From 224775a025b13d6f6108917a7303c0d323d67c82 Mon Sep 17 00:00:00 2001 From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com> Date: Thu, 5 Dec 2024 20:06:02 +0100 Subject: [PATCH] improve ANSSI hygiene guide add implementation groups add en translation --- .../libraries/anssi-guide-hygiene.yaml | 1769 +++++++++++++++-- tools/anssi/anssi-guide-hygiene.xlsx | Bin 35432 -> 60843 bytes 2 files changed, 1586 insertions(+), 183 deletions(-) diff --git a/backend/library/libraries/anssi-guide-hygiene.yaml b/backend/library/libraries/anssi-guide-hygiene.yaml index 4d5ff44f50..2750af0cb3 100644 --- a/backend/library/libraries/anssi-guide-hygiene.yaml +++ b/backend/library/libraries/anssi-guide-hygiene.yaml @@ -5,9 +5,15 @@ name: "ANSSI - Guide d'hygi\xE8ne informatique" description: "Renforcer la s\xE9curit\xE9 de son syst\xE8me d\u2019information en\ \ 42 mesures\n https://cyber.gouv.fr/sites/default/files/2017/01/guide_hygiene_informatique_anssi.pdf" copyright: Licence Ouverte/Open Licence (Etalab - V1) -version: 1 +version: 2 provider: ANSSI packager: intuitem +translations: + en: + name: Guideline for a healthy information system + description: 'Strengthen Information System Security in 42 Measures + + https://cyber.gouv.fr/sites/default/files/2013/01/guideline-for-a-healthy-information-system-in-42-measures_v2.pdf' objects: framework: urn: urn:intuitem:risk:framework:anssi-guide-hygiene 
@@ -15,12 +21,37 @@ objects: name: "ANSSI - Guide d'hygi\xE8ne informatique" description: "Renforcer la s\xE9curit\xE9 de son syst\xE8me d\u2019information\ \ en 42 mesures" + translations: + en: + name: Guideline for a healthy information system + description: 'Strengthen Information System Security in 42 Measures + + https://cyber.gouv.fr/sites/default/files/2013/01/guideline-for-a-healthy-information-system-in-42-measures_v2.pdf' + implementation_groups_definition: + - ref_id: S + name: standard + description: null + translations: + en: + name: standard + description: null + - ref_id: R + name: "renforc\xE9" + description: null + translations: + en: + name: strengthened + description: null requirement_nodes: - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:i assessable: false depth: 1 ref_id: I name: Sensibiliser et former + translations: + en: + name: Raise awareness and train + description: null - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:1 assessable: true depth: 2 
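Review bot: The two implementation groups are defined here with `description: null`, and nothing states how `R` relates to `S`, while every standard node in this patch carries only `- S` and every reinforced node (2.R, 6.R, 7.R, 8.R, 12.R, 13.R, 14.R in the hunks shown) only `- R`. If the consumer includes a node whenever one of its listed groups is selected, which the list form suggests but the diff alone cannot confirm, an assessment scoped to `R` alone would contain just the reinforced supplements and none of the standard measures they build on. Either tag the standard nodes with both groups (`- S` followed by `- R`) or fill in the `R` definition's description, for example `description: "Mesures renforc\xE9es, \xE0 s\xE9lectionner avec le groupe S"` with a matching English translation, so the intended selection is documented next to the definition.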
@@ -53,6 +84,31 @@ objects: cifiques dans les contrats de prestation pour garantir une formation r\xE9\ guli\xE8re \xE0 la s\xE9curit\xE9 des syst\xE8mes d\u2019information du personnel\ \ externe et notamment les infog\xE9rants." + implementation_groups: + - S + translations: + en: + name: Train the operational teams in information system security + description: "The operational teams (network, security and system administrators,\ + \ project managers, developers, chief information security officer (CISO))\ + \ have special access to the information system. They can, inadvertently\ + \ or through not understanding the consequences of certain practices,\ + \ carry out operations creating vulnerabilities.\nWe can cite for example,\ + \ granting accounts with too many privileges in relation to the task to\ + \ be carried out, the use of personal accounts to carry out services or\ + \ periodical tasks, or even choosing passwords that are not sufficiently\ + \ robust granting access to privileged accounts.\nThe operational teams,\ + \ to comply with information system security accepted practice, must therefore\ + \ undertake - upon taking on their role and, subsequently, at regular\ + \ intervals - training on:\n> the legislation in effect;\n> the main risks\ + \ and threats;\n> security maintenance;\n> authentication and access control;\n\ + > the detailed configuration and hardening of systems;\n> network partitioning;\n\ + > and logging.\nThis list must be specified according to the employee\u2019\ + s job , considering aspects such as security integration for project managers,\ + \ secure development for developers, the security reference documents\ + \ for ISSMs, etc.\nMoreover, it is necessary to mention specific clauses\ + \ in service agreements in order to guarantee regular training in information\ + \ system security for external staff and especially outsourcers." - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:2 assessable: true depth: 2 
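Review bot: The English description of node 1 has a stray space before the comma in `employee\u2019s job , considering`, which will show as-is since the value is a quoted scalar. The same text calls the role `chief information security officer (CISO)` near the top and `ISSMs` near the end; if fidelity to the published English wording is not required, aligning them on `CISOs` would read more consistently. The node's French lines begin before this hunk.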
@@ -80,10 +136,60 @@ objects: nements suspects, etc. ;\n> les moyens disponibles et participant \xE0 la\ \ s\xE9curit\xE9 du syst\xE8me : verrouillage syst\xE9matique de la session\ \ lorsque l\u2019utilisateur quitte son poste, outil de protection des mots\ - \ de passe, etc. \nRenforc\xE9 - Pour renforcer ces mesures, l\u2019\xE9laboration\ - \ et la signature d\u2019une charte des moyens informatiques pr\xE9cisant\ - \ les r\xE8gles et consignes que doivent respecter les utilisateurs peut \xEA\ - tre envisag\xE9e." + \ de passe, etc. " + implementation_groups: + - S + translations: + en: + name: "Raise users\u2019 awareness about basic information security" + description: 'Each user is a part of the information system chain. To this + end, as he enters the organization, he must be informed of the security + stakes, the rules to + + respect and the proper behaviour to adopt in terms of information system + security by awareness raising and training actions. + + These actions must be regular and adapted to the users targeted. It may + take different forms (emails, displays, meetings, dedicated intranet space, + etc.) and, as a minimum, deal with the following issues: + + > the objectives and stakes that the organization encounters in terms + of information system security; + + > the information considered as sensitive; + + > the regulations and legal obligations; + + > the rules and security instructions governing daily activity: adhering + to the security policy, not connecting personal devices to the network + of the + + organization, not divulging passwords to a third party, not reusing professional + passwords in the private sphere or the other way round, reporting suspicious + events, etc.; + + > the means available and involved in computer security: systematically + locking the session when the user leaves his device, password protection + tool, etc.' 
+ - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:2.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:i + ref_id: 2.R + name: "Sensibiliser les utilisateurs aux bonnes pratiques \xE9l\xE9mentaires\ + \ de s\xE9curit\xE9 informatique (renforc\xE9)" + description: "Pour renforcer ces mesures, l\u2019\xE9laboration et la signature\ + \ d\u2019une charte des moyens informatiques pr\xE9cisant les r\xE8gles et\ + \ consignes que doivent respecter les utilisateurs peut \xEAtre envisag\xE9\ + e." + implementation_groups: + - R + translations: + en: + name: "Raise users\u2019 awareness about basic information security (strengthened)" + description: To strengthen these measures, the creation and signature of + an IT resource charter specifying the rules and instructions that must + be adhered to by users may be considered. - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:3 assessable: true depth: 2 
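Review bot: The French description of node 2 now ends with a trailing space inside the quoted scalar, `\ de passe, etc. "`, a leftover from cutting out the Renforcé sentence that moved to node 2.R; it should be `\ de passe, etc."`. The English description added below it also carries page-width breaks from the PDF in the middle of sentences: `the rules to` / blank line / `respect and the proper behaviour` and `network of the` / blank line / `organization`, which single-quoted style turns into hard newlines. The same artefact appears in node 3 (`deficient or\nincomplete`), node 4 (`users\n(personal data`), node 5 (`attention. This` / blank / `involves carrying out`) and node 6 (`necessary to update` / blank / `the rights and accesses`) in the following hunks. Joining those fragments onto one line would keep paragraph breaks only where the guide actually has them.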
@@ -116,11 +222,42 @@ objects: \ pas ici consid\xE9r\xE9 comme \xE9tant du ressort de l\u2019infog\xE9rance\ \ et par ailleurs d\xE9conseill\xE9 en cas de traitement d\u2019informations\ \ sensibles." + implementation_groups: + - S + translations: + en: + name: Control outsourced services + description: "When an organization wants to outsource its information system\ + \ or data, it must assess, in advance, the risks specific to outsourced\ + \ services (controlling the information system, remote actions, shared\ + \ hosting, etc.) in order to take into account the needs ans suitable\ + \ security measures when creating the requirements applicable to the future\ + \ service provider.\nThe information security system risks inherent in\ + \ this type of approach may be linked to the context of the outsourcing\ + \ operation, but also deficient or\nincomplete contractual specifications.\n\ + Therefore, in order to run smoothly the operations, it is important to:\n\ + > carefully study the offers\u2019 conditions, the option of adapting\ + \ them to the specific needs and the limits of the service provider\u2019\ + s responsibility;\n> impose a list of specific requirements on the service\ + \ provider: contract reversibility, the carrying out of audits, backup\ + \ and data recovery in a\n> standardised open format, security maintenance\ + \ over time, etc.\nTo formalise these commitments, the service provider\ + \ will provide the customer with a security insurance plan detailed in\ + \ the bid. This is a contractual\ndocument describing all of the specific\ + \ measures that the applicants commit to implementing in order to guarantee\ + \ the security requirements specified\nby the organization are met.\n\ + The use of digital solutions or tools (hosted in the Cloud for example)\ + \ is not considered here as it comes under the area of managed services\ + \ and, moreover, is not advisable when processing sensitive data." 
- urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:ii assessable: false depth: 1 ref_id: II name: "Conna\xEEtre le syst\xE8me d'information" + translations: + en: + name: Know the Information System + description: null - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:4 assessable: true depth: 2 @@ -146,6 +283,27 @@ objects: \ avec l\u2019ext\xE9rieur (Internet, r\xE9seaux priv\xE9s, etc.) et les partenaires.\ \ Ce sch\xE9ma doit \xE9galement permettre de localiser les serveurs d\xE9\ tenteurs d\u2019informations sensibles de l\u2019entit\xE9." + implementation_groups: + - S + translations: + en: + name: Identify the most sensitive information and servers and maintain a + network diagram + description: "Each organization has sensitive data. This data can be on\ + \ its own activity (intellectual property, expertise, etc.) or its customers,\ + \ individuals or users\n(personal data, contracts, etc.). In order to\ + \ effectively protect your data, identifying it is essential.\nFrom this\ + \ list of sensitive data, it will be possible to determine in which areas\ + \ of the information system it is located (databases, file sharing, workstations,\n\ + etc.). These components correspond to the servers and critical devices\ + \ of the organization. To this end, they must be subject to specific security\ + \ measures that may concern backup, logging, access, etc.\nTherefore,\ + \ this involves creating and maintaining a simplified network diagram\ + \ (or mapping) representing the different IP areas and the associated\n\ + addressing plan, the routing and security devices (firewall, application\ + \ relays, etc.) and the networks with the outside (Internet, private networks,\ + \ etc.) and\npartners. This diagram must also be able to locate the servers\ + \ holding the entity\u2019s sensitive information." - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:5 assessable: true depth: 2 
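Review bot: The English description of node 3 has a typo, `needs ans suitable security measures` for `needs and suitable`, and a bullet marker dropped into the middle of a sentence: `backup and data recovery in a\n> standardised open format` should be a single bullet reading `in a standardised open format`. The `\n` before `incomplete`, `document` and `by the organization` in the same value look like page-width breaks carried over from the PDF rather than paragraph breaks, so they will render as hard line breaks. This node's French lines start before the hunk.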
@@ -175,6 +333,37 @@ objects: \ souhaitable de d\xE9finir et d\u2019utiliser une nomenclature simple et\ \ claire pour identifier les comptes de services et les comptes d\u2019administration.\ \ \nCela facilitera notamment leur revue et la d\xE9tection d\u2019intrusion." + implementation_groups: + - S + translations: + en: + name: Have an exhaustive inventory of privileged accounts and keep it updated + description: 'Accounts benefiting from specific permissions are preferred + targets for the attackers who want to obtain as wide an access as possible + to the information system. They must therefore be subject to very specific + attention. This + + involves carrying out an inventory of these accounts, updating it regularly + and entering the following informations into it: + + > users with an administrator account or higher rights than those of a + standard user in the information system; + + > users with rights enough to access the work folders of top managers + or all users; + + > users using an unmanaged workstation which is not subject to the security + measures detailed in the general security policy of the organization. + + Carrying out a periodical review of these accounts is strongly recommended + in order to ensure that the accesses to sensitive items (notably the work + folders and electronic mailboxes of top managers) are controlled. These + reviews will also be the opportunity to remove access rights that have + become obsolete following the departure of a user, for example. + + Lastly, defining and using a simple, clear nomenclature to identify system + accounts and administration accounts is desirable. This will make review + and intrusion detection easier.' - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:6 assessable: true depth: 2 
@@ -198,8 +387,53 @@ objects: > l\u2019affectation des \xE9quipements mobiles (ordinateur portable, cl\xE9\ \ USB, disque dur, ordiphone, etc.) ;\n> la gestion des documents et informations\ \ sensibles (transfert de mots de passe, changement des mots de passe ou des\ - \ codes sur les syst\xE8mes existants).\nRenforc\xE9 - Les proc\xE9dures doivent\ - \ \xEAtre formalis\xE9es et mises \xE0 jour en fonction du contexte." + \ codes sur les syst\xE8mes existants)." + implementation_groups: + - S + translations: + en: + name: Organise the procedures relating to users joining, departing and changing + positions + description: 'The staff of an organization, whether public or private, is + constantly changing: arrivals, departures, internal mobility. Therefore + it is necessary to update + + the rights and accesses to the information system in accordance with these + developments. It is essential that all of the rights granted to an individual + are revoked when he or she leaves or changes position. The arrival and + departure procedures must therefore be defined, in accordance with the + human resources department. They must, as a minimum, take into account: + + > the creation and deletion of IT accounts and their corresponding mailboxes; + + > the rights and accesses to grant to, or remove from, an individual whose + role changes; + + > the management of physical accesses to premises (granting and return + of badges and keys, etc.); + + > the allocation of mobile devices (laptops, USB sticks, hard drives, + smartphone, etc.); + + > the management of sensitive documents and information (transferring + passwords, changing passwords or codes in existing systems).' 
+ - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:6.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:ii + ref_id: 6.R + name: " Organiser les proc\xE9dures d\u2019arriv\xE9e, de d\xE9part et de changement\ + \ de fonction des utilisateurs (renforc\xE9)" + description: "Les proc\xE9dures doivent \xEAtre formalis\xE9es et mises \xE0\ + \ jour en fonction du contexte." + implementation_groups: + - R + translations: + en: + name: Organise the procedures relating to users joining, departing and changing + positions (strengthened) + description: The procedures must be formalised and updated according to + the context. - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:7 assessable: true depth: 2 
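Review bot: The name of the new node 6.R starts with a leading space inside the quotes, `name: " Organiser les proc\xE9dures d\u2019arriv\xE9e, de d\xE9part et de changement\`, which will be kept in the displayed title; drop it so the line reads `name: "Organiser les proc\xE9dures d\u2019arriv\xE9e, de d\xE9part et de changement\`. A later hunk in this same patch removes the equivalent `\_` non-breaking space from the name of node 10, so this one was presumably missed. The English name just below is correct.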
@@ -224,15 +458,55 @@ objects: \ des utilisateurs doit donc s\u2019accompagner de solutions pragmatiques\ \ r\xE9pondant \xE0 leurs besoins. Citons par exemple la mise \xE0 disposition\ \ d\u2019un r\xE9seau Wi-Fi avec SSID d\xE9di\xE9 pour les terminaux personnels\ - \ ou visiteurs.\nRenforc\xE9 - Ces am\xE9nagements peuvent \xEAtre compl\xE9\ - t\xE9s par des mesures techniques telles que l\u2019authentification des postes\ - \ sur le r\xE9seau (par exemple \xE0 l\u2019aide du standard 802.1X ou d\u2019\ - un \xE9quivalent)." + \ ou visiteurs." + implementation_groups: + - S + translations: + en: + name: Only allow controlled devices to connect to the network of the organization + description: "To guarantee the security of the information system, the organization\ + \ must control the devices which connect to it, each one being a potentially\ + \ vulnerable entry point. Personal devices (laptops, tablets, smartphones,\ + \ etc.) are, by definition, difficult to control since it is the users\ + \ who decide on their level of security. In the same way, the security\ + \ of visitors\u2019 devices is completely out of the organization\u2019\ + s control.\nOnly the connection with terminals managed by the entity must\ + \ be authorised over its different access networks, whether wired or wireless.\ + \ This recommendation, above all of an organisational nature, is often\ + \ perceived as unacceptable and even retrograde. However, unless this\ + \ is adhered to, the task of a hacker is made very much easier by making\ + \ an organization\u2019s network vulnerable.\nRaising users\u2019 awareness\ + \ must therefore be accompanied by pragmatic solutions responding to their\ + \ needs. 
For example, the provision of a Wi-Fi network with dedicated\ + \ SSID for personal and visitor devices" + - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:7.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:ii + ref_id: 7.R + name: "Autoriser la connexion au r\xE9seau de l\u2019entit\xE9 aux seuls \xE9\ + quipements ma\xEEtris\xE9s (renforc\xE9)" + description: "Ces am\xE9nagements peuvent \xEAtre compl\xE9t\xE9s par des mesures\ + \ techniques telles que l\u2019authentification des postes sur le r\xE9seau\ + \ (par exemple \xE0 l\u2019aide du standard 802.1X ou d\u2019un \xE9quivalent)." + implementation_groups: + - R + translations: + en: + name: Only allow controlled devices to connect to the network of the organization + (strengthened) + description: These developments can be supplemented by technical measures + such as the authentication of devices on the network (for example thanks + to 802.1X standard or an equivalent). - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:iii assessable: false depth: 1 ref_id: III name: "Authentifier et contr\xF4ler les acc\xE8s" + translations: + en: + name: Authenticate and control accesses + description: null - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:8 assessable: true depth: 2 
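Review bot: The English description of node 7 stops without the final full stop that the French source has (`ou visiteurs."`): the last line `\ SSID for personal and visitor devices"` should end `devices."`. This is the only node in the hunk whose translated description is unterminated; 7.R and the section header iii below it are fine.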
@@ -258,9 +532,50 @@ objects: \ \xEAtre d\xE9di\xE9 exclusivement aux actions d\u2019administration. De\ \ plus, il doit \xEAtre utilis\xE9 sur des environnements d\xE9di\xE9s \xE0\ \ l\u2019administration afin de ne pas laisser de traces de connexion ni de\ - \ condensat de mot de passe sur un environnement plus expos\xE9.\nRenforc\xE9\ - \ - D\xE8s que possible la journalisation li\xE9e aux comptes (ex : relev\xE9\ - \ des connexions r\xE9ussies/\xE9chou\xE9es) doit \xEAtre activ\xE9e." + \ condensat de mot de passe sur un environnement plus expos\xE9." + implementation_groups: + - S + translations: + en: + name: Identify each individual accessing the system by name and distinguish + the user/administrator roles + description: 'In the event of an incident, in order to facilitate the attribution + of an action within the information system or the identification of possible + compromised accounts easier, access accounts must be nominative. + + The use of generic accounts (e.g : admin, user) must be marginal and they + must be able to be associated with a limited number of individuals. + + Of course, this rule does not stop you from retaining service accounts + attributed to an IT process (e.g : apache, mysqld). + + In any event, generic and service accounts must be managed according to + a policy that is at least as stringent as the one for nominative accounts. + Moreover, a nominative administration account, different from the user + account, must be attributed to each administrator. The usernames and authentication + secrets must be different (e.g : pmartin as a username, adm-pmartin as + an admin username). This admin account, having more privileges, must be + exclusively dedicated to administration actions. Furthermore, it must + be used in environments dedicated to administration in order that no connection + traces or password hashes are left in a more exposed environment.' 
+ - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:8.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:iii + ref_id: 8.R + name: "Identifier nomm\xE9ment chaque personne acc\xE9dant au syst\xE8me et\ + \ distinguer les r\xF4les utilisateur/administrateur (renforc\xE9)" + description: "D\xE8s que possible la journalisation li\xE9e aux comptes (ex\ + \ : relev\xE9 des connexions r\xE9ussies/\xE9chou\xE9es) doit \xEAtre activ\xE9\ + e." + implementation_groups: + - R + translations: + en: + name: Identify each individual accessing the system by name and distinguish + the user/administrator roles (strengthened) + description: 'As soon as possible, the logging linked to accounts (e.g.: + list of successful/failed connections) must be activated.' - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:9 assessable: true depth: 2 
@@ -286,12 +601,32 @@ objects: \ etc. Une revue r\xE9guli\xE8re des droits d\u2019acc\xE8s doit par ailleurs\ \ \xEAtre r\xE9alis\xE9e afin d\u2019identifier les acc\xE8s non autoris\xE9\ s." + implementation_groups: + - S + translations: + en: + name: "Allocate the appropriate rights to the information system\u2019s\ + \ sensitive resources" + description: "Some of the system\u2019s resources can be a source of invaluable\ + \ information from the hacher\u2019s point of view (folders containing\ + \ sensitive data, databases, mailboxes, etc.). It is therefore essential\ + \ to establish an accurate list of these resources and for each of them:\n\ + > define which group can have access to them;\n> strictly control access,\ + \ by ensuring that users are authenticated and are part of the target\ + \ group;\n> avoid their circulation and duplication to uncontrolled areas\ + \ or areas subject to a less strict access control.\nFor example, the\ + \ folders of administrators bringing together various pieces of sensitive\ + \ information must be subject to specific access control. The same goes\ + \ for sensitive information present on network shares: exports of configuration\ + \ files, information system technical documentation, business databases,\ + \ etc.\nA regular review of the access rights must, moreover, be carried\ + \ out, in order to identify any unauthorised access" - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:10 assessable: true depth: 2 parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:iii ref_id: '10' - name: "\_ D\xE9finir et v\xE9rifier des r\xE8gles de choix et de dimensionnement\ + name: "D\xE9finir et v\xE9rifier des r\xE8gles de choix et de dimensionnement\ \ des mots de passe" description: "L\u2019ANSSI \xE9nonce un ensemble de r\xE8gles et de bonnes pratiques\ \ en mati\xE8re de choix et de dimensionnement des mots de passe. Parmi les\ 
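Review bot: The English description of node 9 contains the typo `hacher\u2019s point of view` for `hacker\u2019s`, and its last line `\ out, in order to identify any unauthorised access"` lacks the final full stop present in the French `s."`. Both are in the new translation block; the French description and the node 10 name cleanup in the same hunk look correct.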
@@ -308,6 +643,28 @@ objects: \ de telles proc\xE9dures, un effort de communication visant \xE0 expliquer\ \ le sens de ces r\xE8gles et \xE9veiller les consciences sur leur importance\ \ est fondamental." + implementation_groups: + - S + translations: + en: + name: Set and verify rules for the choice and size of passwords + description: 'ANSSI sets out a collection of rules and best practices in + terms of the choice and size of passwords. The most critical one is to + make users aware of the risks involved in choosing a password that is + too easy to guess, and even the risks of reusing the same password from + one application to another, especially for personal and professional mailboxes. + + To supervise and confirm that these choice and size rules are being applied, + the organization may use different measures, including: + + > blocking accounts following several failed logins; + + > deactivating anonymous login options; + + > using a password robustness checking tool. + + In advance of such procedures, communication aiming to explain the reason + for these rules and raise awareness of their importance is fundamental.' - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:11 assessable: true depth: 2 
@@ -329,6 +686,25 @@ objects: \ num\xE9rique doit respecter les r\xE8gles \xE9nonc\xE9es pr\xE9c\xE9demment\ \ et \xEAtre m\xE9moris\xE9 par l\u2019utilisateur, qui n\u2019a plus que\ \ celui-ci \xE0 retenir." + implementation_groups: + - S + translations: + en: + name: Protect passwords stored on systems + description: 'The complexity, the diversity and even the infrequent use + of some passwords may encourage their storage on a physical (memo or post-it) + or digital (password files, sending an email to yourself, recourse to + "Remember password" buttons) medium in the event a password is lost or + forgotten. + + Yet passwords are a preferred target for hackers wanting to access the + system, whether it is following a theft or the possible sharing of a storage + medium. This is why they must be protected by secure solutions, the best + of which are using a digital safe and using encryption mechanisms. + + Of course, the password chosen for this digital safe must respect the + rules set out previously and be memorised by the user, who only has to + remember this password.' - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:12 assessable: true depth: 2 
@@ -351,10 +727,48 @@ objects: \ par d\xE9faut se r\xE9v\xE8le impossible pour cause, par exemple, de mot\ \ de passe ou certificat \xAB en dur \xBB dans un \xE9quipement, ce probl\xE8\ me critique doit \xEAtre signal\xE9 au distributeur du produit afin que cette\ - \ vuln\xE9rabilit\xE9 soit corrig\xE9e au plus vite.\nRenforc\xE9 - Afin de\ - \ limiter les cons\xE9quences d\u2019une compromission, il est par ailleurs\ - \ essentiel, apr\xE8s changement des \xE9l\xE9ments d\u2019authentification\ - \ par d\xE9faut, de proc\xE9der \xE0 leur renouvellement r\xE9gulier." + \ vuln\xE9rabilit\xE9 soit corrig\xE9e au plus vite." + implementation_groups: + - S + translations: + en: + name: Change the default authentication settings on devices and services + description: 'It is essential to consider that the default settings of the + information systems are known by the hackers, even if these are not known + to the general public. These settings are (too) often trivial (password + the same as the username, not long enough or common to all the devices + and services for example) and are often easy to obtain by hackers capable + of pretending to be a legitimate user. + + The default authentication settings of the components of the system must + therefore be changed when they are set up and, in terms of passwords, + be in accordance with the previous recommendations in terms of choice, + size and storage. + + If changing a default password is impossible due, for example, to a password + or certificate being "hardcoded" onto a device, this critical problem + must be raised with the product supplier so that it can correct this vulnerability + as fast as possible.' 
+ - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:12.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:iii + ref_id: 12.R + name: "Changer les \xE9l\xE9ments d\u2019authentification par d\xE9faut sur\ + \ les \xE9quipements et services (renforc\xE9)" + description: "Afin de limiter les cons\xE9quences d\u2019une compromission,\ + \ il est par ailleurs essentiel, apr\xE8s changement des \xE9l\xE9ments d\u2019\ + authentification par d\xE9faut, de proc\xE9der \xE0 leur renouvellement r\xE9\ + gulier." + implementation_groups: + - R + translations: + en: + name: Change the default authentication settings on devices and services + (strengthened) + description: In order to limit the consequences of a compromise, it is, + moreover, essential, after changing the default authentication settings, + to renew them regularly. - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:13 assessable: true depth: 2 
@@ -367,21 +781,60 @@ objects: \ passe, trac\xE9 de d\xE9verrouillage, signature) ;\n> quelque chose que\ \ je poss\xE8de (carte \xE0 puce, jeton USB, carte magn\xE9tique, RFID, un\ \ t\xE9l\xE9phone pour recevoir un code SMS) ;\n> quelque chose que je suis\ - \ (une empreinte biom\xE9trique).\nRenforc\xE9 - Les cartes \xE0 puces doivent\ - \ \xEAtre privil\xE9gi\xE9es ou, \xE0 d\xE9faut, les m\xE9canismes de mots\ - \ de passe \xE0 usage unique (ou One Time Password) avec jeton physique. Les\ - \ op\xE9rations cryptographiques mises en place dans ces deux facteurs offrent\ - \ g\xE9n\xE9ralement de bonnes garanties de s\xE9curit\xE9.\nLes cartes \xE0\ - \ puce peuvent \xEAtre plus complexes \xE0 mettre en place car n\xE9cessitant\ - \ une infrastructure de gestion des cl\xE9s adapt\xE9e. Elles pr\xE9sentent\ - \ cependant l\u2019avantage d\u2019\xEAtre r\xE9utilisables \xE0 plusieurs\ - \ fins : chiffrement, authentification de messagerie, authentification sur\ - \ le poste de travail, etc." + \ (une empreinte biom\xE9trique)." + implementation_groups: + - S + translations: + en: + name: Prefer a two-factor authentication when possible + description: 'The implementation of a two-factor authentication is strongly + recommended, requiring the use of two different authentication factors + from among the following: + + > something I know (password, unlock pattern, signature); + + > something I have (smart card, USB token, magnetic card, RFID, a phone + to receive an SMS); + + > something I am (a digital fingerprint).' 
+ - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:13.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:iii + ref_id: 13.R + name: "Privil\xE9gier lorsque c\u2019est possible une authentification forte\ + \ (renforc\xE9)" + description: "Les cartes \xE0 puces doivent \xEAtre privil\xE9gi\xE9es ou, \xE0\ + \ d\xE9faut, les m\xE9canismes de mots de passe \xE0 usage unique (ou One\ + \ Time Password) avec jeton physique. Les op\xE9rations cryptographiques mises\ + \ en place dans ces deux facteurs offrent g\xE9n\xE9ralement de bonnes garanties\ + \ de s\xE9curit\xE9.\nLes cartes \xE0 puce peuvent \xEAtre plus complexes\ + \ \xE0 mettre en place car n\xE9cessitant une infrastructure de gestion des\ + \ cl\xE9s adapt\xE9e. Elles pr\xE9sentent cependant l\u2019avantage d\u2019\ + \xEAtre r\xE9utilisables \xE0 plusieurs fins : chiffrement, authentification\ + \ de messagerie, authentification sur le poste de travail, etc." + implementation_groups: + - R + translations: + en: + name: Prefer a two-factor authentication when possible (strengthened) + description: 'Smart cards must be encouraged or, by default, one-time passwords + with a physical token. Encryption operations implemented with two-factor + authentication generally offer good security results. + + Smart cards can be more complex to implement as they require an adapted + key management structure. However, they have the advantage of being re-usable + for various purposes: encryption, message authentication, authentication + on the workstation, etc.' - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:iv assessable: false depth: 1 ref_id: IV name: "S\xE9curiser les postes" + translations: + en: + name: Secure the devices + description: null - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:14 assessable: true depth: 2 
@@ -404,14 +857,53 @@ objects: \ d\xE9rogation n\xE9cessaire aux r\xE8gles de s\xE9curit\xE9 globales applicables\ \ aux postes, ceux-ci doivent \xEAtre isol\xE9s du syst\xE8me (s\u2019il est\ \ impossible de mettre \xE0 jour certaines applications pour des raisons de\ - \ compatibilit\xE9 par exemple).\nRenforc\xE9 - Les donn\xE9es vitales au\ - \ bon fonctionnement de l\u2019entit\xE9 que d\xE9tiennent les postes utilisateurs\ - \ et les serveurs doivent faire l\u2019objet de sauvegardes r\xE9guli\xE8\ - res et stock\xE9es sur des \xE9quipements d\xE9connect\xE9s, et leur restauration\ - \ doit \xEAtre v\xE9rifi\xE9e de mani\xE8re p\xE9riodique. En effet, de plus\ - \ en plus de petites structures font l\u2019objet d\u2019attaques rendant\ - \ ces donn\xE9es indisponibles (par exemple pour exiger en contrepartie de\ - \ leur restitution le versement d\u2019une somme cons\xE9quente (ran\xE7ongiciel))." + \ compatibilit\xE9 par exemple)." + implementation_groups: + - S + translations: + en: + name: Implement a minimum level of security across the whole IT stock + description: "Depending on his level of IT security practices, the user,\ + \ a great deal of the time, is the first port of call for hackers trying\ + \ to enter the system. It is therefore fundamental to implement a minimum\ + \ level of security across the entire IT stock of the organization (user\ + \ devices, servers, printers, phones, USB peripherals, etc.) 
by implementing\ + \ the following measures:\n> limit the applications installed and optional\ + \ modules in web browsers to just what is required;\n> equip users\u2019\ + \ devices with an anti-virus and activate a local firewall (these are\ + \ often included in the operating system);\n> encrypt the partitions where\ + \ user data is stored;\n> deactivate automatic executions (autorun).\n\ + In the event of a necessary exception from the general security rules\ + \ applicable to devices, these devices must be isolated from the system\ + \ (if it is impossible to update certain applications for interoperability\ + \ reasons for example)." + - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:14.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:iv + ref_id: 14.R + name: "Mettre en place un niveau de s\xE9curit\xE9 minimal sur l\u2019ensemble\ + \ du parc informatique (renforc\xE9)" + description: "Les donn\xE9es vitales au bon fonctionnement de l\u2019entit\xE9\ + \ que d\xE9tiennent les postes utilisateurs et les serveurs doivent faire\ + \ l\u2019objet de sauvegardes r\xE9guli\xE8res et stock\xE9es sur des \xE9\ + quipements d\xE9connect\xE9s, et leur restauration doit \xEAtre v\xE9rifi\xE9\ + e de mani\xE8re p\xE9riodique. En effet, de plus en plus de petites structures\ + \ font l\u2019objet d\u2019attaques rendant ces donn\xE9es indisponibles (par\ + \ exemple pour exiger en contrepartie de leur restitution le versement d\u2019\ + une somme cons\xE9quente (ran\xE7ongiciel))." + implementation_groups: + - R + translations: + en: + name: Implement a minimum level of security across the whole IT stock (strengthened) + description: "Data vital to the proper business of the organization that\ + \ is held on users\u2019 devices and servers must be subject to regular\ + \ backups and stored on disconnected devices, and its restoration must\ + \ be tested periodically. 
An increasing number of small organisations\ + \ are subject to attacks which make their data unavailable (for example\ + \ demanding, in exchange for returning the data, the payment of a significant\ + \ amount of money (ransomware))." - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:15 assessable: true depth: 2 
@@ -432,14 +924,50 @@ objects: \ par exemple) et de limiter au maximum celui de cl\xE9s non ma\xEEtris\xE9\ es (dont on connait la provenance mais pas l\u2019int\xE9grit\xE9) sur le\ \ syst\xE8me d\u2019information \xE0 moins, dans ce dernier cas, de faire\ - \ inspecter leur contenu par l\u2019antivirus du poste de travail.\nRenforc\xE9\ - \ - Sur les postes utilisateur, il est recommand\xE9 d\u2019utiliser des solutions\ - \ permettant d\u2019interdire l\u2019ex\xE9cution de programmes sur les p\xE9\ - riph\xE9riques amovibles (par exemple Applocker sous Windows ou des options\ - \ de montage noexec sous Unix). \nLors de la fin de vie des supports amovibles,\ - \ il sera n\xE9cessaire d\u2019impl\xE9menter et de respecter une proc\xE9\ - dure de mise au rebut stricte pouvant aller jusqu\u2019\xE0 leur destruction\ - \ s\xE9curis\xE9e afin de limiter la fuite d\u2019informations sensibles." + \ inspecter leur contenu par l\u2019antivirus du poste de travail." + implementation_groups: + - S + translations: + en: + name: Protect against threats relating to the use of removable media + description: "Removable media can be used to spread viruses, steal sensitive\ + \ and strategic information or even compromise the organization\u2019\ + s network. 
Such attacks can have disastrous consequences for the activity\ + \ of the organisation targeted.\nAlthough it is not a matter of completely\ + \ prohibiting the use of removable media within the organization, it is\ + \ nevertheless necessary to deal with these risks by identifying adequate\ + \ measures and by raising users\u2019 awareness to the risks that these\ + \ media can carry.\nIt is advisable to prohibit the connection of unknown\ + \ USB sticks (collected in a public area for example) and to reduce, as\ + \ much as possible, the use of uncontrolled sticks (the origin of which\ + \ is known but not the integrity) on the information system, or at least\ + \ have their content examined by the workstation\u2019s anti-virus." + - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:15.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:iv + ref_id: 15.R + name: "Se prot\xE9ger des menaces relatives \xE0 l\u2019utilisation de supports\ + \ amovibles (renforc\xE9)" + description: "Sur les postes utilisateur, il est recommand\xE9 d\u2019utiliser\ + \ des solutions permettant d\u2019interdire l\u2019ex\xE9cution de programmes\ + \ sur les p\xE9riph\xE9riques amovibles (par exemple Applocker sous Windows\ + \ ou des options de montage noexec sous Unix). \nLors de la fin de vie des\ + \ supports amovibles, il sera n\xE9cessaire d\u2019impl\xE9menter et de respecter\ + \ une proc\xE9dure de mise au rebut stricte pouvant aller jusqu\u2019\xE0\ + \ leur destruction s\xE9curis\xE9e afin de limiter la fuite d\u2019informations\ + \ sensibles." 
+ implementation_groups: + - R + translations: + en: + name: Protect against threats relating to the use of removable media (strengthened) + description: "On user devices, using solutions able to block the execution\ + \ of programs on removable media (for example Applocker on Windows or\ + \ noexec assembly options on Unix) is recommended.\nAt the end of the\ + \ removable media\u2019s life span, it will be necessary to implement\ + \ and respect a strict disposal procedure which may extend to their secure\ + \ destruction, in order to limit the leaking of sensitive information." - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:16 assessable: true depth: 2 
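Review bot: The 15.R English description translates `options de montage noexec sous Unix` as `noexec assembly options on Unix`; "montage" here is "mount", and `noexec` is a filesystem mount option, so the English currently names a mechanism that does not exist. Replace `noexec assembly options on Unix` with `noexec mount options on Unix`. The rest of the sentence (Applocker on Windows, blocking program execution from removable media) matches the French text of the same node.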
@@ -465,6 +993,26 @@ objects: me d\u2019exploitation ou d\u2019applications pourront facilement s\u2019\ appliquer depuis un point central tout en favorisant la r\xE9activit\xE9 attendue\ \ en cas de besoin de reconfiguration." + implementation_groups: + - S + translations: + en: + name: Use a centralised management tool to standardise security policies + description: "The information system\u2019s security relies on the security\ + \ of the weakest link. It is therefore necessary to standardise the management\ + \ of security policies applying across the entire IT stock of the organization.\n\ + Applying these policies (managing passwords, restricting logins on certain\ + \ sensitive devices, configuring web browsers, etc.) must be simple and\ + \ quick for administrators, with a view to facilitate the implementation\ + \ of counter measures in the event of an IT crisis.\nTo do this, the organization\ + \ may deploy a centralised management tool (for example Active Directory\ + \ in the Microsoft environment) into which it is possible to include as\ + \ many IT devices as possible. Workstations and servers are concerned\ + \ by this measure, which may require upstream harmonization work in matter\ + \ of hardware and operating systems selection.\nTherefore, hardening policies\ + \ for the operating system or applications may easily be applied from\ + \ a central point while favouring the expected responsiveness in the event\ + \ reconfiguration is required." - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:17 assessable: true depth: 2 
@@ -481,21 +1029,59 @@ objects: gr\xE9s (pare-feu local Windows) ou sp\xE9cialis\xE9s.\nLes flux de poste\ \ \xE0 poste sont en effet tr\xE8s rares dans un r\xE9seau bureautique classique\ \ : les fichiers sont stock\xE9s dans des serveurs de fichiers, les applications\ - \ accessibles sur des serveurs m\xE9tier, etc.\nRenforc\xE9 - Le filtrage\ - \ le plus simple consiste \xE0 bloquer l\u2019acc\xE8s aux ports d\u2019administration\ - \ par d\xE9faut des postes de travail (ports TCP 135, 445 et 3389 sous Windows,\ - \ port TCP 22 sous Unix), except\xE9 depuis les ressources explicitement identifi\xE9\ - es (postes d\u2019administration et d\u2019assistance utilisateur, \xE9ventuels\ - \ serveurs de gestion requ\xE9rant l\u2019acc\xE8s \xE0 des partages r\xE9\ - seau sur les postes, etc.).\nUne analyse des flux entrants utiles (administration,\ - \ logiciels d\u2019infrastructure, applications particuli\xE8res, etc.) doit\ - \ \xEAtre men\xE9e pour d\xE9finir la liste des autorisations \xE0 configurer.\ - \ Il est pr\xE9f\xE9rable de bloquer l\u2019ensemble des flux par d\xE9faut\ - \ et de n\u2019autoriser que les services n\xE9cessaires depuis les \xE9quipements\ - \ correspondants (\xAB liste blanche \xBB).\nLe pare-feu doit \xE9galement\ - \ \xEAtre configur\xE9 pour journaliser les flux bloqu\xE9s, et ainsi identifier\ - \ les erreurs de configuration d\u2019applications ou les tentatives d\u2019\ - intrusion." + \ accessibles sur des serveurs m\xE9tier, etc." 
+ implementation_groups: + - S + translations: + en: + name: Activate and configure the firewall on workstations + description: "After having succeeded in taking control of a workstation\ + \ (due, for example, to a vulnerability of the web browser), a hacker\ + \ will often seek to spread his intrusion to other workstations and, ultimately,\ + \ access users\u2019 documents.\nIn order to make this sideways movement\ + \ from the hacker more difficult, it is necessary to activate the local\ + \ firewall of workstations thanks to built-in (local Windows firewall)\ + \ or specialised software.\nFlows from device to device are very rare\ + \ in a traditional office network: files are stored on file servers, applications\ + \ are accessible on business servers, etc." + - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:17.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:iv + ref_id: 17.R + name: "Activer et configurer le pare-feu local des postes de travail (renforc\xE9\ + )" + description: "Le filtrage le plus simple consiste \xE0 bloquer l\u2019acc\xE8\ + s aux ports d\u2019administration par d\xE9faut des postes de travail (ports\ + \ TCP 135, 445 et 3389 sous Windows, port TCP 22 sous Unix), except\xE9 depuis\ + \ les ressources explicitement identifi\xE9es (postes d\u2019administration\ + \ et d\u2019assistance utilisateur, \xE9ventuels serveurs de gestion requ\xE9\ + rant l\u2019acc\xE8s \xE0 des partages r\xE9seau sur les postes, etc.).\n\ + Une analyse des flux entrants utiles (administration, logiciels d\u2019infrastructure,\ + \ applications particuli\xE8res, etc.) doit \xEAtre men\xE9e pour d\xE9finir\ + \ la liste des autorisations \xE0 configurer. 
Il est pr\xE9f\xE9rable de bloquer\ + \ l\u2019ensemble des flux par d\xE9faut et de n\u2019autoriser que les services\ + \ n\xE9cessaires depuis les \xE9quipements correspondants (\xAB liste blanche\ + \ \xBB).\nLe pare-feu doit \xE9galement \xEAtre configur\xE9 pour journaliser\ + \ les flux bloqu\xE9s, et ainsi identifier les erreurs de configuration d\u2019\ + applications ou les tentatives d\u2019intrusion." + implementation_groups: + - R + translations: + en: + name: Activate and configure the firewall on workstations (strengthened) + description: "The most simple filter consists of blocking access by default\ + \ to administration ports from workstations (TCP 135, 445 and 3389 ports\ + \ in Windows, TCP 22 port in Unix), except from explicitly identified\ + \ resources (administration and user assistance devices, possible management\ + \ servers requiring access to network shares on devices, etc.).\nAn analysis\ + \ of useful incoming flows (administration, infrastructure software, particular\ + \ applications, etc.) must be carried out to define the list of authorisations\ + \ to configure. It is preferable to block all of the flows by default\ + \ and only authorise the necessary services from the corresponding devices\ + \ (\xABwhite list\xBB).\nThe firewall must also be configured to log the\ + \ blocked flows and therefore identify the application configuration errors\ + \ or intrusion attempts." - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:18 assessable: true depth: 2 
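Review bot: The 17.R English description reverses the direction of the filter: `blocking access by default to administration ports from workstations` reads as outbound filtering from the workstations, whereas the French in the same node, `bloquer l\u2019acc\xE8s aux ports d\u2019administration par d\xE9faut des postes de travail ... except\xE9 depuis les ressources explicitement identifi\xE9es`, means blocking inbound access to the workstations' own default administration ports (TCP 135, 445 and 3389 on Windows, TCP 22 on Unix) except from listed sources. Suggest `The simplest filter consists of blocking access to the workstations' default administration ports (TCP 135, 445 and 3389 on Windows, TCP 22 on Unix), except from explicitly identified resources`. As written, an assessor working from the English would verify the wrong rule set.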
@@ -516,11 +1102,36 @@ objects: \ de transmission des donn\xE9es. Ainsi, si les donn\xE9es chiffr\xE9es sont\ \ transmises par courriel, une remise en main propre du mot de passe ou, \xE0\ \ d\xE9faut, par t\xE9l\xE9phone doit \xEAtre privil\xE9gi\xE9e." + implementation_groups: + - S + translations: + en: + name: Encrypt sensitive data sent through the Internet + description: 'The Internet is a network from which it is almost impossible + to obtain guarantees as to the way that data will take when you send it + through this me- + + dium. It is, therefore, entirely possible that a hacker will be on the + pathway of data travelling between two correspondents. + + All the data sent by email or uploaded to online hosting tools (Cloud) + is therefore vulnerable. Therefore, its systematic encryption must be + undertaken before sending it to a correspondent or uploading it. + + Passing on confidential information (password, key, etc.) that is therefore + able to decrypt data, if required, must be carried out by a trusted channel + or, failing that, a different channel from the data transmission channel. + Therefore, although the encrypted data is sent by mail, handing over the + password by hand or, failing that, over the phone must be favoured.' - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:v assessable: false depth: 1 ref_id: V name: "S\xE9curiser le r\xE9seau" + translations: + en: + name: Secure the network + description: null - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:19 assessable: true depth: 2 
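Review bot: Node 18's English description carries a PDF hyphenation artefact: `through this me-`, then an empty line, then `dium. It is, therefore,` — inside a single-quoted scalar the empty line becomes a newline, so the stored text reads "me-", a line break, then "dium". Join the fragments and drop the empty line so the sentence reads `... the way that data will take when you send it through this medium. It is, therefore, entirely possible ...`. The same extraction pattern (a word ending in `-` followed by a blank line) is worth searching for across the other English descriptions this commit adds.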
@@ -549,6 +1160,28 @@ objects: \ serait pas ais\xE9, il est recommand\xE9 d\u2019int\xE9grer cette d\xE9\ marche dans toute nouvelle extension du r\xE9seau ou \xE0 l\u2019occasion\ \ d\u2019un renouvellement d\u2019\xE9quipements." + implementation_groups: + - S + translations: + en: + name: Segment the network and implement a partitioning between these areas + description: "When the network is \"flat\", without any partitioning mechanism,\ + \ each device in the network can access any other device. If one is compromised\ + \ all of the connected devices are therefore in jeopardy. A hacker can\ + \ therefore compromise a user\u2019s device and then, moving around from\ + \ device to device, find a way to critical servers.\nTherefore it is important,\ + \ from the network architecture\u2019s design, to work through segmentation\ + \ into areas made up of systems with uniform security needs. You may,\ + \ for example, separately group infrastructure servers, business servers,\ + \ user workstations, administrator workstations, IP phones, etc.\nOne\ + \ area is therefore characterised by dedicated VLANs and IP subnetworks\ + \ or even by infrastructures dedicated according to their criticality.\ + \ Therefore, partitioning measures such as an IP filter with the help\ + \ of a firewall can be implemented between the different areas. Specifically,\ + \ you will ensure that the devices and flows associated with administration\ + \ tasks are segregated as far as possible.\nFor networks for which subsequent\ + \ partitioning would not be easy, integrating this approach in any new\ + \ network extension or when devices are changed is recommended." - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:20 assessable: true depth: 2 
@@ -579,6 +1212,32 @@ objects: \ personnels ou visiteurs (ordinateurs portables, ordiphones) doit \xEAtre\ \ s\xE9par\xE9e des connexions Wi-Fi des terminaux de l\u2019entit\xE9 (ex\ \ : SSID et VLAN distincts, acc\xE8s Internet d\xE9di\xE9)." + implementation_groups: + - S + translations: + en: + name: Ensure the security of Wi-Fi access networks and that uses are separated + description: "The use of Wi-Fi in a professional environment is now widespread,\ + \ yet it still presents very specific security risks: poor guarantees\ + \ in terms of availability, no control over the coverage area which can\ + \ lead to an attack out of the geographical scope of the organization,\ + \ default configuration of access points that are not secure by design,\ + \ etc.\nThe network architecture segmentation must be able to limit the\ + \ consequences of intrusion by radio access up to a given perimeter of\ + \ the information system.\nThe flows coming from devices connected to\ + \ the Wi-Fi access network must therefore be filtered and restricted to\ + \ just the necessary flows.\nFurthermore, it is important to give priority\ + \ to the use of robust encryption (WPA2 mode, AES CCMP algorithm) and\ + \ centralised authentication, if possible through client certificates\ + \ for devices.\nProtecting the Wi-Fi network with a single and shared\ + \ password is not advisable. However, if this is inevitable, it must be\ + \ complex and its renewal must be planned, but under no circumstances\ + \ must be transmitted to unauthorized third parties.\nMoreover, access\ + \ points must be administrated in a secure way (e.g.: dedicated interface,\ + \ changing the default administrator password).\nFinally, all Wi-Fi connection\ + \ from staff or visitor terminals (laptops, smartphones) must be separate\ + \ from Wi-Fi connections from the organization\u2019s devices (e.g.: distinct\ + \ SSID and VLAN, dedicated internet access)." 
- urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:21 assessable: true depth: 2 @@ -602,6 +1261,24 @@ objects: \ d\u2019anciens protocoles non s\xE9curis\xE9s. Citons par exemple SSh (Secure\ \ SHell) venu remplacer les protocoles de communication historiques TELNET\ \ et RLOGIN." + implementation_groups: + - S + translations: + en: + name: Use secure network protocols when they exist + description: "Although security is no longer optional today, this has not\ + \ always been the case. This is why numerous network protocols had to\ + \ evolve to integrate this component and respond to the confidentiality\ + \ and integrity requirements that exchanging data requires. Secure network\ + \ protocols must be used as soon as possible, whether on public networks\ + \ (the Internet for example) or on the organization\u2019s internal network.\n\ + Although it may be difficult to provide an exhaustive list, the most common\ + \ protocols rely on the use of TLS and are often identifiable by the addition\ + \ of the letter \"s\" (for secure) in the protocol acronym. As an example\ + \ HTTPS for web browsing or IMAPS, SMTPS or POP3S for email.\nOther protocols\ + \ were designed securely from their creation to replace prior, insecure\ + \ protocols. As an example SSH (Secure SHell) which came to replace the\ + \ TELNET and RLOGIN historic communication protocols.." - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:22 assessable: true depth: 2 
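Review bot: Node 21's English description ends with a doubled full stop, `historic communication protocols..`; drop one so the scalar ends `TELNET and RLOGIN historic communication protocols."`. The French context line it translates, `... historiques TELNET et RLOGIN.`, has a single full stop.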
@@ -619,20 +1296,56 @@ objects: \ au plus pr\xE8s de l\u2019acc\xE8s Internet pour filtrer les connexions\ \ et un serveur mandataire (proxy) embarquant diff\xE9rents m\xE9canismes\ \ de s\xE9curit\xE9. Celui-ci assure notamment l\u2019authentification des\ - \ utilisateurs et la journalisation des requ\xEAtes.\nRenforc\xE9 - Des m\xE9\ - canismes compl\xE9mentaires sur le serveur mandataire pourront \xEAtre activ\xE9\ - s selon les besoins de l\u2019entit\xE9 : analyse antivirus du contenu, filtrage\ - \ par cat\xE9gories d\u2019URLs, etc. Le maintien en condition de s\xE9curit\xE9\ - \ des \xE9quipements de la passerelle est essentiel, il fera donc l\u2019\ - objet de proc\xE9dures \xE0 respecter. Suivant le nombre de collaborateurs\ - \ et le besoin de disponibilit\xE9, ces \xE9quipements pourront \xEAtre redond\xE9\ - s. \nPar ailleurs, pour les terminaux utilisateurs, les r\xE9solutions DNS\ - \ en direct de noms de domaines publics seront par d\xE9faut d\xE9sactiv\xE9\ - es, celles-ci \xE9tant d\xE9l\xE9gu\xE9es au serveur mandataire.\nEnfin, il\ - \ est fortement recommand\xE9 que les postes nomades \xE9tablissent au pr\xE9\ - alable une connexion s\xE9curis\xE9e au syst\xE8me d\u2019information de l\u2019\ - entit\xE9 pour naviguer de mani\xE8re s\xE9curis\xE9e sur le Web \xE0 travers\ - \ la passerelle." + \ utilisateurs et la journalisation des requ\xEAtes." + implementation_groups: + - S + translations: + en: + name: Implement a secure access gateway to the Internet + description: "Implement a secure access gateway to the Internet : websites\ + \ hosting malware, the downloading of \"infected\" files and, consequently,\ + \ the possibility of devices being compromised, leaking of sensitive data,\ + \ etc. 
To secure this use, it is therefore essential that the users\u2019\ + \ devices do not have direct network access to the Internet.\nThis is\ + \ why it is advisable to implement a secure Internet access gateway, including,\ + \ as a minimum, a firewall as close to the Internet access as possible\ + \ to filter the connections and a proxy server with different security\ + \ mechanisms. This ensures users are authenticated and requests are logged." + - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:22.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:v + ref_id: 22.R + name: "Mettre en place une passerelle d'acc\xE8s s\xE9curis\xE9 \xE0 Internet" + description: "Des m\xE9canismes compl\xE9mentaires sur le serveur mandataire\ + \ pourront \xEAtre activ\xE9s selon les besoins de l\u2019entit\xE9 : analyse\ + \ antivirus du contenu, filtrage par cat\xE9gories d\u2019URLs, etc. Le maintien\ + \ en condition de s\xE9curit\xE9 des \xE9quipements de la passerelle est essentiel,\ + \ il fera donc l\u2019objet de proc\xE9dures \xE0 respecter. Suivant le nombre\ + \ de collaborateurs et le besoin de disponibilit\xE9, ces \xE9quipements\ + \ pourront \xEAtre redond\xE9s. \nPar ailleurs, pour les terminaux utilisateurs,\ + \ les r\xE9solutions DNS en direct de noms de domaines publics seront par\ + \ d\xE9faut d\xE9sactiv\xE9es, celles-ci \xE9tant d\xE9l\xE9gu\xE9es au serveur\ + \ mandataire.\nEnfin, il est fortement recommand\xE9 que les postes nomades\ + \ \xE9tablissent au pr\xE9alable une connexion s\xE9curis\xE9e au syst\xE8\ + me d\u2019information de l\u2019entit\xE9 pour naviguer de mani\xE8re s\xE9\ + curis\xE9e sur le Web \xE0 travers la passerelle." 
+ implementation_groups: + - R + translations: + en: + name: Implement a secure access gateway to the Internet (strengthened) + description: "Additional mechanisms on the proxy server may be activated\ + \ depending on the organization\u2019s needs: anti-virus analysis of the\ + \ content, filtering by URL categories, etc. Security maintenance of the\ + \ gateway\u2019s components is essential, it must therefore follow defined\ + \ procedures. Depending on the number of employees and the availability\ + \ requirement, these devices may be redundant.\nMoreover, for user devices,\ + \ the direct DNS resolutions of public domain names will be, by default,\ + \ deactivated, as they are delegated to the proxy server.\nLastly, it\ + \ is strongly recommended that mobile devices establish a prior secure\ + \ connection to the organization\u2019s information system to browse the\ + \ web securely through the gateway." - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:23 assessable: true depth: 2 
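Review bot: The French `name` of the new 22.R node lacks the `(renforc\xE9)` suffix that 13.R, 14.R, 15.R and 17.R carry, even though its English translation says `(strengthened)`; presumably that leaves it identical to node 22's French name, which is outside this hunk. The same omission is in 24.R (hunk at +1421) and 25.R (hunk at +1505). Append the suffix for consistency, e.g. `name: "Mettre en place une passerelle d'acc\xE8s s\xE9curis\xE9 \xE0 Internet (renforc\xE9)"`. Separately, 22.R's English `these devices may be redundant` means "superfluous", whereas the French `pourront \xEAtre redond\xE9s` means they may be deployed redundantly — `these devices may be deployed redundantly` says what is meant. Node 22's English description also opens with `Implement a secure access gateway to the Internet : websites hosting malware, ...`, which reads like the title pasted over the opening clause about the risks of web browsing; worth checking against the source text.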
@@ -657,6 +1370,29 @@ objects: \ \xE9galement d\u2019imposer le passage des flux entrants par un serveur\ \ mandataire inverse (reverse proxy) embarquant diff\xE9rents m\xE9canismes\ \ de s\xE9curit\xE9." + implementation_groups: + - S + translations: + en: + name: Segregate the services visible from the Internet from the rest of + the information system + description: 'An organization can choose to host internally services visible + on the Internet (website, email server, etc.). In light of the development + and improvement of cyberattacks online, it is essential to guarantee a + high level of protection for this service with the competent administrators, + available and continuously trained (up to date in terms of technology). + Otherwise, recourse to outsourced hosting with professionals is to be + favoured. + + Furthermore, the web hosting infrastructures must be physically segregated + from all the information system infrastructure, which is not designed + to be visible from the Internet. + + Lastly, it is advisable to implement an interconnection infrastructure + for these services with the Internet, able to filter the flows linked + to services differently from the other flows of the organization. It also + concerns ensuring incoming flows go through a reverse proxy server with + different security mechanisms.' - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:24 assessable: true depth: 2 
@@ -685,17 +1421,71 @@ objects: venir la r\xE9ception de fichiers infect\xE9s ;\n> de l\u2019activation du\ \ chiffrement TLS des \xE9changes entre serveurs de messagerie (de l\u2019\ entit\xE9 ou publics) ainsi qu\u2019entre les postes utilisateur et les serveurs\ - \ h\xE9bergeant les bo\xEEtes aux lettres.\nRenforc\xE9 - Il est souhaitable\ - \ de ne pas exposer directement les serveurs de bo\xEEte aux lettres sur Internet.\ - \ Dans ce cas, un serveur relai d\xE9di\xE9 \xE0 l\u2019envoi et \xE0 la r\xE9\ - ception des messages doit \xEAtre mis en place en coupure d\u2019Internet.\n\ - Alors que le spam - malveillant ou non - constitue la majorit\xE9 des courriels\ - \ \xE9chang\xE9s sur Internet, le d\xE9ploiement d\u2019un service anti-spam\ - \ doit permettre d\u2019\xE9liminer cette source de risques.\nEnfin, l\u2019\ - administrateur de messagerie s\u2019assurera de la mise en place des m\xE9\ - canismes de v\xE9rification d\u2019authenticit\xE9 et de la bonne configuration\ - \ des enregistrements DNS publics li\xE9s \xE0 son infrastructure de messagerie\ - \ (MX, SPF, DKIM, DMARC)." + \ h\xE9bergeant les bo\xEEtes aux lettres." + implementation_groups: + - S + translations: + en: + name: Protect your professional email + description: 'Email is the main infection vector for a workstation, whether + it is opening attachments containing malware or a misguided click on a + link redirecting towards a site that is, itself, malicious. + + Users must be especially aware of this issue: is the sender known? Is + information from him or her expected? Is the proposed link consistent + with the subject mentioned? If any doubt, checking the message authenticity + by another channel (telephone, SMS, etc.) is required. + + To protect against scams (e.g.: a fraudulent transfer request seeming + to come from a manager), organisational measures must be strictly applied. 
+ + Moreover, the redirection of professional messages to a personal email + must be prohibited as it may constitute an irremediable information leak + from the organization. If necessary, controlled and secure methods for + remote access to professional email must be offered. + + Whether the organization hosts or has their email system hosted, it must + ensure: + + > that it has an anti-virus analysis system upstream of the mailboxes + of users to prevent the receipt of infected files; + + > that it has activated TLS encryption for exchanges between email servers + (from the organization or public) as well as between the user devices + and servers hosting the mailboxes.' + - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:24.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:v + ref_id: 24.R + name: "Prot\xE9ger sa messagerie professionnelle" + description: "Il est souhaitable de ne pas exposer directement les serveurs\ + \ de bo\xEEte aux lettres sur Internet. Dans ce cas, un serveur relai d\xE9\ + di\xE9 \xE0 l\u2019envoi et \xE0 la r\xE9ception des messages doit \xEAtre\ + \ mis en place en coupure d\u2019Internet.\nAlors que le spam - malveillant\ + \ ou non - constitue la majorit\xE9 des courriels \xE9chang\xE9s sur Internet,\ + \ le d\xE9ploiement d\u2019un service anti-spam doit permettre d\u2019\xE9\ + liminer cette source de risques.\nEnfin, l\u2019administrateur de messagerie\ + \ s\u2019assurera de la mise en place des m\xE9canismes de v\xE9rification\ + \ d\u2019authenticit\xE9 et de la bonne configuration des enregistrements\ + \ DNS publics li\xE9s \xE0 son infrastructure de messagerie (MX, SPF, DKIM,\ + \ DMARC)." + implementation_groups: + - R + translations: + en: + name: Protect your professional email (strengthened) + description: 'Not directly exposing the mailbox servers to the Internet + is preferable. 
In this case, a relay server dedicated to send and receive + messages must be implemented in case the Internet is cut off. + + While spam - whether malicious or not - accounts for the majority of email + exchanges on the Internet, the deployment of an anti-spam service must + be able to remove this source of risks. + + Finally, the email administrator will ensure the implementation of authenticity + verification mechanisms and the correct configuration of public DNS records + linked to its email infrastructure (MX, SPF, DKIM, DMARC).' - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:25 assessable: true depth: 2 
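Review bot: The 24.R English description mistranslates `mis en place en coupure d\u2019Internet` as `must be implemented in case the Internet is cut off`: "en coupure" describes where the relay sits — interposed between the Internet and the mailbox servers so the latter are never reached directly — not a contingency for an outage, so the English currently turns the measure into something else. Suggest `In this case, a relay server dedicated to sending and receiving messages must be deployed inline between the Internet and the mailbox servers.` An assessor reading only the English would otherwise look for a fallback relay rather than for the mailbox servers not being exposed, which is the stated purpose of the preceding sentence (`Not directly exposing the mailbox servers to the Internet is preferable.`).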
@@ -715,14 +1505,49 @@ objects: entr\xE9e des flux sur le r\xE9seau de l\u2019entit\xE9. La matrice des flux\ \ (entrants et sortants) devra \xEAtre r\xE9duite au juste besoin op\xE9rationnel,\ \ maintenue dans le temps et la configuration des \xE9quipements devra y \xEA\ - tre conforme.\nRenforc\xE9 - Pour des entit\xE9s ayant des besoins de s\xE9\ - curit\xE9 plus exigeants, il conviendra de s\u2019assurer que l\u2019\xE9\ - quipement de filtrage IP pour les connexions partenaires est d\xE9di\xE9 \xE0\ - \ cet usage. L\u2019ajout d\u2019un \xE9quipement de d\xE9tection d\u2019\ - intrusions peut \xE9galement constituer une bonne pratique. \nPar ailleurs\ - \ la connaissance d\u2019un point de contact \xE0 jour chez le partenaire\ - \ est n\xE9cessaire pour pouvoir r\xE9agir en cas d\u2019incident de s\xE9\ - curit\xE9." + tre conforme." + implementation_groups: + - S + translations: + en: + name: Secure the dedicated network interconnections with partners + description: "For operational needs, an organization can be required to\ + \ establish a dedicated network interconnection with a supplier or customer\ + \ (e.g.: managed services, electronic data interchange, financial flows,\ + \ etc.)\nThis interconnection can be done by a link to a private network\ + \ of the organization or directly online. In the latter case, it is advisable\ + \ to establish a site to site tunnel, ideally IPsec, adhering to ANSSI\u2019\ + s recommendations.\nThe partner is, by default, considered as unsafe,\ + \ so it is essential to carry out IP filtering with the assistance of\ + \ a firewall as close as possible to the flows\u2019 entrance into the\ + \ organization\u2019s network. The flow matrix (incoming and outgoing)\ + \ must be strictly reduced to the operational need, maintained over time\ + \ and the devices\u2019 configuration must be in accordance with it." 
+ - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:25.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:v + ref_id: 25.R + name: "S\xE9curiser les interconnexions r\xE9seau d\xE9di\xE9es avec les partenaires" + description: "Pour des entit\xE9s ayant des besoins de s\xE9curit\xE9 plus exigeants,\ + \ il conviendra de s\u2019assurer que l\u2019\xE9quipement de filtrage IP\ + \ pour les connexions partenaires est d\xE9di\xE9 \xE0 cet usage. L\u2019\ + ajout d\u2019un \xE9quipement de d\xE9tection d\u2019intrusions peut \xE9\ + galement constituer une bonne pratique. \nPar ailleurs la connaissance d\u2019\ + un point de contact \xE0 jour chez le partenaire est n\xE9cessaire pour pouvoir\ + \ r\xE9agir en cas d\u2019incident de s\xE9curit\xE9." + implementation_groups: + - R + translations: + en: + name: Secure the dedicated network interconnections with partners (strengthened) + description: 'For organizations with more demanding security needs, it will + be advisable to ensure that the IP filtering device for partner connections + is dedicated to this use. The addition of an intrusion detection device + may also be considered as a good practice. + + Moreover, knowing an up-to-date point of contact for the partner is necessary + to be able to react in the event of a security incident.' - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:26 assessable: true depth: 2 
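Review bot: The French `name` of the new R nodes is inconsistent: 25.R here (and 24.R, 27.R, 28.R, 30.R, 32.R, 33.R) reuses the S title verbatim, while 36.R appends `(renforc\xE9)`, and every English `translations.en.name` appends "(strengthened)". In a listing that shows both nodes, the French S and R entries then become indistinguishable by title. Either add the suffix everywhere, e.g. `name: "S\xE9curiser les interconnexions r\xE9seau d\xE9di\xE9es avec les partenaires (renforc\xE9)"`, or drop it from 36.R so that `ref_id` alone carries the distinction.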
@@ -751,11 +1576,36 @@ objects: \ d\u2019accueil, couloirs, placards, etc.) doivent \xEAtre restreintes ou\ \ d\xE9sactiv\xE9es afin d\u2019emp\xEAcher un attaquant de gagner facilement\ \ l\u2019acc\xE8s au r\xE9seau de l\u2019entreprise." + implementation_groups: + - S + translations: + en: + name: Control and protect access to the server rooms and technical areas + description: "Physical security mechanisms must be a key part of information\ + \ systems security and be up to date to ensure that they cannot be bypassed\ + \ easily by a hacker. It is, therefore, advisable to identify the suitable\ + \ physical security measures and to raise users\u2019 awareness continuously\ + \ of the risks caused by bypassing these rules.\nAccess to server rooms\ + \ and technical areas must be controlled with the assistance of locks\ + \ or access control mechanisms such as badges. The unaccompanied access\ + \ of external service providers to sever rooms and technical areas must\ + \ be prohibited, except if it is possible to strictly monitor the access\ + \ and limit it to given time intervals. A regular review of the access\ + \ rights must be carried out, in order to identify any unauthorised access.\n\ + When an employee leaves or there is a change of service provider, the\ + \ access rights must be withdrawn or the access codes changed.\nFinally,\ + \ the network sockets in areas open to the public (meeting room, reception\ + \ hall, corridors, etc.) must be restricted or deactivated in order to\ + \ stop a hacker easily gaining access to the company\u2019s network." - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:vi assessable: false depth: 1 ref_id: VI name: "S\xE9curiser l'administration" + translations: + en: + name: Secure administration + description: null - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:27 assessable: true depth: 2 
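Review bot: The added English description for node 26 has a typo, "to sever rooms and technical areas", which should read "to server rooms and technical areas". Since this string is the rendered guidance for English users, the typo is user-visible; the rest of the translation matches the French source.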
@@ -776,14 +1626,54 @@ objects: \ \xE0 fournir un acc\xE8s distant \xE0 une infrastructure d\u2019administration\ \ depuis un poste bureautique est d\xE9conseill\xE9e car elle peut mener \xE0\ \ une \xE9l\xE9vation de privil\xE8ges en cas de r\xE9cup\xE9ration des authentifiants\ - \ d\u2019administration.\nRenforc\xE9 - Concernant les mises \xE0 jour logicielles\ - \ des \xE9quipements administr\xE9s, elles doivent \xEAtre r\xE9cup\xE9r\xE9\ - es depuis une source s\xFBre (le site de l\u2019\xE9diteur par exemple), contr\xF4\ - l\xE9es puis transf\xE9r\xE9es sur le poste ou le serveur utilis\xE9 pour\ - \ l\u2019administration et non connect\xE9 \xE0 Internet. Ce transfert peut\ - \ \xEAtre r\xE9alis\xE9 sur un support amovible d\xE9di\xE9. \nPour des entit\xE9\ - s voulant automatiser certaines t\xE2ches, la mise en place d\u2019une zone\ - \ d\u2019\xE9changes est conseill\xE9e. " + \ d\u2019administration." + implementation_groups: + - S + translations: + en: + name: Prohibit Internet access from devices or servers used by the information + system administration + description: 'A workstation or a server used for administration actions + must, under no circumstances, have access to the Internet, due to the + risks that web browsing (websites containing malware) and email (potentially + infected attachments) bring to its integrity. + + For other administrator uses requiring the Internet (viewing documentation + online, their email, etc.), it is advisable to provide them with a separate + workstation. Failing this, access to a remote virtual infrastructure for + office applications from an admin device is possible. The reverse, consisting + of providing remote access to an admin infrastructure from an office device, + is not advisable as it can lead to a privilege elevation in the event + admin authenticators are recuperated.' 
+ - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:27.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:vi + ref_id: 27.R + name: "Interdire l\u2019acc\xE8s \xE0 Internet depuis les postes ou serveurs\ + \ utilis\xE9s pour l\u2019administration du syst\xE8me d\u2019information" + description: "Concernant les mises \xE0 jour logicielles des \xE9quipements\ + \ administr\xE9s, elles doivent \xEAtre r\xE9cup\xE9r\xE9es depuis une source\ + \ s\xFBre (le site de l\u2019\xE9diteur par exemple), contr\xF4l\xE9es puis\ + \ transf\xE9r\xE9es sur le poste ou le serveur utilis\xE9 pour l\u2019administration\ + \ et non connect\xE9 \xE0 Internet. Ce transfert peut \xEAtre r\xE9alis\xE9\ + \ sur un support amovible d\xE9di\xE9. \nPour des entit\xE9s voulant automatiser\ + \ certaines t\xE2ches, la mise en place d\u2019une zone d\u2019\xE9changes\ + \ est conseill\xE9e. " + implementation_groups: + - R + translations: + en: + name: Prohibit Internet access from devices or servers used by the information + system administration (strengthened) + description: 'Concerning software updates for administrated devices, they + must be collected from a safe source (the site of the publisher for example), + tested then transferred to a device or server used for administration + and not connected to the Internet. This transfer can be carried out on + a dedicated removable medium. + + For organizations wishing to automate certain tasks, the implementation + of secure interchange area is advisable.' - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:28 assessable: true depth: 2 
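Review bot: The French `description` of 27.R ends with a trailing space inside the quoted scalar (`conseill\xE9e. "`), which YAML keeps as part of the value and which then surfaces in exports and rendered text. The same trailing space appears in 30.R (`\xE0\ \ part. "`), 32.R (`(One Time Password). "`), 36.R (`compromis. "`) and in the S description of 28 (`VLAN. "`). Trimming them when the text is split out of the old "Renforcé -" paragraphs would keep the new values clean; the English 27.R text could also read "the implementation of a secure interchange area".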
@@ -799,15 +1689,50 @@ objects: \ bureautique des utilisateurs, pour se pr\xE9munir de toute compromission\ \ par rebond depuis un poste utilisateur vers une ressource d\u2019administration.\ \ \nSelon les besoins de s\xE9curit\xE9 de l\u2019entit\xE9, il est recommand\xE9\ - \ :\n> de privil\xE9gier en premier lieu un cloisonnement physique des r\xE9\ - seaux d\xE8s que cela est possible, cette solution pouvant repr\xE9senter\ - \ des co\xFBts et un temps de d\xE9ploiement importants\nRenforc\xE9 -\n>\ - \ \xE0 d\xE9faut, de mettre en \u0153uvre un cloisonnement logique cryptographique\ - \ reposant sur la mise en place de tunnels IPsec. Ceci permet d\u2019assurer\ - \ l\u2019int\xE9grit\xE9 et la confidentialit\xE9 des informations v\xE9hicul\xE9\ - es sur le r\xE9seau d\u2019administration vis-\xE0-vis du r\xE9seau bureautique\ - \ des utilisateurs ;\n> au minimum, de mettre en \u0153uvre un cloisonnement\ - \ logique par VLAN. " + \ :\n> (voir renforc\xE9)\n> \xE0 d\xE9faut, de mettre en \u0153uvre un cloisonnement\ + \ logique cryptographique reposant sur la mise en place de tunnels IPsec.\ + \ Ceci permet d\u2019assurer l\u2019int\xE9grit\xE9 et la confidentialit\xE9\ + \ des informations v\xE9hicul\xE9es sur le r\xE9seau d\u2019administration\ + \ vis-\xE0-vis du r\xE9seau bureautique des utilisateurs ;\n> au minimum,\ + \ de mettre en \u0153uvre un cloisonnement logique par VLAN. 
" + implementation_groups: + - S + translations: + en: + name: Use a dedicated and separated network for information system administration + description: "An administration network interconnects, among others, the\ + \ administration devices or servers and the device administration interfaces.\ + \ Within the logic of segmentation for the organization\u2019s global\ + \ network, it is essential to specifically segregate the administration\ + \ network from the user office network, to prevent any intrusion by redirection\ + \ from a user device to an administration resource.\nDepending on the\ + \ organization\u2019s security needs, it is advisable:\n> (see strengthened)\n\ + > failing this, to implement a logical cryptographic partitioning relying\ + \ on the implementation of IPsec tunnels. This allows for assurance over\ + \ the integrity and confidentiality of data carried in the administration\ + \ network over the user office network;\n> as a minimum, implement logical\ + \ partitioning using VLAN." 
+ - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:28.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:vi + ref_id: 28.R + name: "Utiliser un r\xE9seau d\xE9di\xE9 et cloisonn\xE9 pour l\u2019administration\ + \ du syst\xE8me d\u2019information" + description: "Selon les besoins de s\xE9curit\xE9 de l\u2019entit\xE9, il est\ + \ recommand\xE9 :\n> de privil\xE9gier en premier lieu un cloisonnement physique\ + \ des r\xE9seaux d\xE8s que cela est possible, cette solution pouvant repr\xE9\ + senter des co\xFBts et un temps de d\xE9ploiement importants;" + implementation_groups: + - R + translations: + en: + name: Use a dedicated and separated network for information system administration + (strengthened) + description: "Depending on the organization\u2019s security needs, it is\ + \ advisable:\n> to firstly favour a physical partitioning of networks\ + \ as soon as this is possible, as this solution can represent significant\ + \ costs and deployment time;" - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:29 assessable: true depth: 2 
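Review bot: The S description of node 28 now contains a placeholder bullet, `> (voir renforc\xE9)` / `> (see strengthened)`, in place of the physical-partitioning recommendation that was moved to 28.R, so the next bullet's "à défaut" / "failing this" refers to text that is no longer in this node. A reader assessing only the S group cannot tell what the fallback is a fallback to, and the placeholder reads like an editing artifact rather than guidance. Consider either naming the referenced measure explicitly, e.g. `> (voir 28.R : cloisonnement physique des r\xE9seaux)`, or rewording the S bullets so they stand alone. Separately, the 28.R French description ends mid-list with `importants;`; it should close with a full stop now that no further bullets follow.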
@@ -833,11 +1758,38 @@ objects: \ pour r\xE9pondre \xE0 un besoin ponctuel de l\u2019utilisateur, celle-ci\ \ doit \xEAtre trac\xE9e, limit\xE9e dans le temps et retir\xE9e \xE0 \xE9\ ch\xE9ance." + implementation_groups: + - S + translations: + en: + name: Reduce administration rights on workstations to strictly operational + needs + description: 'Numerous users, including at the top management level, are + tempted to ask their IT department to be able to provide them, in line + with their personal use, with higher privileges on their workstations: + installation of software, system configuration, etc. By default, it is + recommended that an information system user, whatever his responsibility + level and allocations, should not have administration privileges on his + workstation. This measure, which appears restrictive, aims to limit the + consequences of malicious executions from malware. The availability of + a well-rounded application store, validated by the organization from the + security point of view, will be able to respond to the majority of needs. + + Consequently, only administrators responsible for the administration of + workstations must have these rights during their interventions. + + If delegating privileges to a workstation is really necessary to respond + to a one-off need from the user, it must be monitored, for a limited time, + and be withdrawn afterwards.' - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:vii assessable: false depth: 1 ref_id: VII name: "G\xE9rer le nomadisme" + translations: + en: + name: Manage mobile working + description: null - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:30 assessable: true depth: 2 
@@ -862,11 +1814,47 @@ objects: \ autocollant aux couleurs de l\u2019entit\xE9 par exemple).\nPour \xE9viter\ \ toute indiscr\xE9tion lors de d\xE9placements, notamment dans les transports\ \ ou les lieux d\u2019attente, un filtre de confidentialit\xE9 doit \xEAtre\ - \ positionn\xE9 sur chaque \xE9cran.\nRenforc\xE9 - Enfin, afin de rendre\ - \ inutilisable le poste seul, l\u2019utilisation d\u2019un support externe\ - \ compl\xE9mentaire (carte \xE0 puce ou jeton USB par exemple) pour conserver\ - \ des secrets de d\xE9chiffrement ou d\u2019authentification peut \xEAtre\ - \ envisag\xE9e. Dans ce cas il doit \xEAtre conserv\xE9 \xE0 part. " + \ positionn\xE9 sur chaque \xE9cran." + implementation_groups: + - S + translations: + en: + name: Take measures to physically secure mobile devices + description: "Mobile devices (laptops, tablets and smartphones) are, naturally,\ + \ exposed to loss and theft. They may contain sensitive information for\ + \ the organization, locally, and constitute an entry point to wider resources\ + \ of the information system. Beyond the minimal application of the organization\u2019\ + s security policies, specific security measures for these devices must\ + \ therefore be provided.\nFirst and foremost, users\u2019 awareness must\ + \ be raised to increase their level of vigilance during their trips and\ + \ keep their devices within sight. Any organization, even a small sized\ + \ one, may be the victim of a cyberattack. Consequently, when mobile,\ + \ any device becomes a potential or even favoured target.\nIt is recommended\ + \ that mobile devices are as ordinary as possible, avoiding any explicit\ + \ mention of the organization they belong to (by displaying a sticker\ + \ with the colours of the organization for example).\nTo avoid any indiscretion\ + \ during journeys, especially on public transport or in waiting areas,\ + \ a privacy filter must be placed on each screen." 
+ - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:30.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:vii + ref_id: 30.R + name: " Prendre des mesures de s\xE9curisation physique des terminaux nomades" + description: "Enfin, afin de rendre inutilisable le poste seul, l\u2019utilisation\ + \ d\u2019un support externe compl\xE9mentaire (carte \xE0 puce ou jeton USB\ + \ par exemple) pour conserver des secrets de d\xE9chiffrement ou d\u2019authentification\ + \ peut \xEAtre envisag\xE9e. Dans ce cas il doit \xEAtre conserv\xE9 \xE0\ + \ part. " + implementation_groups: + - R + translations: + en: + name: Take measures to physically secure mobile devices (strengthened) + description: Finally, in order to make the device on its own unusable, the + use of an additional external media (smart card or USB token for example) + to hold decryption or authentication secrets may be considered. In this + case, it must be kept separate - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:31 assessable: true depth: 2 
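Review bot: The French `name` of 30.R starts with a leading space inside the quotes, `" Prendre des mesures..."`, which YAML preserves and which may misalign the title in lists and defeat exact-match lookups; 33.R has the same leading space. Both descriptions of 30.R begin with "Enfin," / "Finally," although the sentence now stands alone in its own node, so the connective no longer refers to anything. Suggest `name: "Prendre des mesures de s\xE9curisation physique des terminaux nomades"` and dropping the connective; the English 30.R description is also missing its final full stop after "kept separate".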
@@ -892,6 +1880,31 @@ objects: pondent \xE0 des besoins diff\xE9rents et peuvent potentiellement laisser\ \ sur le support de stockage des informations non chiffr\xE9es (fichiers de\ \ restauration de suite bureautique, par exemple)." + implementation_groups: + - S + translations: + en: + name: Encrypt sensitive data, in particular on hardware that can potentially + be lost + description: 'Frequent journeys in a professional context and the miniaturisation + of IT hardware often lead to their loss or theft in a public space. This + may put the sensitive data of the organization which is stored on it at + risk. + + Therefore, on all mobile hardware (laptops, smartphones, USB keys, external + hard drives, etc.), only data that has already been encrypted must be + stored, in order to maintain its confidentiality. Only confidential information + (password, smart card, PIN code, etc.) will allow the person who has it + to access this data. + + A partition, archive or file encryption solution may be considered depending + on the needs. Here, once again, it is essential to ensure the uniqueness + and robustness of the decryption method used. + + As far as possible, it is advisable to start by a complete disk encryption + before considering archive and file encryption. These last two respond + to different needs and can potentially leave the data storage medium unencrypted + (backup files from office suites for example).' - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:32 assessable: true depth: 2 
@@ -914,12 +1927,50 @@ objects: \ choisir de d\xE9roger \xE0 la connexion automatique en autorisant une connexion\ \ \xE0 la demande ou maintenir cette recommandation en encourageant l\u2019\ utilisateur \xE0 utiliser un partage de connexion sur un t\xE9l\xE9phone mobile\ - \ de confiance.\nRenforc\xE9 - Afin d\u2019\xE9viter toute r\xE9utilisation\ - \ d\u2019authentifiants depuis un poste vol\xE9 ou perdu (identifiant et mot\ - \ de passe enregistr\xE9s par exemple), il est pr\xE9f\xE9rable d\u2019avoir\ - \ recours \xE0 une authentification forte, par exemple avec un mot de passe\ - \ et un certificat stock\xE9 sur un support externe (carte \xE0 puce ou jeton\ - \ USB) ou un m\xE9canisme de mot de passe \xE0 usage unique (One Time Password). " + \ de confiance." + implementation_groups: + - S + translations: + en: + name: Secure the network connection of devices used in a mobile working + situation + description: "In a mobile working situation, it is not uncommon for a user\ + \ to need to connect to the organization\u2019s information system. Consequently,\ + \ it is important to ensure this network connection is secure through\ + \ the Internet.\nEven if the option of establishing VPN SSL/TLS tunnels\ + \ is now common, the establishment of a VPN IPsec tunnel between the mobile\ + \ workstation and a VPN IPsec gateway, provided by the organization, is\ + \ strongly recommended.\nTo guarantee an optimal level of security, this\ + \ VPN IPsec tunnel must be automatically established and not removable\ + \ by the user, in other words no flow must be able to be sent outside\ + \ of this tunnel.\nFor specific authentication needs on captive portals,\ + \ the organization may choose to depart from automatic connection by authorising\ + \ a connection upon request, or keep this recommendation by encouraging\ + \ the user to use tethering on a trusted mobile phone." 
+ - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:32.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:vii + ref_id: 32.R + name: "S\xE9curiser la connexion r\xE9seau des postes utilis\xE9s en situation\ + \ de nomadisme" + description: "Afin d\u2019\xE9viter toute r\xE9utilisation d\u2019authentifiants\ + \ depuis un poste vol\xE9 ou perdu (identifiant et mot de passe enregistr\xE9\ + s par exemple), il est pr\xE9f\xE9rable d\u2019avoir recours \xE0 une authentification\ + \ forte, par exemple avec un mot de passe et un certificat stock\xE9 sur un\ + \ support externe (carte \xE0 puce ou jeton USB) ou un m\xE9canisme de mot\ + \ de passe \xE0 usage unique (One Time Password). " + implementation_groups: + - R + translations: + en: + name: Secure the network connection of devices used in a mobile working + situation (strengthened) + description: In order to avoid any reuse of authenticators from a stolen + or lost device (saved username and password for example), it is preferable + to use two-factor authentication, with a password and a certificate stored + on an external medium (smart card or USB token) or a one-time password + mechanism, for example. - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:33 assessable: true depth: 2 
@@ -945,15 +1996,56 @@ objects: \ des applications valid\xE9es du point de vue de la s\xE9curit\xE9, etc.\ \ \nDans le cas contraire, une configuration pr\xE9alable avant remise de\ \ l\u2019\xE9quipement et une s\xE9ance de sensibilisation des utilisateurs\ - \ est souhaitable.\nRenforc\xE9 - Entre autres usages potentiellement risqu\xE9\ - s, celui d\u2019un assistant vocal int\xE9gr\xE9 augmente sensiblement la\ - \ surface d\u2019attaque du terminal et des cas d\u2019attaque ont \xE9t\xE9\ - \ d\xE9montr\xE9s. Pour ces raisons, il est donc d\xE9conseill\xE9." + \ est souhaitable." + implementation_groups: + - S + translations: + en: + name: Adopt security policies dedicated to mobile devices + description: "Smartphones and tablets are a part of our daily personal and\ + \ professional lives. The first recommendation consists precisely of not\ + \ sharing personal and professional uses on the single and same device,\ + \ for example by not simultaneously synchronising professional and personal\ + \ email, social networks and calendar accounts, etc.\nThe devices, provided\ + \ by the organization and used in a professional context, must be subject\ + \ to a separate securing, as soon as they are connected to the organization\u2019\ + s information system or as soon as they contain potentially sensitive\ + \ professional information (mails, shared files, contacts, etc.). Consequently,\ + \ the use of a centralised management solution for mobile devices is to\ + \ be favoured. It will be desirable to uniformly configure the inherent\ + \ security policies: a method for unlocking the device, limiting the use\ + \ of the application store to validated applications from a security point\ + \ of view, etc.\nOtherwise, configuration prior to distribution of the\ + \ device and an awareness raising session with users is desirable." 
+ - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:33.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:vii + ref_id: 33.R + name: " Adopter des politiques de s\xE9curit\xE9 d\xE9di\xE9es aux terminaux\ + \ mobiles" + description: "Entre autres usages potentiellement risqu\xE9s, celui d\u2019\ + un assistant vocal int\xE9gr\xE9 augmente sensiblement la surface d\u2019\ + attaque du terminal et des cas d\u2019attaque ont \xE9t\xE9 d\xE9montr\xE9\ + s. Pour ces raisons, il est donc d\xE9conseill\xE9." + implementation_groups: + - R + translations: + en: + name: Adopt security policies dedicated to mobile devices (strengthened) + description: "Among other potentially risks, using a built-in voice assistant\ + \ markedly increases the terminal\u2019s vulnerabilities to hacking and\ + \ incidents of hacks have been demonstrated. For these reasons, it is\ + \ therefore not advisable." - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:viii assessable: false depth: 1 ref_id: VIII name: "Maintenir le syst\xE8me d'information \xE0 jour" + translations: + en: + name: Keep the Information System up to date + description: null - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:34 assessable: true depth: 2 
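Review bot: The English description of 33.R is ungrammatical and mistranslates the French: "Among other potentially risks" should be "Among other potentially risky uses", and "increases the terminal's vulnerabilities to hacking" renders "augmente sensiblement la surface d'attaque du terminal", which is "markedly increases the terminal's attack surface". Attack surface is the notion the French source relies on, so the translation should keep the term. Proposed: `description: "Among other potentially risky uses, that of a built-in voice assistant markedly increases the terminal\u2019s attack surface, and attacks have been demonstrated. For these reasons, it is therefore not advisable."`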
@@ -982,6 +2074,38 @@ objects: \ recommandation s\u2019applique aussi bien au niveau r\xE9seau par un filtrage\ \ strict des flux, qu\u2019au niveau des secrets d\u2019authentification qui\ \ doivent \xEAtre d\xE9di\xE9s \xE0 ces syst\xE8mes. " + implementation_groups: + - S + translations: + en: + name: Define an update policy for the components of the information system + description: 'New flaws are regularly discovered at the heart of systems + and software. These are generally access doors that a hacker can exploit + for a successful intrusion into the information system. It is, therefore, + vital to stay informed of new vulnerabilities (follow CERT- FR alerts) + and to apply the corrective security actions over all of the components + of the system within the month following their publication. An update + policy must therefore be defined and be a part of operational procedures. + + These must specify: + + > the way in which the inventory of the information system components + is carried out; + + > the sources of information relating to the publication of updates; + + > the tools to deploy the corrective actions over the stock (for examples + WSUS for updates for Microsoft components, free or paid tools for third + party components and other operating systems); + + > the possible qualification of corrective measure and their gradual deployement + over the stock. + + The obsolete components which are no longer supported by their manufacturers + must be isolated from the rest of the system. This recommendation applies + as much on the network level, by strict filtering of flows, as it does + as regards the authentication secrets which must be dedicated to these + systems.' - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:35 assessable: true depth: 2 
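Review bot: The English description of node 34 has several typos in the newly added text: "CERT- FR" has a stray space and should be "CERT-FR", "for examples WSUS" should be "for example WSUS", and "gradual deployement" should be "gradual deployment". This text is the rendered guidance, so the typos will be visible to every English-language user of the framework.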
@@ -1011,11 +2135,51 @@ objects: \ ressources n\xE9cessaires (mat\xE9rielles, humaines, budg\xE9taires) \xE0\ \ la migration de chaque logiciel en fin de vie (tests de non-r\xE9gression,\ \ proc\xE9dure de sauvegarde, proc\xE9dure de migration des donn\xE9es, etc.)." + implementation_groups: + - S + translations: + en: + name: Anticipate the software and system end of life/maintenance and limit + software reliance + description: 'The use of an obsolete system or software package significantly + increases the possibilities of a cyberattack. Systems become vulnerable + when corrective measures are no longer proposed. Malicious tools exploiting + these vulnerabilities can be spread quickly online while the publisher + is not offering a security corrective measure. + + To anticipate obsolescence, a certain number of precautions exist: + + > establish an inventory of the information system applications and systems + and keep it up to date; + + > choose solutions with support that is ensured for a time period corresponding + to their use; + + > ensure monitoring of updates and end of support dates for software; + + > keep an homogeneous software stock (the co-existence of different versions + of the same product increases the risks and makes monitoring more complicated); + + > reduce software reliance, in other words, dependency on the operating + of a software package compared to another, in particular when its support + comes to an end; + + > include in contracts with service providers and suppliers clauses guaranteeing + the monitoring of corrective security measures and the management of obsolescence; + + > identify the time periods and resources necessary (material, human, + budgetary) for the migration of each software package at the end of its + life (non-regression tests, backup procedure, data migration procedure, + etc.).' 
- urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:ix assessable: false depth: 1 ref_id: IX name: "Superviser, auditer, r\xE9agir" + translations: + en: + name: Supervise, audit, react + description: null - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:36 assessable: true depth: 2 
@@ -1044,13 +2208,64 @@ objects: \ (URL sur un relai hTTP, en-t\xEAtes des messages sur un relai SMTP, etc.)\ \ ;\nAfin de pouvoir corr\xE9ler les \xE9v\xE8nements entre les diff\xE9rents\ \ composants, leur source de synchronisation de temps (gr\xE2ce au protocole\ - \ NTP) doit \xEAtre identique.\nRenforc\xE9 - Si toutes les actions pr\xE9\ - c\xE9dentes ont \xE9t\xE9 mises en \u0153uvre, une centralisation des journaux\ - \ sur un dispositif d\xE9di\xE9 pourra \xEAtre envisag\xE9e. Cela permet de\ - \ faciliter la recherche automatis\xE9e d\u2019\xE9v\xE9nements suspects,\ - \ d\u2019archiver les journaux sur une longue dur\xE9e et d\u2019emp\xEAcher\ - \ un attaquant d\u2019effacer d\u2019\xE9ventuelles traces de son passage\ - \ sur les \xE9quipements qu\u2019il a compromis. " + \ NTP) doit \xEAtre identique." + implementation_groups: + - S + translations: + en: + name: Activate and configure the most important component logs + description: 'Having relevant logs is required in order to be able to detect + possible malfunctions and illegal access attempts to the components of + the information system. + + The first stage consists of determining what the critical components of + the information system are. These may be network and security devices, + critical servers, sensitive user workstations, etc. + + For each of these, it is advisable to analyse the configuration of logged + elements (format, frequency of file rotation, maximum size of log files, + event categories recorded, etc.) and to adapt it as a consequence. The + critical events for security must be logged and saved for at least one + year (or more, depending on the legal requirements of the business area). 
+ + A contextual assessment of the information system must be carried out + and the following elements must be logged: + + > firewall: packets blocked; + + > systems and applications: authentications and authorisations (failures + and successes), unplanned downtime; + + > services: protocol errors (for example the errors 403, 404 and 500 for + HTTP services), traceability of flows applicable to interconnections (URL + on a HTTP relay, headers of messages on a SMTP relay, etc). + + In order to be able to correlate the events between the different components, + their time synchronisation source (thanks to NTP protocol) must be identical.' + - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:36.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:ix + ref_id: 36.R + name: "Activer et configurer les journaux des composants les plus importants\ + \ (renforc\xE9)" + description: "Si toutes les actions pr\xE9c\xE9dentes ont \xE9t\xE9 mises en\ + \ \u0153uvre, une centralisation des journaux sur un dispositif d\xE9di\xE9\ + \ pourra \xEAtre envisag\xE9e. Cela permet de faciliter la recherche automatis\xE9\ + e d\u2019\xE9v\xE9nements suspects, d\u2019archiver les journaux sur une longue\ + \ dur\xE9e et d\u2019emp\xEAcher un attaquant d\u2019effacer d\u2019\xE9ventuelles\ + \ traces de son passage sur les \xE9quipements qu\u2019il a compromis. " + implementation_groups: + - R + translations: + en: + name: Activate and configure the most important component logs (strengthened) + description: If all the previous actions have been implemented, a centralisation + of the logs through a dedicated measure will be able to be considered. + This makes the automatic searching for suspect events easier, and allows + for the archiving of logs over the long term, as well as stopping a hacker + from deleting possible traces of their intrusion on the devices that he + or she has compromised. 
- urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:37 assessable: true depth: 2 
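Review bot: The English description of 36.R translates "une centralisation des journaux sur un dispositif dédié" as "a centralisation of the logs through a dedicated measure", but "dispositif" here is a dedicated device or system, not a measure. The distinction matters for the rationale in the same sentence: logs stop an attacker "deleting possible traces" only because they are copied off the compromised devices onto separate infrastructure. Suggested wording: `centralising the logs on a dedicated system may be considered` in place of "a centralisation of the logs through a dedicated measure will be able to be considered".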
@@ -1075,29 +2290,76 @@ objects: \ :\n> syst\xE9matique, par un ordonnanceur de t\xE2ches pour les applications\ \ importantes ;\n> ponctuelle, en cas d\u2019erreur sur les fichiers ;\n\ > g\xE9n\xE9rale, pour une sauvegarde et restauration enti\xE8res du syst\xE8\ - me d\u2019information.\nRenforc\xE9 - Un fois cette politique de sauvegarde\ - \ \xE9tablie, il est souhaitable de planifier au moins une fois par an un\ - \ exercice de restauration des donn\xE9es et de conserver une trace technique\ - \ des r\xE9sultats." - - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:38 + me d\u2019information." + implementation_groups: + - S + translations: + en: + name: Define and apply a backup policy for critical components + description: 'Following an exploitation incident or in the context of managing + an intrusion, the availability of backups, saved in a safe place, is essential + to continue the activity. Formalising a regularly updated backup policy + is therefore highly recommended. This aims to define the requirements + in terms of backing up information, software and systems. + + This policy must, at least, integrate the following elements: + + > the list of data judged vital for the organization and the servers concerned; + + > the different types of backup (for example the offline mode); + + > the frequency of backups; + + > the administration and backup execution procedure; + + > the storage information and the access restrictions to backups; + + > the testing and restoration procedures; + + > the destruction of media that contained backups. + + The restoration tests may be carried out in several ways: + + > systematic, through a task scheduler for important applications; + + > one-off, in the event of an error in files; + + > general, for complete backup and restoration of the information system.' 
+ - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:37.r assessable: true depth: 2 parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:ix - ref_id: '38' + ref_id: 37.R + name: "D\xE9finir et appliquer une politique de sauvegarde des composants critiques\ + \ (renforc\xE9)" + description: "Un fois cette politique de sauvegarde \xE9tablie, il est souhaitable\ + \ de planifier au moins une fois par an un exercice de restauration des donn\xE9\ + es et de conserver une trace technique des r\xE9sultats." + implementation_groups: + - R + translations: + en: + name: Define and apply a backup policy for critical components (strengthened) + description: null + - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:38.r + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:ix + ref_id: 38.R name: "Proc\xE9der \xE0 des contr\xF4les et audits de s\xE9curit\xE9 r\xE9guliers\ - \ puis appliquer les actions correctives associ\xE9es" - description: "Renforc\xE9 - La r\xE9alisation d\u2019audits r\xE9guliers (au\ - \ moins une fois par an) du syst\xE8me d\u2019information est essentielle\ - \ car elle permet d\u2019\xE9valuer concr\xE8tement l\u2019efficacit\xE9 des\ - \ mesures mises en \u0153uvre et leur maintien dans le temps. Ces contr\xF4\ - les et audits permettent \xE9galement de mesurer les \xE9carts pouvant persister\ - \ entre la r\xE8gle et la pratique. \nIls peuvent \xEAtre r\xE9alis\xE9s par\ - \ d\u2019\xE9ventuelles \xE9quipes d\u2019audit internes ou par des soci\xE9\ - t\xE9s externes sp\xE9cialis\xE9es. Selon le p\xE9rim\xE8tre \xE0 contr\xF4\ - ler, des audits techniques et/ou organisationnels seront effectu\xE9s par\ - \ les professionnels mobilis\xE9s. 
Ces audits sont d\u2019autant plus n\xE9\ - cessaires que l\u2019entit\xE9 doit \xEAtre conforme \xE0 des r\xE9glementations\ - \ et obligations l\xE9gales directement li\xE9es \xE0 ses activit\xE9s.\n\xC0\ + \ puis appliquer les actions correctives associ\xE9es (renforc\xE9)" + description: "La r\xE9alisation d\u2019audits r\xE9guliers (au moins une fois\ + \ par an) du syst\xE8me d\u2019information est essentielle car elle permet\ + \ d\u2019\xE9valuer concr\xE8tement l\u2019efficacit\xE9 des mesures mises\ + \ en \u0153uvre et leur maintien dans le temps. Ces contr\xF4les et audits\ + \ permettent \xE9galement de mesurer les \xE9carts pouvant persister entre\ + \ la r\xE8gle et la pratique. \nIls peuvent \xEAtre r\xE9alis\xE9s par d\u2019\ + \xE9ventuelles \xE9quipes d\u2019audit internes ou par des soci\xE9t\xE9s\ + \ externes sp\xE9cialis\xE9es. Selon le p\xE9rim\xE8tre \xE0 contr\xF4ler,\ + \ des audits techniques et/ou organisationnels seront effectu\xE9s par les\ + \ professionnels mobilis\xE9s. Ces audits sont d\u2019autant plus n\xE9cessaires\ + \ que l\u2019entit\xE9 doit \xEAtre conforme \xE0 des r\xE9glementations et\ + \ obligations l\xE9gales directement li\xE9es \xE0 ses activit\xE9s.\n\xC0\ \ l\u2019issue de ces audits, des actions correctives doivent \xEAtre identifi\xE9\ es, leur application planifi\xE9e et des points de suivi organis\xE9s \xE0\ \ intervalles r\xE9guliers. Pour une plus grande efficacit\xE9, des indicateurs\ 
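Review bot: The new `37.R` node carries its French description (the yearly restoration exercise with a kept technical record) but its `translations.en.description` is `null`, so English users of this library see a strengthened requirement with no text at all, unlike every other node in this hunk. The English guide this patch references contains the equivalent sentence; a rendering such as `description: Once this backup policy has been established, it is advisable to schedule a data restoration exercise at least once a year and to keep a technical record of the results.` should be filled in from that source rather than left null. Separately, the `38` node loses its URN `urn:intuitem:risk:req_node:anssi-guide-hygiene:38` (ref_id `'38'`) in favour of `:38.r` (ref_id `38.R`); if any stored assessment references the old URN, this rename presumably orphans it, so either the URN should stay stable with only `ref_id` gaining the `.R` suffix, or the change needs a documented migration. The `38.R` node's body continues past the end of this hunk.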
@@ -1108,6 +2370,33 @@ objects: \xE9ventuelles vuln\xE9rabilit\xE9s, ils ne constituent jamais une preuve\ \ de leur absence et ne dispensent donc pas d\u2019autres mesures de contr\xF4\ le. " + implementation_groups: + - R + translations: + en: + name: Undertake regular controls and security audits then apply the associated + corrective actions (strengthened) + description: 'Carrying out regular audits (at least once per year) of the + information system is essential as this makes it possible to correctly + assess the effectiveness of measures implemented and their maintenance + over time. These controls and audits are also able to measure the gaps + that may remain between the theory and the practice. + + They can be carried out by possible internal audit teams or by specialised + external companies. Depending on the scope to test, technical and/or organisational + audits will be carried out by the professionals called upon. These audits + are especially necessary as the organization must comply with the regulations + and legal obligations directly linked to its activities. + + Following these audits, corrective actions must be identified, their application + planned and monitoring points organised at regular intervals. For higher + efficiency, indicators on the state of progress of the action plan may + be integrated into the overview for the management. + + Although security audits participate in the security of the information + system by being able to show possible vulnerabilities, they are never + proof of their absence and therefore do not negate the need for other + control measures.' - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:39 assessable: true depth: 2 
@@ -1133,6 +2422,27 @@ objects: \ \xE0 aborder dans le cadre des sensibilisations, permettant ainsi d\u2019\ \xE9lever le niveau de s\xE9curit\xE9 du syst\xE8me d\u2019information au\ \ sein de l\u2019organisme." + implementation_groups: + - S + translations: + en: + name: Designate a point of contact in information system security and make + sure staff are aware of him or her + description: "All organizations must have a point of contact in information\ + \ system security who will be supported by the management or an executive\ + \ committee, depending on the maturity level of the organisation.\nThis\ + \ point of contact must be known to all the users and will be the first\ + \ person to call for all questions relating to information system security:\n\ + > defining the rules to apply according to the context;\n> verifying the\ + \ application of rules;\n> raising users\u2019 awareness and defining\ + \ a training plan for IT stakeholders;\n> centralising and dealing with\ + \ security incidents noticed or raised by users.\nThis point of contact\ + \ must be trained in information system security and crisis management.\n\ + In larger organizations, this correspondent can be designated to become\ + \ the CISO representative. He or she may, for example, raise users\u2019\ + \ grievances and identify the themes to deal with in the context of awareness\ + \ raising, therefore allowing the security level of the information system\ + \ to be raised within the organization." - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:40 assessable: true depth: 2 
@@ -1162,22 +2472,52 @@ objects: der au changement des mots de passe compromis. Tout incident doit \xEAtre\ \ consign\xE9 dans un registre centralis\xE9. Une plainte pourra \xE9galement\ \ \xEAtre d\xE9pos\xE9e aupr\xE8s du service judiciaire comp\xE9tent." + implementation_groups: + - S + translations: + en: + name: Define a security incident management procedure + description: 'Noticing unusual behaviour from a workstation or a server + (impossible connection, significant activity, unusual activity, unauthorised + open services, files created, modified or deleted without authorisation, + multiple anti-virus warnings, etc.) may be a warning of a possible intrusion. + + A bad reaction in the event of a security incident can make the situation + worse and prevent the problem from being dealt properly. The right reaction + is to disconnect the device from the network, to stop the attack. However, + you must keep it powered and not restart it, so as to not lose useful + information for analysing the attack. You must then alert the management, + as well as the information system security point of contact. + + He or she may get in contact with the security incident response service + providers (PRIS) in order to carry out the necessary technical operations + (physically copying the disk, analysing the memory, logs and possible + malware, etc.) and determine if other elements of the information system + have been compromised. This will also concern coming up with a response + to provide, in order to remove possible malware and the access that the + hacker may have and to change compromised passwords. Any incident must + be recorded in a centralised register. Charges may also be pressed with + the competent legal service.' 
- urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:x assessable: false depth: 1 ref_id: X name: Pour aller plus loin - - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:41 + translations: + en: + name: To go even further + description: null + - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:41.r assessable: true depth: 2 parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:x - ref_id: '41' - name: Mener une analyse de risques formelle - description: "Renforc\xE9 - Chaque entit\xE9 \xE9volue dans un environnement\ - \ informationnel complexe qui lui est propre. Aussi, toute prise de position\ - \ ou plan d\u2019action impliquant la s\xE9curit\xE9 du syst\xE8me d\u2019\ - information doit \xEAtre consid\xE9r\xE9 \xE0 la lumi\xE8re des risques pressentis\ - \ par la direction. En effet, qu\u2019il s\u2019agisse de mesures organisationnelles\ + ref_id: 41.R + name: "Mener une analyse de risques formelle (renforc\xE9)" + description: "Chaque entit\xE9 \xE9volue dans un environnement informationnel\ + \ complexe qui lui est propre. Aussi, toute prise de position ou plan d\u2019\ + action impliquant la s\xE9curit\xE9 du syst\xE8me d\u2019information doit\ + \ \xEAtre consid\xE9r\xE9 \xE0 la lumi\xE8re des risques pressentis par la\ + \ direction. En effet, qu\u2019il s\u2019agisse de mesures organisationnelles\ \ ou techniques, leur mise en \u0153uvre repr\xE9sente un co\xFBt pour l\u2019\ entit\xE9 qui n\xE9cessite de s\u2019assurer qu\u2019elles permettent de r\xE9\ duire au bon niveau un risque identifi\xE9.\nDans les cas les plus sensibles,\ 
@@ -1196,31 +2536,94 @@ objects: \ :\n> le recours aux bonnes pratiques de s\xE9curit\xE9 informatique ;\n\ > une analyse de risques syst\xE9matique fond\xE9e sur les retours d\u2019\ exp\xE9rience des utilisateurs ;\n> une gestion structur\xE9e des risques\ - \ formalis\xE9e par une m\xE9thodologie d\xE9di\xE9e." - - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:42 + \ formalis\xE9e par une m\xE9thodologie d\xE9di\xE9e.\nDans ce dernier cas,\ + \ la m\xE9thode EBIOS r\xE9f\xE9renc\xE9e par l\u2019ANSSI est recommand\xE9\ + e. Elle permet d\u2019exprimer les besoins de s\xE9curit\xE9, d\u2019identifier\ + \ les objectifs de s\xE9curit\xE9 et de d\xE9terminer les exigences de s\xE9\ + curit\xE9." + implementation_groups: + - R + translations: + en: + name: Carry out a formal risk assessment (strengthened) + description: 'Each organization develops within a complex computing environment + specific to itself. As such, any position taken or action plan involving + the information system security must be considered in light of the risks + foreseen by the management. Whether it is organisational or technical + measures, their implementation represents a cost for the organization, + which needs to ensure that they are able to reduce an identified risk + to an acceptable level. + + In the most sensitive cases, the risk analysis may call into question + certain previous choices. This may be the case if the probability of an + event appearing and its potential consequences prove critical for the + organization and there is no preventive action to control it. + + The recommended approach consists, in broad terms, of defining the context, + assessing the risks and dealing with them. The risk assessment generally + works by considering two areas: the likelihood and the impacts. This is + then followed by the creation of a risk treatment plan to be validated + by a designated authority at a higher level. 
+ + Three kinds of approach can be considered to control the risks associated + with the information system: + + > the recourse to best IT security practices; + + > a systematic risk analysis based on feedback from users; + + > a structured risk management formalised by a dedicated methodology. + + In this last case, the EBIOS method referenced by ANSSI is recommended. + It is able to write down security needs, identify the security objectives + and determine the security demands' + - urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:42.r assessable: true depth: 2 parent_urn: urn:intuitem:risk:req_node:anssi-guide-hygiene:x - ref_id: '42' + ref_id: 42.R name: "Privil\xE9gier l\u2019usage de produits et de services qualifi\xE9s par\ - \ l'ANSSI" - description: "Renforc\xE9 - La qualification prononc\xE9e par l\u2019ANSSI offre\ - \ des garanties de s\xE9curit\xE9 et de confiance aux acheteurs de solutions\ - \ list\xE9es dans les catalogues de produits et de prestataires de service\ - \ qualifi\xE9s que publie l\u2019agence.\nAu-del\xE0 des entit\xE9s soumises\ - \ \xE0 r\xE9glementation, l\u2019ANSSI encourage plus g\xE9n\xE9ralement l\u2019\ - ensemble des entreprises et administrations fran\xE7aises \xE0 utiliser des\ - \ produits qu\u2019elle qualifie, seul gage d\u2019une \xE9tude s\xE9rieuse\ - \ et approfondie du fonctionnement technique de la solution et de son \xE9\ - cosyst\xE8me.\nS\u2019agissant des prestataires de service qualifi\xE9s, ce\ - \ label permet de r\xE9pondre aux enjeux et projets de cybers\xE9curit\xE9\ - \ pour l\u2019ensemble du tissu \xE9conomique fran\xE7ais que l\u2019ANSSI\ - \ ne saurait adresser seule. 
\xC9valu\xE9s sur des crit\xE8res techniques\ - \ et organisationnels, les prestataires qualifi\xE9s couvrent l\u2019essentiel\ - \ des m\xE9tiers de la s\xE9curit\xE9 des syst\xE8mes d\u2019information.\ - \ Ainsi, en fonction de ses besoins et du maillage national, une entit\xE9\ - \ pourra faire appel \xE0 un Prestataire d\u2019audit de la s\xE9curit\xE9\ - \ des syst\xE8mes d\u2019information (PASSI), un Prestataire de r\xE9ponse\ - \ aux incidents de s\xE9curit\xE9 (PRIS), un Prestataire de d\xE9tection des\ - \ incidents de s\xE9curit\xE9 (PDIS) ou \xE0 un prestataire de service d\u2019\ - informatique en nuage (SecNumCloud)." + \ l'ANSSI (renforc\xE9)" + description: "La qualification prononc\xE9e par l\u2019ANSSI offre des garanties\ + \ de s\xE9curit\xE9 et de confiance aux acheteurs de solutions list\xE9es\ + \ dans les catalogues de produits et de prestataires de service qualifi\xE9\ + s que publie l\u2019agence.\nAu-del\xE0 des entit\xE9s soumises \xE0 r\xE9\ + glementation, l\u2019ANSSI encourage plus g\xE9n\xE9ralement l\u2019ensemble\ + \ des entreprises et administrations fran\xE7aises \xE0 utiliser des produits\ + \ qu\u2019elle qualifie, seul gage d\u2019une \xE9tude s\xE9rieuse et approfondie\ + \ du fonctionnement technique de la solution et de son \xE9cosyst\xE8me.\n\ + S\u2019agissant des prestataires de service qualifi\xE9s, ce label permet\ + \ de r\xE9pondre aux enjeux et projets de cybers\xE9curit\xE9 pour l\u2019\ + ensemble du tissu \xE9conomique fran\xE7ais que l\u2019ANSSI ne saurait adresser\ + \ seule. \xC9valu\xE9s sur des crit\xE8res techniques et organisationnels,\ + \ les prestataires qualifi\xE9s couvrent l\u2019essentiel des m\xE9tiers de\ + \ la s\xE9curit\xE9 des syst\xE8mes d\u2019information. 
Ainsi, en fonction\ + \ de ses besoins et du maillage national, une entit\xE9 pourra faire appel\ + \ \xE0 un Prestataire d\u2019audit de la s\xE9curit\xE9 des syst\xE8mes d\u2019\ + information (PASSI), un Prestataire de r\xE9ponse aux incidents de s\xE9curit\xE9\ + \ (PRIS), un Prestataire de d\xE9tection des incidents de s\xE9curit\xE9 (PDIS)\ + \ ou \xE0 un prestataire de service d\u2019informatique en nuage (SecNumCloud)." + implementation_groups: + - R + translations: + en: + name: Favour the use of products and services qualified by ANSSI (strengthened) + description: 'The qualification delivered by ANSSI offers security and trust + guarantees to purchasers of solutions listed in the product catalogues + and qualified service providers that the agency publishes. + + Beyond organizations subject to regulation, more generally ANSSI encourages + all companies and French administrations to use products that it qualifies; + the only proof of a serious and in depth study of the technical functioning + of the solution and its ecosystem. + + In terms of qualified service providers, this certification is able to + respond to the cybersecurity stakes and projects for the entirety of the + French companies that ANSSI could not address on its own. Assessed on + technical and organisational criteria, the qualified service providers + cover the vast majority of the information system security jobs. Therefore, + depending on its needs and the geographical position an organization will + be able to call on an Information System Security Audit Service Provider + (PASSI), a Security Incident Response Service Provider (PRIS), a Security + Incident Detection Service Provider (PDIS) or a Cloud Computing Service + Provider (SecNumCloud).' 
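Review bot: Both `41` and `42` are removed and re-created as `41.r` / `42.r` (ref_id `'41'` → `41.R`, `'42'` → `42.R`) without a redirect, so existing compliance assessments keyed on `urn:intuitem:risk:req_node:anssi-guide-hygiene:41` or `:42` presumably lose their requirement after this library update; URNs are meant to be stable identifiers, so I would keep the original URNs and express the group only through `ref_id` and `implementation_groups`, or ship a migration mapping old to new URNs. The French `41.R` text also gains a closing paragraph recommending the EBIOS method that the old node did not have, which is a content change rather than a translation and would be worth a line in the commit message. Minor: the English `41.R` description ends with `determine the security demands'` and is missing its final period.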
diff --git a/tools/anssi/anssi-guide-hygiene.xlsx b/tools/anssi/anssi-guide-hygiene.xlsx index c904159c067f39f46d8991829308c1e76ad109ff..f29103fc305c4754f86b5b41b502e8a814b43e7f 100644 GIT binary patch delta 56292 zcmYIvV{jmC)NIVn#jC)u8H}?w&c_ z^PHrBRc?S|D#?OFpn*Vvz<_{&5QF&I{lu^a1p&#g$0Pv*rc!on2AI%BuAzOxlQ!nX z@MD;(3@&C5DW>>^mb2H5GDEUY?k_!Y++*gc3+uMnn#Nyx3>A|cxeVATbVYuQ(Ovo^`laqD# zL4u!BQ{e_Xks2Mw(>D*D0B0Mpij^y|EoJYy>GS^E+yu?~BoDjzqnFH=Y;-rzN$(3; zviJ^>gkNzdiOkgqoT&z3w>{n%h5tZr66A~>N+zli+;?SrRQSmXC0kM^1!UCI7!%vx z{Yn}}WbrRLj(+;}Wa7ffL5paXC!AV%tJDk6D?~C=5L#m;I5{{F$0FVR4h{lx0Sf|x z_^%yac8s2mF199)jRbDw!HM}>|cI0-~~-p8g`bXb*67e&znB8&2NSr=EnTYUC~X zr8TA1!TbSy7jgIl-4d;j$eBhIqg;?t^~=Ik*?R8JOs(P4W*y?{zFxpUHSVM5GCs!%_p*>PaWqF>*2=y;XOyk~d0oNx__E4dWTPOgqYV^{6bGWr;I$ zee4WdVz^K%NZAvi$@?~^&)`gJo1n-?f4d#Q5%^6YQMq!}mY&`#Po9C;w)Gy?1x9Av zgIs`B`W8c-hP1)Uy{-&3;U6I*A{j8$$(je8E6sEd^w@C5cV?RD- zM`4N0yiMS*!J-~4hd9*@?)p^pa&aDL?qmds&!10$1+fU-|rQFe(9vL)-^A-Zxu`^O`9?r||ZzmvFA+P?bLNb4tnDmSK z3Hlvo6U=b^%H4j8;=3e+6UKM69rJpfLB

QUbFuVBBSdg8d1C0pZRsb@yByb1y} z(MMbn>$t0RQ{{`U(!V9!S{+wu!kn;b<>|q8L>ruuMpnV2{6$bkDfuskoJT!_r1v28 zS+Es@4`QpFfrs%y9@N~xr*XlljP$=)s4RNGB zQaTDIi*^W&GZbJ3lfC;1&Xs-qDZ3uRgtEy|Pavm;X)3AI*`Rvn>K5P&CR%P;$Z7m# zBorj-4737+3a;;Br4M9A?tu3)!UUguE6e** zfJrHJTxyV06$g<*aQw`dZD)srtgrK-Wqew#)|eyaj2RMl)Y%*n?N1%D(Q%5%A)?yB z1J1DVbfX5`K{HvV4R+(PlYk}O@Sh?bRW{28LEbv(Vc`s6{&3%7ACf-yGavC3VHvMX zsYgB6!?U+cZs0*czLHskkm1-C$R@r+fPi!%B$Hzi0ou_UOlYAy@E?dG*Ku8B1fxUP z4Qy`th$ZKZB!;6TX@@csEc74O-7aa^Feyw%y4zQtGpTVD@sdjk{8+T^x^q@YDqz)f zC3c*UAD{NgRL;vs>$iIvUOml zF&0qu>Bt?z6b6w={=6n|FZG0olx8uk?NH|$3&~W-yys0FCppMvCU)(NkJWh}WPgZc z_n0D0vh%)7wHyx#|Gg={zW!&Ek_KGH1u-Fs8xH>kfyaE$hmzLtLmo(ap4@_&-)h~# zW|HF#X!&}_x;}0C9W3r+oq46_uCBe=Ls+>%EYf5HRM^VaK593;4tG>M83MvO?WH|>bnxb50^NPQRg((`;&6+S@sb-^tk#L>s-73-N zCB3)tshDpLL8td@zt%Met#t1bUtj60kcs2=Oip#+i{cmbD}}kZk);m$Hj!cKvFu_q z#w$t*CRGlzl2HTQteGtNo<4us&4aFkV5wOuGS}sMSj5gU;cy5s&fdn4u!1)syvniD zYTX82c2j=&eYJoDMq)uhzCJke&UFI1VSPhL!QXQvr;ER|KIuQelXGxwze71*iq`-8 z?itbr0l@-E?u^6%vQzXO*O}15t|>1CwR$Lt4TX@bA?+JA*2UQ$oiDk*YsKzQaX|81 z_Fk{Troh4$$UyKa%(!kp;qf+ZMr*I$ucy;-!>~!YjuaEPJ_fQ z!w3J2VTN$Fk;*Nxf74daZt#)j3}P=0rqVzKe|^YoeHB8z$H^u-Gynbl7aBbgoPlej zr&0_=jzBd|xs-D7wLTJRln0zYvEDp!tghfB8JD`sdBk%O_qpIKoEPv9>hhZqJ ziDA8_1MYJi04GR6EfrVw7azk9iGydru6@yMaPr%i^a7twasMEZAz42W5HT7&?8QvT zN4MaWtB};mC;z#Zr9ECSxQwn+HSw44r$C(O#m>|w)a&?~M&48+@o>^o3=WhuSWJvv zZ^Oi9eaDQ`cX&sYD01?a4B?+fW}HsMhtcHx!c#~tKufW)Rj-{fZno%=a};txSZ{-+ z7vo?kn*?0ea1JuKY-*BYl`~Ba7VVD67tkK;w$MYSWc{(>-Q>!2LWrL`gXrMuS(uAX z6Jg=m@Hs5o2-WQ5BCC-oZ{IV1NxEOz{J<16u~E%S|MVoM%Eh|7=xY6|DiHQd%8Bc3 zj#StKaM<)1W4fnM=8Dm4hbxueP7ifp!xAKGNs3QtE9+ZTMR8<{3MbWdv43oN|9c^W zGsGp|qMuW$>{eKQEbPii6$Hlx6~j*oLuueN=SJ+ZDLJqzsh~jXLX0Ai$v_!1nmu2V z-D5i<`2Qs&TW{WFg9GV3HAXNW0{}@%;)%07%On8?_bn(Cttn@UFLy9Oh>=@cxfcCp zL%Lbr_&_?tiwL%R{9kVOUk*nn_XnQ@zdr9j?s7Wc?jKhsTU(!N4HZ4}dOjn*xVHUX zM-dondp~ck@6uaW7WA+p z{t=e|rQ+>d9Mg_>@Zwz%HzTsM57rE#?~L#)H(u$CX`BS-EalHP)v=wi!Mket>|n~f zY>UJm#>nBW*d@co!Ny)IU;1{w1E}(GbhFW`lZ6q?`Mj>|oD@ 
zpyzj&@j=CCl_}Qh9Yzqg5qT{H>SGzT$Imt<^>zGx9!_wq*mclszzW0`HOIpmW2GsW zoz2nIq7*(biCjCAW~GGzuYrJfgVaa>=UBZ;?&gP%wS>!a13VIkMX2U>)P1;?MUkG5F;>$F`{H*o|wc}C6@Brcm~4vclQNrb0>dc9#? z3fOlc^4GgQwIN>#>MNhlMtUfU%7?;V;*i9X|J%0Arq0I`_m*;CAmtVa-|dpl8Y+xe zV!M_GHGXVx8?-xRu7;%792Uu^hCybRS->m`joi^4x_tvLK zgb2w~1Jg9*Jx`ffNf9A*H&W!JmQ0mcEZvQK?Z2mKEMSj|gG##;e3u+JpQRbcf&tLM zURm0)tILxvPD_{Y^?<|$)~tC4Qy95j=(y6B5;wL;F>!?;b?vI5>g8S|)rIg1`d zN}QAxQX?12;s{YAD^(pu8qw^r>w=D}sg;ouKU;P&7v>V(X~Nks>r*CFbMsl^^=mK&JrM{sdKa!Xcd>Q0vWp6o4i&v_VA00zhSZ~hAzjcX zDh4|;%B9SvX~SiS8TC@luQKO0b@MT!}X zj!g~1LE}WKo}&+vB$aS(WIS;gKvC&mY!6uhh41%T$#0W3u3XqJUztg(ihXHT`0n#poBtaH{YsfyqWHl*3w2joDz=2BLf(`}=CGf<(2*jE=MfMmzHg(^h&l>DkHM<`SrvHP93zLBr) zDVaN79gab(V6Ik76h#|!18xHjRiX3QvXu~o6XRjDp5KW}QRx9UqKqS~e5CY&?@f_3 z<84Qh2|xDzfPy8&UkSk1ol4Z1gg6KvY3K8m!Xcw2P0+*n*ZXOGS@3xBGCoDENvax{ z5zT6U-8*V<1gaXUU#U@qr))S=J|SE(tn)pRQUW(>{S*uB0b&#tTxSF%@#@c^T(=cZ zNkKSI%!A=<|9a0-f1@L8FUC^8O!dq%lYI=E5y8$IRNjFj1CX3yLca%SRt_Z+;*dDz z=O}pGJX7N^CuaJM>&rXZyb=gIz86=QpZTM5W`ZZf===W<08suh4+04Vl-9yKceN^< zG5w?xG~O|U{$Eu&2Q}bqkQxK6LL44=v9Uo9{+)Xoq@4?c7p2wr6J83hR%#Yzgs}d3 zT4?p715i;qS2B|+(0wP6D?$3Fz6_~g9ysKAoy!A1wEqc+ShYA)PX{c$5Ar;+mvfhj zVr=#u$1K6G?`bI!vc!eCx1lE`601x}?gRpz&G=*Dd8@71|;f+9)DB z9(kn)(LU9rm~rvb5MOeZN?&O|3k?hMBn3n;(9QM_-(7tM)W04k@KND%298yy)I6w4 zA)tanA^aGA@*tr`FA7`?6J@+eQNdtFpB_&bd zIHqa3Y(*-sDn`h~pCLwyV)?zR;?dp{<{w*xyF`hw?5gx(M)K-`j36A#y|HKSR*2lH z7!ZzakeXO2kaOOUGxH4;p#{Q_t=5;$zUunzDcF}$jD%D#xbS5Qg@0119#bk5QFPDL zgd3Zrn6gf)F$*V^9Z3@>N4aZ{;S8XurGJBDcN-YHLg{$t(EeA{(Ep06wL@+s?>=*v zq8(NZ3$a&ub?LHurinZNs*4&?HfM8%6)AL*M_noq!C+0Y&I#*HLe*5~p&{f>Qo)1* z8jy1fe}k$P{|&M^4$UKRj@&ZqdjS21_o5i#WmYO4yO1=w3)611nPIK`oesPVH=Wz%`))*PhsdAej>!& zLPZ?GdW1@!1iob5cPG$PWo5SEXZ!X1uw7n3c-LV5P1=9@Hy9ZetT4=o!|a^wCp?Tu zYY0iYjA-DCD));g`{3FeK(ZmAee6DVbh(Rky?d^AM@$QIbWaPY);Cw<)ARj|Nj5!Z zzd^;z6-8T|<3Rm$pf8dV6Y~+S>SA2nET0RLD@qenyjN`yLz{c1h;pb80F zISEPDE4b~(obc+73kLTJ9Sb8}`?_I9rXAQrD4iTI8jXS@-6@n;qxl#NK3Qnq^qqLy z2`PeP8v^xj&P8evfCJ`aGSo>Z*eF2gxA45S_2Esia;c!toTe=s4-Mi!~A}inj 
zGcE{6eN8RE?@Q6feu^Me_7QRjKHa20g3Blivp=LFR-`I#KRm*-!3H&)Ya+LoX<>+X z79s-tbLzLAkPGF2YkUA0#}fUw5XidJA2w(Y3$wG`Uy}GqKq|7dK^~?AS<=d@ulw&% z!3n10Q<1IjZ(9s#A&k^WN_{#P6GG~u!)eJ+Z}GLC(ErZ~VVjwU3u3~8+||VX`e6B8 zPeIe>^v?*TdtWMGf5|};yUs=5&bijZQ*cP%jl~5=A+>}5wRb^>*q56^Uqii1o+8~8 zW$Pf*6wzL;I^Mj9UfV1~>yAcQG=y8ol4lo=DVx(dYd6G!R<|Q{)*YLXe0wLV88A(-2FIa5b7gLZL+G>zkD1ASV(UM zVp0xxHausV<3|<$*Tl>EJ%>mYsBxmwa-RM9+;boHza}0Knw{IXP&Ph_xF5`cs|(H* z6taBO-*TrsY(F*0Y_En670VzCzmQK%)%5n!Is+o$$v|>`0 z?`|0p7{+_=XxrYbnTZm=i^iF?wT!A`k6fP=>sCe}6N$2R*Rd2E9o|>bj4CpC)5bx>Rm=vS~FVIl;JPAyL;jPwIpM!Fns-^Ga8} z(zC1hru*Sy=yYy;unTa__EM?V?D^&J1Ro!qB)-41$p^9FC^dkcr!|19ka#RxyQf}$ z+X1jvrDywo7=QcViVNcM1t)74sxu%mK0(}(5&qqcUZpAXUWd6nI}QB*aXcka{`&wC zl0>b@5y(P+o{gwJ+FmtvmWVv>PYN8~%$% zVK&>OGzsni!$uf>;s_%m)Oz%nO6Zy3gxNB@85M6bwd2HTLBb!mjx$XO1>ghfKievK zIRdFs1ZfQ#&#FCzV&O_kCt$1D(kS2p;#5X zV=83PgiOwY01VA%(2CZPw2^Aa}0Ec{FEY zOm_P+EkPr{jHhD%o^bH%hLT4pRshPnnsE;%%~ri~Ase)&aw6&Q-n@g=^C;;(1Y!)h z7QH21fzMsqKJg?8tts`fI32Xsqp`M0smx&$q9C);Wdah;lr22Qad>OlYVziCo$4S~ z<@fcROABmOBgYVSG<&$pdSBCFAsKb+WyyV28l&#} zO3~M82N1^wii$Q*83n!GoGA%^M>znN`?ZOkgDl;b6wtrI2l=Ed+i8r=l#&-q|4iTjU$Il_GT|MlmIyXv8Jg z0y|2Kwt&dnz#oGj3Us!w(@1Z29_Kd-$_#$HMqsvTo;@^-mb)42%5Jj7F6qaq+w_vBEcxL;Q zfp0c4CxlLxbeUcLHw; zFB1*ilSIo*>OYt_$!m}x z_Sac(9{<-Vw0>`{BgW*zaIL`e(Yc}E+Y_N%=Z9VQ&uWhIPffzj$4H z;PqOdD-)n!A#}T&Htzmfg6@4j2i}A|wHUv=P6T6j-rtXVpLh2SuhIy=T)u9sd$;Ll z(<%>Zc04|Mey6@&G74@2?~{lRkv;;=XP#TewY5`^AI6>M7U7&*YZl!{Pb(X12A=Eg zo{pNHjxH?L>a z67Y0v|Lrn~`#`s7;s4~}yer@SAl|z{O4f7i!f(i+)jFQJ<=VV;Ycfq*C#1`8DY_R-^E_uMIQ?cqVj zC*!(Bo1PwWyMFCYY41;aZ(05+Usw0;HDLPwhpSnC155WUn&gzn9Vlx>xl{m3m)6LWS2IUl9eaMtl|op3rgTw?4{$ z)0efHYEKj@q`TcRAZ|V;4uXTCA3gn-7qyQu*ORI~?bU9AZr_Usfv8)f4pSEqJ`TaMVF30yOu+i8fW=NhlDbjqkZWu zdTX?n$#f%haeXCYwq#nW5$HYgi2i)78|u>rp-02j5Y{1%COFauyZzeL2G%imP9~~{ zvq<4LuzMi9&n#Mox}Fb@Y+Rk6(uV5{qsrupZb?0E7F*EEJEcBE*5_XJTQ4;)R%7*k z=XKExhnJjOe_v_9x7t`bvWPSz!2Y|kaX5`q>p=`^Xy3v+zOGjT4aC~~k*Y6kxN02y zR9W!v$qrB1y?T5)S+uJz0~XKKJu^f&x4;ShEj^m+ye=btvp>4DtsFyw7 
zKX@dc7x3!a4>aq|dT6z6`Llj0;OZZ={fH*5jL|j79UnQTdG^U=Ybx|bFWDsS(7CX| zIuP0Zt>OPJ;}Fljk8yIL-WTrR&;6SRQ*dz_>8KT6j<1qWPlqH{1pup_Ky|qOJccOu zT|GfH@xKoW|FFQlU0zqbV);2IhT~I&g}tv2fZ)e?>`fS`p?u^joJ?L0e~V6{7SIeOIxz_>L1Nemri;9r%%JGapu^vnl*m~kHsfe#){Q7Y(oaA-!l|J_Phe|g4o!`3RTmSsI@WBB|sgk3k|1hUs< zUd|J=+!UTKE>=IqtMTzI>6NyCbvJ6UF>5^;XO_94UqAC|FOVSRJzsHRdlMh%?W{u_ z%yI}r{`4%lmqE(v_KHduSD+Vg2`e|v53%tfMibZj`fX={02 zq4v?b;{{FH8_>(RxU#UmCO)Rs`#{Jr>vtTL~v_?BNcI_oC?5Ajy6JiR*JAMxd z1zExat&P`xx0)6Mqlv0Ir-WBiI+Yhh1PK%$7^j)x{jr6>LM&>>Hj9cTsirZ_;Wn~A zW=Zy{Bot_!`i%QL!-(Hap#Q#fUE2D#RY_{>pmd`+0(hN0PfG55#s<-FcZCPuTpM)r zysl#+OPJuk9DQUx1}wcl-v<f*Om@aT z!<_08c0YA4R{>)!3Pa>1(Wj|b+F6P;4X_zPLs218Fd`4v$VDhw0&RtoPr09au7g$K zF)!m-0G?VPu#WQ_2I&>`bUBM4fqX7_@AH1QwUOoD+}@K0?X&LZ{^Rvbdh~oPq)Z;S za{;4YZgcqVs-!t6dYo6Vd5Z!>4+$G}S40V9)qJvF`ukQo)sH{)&yYtjmX-=4Qo@Eh zaafs1l|=q#wBh-dE0B*P%P8nKlnhR;T7e_20IRb2$=|D&eaSqAC$PXDVW0AV`}7Rg zDwp8(@f(gZ%`RpbNRIe!ZRKTamTmdsT8reMtGs_-=9`V~3B=z9=hv!@oexe89YHCC z_b$cj!Rteb)Vi_V5`Yv{sqoUqNxQp^g-|sDj-Jx#ui7L{nnFP`(y|40i*ZoqT8cv_ zzzt4)IxUtB6SquNS%)gQ8maD6hSo5tvf2rxkxnxmUeQOFOa9$!pnLi;8+ed0hHTPK ze3pn7gc$fTiCgnAr75Y<{2T(R_Zw$(?ZwIR#%LppX{zciwCELo=XWQ$ci9%^BXILP z-`l?W72B6kRFnfoUoUIBiQ|#4^(r ztoM;E$J6TNLdgp|s>7rH@wrfO#SMf@fr)Sfji7jsukD|no-YTh)g`!e?C>%?C~9*J z{)<9+u;ZSS0bAUBupE8cCF(4MW>>Zw#sMw-T$n{{0 zT9mFtyC$VtHl_joaE574P!Rj*N(vDcX3RG1<$O1i;9G@xZxc;uk!d7? 
zD!FCEw*#n#ftDE!cBPp*tEM<>UkFy&n8lowF%K|_(PEaiVdG!k7{dp*fQ%xqNpqur z*8JHL=*)bvqEugUu|I@L@JXZFr0ZBU*n%=yizRY;3s1lb<3MkQUv9Jq<*z#25NF6rLK- znVQ8=#B)$tBAyHpS-8e1&_BCQ5L&19MpRUG9r)Xw^6rUxN0>ZP1k;>jhp?$W%2jpfYMzO8qEimtflX1l=PK$q>sw!5XcMC5mG>7Z64F6(Nq4XZixqgspMBf3@ z6oPCRZ<@(S>O>w(l3%=eR)s59)Qov1#U9>-&M4R~-9uV-+Wi&*m|Tt_o74Ci%PDQk zeiXIxoE;=wL<2|GPZgHInlqp6vgDfX8eBbmj_8u`M!{z97CP|EHI z19a_>&s7*5^lWu_kb13|+~H(Fb%gF3^6~X5eIR!X#9G%P6f54XH{Eo?W9Hm9g%=*XyMqLw-K|DpR`Lizc>ayr zgtN*{?s@!NQ6bMwFE$nKn~fFNRcQ6D?DqRHK8GJtiBTp-)=U3#U7|58S$RJ0OPw=; z;(-04)uY(O(?UxJEN&R^_(31C%AoPck^2qF>HcF0X zhqwxN*6PlVYgB!#NhA}~eXFYLPDA2ui`T;|)?_D9kClEkrzxMCzUU=lbL}C}&u5_; zzLhVSI*XA!{Lgj02Gt8X7P1r7j$@J$C!Y@thC7$ zh&(QiGlU`^;Gj(aA*iK|?(}U7QBU4umrM1&>rJh9RCs+psE4%A*wYA^#F^}iLKZO1 zO#KUoU_O2S^;3P#reC$n5J&iwFlG5MgIUCx+9l*CKldOvH?@?Do~rb=Rr5;#H`(J= zv49l0iRs<&)WA;CZ$?q@@ImT^0h3JNXYvv5H>5 zhei!9amO3wWjqKhkkfji1aiZ*LP5G!)WLq7zhq&YO)|wUCfFAs-|>Ji))TonV!b3Z_B;*rxbKyUKcA@B>mCQw3N01h|jd| zKJ}p>pP~QeWpRURXo|)fCE~iLN=2lBJq+vFPHZ#)HB3AU9KTXPn&D=t2W>NKoKa+A zWocW-(Urj+y&GD4H=1bndEhBZ?+;4mV24}X&rmB^cfX3aE@5e!StnTpN5*6~QzQRR~Fl=qR#fd@0u%Dx%6WNQ5L(#{8cr9|% zg*Nw>W7=DRG4c{pGa$H<4@vbI*hvSPL8GbWrtWp&A!o$|jyNK~WhFvvDUlgK0W*;glC&3??T_ zPS8f7%-B09#tpZzf8#`-qf%f!#<-(N;Fu;3ajJ*{d>mkB|v?_^z7I95V zjtjbRI9RYfP&9Pg_Zj+Dy`U4UGPpXWkG`2bKJT>+ns*PM`eEwJ;~K8p#ZfEK|&aZw;JA+hoUb&{AO>Y8cea)9X~9T)O1R7=a$J z)zK{MlZ9Mj@3`*puGIN8Kmb$a`foLfL!57xMOrFc8VruEeo{IakXxRuImm!>)Nuaz z);HLaUuRJP6ee(osrr=~>N*64C--A$>+XmtE*b(#W`B&}G?tYNS}FuGvb#<;UfB$Y z3$ct{-irr7G{HNw)l%VMi<#=N`J+Bu%GcP;)Yuxi69!f&FBe!Gf#rsE&EluOF$@-{ zluX4IVE6J>2@yYarYuHVFBw6CRwAufM2nb=)PBvYJ(2xtBUJq6GcRBU7cn2A0#Owl zaRpFhS0DTZZ>5F#39Vv9>5M7jETuB`gy~eGJhlWujWJS1&hD?IL)I2SO~o!Y7EN5SbQIE)Q;g+eAH*|%`XLd1H4OHam^&&NkU!+DlVR)SNoM4ByI6fr zTa;Kv5sGQl0OF9C;&tywE|ZtX3IQl^8AA#mH+^tC{t6%DP_aoX#cr|^6Aw7!W`_0- z%9{F(EPA3MW4U4w`>D^yRD(WAcT&ViXzc{2$ zmLnM!Vuy}{`P$9xh<7CXw034X%z)i&o3`3u^%oW&0@Mk&Hr6vBjDsj-_86PqApFH% z0yULUQ%N5a5B>z29@1@5yorF|APmmf_y~^=P$N&aCo~!2r_CC@tghN$|GE~4b*L;Q 
zV5mmZ1py@xp5TfPy^n^8c`qcDj^UhATQz;Ad3#a5jfKw9IGB;(heuql+nAPc4e*t* zNZnqm0E}DLiF}fnb$$(Si{*5zULKWF+Jg^EahoF#5b{`k^F>O%`6JrEQi$QiNq$KL z3xB2L(vq7vH}ige{nj|3$tJxCIyA6h)C`@@;oK}i93==vL<6XURCFq*WJn$+^)RfK z0vf-n1KUH{_8aYW<)vZABE-6fgyslZK#a^kfb#KL_55pwX#(cu`TTjmFyt&%R-el7 zAsR+l-sQlS9<7^+|xENGfiKV+#C7^(Hw|zOf3Rc=`O^vhF@u=FRdGk)e zyMy$#zD_yyojJvnbItaE$0|Kv+mu`spLDD0qzq???5E8(nx@9S1NE?-EDt;Dn*^yS z&@E-{>olM&(ddDQ{m|21>O$nQaIr|)*HSW;n5cGF?TkDiw$so3K=S=<^asiVqjWsV z6WMnLLKDr9e7(N~DTs543=sX!b=_Npwen|5?DH0QIf3|A-m2p85MBubWBby9hheyf z-b8DcTa0b;YVCUL9ALLDJ0FL$g%8db^hfkyHByXGnvgZL<-|tM<7g-N91;%Q z5(IfJVuG>LdG-#Hyqm5!D3KB*{~#qjsW->E5&dA?yR=^-#pHQylr6ut0#er>fdg0T zTch$0K|H4xI8GKzJsWD;thkhBXFdBAoZEAagmV>rw~u8{GfH$ zx|-o38caARq9VlT(OpA9&6=P#eizG)gvu+llowJtExx#*FRAc}b=+qFzWONW3wjL;kYkV-VSI;<@&K zIi{mYwJf$bFx`Tp4p7~lYEPp{!#O4L5{}63)8RR|MdqO0ln?2tiULZY&Th$G?NUP7 z@Udb?@?e|dQCt~^2s?8re?P!L^LFAWm@YK4^c85+5}k^O#_jZ>1L(jB~CJ_v2`j=bmSC!xg>|M zzulNFC+)YfSxn-?3VGrVc2eEx9=p4F+4YRyK;NxwL6~%Y8QLaC?D| zaY;0!Du(-N*|7>mgIte1|JUJjN|rhCm{Rgz_5i6D)OI0o4=baB<|~$LRIOaM#@Hqd zNr8oR2Cp>~c{@6BN+TjkUw}OQ`J;kpRBgYYt)}{wXp=O9!G!?)?7=4Jr&;XOa5QI* zRx;hYa|zCfd_bidCQe0pCK-owpt;}}6&al}y{+1ylP2ioFET_lLG=_8v?nFAB9`yA zerm~0QA;_%y(87Ji%e$SL`uWQuBt{fG;MW;DvuRjS*T{L`Hwvpo@1T?o+9ftvm6sS zdlCEJ4rg=qzt65CFYY2w?%bgguQbvNimtK^;c4zWDecvnWQV{a)YG`jJ?XZTUk{yT z>+L7d^ZjpFVT0?%gykwiVSU)#a3Hh2Tn_LQ(uMwIgS+vQ^ERnT4GZ_p=}@F{MGb?} zu0*Iy=wb-*6X)30&T?`$81jyN&d}+uXP$t@PbgG!q>5rNT>jg#=BptSx+C1W7IxEQu!K zJVPu%$T@5N<{T{ElLxctT=XAjkJ?E;?*%=&Va`$CAgz>6N`VR1Md$-f`uCwv7 zbZq!}wB#6X7rB=!BSw9XZVHBbrAfuUM;5)5il=^`^p<&6ZJ(4>Li0x1P`&j;a=_Ac zm$bY*TJS^hy2O}F9C08-tTk$qs(u}?F>FAX9I>goqAxj*L<(ldv-yd#B`eCeEu!i0 z3eWRe{-^02Bx^ana=CU{xlK*xnn!+oJg&TD_92?)Z*w=&f_z?C$gv9o3;(#*MQ$81 zH!O-CEh4$uJ!$s_mlQ=!9+4|p3cOHE(^gbGtC(x&6>KLA;lQbc4czH z3poldK6Jx2h^BLp<}R=gqY)^vA;|PxmB>#IE>t+w_I+_TbPcWZ;sk*^Dq%;s7_(I1 zwkN7t^};*6ZV$2f>bn&vwlTV+UK_D~Z&{JoyOcJ@9LDdA2OIT%FxH=6RPSR$)%~s& 
zHO?+gq*N{rjPvU`G9_4+#Y?w)jthLsoLt`2N=3fV@xS8Wx7Q{x!4;Xn8g`odqz*tJeKJwpm7p_ezrz&+X*?BfJH)9V zO`-fNO$$*9N8ebE3)S>nH1H*H?yQpHx>WFsSV{Semek3EgeAX`a3&27M6FSS`xUqC zpLMqM$8)3S*NXJOzaIL0`*6=Na8>rRhKM8i^K^k&OCDE{&Y^dodtOSKHX-48jxC~0 z$0<*p2A8C~1cr5B*V0A=IH|NPSnM9N%s0Y2MwC6PewW$kzMe$#Dk<2! z*gaRfku$$-Hz&_g(EX}TBVy~J_nwbCa2@$fEij+|EeqLG$Xx$^d4SZ_L(@epvN_M# z(UCIIT@?4{ms>$OP#3biCUC7jA+(t#_Kk%~oNkk35HE~kEa|=vK#i3wNC;=(Rca5A z<|Qs2j?`7xq}j1qzWT%zlUf{G`mUR(dmmoX7FPsi>j*)|;E9zPAYVkm7&Se8b=oPM zEQy%l0cT{Rwv(eJQS3xV!euM!yhU!JI&=fVOtXC&5bpZH&xIhTI$0*Wo9$EhUN(k$ zMeHnzpFI>gZeqR%pjcgBCeU{Q6*Tv-)#4swCK(5)z23 z>4>9=G?1TO=`+_J6Faw~S5)6)_B*YSUPh#SQmU zWxrA2LA{~UrSA2s-_E!Pf>l<6wfD&Fpf z-Q$+_@WT4Mwk{;DRRhApD`W{$WavVdl;j50v@O~-jfG!8%wlvvH9DiPp!MmK#uagx}PP)-ff+3lwWF z9NeE{p%4WMEe*WP1^D&7>uur9J64Zi;w8labO*pPj{HtCGE&oI2WvjC!FVDuYlE1Z zPU{3g#rL8mlIbWlX2L0@{4CR9?zVLOha%!ehel;)_8C;M)hPqcv!1c0pkal#F@qy# zT^!M5_m6t~Ok96fg!*B6+x=Bw9Xopqh(Nsico)OMKVAg(#VBu8fuOF={kLM z)DD;7F6FaIa?*gq)`w*amz=W$l7Kt@%Tkg$ z>T0Rg?vsD-j3+JPcMWTXDym2Xqx7Dw+V-MkyR7BVNP&{WAfTFkPJKsw=Ho`%-=BU{ zh&aW2MquSGlUJ_wNs+S8`)WuAJ8uVY?K*|1p{bn*Ik`5{7%Bh>a_`~Vo+rbCu}Do_ z5n=}4JR~8;qRgf3S7Qy9IWcuh7E%MehympL?Z1E2`mK1R>9TB^IkFkYmcgWK8p$CJ zlb1iAoiXRfvH2J}QsiM^5becy>_%y1el*6UrnO^#n}R<cfJ&pxd;rJYclVtdST%bXZ29bC~1VsAN(WCoRU9L{-AXF<^RGOP=&uTc#9OF25^Xp#gXRHvc9VZP zc;f74AFxw9^SoH*(bP?w-Kqn%SgSiBPMU9Wt(9$MW>_@4aJ#m^C)Fq$KDHZTHQLz@ ztNoH@m}rh~#zGm6x+MU6=eKH1>W|N02XhLy?)J~_{`4&7Aqx|!mr^SlfVA=-S-d(` zbXlrqCK=0XyYC8KhY&gQx{L(&lU{#&gqcH3*1}v%H`6FrM>E1!O4|;-LX2&3J#6Bv z!nh-C}UEmxi1eACu#24VL>Dn=L1BZju>Xy464ei&MItTs$x_>ma%_30o}%U zCqTXG;=(y9m`iRahwHcf{Num0cN=2vk}aCLh_BrdU6NNWd5BhCf!gp5JjMIW;m_K{ z5|#wyRHYk;3WG!dC#0!{F=Ja~MLj64^bj8%Bb6Kxk~+(Ao>@RuI)~~6u_5)uKIHKW zNTsKMmCDFKm_q*L=`~kjmid1Tf=3>S@4!1p{$xb+vh}KY%lR^H{}7P_#}vk_$-5{; z7&dtd5u0i-8LbDW*;O0v(iJG7I%B6cXZ)!-ji9bVrIw0K>lmrLZShwmm`7a(;_ss4 zqkL;1zy~xtT?|x0os02cAr>)=K@*y@dp&Y2)U8T$$F=R{R<&>_%W8jdRiY>dy8MB2 zBE-dr`xL}OYDnX<83W!MbM%16Pt7vkx9^c_G~AVj 
z&YvG0+~BDz;wZ|f5ZN#nN!J)kD662iO*33A3TKJiW^G@j4O5d{-D(TtQKKNk_9Y=C;bgG0Ojh?94X zY|*?2h{zI7a}rEc$KS)c7Lgb@^r(L~aAUF=1GU^irpTOVtzp|^0)SLM&NOHU_maLl zk$H%dCR`!o#*CN&7vpHP@2=FN%kll8V3vf%+PJMUB1tb^F)aon%374u z>F`q?sN}FX4s)516PD-bnT2@A%G=yi#gHd)AbSHLAItA1;&k6-?3x@M9mkwWqokCl zyUB*r@Cm7)iobuL4WkA#?s42Akuyi(%oyO6bv6;6n7Shsi-KHw-cE4Vt{e~ru4YOV zr3*y6_?X95(o$0&XcpJCmq)u7~L;C}`P znl|qn%^Mz19SP6KP23Q%V8xo2c{jsN3K_>D5Fr5@(qPI`hTw)X)+T70cE(c7Kk`hB zp_G3Rqev*7K;Oj}qYSA^wvsA=6cGsVw3S4-#ik!O&=z#7CHAu1yIc1*k46!F9R4wi z?n?_1C?fW=w15vonz}R1=u)c*Vo-**z@T%$R#IO8gv|H90HQClQ4fy==KLNkPyghqIor|MRS`STCA z6=fZH4A)l{5451#Xmq*&o!|<5^)%Qa^vD=*U;+ zKor#&>&z!tS53y}z*ueJw5+)X5aXSZ!7FlErt#IYnB?{OVod*W6R4g)83NFj=6s0H z7Fk0_hB;!REd~-~7PS?OoV;=r!DTwHX3^WSsFMH9P6@OaV4F?d{La%>3mk6*-Hjfr zKC_c$1cnOId~B7g&fLJ#&MkkIu#?MKn&swBGV>9OADJnZ4Lsn+k|`&*#bKc)wMe>wg5o1^1Ij!t>0wYOSQ7OEt+A~{!v9_Wwc`pAO~;jx9f zOm>t|3|)?y*<Zc(L>gpTk;oX17&+5iFzS4Sj zTnJDK)WoqnwU`eetY1oze1;Sab9x*Dl!ZpvjEEZH5Ywcg9`&nwwA-q)>J0Ijkl-m_ zG*Y#AnjA5M%4dp7+CMHbCjqB{kdy_iHiw1g;ki84HAqE8M+vjZAnKgYI+XtvU)2`D zn13XAjZ;js048!1f>(boI|=O=^HfndB+F1+8KQ-+yk_a(&AOgxSrly4Kty)`QG@oWWGx6RcR|n?wzzOLev(pY3G{#mpLz@p}c>da?AD5zOXCB#g^mpP;6+&H2-! 
z?RWRB*YL;tUwVJ|`+cuH{Pi6#&fvl6Be8KW%HzHOyngp0U+x8-XSaNIabN+SUEYE* z*GIeL*!S6QzIpZ8%V&T8AAj@engoA1-=oY*+ga zDKX)vkAC{Izy9#2Kl{)^@NEjgw{2wdt)=Ao_2T?k)~CO*2vEP}q)rF#*w0q`%iBQ` z)Ots`$+3UlwEF&^`t^T)$d)vsf8WPW!P)Bz9WzTG+>ls0^*t%Sr4e$u*YikkY#&t}i^O`kO*8lT0R@~daR_=xFLakFo4KDvJ`i`|gw-}h?w zs{ef-6jv5&&>!Kw(<6yH)(b1<-P`FO9(t}H*%5!GWf#=pPcQd1ffd<)j)>V1fEcW6 z!csrGQWoSMiHSB=cJJsFoM@PRPuNBVoj{R^Sqj^Z+|}3j-t2^fpJlKW!K8TT3bA=@ z-yy|CPNM%ohhq@ZYp|o|{=GeDZ|W1!^92(1wP_ zLbreF$@d#CNFzh}7|%PN9rj_Sfx>y(9foUlOMg6Hp^4(+QX|vA2lz5CIcNU*Vv5mv z5V7fy&3QTV4%nc)jEjY+J7-#%M?03S5ZBnVDO^M~Pi&A6exXYe%M0w1h2Kxdfk6!h~BG_hAob4w@N+Yn4&xEYU~U$F3( zjMhSayoMe=?xTZP-=MfgZ@2ux1r#Y z!@Pik?jwdY(BXAfmbgISBc+!s@$N|r>HIeX<-!x{11ee3c~IY_&Rt4mc0*M_YEu?U z2}qZ}l>x%pG%9^d6);t@S+%!W^i+SttXL5K*36XAmmn7C-SeYU{%Ip$@1JTtv@`Ir zdVjtPsdmAyyk{_aYT=KCM*ggq9Jw7^tH~57Q%I>Az^T9O3Bi;sI_u1maR3eS#;0a^ z*4*wezvPEuTeaY&ibqNV@SGTuY|~fnp5ro2dFzAuv+avky;>=x0g3S8mN|d4*JluR zuTD?D$jt5IM_(W?jG%$0C*t8XnLDF^AARS2bPtgv`MPsDUgGdL_O+0dGYW{ZFNxnq zYM-xO9DG__uW%$Js!Gwjt#?`sb+MzGn5y%0TWlXXge{a!JM5!~dV4&*SI2_*aqKa^ z^<3s7{PxlFucl7owB|*UEjWK_$~;Ql)TCYH6T!AkdUV9y(wUo1^9a$oR5Sm~okeCP zAdL({X7Fk`i>Nsfjvg*ok|iS0u(d8+)VSGcbxhW}M_t>H6@n_sY#MiU4^`4@U>=?D zbl*xeH6=q^&y;(*zo{cnJZib#<(RKY`WzxoDsAvgoV*S{(Ob|l*Mlx|&+ zTv2{$JdNwU>$kXsYDv_1s!c9O1xn;5`MgL*4gDo5RnnL0!BLYo$KmisOhTUJr#rw= zjWi&Jw7Vq7C+jM6?~H%`D37K4@@m<@LfM(a*egD7ShqmjY@zE|j zEoY2HdXAJ?orybY|4_+gW1*avq#Q*9a$R?=vtY>y>?U7|in@Q1#*Ph+uIs~$GYMZ0 z0%L0Re#!ZR)EnuXzIu3@tCsFRF@*F9#i2vqFiHZN$$-t2CiMXy^|Hp~bX|ne>4(+8 zwU3j%K?b@nByP!--kBX9C2&=ctz%2Eh}V}k7lK@F4N~cVXCX)f#q+s(Ehdvh%?8=} zRL|WZTymzY+AV)Jv8qDs7@DVDQTo}LXO7~H1mtA2K~ui*LbcprZ&Ht*>aISDN{?om zMV%?ws9FTA6nhSpSIIhSu6B`{m{K;KKZ|{2E$VzTd5y`q_dO@XPMzFK2CI@B#1JV( z8MYSGEYxrh;zV|6t*#|YUd8&G&j8R{`u=gq}uG&AAR)z48&vO!v+$xXzV0_IjTcZZUW(KE@Py9HCOPzk@F*mZl=M%tGYRWyL60QeB~f z*m8gN;wT*JJr`O>4f>cNtte)4LpziH;Q-VpzL#Zsks%YxO_u4OOEM@75YDBK|z?@QC)=Xc$M~=(sL=S*WqF89_V<*NKIxSeU(m zb9nW&JRJ4{dNoin#g-yb&TlOT)#k*@H&TD(5Wi@?1&37;+i>eQ(^TqPQx85(RMLHX 
zu#td)E8cCcgK?h58xuH2>eNpUH8v}pZ z8e-PagCIcsNbA0bQIROBU)YjZ^|I`AXQ`?bliviIqVVyhI!q^nri%LbYGE#)ZY5cB z+9ny7(fbr5k_=uD6ckp6&9(v}zCNm2LUqlxsV<^ z_3S7ex!a%SlYb>49h=`|_IUe-C-ib?ml0MVuzeO&Vu zBr2SV&Ze1U#L}CbErBRs%P4;v_gUL@6#8uS_)$GvI(Ygs10(KRU|R}fHNpdY$oeAL ztauj*Mde?NNbV(sLL~CZN84Iywa1SzyGIa31S}9+noRYxaQm5-C8+(zd>VhFalTt2($t25 z!Y@>$C=+F4rqT(4efjDFiEPA=+{izyH{bh)#~G@70sY8_T(*!at{*#Z(H1QaHrI#> zspt3g!06lVLRI`kD{MdCgeINE1nGhiHmp6Jm2pj2Pz`4pALvck0MWFyV6Q^D{0eRuLmDnOtH?4$_)VJAUUV=e4a7OJ zD6dj`e8nq_Vq=0@XcX%-h+o-4T+L+DriSQ~lF&ON$9jJbfMC_nrIl6eR7Dym!yww& zSolLQhY(~$(UF_bu4&ND{5z?@_m>-kVq@Ynd>ZyjTfnko$TB0uZ(5bs6&_5GP7-Cx zTd zIEo+25`2F$I4*Txpj)sG;ryH9g=aMFRfx?$FDYmOB)G20xl09Tn!+v6GaSVnL{J28 z$17G4S#!_4pbp6(ogA><$xdEC=1yFM(#u|l&2`Oz%PD9OpD#7OZp6YY;$dCfYGXLl zBr7e2Lv6Nd1R-kBP!oX(dl;TcVj5^rR6oN03f6xc>Pii3qit>T!(ho}|NZgq3O*1) zZWx-aL$_l<*dhQ&Md|9dL)>j+E!|G#oAqk7kYoXXh1bLe1oRoLs0F4RaXgo8U7c;- za21JMv(&W3akCQ6iJ1zI6R#lMVILfdAo~$Bh(Umwr|N|rRgg#BL8{guLHnpj_&>Cr z%aVUx=aHS~iqJcpz^D{KK+TKVG99)82FVt~qzDs~**z>&9TZBe3si+e0vh=p`~sd? 
z>W=W-(K9jpUjEj~%>T0YE`V%W6Nv!M*=O&6|Ch{_Ypr~$hh!e9@v+jD4nBFS-fNT7 z(|V%mb#p3q0)R=Kx2`lR5sH(6m5`GlTN!`LS8q=Rdg^kl$g(!EVqVmi6YyN?$SOFs z@e7PYV9TYQHFsVQ!KHw@e6IloRG$xp1kp8uH~_29)n@wltK#8yxoh`Dh>Np|meg7M zr<$EFR|_+}gQ6ORFDqweSI)_1bgId`p{yu#qv;nX$LC5#%q<4do=u;e+(275Jsy9> zUiwRJ8dGN2CLb}2!jgOSSH+o|DE#ho!+3d}Waz6R0F7g2QL@g z!O5iDN{~Xk>swuMsOMGrP<$JRFYF~v>ZV3pXc|2K^u9Qpr$tZsti|l_c&1|*j zuI^Qfl3Je-sby7}mLBj(h*YRenFas3d@12WG(32AwHU;8V_(g@ddZBVw5kA)3hPn+ zpdK|^ZlYyx-W>K#P7`U?hCIb8q8!zDF@3s>Z|qnVi$)dM-af?^huROrz;rkGm#T5% z&{AdfYqQl&AqT$2sT$fVpGSXYsuSpWV_Vdy7T&;fZP22C(o~1MVyyn#GD&#py75Zw zyFTBXcE^+tK3OnzBC7cVx+f=Vh*?zB%T&Sl|gX ziIaK{kvZ<%V4FG0{ARy@Auz*n=$h~OrMZzF4WWMnN%E=qeq^@iCv$%|U9r@gZ};DP z-Bmq+*fK~!0r1bI7myVK56Dts0d3lp3nyg!QIwbPhJdPGX`U@aK&qo-C6Z*^LGul)i~XF z_DbB!q3)^KXm5XbW{~%G1Es;(TyOCtHLD3pLen62D$mL*lzVS+G&7`KMYR8J%?o@O z9oH1Z%c-wSd+ubtm^l?v*ZClZ!bWf*Ur9CUxQh-bveq$%BO;Fnd#rq%t2+byMmGWr zA+ITa*^go{I%%Cp(*$N|`Z-8yQ@L0io~dJX882A3L#%(CRQ=tr|L(m9@BZUpYvf0T zEzE*mzbsQ6TXUZUT_(6KcSYf|i-MVYtyN`+`KCd(83pHL5_zW)CIxD}EFfl6wo+|ahJsDqs~TYW4#QMa`l+P>^Q zvf?|eCCdSskzd)DP0#NzSP!9o=uStGbH(OXSUS?Q#(VRcZC z9lax+g}PN^vPjbiOCi|XdP=Ug|1Yit&5BMnAZQ~OD5*kKshMd(6PII^F#P|!^ji`I zD$SjHKjEZz*0i$HKfs|;KuQ?Vc~nIaQ6zsG2I8D4x)(n}ZMmP~tw*_~CYVV>r4M4t zYNw^VC$|Z_ivsPSAmM0mUv&dhF2JiEmW}`Yc*AlHTb6W0W=3*f`~o{($2*^-{ro9Fu<* zmu>PMS#+Lr`l%dJMX|x{i|NbORKR$a#Jz9!5}%|p>Io}ef>;Nt&GwpE0=c~+RT=rSjWl?j>L|IOZxvmjPW4;0)3G78-7lyugD8ju#Qc~C zyH7eA9uH=Ehbh2*y4cm~E@>kw^h5n0mnL%Rm&iy&$1O>rJ6z0zeI7%z?n}=pBjHWT!rxU$S$if zl73(8Hx#F)j?tvPq@<)Uil9zV{tR71%6KbVgSkMBRf!wqkxE3{-)8GKMd88>#pP9O)8-rU9R zG#H3wQ;Y1g=T$&!DklTo&2D(BayBG{KsGYvKO0ePF)xPF7T%fqfuW>ucvclxJ zG-$mNdXFyaxgX4HIg-AbywUDK%!xNN(^xdp7&eOdeY&>i@eL+T?aqQS|;5zWTSEt8KUg z795RlZCn@?Ua4_| zP6*1xY^M6dWK@5tdte$(w-Cbt!%h7@?qHs7$Af~SPe9>Hm)dwbf3shFOY#6CPxosDfs6QpI0HkNxyN~I=wNni5QVeCU`@{P z9~8kP8)HLZ#5fowkIH^^#uh+YCuDPkO&ISW&Rj%##Y%tcaBs2qYeV=}?&*RGlPYRH z2=$DH4_x3(y)xr!;p?3Mdd1X0s_S;&MQH4DJ+xa`NYz*t&5Za=;t(5A2=WKl^<=)oR1% 
z?aF1rZx??v2C-u_8YagDL%WSk9|a+i3z@s}JLzYlD4}Rw0MxPjvAC70+SaN$OE65* z?WMn!_5vR4y8Il9Ssv=jHx@fVJa(XCDXj|1XUb0UzS9XoFJ>AaFQ?&}*EAu^d4bAY zEMId-<^Z=g`WlL!ROJBI4sCUo;t5@9-n{isNz{LG#Gy~HVVeQy`>CN25RY9hr3o20 zv|^rU52>eXJ2I(dPYFcAT8>rv9e#4SVR7B)f?X%V&~T@g`{Yg-DD#`H*d-lu!MJjU zEpSz_R_??qyp_xc1~Md97oaZo&!ohZcukMxjg}uDet8|23W^hhr?dJZQA#c&fa!C|J^R(UCL{cViBcw?OGepOo)Fex7qU6QAZC@v#ZG#lh z)=0;Km8a~f?I$V9OM3OdVs5puPSbWNQgeSP>_vv6cjZ}24* z#ai7@%gouK0V5BnY4lZ zh#EIIi)dTpeoRJH_lCsBf{u!#%k|+!{n9ZWkyf^-lz4ta=b}j0Tp~SSK%7Z2H+X*t zy*XkkT|da=gtGpRfx)QGFW?>7zAc}x!$K>ZV4zk`8yQfls%w5yFk-zWyk4=kAq&9X z-mSk-(KI^zICp9#47b(kui-dUcjWEzR`Jc5&MLjb?Q4psqs^ZsTzG(mVz(c9`QL;p zh|3O6Ep{4He9=pX$?@xuM3GGrmU@3G&Y%Wxn7N^}dB}7N!;y)$xu7&gy}4^P*cV0X zZJt7-jI9w5b$9}4b-*oN+iG=_EE$;Lczp&j)bdr0m|;FF!&%TibkF}3rbQ+GT#>5n zD}O7`1CcRQf3!d&E8THnT?w;Uvc@uO(vI8oyKno=I0(%NZ(;)>xl+K%l?i{EWG)_Q zsXO~XraqH+v`mvED^J0vIj_DD`^53B38p|P5)w2pQ1=%KJeFT+V;xp&vb9Tjo6~)b zzVJHyh?q2C$l#5r58zsKRQFt8Mm-x)S9m%>#Br>N3KUT_$sp38k$VY8Dz^VzNsVK;0sTo4Qm2s|T|(Oym@nVz`{yq$(kfvb75!X~ zxzDmc8=DsTs@0%{E~$SN_{}r15FJ-zTPvw6r=@Ao;F+!?vH<$>@ApC+(cxJ)!qb( z$IoKl54t;V_U5&hCnG7w(E079K*A|O9CkqVAzoZACehkU_o&PIBrgjMZ>e5s934J6 zIFx0gahu8$4m(YlC>mu|DaiT~++3?vDH&nN0pk5TSFK5~3Yg!0Zw*#jr+V@Fi>BFQg8zI6mDKbGA=HeLtQ8x3=0p9GhY-d@q+`NvGXqLydB>Zy-h zH69T4AI{?R%I2S4|-)huy7vxBKhA=-z)JknaBauVLK8Zx0hm1rb45(V4Ba zG8*mK!p4c&NmW6GIhU$5>|Wc^64#)yrg@ZC77dxBm59io=Tt3}4F&{E&%L#=d6mcl z(yNB*B{MMqotl@1QmT+^6x;#%P{LqevZz&*pyOyYwP3&hh>7a4PIV81Y8 zMeu*?l_A)H&~&X}imf?flQ4T8(_$MwQkx>6Bkxf4DfpuUPPhtte)<*P223yM&_DTkK96O08h zlN@cebljWb{;~m=&YiO0pxMB`pB|`rN+qTB&L)@0JcVq6{A_<2^@h={nS_KCD{=b@ zk=JFg!KJ}lVc-}G+h~Ck*}N~{=5v2x*Ub~7VTLk=loMtf+?da?aPOE=9!{Be+ZN-p z0G^B2>p=AV4F*UAh2K^&GZ;?1?I_h_D55i%HUEGA$KhN4O9kvzgv!fh5oC{$=;k86 z#KNr5tz8IgqC>HZu`A~FP!s0(%Qydk-uXRdGr1jbX!h4ml zW|d3f>br6XsT(G+npCb++Y*04XmgJi#mHQr6+-3})#SB1r5mZCj@BDEBBJ?%JN%01 z5`IGDun4Xtgp8povPUon#wMiB^+bAm@m$y9m%%?A%>kDX_?X%qHEn9`Z3x>`azqA98ssK0Ety7NBf`h*2$$1H^qO~=P9rEBiMp1 z-r`|f{OS6dzh0(xYqRxE~upt#P+9-SXF9-kvawO4g+3<5+$U25|Z 
zj-|5y+3wSw;-((>nCD4G!qEsGbVID%4E%o4syf5BUHmz+EJ=$UlvUcLm#EtKs&*q} zUnlu5u^$N)6HaXK!c0^ZrnCWVU0?1qw6#kph1tcNVcXbJu{?hfb;m!&;;ou&p>tx= z7AsjHD1r|czZRc70(NAvL%wgMG;MiguHi zsO@HIvs|+yp-}0icS<&Yx%LQXRb(-UuuV z+^XF_^1FZi(?QKQ^$xGS1nE;koEy(x%{du3x&ZADwsj&HjlSW$0wLS?VZeZ)9b zE679wZ=PK%#kdj+FKw>-tM-LeXhHjAkf;Y&Q=>Z}ZlPb_Nh=nhr2ruhf}Xy$8q~8- z`mz5&zf3zH5?0>2!juoXZ@o)J>cozaJ8(pEWc`2D;Y!rfkJbOq6Fsy`Q7s>vW*X@- z_thU8obb;suAdsf%-82AKp&4G7ETmHHAj2r0P+UoP;Ql{$C2PS3LFUv7pY7*Tr3EJ z9y@y|J0mk@5T-fP07<1>GWO@2+AVpU@*)`#&viQT!8#pL+}eg6+$kRQpsl2NX|#sl z)B1nXCc^#&+=zvsQRvSjtkoMNA5(vK0__%&7F;p)_)Agox|RDRb@i*JXs40| zziQq?m_meLv7W6AI@lAn17|#*I3R%!CqCb;mYO6D*m8dVzX+8uXWn1@Vx7l)S`ACO z#Wy3l5G27~xMB7>^QK0_kHh!#3tFCCKk;&J2|qt_@UF;?*(yKLcBi_ZX0z2>N9lj~ zkJ1v}A!`4_tL1zts*N2|#Sq|Q6yC*RP`hvbS%%Y79T4SMm6+Yp)exGwQ)QN*LSQhI zhO+S@su}u8ykUrSqLJIw7}xDi)%_zqR)M2=%tZq*^Z0eBDG=rV6|$<^l&rjMJP`*Q zDBNV0>M>|$?nM=t&NYwI)~S|MrZ|7h7+-1=KHUJjbc#K_x&Ds3bxH3Jie0}GzkzYj z=5Z?jbS2`+!ei{)C#)xEL!FLGap&m3NT_#e1 zf-O4Fz|T)QoL}Tvf@VDA^5}I|qgs4BiHind@W!XoiAqr?_S4~j9Zshe%Xxq3dIZf9 zO|CYt#;jY}$R&*-+G{5nIETu`;LuyyK)x~sold3+x2q-?dIZuO#p?l26phT@1+5#~ z^wJeFdy;t+!{V4%DY8XSv$EmZdb9aRW9LJsG^`>wGLIXdDp%$-)r-gTe1AcrL%mIN zi7jtc8qgHmAe9v%D{MuBY}gw->ooa z{{AAA=gGc3cMLb3w+~r8#1}@Z330#XXl9SHr9_L$9d9unP93kVwVGAuzTN%)>iiWn zYCx{EL!-i+dN!OIqjrA}7|u~5H;w##4+Aq7qB)_9a!NguGOV6o=bjS7ieE;aTt*NNv(WgWF9VOA@9&NT{nNPXz&g{FA*_-oQe6) zBI+kC7DtJZO#D9r>pT4kEEYl^&3&jWzA!lv&o+L)2T_jTl!VA1i>*gfTyss)UTbos zR8-cc1xrS|Dwn+@1-Me8s`!GmMCnSzr_=O)iEm#5tj6|@{VG3RkF8XqfYh1|Lk8Ry z8WZgJD$s&yu33M%WU-|liYeg4NylR+P9RTwCsW6WiJ1`fzN^RDy~rrgW$Zd zV_kxYJI*%BL4r#)3fv&Pxt7!r4PEBy5(yr^a+@!RF^7K;aygl!gVf;u!6+Qrc7(sx z&mMDdid#ajhy9h^@1e7a#zR~hZrndy~?z-B_hmQSLmI=uwf3SPv&YAXz4xxl`MxqF95IP;Sb+nGQ#k;Pi zKyxggs_WLr>E}OtNIz;9-qZ9=M*d>l2;qSn-dkzc`@2QK-7B9)Vu;fV2 z-gV_FM;ggHwi;k+zB#pd66edUT$DAW5w1(qr#z|Z^G&jErWv^H-JS+XVusa2N_nq`(LCXq#0nK|bm&I8N0TUrEjYzN8m;HVb2Ldz*ytwP9!pmCS|we8-T zuC1VKJIO^IOEETxkxd|U(E)d6?@^Fj;NFJMOlC4cxa>O6K&M_1B?d(3DH?bvP|r7Ff(z 
zePIML%0#Uto1Rvt@PJ@YU(~ig>!g3+ibvBNd%5%W782%lRn->$Z2N6%ov7}NBZWmE zB7&sbbGK=tbQ--9?+}Avrb%n)x6G?~0V}}W?>-_7Q{~w$iS#}{KNlVdxogx?(#}RS zqTKkrbvNF-YI`as5XWe5m6C~DZ`8gnwtTSrdT3k{q^N30;vnB0LTcM%d(D5*5fwkO z=Uy{ByimwajTNR7Y20}<%!^h5jAcJn#e}lFNQc)F8nUrO$W4QQ79d|(S4MO1HtXuN zUtU8xfC)mewgRYt%}-3X(C}noyOwO4x|Uf#uUCD7CF*zsP5y}!cja)I z?6J+;P$A+@HSkN4_=4ZGkqN!wXFmU%6dm8xOFK+0NKG|PKm$&JD)Fo8&l~t%Z@Biu zAnitisy4OQ?wBc+ZIDH+mI^f-4qXpe#s9k_hINxVo%MqyTefOI9QnhRf=y^> zi|$`Q7pF>0+9ICWxkkv;Sfb5;P>Jx6JfGS$77qjgU=S%Pcy^&7U==yR6JO5%!Psg; zjv`i;_;0v!R&Ys(%e?R@aSP*aTG`13ahU%L2|J%v%WNjF5IKoVq6(Ln&|vqvo@yrX z*>LWecDT@{2J%(~y!KV`>iCUqg2ZRK?gje@Iy3DyDnZ}I0jtys;=MV4f&{0muL5FD z#Ak>qtx&fOo1RfyaL1Mv5Y|_Z9`D|L|5xwqKKS5Qg5%zQ|JVOMaKC&nlvY$F(&yfL zZ$Jcj9HaLpcD@j!P~*w?m+iD_=DhuA%-%p3Ll#9|*tqd5*y}ARu44X9o#i_)i`JJUots+K$iaFykphC|uH*?aCqMAxk68xY4?Drz2;!gG2wFM@LW}u@} z8KUTZ6m!j15bocVlie`q#N3k(p$XTmeS%7bUcmL=imwJUAJ(b>%P5JL^b+(%QvZNl zU13QhGe2QJwHi4^JK8f1he;&>OT#3ZBu0L~amoZPD;O_-hpDH3{ap{JUf`zO9-&N$hj>ckFm_G^D&jD(4BEC3ZFE=04`I7vE zRU!{l*1-==cdss35M;EW%mIVv;`ox-j`RibD8YwxPRD!A?R;%y(F$~7o@cRJP@h_< zj`Lt_RkzZh|M*LPyah>mX#RKFouDf|p&x7(1|v!HIjT0g>Q*&&gE~6h=Go7j_N-tH z=>jL@aVj1nDGgP`?SB7_)40H{+#a)?j0DWtZFvz6bJ|{nCgK8pZyGoBiddPU3q2W# z^I23<*^;-9qo^9Tr@Pi@;h}RZ-tcxTDuyoLxH81n0&P z=FVB8=w9J}d)UfaLnJ-MY^)Q9lV8>}zDLt}r3}UgR(zbnXopswS3bM=dm}A%WJT&x z=Mz~;+asJ~q%F*1gLii3n)q-wwcNSoenaw~12%AfyR*t{*D)x+`YA+>H4Y)>qX55K zH4=6W!1DiRo+GPMXu%k-NoDz<&m8IGhHY+{+z-Zo95Lw>j~Wpvo0+oY$nq}lt{puE zl(5F(#?HXn&`u+6eR%)QL~Yt!b|3!5z6#r!)0XetW1_WP`0KxrL2^XuX5(b}D%dV= zJ{k4$>d4k^+b9^EwV;y#^@u`9^wV1TA@gaEqKceYYQ|G<1?fD$BD z4Eygn8@LvL??DMSqDw&oPxmjs+mir@Mc-$C1J_sL@UX;tZ7i8?VZgv^!9?g9KV!dl z6!@Cq*;(CiBf*{97rSL~fBS=tu^f8piA0GX-iQwOwfc zG;|WLP4};f6L+Y`JXZ^531E^4=BehQ1iSs{;?o3=?}#*B>$=&(G`?0XON_bYiBLU% ze^v1^`yAeXA${X!!1(E;;gJ|Ou`i(Unusr>lz?iE)m3ItG}NcsqODhWb(`Hu>q0{V zATCi=Ax*&?PO(*rilpkPji=Ai_i`gvQAQJR3G~W)taG_@(>pqNP)b3^CX0-H@1pZuij$ zL_0+d!!CJ+LJPXX&8e6|6$|P&`)9g-kr|^?)!2N6II-zUbpoA)HE_%}C^IvENnw@& 
zky=5^SWM3GT1-vJnaA%4V-DmmQbDx@X;ZVkHQ*c$5bLe-o}`+wD$;MEwz}KBUwM$F zj0LOEmPY9)X$Ad9N1edJ(Y48Upw|P^r2LFsP!*@?9EqT`nHS(VLY|^yQ+TB2rzlOplCR442zk5tX{98Ttw|s1%k&0 zQwTgm#lvc(*z0#8&Qf%su4;O#LFjqvEa4l2pTAxxHE@|-$ynh+Nr;YrJ)eZjUbCZg zKZA#*Vd)&>%4R=9^F4H3DIsj+|4bp;P$VE9U?kh9YMuoA&saz8T}+!)AGmmPeSkZt z0xSoq&I1N}ez_{r|kqt736 zNTVLJ1BpzZF*79#q6}hD(LNnOdu7QE^fG|q&VF{=)5~)*EU%{K8u=&v`T03L_q;vA z=KT531`p(Ed9*p*_vpaMl!}@8p!h;&#F*dq)60Bairc)mZIgw5IflN5PKf6x>VIHV zi(M#&J_DVoJck)dP@tPU6ug9d;6Z=MsTp(t?(gM$nxq5Eonxsm|rcE&L_3G zI$ROAL($99X|GME&To$ZdqytoH4R?ujvT_;T4eEd4O>Yp@Cb6nH{qvNfM}%x?FjLH zZqpWV#7w1O*1WtvjlMzrv)t4?FE5PzJ#~(#P5AhKwz`t@DcR1!Ti=_+w!W|Du`%PU zaKSouK|c;q1-g8_`K{Ehf%{64WdaY$6s?>H8x5+`tgwQ1dX{WJBBc zCho`~Y&cSbXpML)E z@soEDy6Xd6`0*Ey-;YlkVqj#x&=E5{(|1yT)DVJ@O0ccOa*%s!8ml|#MX+U;?`x(= zctZI6Q1F)Pr;X9_R-Zii?d~Wi%ah*%ko+P;#1k32n(G%=)G&SZ@n^sL_$!a+m!Ey{ z51;-{;xe`uiTfv`(f)I5pPC`D&6~@EU14mdV&gPhuI%^T+fZwoWnLw_0=2Z+5F;Fa z7zPOn)o{Z7w1;}VYI;e;Zild}E7&#pr>_xZp?0Q2z}eoMZ`tiJE77WayC(*8A{Y{B zWjRAb_bLukw0e2{DmeHUs>y3k)iR;mDt2+qs!9q(qshoibKP*HD9DHp`x$n8^1P57 zFdfLFT@DSNImM;`ZFY}ExlfU`z-%O9d*IZ2FN%X2^= z#`e(br*$?o?Mb!L8hEDhqsHer-2CxyeZEV5?+>x{(P77|SKpa>77J20U$Qq;C=3>L zkPy=<{1U%Ys`#xeSoU$j4JrOYRCpTz>WZlg>RA@_nfi)#Wl}%a%d)&^S=wxW#koIX zqQ8Ql3P1Ch$MhT-oP!p=HDfc+M`F-RNzSv19ob3!R!nSlf}P%qguJV^RMrQpkp0ih z-qp(ch#5WJkxA0gX-f}N+MuoH)Zow&=4Cn|X1gj=zSwS6?8I2rwhKAB0&7_q>e`Xz za1m`Ac9Ip--+%d8O>C;Xhz8X5RlQ-fKyt(8_XbhA24I#y zTW~T=C^0h!lRsvq>J3^^C!r zGGROT7=~T9T(nJBxF42_CUd1|0!fnN9zojmKBIMk>l#|hJlZj1&G3sO)|TnCSB(AP zl2ieNmU8#m55vQ0!j@=%GTz-&^*(MsDNNCcpjNpmCdk+$+~Z=i`sqjA+uRj@?9s{c zBLIoBtjZLeU8)tQ=QYlXDrh)5dA7Sp@@&H7y{i6Rkw@vU3I}W@9Xguh#4>E*`bzp7 zhG$F%X!-6YqdSC_!VPv`LC=mz)xj}ATNToKrad&WNWb^Bv=v5wuOj!_ zGPNI$D7SaXfIiDyr{qgjWy#sfOyRr@*Adq2mA4N)}tfhJd=42>05X+7|wuEQ!tBzJSfjh!O;){Wm4QN1v zF)X`_e^xV>t;Q>V87(X6Zl2h!?xqv5ZY@Lm;z0=aCk%_}7NPWpfM|b;v(R9=GS;$l zI7F?9!vk1Z6}{Ix4hs@BQZ1h!84o$IRU+lXBh_bxl0~>_sJMdLI4l~2sY};cER9J>n=qF7f$(}?JVoU>Pt-%>!u2ScL7aX;!2tx*%9Y~O!n!> 
zJ0cOvO^n))x^@m5F97ZO99!)a;JGuOJN35jMrh=-q5qhDv0A$V0Vyi$%4c0U)F~3E zz?*YHIReV}EjkwRE^QOBptdZ{qAq-S&7U3@_Ek%6KsNFRH_}U$M`CZU zh9uW%rr_;=N=aBtoW{y{W*n=H`$?hd{(7Sj2u!gTRyDP1`#~!PNjgzU9)H#%FUk1?}h=fKNK&7=p1sx+4FXP zN{%kBU-%r(lA|P=rF=hmP2N+Q`>1u-Yn@sP^)}Xjl;XL5HycqFm<_0c@y}+PgW1b0 zT6%J{6&$E-)4F9y5KOzK=QoH+TylPO2zz|aU$4HS0E0PDOlWGrx*O75vwgirf9{O> zJ5sB;YXVi!Ae^4I625CcV?n^%0rO5^uayN>SxpG8*10BFov+J!Rf8qfVbql%LE=@k z36H*iq#SH?)|szX>J39#62K=a5O;Xz^js~=Nh&x>y<)lzYi?0IOyP!cIk%$I_VF^h zC-$tnPSD{93-G-+1#4@nom&H@k!9uh&PL_J>=1KtxKmJSWoW7yne>3td0;u6N$C?* zm}53WdjSbt`BA6ma@i*O?QR^pSnpcnb+@X2XL&J3P1FaGY81IHFeMc{YaP^BUR}1# zpoVkhdbWx^&jSHe5|xd@GN`kDMxLc-2f#Cce`wU-=wKHA_v#x4AdZHpnGyz`avmA$ zh)r2$z>rehV1!FTN@lq+djMhw%aEamk2}M}erL@7_OSoZJ&9NpVyX~OTi5xU-KUd( zS3$s6&(AM)$HKcxspAhi#KiW1eeg7HTp_3k%=Z>_y+b>%&vd z(cUVDyIHvtDk=~&g|JaKP>ho!D(8EbwT03F)rAX?OO`=$5iP(1TkUPwBZMaW7Q75_ zJ+N=0zMJENynVP~*BE5@=r%HJ=@43fs|^oxm7T>tohkmifdxCdpg6|LdUcc0xzMC8 zAt8vGLIMq5d(XUjo%&N_rLbuU3CU*lb1j5lueMfy_pz&{ z_h3r25ZFZgerr0|sPfGJGyoW2`si-dk=JIw5LX?sWgS}f3YK9+8QJ0%n zYi5;n%&>T(fNY=Ncw?BLLaE{lm4ihJR>n!wk5@~?ozU%pHWoyXD6zC&}0UkL-qjG0t=pn>3kDfYUM~sC|0LcJ;_Hj8njCoA7qhAQh3&gJMM5ZYOM|YTYA$_YYs(nV*GI zG|VahD+*8$RuPUI;EmiJYpb3@KH1@gKDv3Tce}&=h}-m?mg4T*I$S8KB#s;hvM&Yk z;t$~@5^dfcdD{j2<-y!M0R}=j^#9q!BIF=UHOfDaxg7hVMD3P^TQkE;bO#jlqv6(I zd`WluQ0?&)f>@}*9&Y4+G{GZp>@uH}I0KZ6|Ado3?b#N6@)f!L{$C|;y9js43AncH zDqgx!uGn7nUJFfx&Xdx}V^xuIRNo8;t4JQchbakJjQ@;m;vH_o32Gl9tMLpta;4qP zkJ;y=rcZH|NE?i?`DULQ$LFn!C7?b7f=($(MmHpJd{Q0IOAI_Ft4JXPix^LQ$D&0_hEDr|yS8 z4>+ejGQOpTWe#Y&O71aBi0e2nnG;&RdZVqL!SL&ckn%K}*2S;Lf-{4xNqxgS^+wWF zLUpcr4)Hql0+`HyVVJsvUj_N;Uh(aqS-akSiAY)EdOAmC1P0Bs^!ffzsRpjOuZJ29 zhdc-}rjo0Y(9JXcUnqChTdKFW$2VN50FhU3^Suu?3S&&tX0q7 zn8H-m)Z|dbBE&b=dtdE?j%IND)XX&Ms#=Vx`czP&QP)tA^G>sH$z3!Y5aX>hbk26W zU6ZV7J)9}+to7bW!AGX>u^lJ*7VlS7t&BY zmtYv+3VyZ2GI*8}i_FLjIEwP+I^tbSQm+G77qvF18o^3syLOcilLJXi?I*E+#h8WV zo=;3lK5;TtM9jeQpK)5{q{(tj;k~_PFTXU8O;ccAZn9xkS72yecNLmek_FUReGFk{sd-Bf8v{R$`$icG_X05*WY0~1 
zo|aAi$j`N_x=D-c!-p649Ad@}6`zN4o5(t&43I8&_eU;==CVT0`z_UV_4tx7!}fIE ziqv+MnG6Fh69Y|<@nKc;3hRXH^J!Bn=+lX#f89@zKAytX9V>|wdllRbg2R9)HE)uq z(u=7k3Jjz}4yS3cjj@nsiw9ro2-#HUHR|NHsFFCVQLg1@8Y7xNM{ z#1pkBshNmoVWR2M8dlDP=~_d8300%S&V%Zws-5O#t73J^B0#H!YeD#pz9sE{;Akeo zRi+IZs4nR`!uZ?x9h2)n<7Iwr-2DSmm| zHfyR5$?6N?YgF*QnB($3^Do!bT=KJRTb9JdoQWV5X0~(djfkqN$1O}4{zC1r*%GHu zuGb3gq79|UY(r(SN@mp|ZJu<0y{r`lFNs3Pm%uxN)GL);+}vWu{lGbvPSj%GW+`#%HYm4K~0yOin(u z6(|V_%!Eu>Mv&}636C6~f-0vr$p{EL=^%Rv3ACVO(J5lO0G!W7*Z@Z$mss3$fWG*Q z&55>waeq@4PJ&Ce0=AWZCS|gqr>Zl9^jrdu4O+q=9MZhde0K$g8&3-p&Tn2w{L|gW zpL!yFQO036=dX50GM_czZL#*@I zK|QE|I{3ng>?69yL1h~kobZueKbByoIU zWzN^fvS5zYJ9#93Q~*_!UUk-#hmwFMYBFJNuElHfjDVNIe#5R}ZRM(hm&Mrr& z4neojaw;FN{DNhmpgZMh`bi#js77mNEgc)`G;Wdt3c{3-);)b~O5&+Bb~d+@L^_(i zZb{$gdTsF6gSbv-rHI#CyRw1)lVu~12h?yNtLV+(rT{K~-PsLKpi8T)=e8NHvo=Aq zW;1R$gDWoM-U>{ZhpjU6wpY-l;qf+A^=Y-dd3TcIyvsCM_c1EO`ybv>NjIM!pOOm1 zl0dyfj6~ZX{Giz}9V3$5^H84ttZ6j-`KV@ zSt(k2!~AT2l4;d5(Hq(MAf#Rdp4!HI(tXQ1mGHSbF;E~nM_rlkBrgIo@|=)nLuoG_ z8fToUu1vpXIiZqhQ#Prj8W(cxsq`5}ZL*U@*OOh51VirR!5##T5#-Oh=b{dJRGT(z`RY zBXjuYoWm+ElBS)SND?L78Zc3G8>)!+H`?sJ|Mwf;-T2-2*T1`ab$Rh2 z>B7l>{y*L$ck+V2_n#<(n2?)gpAZPZg;Z0JYHjYmF4>n)sHMB635-0xqBsI&xH^F? 
zsk#$eo3vWknh~T(nloc&*{A@-HgQ6~zO;=qknl|6Yn*|`lgw56_eQp%< zspRrt_b7pE+eR90qq?sr%-r4hV=pK~DhvL95UnQZ6=3I>l%DXMK*z>*C!<742%FC zJ5=&_gNLFv)hE!y#O{y2f0qm`cPn(f95gA+=~_7$CS8TpW&iS*{MG`kZS3-W)a>ei z5e#fKih@B`vjfA*(Sx7A0BjKD9xw@yq&yENGdXj}2bgleh!hoag8K<9lwfuS>YRQ= zjQ%yHWJrO|D2!%*6vu`^V|7?OuK`bxrH&N4E4HQhAVfm$m!jcA z+Ye7iW|*~9;&!DG5}#IzUCgOdsz6tx(q7kw+WM^pg zdVy1+JKWvTyE;4YIM;GUCD0vzZW`%Fx+Heyv2>fg^=qgOU{((zrIQBwowXq$cQ%NIm7q$hbxfg2QflQasss?WB z?Vi235+;rgI;D{m#Ob!Zh#UlY4gI-&u(PVZ(Q;h~@ONTsJ1wy;3gE`+9aKt+vMpj&gJG{HdyWg3Ee(U@g2h zC+l9Ze4O9@^n>Sr-#>e?_t(dI4Sn;&5BN$Cz>|ru8dfN#%b??|%Z0I!MZdgb)@XMA z?(QOJ+SY;+6o-)qaMc!s^}+tkN;DDHYDw!|wTsMI-qbqm=CnqRdg1o6AQJa@eH7(G zlu`|PtXRdWG>e1_P+)ZX@E}!->Ew-PJgA99dAi+06sU%OMFEvDU%i$DFKG}bW=fqo z6XYs~kjX4=)`4O2iCW!KF|W+s^!2sA;qiV zh)dA9J@x*7qyU<0p>+2+|40*xe{0?@`cnv9wbLFh7TOv?a-RNNnPX?%VP{9OTHL4k)=RBx>M z^?Th3gD637$NmkwOUpEUH#c$I?~mXL>(=;UN)N}15~BB55&IGX8>NCo2xj6r%LG2E zv_W3q!WNAqzR^!OHih!wgOxM1$<6Js$AfNv?KOkXLgat`PvPl4`VNa|YM|*wx3FUb zKEfL{`Ymi_0D8>j?%fco1MH1Gfv*5x0}%S>hsUxXa8e+6O95QS2Gqk{e5^7Ot-t=o zR0W_LE_kqQ4yY%5rACNV4dK))swCWp+IuX^kaYXY;t|jjI%dT*UoNb-Gyd@L{Z*z)_%{7`_FKPFoup33i!-*?o54vA1m` z=jkfs&iavMwGkdp#1P;nQX#3xt@+a7L$u1WW`W}GlSDz=v6P1F#fiBPpf*r{9b_Mo zs*RkxN+hwbLgtU|f~rBE-}?lT$HSZ2LBA9g`tdObL^vQ#UI9k|_9R^<(4`JHyC8cO zPJ0eB+SO4M@?!z5GAih8`q#Fh6m>3mLbRvf{k0BKt3T4~t9vVa=%|<4UI+5(#jP=^ zoLmE$p3^OQxJGj*H{o{E7wcVrLQJ$<0B+r}Jq7_}TMmF>f!^d6522o{)?V~c@YPVI z-62OSD^q@)=zzV1w{gWj3aSs7XhUL~zcVak^Cai8(CKTdaI>{mi12c&x=U8P5%vyNhf3Tl6Lrs(Q_`fTz|+a37D zDBVH+7y>yi9&SVhVU%mdWl|C!zxw>2C2RBfuNdgReExYj9#!+`7VMW|_|n^TwgmCG zi9b^eZUbrF&`B7fUd9r9LI;o)U}oi7MFk|!!!LSrYwn&v5~?D3`bnt6YG2DqDiJ4= z3$zb_E^7^2TriysXB+f?tu)<6xq0%@*+2q$XiUB0@aA4RE7a|z{wl^qv!$66nEMy` z=w@Td`P_V`85wIb1I^Z6*sph@5o&hJk}R*fg?r@`0Y_#a>3YP6`PzAvRLruEgsaMR zA(SR7&0S7u8MT6*N9y4 zb`@A(9&bp1!Bem5Rr@G17L+h!=o6i{?zEso-9IyPmwwcNwd~}c4iJnOl*mEL%!`e) zE25=rkkk{c4-T+(^9Z67GuQ2z5Jbb^dK=8_k-M2n!`yamt#sjySWYnX70pbE>nX`8EndPoHW+qf*39o;n0aH73gbvdW(E<45c7xWRP4)wL}` 
zmHL=K=_i>(A6M$56WAW`s^;ETJKy9_1@lNaqi);~$V9GBpsj%>?b7W)$F_j>27|?Z z$@p1##)VpcM&*P={9n-168=29%r+nGnJ=P~BM~Jz`=TjGWLLgp-|Q|JDR0R@Qbv71 z!KbPp%GBGaK$W4}6qO4JKa=^u{LB9!bI7ZIiex2bZ1612&Gd_ZsQyt*m%~6n7rORODwGM;qi@tikQ>-=@VZJYx_c(u6&%#-$iG#u0N31_Z5n&x|N!ty@ZA121d z=$8xQlI3yGNT|BpM&0*tD4%*{x(h-sP(-e}+ws|UuQhWAm8In~u}zeqyHkR^OclRZ zZaduzxeD3AIxDMzUPafR%qf73L0T?W)!*n$w>+KPXj;BT!>39eH#5%zV0H)Q<`O1s z7B!H6rONqB`I}}-UVE+DOTJRZMt-@(!40zOVVyFN@0{MoXdN=D84Qs900n>_C}(<} zS{iavS9BQe-jf=7tTkM8A|SiD2s9nGN#HWlpw_9f1=28v9iiSB2@ioJO-*oor>LOVKh0hIc!EF&sY^xdNM5+`HDWt=Xxz?$(2{`S#t< znjUrb02!G0GbjNQ5y)O_ZrCU+zS;cy^Y6r={QJ+`>#v#F-r<20&Aq%kBNK&aVNXSP zr>x;|AB0t>H_vv#a+RWJBU>Xg$oJUaPGEOJ&i)&Po15BDrO2{<&85x!i!2vx}OV zlPHTZw6i?grN+sWW7%ZL!7kkg3G+*n%UldGbzFE z`mlK%ZSf}&A=)!nqhD57NhK*0-gxapmmpow*p}r^7#J=_c+t18j5D{eZjrg9i6}RE zR!btPEE>{(ASM^Gdx$L)l}04P#Av0p2}$QA?2Iu`H|b_(L;au* z=&1yd@gbCY6pI^5Mxwj3J5ok&l290v+>&uizfP|n4y@>1`ROX%nN7gbg|`7&fUSze zvKq(^Dox;La!#R9wHp&iCDD}9I8muEIZQKPGk3RpdMlPC9+Q3UHu&a$m6wA=2Oj%yT**cB=7t{q!xr;L7E97d<&m6o;7;AiGdtA+HHetAm zYb8fbMJUNzjZ0?D9k<4P(XYAPUPKpvFqX)Nk#C}u0M)NDdWPA5v|}a8jroHWA$Sae z5~MDSlkl)naROB9UB2~wis|jo3aVy0WnA@|54$%myCNUYI61)6 zo^Dy@z?JuK4`_Oh?o>jHMdATYg*n!-88VZNd}O#ChAM|fEHSP^a$`xQ-p}%rf=8?# zpX4-g$9Zm}2?kJq(YGLkI#pM-&XCjQoS;D59^FIz(kX+>8&Q@~tIWaq8LUX36`Ob& zOQ`?;Cm*3qlr^dd<}eSr3JtXRVk2f6Oq)wdDH!ZHK#@>(VacLLIRpJa)AJV{(yg~% z-mvYE(J-C=WvKDTis7_bD-EK#l9QKdljU4#B$ZI~7M&}93(6_9YlW-GjU4e?=ALBu zde5zXjGmj!a+J(~O@;u5txRorS8z%n48ejc0IWX{H>V5o*2)87oi_*k!0&P}GD*pR zEx1^g5GcLg1h+d;6a_p;QNNd$Q78223Y@eGoQxS(Ww68c@@0`JzOZXG9||=UUb#Xk z1Ha=GVQxNurt3iry!lod!8o^Yv>l2)XjDVy?@xu;)4nt*7a+XxGtvw6j zRCtJe6*;zxc40A@1d8cvEhsf`GBF%#hnHKV=Qs>rA_#l7k{cT$g}lS}GQx@hITIYn z7GbhFZAXBLk=l(c=fLT)XRLePxE$0tVArRN$nw;GX(0lpBy#K81_8h5@+EKm=4&QpDKH0Op`_1#e z>)YNZw?0Xz>yuEAax7t?9{Ma7R=f-qeNA9;w0$8VHws;$a;nPn&Y#G{bPEM1QTFpj z!=G7y1}Dv$;uH=5aHbm#b+PEJKS<-^9_U74X!_uwEB!=_%-Ii3r8n{BDGFz_fYH28 z!`VV^QeRHXG_;#V>(H$UopJo_Y(jLr#=v*1=;NGZ}cjF!e^tPKu+ 
zo2}C%^i*?#d*7A>nb11;kxS-YlZ-+K>aoNNH7BWf)rjwjF?FlzF->AH9pN2Cap$`{ z_){Nmys;65Yy~^$R={UagREdv^eOjs^-@mASCrPc8fa-V4vvfQRyocYB1EN=wrjzE z$q#cYUy`WOB3~Iyi&fdx$_7d|4BW8KSd|oOB8w~gXTdj_uVQPZ>E65oxirnlz_%_z z**)h`J;1d0rd!n;*}H3HPJ_k=n`8!~RI+YessW2-!t@&kv0z%2EOwriMSuFu%RE?# z{{Ttau~H-@q0s2kY&6edkloFx`mOALJk1`@Qg7|bd@GlV0`FmnG#8g#pXT0mZZj%w6sC}W z@@-6omtpBVo*fQfFXN!E1NS{~eRQy0asr~DJzvFbj z=K@-Z7pxc_T4#ADJ)l3hOh=>1MZ4lPDgeouj$TFe+dBb`=fIBD9_%`<)Kjtj(HemH zqnpAMAkg2m+2-g->Wn5-#kR1ZJ5{3pR!@s&n_W53-2fe|ruJ!C%3z$wnb}8rg0WX} zUW4U=%Coe%iA%&_a71QSisjXR?RpSu29)prllr97m^%JsRwm8VqF7k1$Laaip(+$| z)O)%4OO-bD1Cn;$+#ZW>XeYO{4NUi&w?%t}ETSgee0y}2>pP+$04D8`PcNeNCwom_o#o z*=q${Z=9&rH0}$WqU5rFpP;~!=0JT3-Ut~qBBf3UK|EpR=R+ohxW=BxY6Au=vs*z zT2X*`z=H{Ua}Zp6*5@V~(|eUQ0t8ne}ZgIWib>V*o+wG6c9 zYOm-H&vt!~m+AJdRUHp6tE?-+_4!fKyk@^^IaZ%s3b`f7H&6>y_BXnBghmpvK-y~H zWj?N1|2HKy1hBk>Y1Sa#l1_RR{vy`_|khp(3#88TLXpHd8k0N3?3AQ9HmVUV@AXt0M|A2~(ytnWm74{UL zo_>1#XenJt5J3jMd(>Aaw;`^ULIB<(RVW>S=;pT)s0iVI^}4bH&O$B&)oIOv37uMB zlIbxNpE6tMf+#{F$H?uXv#P!tRdI(Fo1!xn&sic&*G^W~s-gI$u-6Dq0uGq1<@}vI zcKFJ?#xBHw;>2G_(9>7CRgBlVqke)l@l51Pn*E1G-8-$J>SCffD;1?vz$Ce?Mrkaw zm7z!QMD>viGNx!JCjR61h;TBi7zHK^14r{$c+Ssz~dDztGk@$yppl?1rFwPxW zDS8sE$;HnMYw759cswq(FiJS;ng$2U6?-V7U4iU>PvrEO*Q|?p#Lg>K3=v%=w-H(y zj)Y^)*}n3$p&c|GR;K{ko+uo$-pmRH_+k4B6Q5jFIGCeQk|WevD{N^^KKcRg3532? 
zvQAJ(zLW{n#4ca@?JQr`Mb#sN9udeSux`yor_V#YJ!o}3?NSAdU(l+b2$mLu9*T8V zTp>Sy5*2bZx=ca!zQ91P6iIfg!=v~xNw(l~-Dl~aCi)E=SS){L$rB}6$L*hPe!IK( zd4P75YetUpcnbG$E$Vg~_|Zt5tJ76(cSR&LHE3HS%~xxm-{Z2uP=#Aa?`h+uIX^aW zl!8oeHT|MsFr%O{kqdUSM*9R4gQr{94V+ScCS`>H+D22K&~x9@fz!37l6SWBtKIH8 zubc|`*y1b@oLp+*S4=co9$9>yRG?hVn5vr3{tW5VrA|l+BLc@pYMZc6y;WUvP2R|4 zVyt%`o00>@C1T9*kV0&dFj`nwxNB`dw|H@BmI()vI5jNj&%_2a&`{QevryyXrd6na z5Je)|G6OXvvTRp@Ju-;OQ5rom&cLxdQuF16IIY_2TTd~o> zDQWF$$bAnRp*wxh4_7fDPf4b!RYgG3Ev%;7Rd)9j6?^a508*-EwVR%yX415hZ&X|8 zQL#l}0yeMck+2MDi)f5ZAqlE!7E=^|en&4i;(p)lRypY3G=|)fTI>Rg$I2J9s8kyX za#5w-U8uOdo6u!scLm)Y>*SJBu&LmR(Q)t`O05W~$rN6u)Ba2Z)nde|aSr z;8-eo5Uftd;EcVm;(nHpi-E zsYX8(#_(4>I{TYev^v+0Kb9t%_A%9d>=TWwv$QhMnPJd$Y1~h2-vxLf*+t$l{_S*m zschxuMwhD|*>~_SH_xAar{6gSAdo!pC*heHL-Evxvo0T4`#CZdcsa>`#)s$1H);N! zcI1Y*!OgTBa2;X-$#w`Dpt#!eL=>}9ZFqj0-)Uu-KoUCe0q(`!8ucgI4*(7(+B9qU z)uHlr{$p;8;Y^0~nKKN0gnVN-@Pes5E%fZ?4o>81WcIMSL1gcdNV~*Sw}hy zT+9lCT1<;Q5ZRt{X}NBH1n7@0V%Hh=d<1T_IIw1s3=5~_@E*5E*U=9+_6Vhn%^BFEjaq{nzx?E$x(zt;6iqQHT?T=nwEU{w*H; zK2dLs)!t0g0NQrpMm2{X4d zOfd$m)Vo7ulL>42F4ZgIg{Xy|zoy1JmIbaGi~Sm39Ln3PJ{QyGCr!+4Ktb`Ma0D}rw^bu)qe%01t09*;L$14eKN-3dko^YD0sPwy?d19k%o@* zr~Ha4?`q}z1#hmNC|LxT@Vqnt7ZTq^ZYu85+~Q<^qjiWxNI4iX(v$Cack!U}sMa3} zPyhp5b=#hQ-x!!9?oZ3SZty+UQRop~MSnxuShnTysQ&54KjJ-x_63e|cE&nA#~hO@ zB-n{IN}UVJxsFxqA$P8%QImGOdzI(-QUO&t)2V%Gy+U<`+Qiv&CJm{zJW|xDhv~`K z@EbW}hG`yrwidj}cW^4?uQTb=CYU*4HvD{3yPpdh!< z<*8G^JwKdU^l2`7rNxIx!?Ux;Tr<4v^qmrvQ~+(Ub-}7(?nd?85ge&jRu+|#5PXZfr4 zf;D+i;IYwIJ?OSOjA(=-3dsq`u5fdO&Kw4R%U5%!4T~5Amup2>X>XfSTt=<)<+PYh zrxOq$B5mTWg0%g3-XGs9bAIezJNKNGbM5)D zGjp#>F_3c^ii%ao-r>~dlo_i}nM;%iPh{NcqIa}S^an^&74@cpJD^SS2_A>rsJltD z)e{mVm9Y$Xeb^5GW%*Dr4hgy)KV#k5efwa??$8bTU{b2u=_RIC$bEGl^+kiRMgN{I zjUs{?hDNr|@fxrvTx&3FlBqs^_j2EoeX2P9n7k#r;pX@k#7bhr0DVm$BkBAUTB8+P zpOaK+7oSk!XFG?F`blW#f`Te^*UAvw-|DN8oL$#8h-qBq7r+VzE!tcZ{KI8`9~oL{ zFD|1_F`VlPkIRr4v$6BXd5T%x%r*#J0~AdZ`q*9VEp7fgce=WZ|DTL1G2qj|%H34ZB<;oB(NJB5#la7yZm5e|K#}-oCb9pE+7Y#3a8)j1@~5 
z+04)D@EN(2)X<~Mu-ooByHuj&F9|&7svH9Y%a1^)BX4-lU<1J%Em(mm zo;rU_8`r#YvB`y{l31<_d+(i|ARJCY%_>Jp36Yu6k;lN7c0(*tys_}7>w|O8JTNSOo@Ky?12UBDCVnpydV^y2K}jvDkPQXBX9Rz;7d!d z(ILstCI+v6)wqg8_n91MsV4VHp6P8y&2&uc3Eu95z0lRH;%2VcsSZsxmO*cg3j+f{ zDZYI9&&)l_!va*!k$5=PYE4TV)0E zl5z{qNNI=MhFwD(e;OQN06-{2FyDHj}NT3HHD)HFEzJ6UAPysP; zVDWl&t@*UuV8oQs^fOC;$vDHlMpdFO<_DRMjTNna&mRkjWDGay@vb77yf|OWxm(q) zVNh>z^~+CMWMdxbGNBr+h<)jLINdhS3HT*fD$1o=tRT!kP*qT#RN~+aw3KjRNr7+V z!YyJ#y9iJotASS%u8}qtuHa-_pgG;K>#Fug=n{>e7#Oh@GpbGci0 z2Kv?E>6I?1cc~X&BZu*xIQlUWQan2>rD=n~x}`%^d`NR_vsAFG&Dds)v49d#PW3H) zQ-e!W|6cC1&!U8(xH^>?8hhTbrEc(>>`sv!!{ei0ihmG#PG^-FXro1M6&r1fRwf!} zE>WZJ?(qL@KMm8)mRTzW*_q?CfGwxRW~+D!Zj34#JMpszaADgX%p@D`vkyS6-#ePA zm;W9=-YN3+83nxfs_jD+BcN0d>k;`Z+f_Rfco1zAA8dUTGczfvKyu7rnx+@WXjsI% z*E^@g3#uwDmoKqRwcy?B(m9Miy-aT0%}OO$>SBLa`px7yt3sw3)xPR;n~!= z=j3&|daab866RC-4(Wbt@ATcnRAHW8U0kXST#v5Td~erNs^^sCi}>j$vW;GK`K&7? zWz^WSU2%s>QKpW&S*MKej)0FG79RqUVOxv04rwZF0mmpQC=LE)tsqUgt-oB9pUw2K zr{YoqS1c?S1e+Vv3~|Ibn9oqz4-Pci+8aw*{<`;@AUpK8)*!W<=eRyOa)l#|er^6) z3CmRz5r0A>OxB-Pi@GInHw)(Rr9=%p4i!G!GY+g@ES?2^06u54uz?G2YnEk+2iBze z%|O8k9f#;;8N`23zqUIruyus6@*E@?8okh@)u|A}DO{1E7zu6P+mztYQ3YghDBQ`U zS$n_}WW5^P7%TC_J*Zo;GZ|`8UwpF)^h?>>>Ft;()bN*ObnSPc3GWP8(|e;i=X^`_ zDi``{bt7D&sb&iEJs2#g)Z2{By)6R~xiIkEOr>`H+)Xtz5#t!yDbxEgvnOY?f-B1@ zoamm-0Nem~fT`Q53nNSb-zK%+ieE#rW%3m@E%HJjf+id6S zrKsIs=c;_m_}19Goi~1dep%6l3(`&dm2BH@#h=67HjNzNmIYpSN=D8{Y%5cxJ{$McEHT1AUp@ehBPeby{=2Q zW)~=f3C4;&GUq`Q=>Dp@aC5G6d72-E9@Am|FGH9YS|v*ONv8;-%7px-)Y(ET|M@T% zQz6OWV0-S|AXuSAaYZ{_v4;ph%G?gdu&)Un0Rnv@_$4x$Ep=b4njsZhJNPg7`T7SEifK@I61^tA4UrUyJ&ryaHW_znQ}(IU9GPg zh?B_Xhw#wSCQFij{~bWIg%IKpOJh}Vg^N2|<1}(BTgDpaiuv1WfMg^DcgFVv zZSQkjANc*Bq2lj>L_gEj^3Qj!wPmhNN~MAi439PLKg*)Tq)W8c_)&Pus?lc)*R^a` ziJq70>r&@5CVlR4=xOx)X%Tf23NsJ={CrN=AL3E{lLx|Ydv zo~hs|Uh|+W|L^NEf3pS~g{P}OX*jF0Spr;6nxOiSCfwV-3)eTlD!y6xvTZL7burq9 z(#Zwk$JZgXhVWxEEJ5t=^mD!x_O@YdpYHFu$WfS_=I?x2UB9vUd?wb{IQpi7>hHZe zl*vDJm8Qw&GWLWby^kn|ljGejlEsfjvKk#MiN)-&JMptRX^Ns;BcE5np4VHzY#FJi 
z7G)SFvM*w25TsqCJYYDf;=ZEe6r6ED?6;;NaMfrxs zYXkl#V*)B&g`89K`j!(Sng=<1%luC&k8boO@h;Vw)IYGzxQ?U*ruZd`{nbpT@$cK9 z1%)9u`o;OsQzClojJhCMvT;w1G#s$xoGi!yR>!^IW&ro+2z=(MsY*4OHV?FEnZ(k4 zaHH+2Z>ILfsH!*q$%`#$wK;GwW5(@EUpd%vsT4N40u>NXU{oHBrCgZuAof|rLxR7*FJ;oi zL27qrZMAccLoSf1P0A)lb#hml_>KE2#RLxZ(KS8PQ26&u9Jiw6YVY1pr%O2cLNR!c zT(*#myXcK>B}QXr@3S8ViN-2oV#j5Wlnn2e6cQ(UyiUjF3WDmt3^@zW!o}*M^XsSy&E@`1;E9li0Y{_F(FLzWYN!cGfAH&` zB5{(2ih;aXa14q+pU&A8bHY4|kE^tWG>IF^!7kS{O|}R(FB%|m1P%rp#eFzdb>^jw zKtm|B{&3QMpFp7)${w-HE6$e!WpmA8dJg4d2}Y~&5J9ADG5N%8S}r8s-4 z()Ta;SCc;$6;v4g0za{qNN9&tSbe(i7rbA?T#wrjIr3Uxgv}-P=cqkZdFAmaf~YKF58dVP!kr_GbLFmE!K<#NMLjQ-B7fBl$<$(&sua1h zTq6%fIVUBE91dg~-hW|P#1-556c!Iw9Q%>0fB-i$bSI1V3)Zbs?_{6y-j87p; zp^Ao5zF-V%x!_vzf-OiiH7Krz0rh-uT6ptS8i!RMO9Xt}`Chozd?PDfUheIOLV*of z3Gh2lnCl%sGkPS&>K79*5WG?=EW!O{43Q_YR6dtPZA8c(u4nxAIIDF@meZ8B3jP@>{-jp=D{{z0XNTNE@L+>?f1waoRc%xnJ)T{fX|-`dN=N8uLw|w#@fe8 zALnW%PZ46rrtzSSfep+rQ;E7(Z=LiK=XUH{a8w6U!+AESlVA15iHgeIXLDl>q78N# z?>>MA3!;6Z5$J0l21%DeZp0v(rb-qzfeS-^$-go3ixlb<~nUX1n8S3*mi(2 zGmR6aGLzr>A5*Y|#-M`F*-CP}Z(okmFyeJbLd^JTFtZVs0P9u6sm;x49^YJlO& zoMTu#I`+C(!~EPaw~%b5>B^xxzO5{}U*x8NPYu5Y_ix*nRJyTcKx;j3F`J0;Jg#jnf$m?z2%|oc|VAR4^QT$9I05-xo^kgM$eod9Y>? 
zz8Exf=blVl=1%ekA&N;CrC&SO*1wR{50!UnpdgoJ$G)4hMTG2AbGKO;iEG@P_d@3I zvlO2RG<*V+HRS@G!*D4b)KUpmRPl5e^5nAj;)ZiG!uf_W?TKC5iD|)Cpxkg$AXPNQ zV^v^!(9&b6b}O!)Gcr01{8lqCeXpWD)MIZ|I-J6yD%GEHqFBv!20L%vicrIE=HrWC z{K|#Kb@-IhhaxtIcj8hej7+eU4#8yYt9g1Ce zwZ5LytEYdc=UU38$6>z;%6?y^AzHS&wfPX0tR+=HBl%{@W0H)<{})N{{!2+Kr3knU z>5-H&*)S33R7#$6k}+ekjJZV1_qC0EiB<>Z>@F){%y*uq$E;d?IS=jD-Pmu}RmT@6 zjcsm9wq0_&C{~TP zA~l(=u5&EWaqaIMf~%}aP>{z~cL=!TqMEpI5I7q{My)6iGS}ORpJq?Krz^4xW1jw0 zD8h)r&@Sy^M>|5c7G7pDAxt4maT^@wA5;`_2kZyXkw~lY8&-QLw)58&#O|DSI^^zSl)cc|HUO75C*?Q9qYNl7-z|c}uj2M^ zpN=z>oEP9=wE_6lK%B>-4+HU5Y{vHfoqZl2yG7_m z%7@Z;(U(OPc6h5jW34njH_5Z?#iT?*&Z#QCWL50>V;}GxcR_+rHTRj(?*nb|`mfvT zUez@=y*Ohkw{vFk&BJlC&YU-EmN{Zf4LF&N7{lBKAN`0@m=6wG4q<(R)pQ>tP5a0c zwN62(X@DbPe;KcN*d_1K^n6&;rTlZ_IrWRiw~mNV<6Wwst&>27%&gFu&j|ELsZaR% z@}5Rxns*X|#r#ai1)hzn@bgGL@nQDDUJs^^u&hSflX9g-ACsY{W7{k{*!HVfablxT z`h?qkTVtMVWK34ypOiO$Z^C>ESi z>ay(|KKXe4QDVZSy9>AXi}^|geHy1K3g-rP<)YLZuKg_n+!{yChAM;9VmWhB9)1Dg zIxb&)*&NlkexzPMHO36<0$TiZjgt8`6(_uQ8OD;Thv&z^_r(^D6UdjAXu8`-+@+t{ zcCal%>ccb$p?bes$;O8&ENoa|EbaT|Y!&o>p$yrpf2F2*UQU9#KHugM`suC25^W!B zSV+bk3N@q`1>1bKd#Ua=7OZOY3mu^n{>9O@!Dd zBs~!CD6ndL4F#oJYRX31wB;C`PUg81=g zXt#v%rzvYLobigLLM1<>?S@dpSPwSSf^$-zGd zMyxl58%*<87iByl-Sc;oWst_A;|+5vPKUfmdC5L0(&0daqhHU!?x*bxFg_$ZeEg|QFs4GCd%B>SIW`j~7hZGqEjDqzeRC1^nsQKWk zJ!OtY%sm<}6o$LM5q2zpus8apztfLXFt*_}tRr9-1#C=*IA9w5E_DI5-(~RY3D@Mf z>GQ(xQUCB(_Zz`amVOH|#O=vZ?uPD;!&qO(Vxzmxfkk%F8Ncj~a(7aD{7+|!eT~*y zo!IntiCPcM3YiV1SC`6ZLEc{($Ec<(?L(E|I|?&dOGyzqSGn1H?<4+@JP-i@fPeqc z0Qy=esC)o&044zYxrGG~;gwD4{`?sW5Tyx*C`AZl0wX<4SmW~(8US#N0|5NT?!RRO z6Y&PZ!nlF+hZFVLX#N>Q``_B<+Bq%&fcS|?i_nD-(~HisjS->)06hc%0QLWZ2@@bh zpxpGBz9-6!&pixU{$D^a38EXyEqramVhMQeCF-lB@d_o0KxN=pNH~4B!U;w4q>7<^W6?IX$1hz zexp1u&Ht1_0Yn&-gZ{sMA?0HtX$kQG N&(E_GdiWph{{!IY1Oxy8 delta 30837 zcmV)5K*_(W+XLv70vAwA0|XQR1^@^E001EX5*XgyWB~vG7_k>30)NDm&u+pn494%1 z_6}99QybtgO%sK~{v0=?u?NT+LnG28iVcIepBrGBrVfNa+NDt&`}=-zV-Lsc#%3#s zXuK;$zvzh!T;;WK^HRJ|pYuDBAt|So^$tq00TkoW_0@2?34j@AJ1j*_6z-+Os)j~k 
z;R86{nfcf#;@3ErL4Q>XH3vE9^=@V59f6~qS`9H8KEg~bEoDz@{=6lLU{Pcb+rZYV z6eKbx5fw6B&8SD?TUL20Z3sIf&_i$)o@=RV+{f?!dmrGH_N_IyeBM2^8f zaS-1-km-4TDU!^QgClJ$;H7_m5D6$*`y4su0wF+MMPgnOKh_y4i_YM_|NU*IgFE-EEYfevOyFenT zI8tDl!-JGmTO2fHKA=mN#>YW(8e=Pit`C2@MOo(gos7RVpqgololy{X<{HF)49WR# zZQnFqjgP*58_@9?3(1KKlc0_*vVv*+UKUvb1$myKT$AC$#{*eJK5-mZB&SQc1XKJo z%wjUPYr>G#5zPz7R6aVTGg~hubF(T8kA3R;u`4vqKlXA~|LO|>0RR6308mQ<1Qe6Z z1_=ojVGaN20{{T6limgxe{E0WI1v7R(*1{A#MfXuZw(P;m9)t%608t(;qFuACN8l^ z;-2k55!(NLV2cp0Q6qt()3{6rx!H#DdpcKlh-v)fDmheJdng)DZTX1lC%@FNA-BVQ`0?!1Qjbh8I#OvDC)^ zjW(p;#ZNFI0sYU@D&2n+4ge(vH_)CD@-oMWmgd^iYu~%AJ@P0nMfU4clN2nnvrQEjo zxhax2ZwncdfBB0aq+t-aq2u|9=OmGzIwt{+oJmBoEXgMM2#>x&Ffxn_K|5V-Ch|TQWAA$@8*ri~Y|UraDmM zp1Zf_?)HTrwu2txEh|k+!sdIkErt2IZkywI&P^vxsiq66nCaAl);9wiVp|n2OJ*)6 z`)s@Ye;-H55s8noqrf{wd%&Qyx0?b|0o`mKy@(=$-4jESt@VY{{Sz9Ao6Pz+8Q~M( z!I>90estnGk?*rbn=bx8&ilTfcb{w;L@D-wqMwu8@yQ8x(lqp)V48cuXNXKES&+YyHQ_Hmc-ls&|C&+V*Bwar z^Vp2}c6GP7+$?PC`{u}qucs!E?bknZyn*OzcA#^9d!Xaw%jN9yK;MgOHowacbxtnR zX>z!Ka($irJ}84unVkI#lfecQe+V59>*xXi0JsML01W^D0C;RK zb98xZWpgfgZEU<%U2EGg6n!7;KM1|M{-~WL!FFky8VX$*G=se=ww#FS!$?Z%bnL(H z%Fc&N%eu9&msq-z&OKM>=q9~r1xH(|4O241;aPwYm8GhfTxIzCqVUET8B1hExRNx( zJ8JMnfByMXYV3~F`!%H&0faOeUR&EteczO8Du_8#4VAD`D=mnHsb2Y}(Ueri9TMD+ zf?(te!X)kyrlR~C5JB|ArtwN88e-X!ab|ZN7Dl3+-mIk3WXXYQ8^)wWZ8*{qYV{#W z7k!aOuu?0dYI_E_zN%|h(wB56{=_Hc2?>zje}@z%eh@vYz18nTihWJD%*luIv{up@ zRH}`%ASMuXS1^5$>QNSM$p!med1{`}mT-tf*w52aaix(3>EPx<7m-BJe#d2Fl|gqz zYxU?>Y9bil^=sYXPV)U`!9W1F%Xeh<9|MON=SOOhV*!CY1r06LvVaNNj~BZJI7qNt ze-G2`dt>)XlU*1kg9Cn-Fi)3CS77hcr5r+e%4uzZsAj9R`&!k&?^0O{7Rb|zk(H8! 
zyHa|P;{eJjDd+d@3H+#^VYfAs8&L>*Q)L()le>h&5DM83d%S+)@P}wU_5e19%lda% z)YeD*51dA%Y54Avvy~LIcU7K}!xTMgf6^>y+qumZ($*j1`bM_3((DN?)Y;aF*U9~# zQ@&bqCm={R@WnG%9Q8%+Rb}|jHAN2ZbFUFvZWy;rzTybLtlE>u0#~zj4X$(FF$-9& zqBYrYyErap_%!}XE4C5Qao0DtRknl3@M(POoBOoAx5`ZZ{?A84}OzXCWZjHiY}E7tpB_a)w+Vi_Jx zditF!fcB94BpL;mNf>y=c@TQ>h>X4Q=sfX?B#h>xcy^r>$$)$E&So6=Vc55IM?RTa zCMaj}pw&U4VH8Ay=^u*l4@&r_1i#$;HQ6q~mDXJvBq($GoLwQL6 zUyJ}+C<^oa|8Qoek4GuIJ!r#KSCVKH5)V42YTj*1^5gs3&xvO&?P@Ai2PJs{Lmp=z zKTHowZ%qqeJtTCdB(1f55d?;{AgLLt9)CLg(5Y(c7)AHV2Xp-H7lT>eaz0Z{F5m9l$?aKfqo@B+-rc;_$ z0`opbDP`VK;}zqbTx5p*8zsq^Rz@{;gyi7l`8NGYFbOETl5X?A3lpV*hCO!$e1Ap7 z@3RzTS62KAOWp|^Ut#XJbg|=gN&aT}_+hf1M}EFcKKZM0y6`89B=f^OnMYaluvq5l zKQf!v94qXy@-#FhnMcJkN=Y!A4h{5^!@;~+dzMzuAb?pwk%)L!^uQ!k7>>&3`~}nv_|-hjVm>Gw^$GvB;c*;A-LR`eJ82wES1? zRn)*ziC?_7EqcPys-dAfVZW)vXW*OG;_eua#`RWFzpTJ8Y-+SJik%Eo0-5;qBzMD! zJxPzl`*221MtKs4Nfe{Q3XENIha?``8LQ+)_{=&{F!O=pPT)*Q!n-lS;D6~q00030 z{{R30|NoSg-EP7#4255%$^)!%Qht?I8skN(t`b*lA{A_JKRcapVghRJfF8~lJNBvb zr*WK){nU5v@^z~&tpZi~@BZxZ)84A;2bzA^fBqgvKaA(8Rr<}S&J84eM=k#1@%yy{ zy><1qbM^55^gvFnGO@b2pW!*hhbHVVW{N_K?@i;i3;s1 z4{ZvdsEwc?pyVXmy3Rva1yIyRP$Qt^B%zx;be%#^=xXuIF9!+#6Tx{%!k8V%5lv!^ zZSwF7Qt)b4uQxhS|Y%Se4WP0 zh8UR}!Beb};Y&&TT@qK26aWAKcx*3oXkl_?WK(oMn8E_iKhqZDQQ}4 zvV>BREfv5=fk}32>lxvh>701cJt8|(EB(W)X4lY0tR6tC*$lX2Vt!=4WX?Heb|3B$ z#p)S=04p;i{Ba*<$BrF;v-`k z-#lu@eY;t)y^wE7cKKh5}@4xrSIPM#KcQbza=w`p)ef;d%xVY)o?f7)N>o)ky z)pl67d;B8lOG9!Q=Jzz1^@~JiJ*R zFg*C`bvN#@vh<++X3;M(*pq>tKEmsvzwI$E*F7H{gLW9(Yh4VNULJaUAMeJw>W15% z@AJc5!;;V~`SJUg_DaZcWUauMO$QqA5C$X4yj%XglW{LZ!g@E_q zsCLa2*9+Ev?q<_I{3jOzme+20_z`c0dBtYpLR-yWOe2H0diawD1Q*y35C4Cy zyQyrkrcpzSWsbkxw*73sekcDSbC~DErkMM6vD)_B=x`M~E;*X2$*taf**$*+n?5XQ zR&<@kg4P79S-;=N;K=}JZ zZV4}bvt4hmAKqXv-KhM6y}y9{8Mat;*S^27+OX@#X6RO!G1@eYgB*c7bYJ@8 zVMp5mlega9YEi%4m23yPv1UO(4Df=jrLADz?y$e%YQO3iwo2gZ_DA+qyWvyv^%8c# z>v86%7oaDCLAb&nd~fkPKOErDxt+{^Te}B4;wgMQc&GK&+`Z*2ZR^GJVdsxnlbq3Heds6O(I7v6Ma*Ci4#TiEz=nrzIho;Xn-)9f%@Tfp1hzL{ 
zn)?PjA7D0~(EV+J4WAX87JF&-f`|PU0BCBYahGhT9oy}N8)@;!?f^ViP4`+*f!pRC zJ>A#CbqllQ%PqqyUvC3o61LzuXAtWQ%MDOQxCldoRVtf}zg=xNLJ6An5)#kwQ9oi! zaCs1OZ2(Pg9T_*>-A#MIFkU5pze=aHOF&JINyx~-DX^e>;&<~F#T;`{7KkhD6PdXL z8}drRJLj9?u@Qw}iL_i{K0z~#>oega8|aqk+R+{?*+6_f{pRl!c=-0$Rvv5DBf|h= z)t-iw6GZv0P>RU5dvetsfcF=OC=7`Ff(QEr3_!=X8Ht+=INxsjE;*ck>4RN#*IZH> zw6yd&`14RGJfp2a`U@Bt+~Z#nLCzwMiw|JdgcmKmnP73BLjcGRxW(ZV|Ik1AUGGcX z1{y;XcnF@5(ZcL5$)#!B;BK~yEhj5o-fzq8iS2~j{BZc7XH0bm`+--OEuz_L!x+&( z!)r0Vi>J-kExq~lYA+psOZbvZk*AnfxQMT?taPGqC~^R88YY3lz}zwp(b2&?3Q;GqRq&ZUjCG8M60Z#i+@K zws;)+42L)hk?yqoVPW^(;zoSI?BcI}KfT@WXR%=URv*-$ZT{td*|-0Rkt0#SY4rX3 zSFdJY`_ck;*hYNw_@te%n$Ir|aCBG<-EeMkBL9K4+g|rGhxO`Trmryj#cN_j4)0(= z7*^kA_TDoCP=qVs1T08->xUwInSSWV*t|&a3C~1uomYt13vK-)%P0cylOsC2_w*NE z2+N%^=4UlHNDKadyfp9y?{W@c(p?EwVOf9Q?ctvv-rRPp?QTa8cHVpgYT|K&*OLi% zn^wEh62VN|#na|2h#`Q^j9nm%*$>+tx76j(VTb#e{0M8Vs}0~R0Lm2%w9WqE-!ans zf!jdOdwwiPh#MtVhKmxbzq{jdj*vbXT#TMw86P8F1`$f?>zu<%UX<}!AZ9#q4b3qr z&9J=$QsSF`ksTr&O`%*+AT#WQQG4qu#4PiXAO1{7>aozn8w@4~O@oVJIqE$#lQmgK zSe9FaR$PU^hlnNmTU`5zu8wue!8h(t1cY%E|7R;YCwAbS*_zx=@q*=s+ znY&FNKNgu8hnFmjg>N=X#cc>Gu!#VXKt3|ewXcELTwqV-=qL~IZyS4GtdDT#0^t!S z_}_V*RxA}5R`Sz${HF~z4iE*VlW>ERgN3g72Cw)AcVx6Z!i;RV{`g!G$N|T!+RH6= zr4X`z4a(TV>Hyrikr{W`dn0@%01cxi!?_GG6L6YfR%0|UEi-dQaFZ;W-mic->1z|C z=TOTjSCQ2<&zZhR^9XKgzu=I(S~ZH)VN1Zztn`AgH!wb<7+8ik`UjuGSHWV1P=&Yw z`*(q`QOq?0LlEVB9r_hyCAeM4D!N6|?ZJ6}V#J)rPK%lLg%s?=kG}cd9otuIFf0!C z4#-x_|7N>y*BZNsb}ZsRwq)kxEY2+gHw_5_9Yj4Vt_N&O3;yuzdPuVbhyow}6Su1g z?U_4y_&0cg29Yb%8CWiazF@VQ*5k`YLstg4=M4#=yg&_ef(7H9y3O~r-PPnWM9qYM z11)x^1! 
z<}*z>y_o#lu+d#<%*|NZmMm5TJVU!|ci2k21Kzw!IxWCT!7IXko4e+cGgcJbtfe3D zHKkR?=8O}{>s^6_x`EY^D@IZb1{FJhLR2^nFczsMN`Tw8%46jZU<8&JQ=kW>oepcQ z`0)S~LW|trio{Q5na=(4d!`M5S8zq2I@$;3iMUbBQgCnK1!-^ppXQ;o@>OI{JR(D- z(Zl?&V`{i9%CB+6jfU2Q>3O%8tNz-5q=RYaUowiz;G}Xt$I>f8NU+It70hFQ=v{v} zZ1?>VUIshp<5;lnW9w{5aysYO)|)4p#^-XZ7@z`zoMeyeBFi4Y%HECltWgG*HFiJk zKb8e=iNT3g=QeNxOUeijBOqG{E4I6lxggG>cfl}`@)^vx0pKE8hA}lBN$-M>87;`= zWIn}Bbvak-?LD@aA-j!eSzeldCW_fi`XoY_+KLvG-N(#E58DHb8$GYwEBKt0p5iwx zUPUNqjBd#d6IKAs)0NVU3BC}$Ig8C$lS|%HlGQ*ZxARTM)Gzo%03wA-*bn>#HWzWP zr!x$0f(AD4D`+Fvu7TSt0V*bqc#*NNtdNgRnOr85CLhnSF;979;VMmk;$|otP=35J zIj}T=9J&o6#ulEXn|YNlG;;oQvA@C6-n2*f} zygX<74FF@JUp@OUvKyQOT_2Dx zQ@$dMrDZJy0A!7YnHZ0MFj#~C!xF=UEbY?f*6#Xii<*=;T`&(ud*58);zY|r5`-dH z6?AAyOUX>llV7x@?leZC9Af`~yg)zLg_f#^)y7-VJKyh={|2a9Lo|S}C;W-|BY+dI zR(Kj3ZNdy14H>i?y$R(S1WBlq5Q5(W`x7bYm>0`}1YTO~51d$kGGoZ}Lu`QCz|5qJaXCzz<#a3RDrprFA*;ro#X7Fkh1 zytCIYE*>|skhjKc$Wen$0SLvHH2F^(L<)H+S^i?VT^!`RY(%w&xgeopAQGDBak#j} zMJSw{gb#|D@QDQEH?uc3f0kMB|NY+%45jOc0^{K}dty%NC@9vX@Q|b|x{ctM zNCI31iYWkpT3^iLcBPruW|Wf~2??;V&3Mu-oRw6JTSl?mKC_zx=IwE_;jNe!ZIORj z^jwDl&Zq$aG$ZA}h*H$^NGgVr#w2CpzCOom9C2K#gFiP6xxfwZMc`QYnuIPYV3@Ky zr^2CdS={drKjLcK*>jP@(`JI>6Aou~cMwgXU?<^!KHvlFP>dP>53@>JP0|C_&y67W z9}*?Q6GfikQs@X__UH^3kn147%fP^O2OMpDK$!{5-C26jga~2Pz#MvP>eqbQyl~MM z))Mb%ta?h7cZ?H|DCZE$mU8xbEKndb8ZHLvWUDZpDT9hdgn&<2jA>vvmx6O3?J$># z&`5WG*t#iQ&e6ueNZsONi2VU(p->9FCA}+%Kw94tS#a=JQ)id0a72CtF`Ij)a`>E# zhz#($AjTFDRU2uvIMtV-7E$<8~mRG0K4p zpYfA+!Eq;Fxfo6&w+}f?A2wRrWXt8hOfD6FtdL;|BM`&%R)&t$9cK}4B!cN88R{8W z+So{nj*wfKRIbR6HfLCz3n0`j=%5|O`7z84offAiFzK?4Se3|YUcGisEL(6Wew0{B zDl~hADh$E{0~2s+J&9LZ`^a*_{XzW^f;Xa(EB8K%b&WQuQ&9jONIc2&V%H+Ih5dMc z76~)CQ>v0@r-$&X3Un-Ld{E^Z~f{^_l(g|?^2$X>D4fW%@ z+e;uV@n6AO(~nc7w`zf=vk7=>g5ni_w@OJa&-RPQ9S-c^uJ%|DOrN?MjbUl+(&bGT zSP=$el}lhqfu&u@6lBoM2w>2pj38NRncCP51$mPMdvW!Ev{vu{+|K+1X8>8%kR){b@IWvPTCDUiZ>tPw{7T*U$dd~t<=&q9$dcw-B@6TTi(GYGf%xRx=tH{j;$2G<{Uy~yWEc!NGvnc zQi&PK4`3!>D|kJjFm$(+E9IP$x!<%}T}lVT6G#}}4czHDBwDXRc9u0T 
zXEmXGYWghmP~`q`F~Ax)wIsqUXZJB|1ECCE3L|mm_XMc)E-)y70Nh&^lZM@J06WU% z!*p;c#Sm;FUf_%(CybSU2VYHgGpK%AOq&P%OPXb`gHYZ=205}ZMD&(PMnqX8WMaX( zW%0pE%lD+_FRe6q{4msrOAGCqm^XU?ndJ01d2IPQ5-g`2S1z}p9W!eOdL3g(NG>9^ zkP!N6XH35R;lNLjVB|h!j1WsyiD1Ab{o%OO?rB3x=agd4QBPWb@};XZKF61_i?kU| zGzM<4s6x$0pyjH{n*#%R5HPL{25|6MvN8UvZPY%Y_o6CsI6)%4;vc2o4w@;0j`$D*uvx)G63487W;sx& zvO&dip*jVc9IMdK{}G^5eiExBML|USCjW7BVau9v8o~tk#qqMnS4ZZ@qSa>m@W03| zD{PqM5jYfoq;BLAjYxp!I#%TNwE4{H(jNW{k_gIhK=&+q0 z&rEMHkO|9Ln%o?>r5qxdHw^2KbTUvS03mb|)OF)R-@~7CormRrC{IhoB5?*saM)sQ zja8~JxaqfQodys;y)dXFu1-E^T|g8U@JP?3LTB9_F)=ayIVjt1cwE{D7^3 zxU&VME?~;zra{xXNQ68KYY`l1y0Fo5Odce9r6?ve@CqLEA5Gf^-?Kcx`IzlcwT?J? zN$`+95m8TigQ{YFh3rSDDpSA$oHKn6;!>bHL}DeNYy7=;cxFJ6_5Jw6YDsVZ8O<21 zl3LGXJn|yN)yoxGrJrN6S38QRi{L%aHo-rwA#K-djO=50`MFt7qi;DE|g)I ztwg@aMAv11>1%>tC<#LKpwexO@yZ;!q>+(BcgTqOB28mjtXdLmu00m7Xf+JO*ewRi zZuB72(y)4!mOjQNVTV7 zB)HY6gstrE7GMV>HA{@0L{>-QV!#Amc&Z<>O^Fev?Vxp|ZULl1NKO1^sS0pXV;RYO zmNCP!kTg~ilQK*$Q_i?xgYBxyZ44^Btixpf&#UY33|L0hBNzqR-C=wl-b{@CXI3gw zaHBJACw9C_B{4d&KW&=9aCeY@)aael6UyB&Bj1hBh=H~UM7y!FK~gClQ+2#da&8V| z5h0f8m`H&!glFQ|*%1pSXZ7xuyY65I73JMa+-Hs>@yJbcRxwV@W3fMhkVQubRK_33}ul zR6*s8253t0{0NI(TV>fk(wXVWOn%r^Vg-;J>Is1&AY}^G_=8vCFAhi!dHt&=m?>9O zA@ww?On|#Rz!w{hQo?h819sdPX4LJqDI3T&0p`IcL?yKvsZ?7qZ|JU(E0SmoL+Paf z%oLsofWxvLPdOZaNM9hfuAoiFI8b5DU`DHBo(zZ@dZ`k~IeE-1Xa>`*tYzTLj}bgu znKCXLc}zD#>XhK&K*aY3oD(2?TczxIGuucZ4R2% zyUxnJCq${Qda?HrM9rnlh!2E;p^O0tR)7ehBjqpnk%%-3EG9^eWffO=eip94RdY|7 zp_`BxS!T-%K}uq!+6?7bGc7ftnRl-oPq6F#_s&>Xyk()qxPQ{`QJ`~ZHV6E25Q}fTcWOod!IX1%!hg!M%A3sz?MS zx|VS+M_sJ8iqJ*ei$HC_Df5}^2kM!G+Lg^y-xew(cBkkl?$(r$K~;3kRd2?dQ8_!5kXW1s z1?JioQWZU6cBfngqO+$G92QzJWM|JEE=_B@!A!^u%je1=yG=Fip5nw7p`2}YZw1b- zA@aORl<*^ed-?obw`F#O4EIf)6WyVS=I)Q;}E?n@IkOE4h96kufqk z*6og|G2>+5(rrz3NG&i&g$fn)3roG7O0vT$0H{_5L&F9-X!JpL*2J*t#but#>;*~ANkOP3BiWv+ zrw&~X`JOod^1%~-x9D^izOzTsoToM9wxcWDk+G#dsq=<;7SkEx z#El3!kg;wz7Mo0}2~Cu0Wge*t6&j<0f+=a+7JC=IhWH;NkL_0Q-$WPqeXS8Hid${Z 
z6iXup8I-^cn{r_(sR9z4;8rq>oaq)dvmK#cw0h)A%BInLk^YGogvm>08l}&F-^fLt zp_&x}YoUZth67r{NfT5qW}bvImb-1O+q-^^f-?9~=7r)Gbx=qjsB|r|<>WJ{%AqS7 zw!nnab*tV$EDdLU!)2;oi*TpdQS{4>0A@S{yp|>mo6)2TcnCWjo8|V8 zuFzuLg$dc@5~1pZns2j(D_Pj5zuWY8pa{W|yW)XJ-!>4|o-EFMn^^&Whx9FFO)lS% zH6d!OiN`U=n4znv->ONZvNbG;>)>C4B_Y~ShRpg@e18CX$E696~q%4G(bE(bA;%K_)d4j~Nn^G;cta)nVc2;)toFFU8DcF%ua!DG9XlG~( zIYsP|y2^bBiN+X@<&5E`MS}pZXa7TY8N!I7<~Yl@pjc*#D={?_21(=^m3Ni#EYew? zD}?R#!VPG zn$2f0@(X09@9AJ_V*1N|F>J@}75Iwwz~HtnsgkV$LvKz(q`n0^Mx@DPRiVYCD$yI{ zxtz(G4rX&{;&1LFZ_p!#60?c9#=5rf&eB&dI8c;nrh>Y^#1*(#$Lm?eAb@I8oN`mN z0}2T}DQ-c7I@ZyDmPNP9)DyM}A;G+%6NABE{0Ci@bG1miA36slRor^K)y3+5(%RF_LVDs>4_J7FZSuyQev$`ReprAmyv-d| zJjw&64zFdB3N{RaE-#gfNJKau_qJ9;e49GkP0+>PVlb^Jy3TMX(_5Ht%uM+Ap`-p) z{bP!Mk@A!fd8I1DQ8(0$daU=~WAY()5%&d1v7D0R+Ia7pO>5o3*1*Wp;zmaE z#cHVvMv^eDfC&hQOqfT`BAS!~+Ip2PZtt2eXZmRAQvd2Kc*X``w~kPmmy4*P>9oVj zC1cQ6#A@my8p*w+C@%~J4O3bJm1kCmZ&kB@Y4Fa#?$}FQqI#AU;m8_@fy>6l#vxZO z8511u7fPp8aVFE`lcYCv0jvwbCK(^JXt44od5{vnan+TR1X_yoOerNsncaMCUQg=W zqp3qys4-?IpGBJm!;5!i5vJrK6lP`y-Xc?L%j|WLuGv^a)&hr6R=p{2oBRW=&3Uqa zcI0BLndX(70m{&qfrBiAmB^>C{tRi9JXYEmMGk$A;YW48^H*Mt|bpE{=w=gFj9!5*cnUQUlBP~<}}ql8qL5#R!Ti}WM?^m zbwd!SQv{j(9lSMclCe4NAQXn9suwPQfL->v5k_ko>iq1+I)Ew*NG%1|LXP>d8C62X zhje+L{+ugvEIRs8QunWkrG&6~pXfB_`C>vYwfzMX;G{@t=!A=*g)HpKF-Id_;TXm! zkwd`ANhj86CVTcV5s=hoef2v08qFpPEEzhWDigSYp+5x}T2rzw7^2^QfAQk0 zP^&ZIXB!wRa70~Z(#%klpp=YIFYtZw))@WNwbN8t&;V#vz}-OU(iC{PC~&QtnHmPOS zz|YALe$BYnL-gK-&4rAZWslCIVdOC z3=BS2lMX_WLGGFxQDb;#ZpSqW*zg4;HN0q=ZoQ^dRM1~|#yOV6JbRYRpeTh71(y{D zLAq)+Uk-}In?BA>u!}fH%DitoVp(0u2#)zx9-U`My|*CW|Iq zoy5sSO2QZe?JMrkOaNQxEn6vq$O^H_Zde(Zn?Sp&BsK^mpzr!8(N3WHc?tl+8|%BS z8<(&OoAxuzZio-nC?U=rF`O*%R){qqD#MmlgA#cUErc?&A6-6wne)Y@|KatE4*^YA z*ZkHEl4&nKzi3{*{PMMOvayV&D$w#E1$NtFJZ1+Ha2j$dFLjiV2@l*ruqSRkwX;$M zfDR6^k>gc}j!JEb9kJv+I)LIajq>|tj}B0jXno*W$*EY=1w4{JGb*206K-y_X%WxQ ztPaU9?*(;G4Gp$`qSv?~v_8-%cvPW&X6jv%$}l2u6=zayl%%+xtCgyz8)As89;G6Q zO@FD>5~x6h_Uc~EvPUMFT?02&=G5F`nY<0_(U!UJ3_^%{4-Ji=sd9yoLPJvWw%7k>}LYorLrX? 
z{OJoq`I^dqLEqkVzN(zd`CxBGpB2U-#oj`>KsIs+LsBGwwGGrL zbdnHIA%c=F>;c1loQlg_DvO$0X4*@+Z5$PG>z&ZpaL;?~6EcZblQ@qi+tMej1LGsn z9n}RI-+pl+X{wcqncybnVy(wTB=&$Ll>20KZ#iy%gh9~S{REzjYXE|LdU&`a=rJe~ zf1L0sIP}dutTwiLdfKCfMK|Am`})FD4OqR#Y7$x@NkL}#)t4_`Uz|4=U-D!4`SsVY zKgyrab@y~f^mEQ(<`J?=dM-8C50rX2ZaHGXjznhuni$K=5O&kH@&2=zn-tCMa7ZR$pzj!IB8#Xi++ zlX}K_!sd@mB6*&IJ2Ov3?zP1C;;CnW;&QEjx%NHQMmMPXzB(IcagRoW7P4b?m$y#n zK9{AFVaq*+8=R>EEkZgrkh7CoQ>rl2dJb6aH{W%tj;0+GN6v0jR5TG3l|GN;evkBj zLk{1})2wSaodk|j*phcMER8J`a9RK+@HF->LLLcVFod2@d^Z<0uI9^|R)0KsGO>$E;fW9|^~yG$Ky4=`6{gln zWD@5pC#oE^SGJJNa{HU@1^h2SmZ^2BMK92ls&<#ttp za!T#HtVEep!VBu3Q?6LXkPGyG1;r&E% zJJDE4JHg%OJM5P^U=5mjtMa`xD{erSxE%&));~!LED>D%NI6GIIFk0PgbTh#%qRKg zRS75tRcsgrpUBE!r|p>H^#%XwnvZn$!S&UnIcH|L0*g{S9aD^j0cV1JOjXwFGR}p2 z=CiWS(N1=;yL&$h%jkoDH0IOlC{$#J{*`#2M5(WQ7eO-DnwuYy{9*|kRtJw2N`eDi zK2Gk{_$EI7Xp5qgmbW=2(_Qc=P%K`RMor2ZKW&RhOvVbXh`_U*NsjZg=-wTZ! zST}lL&8Q0Lf}S9>VbfaGnvlG-=6^=1q!f)(gxPk_&iJjGQgo!HU?RjfF7M!bSjoP3pP@0&$437rHB7 ztfm7Zyayfps_rsVryO6j)LAs{!3e7pj|I(TVOjKwFpx{jiDhi?0NeCVSrX+W|B}PQ ztg=L))Ah9KuY4tcGvXFM@p70OI7tRRWhJLX3^t6G?+xjp6(38bDvr83i4hSL+YNzK z)(L4${Y8^F+Qahr+SJ-0);V{mAHa%##^EGdq3J-@cdF0}z2`yV7S)TGF{uuf3DFZV zN_DhkF$2eCFM?@FfWtB(Wk8O2P3sWZ?4 zN?s*N{UeEJ+=I)VighEJGCVa65j_rcK0&le4XPHZGbHs?y#{ zs(Ije>JMEoer5j8Lm@kH(t@K&{jw(^kV}AfNfFt986Ey%l}|&fYk$FT;A9i3*Erb> z5N3SE@zi12>(oTjxudx{txp8+DM?;4{m?T+%Vb$M7nPBtVixReW>z*=h+bE z;O$s{3&FN3HK-*1ZOY1(C)QySy+2M4e(Xpt@Ca% z2Dr%ptL%tbs;6{$k7vvjNg0%AxrzOu#h*!k+8B%pr!#NJ3D0rnOZn!_sOERYAt=dL zYBOUYMlo`fQABb>IGapy6^`7({Bziulp-lctKeF8yrIhkRLZU*24*`YVNf+l2stdr zZl28|3K{_Gh>!I?Ir8hc0cRCi&gLKqf;L|u`E#SeDr0oCa~z9Sqh}o2A_19Ee2BS! 
z2R@MK}`-go`VxnhG3SPu&@R^cI2+ zsTJ+H4O$&%8+Tf?J7v8CaAZ-}up8U9ZQGjIwry+Dv2EMQOl;f6B$J8lbnM)`-@Wy{ z_5ZiKs%xLx>#Vc(>fNXI+P%(t#((GOLRIrcyG`o2o@ktxol!|--4P!B{J2QWm7COA zfzd%kRW%NDsOzO`#z_C73|@*-F51dtUyL$>!Yt=q5v~gY4 zQ<`&D4Wy^^cUGrVgfVb$A)iQVu5)IuDMo%#BP3a^kcWDC2qojC(;m=bA8>`*SAN!$ z<9&YwhP|^T& zMI=r*&iB0DGnuA-?_7l^Ek;#2ve%K71+~s9^vm1Mb`_qip3gvM;*C z3lgVsH3+cON~)zFZbyGCfQATS7^yDX*3YZW4h`~fK?ad3_t0!Gt;rU%*SjIObwU0_ zjbahT4ylR4F_?Jvxvo6rGL>2AX^Q|Dp9-pkJGh*)h{%R7@_!<7&8q9-l=GZ~hPuR{ z|LcaBC}$GK^r@>X9=gGLkm@@Ko{IlfMS`8Ug)AaIk)#b@POB!JW!G1AD6hFLaT${! zBA82qNX(DG&KpDHw&H$#ME$O^oZnV<7*>f}4)X7Wgc;n0OZ}zM-;~g}D9PI^bsGxL;&Wk6?w*XR8bZG^jfi}R zHx6v0sS!@mQ@j>dRc$;w#gqd8nuh1*jct7nZbu^x{WyWG<;o5T^W#T?LSK((1R^00 zD9>(a7-7VA`!HQpb&LdVp`j3Z6yDF=8GOmdEg5Fnreg*F(0ICg>cHQU#*lOt8x#v3 z9n(uWU)Td$E8C{!oP0H~Q#dj)o2&^hA0g|2f(a-a|0bDWP*(tSaVGOWYD_X&kYv=mN;dYo&!Evf)6R=i=W zj=Cyuf)8s3+Pugr$Y=x6oZ+yHYMQlE=-_JvLEJa_!cq-y+e=+!iJ@V0fZVzcXYJ^m zwu+`{1Bheb(9Q^8M|2lycJh%#TOe((bwfmRc#AhFHOfHsQ(}# zl%8m|_Fwp`KguUW7wED~LZx7tBI|#{GoG~U)7GEL2H*&H&IJ+##DEVWd5PrdYfd9J z>O|-5>Y&O3QWJoYiif>5naNUmUE;xh3r?QH_Jk7MJ;0+>dQ$vBdvqXF1r^(P=cO5ox6Z z+2oz_QfA9y&0|5?Wde;h3(>$rjSlved*4bk;{8OZ zQsO^6uDF;U)e8daMihC{v4>x*7daVa;Otsf9yRO#`t#2bhIG7CF>6cdiaq?|k|~7m zTWT>q3UyZ!ia7=6BB`4xZ>8*|Gl$cOavxQ{6VC82{=&u;^AuOFOUHk{b3i@Dn46=R zUNPVUTyDVXEsJB=6bkq=)Gr7@)mahQO+(Ua6-gDAR3}r{@tQ{EW}$sFo(z-4!;cpg zrS)w53+-Ugk}De8WTElEj{ilUMvD!e%n%b#1e?o)D&3Xa_}E4iv;VEPRZ7_{1yc=I zjoJ=qyFaj6e$eCQv<8#Jzm-Oue&87R6;opjfN!(v#c|M!ZAvI7Eap_h?C@|`SC^36 z*LqkK8LbqEZ=z#Lx(v+7!PxV~N0IU{H;lq#LA+>He=LV7TCS4Ptmx9xi!@$Hy;P+J z*TcXpJE0o2UUUb~3d|?~++AMxvJNm&um1(@I9Gk)$^1iK(>_DlLfTz-wx;$o^ie+m zfSK`GjEX(O5g#8KIgOSob-X476G=czmcpf8aRK=^Lr7+RO%cB;p>MHxxa7C529Uii z`L9$ObyQ8M1a(!Pda#^-%5ghe2CYruE%zzRkF#6@JtxduoVGKb2`{0g$B(D>SGV6) z0(bMb)~&r~yU-!_rthZtRfB!?uzNE^MggkJCTG0HCvDg5~CzELRVs)GKfN_|K*TT8d*FxvH|g3{ITA{H|INI6K&>)fp+yDS4~X{H;RP05G9QXKbeb z@+(XC;s#UOfB{{A`_Qj&WtOngWAKdA9x#VKA&^;CAMuF19R^S`s5Y zqdZB-md2UdxdfTTvO5Krqb?%#E}Ed?W=g|fs~1)~NEQYLIV4!?=vhUL{eq@c-9`W5 
ztbCrm-Fk_vR@YR+Cct=l*!=(!oS0sTOL9RV1E`PEDX1i58ABw3e*qp2cG%{0ONF6<~f|XhAAgyM!7nKVA?= za5yutXxZWT@+W$sg0d~ozUH;HBdg*F41`2t3!Ol45a%BcusfE3`e2f!UU|Kh@#WNr zd&H_Cn&`=|0~MNT!+2I)!zB4Pc;0-nB+>?=emn3v zV;m%u(C09l5dbl|B2C*mA449KQXc{^(nJQXH{HMU6i4PlXLTPbeWfy-= z00B61EN@X>h%+%(bg!rqN3)$-)TA*ZwtS_YHiy0RN6;-L+IypvZYg=r=TQ`ES-`f@Xjq8JoG=Fm3%W>{@7uVUZ?wNIGJ zkdMilqof5>Z>qqe+fdxu&9Fx|Sxc2z^bA-?fHnUJbY76B(}9-pJV%1l*9ulMC$CZR zw;w`)2(wk~Tmo^vsV?u_C=U6*nUM%-2&1Hvi*s4$?Z$2BA8*u?ei`wG+;nZk^Y9?<^@H! zV3-u1#G?H~+(^|hNd*I=L93QfR>66_g{NE_%A~>;MBOUvohsM3aLa`hLVX{mZEAr) zf?h7PQQkwpWEHgv-YR_vv9>aeum9;5_>+=hx-SN{Wvyg+XQU0Co5pHNMh9TD${?$_ z^F+pcf{4fOhjAr9#o#zPWDrhHk~UkHRqbAAiH{_BNZE21`%TXHY&Ic zMz9gS6XP_t#3UDng9__I+5vg~6NX`jm?cJ;dC}B(n{U7Ru}q*voA-OUtao*#N21-y zfRB#aBfiJ2FniAu2`4hpWd}HjzzbQ^@cRd=)m*5yw5WAWHa^TW~@^2-11_2Nw>h75Kq`1)Y zVD*?93(&-w2+MiZIEr~083TO;2S^j>8mKpYs6YOKkDN1sPb&;(Laoc?g%0S+F$CL+ zpeuJE5?GFV2P)7SzCS}1-N6+xoL5QM1S+G6D-iXM=dTXesppU*?d@5cYiR$JAJmm; zjIIwmdWNI4TC$mIGX_YKW{wF)aJl{|i^_cIHA^#Pkph!T7A1;-3Bp+@lj=5za0#`D z^q=+-AZQmCD9UWu3EHP`=wILY9f?NgX{hcvGH8}xWrMQj`%(GqiK|bVksdS$N9v$O z@xC@e8ZwtGV6WLcO^00=wZZ}6w62*$m1`^LlZ0lBz5{7E#0cOZWQvKRUEOuo)$n0r z#u>Lx)%{%=++aAs(G2r1=U6$cIXfOO*-OGgRO(`^?oF|)yT%dpBr07zsGvWM3#29@ zLj~2{5%MDt^+;>QMe|cMg#XoxBy|BeiroZ>=Y7s85)n(EmDu;wq#R=9=;g6bzH1$ z|G^P@q*D~(n4zsBp|S7^gQa?3L;b6(nU3^8as#v$)uylVY8wtcOc3iaUFI$wRV#>S=D9HHDUQf z_-d4-8cO`AXn+dSQ|*ZKD3XryZ08h*I1)0O4gbHw@}cgejZ9=8k($Y&?b5$AjVr z=h)o<9tc#Z61r9@3zR-tUhu~?J>(XIrP4;5!qUT;^a8e=scQ|w@?Br7#K1CS%jWRY zK{alSYy*#C+XvpVesOKKQeBQmb$NzDlHwr?4*AafF=J5BwA~&TMFYF_1qP6xu5%58jx`X@d-$tgKrWPh4L zygpvse>n8A&jgBFL?;MQF^Az{fhUkY>cmkzcmCnhtBDFm4dslnTmB#`r$yiu1K8C+ zD*wnehQ<1^RIPz)-V~?`wKc8$6W#OVsZIo_jSY=xL2P80JLadbF5I1(rB+L%&8|Ph z51R+mRk;0n>(77-A#=u++A%)H0OjUW)}HJ4+$X5sp?r_))xkm|)H~ptfEyT-8RGhx zJ6Xga;gv=J3UdZG*vj(S?O5$q(C2;Ih)ntv4g*5Mpsoc6{~@hc&`|mUHO}9CeF_aw zf(wRppF-CxtR*!R>IhqNKoY{I`|BpK6r_q+j>a}BrpP#A5=O2^a$Yy<_aPy_wtJY_ 
z-XJ=S5Rxa!LsRLo{+lI@qfLlLo6HzPTOZE^b1-WH`xb;j6vE>2lh~5oDK%Dredx*!QYOE`4t`9uHJ<|R`7&(lce~FWW4Ufm)Q$C~oj-@h1Ej%O+ zei+r4RN68nm?otK#bfQm%1L7bv~-KN(YhewN z=^`m4G}6{SGmk4$2M5x1UR|&?o-lZ*xTFh+uCAO~dfIZyIsTrV-HY;!b^qyo_`&`L zdNn!doULs+&pW|;KLl3_0OTBoC5VP>PWwyP5f<%7+)xg*NT0LwAVet3sMJX$|Et{c z;~eF=xSg{b$oLhMnqELOc7_=fh1VQS7K;86vOvF}4L;r%JLGbB4zk`3OjcxKU*HN! z)ntpJbzcMDarBYjBxz79?d(|UHb;AbQObm_qHQCZ%r?7D{r=n?z{6R7=af>F22R&1 z&WkkVaRYXYC~9;~7v{c5|9EP#TUy-nI63a$WZCO;mdnINvI|c<_Zh}69eKN;tLn_$ zpcP~qxO6?g-t9Q3J2*WCr?Hlf{2Tg7tS~{OL$~rt$k;FTu|hA5gnx((_AjdV<_n{= zI!x8bai4;u#pw$-0QNRVg%q{&AsZ`Y4m1e+sR%qqVq3e)Igx$v<;c=J{3a9iQU{uR zGmfAtNgg63O(_EpYFkK5|AlA9wYoL=!h2fBV8+gaqy4VFyzl4ok0n*t|9*!n-l1#V z$%#0M3^U;Zbb>wCNt`@)KnO{ut>8c~ZEOfaPhY{CSz7cT0Bk3lnVVnjdMB|b9&&QM z1ik4l_eTic4yMzcGVU5RkxN+1xRM*yzg=aVfh5Nq&WOC*hub<_Dyq@@6BWh#E`aI4 zgA#kM;N;Xh4GERta_VS{^?(y%0JU(rLQ)I*H<&aM>mp|Wsk(5eIR9R|qZ0A|d z=BlWnyWx6w0@i}1;FGV|$<+0nc^JA0mT>d`KtwU?S)dct898V0cg+!lZ2*-wc7vnc zb1~liM=7%(?~i3|#3XU9X~7?H4K{v$M$+OB@(Hh`K9*JCByU(>^tK;XUz*MjHErBE z%`rJG6nCA>J9NP%A;vsci<7PJTB&vK@scMC{ZM834KTDY<>I-ywL(rpr&VCaYY|@z zE{22>QOkhPDwShYmo2AYaDJYW6ughY4`RCP2PHh3l4iDr^tVZ1Ba%Pz$jeEU=7FrMKMiFs;bD%g(P;B%7MZ?kovCq+yrtdj7i$aOIoo3bf&{` z-K_U|2biifVrJ5tr?^f-Ws2-nMcn1?Kwj`5f_{ScpoM3lYtyy`W$64#{i@)QPG9f~BIbc;_}PLQaE4zf^6P_cL)?c*|nw4Q?(3 zG>fD!KE@9r3DNN_1>D{?KF|gri_9JcmN?vB0D!FR->d#5k(N5J8K0BkR%BYs3)(au z#@8ioMFh!%1ih-Z{6d==;-V8HK(FhkaAmSrf}GKl@JC!;)D5)+^?Wbe%xHO`gaqMB znkNU7X2LIUiy5-EX(S0bt=VgwviUlkG)%z;1DbzP(&1PmDL79Q(qjQt;VozhhDt9~ z8XyEw(fqIHuEu(``I3CJH?p!LsJ+N~wcf&I^4Z8~;z49OPR2pkI8PYJj=JfB+8}9* z&Q9Hsr%l*!7p=)Ghgp~)ybD)iI@t3YKV3}z#A~(+;mOnR{d0o6$2~MaCrNb@LA7H{-$DQHciq|#NVZM}WKN$>TJ6ct|h)YZE zJ;wNevwRDK(L9V?t7nIyh<9CLQ}Tt2L1K)PL5AY^r+!cuEc8fM%N#iKIJBZbT%YN{ zx8`2dIMKeoN$UYkD?J9TkVL1+L9j&F;Kv1vbS^Gm$dn*}0(FftlWuc%6YLc23uqXM z_wr~~G(7A*_n;97euYMs7X2Xv;;*OKFu-if(yut;e=6ZV zV0LxI4vV+eo9tWv8474AmR>@MFM=32tW#`%jM4Cbx*#*JP@S-Z3F5;}21K#_Nf3gC zWJ{1#gT;0Gu39efH)wmOWpp^ouu~}XKnelvj^&M1e#+N~3su@j^XINCsLGG_^$XE> 
zJe6Ih%&==6Bvcg`A+cKChZx9*((bcR(s|B{fD}io{nTMW)_2#&fEOTuDo?ayeY9=A z3Hj+Wf#i22%6f33_xvn9C7^7ibFg|dm?q+E=Q6B9raXW{bWhF;uuQo;XnDX-l%2v3 zV&=~|K$0w3&xYX#$Sm-!lA1Dl&BUj5%Ba*=?A?W-R-(Ct1`8imllo`yw{N+ooIo?M z^?sZDg0D|ZAiefl6|!J+Ma`!IzV&;TgtZo$KH6*}L#)9y`Q$Z=4`AU`pB#~fNR_L6 z(Cl@EOkkOEW1rmiYrM$SBSiHuHVene_B*rs&Sy-AM|Jon(~AKRoKiwYG_lUgH9gQV z@cXw)A$j~usdsCGMh7S2#Pr^#KA{Q#J0VRTub+v*A?>&b+l4o+So-4D{fFDe9MxJ% z-dsx!BWrlNq~2TrEufTP&x95m<7U!I{KfEw4kcUxl77Zb3BTWEYHJJ5&4s;!Z@<9FH~e2y3O~ zQYP8J7f9Sh<;1kTacg>TfclQn<`MDn62i5`eJ&?4-=-{w4NzUND2{ImGoc0Gp>fL| z56U&_fYzEp8z`vDGudAx?IfWPAx}b6_@b~N9?1@AyXYr+L&=b6>efhi=HvLtk7k3A zTJs6GF_e-Hyx(0OT6&be5UvM{xxj-SHJL-t+)~yAM8r)#i3_<@`ZNvZ%?2s_h)L4D zqtU~qn8K*|j(=|?Qu+6NCrD_Qjy;1GKNOaZ)|%BXlJtWU=&7z7-~~1 z{P4O2U+;eL4VJ@vq5f9hzmqvy6EwRIP0f&$(#}^!$)ek-79D;@!yA){_TXwgS&VT7 z`DoZ=Md8JaWJ(ln_R-@*S4*Jc+cHPnj-+4IUW)_*0Z-D6B~w18dkQ6^r3H%~l+b7G zxMZbZXUYg%J#dr8W<%BuS}`MZ?gCNuab>Qtrxye$CDl@{SdIIV{O&{ob<5`MOEysh zk}6pedz>O2{RpB532ZVfYF9$P6^Fe!^f-4HnlehChgrk0`+rVt6Pap*u+V`>s%F}# z+xH?q1Ek?8sg+GXS>1Dho3Z86ZaSp@}n4euTYgb;pR!CC z?s@R!6^Nqq4N9HGE8n{9LLxn5fb?rnr}$S9zH@kv1Cy-tfafhsS^_0}$n0EW9trX9?8vExOxtM`dZdut zgJ(ExX9^H3%j=t$5?Az!+8bqiy9dVty4Ii zY!d?%HE+uLoPPu9NX_={R2FNyMF#0vAo#7uuHp(R3o4h2rc^x0K>as zS%Zy5j$nd2Q!%);9U#-JU-o|P@3w9{U#XfXzmCUYj<$`<7iUi2ho0_`^96L?DWE;v zWF|gM#ueRYhqE)Sq*7_vgM)@n1l^P=t;+pe)!dbtr+Kgvs_^3m`CEuU1v?I(;-b0) z(CR#bWWWj&MWyZSu`Me^>Vii zD%K>ElxRsR9-wulsJrC{NTq0q0ZzaXe=6t-Y+0<97}OHTJme$wC$tn@11y;i&7zm= z9^maiM=roY)bltu*Do#BCP07(uV~Ltxy+6uuEo2|ezu10tXmF9!!ade9?qGm3ApUk z`PWK8H=q)-4`hHqz&qT3jD99ij}w0G(2)J}QmqpZ2`0NSLA&5|eWrd+|m5s+tN zcchK4^at2}eTr^4?m-b(h?&CLW*=cxmNsl8C}i;{C6tOE;{xiQ4$)=PRZi6VrsGFt z*h{*)21;;<1yygnp8AZV8o?2>7%_euI9j!>-l6e$a92?37Sm9u+{^Ev1n%t(C_Dr2 zxrd=F-e9hQ0AKrXw2;+c+wEl^mblCyUQnlulbgD~xJ@|Y6RG_@J18Q^QSh~`|80R4G}mmdMzunhHv7Nckt?d@yx z;c~JXg|NR-PEOAI_=Cvo?N}&6EelR$ZnN!t<)*&ugoLo==^STCEG!f(k;K$>s4rtq z1{XzS#W-4kM1OuI99%1dGGz3?)dXmaeW$D?S*L|HCIVHixojliUOFoB29ca9tR2!| 
zXu@0D0soi_Zy#kpVPdrEfe~=Lh~7nruR8>Mq$%8{+`IY3jxF)bYSxMeCYj8Xu<@gc zimvWVl!F^bRlm>hB<1U0NIjX=!7uv2G0+zFd z6P-vE_f{xIdPr6gnvrcFdx|irJSz{n)|Rm(KmvV7OyM@zpGu-Cs4G_le`}yX_pYZuI@$`KBgly#hmW5s!a3XUK7rzX-h4P|27WaF; z_$%BQ+|;b5l2qf^PEL}Hh{+%>*{Fs%dn(=qsor<^L>-m#sty(u)T^+I6wUEZEOo>@ zK)JIa`TNHSmFC7k@1=+J4mA+^K2= zX<_v;?EWawo{_1`KvHkq;o5PRgcYrKwVL42+_`7yz@)atcDhtG{}IHU+D@qOLw=<5 zF_d+%{>Iex=Kj^KJLDgCVhnIHNxB| zl0J}$s2abZQ7%05N0GgVLr&ebZt!|vl#IU4zAQ9)-%XG2kB-h>2R?gWg?jl0a6itx zyO?DMKX*|lU9Gs^X!3{*uD@PC|Mac*eLeKLUTY=!^;J7vr6u3h{YFa2KoS3%_XyW(}7N#I!~t^gWm}+j zl;YYF$cS{~p2a4;f)?TOPXzSId6gl|0YW2-@E3kc+RSg9!YVWy@3Fs8fTF9|dYrq_ zmv|-%Y4&xP-3~pSuaT^YFThN)uKqc%{sPKvqbw$`Qtq94rp7xzLar{mqDYG|C5fAO z#%jwopSsCEm#JFdBc>unS0utfL;9|KxT#*doRw;6!nlw)n0Pve_4QZk`())gCJ#LM z@m!iJe%lSCJGcnmmdjCYFiohS(ampqARAH87yyyZ5drO>9O&u40;qvf0<2m~A{td* zRa82_M?kCFZOt24^;Hg0Gp+s#TSu_zbzabQ-B+-9dUbhy?BsO&C*#xo>A~O= zN6AZA?dkpYaL#Dzd}HdIn>8O`rGoEAsE`={H<5~5UtDZ=pjDlmryR<~ub_G99xm0a6*ou3p77OvhM1HOgn z)fccvUN7D~R$nqxD81VLmg8A1l2iyHt5j60$wL>@OOy`j)#ZizsKUlD6vQYz&&W)^ z2|}>xV3P&6_`9tpb{1y$jRPQ#Q2P@cMS_} zKEBBw$gqn2Qo3XGDQ9QX*2Vp!aAzAX*bv#4W4WfQwa1={f-0-ngJX7z?gnt(EA7tO z9cD81j5Ln_J#0mjx*-wy0w9Ub(t#@bVZup`A(0NA3t2h!eI7QQ1{p+NHAb<@!s!tP zqe}UgGQSQI2yEoLtp8{*ntW=7-HKKTnKXS;S4uOmD`h=@2!A;w-3rN%0Y=OLM<4Mw zaarc6g>olQ(@l)lg14Wp128+V^r2sjIr!Aldy=eqHHsuQ{r1;`$z^WiCoQemKLv70 z0VW+*H)_Sr9NwZzw5}SRwL+haj((3B(#O@x9hPykRyQs;F`I8~v!Z#@{-a`YMd!em zp+XhZ(zGq0zg%h>gSvJ)_`Ng@cGR5q2?L(k=L46_x0Si?l#?WYBFzQ@kr^{gDj_q` z*>Bv0hf~Cl|LOhs?ky^8AOJygr3A_xFPfOX8>tLtSdzPTKeTH=3Sxo6x(XTx4d9RN zXzW(1EJ(OPWzghUFYBa(%X6GD?6IelphDGU>{3}e`^d+vT6$tD_vRxMhq%CHqf9@J`s)I7h;&D%s@#(8Z}<$VppbJ$4NbC zKq8fF;r=ZyLiLv4aMEd0`N*?6SYmLdgBy$S$^*U~X17jc`^8BYJd7FmZOVUoL|il0 zKI4t)Hpkf^mCdHo4eNxXUZi%rJ`OkDe~U0OmfX&QWaAS9XQRRu^}5|CwoY%@LbLRE8yB(zltwP0P``jF>}^n$Sy9U=|$4 z7Asucs!3cli3?l?jUMH<;Q(+Ev0ic^wIa)JFj16TqKCS3zeg={A))3s0RqLN=o_ik z<*iZrA1k^M|1;Q9t0~YU+%mLpb-&cdgcAOcYV;;x3nkWl?=BS_f{+pRCB0z<(5dgn zvwFwjQAA$l>KR@)u&n3YcE1JtpKGHFtuQ%r(Ea7j4W^v*L;|p79fI&f<3sPUWBL}w 
zD?6)2U~uoU(flf@>5v3k@g5}Bcabxxoq9Lv-TUIky>#ur_hjj5#rY%0+iHrb$j+2G zjGc7F)0AJwFFjd0s=P#PZl3R)Qfb{l{@fxqb&7*SN*1u}a%4C2>d{7Wz5+#c$&wR3 z^YghkyTlFooMLJS6XNLKr^cFy%DBsO@T(@R;+W+yTL9L zA)ojfV3O|rV^j$rX9Rg!!6Un6Vz2If`|wKo`o@<1e_$St_yMF~78D6U*}9)37-BjM zEa&A+LZwNNl)H>haTIV{60yz4&71v4A4>-do0Ji1LrtNKTn!t_oHkR@ubr~ysaVBd z?owro>)navEOE_J$8kcHDNARFGCyHk{U;z(tz-Y&6QJmQfaGjrVlyvNDzE|v7x@XfUNS)^#8wE-1i_pZEmC41d@JdG^8K|+rQ7m6lzeB!Q& zqbVm#SY+Q>9!uIIVS1uyWwyFN`i{Elha`VS1DRQY6SX96+0(R9RKx5fO2855iN2J6 zC`?#wKfQ~*Z)U1U)6g*~C_usP-+z{oVV}??ewwr8p^es2 z)|NA!eZ6KmJX=S~Ck{e}hJx8i%QIDvI`FUt2zD+VIRr9G-MBVDm2CFNf@+Yoq1=&MxLm2e&f05tB@qE36y-`#_!q0Cizu#x~q5D*MV?u2l;HlV(1kO)%KuNz}#c%L~K9gZ&6a4#Pc* z`V=p)Gv{iD_7UT4jN|iz;My=*W|J8ooH_ZZ5Zx8gTmA-!Hl&Yp%p9mti;vFdD8GP= zZ3t{wAJY@R;kvsk{;NSHI$)RW$%eTsn85$CWv-Ux9Jr^zeb=zimsSB3Kbbn03`o1X zwc@1QF6jOIrl#?17ePi49PQ}}-=t>0pJ z-^<1Sz6POE?9Ukp{+C$_3j%`t-`?-mJ4_1mIVr*ajW+zR3@T#E*ah)7@(mA+0wtx6 z0y8D&0)^ne;J0rk?|+5ATZlL*A{Uq`6X%!&|2L%SzjCkmDPWgW1pke6{%xoy?S7ot)j6O`M(o YgQruLgM|8z5d8Oh^jl?Y#D9+dAF(KT?EnA(