources/resources.htmlh<K+http://tl9000.org/resources/resources.htmlh<H+http://tl9000.org/resources/resources.htmlh<E+http://tl9000.org/resources/resources.htmlh<B+http://tl9000.org/resources/resources.htmlh<?+http://tl9000.org/resources/resources.htmlh<<+http://tl9000.org/resources/resources.htmlh<9+http://tl9000.org/resources/resources.htmlh<6+http://tl9000.org/resources/resources.htmlh<3+http://tl9000.org/resources/resources.htmlh<0+http://tl9000.org/resources/resources.htmlh<-+http://tl9000.org/resources/resources.htmlh<*+http://tl9000.org/resources/resources.htmlh<'+http://tl9000.org/resources/resources.htmlh<$+http://tl9000.org/resources/resources.htmlh<!+http://tl9000.org/resources/resources.htmlh<+http://tl9000.org/resources/resources.htmlh<+http://tl9000.org/resources/resources.htmlh<+http://tl9000.org/resources/resources.htmlh<+http://tl9000.org/resources/resources.htmlh<+http://tl9000.org/resources/resources.htmlh<+http://tl9000.org/resources/resources.htmlh< +http://tl9000.org/resources/resources.htmlh< +http://tl9000.org/resources/resources.htmlh<+http://tl9000.org/resources/resources.html,ehttp://www.nist.gov/index.html1http://www.cisecurity.org'Phttp://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.metrics.110(3)HKoNdtJ9wUpVBJcInaAQOP5Bt/JJmQTZbuWO0t2P7UiZSdOirnbBzynEeZ3PXCRZC6zMZNc/ liiFmxm/fj5WRwROtCTSiqCnit+jSwmn3kAN0gnmv5d9h4ZTwktFU7VRgzQiuusUgsBSdz+f 0YNO0oGj0C/knX3hZ8Oug7zb9YIgxPiSd8bgttUIWYCHP0XmmRj4jk6eHFDqrP2kfVydgOQE 6pE/88MpGtFF0nFGHOJRI8XOBjImc5qTAGswHMB6C2sQYiS/bQr3pyKxQhcJBSv+0QKQDfYD sKsAfIGk1QjG+81G5dbq9lAaBVhxOJ2mX2a8u6cdbVl7Rdxb9ug+0GeALHfuV9TRDSvsm7AQ V1UpvyEp+YNYzqx+4CqDvs9IbrDun9Rea4XHwu5C7+bXiI7ly3IF2it0efaDTMZGRup8aobB C8VgAexpIZiBQIBiDA4+fWKOG9qtAQfYImlkHNiNLxTGU0tkqnvRJWGpzU3v9quhdfcLJimSK E4oMN796PuZ6bOBqEad9cKppd+iTad2fNNXhAbYO/yCd+i9V3hU= 1322498715  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~      !"#$%&'()014Root Entry F 3Data O1Table}WordDocument 4TSummaryInformation(DocumentSummaryInformation8MsoDataStore T LIQNR4KKR4==2 6 Item  PropertiesUCompObj `  F Microsoft Word 97-2004 DocumentNB6WWord.Document.8