Security Assessment Report Template
Keith Watson
{CLIENT ORGANIZATION}
Security Assessment Report
April 20, 2016

Report Prepared by:
{YOUR NAME}, {YOUR CREDENTIALS}
{YOUR EMAIL ADDRESS}
{YOUR PHONE NUMBER}
{YOUR ORGANIZATION}
{YOUR MAILING ADDRESS}

Executive Summary
  Top-Ten List
    1. Information Security Policy
    2. {Security Issue #2}
    3. {Security Issue #3}
    4. {Security Issue #4}
    5. {Security Issue #5}
    6. {Security Issue #6}
    7. {Security Issue #7}
    8. {Security Issue #8}
    9. {Security Issue #9}
    10. {Security Issue #10}
Introduction
  Scope
    Project Scope
    In Scope
    Out of Scope
  Site Activities Schedule
    First Day
    Second Day
    Third Day
Background Information
  {CLIENT ORGANIZATION}
Asset Identification
  Assets of the {CLIENT ORGANIZATION}
Threat Assessment
  Threats to the {CLIENT ORGANIZATION}
Laws, Regulations and Policy
  Federal Law and Regulation
  {CLIENT ORGANIZATION} Policy
  Vulnerabilities
    The {CLIENT ORGANIZATION} has no information security policy
    {State the Vulnerability}
Personnel
  Management
  Operations
  Development
  Vulnerabilities
    There is no information security officer
    {State the Vulnerability}
Network Security
  Vulnerabilities
    The {CLIENT ORGANIZATION} systems are not protected by a network firewall
    {State the Vulnerability}
System Security
  Vulnerabilities
    Users can install unsafe software
    {State the Vulnerability}
Application Security
  Vulnerabilities
    Sensitive information within the database is not encrypted
    {State the Vulnerability}
Operational Security
  Vulnerabilities
    There is no standard for security management
    {State the Vulnerability}
Physical Security
  Vulnerabilities
    Building Vulnerabilities
      Several key doors within the building are unlocked or can be forced open
      {State the Vulnerability}
    Security Perimeter Vulnerabilities
      There is no entryway access control system
      {State the Vulnerability}
    Server Area Vulnerabilities
      The backup media are not protected from fire, theft, or damage
      {State the Vulnerability}
Summary
Action Plan
References

Executive Summary

Briefly describe the activities of the assessment. Talk about the importance of information security at the client organization. Discuss security efforts that the organization has undertaken. Highlight three major security issues discovered that could significantly impact the operations of the organization.

Top-Ten List

A top-ten list is used to highlight the ten most urgent issues discovered during an assessment. Clients unfamiliar with security may be overwhelmed by a long list of problems. Putting the major issues together may allow the client to easily focus efforts on these problems first.

The list below contains the top ten findings, weaknesses, or vulnerabilities discovered during the site security assessment. Some of the issues listed here are coalesced from more than one section of the assessment report findings. Additional information about each is provided elsewhere in the report.
It is recommended that these be evaluated and addressed as soon as possible. These should be considered significant and may impact the operations of the {CLIENT ORGANIZATION}.

1. Information Security Policy

An information security policy is the primary guide for the implementation of all security measures. There is no formal policy specific to the {CLIENT ORGANIZATION}.

Recommendation: Develop an information security policy that specifically addresses the needs of the {CLIENT ORGANIZATION} and its mission. Use that policy as a basis for an effective security program.

2. {Security Issue #2}

{Brief description of Security Issue #2}

Recommendation: {Brief list of recommendations for Security Issue #2}

3. {Security Issue #3}

{Brief description of Security Issue #3}

Recommendation: {Brief list of recommendations for Security Issue #3}

4. {Security Issue #4}

{Brief description of Security Issue #4}

Recommendation: {Brief list of recommendations for Security Issue #4}

5. {Security Issue #5}

{Brief description of Security Issue #5}

Recommendation: {Brief list of recommendations for Security Issue #5}

6. {Security Issue #6}

{Brief description of Security Issue #6}

Recommendation: {Brief list of recommendations for Security Issue #6}

7. {Security Issue #7}

{Brief description of Security Issue #7}

Recommendation: {Brief list of recommendations for Security Issue #7}

8. {Security Issue #8}

{Brief description of Security Issue #8}

Recommendation: {Brief list of recommendations for Security Issue #8}

9. {Security Issue #9}

{Brief description of Security Issue #9}

Recommendation: {Brief list of recommendations for Security Issue #9}

10. {Security Issue #10}

{Brief description of Security Issue #10}

Recommendation: {Brief list of recommendations for Security Issue #10}

Introduction

Provide an overview of the report.

Scope

The scope is the boundaries of the project.
It is used to describe the on-site activities.

Project Scope

In Scope

The following activities are within the scope of this project:

- Interviews with key staff members in charge of policy, administration, day-to-day operations, system administration, network management, and facilities management.
- A Visual Walk Through of the facilities with administrative and facilities personnel to assess physical security.
- A series of Network Scans to enumerate addressable devices and to assess each system's available network services. (These Scans will be conducted from within each center's network and from the outside.)
- A configuration and security assessment of at most ten key systems at each center.

Out of Scope

The following activities are NOT part of this security assessment:

- Penetration Testing of systems, networks, buildings, laboratories or facilities.
- Social Engineering to acquire sensitive information from staff members.
- Testing Disaster Recovery Plans, Business Continuity Plans, or Emergency Response Plans.

Site Activities Schedule

List the site activities.

First Day

Second Day

Third Day

Background Information

Use this section to talk about any relevant background information.

{CLIENT ORGANIZATION}

Describe the client organization.

Asset Identification

Describe the process of asset identification.

Assets of the {CLIENT ORGANIZATION}

The following lists document some of the {CLIENT ORGANIZATION} tangible and intangible assets. It should not be considered a complete and detailed list but should be used as a basis for further thought and discussion to identify assets.

Tangible Assets

{List tangible assets.}

Intangible Assets

{List intangible assets.}

Each item on these lists also has value associated with it. Each item's relative value changes over time. In order to determine the current value, it is often best to think in terms of recovery costs. What would it cost to restore or replace this asset in terms of time, effort, and money?

Threat Assessment

Describe the process of threat assessment.

Threats to the {CLIENT ORGANIZATION}

The following lists document some of the known threats to the {CLIENT ORGANIZATION}. It should not be considered a complete and detailed list but should be used as a basis for further thought and discussion to identify threats.

Natural Threats

{List Natural Threats.}

Intentional Threats

{List Intentional Threats.}

Unintentional Threats

{List Unintentional Threats.}

Laws, Regulations and Policy

Talk about the role of laws, regulation, and policy on the client organization.

Federal Law and Regulation

Outline federal laws and regulation that impact the client organization.

{CLIENT ORGANIZATION} Policy

Talk about the current policy at the client organization. Describe what policy they currently have.

Vulnerabilities

Listed below are the vulnerabilities discovered during the assessment relating to law, regulation, and policy. These are considered significant and steps should be taken to address them.

The {CLIENT ORGANIZATION} has no information security policy

Explanation

The {CLIENT ORGANIZATION} has no information security policy that is specific to its needs and goals.

Risk

There are several risks in not having an information security policy.

- Mistakes can be made in strategic planning without a guideline for security.
- Resources may be wasted in protecting low value assets, while high value assets go unprotected.
- Without a policy, all security measures are merely ad hoc in nature and may be misguided.

Recommendations

- Create a policy that is in compliance with {CLIENT ORGANIZATION} security goals.
- Periodically review and update the policy.

{State the Vulnerability}

Explanation

{Explain the vulnerability.}

Risk

There are several risks in not having {this vulnerability}.

{Provide a list of risks.}

Recommendations

{Provide a list of recommendations}.

Personnel

Describe the personnel at the client organization. Organize them into related groups.
In this example, we have Management, Operations, and Development.

Management

Describe the management group.

Operations

Describe the operations team.

Development

Describe the development team.

Vulnerabilities

Listed below are the staff vulnerabilities discovered during the interviews with the {CLIENT ORGANIZATION} staff. These are considered significant and steps should be taken to address them.

There is no information security officer

Explanation

An information security officer is responsible for the overall security for an organization. He or she must help create security policy, enforce it, and act as the primary security contact.

Risk

Without an information security officer, important security issues may not receive the proper attention. The overall security of the {CLIENT ORGANIZATION} may suffer.

Recommendations

- Designate an existing employee to fill the role of information security officer, or hire a qualified candidate for the position.
- Provide training opportunities to the information security officer.
- Encourage and support the acquisition of security certification(s).

{State the Vulnerability}

Explanation

{Explain the vulnerability.}

Risk

There are several risks in not having {this vulnerability}.

{Provide a list of risks.}

Recommendations

{Provide a list of recommendations}.

Network Security

Describe the state of network security at the client organization. List public network resources and sites. List partner connections and extranets.

Vulnerabilities

Listed below are the network security vulnerabilities discovered during the assessment. These are considered significant and steps should be taken to address them.

The {CLIENT ORGANIZATION} systems are not protected by a network firewall

Explanation

A firewall is a network gatekeeper. Based on a configurable set of rules, the firewall determines which network connections to allow or deny.
There are generally three types of attacks that can be prevented (or at least slowed) using properly configured firewalls: intrusion, denial-of-service, and information theft.

There are two types of firewalls. One type is incorporated into operating systems (software-based). The other type consists of a networking hardware platform that protects a group of networked systems (hardware-based).

The {CLIENT ORGANIZATION} systems are inconsistently protected by software-based firewalls. Most of the workstations have firewall software installed and configured. Some do not.

Risk

There are several risks in running network services without a firewall.

- Incoming network-based scans and attacks are not easily detected or prevented.
- Attackers target vulnerable network services.
- Attacks are not isolated and damage cannot be contained.
- Network probing for vulnerabilities slows system and network performance.

Recommendations

- Enable operating system firewalls where available.
- Install a hardware-based firewall.
- Configure firewall rule sets to be very restrictive.

{State the Vulnerability}

Explanation

{Explain the vulnerability.}

Risk

There are several risks in not having {this vulnerability}.

{Provide a list of risks.}

Recommendations

{Provide a list of recommendations}.

System Security

Describe the state of system security at the client organization.

Vulnerabilities

Listed below are the system security vulnerabilities discovered during the assessment. These are considered significant and steps should be taken to address them.

Users can install unsafe software

Explanation

Since users have privileged access to their workstations, they are free to install software that can impact the operations at the {CLIENT ORGANIZATION}. Most of this software is freely available from the Internet. Unsafe software is any software that impedes the productivity of the staff, collects information on the user or the {CLIENT ORGANIZATION} network environment, launches attacks or probes internal systems.

Risk

There are several risks in allowing users to install unsafe software.

- The software may contain a virus, worm, or some other dangerous electronic threat.
- The software may be a "Trojan Horse" to fool users.
- The software may capture, disclose, delete, or modify sensitive data.
- The software may impact system performance and user productivity.
- Significant time may be wasted attempting to remove software.

Recommendations

The operations team should:

- Remove user privileges to install software.
- Remove unsafe software from workstations. Reinstall systems as needed.
- Establish a process for the evaluation and installation of new software.

{State the Vulnerability}

Explanation

{Explain the vulnerability.}

Risk

There are several risks in not having {this vulnerability}.

{Provide a list of risks.}

Recommendations

{Provide a list of recommendations}.

Application Security

Describe the state of application security at the client organization.

Vulnerabilities

Listed below are the application security vulnerabilities discovered during the assessment. These are considered significant and steps should be taken to address them.

Sensitive information within the database is not encrypted

Explanation

Sensitive information in databases can be encrypted to protect confidentiality. If an attacker gets unauthorized access to the database, sensitive information still cannot be read.

Risk

If an attacker gains access to the database, sensitive information stored in the database can be viewed and modified.

Recommendations

- Examine changes required to support encrypted database tables.
- Modify web and database software to work with encrypted data.
- Safely store and protect the encryption keys.

{State the Vulnerability}

Explanation

{Explain the vulnerability.}

Risk

There are several risks in not having {this vulnerability}.

{Provide a list of risks.}

Recommendations

{Provide a list of recommendations}.

Operational Security

Describe the state of operational security at the client organization.

Vulnerabilities

Listed below are the operational security vulnerabilities discovered during the assessment. These are considered significant and steps should be taken to address them.

There is no standard for security management

Explanation

A security standard is a document that defines and describes the process of security management for an organization.

Risk

Without a guideline for security practices, those responsible for security may not apply adequate controls consistently throughout the {CLIENT ORGANIZATION}.

Recommendations

- Evaluate existing security standards such as ISO 17799.
- Modify an existing standard for use within the {CLIENT ORGANIZATION}.
- Inform and train personnel on use of the standard.
- Audit information systems and procedures to ensure compliance.

{State the Vulnerability}

Explanation

{Explain the vulnerability.}

Risk

There are several risks in not having {this vulnerability}.

{Provide a list of risks.}

Recommendations

{Provide a list of recommendations}.

Physical Security

Describe the state of physical security at the client organization. Specifically, list the building, security perimeter, and server room vulnerabilities.

Vulnerabilities

Listed below are the physical security vulnerabilities discovered during the assessment. These are considered significant and steps should be taken to address them.

The list is divided into vulnerabilities that relate to the building, the security perimeter, and the server rooms. The building group contains vulnerabilities within the {CLIENT ORGANIZATION} office. The security perimeter group includes the exterior office windows, doors, alarm system, and the surrounding area. The server room group is specific to rooms containing server equipment.

Building Vulnerabilities

Several key doors within the building are unlocked or can be forced open

Explanation

There are several important doors in the interior {CLIENT ORGANIZATION} office area that are normally unlocked or can be forced open even when locked.

- The door to the utility room is a hollow core wooden door with no lock. The utility room contains the wiring panel for the telephones, a junction for the fiber optic cable, and the alarm system box.
- The room containing the modem pool is normally open and unlocked.
- The system administrator's office containing the office file and web server is usually unlocked and open.

Risk

These doors protect valuable assets of the {CLIENT ORGANIZATION}. A determined attacker, thief, or disgruntled employee could get through these important doors with minimal effort to steal and/or destroy.

Recommendations

- Replace current doors with stronger fire doors.
- Replace existing door hardware with high security locks.
- Weld exterior hinge pins in place.

{State the Vulnerability}

Explanation

{Explain the vulnerability.}

Risk

There are several risks in not having {this vulnerability}.

{Provide a list of risks.}

Recommendations

{Provide a list of recommendations}.

Security Perimeter Vulnerabilities

There is no entryway access control system

Explanation

An entryway access control system limits physical access to a secure area to authorized personnel with the correct PIN number or access card. These systems have either a control panel where a correct PIN number must be entered before entry is allowed or a unique access card (contact or contactless) for each person to enter. Advanced systems provide log information each time personnel enter the secure area.

Risk

There are several risks in not having an entryway access control system.

- Unauthorized people can enter secure areas unescorted.
- There is no record of personnel entries into secure areas.
- It is not possible to disable access for a specific person.
Recommendations
- Evaluate available and suitable entryway access systems.
- Develop appropriate procedures for assigning and removing access.
- Install an appropriate system and assign access rights.

{State the Vulnerability}

Explanation
{Explain the vulnerability.}

Risk
There are several risks in not having {this vulnerability}. {Provide a list of risks.}

Recommendations
{Provide a list of recommendations}.

Server Area Vulnerabilities

The backup media are not protected from fire, theft, or damage

Explanation
The backup media are stored near the backup system on an open shelf in the server area. The media could be stolen, misplaced, accidentally erased, dropped, or destroyed in a fire. If a system or data must be recovered, the media may not be available or functional when needed.

Risk
The operation of the {CLIENT ORGANIZATION} can be impacted if the backup media are not available due to theft, damage, or fire.

Recommendations
- Purchase and install a lockable, fireproof media safe.
- Secure it to the floor and/or wall.

{State the Vulnerability}

Explanation
{Explain the vulnerability.}

Risk
There are several risks in not having {this vulnerability}. {Provide a list of risks.}

Recommendations
{Provide a list of recommendations}.

Summary

Summarize the report findings.

Action Plan

Provide an action plan that lists steps to be taken to improve security at the client organization.

References

Anderson, R. Security Engineering: A Guide to Building Dependable Distributed Systems. Indianapolis: John Wiley & Sons, 2001.
Archer, Tom and Whitechapel, Andrew. Inside C#. Redmond: Microsoft Press, 2002.
Deraison, Renaud. The Nessus Security Scanner. http://www.nessus.com/
Garfinkel, Simson, Spafford, Eugene H., and Schwartz, Alan. Practical Unix & Internet Security, 3rd Edition. Sebastopol: O'Reilly, 2003.
Gordon, Lawrence, Loeb, Martin, Lucyshyn, William, and Richardson, Robert. 2004 CSI/FBI Computer Crime and Security Survey. San Francisco: Computer Security Institute, 2004.
International Standards Organization, International Electrotechnical Commission. Information technology - Code of practice for information security management. ISO/IEC 17799:2000(E). Switzerland: ISO/IEC, 2001.
Open Web Application Security Project. The Ten Most Critical Web Application Security Vulnerabilities - 2004 Update. OWASP, 2004. http://www.wasp.org/documentation/topten.html
Peltier, Thomas R. Information Security Risk Analysis. Boca Raton: CRC Press, 2001.
Public Law No. 100-235. The Computer Security Act of 1987.
Stoneburner, Gary, Goguen, Alice, and Feringa, Alexis. Risk Management Guide for Information Technology Systems. NIST Special Publication 800-30. National Institute of Standards and Technology, 2001.
Stoneburner, Gary, Hayden, Clark, and Feringa, Alexis. Engineering Principles for Information Technology Security (A Baseline for Achieving Security). NIST Special Publication 800-27 Rev A. National Institute of Standards and Technology, 2004.
Swiderski, Frank and Snyder, Window. Threat Modeling. Redmond: Microsoft Press, 2004.
United States Department of Agriculture. USDA Information Systems Security Policy. USDA 3140-001. Washington: USDA, 1996.
Viega, John and McGraw, Gary. Building Secure Software. Indianapolis: Addison-Wesley, 2002.
Wood, Charles C., Banks, William W., Guarro, Sergio B., Garcia, Abel A., Hampel, Victor E., and Sartorio, Henry P. Computer Security. New York: Wiley, 1987.
Zwicky, Elizabeth D., Cooper, Simon, and Chapman, D. Brent. Building Internet Firewalls, 2nd Edition. Sebastopol: O'Reilly, 2000.
{CLIENT ORGANIZATION} Security Assessment Report

Confidential and Proprietary Information: Need to Know

The information contained within this report is considered proprietary and confidential to the {CLIENT ORGANIZATION}. Inappropriate and unauthorized disclosure of this report or portions of it could result in significant damage or loss to the {CLIENT ORGANIZATION}. This report should be distributed to individuals on a Need-to-Know basis only. Paper copies should be locked up when not in use. Electronic copies should be stored offline and protected appropriately.