Welcome to Linux Support and Sun Help
Search LinuxSupport
From: Subject: A System Security Policy for You Date: Wed, 18 Jul 2001 16:27:20 +0100 MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_NextPart_000_001E_01C10FA6.8491A5D0"; type="text/html" X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 This is a multi-part message in MIME format. ------=_NextPart_000_001E_01C10FA6.8491A5D0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Location: http://www.sans.org/infosecFAQ/policy/sys_sec.htm A System Security Policy for You

A System = Security Policy for=20 You
David Milford
April 25, 2001

1. Introduction

1.1 Purpose

The = purpose of=20 this document is to meet the requirements of the GIAC Security = Essentials assignment and to provide other interested parties = with a=20 reference document that they can use to get their System = Security=20 Policy (SSP) document=20 started.

1.2 Introduction

The first thing the auditor = asks is=20 "Please provide me with a copy of your System Security = Policies and=20 Security Operating Procedures". Then it starts "we = haven’t got round=20 to that yet" or "we have them but they are only at draft" or = "we don’t=20 have a policy just some notes on guidance" or "we tried to put = one=20 together but the person left the company before the task was=20 completed" or " we have them but they have not been = implemented yet",=20 well there are any number of excuses for not having or not=20 implementing a System Security Policy and the associated = security=20 operating procedures.

If you have no security policy = why are you=20 applying security measures and what are you applying them to? = Why do=20 auditors ask for a written policy? Why do the International = Standards=20 Organisation (ISO), the Orange Book (US DoD) and the = Communication=20 Electronic Steering Group (UK Government organisation) all = stress the=20 need for a written security policy.

Simply this, if you do not have = a written=20 and approved SSP then how do you apply the correct security = measures=20 to an IT System or network in a consistent and auditable = manner? How=20 do you know what measures have to be implemented? How do you = define=20 and delegate responsibilities? Where is your authority for=20 implementing security measures that may constrain how people = interact=20 with the system and network?

The System Security Policy is = the basis for=20 the legitimate application of security measures designed to = protect=20 your network from both internal and external threats. Without = the=20 definition provided by the policy document there is a very = good chance=20 that a security measure that should be implemented will be = missed or=20 you will implement measures that are not required, expensive = and the=20 cost can outweigh the benefit. Considering that for most = companies=20 Security is considered a bottom line cost, this is to be = avoided.=20

There is a saying that the job = isn’t=20 finished till the paperwork is complete. With IT security it = should be=20 reversed to say "don’t start the job until the paperwork = is to hand".=20

2. Types of=20 Policy

2.1 Where to=20 begin

The hardest part about a System = Security=20 Policy (SSP) is getting started. There are many security = companies=20 that either offer to write the policy for you or train you to = do it=20 yourself. The following Internet sites provide excellent = information=20 about creating a policy document and what should go into it, = but as=20 businesses are less forthcoming about providing example = policies and=20 this is understandable as providing this service is how they = make=20 their money. If at this stage in the document you would like = to get a=20 better understanding of what is required to complete a = security policy=20 document then try out the following=20 sites:

  • http://www.iss.net/customer_care/resource_center/whitepapers=20
  • http://www.information-security-policies-and-standards.com/weblin= ks.htm=20
  • http://www.pentasafe.com/=20
  • http://www.sun.com/software/white-papers/wp-security-devsecpolic= y=20

There are some government = organisations=20 that publish their own SSP. These are also an excellent source = of=20 information but remember the policy has been formatted and = designed to=20 meet their requirements and what they consider is the threat = to their=20 network or system.

  • http://csrc.nist.gov/se= cplcy/doc-man.txt=20 US Dept of Commerce=20
  • http://csrc.nist.gov/= policies/welcome.html=20 U.S.=20 Customs AIS Security Policy Manual=20
  • http= ://info.internet.isi.edu/in-notes/rfc/files/rfc2196.txt=20

If you are interested in seeing = how the US=20 DoD deals with securing IT systems then the site URL below = sets out=20 the requirements for establishing a trusted computer system = evaluation=20 criteria (TCSEC). In the context of this document and for most = commercial organisations the criteria detailed in TCSEC are = too=20 onerous, however for financial institutions and where the care = of=20 other peoples money is a priority the principles laid down in = TCSEC=20 are relevant.

http://www.antionline.com/archives/text/rainbow_books/orange.html=20

2.2 ISO=20 17799

ISO 17799 is the International = Standards=20 Organisations detailed security standard and is organised into = 10=20 major sections, it was derived from British Standard BS7799 = and is=20 designed for implementation by companies in the commercial = sector. It=20 is one of the most widely recognised security standards and is = comprehensive in its coverage of security issues. However = compliance=20 with ISO 17799 is far from trivial and is a difficult task = even for=20 the most security conscious organisation, it requires = commitment from=20 the top, CEO level, and the money to fund the effort. This URL = will=20 take you to ISO information=20 http://www.riskserver.co.uk/iso17799/

After looking at all the = available=20 information on putting an SSP together it seems a daunting = task. Often=20 just the thought of having to put everything down on paper = brings the=20 whole idea to a halt. Having looked at and used various = sources of=20 information from BS7799, Communications Electronic Security = Group=20 (CESG), a UK Government organisation, DERA the UK Defence = Research=20 Agency, the Royal Airforce (RAF), the Orange book and other = commercial=20 organisations. The following is a suggested SSP format that = can be=20 tackled as you would eat an Elephant, one bite at a time. The=20 following format allows you to address each area into small = logical=20 steps. The assumption made is that you know your system, it = has been=20 baselined and a risk assessment has been carried out. This = ensures=20 that the security measures to be implemented as part of the = policy are=20 pertinent to your system.

In the next section a suggested = format for=20 an SSP is detailed.

3. The = System Security=20 Policy

3.1 Basic = Facts

The following details need = to be in=20 this section

  • Name of = System/Project=20
  • Location of System=20
  • Key Target dates (if = required)=20

3.2 Security=20 Responsibilities

Unless responsibilities are = defined there=20 is a tendency for staff to claim that as nothing was written = down it=20 was not their = responsibility.

  • System Manager/Project = Manager=20 (originator of SSP)=20
  • Prime Contractor (if = relevant)=20
  • System Administrator=20
  • System Security=20 Officer/Administrator=20
  • Database = Administrator=20

3.3 Status of=20 Document

Just good housekeeping and = configuration=20 control.

  • Version Number=20
  • Superseded documents=20

3.4 System=20 Description

This section is designed to = enable the=20 Project Manager or System administrator to define exactly what = they=20 are looking after and for any third party to be able to = quickly=20 understand their = responsibilities.

  • Role of system. The role of = the system=20 in terms of data processing, data storage and communications = as=20 follows:
    • Type of information to be = held on the=20 system and output from system=20
    • Types of user = (administration, normal=20 user, print controller etc)=20
    • Number of users=20
    • Classification of data = (Finance Only,=20 HR Only, Project Eyes Only, if required)=20
    • Quantity of data = (Nbytes)=20
  • System Configuration. A = description of=20 the working elements of the system that carry out specific=20 tasks.
    • Number of terminals =
    • Number of control = consoles=20
    • Number and types of = terminals=20 (intelligent, dumb, print etc)=20
    • Media loading = arrangements=20
    • Software (OS and version=20 number)=20
    • Interconnections (LAN and = WAN)=20

3.5 Security=20 Requirements and Measures

This section consists of a = statement of the=20 security requirements to be met and the measures needed to = achieve=20 them. This should be agreed with a higher authority usually = referred=20 to as an Accreditor, and should be broken down as=20 follows:

  • Threats to confidentiality, = integrity=20 and availability of data. The nature and resources of = possible=20 attackers and the attractiveness of the system and data as a = target.=20
  • What will the impact be if = the data is=20 accidentally disclosed. =

3.6 Security=20 Domains

This is a key element of this = policy=20 document, by defining the security domains for the system it = is=20 possible to break down the policy into manageable pieces that = can be=20 completed domain by domain until the document is fit for = purpose. For=20 this type policy there are three domains, Global Security = Environment=20 (GSE), Local Security Environment (LSE) and the Electronic = Security=20 Environment (ESE).

They are defined as=20 follows:

  • GSE is the area in which the = system is=20 located in which the security relevant factors are defined = that are=20 considered to be outside of the control of the project=20 manager/system administrator. E.g. control of access to the = building=20 which is usually the responsibility of the security company = or=20 facilities manager.=20
  • LSE this consists of the = security=20 environment under the control of the project/system manager = and the=20 security boundaries with the GSE.=20
  • ESE deals with the security = aspects of=20 the system and its interfaces with the LSE and GSE.=20

By using domains to break down = each section=20 of the policy to be worked on it will be easier to put = together in=20 small logic steps that follow a consistent pattern throughout = the=20 document. It will also ensure that by following this pattern = defence=20 in depth is achieved.

3.7 Definition of=20 Security Measures

In this section of the security = policy the=20 measures to be taken to achieve security should be described. = The list=20 below is not necessarily comprehensive and others maybe = required to=20 meet specific system security requirements. As a minimum the = following=20 headings are recommended:

  • Identification and = Authentication -=20 establishment of a claimed identity=20
  • Access Control - the control = and=20 authorisation of access to information by a user=20
  • Integrity – prevention = of unauthorised=20 amendment or deletion of information=20
  • Accounting - the recording = of an account=20 holder’s security related actions=20
  • Audit - the monitoring of = security=20 related events=20
  • Reliability of Service - the = preservation of availability=20
  • Data Exchange - the = protection of=20 inter-communication.=20
  • Non-repudiation - to render = an event=20 undeniable

In order to ensure consistency = throughout=20 the document each section dealing with the security measures = should=20 start with the following = headings:

  • Definition of the = Term=20
  • Security principle to be = upheld=20
  • General security risks to be = countered
    • If required specific = examples of risks=20 that need to be considered can be detailed =
  • Assertions – an = explicit statement in a=20 SSP that security measures in one domain constitute and = adequate=20 basis for security measures in another.=20

4. Example using=20 Domains

In order to show how the use = of domains=20 and security measures are put together in small logical steps to = build=20 up to a complete policy, the following is how a single section = of the=20 document "Access Control" would be put=20 together.

4.2 Access/Access=20 Control

4.3 Definition

      Access is = defined as the=20 condition where the potential exists for information to flow = between=20 entities. Access Control is control over the flow of = information=20 between entities.

4.4 Security=20 Principle

      Access to = business sensitive=20 information should be limited to persons with the appropriate = rights=20 and need to know.

4.5 Security=20 Risk

      Individuals, = without the=20 correct clearance or need-to-know, may intentionally or = accidentally=20 gain unauthorized access to business sensitive information. = Business=20 sensitive information may be sent to destinations not = authorised to=20 receive it.

4.6 Assertions

Access to the GSE is under the = control of=20 the local Security Guard and reception=20 staff.

Users protect all business = sensitive=20 information passed from the systems to the GSE in accordance = with its=20 classification.

Access to system hardware is = restricted to=20 those authorized to do so.

All unescorted individuals = within the LSE=20 are known and trusted by The Company.

SyOPs specify the procedures = associated=20 with managing user access rights, and define procedures for=20 :

  • identification, marking, = recording and=20 handling and storage of magnetic media=20
  • handling of system hard copy = outputs=20
  • disposal and repair of = faulty or surplus=20 equipment containing memory. =

System Administration staffs = are=20 responsible for maintaining systems security, using permitted=20 administrative functions.

The System Administration staff = functions=20 are identified by roles and associated permissions. Such roles = control=20 access to, and use of, the systems Administration functions. = These=20 controls are restricted to what is authorized and necessary = for the=20 performance of their tasks. The roles=20 include:

  • Network System = Manager=20
  • System Administrators =
  • Site Support=20
  • System Security = Officer=20
  • Audit Administrator (The = role of the=20 Audit Administrator is carried out by the Security=20 Administrator).

4.7 GSE=20 Measures

Reception staff or Security = Guards shall=20 control access by personnel to buildings in which a system is=20 installed. Physical security of sites is the responsibility of = The=20 Company.

Workstations, printers, = graphical scanners=20 and optical device readers shall be placed in office space = within the=20 GSE.

Automatic virus detection shall = be=20 installed on server to ensure any magnetic media intended to = hold or=20 holding User data is virus checked.

The Security Guards shall = ensure that=20 offices are left secure at the end of the working day and all = desks=20 are cleared, where = possible.

4.8 LSE=20 Measures

Servers, routers, Firewalls and = where=20 possible control consoles shall be accommodated in the secure = computer=20 room. Access to the computer room shall be limited to = authorized=20 personnel and shall be re-verified on a periodic = basis.

SyOPs shall define user = responsibilities=20 with regard to use of the systems. Users shall not be admitted = to the=20 systems until they have been adequately trained in the use of = the=20 system and security features.

System Administration staff = shall ensure=20 that administrative functions are not made available to normal = users.

Access to the Configuration = Management (CM)=20 system and its data shall only be allowed to personnel = authorized to=20 carry out CM tasks.

User permissions shall be set = up and=20 maintained as per the site specific security = procedures.

Removable classified material = shall be=20 secured in lockable containers, when not in use.

SyOPs shall define procedures=20 for:

  • access control, recording, = supervision=20 and escorting of personnel in the Computer Room=20
  • control of Protectively = Marked=20 material=20
  • recording of actions = undertaken by=20 System Administration personnel.=20

Magnetic Media and Paper = Output: Access=20 to systems magnetic media shall be restricted to authorized = staff. The=20 following shall be = marked:

  • Magnetic media for the = storage of system=20 and archived user data=20
  • Systems hard copy outputs = shall be=20 marked and handled as for the highest data protective = marking for=20 the systems or server, unless the owner of the data can = assert that=20 it should be of a lower data protective marking.=20

4.9 ESE=20 = Measures

The user profile shall define = the set of=20 facilities each user is authorized to access. The systems = shall=20 constrain the profile by password mediation to only those = facilities=20 that the User is authorized to use.

The System Administration = facilities=20 shall be:

  • issuing initial = passwords=20
  • maintenance of user and = role=20 accounts=20
  • maintenance of hardware=20 accounts=20
  • Domain management = (controlled at=20 corporate level)=20
  • management of system = addresses=20
  • setting password = expiration=20 period=20
  • management of = groups=20
  • creation and distribution = of new=20 software packages=20
  • update site or system = inventory=20
  • perform back-up and = restore=20
  • configuration of = workstation or=20 server=20
  • unlock workstation=20
  • set system time=20
  • management of print = resources=20
  • close down and start-up of = system=20
  • monitor system = performance=20
  • perform diagnostic = routines=20
  • check software = integrity=20
  • examine and analyze the = accounting=20 logs=20
  • maintain accounting = filters=20
  • administer audit = alarms=20
  • allow the operator to = archive and=20 delete an accounting log.=20

The Security Administration = facilities=20 shall be:

  • Audit User accounts =
  • Audit security logs =
  • Audit of password = logs=20
  • Audit of Administrative=20 accounts =

All users shall have = automatic virus=20 detection software installed on their workstations and/or=20 Laptops.

4.10 Configuration of Electronic=20 Mail

E-mail shall be provided = internally for=20 all users of the systems as requested. User responsibilities = shall=20 be as stated in SyOPs.

All Email shall be virus=20 checked.

4.11 Remote Access=20 Control

Only the Company systems = staff,=20 authorized by the System Manager shall be permitted remote = access to=20 the systems.

The SecurID security = application shall be=20 implemented on the network to ensure secure User = authentication for=20 remote access. No other forms of remote access shall be = permitted.=20 The application shall maintain an encrypted list of = authorized=20 users, their passwords and profiles for identification and=20 authentication before access is permitted.

Remote access shall be = implemented by the=20 use of a Remote Access Server with integral auto switching, = a=20 security application and systems=20 Interface.

4.12 Internet Access & Firewall=20 = Configuration

Firewalls shall be employed = to ensure=20 data are only accessed by individuals with a need to know, = and with=20 the correct access privileges.

All Firewalls shall implement = a Default=20 Deny security strategy. That is a strategy that states "that = which=20 is not expressly permitted is denied". The Firewall security = policy=20 is maintained as a separate document.

Where deemed necessary, an = encrypted VPN=20 shall be implemented using a minimum of 56bit, and where = possible=20 128bit encryption, for secure communication over the=20 Internet.

In order to facilitate = changes in client=20 access requirements to shared resources, the System Manager, = on the=20 authority of the Security Manager, shall be able to permit = access to=20 the systems via the Firewall without the requirement to = re-submit=20 this document to the Accreditation Authority. This = interconnection=20 shall be subject to the provisions of a Partner to Partner=20 Interconnection = Policy.

4.13 Putting it=20 all Together

Once you have completed = Access control it=20 is a simple matter of selecting another Security Measure = from the=20 list and applying exactly the same process as you have = above. Add=20 them all together with the detail as outlined in paragraphs = 3.1 to=20 3.4 and you will have your SSP and be ready to move on to = the=20 Security Operating=20 Procedures.

5. Security Operating=20 Procedures (SyOPs)

5.1 Where = SyOPs fit=20 in

The role of Security = Operating=20 Procedures (SyOPs) is to look downwards to those who must = enforce the=20 SSP. SyOPs are the means by which the System or Project = Manager can=20 ensure that the responsibilities he/she has accepted are = actually=20 carried out in the day to day operation of the = system.

Once again it is not the = intention to=20 include a complete document but as an example and to show that = SyOPs=20 are directly related to the SSP, the following is the section = within=20 the SyOPs dealing with Access Control for an NT based=20 system:

5.2 Access = Authorization

      The LAN=20 Team leader and LAN Team Administrators shall have the ability = to=20 restrict access to information to those Users/groups who have = a=20 need-to-know. All maintenance engineers and visitors must be = in=20 receipt of a valid visitor’s security = pass.

5.3 System Access - Authorized=20 Users

All = Users shall=20 be authorized, by the LAN Team Administrators to access the = system via=20 a unique account and password.

The LAN Team Administrators = shall maintain=20 a list of Authorized Users=20 including:

  • Full name of the = Authorized=20 User=20
  • Name of = Group/Office/Department=20 etc=20
  • Authorized Userid allocated = for The=20 Company=20
  • Renewal date for access=20 permissions.

Authorized Users=20 shall be retired from the list by the LAN Team Administrators = under=20 the following = circumstances:

  • Upon expiration of their = authorization=20
  • When advised by the Line = Manager=20
  • When advised by Human = Resources=20
  • Upon termination of = employment or=20 contract.

5.4 New User Account = Creation

This = process shall be=20 carried out as documented in the local site IT Operations=20 Handbook.

5.5 Rights and Permission=20 Approval

      Special = rights,=20 permissions and privileges are granted to those whose job = function=20 requires it and are to be monitored and controlled on an = ongoing=20 basis. A formal request shall be submitted using a Company = Request=20 form and signed by an authorized submitter stating = justification for=20 all escalation of rights, permissions and privileges.=20

5.6 User Account Properties=20 Options

User Must Change Password at = Next=20 Logon
Default = = OFF

After a new = user account=20 is automatically generated by the system and the appropriate = request=20 has been approved (see section titled "Joining the THE = COMPANY_MASTER=20 Windows NT Domain in the Windows NT Policies and Procedure = document),=20 an initial password will be automatically generated using a = random=20 generator for each account. This option is initially turned on = and=20 forces the user to change the initial password and avert any=20 unauthorized logons with the randomly generated password. = After this=20 initial required reset, the option is turned off = automatically.=20

User Cannot Change = Password
Default=20 = OFF

Account Disabled
Default = ==20 Off

This option = is turned off=20 by default except in cases of misconduct, suspicion of a = breach in=20 security or simply because a user goes on vacation or on = temporary=20 leave. User accounts may also be disabled if the activity = status of=20 the account shows that it has been inactive for 30 days or = more. The=20 ON setting prevents anyone, other than an administrator or = account=20 operator, from accessing the user=20 account.

Account Locked = Out
Default ==20 Off

This option = appears if an=20 account locks because there were too many failed logon = attempts. This=20 last option is an indication that someone has attempted to = break into=20 an account unless the user simply forgot the password. Only a = domain=20 administrator can remove the = lock.

Logon To: Here = you specify=20 the names of the computers that the user can log on to. This = is an=20 important security feature, because it forces users to log on = to=20 systems where their activities can be physically monitored. It = also=20 prevents hackers from logging on to an account from their base = of=20 operation, which might be outside your company. The Company = will not=20 limit the machines a user can log onto except in situations = where the=20 limitation is warranted. Each user and manager will be = notified in=20 advance if such a situation becomes necessary.

One user=20 account for each member of staff: The Company = standard is=20 that each member of staff should only have one user account. = The=20 exception is for Administrators and other power users who are = allowed=20 to have two accounts, one for everyday tasks and another for=20 administrative = functions.

5.7 Locked User = Accounts

The = LAN Team=20 Administrators shall investigate all occurrences of locked = accounts.=20 The LAN Team Administrators or designee, who shall ensure the = correct,=20 User-id is being input, shall assist users with failed = log-ins. If the=20 User again fails to log-in a password change shall be=20 initiated.

The LAN = Team=20 Administrators under the authority of the LAN Team Leader = shall=20 proactively lock accounts for administrative and/or security=20 reasons.

5.8 Password = Standard

      Alpha, numeric with at least = one=20 capital

Maximum Password Age - 45=20 days

This is the = period of=20 time that a user is allowed to use a password before Windows = NT=20 requires that the user change the password. The Company = require that=20 you set this value to = 45.

Minimum Password Age - 1=20 day

This = setting can be used=20 to prevent a user from immediately reverting back to a = previous=20 password after a change. It specifies how long a user must = wait after=20 changing a password before the user can change it again. The = Company=20 require that this value be set to=20 1.

Minimum Password Length - 8 Alphanumeric=20 characters

This is a = critical=20 setting for security reasons. If users create short passwords, = a=20 cracker is more likely to discover a password. The Company = require=20 that this value is set to = 8.

Password Uniqueness -=20 10

This option = can prevent=20 users from toggling among their favorite passwords and reduces = the=20 chances that a hacker/password breach attempt will discover=20 passwords.

NOTE: Because = of the way=20 passwords are saved in a table, users cannot reuse a password = until=20 they have changed passwords n+2 times, where n is the = number of=20 passwords remembered. So if Password Uniqueness is set to 10, = users=20 cannot revert to the first password until they have changed = their=20 passwords twelve times = (10+2).

Account Lockout - after x bad logon = attempts ==20 5

The Account = lockout=20 feature is implemented to prevent brute force password=20 cracking/guessing attacks on the system. Each failure will then appear in the = Security Event=20 Log, which can be viewed with the Event Viewer. The account = that is=20 attempting log on and the machine where the logons are = occurring are=20 listed in the log file. When enabled, the Account Lockout = option in=20 the Account Policy dialog box allows the following=20 options:

Users must log on in order to = change=20 password = Yes

This option = prevents=20 users from changing their passwords if the passwords expire. = They will=20 not be able to log on and will need to call an administrator = to have=20 their password = changed.

5.9 System = Passwords

Any = standard=20 passwords supplied with System e.g. SYSTEM, MASTER, GUEST etc. = shall=20 be changed before the System is accessible to unprivileged = Authorized=20 Users.

All = System passwords=20 shall be treated as confidential and protected accordingly. It = is the=20 responsibility of the User to ensure his/her password is = secure at all=20 times. The password shall not be written down, except the copy = written=20 down and held securely by the Security = Administrator.

If a = User feels his=20 password has been compromised in any way then action shall be = taken=20 immediately to change the password. Under no circumstances = shall a=20 User allow others to use his/her User-id and = password.

Passwords that allow=20 access to System administration facilities shall be written = down and=20 held securely by the Security Administrator.

The = Security=20 Administrator and LAN Team Leader have overall responsibility = for the=20 policing of User-id's and passwords and for maintaining a = record of=20 all Users.

The = initial User-id=20 and password is allocated by the Windows NT Administrator or = designee,=20 when first used the System shall prompt for a password=20 change.

The = Windows NT=20 Administrator or designee shall reinstate a locked out = Authorized User=20 only when satisfied that an attempt to breach the security = policy has=20 not taken place.

NOTE: Manually = adding new=20 user accounts to the Windows NT security database on THE=20 COMPANY_MASTER is strictly prohibited without specific = approval from=20 Server Engineering Manager.

Authorized User-id shall be = considered for=20 retirement if the authorized Users have not logged on for a = period of=20 two months.

Once = authorized the=20 LAN Team Administrators shall assign privileges associated = with the=20 User role for all Users prior to there having access to the = system. If=20 a User-id is no longer required the LAN Team Administrators = shall be=20 informed, and shall then initiate removal of that User-id from = the=20 system.

Only authorized LAN Team = administration=20 personnel shall have access to the OS. The Operating System = shall be=20 backed up and periodically compared to the live version, = anomalies=20 shall be investigated by the Company Security Manager in = conjunction=20 with the LAN Team Leader and fully documented for audit=20 purposes.

The Administrator account is a = built-in=20 account that is installed when a Windows NT system is set up. = In a=20 domain environment, the Administrator account is set up = simultaneously=20 with the primary domain controller in the domain. The person = setting=20 up the system specifies the initial password for the = Administrator=20 account.

The Administrator account can = never be=20 disabled or deleted. This safeguard ensures that the = Administrator can=20 never be locked out of the system, thus allowing for a total = denial of=20 service assault. You cannot even set lockout features for the = account=20 to prevent someone from trying multiple passwords in an = attempt to=20 illegally access the account.

Because of the security risk to = the=20 Administrator account, every possible precaution shall be = taken to=20 ensure the account’s security. Select individuals are to = be assigned=20 individual accounts with essentially the same permissions but = without=20 the no-lockout feature built into the Administrator=20 account.

The original Administrators = account is not=20 to be used except in emergency situations such as a denial of = service=20 attack whereby all other administrative accounts are disabled, = locked=20 out or deleted. The account will be renamed and given an = alphanumeric=20 password. Copies of this password will be held securely by the = Security Administrator. =

6. Summary

After having looked at and = modified=20 various methods of putting an SSP together I consider that the = use of=20 Domains to breakdown the structure of the document into = manageable=20 sections makes the production and implementation of a reasonable = and=20 effective security policy an achievable task.

The sections included at = paragraph 3.7.1 are=20 by no means exhaustive but if completed diligently will ensure = that the=20 requirements of Confidentiality, Integrity and Availability are=20 achieved.

The format of the SSP as = presented can be=20 expanded or reduced depending on the assessed security measures = required=20 for an individual system. The SANS organisation has a number of=20 excellent policy examples and the policy content as outline by = Michele=20 Crabb-Guel is excellent for ensuring that all areas that need to = be in a=20 policy are given due consideration. These can be found at=20 = http://www.sans.org/newlook/resources/policies/policies.htm

Security is a bottom line expense = and this=20 should always be borne in mind. Businesses need to be convinced = of the=20 need to pay for security and often regard security more as a = hindrance=20 than help in supporting or providing services to their users and = customers. For a more flexible approach to implementing an SSP I = have=20 therefore borrowed the term "Adaptive" used by the company = Internet=20 Security Services at:

ht= tp://www.iss.net/customer_care/resource_center/whitepapers/

The term "Adaptive" is used to = ensure that=20 the SSP is flexible and ensures that the business is not a = prisoner to a=20 Security Policy that is set in concrete. By allowing and = documenting=20 exceptions to a policy it is possible to meet the requirements = of=20 business and at the same time maintain the security stance = required by=20 the CEO’s policy direction.

It is therefore recommended that=20 consideration is given to adding an "Exceptions Policy" in which = any=20 variation to the security measures detailed in the SSP can be = assessed=20 for risk, which is then written down. Based on the risk = assessment the=20 exception to policy can be approved by the Accreditor or if the = risk it=20 too great but the service is still required additional security = measures=20 can be implemented. This action is then documented as part of = the=20 Exception Policy and held with the = SSP.

7. References and Cited=20 Sources

CESG = Electronic Information=20 Systems (Infosec) Memorandum No 5: System Security Policies, = Issue 3.0,=20 July 1994 Unclassified

CESG Computer = Security=20 Memorandum No 1 – Glossary of Computer Security Terms, = Issue 2.2,=20 November 1993

AP 3086 – = RAF Manual of=20 Security 5th Edition

Department of = Defense Trusted=20 Computer System Evaluation Criteria (TCSEC) also referred to as = the=20 "Orange Book"

Internet Security = Systems (ISS)=20 Creating, Implementing and Managing the Information Security=20 Lifecycle

Principles and = Practice of=20 Computer Security, Admiral Management Services Ltd

Manual of Army = Security Vol 4 –=20 Information Technology Security dated 1991.

Site Security = Handbook RFC 1244=20 dated July 1991.

ht= tp://www.iss.net/customer_care/resource_center/whitepapers/

http://www.information-security-policies-and-standards.com/weblin= ks.htm

http://www.sun.com/software/white-papers/wp-security-devsecpolicy=20

http://csrc.nist.gov/se= cplcy/doc-man.txt=20 US Dept of Commerce

http://csrc.nist.gov/= policies/welcome.html=20 U.S.=20 Customs AIS Security Policy Manual

http= ://info.internet.isi.edu/in-notes/rfc/files/rfc2196.txt

www.= sans.org/newlook/resources/policies/policies.htm

http://www.antionline.com/archives/text/rainbow_books/orange.html=20

 

to top of page |=20 to = Security=20 Policy Issues | to = Reading=20 Room Home

 

------=_NextPart_000_001E_01C10FA6.8491A5D0 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://www.sans.org/infosecFAQ/images/sanslogo.gif R0lGODlhsACJAMQAAAADBQAJDgAHCwAtQwAfLwBmlwBKbgAXIgAQFwAFBwACAgABAQFmZj+MjHur q6PFxb3W1tHj497q6ujw8O/19fX5+fv9/fn7+////3BwcENDQyUlJRISEgoKCgQEBAAAACwAAAAA sACJAAAF/yAjjmRpnmiqrmzrvnDMfnRtf3Ku73zvy7fgb0gsGo/BG6zhgDgfDlTjQYwer0vH4+lo oB7eU9L2akoolYokAjU1JsOGpNeo2+93F35vZzUjE2kTERBWJRJhJmM1LVMYj5CQEl0kDRhxGIky DYROnp+ehioOnaCfVKMTkZEVYCWZKIs0LRCRFhVoFpCoIg6XPw8YojENFBeryBgQLQ5oyY+to7a4 FcePEImWmiSyOCsPFZESUA8SkBXYIrVDERi8OUyqz9DbKU3JbfYUkRTk7Y8XEPWCJUbWimKQKHS5 40CeMgfNLAzZF8EHwnnuXjSoFYlSCjmRwDD8hyECRHP1RP90U8Hp3LBeJPdhkGiRno9gGOdolFmS Bc5H70ZsZPUoJYOVKX4qsxfOllEYvopa5PnspQqOFqxWEvfR3CqtSFF4lWoP2dMXP4PqUJpsWZlH FM4y4PhIq4gG1iCBNYgi6jUWdMnyGOuWjq55FeRu7cmyKQY4377G4nuCZFYWFwXraOAYso/A+GCE K/wlZAuSwiYvknIYQ9wWShWv8Kt5B+1kr12YU3sokmwHrfeuPkHb80HHslWwtbsE40zmvXkLbU2Q BUnhY1AEJh25tgzUGWs6r+iiFvPib+uqzn5ibPhGTZOnoI5BJx3n3kszD0zehTzsSZzAmWkv/COf gMjkxoP/JfhJZ0IwzLlnH2zqFTRcCQxCwl13Bz6IzGX34aegcqmxFolxflSoCGUk3NZfI/m9ABpQ NVEAHjLQiQDhR6tUEMM+AAphwm0osrBPh70hs+Em9d2GTJEn7CiFWTCYt16AHrJyYC1ITpcMlMTU 94ZzOUpJHI5QlbjihSTMmCMJwXQ5UDIWyCnUYwywpaRPag65p0Z9csPiCDNOmKKdeup1Hxx4YTRi lIHCiUxigEoXFgk3RvrRBXa6t8qSzUE24yoO6qipqciUakI/VwpZQqaGsjTBmwjOE2uYkAHnaGR2 JVqnjJYOKkKmFqhKwiSbYUTpDpZ45lBVJPb6DKhRBssm/6HPKOSCSWuRuSCeqM7zood2OflIsS5s 0aoSWSYjkB9yZkpgsp5llgynSZ3KgLnnvsnEumS0m0wEdmKmCn2RUAujcYnOS25Z8zwaw6Uj8Hsu wVg0oAsECD8Cph7gzhlxvnZl+AyyOlB8F37pHOFLVp5C8iu9Sc6jlZkndBwJtzmozMCAzrVcRC1w jKoikyha/Mi4I+BsQszIvDuxsMPiV1LB7S1lsbE8omhvMik5XULDq0g8A9VzWW0BxnHoQoXJq9wK cpFk0/gwxPih/ILP+1p9DdYVq/e1zHI264ZjuNUjdiWI50SrSmgDbTXbPQSzrLz6HhRym96OnTkD mE8qH//fafstpg/m2Ec21whCqXR9d+Nt9bJnX9ui6X8tuA8vFivM0uYkUPXhNosvZrrUKpDOANQY sd6XLobAzU+XhkOKEXfFc4670Ckoryvuj3uI7wjC+wYP8EI1vsrMpuY4uHPGKr887q7JWYuhRn8+ 5cf5290+LfT7nPxeNzAd7IM7Wzvfx143oexVonzOmcBZ5Fc68DEpUNKThAJVwDxF/Y8ZAVQYBUGC O7NJg313UR8kkFS9vgStafrDFv3sQsG+0c956qifCTAXvpV97GcQNF+eYniXZ02ue2jzUwkPlDrr hQZX3ZkHKhx4ONzRrgQ1DJffHqex99xuWkg7iM489sH/MgQRjBZiT7rygh+mQSwljfpSh1qYgtCl horEOSMyxofFJKLAjlpK10yMcsY5ok+J81gGHp1oNatkUSj9k8xpGHOC/PWQjinoIAYSs0g31I1U acTSEj65i0bsTnafgiKfmtdJT46RK2tS4xIgoMK4wUhfXXSXKo+jrHb0cGx6tEkfbScjqynmZU95 X4z2Vx7nQK9yjYylKDdBSsW044egs1moXEBAIkqjc4IiJq0cgZEcjSaKqdqmbvBTruQ4gI3pHKYs R1Ad64wROl00CUT2yc97nEydzHilvvTmk1ouRZ7THAEKD2JEh51pJhaIqEQnGtF5SBBQ2HwgOHeI w/xt/8hn3rRhW1YQSbXJB5Mk3eircKhMCkjTVSQIaQVX4cZjBTAZXDwkj8pZx5qiUmYvZdcrfOcG CCpsQIOIgFKXylSldpCod8roq3j6R6lOdVJBDVgJLCA3Ev3JhTHMIFwwGgOl2SUCC00RVhEK0xFU YxPwpCSkrqgCgyYHpQzVpnbq2YiY0SSc8xRBOJAUM4W1o6s71CtmdOpVnKbASjHQU5F8Fo5f6qlU uaPQM1iHV146dq9QLcH3IME0yh40TaCckjct5lMMMfYq0NqrVRmXSrYKlQThQKxqO/JGjdTShK6d 7RfRtNe0ssCIajEtH0G2iqcQLQYd9NdrOfjZSvrvBf+eeolpveiC9X1EFaGVYXV/J9zh8navcl2n EAGbUME+QrcnsKWJcCjSr5J3M+qzC1Y65B66HoVqTTHuTksJ1ktadGE70JN+PYhdWNpWq7jVUHPO a93luqCQiy0vbSlsArrAtwTP4s12Nykf2gB3HxeNAQ8zzAPQLJjBmHEMiB7MCBMgznlKoRaDPiyw 2krDpbaRpHVJC6iEAKzGJUAccK96NM+ll5sHjox/d8LhEgRmxugE1Ygz2xhJPOUfrf2IzgSMLTJr tsna83ILxjLl/xIzv6tEs5eebEoprsArv9ywvmZkLNpQa8vQYI7k2jxEj7GwoRr8iEzo22EYW3mP qnL/Dw0B7K4Xy7mIkLAwfOZB5u8tWa17xo2Dcpw8SkPjRB4RilJ8Sk4JlzVocHQP92SA58eewxap vosDHIO8rCI5whVggwRubAUmBCbFjNTLSUv6kqEIOQc4WTBXHxABqhQiDFrgB3S6kYTKcoADG1AK BSYggXIHIhIZ6EASNAABCNroAekeQwc0kIEMRMCgCXmABj6wgQyQQn0UgEC9OcDtIGzgERlYRC0g sAFwZ4AV5DY3VRxA8IJb/AMB2UAN+m1HCWSg4kF4OH40ngQOPCCYOPqABoKJi31fnAYKCEbCx8Cx mfM7A5G8QAZI/nJuC+MGHchAOdwFb1loAAr95OcD/x7Ac6ALHelJj3rRjw71pC+d6T2ngQYwYPMg EELdNjh6BOI6AYGDPOuymIDLb8ABnEtgAnCXgMCbjva62/3ubBe4wrteAw8I/e1xNwnd8X4DDZy9 79/ud70bzgEPEP7xkH+5AjQw+BpQXt7gpncGDN/4yHv+86APvehHT/rSm/70qE+96lfP+ta7/vWw j73sZ1/6AxDg9rjPfe4RQPtuHMAABSgAAXrf+gEMAPjBT77yjU+ABRA/CQhQfgEG8PziSz/4BuB9 9ccwAOkbIADbVz0CkL/86gfAAMMPAvmxr/0kEMAAADj9+53P+gSsP/jpJ373D5CE+2d/DAtgAAag AP+mBwAC6Hr2d335R3vnVwD8FwQE4H2LEIEDaHrdZwAIeH/C93zd54BJEIDJ939J0IAVSHrjVwAY 2HoJKH0LKHsHkHwP6H7GJwCL0IElOHrIl4L1p4EtCHsnGHwxmHUdiIIEOHpDqIOrt4LK14OuJwDr F4QvF4EhWIShJ4XYl4EK2HMCQADGB4VJkABcOAAEQIMfgABQaIDS54UF94LKd4OfZ4VX2A0AcADG NwDg93hKmHwtGAB12IfpB4coGH/cd31iaADUZwMaaIh1OId92Id3WIbXN3112Hwf0IiL+AELQIeW CIXR5319eAD0RwMLAIgo+Ih2l4f4dwMCMIQhWIn/kTgAoWgDNnh763eIH9CAkah8AcCH1yeCbJiL 2EeAx3d9d/iD5VcDpEiIoeiEemiFIniKPJgErIiCNpiFNzCE7feLtjiNuah90yiCwNiGRfiLyfeI uJh8tqgA4YiO9HeOD/iL33d3qLiBEBiJBuB83yiINICLBpAANiCFtlgD16eG5IiC7fcBBemGNRAA xIiI0heQNACISFgDCnCEgniOENlz88iEpAh/NNCJIUiGNECOUAh8GTmQ0Od9B5mQVGgD5xh8pnh/ GSmRSUCOtrgArGiKGhmN9ZiGFKmSsih9Kzl9QYCSQQCS7GcDLDmC9xeTD9mTrXgDCvCEQYmO0GiN /zdAkz8plFW5hIh4kj55lEBZA0sZBC9ZAE55jP8ogTeAlM/4AXCokBe3ke7HljB3fQeZjLD4kV5o lG05liPpfS25kE3pkGqJjHZZA6wYj4gZgvq4k1i5lm1oA+rIlWSZi4yZBH5pA0hpkEopmEwpfWlp lVmZmDSwfpkJl9Lnj2hHl1AZh3dpmTSAhrmohh+wmTXQmW9ZljdwlqMZfDNpmh/gfwJYnGGZda5Z mpO5lcp3kAgZjkyImx8JmM8pjqGpi4ZJmpIZlTawjpH5csm5nbD5AZXZnK8pndIJiW04lNZploVZ AzJ5nhN5m22ok5AXno3JneSJl3WJmawpkMfJmf/UyZsu+Z6n+ZTKqZ80kJ6Eh58RmZjlmXzOSZYa CJw3kJ66yZ5TeJ3lmJ0WmqDjuaAsGHoOqprLGZvmOQbM2IsXGqC5OaCg6Z6i6aFECaIoqH4I+nkl qpUoKqFKuYAVyaLd6aLTuZ6f2Z69aaDDmaP5GaKuWJ9jEACDOZc8aaNIGKHBd5DHJ58tqnxqmKFH uqEyip3wyaQPeqJNmopH+ZbgWaXieaPM6aOK6YHXiKb06aUpaaSXiaQ2sKIdCnPxaaVBIACR6JwB KJcWt6MQyp9z2o9tSX4QaZQJEINguqdiigDtR5swOKdmaqLciQB3yI0GEINTWQATenFnSY+CGqf/ WVqVEOmnOnl/w1eROlipRap88Td++YeTbMmNNRqmcairt+qJHTgAU3pxv0eI0uh9ItmZdEoDQ2is +Rmcbfh+z0qKC6ip2Pd+HmmpIQh8AtipfgqcFKiPyQildTePH0qY1hikD0mF0zgAdCimNgCCyiqK idiSxhiCE+qr3/eNE1qQSdmVvXiqBReu4SiA1Oes6DiubUiGx8eFGriXSaCtv3quahqYenoDvGqk FdqDCXmqyfqQIhl+P0qWdXgAx1qvmkgA/4mcYWibuVmHBtsNW9iF3YAAk1iyJtuzPvuzQBu0Qju0 RFu0Rnu0SJu0Sru0TNu0Tvu0UBu1Uju1VNt7AiEAADs= ------=_NextPart_000_001E_01C10FA6.8491A5D0 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://www.sans.org/infosecFAQ/images/isrrtitle.gif R0lGODlh0wEpALMAAABmZgZqahFwcCN7ezyKil6enoGzs6XJycTb2+Tu7v///39/f0VFRRAQEA0N DQAAACwAAAAA0wEpAAAE/xDISau9OOvNu/9gKI5kaZ5oqq5s675wLM90bd94ru987//AoHBILBqP yKRyyWzuBIaEImEINAMHReE2MBgKAgnBGiwoDmHnZ3BAEChmtHpeziqmhoFogDAAClJ+TARSBzUB BgoIBVEHjGk/WFNvK1AId5hTBwaQMFBSCXoSAlkJlDCIl5l3m6J0apIKpyBYoRKlZEoDgTWJhhJ8 ClVCiQiuK8FuAIigszBmthPFnZ6XphIF1s6vS2bGIwKKE4hbRmAVAgO5MYQKx7sH6z4BA50D5Sek Z7ntCNQuBKYco/fvhSQ5wEAd46bE20IPcQYh1DGtAiN5RBil0BePgp1tLf8CRtNxsFMiLQybOBzh i0kbjDZKUSPACckuQfmydJR2BycMkQ9tlITDCmbKjIqCcmippJhRGid9AhBwzoiAS1JJcFxnRtgM oDyGTmi38yiSlXAO6CHQBt8fA9YYVe2CoM9DKFXYluuyhVSfNHTVVmBbN88EfXi+TOBLIUCBNo4u PF7bdkNXlBTUNc7WB2TgAmTwfgkjuioAtmMMCF7GaEAwRa1pevlChtFoDFspnHQ7Cq5dC4R/V3Dc Fuy4RxMevyHMe6rv1RvEYutpIQDhyBcC1xwcmc1fYHC3m8WAFkCUpCfv4GMU9zagAwQAeQVmx0A7 KvV3YfKn/44/CYicQdP/JGLAldgWBKiCEx8JFMBWUtJIYUx6mOGmyj4YEALfbhVEYV9FU+mUhj7f ZDPJSWic5w9NEraG2C8THDCSBbkBYw01gHxIIE8b3jHLVQ2ypRCAKoYhnykUukWIH1cpUldz44h4 mDULMehgFt+M4+GADY6lioNSFBUQJhONZxGEo3iDABqSINDhGRQEhFM75dBzyQGbSFFAMJu8ERV8 f6g3HYxY6qZILvTwsgwC0QT4H2uK4ClAm09NdaEyFfCBEzSuALIXVsmdAUlA31CliWqHOipKFj7p B+MtUB6mU2h28EZInSB6E6M4AGZBiT4jQaFIGI5pwiaWoSWQABl0EqDU/zJSLsNhYzKK4igkZqzn 4yjteOFnT4B2BZKZ5Z0mqBg7SsDUou4YOlIpy5Vz54hU9jrfutAYioA8oAbaqqIADHCuuddogFhP 60Rxin6CCKCsR4cOOiqa4WC4J7pZsvrmvofNSKNOBLB4xkNtTCyLunBOt+yguXBK1KMCz0cwJevq k9VwWDpoIKZE/TvfLhzvGrTDGAYs4YhZxDpeuaS6InDBKMNISAKDATxrBRrvOkzURlIRKtU8BT0B qPrM0qYoT7sSDtQaUIjQVW6EHF8h0/mkV6gTNT3KwGOhmfViA19kcCl1UWcBPHLPPV+OX1tRdpwC vQxYumtT8rd5RWMgSf8ChaeMTtLUQhgRUV1KcIlb/d6SuZmhZomx0+liDuO6E9Ct+tZaQ4y7L/8k OIW+/HrVjjPQUJL2YbFr4HtRRnNe1/N9WHG5BXFMnGXlwPkts72EKj2KTpYmH6jz0C9yge8rT32M cdPBTPmOl/tS6VClNKcf8QROXzFOp+tuaFmsa9/60BSw2K3rThYohdbkcTlW5YJ3cOCcAsMWPD+I xBljMl7k9sa2DRwMQaLKQP8yUL2+XU98egPA9Mb3Bj4863sYGlOZ/NUBQqxpClZwWd9m5I3JQQ17 gRJbIm4WOjnox3Xo6mAGAQCwUSDQdBVS4fbkF8CXDdB1T5vFAT23K7D/SRF3t9PdA0MYMEa9IV8U rACoLli1kxUwWOI7zD9O4qYUXuCJ5CGjuU7YwT2uantO9IrgBle0aeGtIIsx4/hyuMEkHqOHwHhf we4XyBdCi4xdkQob4ySFNzSRXTAaYRh5VKmUMI2AWfxfFxnoOQdibXuu5JrRgoZGlIkNihbkm7nc eDwOjusP22gS1TZ5R15RIB0SM6EogAi5jAHSlqTwHgx3IsxHEvBwnEsDNBjpRkdKLpI/TNdKfMUB sSBmFmOy1bYkNJzUifKL/yslQ06JRQN67iQL+Vssc7dAHoUBdCoDnhq9wrDBoKmXU4mjuqB0EqMB 8h5hOAnxtKnHFDJT/5mjzFQgDOPBq6Erc3QaDGikqK308Y19QfThKZiJBbi0ogPS6QckCtpMPWCp EwEQ5Tvjt7oA0hN2bFtXtyogBVfsM6NfHCObxPm7NFIAVGfrGeDg2EdpzBBzbkKMTzQSqGEtZjuQ FKAvs+fMm2lVnjVCWYVeo8UtBGBbKrNCMibGQ6++caU7yqk0LyCdruIkqqESRFfcEg6x7XSKPWXd T6eqRS6WwhVLEuMrfbJP3r01ZcCaSkRxKIAx4FIMeorSSBB60TM1Z4SXgQ9hrKWKRcwNH0s8zSX4 uI0Ugm8AGIRrR1cnzFOchAohk9QybAesAAhAWMIgg0S/eVfkFWyIcv+zZJT0eMluhrRX0WiS2LL1 1CjyFICsi8UsirdDfOSUgE2SA5COcdPMpE6KZamIHTbRB1YIlhWbAFDqElEw7u7wFOkkId+oqNZM KClMZMpFMPDjCFaMIWbNIS/mElCZY9ZFumW0a3KaYa9MQG2+4SmEH17ThzaIWLloIiaEVbcK//wy fB67zykk7N+EJHeWCgZYkyibWLM8BhNU0MN5YOMYVTSoyPvhKLAYNRE27OdTdwiyk3tCgIPBh8Tp KAQk5iuGC3FUPozimXnCtAgkT8E0uvlCYQxUpgBFuTnLuzEnWbHHMyJ4Nczwzxb6w9BX4cZAeu6E HRTxhoOxjcT10LL/jTBhH86NNM+EHnKZTYSH4w56FQkoSCqSfIz0mO8PEuLcNhbMKLsZOQ+vEUY9 Bg2oKsqgs1WmgXUW9hBneSBkGPaAa4AhF6XAOgP0iPUFOou2XA/b1h/bqwlwC5JZL+YhuNUDMlOg llmHjBFeCwmyMcBsebr62+A+CluMzbpNwEQx4U63utcNFSKmOyDjsg+7503vetNCNex5MbgJnBZv 2zsDDwi4wAdO8IIb/OAIT7jCF87whjv84RCPuMQnTnGIMwDBC6i4xjdO8YtPYQEMCDkD8NQAjpv8 5ChPucpXzvKWu/zlKfe4AjIO85pHnAEXwsQCHGDznvv850APutCHXh5zkBP96AFnwAKWzoCSI/3p UI+61KdO9apb/epYz7rWt871rnv962APu9jHTvaym/3saE+72tfO9ra7/e1wj7vc5073utv97njP u973zve++/3vgA+84AdP+MLbPQIAOw== ------=_NextPart_000_001E_01C10FA6.8491A5D0 Content-Type: image/jpeg Content-Transfer-Encoding: base64 Content-Location: http://www.sans.org/infosecFAQ/banners/dailynews_banner.jpg /9j/4AAQSkZJRgABAgAAZABkAAD/7AARRHVja3kAAQAEAAAAPAAA/+4AJkFkb2JlAGTAAAAAAQMA FQQDBgoNAAALoQAAEmgAAB5IAAAvzf/bAIQABgQEBAUEBgUFBgkGBQYJCwgGBggLDAoKCwoKDBAM DAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8fHx8fHx8fHwEHBwcNDA0YEBAYGhURFRofHx8fHx8f Hx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8f/8IAEQgAOQHTAwERAAIR AQMRAf/EANkAAAEFAQEBAAAAAAAAAAAAAAQAAgMFBgEHCAEAAwEBAQAAAAAAAAAAAAAAAAECAwQF EAABBAEDAwQCAgMAAAAAAAABAAIDBBEhEgUQMRMgMEEUIjJAFVAjJBEAAgECAwQHBQYFBQAAAAAA AQIAEQMhMRJBUSIyEGFxgaETBCCRsUIjMMHhUmIzQPDRQ1PxgpIUVBIAAQMEAwEBAAAAAAAAAAAA IQBQERAgQHFgcAEwMRMBAAICAQMDBAMBAQEAAAAAAQARITFBUWFxEIGRIPChsTDB0fHhQP/aAAwD AQACEQMRAAAB9PZIjoIECBAgQNTq8+yFW9y8T3L3LhQrSCbIrMysJ6zQIECBAg4mMtUBVYoECBAg QIEDQEaDZGDQ4xwTonCROkF5SL2hsHRRIIDqcYQs1OTYlluTNqWn69czy56jq0yXHnb769HTYZxn Rd9HXR8/IPGd91dsrroIKzLnaguy52Cqwe01Ooz7nkxKuDQTOAcuC66OiUyoefIy2giQHExo03Zq E0LQKyFhKC5AUVweZCdNe20nUZiXaNHMGZA1qcqo+eMnx5bPu1z3NmHBoOi8lx5WGrsNNKbF6vs6 pa0xPn+fNV2m3RRc3Hc9HUJGcMQTelhrvQ83Fbb9IOfP1RCqN03r8sbHXcWM57oDLHV9noTPhzfL lBJd700OIIt6nr1r2qZgzHs6yjgxcmgV1kdUmfeBfH6nt54s0mWek1SCGtbnWZ5Mq3KY0PYFCMt2 u11OMWWlVGMa/t2CzkCJv+jbCefggJvTRdXdmeTkYpiUtSN02nq0A0ZgZ42u3SJGRumvAZK1vb0Z fj87X9muO4smhIyRvWdmpVscKYWaCtBDykdROfZdMrlJi1rGr+uSeuOIBgdNtJ9g1kSJcPrCKY8r oSMjTCimGzTeCVKxzKvHHonsP00aDE4JJKoaM0BV6IIpliT25argB55Wm2rZxsNM3GY8zIwLObje w4QkIna8qni0xy35eqWSG5FNiY659PIhWUZcFJojJwmWXuHQIECBqcK0gWkE6RKuDQIECDgUXNxi xnPVCRmVekEyhaLq7qnDmc2BnjK6YkxJBpuvrAz56zHE61GpjRIwzSi6cEo/WqbCJWX/AG7YNGFS DpQsklzyOSE0d3zMrOGs41DRxtwe8dFoECBAgQIEHE2jHWgEdLU0CDoutPF0TmmKZWOBzTFQk7da KeRFYSmclPiA4Y6omre0Q8usQIEHACDz8XnQuA0ECH0noyYRuYRCYzoNpiWfQuloECBAgQIECDgU +XdxUTWRNYzVk4ECBAgQIECBBT5d1hfMRWSBAgQIECBAgQIECBAMHmgvPyeN8QgQ+ktdFRNlicBA 1nKIaP/aAAgBAQABBQINWPYc0OD4y3pvcvNIvsSL7Ll9lOmeVkpthwTZmH2CQE6w0Jlhp9ohSaIl y19DUOnM25anHVuUvRT7ssc95WdibhOBKMWBs6Pe1jX8xPI+LlL4nnmZDFW5iaaxNII4oucmdLf5 EV44+RaKr+WtTKtcnfMrN98c39lO0xSCSPresOhjZJaNOnJbDW2E1zXdHDIOWnzSIknqyVzVY5fx z/YYvIPHx/JT2p+RumrHDYsy0akl5rOLuW7M1S/asXnBPICMwTpl5CmyJpyuQ5OChDJz1d3Gwvns STcbYjlhZsrPAXLv2x8fLvpkp2Fv6cw2V1OlyMlUU7kNxt6Z963AxsfLc3NtrT1jFFclN21zUBEd e+6FlYMsxyRujbXkZ9q1L9qaaACGdkUZnme2hBBcfFZBfPyMha6SIirPHAwRzSM46u20+LjfsOla 2Rt+1bc6WwyKNWp3/UdBP9ShvNerA6eSrAYxy8vipUbFqu21YnuT8vJ4YbTnQcTD/wA3D8FDiNTx lPO1eWJN8bk/bGyvy0EcFq7ZvO4aCdkVQ1I7N+cyzyOszw8RvHF8szdDxpxU7p1yIS7un90xljkb lOdmXUalfh7Lo6jSzk+QJtclzcQ+pwsQM8HOxFXpq9qShW+vW5mbZU4zja8tb69eCKs+vJY8cdi9 yQLrbozBDx7fJZh/6LxlbLaseJ8vIkNbP/ooUv8ATU41hdJXMTZWmg+Sz/uu8m/DHgw8bxssLBXb l3MymW20NrVeJYZ70v8A2cryrjYv808A1YfDXTpMKwS5T5ahZDXXLzn1218raxggbLJxwhkr2XRc cVjxu47kZYF/ZNtTt5GqyE8xgQuMkfllypKlaQxVq8SdXrvcvr194ggD3sY9rGQRCSvx7iGVGLKe xj00lo3vTzWgkhs10bFcB82WtLWgCJqMNff4ot07qzC2SOZbYixgjanRV5C769djGwp0UTjJ4xHV +q8Ne4LxtMm17hGyGEZpQzyinAI56k1l72sbBdhmA5SEumfhXLCmkAP9pIWMsNTppJIC9xr6F0mA 8MrP490+9jJ2k/ZQtKvPkbx6TuRM6P2ERKsH1snZHZlYfG9lX7Mz2SNe14twaxtxJPFKJW+VjL1i w15Y0mAOZC5mkrGxSKV/2FXPlVhs08zHgcc6Vpkrx15ZhOJYZi02YIaknI8rI3dx8U7hPZ+rXjmZ FxFCEfdsDI5KucSNGXjHTcSp3uctm2t3NwhsEb43RlsQWxiLI0AAN/tYC2MTxCE4jrhbSV43LxSL wyLwSJ9MvYKzl9Ur6ydAR0AJTa7l9ePbHGyNiIBU9SOZsVEQnMzU2UZ0WB6Oymc7HKyyAPdlyKx0 3Ow120ySeRQN8a3ooOynOW72z2f3HdiCHtyd4P099/68v3f3Xwh+x6V/3+B2RT/0X//aAAgBAgAB BQL3srKys9M+1lZ/n+RbyicISIoSpz8Lfp5Cg7oXregfQ84WuG5WfaMiz0a/Ke7CBOG5THEpriT7 p9UnZr8JrspxyR+0p0ITjkyBB+ENegOrjlEIonQApyeiNCFnQZTMr5c5FOOmNGJoymhSHRpITjlS aI6NGjYh7QPQdHIdMrPTyJ7gV+oEZTf2fqZRpGEJU45TBgSHRjNMYQXcv79kzuNTnUp6OgboGILR O1Mi7NYUFIdewj1J1c/UyID05WVn1BH1bQsLHTCx1wFp6dAgQshZ64Cwjhd+uAu3TCKbj06I4CyD 0Dsrf6MeodcLCKz/AAM6laZK+R0BWdSfSdUEdV8ZQWUe4AzImBE4WfxaNfUF8piI6Z/kYWFhYWFj rhY9BCDf4QR/wI/kn0jp/9oACAEDAAEFAvaB6YW0LYti2Lb0LEW+zsRZ/Pys9N3TcnaLGgJTXnKd Jr5Sgc+iR2ECcNCLFj0bR6C1HvsRQKJ6goH28eyUCgUV8u6FOTZMIPW8Jp1cdxLdHDCcfxa0p3eQ ojRwCz+LW5TQm93vThhPdptOI+zW5QGE4oIor4+G+y0HL4sJoDRKM9Aj6dyJXZbehTk1bkUE5AIa LK+XnKyFH3Grs5LlKnaNZoIgm9/xTtTKUdGxEJ6d0C+SnewIimNGSfyyvyQ0U2Ch0x7eFsQb0wsL COAhtX4raFsCDQFgLCdhZz1wCtAtFhFMx0w1HHqys+hpQDSnYaoTku6SuTXtRkC8oRmTn5WfVotF p7AdgkIgZOq+WruQcrP5Och27dBqicrcE52V8ekodPgerPoB/g5Qz6srIW4LcEXBb1vW9B/Xei70 ZQwtFt/wQ6H3Qnf4D//aAAgBAgIGPwJ9DIcmGGGAWnIjmW+jv//aAAgBAwIGPwLgkofMuwrCi+G8 3FBRSaHI/EVPnEPZW7NVNN9Mf//aAAgBAQEGPwL7TOZ9GU5Zu6McZu+wxmGMxw/hLl63+5gqndq2 zzTfc7WDEkNTZTrguDJgCO+bu7orQapQjo5egsxoozM0+ks6us1PgIlq7ZFXNKUKxrj5LEtlFAY0 2xrhyUViqyLpJANKxSnE7HIwXr/CTsHhD5Fnh34meVcSm/Z0G2ihqfGcdsdmIgcZH2Bo5mM1jiut l2Qm8ca4CcQmB9jOY9PVPKS3qyzNMT0FzgoFTNBRQgFScYpUAuxwBhvBB5rV8tR7tsu3PWYKgqBh 35RvMb6aDHDflNCt9HE0oOUdGUy9kPcBYsaKg2y96qzXWlF0Nsdsqw2zcYvfouJrU1jWCCb4OnQB 7sZaD0BVFDe7oSmC4g7NmEtljVqUPd7NEFeIa6bv9YQqhlbE1mrTR7ew7K7ovpbPIpz69p7oqLkr 090FsZ3D4CWH/wAq6vH+ksou5R3tiZa8tfprUGnhNGkMvugvW+zHMdULHlUVM826aZt3xVtCoGAl u2botqufXB5NzVviVPG9MfGVV9KtvOMSwMdFEr17YllDQKNnhEtm75f5nMBt3dbbZrY8WSnwlxxd KrtzjLaueXUcTH+c5p1amD0L76HGeTbbQuTPFNq7rbaZaFeN8T2TzGucOejtl7i0rv3b4eLTTHVn NGrWSczNAzucPdtjG1Z16/modkVWXS3IF7ZZ9NbNKYmm4YCW7ZNbl7P4x7nz3su/D4R7x+bhHYOi sxHRhGctwKKnsly47VYuxVNvVFF58FqUAG/ZPUt6itqxcXTqYfMMiOyf9j1BYsi1UAf3NmUNy5jc PN/TugshiUB16ScJ6YXK6tPhsi0w4oSx5WPjMIE1DE0w3zm6LiXF4AaKy9U02bdbpPPSkK5eo9Rs /KsW55nllhljFQmpVyCeyLZGQon9YhH9s+Ea83LaHifwlLy0OwrjEX0tri2kClYqHmzbtM0bbhp3 TzLyaix4cxh3RilsYCvbC/rGOnPbn3QW7I02yaDuzi+nXHTRe9piOG2PhGut8uPeZq2V1dwylb5I t18Iq2FoMu2st2BkoqYtv5mwPxMe8duPu/GPc2gYdpn11qPvipbtai3aILa5CiD74lodvcJTa+ff +EKn9xzgJWLZXHRh3mU+W0vwhut8tXPaZp+TVp/2rnFsL8tEHac5Z9MmSDLwEt2/yjHt29GUwSYi kznkjmfAtsnFtw74D8/LHTzAoa7w6zQYDGWtRU8QIKsGGfVOP1L69oFv8YQDVSM+qUuXKWxjjj3R rTuVtknQzcuVaj3R0L1GlXCUPEd3bKWbR/Tu/kRbpwY1985v1dFXtqTvpK27aqd9Jqe2rNvIHRr8 tdeeqgrWaxbUP+agrNLgMu4yiBUHVQSrW1r2T6aaeyYTjAamVcZRcAMhM4KW63TkFGMe4E8t7fNw gNFv0Gpjg2kaqzS5BU7DSFVVQDmABKqiL1gUlSq65q0Lq30gLoGc5ClWMIuWqaP8g3ylBo3bJRAB 1CYqpMZgoFN2cD6FVzjsrjKsgY9YrD5nIM55lu3pphUzAzVoTzM9VFrWFXKkbQcZUBEB2gBYiKir dfIqo+MPqHRQRjroK1M0P6fTeI1AuorSFnNFGZlwpXRbzc5RBofRcNEuUwJ+MymMLBh2TynUaR/N IdATfWlT41l03GUBQMdK1LHIVltPk5x2nOAVpG7Z6hqfVQAq3VWamQZVIXAYDd1zaPy/GcuY1d05 MspUcPV7WAmAHRjX7C+13nrROzqha5wtff8A4iWkAAt01dtcodKqDXQi0x/CC0nN5YTVu65Uitqx Vqb22S0eH/I9BltxJmoAgbKy417DCidkVCAFI1VcH4RLf/oetP0iX7tteEfTUfGNcSh8pK1UUFTL KjidjqutK0XVcagFMffCLYNE4deyeVaXzEtH6uNKndHFKF7tNW4UEu3rHJ6a2Etdpwr3T0yoNTD6 l9zX7+uXEX9/1d2hwyWL5On1C/trYIPCBh3ZZy6jKKIAlu2f07fCWvTvw2nNWubqbpfdGzotm+4q dI+6EX7mu8wOjCcHGXbTcqDQavwg8tje9PaXB2yDHdMISWlCYB0BS3DWIDQUFMIH+ZmwPVOsxUXL L3QEdlJWmcyFJygTKnV9plMph7GU5ZyzKZTS3LtmyZzOYGvRhMcIRv2wIgoq5DoxlKsm2qGhha2x LnNmxM5aictDK+2fa0nIZCVGyLv2w02zr6Oabx/GH+CMP2J6R0f/2gAIAQEDAT8hifwKAxntLTmA 6cAk7DDkE16vM5enaZrtvrOhExt26P0qG4I69ALVHeYLJEa9/j+IEg4M6qPczPWY6wqKplufMxC9 d2VfCYaW68y7fBAVWit4FxxoG8bf1F5LbYonHWXtKHHeF3s9GYG2uCV+3Hz6B2LacEbOrwJ54Pdg FgAlZasWyorVFfl4DzL75yZE26p+xqEKvOQFzUEEoC2qDLj2gnGR5dC3KkZA15C/igg0KbtSgC8j 6YKQM3lZrHmJIL3H5mPcdPHCez9F5qxOcG4CyK8Qq3TWpVo6Do5xOH3CCbvSxImgpnjEAKlS1b64 276Io3+C+AaepO0xPJlZ0MsQIUTLoG+8rUK0KDLj2lPgfgTl1zOHNUdWqKTMwAM9SvMVgA7xwZ74 ht2TouEi7ghZt8QnDD5a3MS4W2jLl0EMkkAU4Pi5uN9e5rZwn5nBFYTeEKrvZLZohZVgHPmc3nVH 9xhqxbfPkh7cT3VTBbrpGMs9vx6O1UQbVv8AVI22KLDfZJVlwLU2DSvmMRdR4I29hqcIX/h/Uvty vlfzUb+FP2H5EUvDeOKF9r/EbMP0LRb2uHERnqy3vMoivLp3G2YF+QnYyzXNehcvF8sR54Bu9viB tfPS+xZ3iXbbsYT3lyVY6q5fEr9z8lqx3xGNwdwsrPdiitGvYY7EIBSrmeqGTnvM4cw/u4qaq0Xe WnxDKsSzZotOxPKf4b4NQQO/BabHtK+QbDWec8BHrwupyVWcQzkCKYaG/eyBub0cs4BbDY4uN9Gx k4g8JC2y7xyS9lYN3xtgqlIfs/So0EVVPywJjcKUNDEpXI3mX00ZFNPB1biNqC1tpz30wTpha/E/ BZXzLPyn5fRDygvUR5pyn5ipMp3gSuX/AGWVeHSoax4RGtmqX3jb0dYsbE3fCWKkOUh58PaYZoad c07aEsJCdIq8zwRLd5PLOojhhtXbvNXRn4P9xcsUMWZl1PFtad3aU6OnouKvyzWGR3mYXQyK8dW5 b/OeQ4t7twQCw1NOrqd216qS4hefB8v2v8SkdAnhFfsJuGbfT/xMAV3OgTubjhc2lV9FG/LH3vdf 2YMTHH9Yy/0QDeZyoGORyMBrCIDNC6vcB2oihbYNkKjSrZJTQtJ8yrFUA7H/AJEavN7CP1IT9veb fNy+x2lVwQmcDRRnjMeumMIpd8zS+P0H9zpynyP/ABgNuuPGARtqq338RJdSiZs6nmWxFV4A5ct6 nVL7EP8AqHjI5HsEEEqt49f6VFIapQ5OM/M8ImohAe//AJD66nvTPzMteY72Py3O/wD2F3pmmH9g vz+JypenVwfB+YXOifk/KLOsst8sDKol8EJGbASK2hnHeX7x0O8usbEF3lspzfzKi+c+5T1uIt9V ZYOeiO2Rc+Fd03ClqILAqkXp7xjLL24Z7DTHmsJoNRWDScMCgYgGtMy5uNbXcGXihU5EKKSrPGp1 Gq/X/fTvbuL+dxbsAF/O53xZz8p6BUnbqxzdXczrValZ23V5iBI2YmM6YgSMobPiWA+SU/VQlO5S Ec8kPMoe2kp8wC1agwBO9+YsFlHvn0JgNczAvwXmNitcwabq5ZbM2h9masW7vyBN0nFK3xUTmbPF 31qd5F4r83uaiDxqdI2w9qcHRd9JsLrgPx1LTmaIe9EevM3F+9RqXOQAra8wOIvAdT9zuJQF+ZcQ JWUsolya/ALMXjL1lAV3oIIYBEutDaXcWyeuD3ItpLYhrWtytWWoY22NRxG2HijV2w2gK/w03lNQ OmamiV5NMpYtrN4OpNnJbYVjOF9oOJaYUoS6jh3Qx5Oqqx4ZaQa7geRsuYD3AmMIB4zUsJshhwV+ hAoxLzz2jQWsv3E5twUeiXWsamGK6EYnJ2JoFAmWNYe4RIi8Rn4PiWa1beeesu9RpxR75MeCcFc9 vP0riPln+xTr/iI0h5xmfqu9FQpVN0eVEKXRrfDf+xnfCs9H6gBVtk14bWoTHInQ5XtC2RXk2HgJ rkrYxQ6lepceHoWdTLiD0vRUU8MTP8ZjV1R37wk4bQxXZ8zIEi80vJd8Tn2rKgo3d7u+0csKPu6O IaABbhIYtvXsS26ey2To8x5XJ0O5fzF3kXYsH9QRuC6dqrWRcVcBMspmuo0jANQbbMF6avrqM2mt UAsYIMu5kN0p9kP29e9mu6ZwasE2UPRUqTY1qKGCiwp5ZTzZOBBbfWqErrAqPKHG4ygzF0DtEsH9 w6je2yYgJwzV0XmUTwfUS9pE669yAK/MBK202xl+L7g/2D6VRyVWIovPq18ZnTxN6nA6RmrQaHWf 2rfP8XbJ2s3uXQiXCj1tes8YnXU8S3ljtDiXorN/KJqraDXtBAWA0SzYxrE3vfxDbgTh+GL0Ljqv XpAKKUSmHPSVvNXoAULO8IOi9EPmb1I+2u8N8diPrZd4lWwz15imEs7+qCU5JgYMHEu6JchUR2De NwBCw9pbzuo5MreBiDuyJorywczaOr4lr/SJro9C417pXtAcGTglOn7/AN/j3Tf7+hp7zSa/xOmf t/xHP1M2el/OnEdvEOZ/VPv8x58TbH9Cfhzj77zn7/pn6Hp//9oACAECAwE/If4k9Ll/WC/4h/8A OqMfS5fotRTpC+klC461FRcS5UhsYpojrT6MNEvLC/opQfJHy+pf0DKmvReIylOKvzFkwxnU7J9a lSpX036EcM+tehdI0hOKQ1SaHWUg9ZRTEdJqSuRHELJlnEwhdQhpjeccTJqPgmhdQjTBElF3M2IX 85Y0Qhpi0i8poy1KZRGsIrioCPByzY6zBfrcuXLlxY1XoZYqhNI8eqnpvmaDc+Rla9QV7po+gzX0 gcwlh6JV5QmzKjEYsUUmpnSVSC7ehyy1KriY0TVm5Dm5W8wu0E0IuIwI8+i6kPggy+ieGPUVFfRf qsrOPQjMJlAr0fVTiBNRLx6VlYlwAjMBr0QfS42d5taqckYMQCZJSMb3BNiYrtAIpGhAIhlKzLMk uUSoATB7zYgjWYtQ/ZK/P0MNwzGHq5leph9bMzM/wAFcGM8sSjpFceHaa9ibSWSg7l+IGK6swW+0 N30IA115i+Ud6l1RmoP5x2TggFPlhY7qdDPaMcWjiJn9yllzCkcTIfQelQS79GTbEGWy0t9K/jqN fTUqVK9Df+EAK9bZTMy/5qiQVM5XpUCV/I+h/K//AFNfoJt6f//aAAgBAwMBPyH+Eal/pT0KSvpC SoEU/gCClH/39svFhDCAxyPRHUT0YoSjZKl/RQxuZPmIk9GKPQZv0A9QZjSWgqWyiXiC8xmWP8wP q1lEsitqEKJFcbXaIKgufQLNmsmIXRA2XFB1Yk3Mx0YlVCad1Babgy7FFxHUtKLTEDRuJXqxybl7 S7K/X0lUVx8RxBiB/AZiKG4mTMGyygJv+EAzSEG5kwY9BCvUFEWJinQhZuGnsl6BHiG7TeiOilFq FVRpTNixuUIF2gmr7TEEHuwXlixFmaJmxzGb6A+oGc7EF3TcOCNhlPFJUXoRUcnoczOVK9KIEr0q V6EW6RjpKiXiVlYeLMWTVVHC4+gaCZuLlekR2ZgNjXWUV2gBqMjTcDbTEu5Ss6luQiEYKcTBGiWX 6FvpneZoG/eY/WWEzTzLAh5BwwBkuUtfgna5nY56y99UqBJIxf1graYreUoziMH4iOJ0qadoMHzK 1yooFxx3gwOqWJTxDdnBAU68z3rD4peo1LfnMuekJf5jAL9Ii1BgZ9b9VQl04lxar/4Ll43D6LJT 6KkFSkr6bPRaiOIj9CnmMblOP8s/+Qmkf5mk3/8AjfRnHofwf//aAAwDAQACEQMRAAAQikkkjWKJ oeckhM0Ekkkglbd/q5cVyEs4r0fTnnboK8wTbzCXeJXLBbpzCpzm38WPJL75rfNrFy1KJnKMLfGJ 274oM7XlgXjKTKzJXy/9qxaCwApqNG9+6nlUkF8ozgRdglJrXMB7wLofWXUM81f0kjAXbbfGL8v5 K2TNbTidDAhHzQ2PykkkkiVLa0XM6GV1c3nGEggm3SoYf80kkkkhqWkkkkkFEkkkgkkgvZ33HAGL /9oACAEBAwE/ECEc41eNJADp2HtAr63B3cYuW+HPmoay9mtdI9g1sv8A9lVknen8sNt8gf1UNv8A DSn+x4qd1z9EtgsYrH+7hhy7kqyve38xe0YIlmT6ALQHVxALQnUz6U49ZVLoXjrB8sqBZ1a4ESxs eT66+JX/AGUhXtOWjfGI927/AHc51K8xeS/cxaXftcV6F/EEbR4jKOR2+yWhgXn/AMl3BNDhto4w uu8IFKCjYc0UKIYlZghCwBMuy5jkq0rDrLlBADsAOrK6c7jWFdlvLrXMF1WyLR5Yi1OIDjpZMVW3 W/L7blF3Wd/1HvufoCC9N3suskrCqEWllYGHWpq3Ixei1ysEzRPCJF2tXjpNDzi1dyW7uIEtBsaK ylhKkdaFo5g4ae8NWaDaRNG7IS4NKRvytz0zAmYtywQ301L/AOZmVqRDaVAjox1mPI3YQfKviW+2 xgUKivBOOkdvv+Jn8b8eYmBSNNG1TZeQ1AzKoBMC7UrF+8QBjVkCzwN3z0hqUOv+TLYHZz8egUN2 aiGwo2dPEywTGXLEieZc+0r769Z94+9RMHVvJ7VqHHe0UZwBZiCJy8lH+yzZDcDU+CYfASpZaUWv Roj913O2zBwo945ZUShLtnFbbUYwqChraW4ALYkr2aVQoGqF7TnSlEKON3YPmA5Iy3Gzi25fBZOH UK1F43DYAP5eb/qZ4p6pX7iyAbUL01qIkzTiLbaBuAH1jbApYmsWElE9oKjqXGeGKxC+PsBm4FN0 xW4bPhQIlfCArcUWCskDV937I4uoZZCnKhNBmFktK2o45ug6TIS9D/vcwgKaHMtetr+HoILBSoFd GXJ/MBInDMV0R2R9szAL6VIUubKXQ9pZIfYuCp1h1ZrZDcpDuVA2fOUSsC08Wrvkk1SNUmB8uXuH oWAoOwiQ+wQCo67QUAxjxoRdocA75Limg4YMJQaacNamI+mSg39EaKmxy9QV1s9oYRbXJLJ0GNxy 5bWxq8DVvJjNLoC0pGrm7fiXbnuppZc3QF7xlhgdtjIM20kUKxla0kfI8SwlBQLdIwcfkhpjPdkH aFuNfTiZCmyV0lV3hCpeYbC9uCnYitc9Q5tfQtHzCQg9JIRT8IvF5jh0bwoElVENlz2ZFsNnRYyx WeOCzAG9XceOHVlrTVoLjLNW7UecGf3AFK4wh3CKERzFSxroYBsvO7gtMyg5oAOEDrKEiPUGT4+S O3QA0oKHBNxzZ9RJSrKX46xa21E3iVzJ7kQTC1bch0vJlmcuc1r10Bmwgl6No80e3o+IgyHiMTlB p/NJLtactSyA55Ojs1DAdycXEb6dYogATAAvEBugaVuoCYV7yg+sSoJcL5MdNeULDKEHF+Uy2OVq EVJ42j35jxXUELz9VwHXvKAqt0qqr2OWYxVbhC10PTECuLRooDZ82lZJCyGVXV+Elz7hjMZraWKc YnynpouHVgEsKIUTxUNJT1SXkJntpx71L+oy1j0dC4H+kJvo0DmCRspr5zNu8UVoyzmrl5IO5U3g vcGGFRcNL0+DKfS2bwEv2hxM8ItGhGjWMXfaEqVECB0MHg8RshddKxWWboLc1L+sDHCZ/wDHuR71 0NZsWbRdal4fe11Y7WuWLMRhSxpA2o7fLi6CBqE5wusQkbR7kFeEwQhqgvq2r3XzEiuj2rEL9rQt JRcdUB0zQjMoZtmJ2i0WMw0KnCBHoZKvzH04Y6C/nC95YXDpNJwnSvzhAhmuLBvd0zHsInNlN54N +YPr0hkzAJwRibCbFJlnQs1WZxIBGtlXa/hM+xrNUFeO6/EtcJgWFWsTuZQPPWpAxCALa3vLBlmq /E0Sk3bir2rOSRsxtryicr0WRUfkDxNe4hzZQqHyDuxD7wwsGGjtQYAnAfMGEcjQIQtEKtZPdMAM w7DgcH+wQJwvq/3NgwYtISfImquGflfSogooZ/qMqmJzYHJkA8jdmbIAgFaHWQUaBr/YCx+gySt9 YMQufgh8yrWV01FaUSymFXmAZhPHD4GzIkDGi7iBlOWCUNvWo8e8Scv1UoaC0PXeZiK2iQiFxXo1 gjjhNSDkg5AyM1Djb+tAWBpkm945xj/1v0Vp2wH5NL5gsbEDKvHvdYxT6vFZRkOD0ZrrYK4rXkXu 4vak5RcXJZvOZQBVZdqWCYS4gvaeqqtCXiKEa0JK9d3vBh22C+XbrmPy5i1LGve2dVdUa4iDLA6T FAUH4lN8+Mr7zGPvXFlwOqbm5fKOWumxayr3FX0Lt2OgtG1ikSUIPoijCXmoaWzEDuswF3Sf8spt rUfsMqy7ay2954Ate52MveUszOPhkXxi3xD4GITZduSQOvVhSmwwcXUG6k615didHn5V7lb7wi0E 6gFrlaxGprTUYXQro/dmiwAPAtCwu42zEN4BOpiBzDkJqpoIV1xVZbjfgNzHE6QYJ8CdwL1ambps fM5dMqFk0KW1FOG2MJYAog+ZmJ4KJVhaj1nQwpMrVwYX0h3Wt6DvE2ToYwkzUC2iBY3lwxxcgF/C Aq1+KyupSCLi2+fHmMTC0tT7XASlo2l+OCpnBqNQGqRbCuRCLeOCLjlEpcRS7ZKZVjIOIejBKJlC 6GUVy98QdBrLa0g3UFf7dIsSZMobN9fDzIzlzumNysSqFXzarY8QJVbE5Bm5AV2l1qtFK7UUbcsf uENQgbrCjMXEMuSsq6K5de/5+k36g/qW6o9S37qJjkHifrMvrtbu2oHJvJ21KGz2+7meN8db1P8A n/n+Tnvxz7bnTng/8n2RuzFmAKA6bf8A2bO+zshcb6HjvFI2xCmL1uIEysPO3gkroMtxBFz8o1Wx ovvUZqPhw9rDGEvnMVqVLpqrCbYejDLPCIixQJauY34cBQFwW+vnxFiBeO0WBZBex6kyyaBRgNJa KX7Q3O8hAbFwz3zBTSGamg2QL2bhfhWG71umcWeYC9iroCAOCjWZi84IY9LLpy1B5l4O9NZqsA/U VoqbhjpLf0Y6bYs2CErN7NBcSZd1XZ+AzMN7u5R6UqTD1I0NmYmLR6MwVBdsudVKpcUSiq90rbwk fEqlwFSGLabGrmQAZljkTI07+IuLrFuxIEH/AAikaUkWxQ7IO4lCxgEtnBOcHXkuDB2q6qMHReGa 7RZOnaNLgADyaKUouhuORW/9zDiegZMCo8/1EGAAsY6uINcSrFaZpIA/KFaGAq5Xlb5ms9wyrTkx 3Ez/AAgBIWED4lsBaXkDZk4i93xRoYdK3UA6wwDfPbGowagucZC62/8Akr0/hhB2XFNt5CL7+Mg7 U8WzET0Yu/3Oa394hbov77S4N0bbHjEQVZdU/u5YFV0XI8So0LbcBa7eINzDunMr0FOERXxK4lIv YEdDTWYNaMBeA4JaF7ksqe16hiQRp2rzLaAbKpx7y+zvhyZ8P3/ZJDehf/kMoBxy1+iASxCUaKjT 3hfwDcB16rtfSgC66AlnmJRBArrYuhWekCnIVB0GlV4IBRK7a3veK/UTLjmzffTDEAZTTTpcJpdA Wfn1QAJsckqjRoGJSL/FeJWQM7tcxh7X9R+D8oiAi7QXjxGYVgXqtTbaxQvO8Eo0EUbEKwyqa0sL LO0umyxVguMSxcBiopC5Wc1G5bYC1n9TOoWaOG7rErxU5UQY1UquUUjjnHdmXTdeVb7P5F+b/abv P9T7HtNM3+f4vxmflfszR98v8Jv4P7+rT3P3Pw39M/M/sn5z9MNZ+Yn7D9E3eY3943+zmfY8E2fZ n0A/WNPOL839Zz7f1P/aAAgBAgMBPxBZf8CXKPS0vLS/pUy4KBf4FiJZ/GSvpfotIZgJWvQNZmb6 gFuotVkMdj2houIXoZgsuIgCFSqTLCNOdBvmVU9KiXE3JAIc/QoVtjr7UosnXBH0Sal4vqpMCLlI ks6lfoqVFbZUh2QZoniKrYSlD/4gw9B6DDGDGb6xBfQhEi/Q9SPNnxLACxhl1kiFoPu4IjhlMDdI ff4lUOh+Y5QYRhhZGMihXiZh7yhBCEUH5iBkgje0vg0MCJ4olKcUoC7jArsZeVzxHAoSxCrH37wi l2w9lR1la2MqTtmTOOku5qImypRq7mL64hC2X2YFEp1XpoYV9mZn8orXV6DD0LTugJQXOZqFVRV7 Tl6gxNHprlBr1ajBi4NQ8pah/wCZEC2UQB4hVjx/swE4ZmvQjtYWMn7lMO+ZjIpzdwUpF68TENfa 5YTxj3Y+CEuFx/c3uNxFzhADiKg8TD5P2w2yquj9xDHiIli5otalICHB1/uYZ2YMyjHH7YDtCLY4 z7zQ4v8ABGA8YldHB/yVfR636CUJU6MRxxOA8sYwLdzLUbhEiMGW8xZxLfTMImvBErQvj0y3RfiA tgX4gCksmkAjthNIqXN4XDBRLTUHsJkAttjMSCpb2LgJTVQGAB7EDkAjmUXM10XEMLXa2WnB1lKm IJgqK5BYnIGIGmgWZBBngISoqEXN0X4IpKamvo/Es4ALoQZoeazKy12yEAW6lkmuUEQprR9FqIzB iAbIHSPjpNICwtkTq7RZm/vUL89pjtg13L9PpbiwwkV9brvxNzD8RKx0fMAYAzR1gSroJzPV8sKd jq/9hGwxBhj0ho4bz/kuP/EQVIxGCHsEoW1mB6bXv8zJNDmGgU2/yUs6wC6dR/sPTeyCwf5IhGB1 tj76waTWA8f8gquFtibD2EcTH3K6xDx5tp94e6lt4e0uIwU4iv0QZrMMtOsLhwE0QW7NxAQfF6nc YdSNrv8Aj1KQCPrUylukv0l5aVqdQfrtIkC4TWqhgDR6JcM1aeIWY5eWWIHpKifyAu+ZYVMuKawI k4iS33/z+Nm0P5m00/8AiPofpOfTf76+lxP/2gAIAQMDAT8Q/hdWQDKi2wi3EYvAs8536UqonWJ3 L6QuJXojqM3iNkZ/+Rh6KwxCMqV6LWYtcIC0kALYy1UVFxFqoSLzBGgRrYn+GnpSq/8AYs/0giOf oU+SKqy4upmdRNwelTcAGSN2oBr18zG1cv8As8cuo8RFVSpBtiVFhDMWjj6r9FiyogLv1tiV9JXC LATikAUJQVKQesshEA4TGgk1zMwXcynXPvKgMATW33iQwXE6JdygwonR7uY64BGA+4/feA3elxM8 RLegiaRgA5v/ALLS05Y0N6ANhk+G68yzLR+usdc1XMubeqYHvH4RHKgEdB1mx1mK/pqVLgFSwQFw NcOrrvFFPYy/e4YA/wAb8ePTeDPrfpQUZqDMz3GJV3DVe81fQDN9IPMDRMZKKdYLZi7E5U+YsIqK 8NExt0iu+P2zx137Gv6loW32RnDGvMABomDzf+szzn+tfmInT+2LE4/uIVhZjnR/1AA+fv74mD5/ t/5AUXNKadZZSB7EOT0TwRaJUB61KZTFcRFvFzv4IKS2pV9XmoRmXtC4xqeubiEFHdiB3E3n/sYq YOsaYqc6jHBaCwZhKZTp6LbIJoiHZ6Vu6gLuolxeCDRq6Q6psg+0OifE7JFgyXARBkNsZgAZv5nL CA6JkMIvZIZbpfiIYFdrZdlHY6y2mP0mKAeI9kFjcAx8wlUE8XGrA+0zoAcao/dQLaFxGAY00VMk GRglEzFDLAt2lMd5UCWG4UuIZ94jX2naNEDfWWjv/kuusH7jRCaHtt/UolQxz/7LFkFtZz9kBFjn B8ZlOHV+zEes5cf5uA4Fy8P9lc1Xvc8fpHJnIX0x6qA4+vwAPHb8Rh4X4CYCCl+b1MIAyArP/kId 1bdO8zum58vEYnHVQ45ywKAh3gkwxj7++YwKhF4P6iP/AAJALY0/v9Q06u0VmU0ym1mB02VrPzMo 8PPiUQYb79oE6cNPxFRFoKgFK95kJypk4z2iHceh1Gyj7yllzAMJxMh6X6FlRRV4IlwcwdiqWW3M Ajp9LxX0V/ELrAeWaBxAhlv1xHkY9clXMepHrSxLqV6GPQj2QFSVNwMmGxlMFqABR6XCqtNAteds 4jUYLEqV9b6m4zDPoG4Yj/8ABtNU09Lv+TV/8Ox19DaG3po/SQ9P/9k= ------=_NextPart_000_001E_01C10FA6.8491A5D0 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://www.sans.org/infosecFAQ/images/searchblack.gif R0lGODlh0wEnALMAAMzM/zNmmWaZzABmmTOZmZnMzMz//////8zMzJmZmWZmZjMzMwAAAAAAAAAA AAAAACH5BAAAAAAALAAAAADTAScAAAT/8MlJq7046827/2AojmRpnmiqrmzrvnAsz3Rt33iu73zv /8CgcEgsGo/IpHLJbDqf0Kh0Sq1ar9isdsvter/gsHhMLpvP6LR6zW6733DPYE6v2+/4vH7P7/v/ gIGCg4SFhoeIiYqLjI2Oj5CRkpOUlZaXmJmam5ydnp+goaKjpKWmp6ipqqusra6vsLGys7S1tre4 ubq7vL2+v8DBwsPExcbHyMnKy8zNzs/Q0dLT1NXW19jZ2tvc3d7f4OHi4+Tl5ufo6err7O3u7/Dx 8vP09dBx+Pn6+/z9/v8AAwocSLCgwYMIEypcyLChw4cQI0qcSLGixYsYM2rcyLGjRw0RAQAAOw== ------=_NextPart_000_001E_01C10FA6.8491A5D0 Content-Type: image/jpeg Content-Transfer-Encoding: base64 Content-Location: http://www.sans.org/infosecFAQ/images/smqueen.jpg /9j/4AAQSkZJRgABAgEASABIAAD//gAmRmlsZSB3cml0dGVuIGJ5IEFkb2JlIFBob3Rvc2hvcKgg NS4w/+4ADkFkb2JlAGSAAAAAAf/bAIQADAgICAkIDAkJDBELCgsRFQ8MDA8VGBMTFRMTGBEMDAwM DAwRDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAENCwsNDg0QDg4QFA4ODhQUDg4ODhQRDAwM DAwREQwMDAwMDBEMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwM/8AAEQgAMgAyAwEiAAIRAQMR Af/dAAQABP/EAT8AAAEFAQEBAQEBAAAAAAAAAAMAAQIEBQYHCAkKCwEAAQUBAQEBAQEAAAAAAAAA AQACAwQFBgcICQoLEAABBAEDAgQCBQcGCAUDDDMBAAIRAwQhEjEFQVFhEyJxgTIGFJGhsUIjJBVS wWIzNHKC0UMHJZJT8OHxY3M1FqKygyZEk1RkRcKjdDYX0lXiZfKzhMPTdePzRieUpIW0lcTU5PSl tcXV5fVWZnaGlqa2xtbm9jdHV2d3h5ent8fX5/cRAAICAQIEBAMEBQYHBwYFNQEAAhEDITESBEFR YXEiEwUygZEUobFCI8FS0fAzJGLhcoKSQ1MVY3M08SUGFqKygwcmNcLSRJNUoxdkRVU2dGXi8rOE w9N14/NGlKSFtJXE1OT0pbXF1eX1VmZ2hpamtsbW5vYnN0dXZ3eHl6e3x//aAAwDAQACEQMRAD8A 5PJ65iY17qLGWFzIktDY1G7u8eKF/wA5MH/R2/c3/wAmsfrP/KV39n/qWqmpMh4ZyA2BIa+LFGWO EjvKIJ+oek/5yYP+jt+5v/k0v+cmD/o7fub/AOTQ/qb0npfVupDGzTY19RFzQ0bm2NaffjWf6Pf7 f0n9ddV9efqp0DHw7euBtmE4DaMapoDLLXaVaf4H963ame4bpf7EPF5n/nJg/wCjt+5v/k0v+cmD /o7fub/5Nc2kjxFXsQ8XukkklI1H/9DzbrP/ACld/Z/6lqpq51n/AJSu/s/9S1U0/L/OT/vS/Njw fzOP+5H/AKL0H1H6w7pfX6CBuZlEUP5BG9w2ObH8tdn/AI1/rBfXgY/Rdg/WwLrXEkkMY79G1v8A XsavNulT+1MOOfXqj/Paus/xtuLvrLSOzcOsD/OtUdasjxKSSSKnukkklM57/9HzbrP/ACld/Z/6 lqprbz+j5OTl2X1uYGviA4mdGhvZp8FX/wCb+b+/V97v/IKfJgyGcyImjItXDzOEY4AzAIjEH7Hp f8Xv1Ox+q7esZGQA3FuHp47NSXs22Ndfr7K10/8AjC+pjOq47ursyBTlYWOZa7+bexm62C+f0dnu dtXneFgdbwLPUwsv7O88mt72z/W2t9ysZx+tPUavRzepOvq/0b7XlvzZt2pn3fNfylk+9YP84HnE lp/83839+r73f+QS/wCb+b+/V97v/II/d8v7hV96wf5wPTpKHqN80lJ7OT90tL3YfvB//9LnUlxi S2nnXs0lxiSSns0lxiSSns0lxiSSn//Z ------=_NextPart_000_001E_01C10FA6.8491A5D0 Content-Type: image/gif Content-Transfer-Encoding: base64 Content-Location: http://www.sans.org/infosecFAQ/policy/transparent.gif R0lGODlhAQABAID/AMDAwAAAACH5BAEAAAAALAAAAAABAAEAAAEBMgA7 ------=_NextPart_000_001E_01C10FA6.8491A5D0--
Valid HTML 4.01! Valid CSS!