From 7d7271ef037fed5e513431142fd9393e199232cf Mon Sep 17 00:00:00 2001 From: Abderrahmane Smimite Date: Sun, 1 Dec 2024 17:12:03 +0100 Subject: [PATCH] Add SAMA CSF Framework --- .../library/libraries}/sama-csf-1.0.yaml | 1188 +++++++++-------- tools/sama/sama-csf-1.0.xlsx | Bin 32759 -> 32982 bytes 2 files changed, 620 insertions(+), 568 deletions(-) rename {tools/sama => backend/library/libraries}/sama-csf-1.0.yaml (85%) diff --git a/tools/sama/sama-csf-1.0.yaml b/backend/library/libraries/sama-csf-1.0.yaml similarity index 85% rename from tools/sama/sama-csf-1.0.yaml rename to backend/library/libraries/sama-csf-1.0.yaml index 7ab680670..1cc2ea5b2 100644 --- a/tools/sama/sama-csf-1.0.yaml +++ b/backend/library/libraries/sama-csf-1.0.yaml @@ -11,7 +11,7 @@ packager: intuitem objects: framework: urn: urn:intuitem:risk:framework:sama-csf-1.0 - ref_id: SAMA-CRFR-1.0 + ref_id: SAMA-CSF-1.0 name: 'SAMA Cyber Security Fundamentals ' description: 'SAMA Cyber Security Fundamentals ' min_score: 0 
@@ -48,25 +48,30 @@ objects: - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 assessable: false depth: 1 + name: Cyber Security Leadership and Governance + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 name: 'Cyber Security Governance ' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 ref_id: 3.1.1-1 description: A Cyber Security committee should be established and be mandated by the board. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 ref_id: 3.1.1-2 description: The Cyber Security committee should be headed by an independent senior manager from a control function. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 ref_id: 3.1.1-3 description: "The following positions should be represented in the Cyber Security\ \ committee: a. senior managers from all relevant departments (e.g., COO,\ @@ -75,8 +80,8 @@ objects: observer\"." - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-4 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 ref_id: 3.1.1-4 description: "A Cyber Security committee charter should be developed, approved,\ \ and reflect: \na. committee objectives \nb. roles and responsibilities \n\ 
@@ -84,14 +89,14 @@ objects: \ a quarterly basis)." - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-5 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 ref_id: 3.1.1-5 description: A Cyber Security function should be established. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-6 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 ref_id: 3.1.1-6 description: 'The Cyber Security function should be independent from the information technology function. To avoid any conflict of interest, the Cyber Security 
@@ -102,48 +107,49 @@ objects: ' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-7 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 ref_id: 3.1.1-7 description: The Cyber Security function should report directly to the CEO/managing director of the Member Organization or general manager of a control function. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-8 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 ref_id: 3.1.1-8 description: A full-time senior manager for the Cyber Security function, referred to as CISO, should be appointed at senior management level. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-9 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 ref_id: 3.1.1-9 description: "The Member Organization should :\na. ensure the CISO has a Saudi\ \ nationality. \nb. ensure the CISO is sufficiently qualified\nc. obtain no\ \ objection from SAMA to assign the CISO." - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.1-10 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node3 ref_id: 3.1.1-10 description: The board of the Member Organization should allocate sufficient budget to execute the required Cyber Security activities. 
- - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node13 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node14 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 name: Cyber Security Strategy - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.2-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node13 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node14 ref_id: 3.1.2-1 description: The Cyber Security strategy should be defined, approved, maintained and executed. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.2-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node13 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node14 ref_id: 3.1.2-2 description: "The Cyber Security strategy should be aligned with: \na. the Member\ \ Organization\u2019s overall objectives; \nb. the legal and regulatory compliance\ @@ -151,8 +157,8 @@ objects: \ Cyber Security strategy." - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.2-3.a-b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node13 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node14 ref_id: 3.1.2-3.a-b description: "The Cyber Security strategy should address: \na. the importance\ \ and benefits of Cyber Security for the Member Organization; \nb. the anticipated\ 
@@ -160,32 +166,33 @@ objects: \ remain resilient to (emerging) Cyber Security threats;" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.2-3.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node13 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node14 ref_id: 3.1.2-3.c description: c. which and when Cyber Security initiatives and projects should be executed to achieve the anticipated future state. - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node18 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node19 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 name: 'Cyber Security Policy ' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.3-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node18 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node19 ref_id: 3.1.3-1 description: The Cyber Security policy should be defined, approved and communicated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.3-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node18 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node19 ref_id: 3.1.3-2 description: The Cyber Security policy should be reviewed periodically according to a predefined and structured review process. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.3-3.a-c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node18 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node19 ref_id: 3.1.3-3.a-c description: "The Cyber Security policy should be: \na. considered as input\ \ for other corporate policies of the Member Organization (e.g., HR policy,\ 
@@ -194,14 +201,14 @@ objects: \ best practices and (inter)national standards;" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.3-3.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node18 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node19 ref_id: 3.1.3-3.d description: d. communicated to relevant stakeholders. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.3-4 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node18 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node19 ref_id: 3.1.3-4 description: "The Cyber Security policy should include: \na. a definition of\ \ Cyber Security; \nb. the Member Organization\u2019s overall Cyber Security\ @@ -218,14 +225,15 @@ objects: 6. compliance with regulatory and contractual obligations are being met;\n\ 7. Cyber Security breaches and suspected Cyber Security weaknesses are reported;\n\ 8. Cyber Security is reflected in business continuity management." - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 name: Cyber Security Roles and Responsibilities - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-1 description: 'The Board of Directors has the ultimate responsibility for Cyber Security, including: a. ensuring that sufficient budget for Cyber Security 
@@ -239,23 +247,23 @@ objects: 3. the Cyber Security policy.' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-2.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-2.a description: "The Cyber Security committee should be responsible for: \na. monitoring,\ \ reviewing and communicating the Member Organization\u2019s Cyber Security\ \ risk appetite periodically or upon a material change in the risk appetite;" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-2.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-2.b description: b. reviewing the Cyber Security strategy to ensure that it supports the Member Organization objectives; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-2.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-2.c description: 'c. approving, communicating, supporting and monitoring: 
@@ -274,59 +282,59 @@ objects: Cyber Security.' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-3.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-3.a description: "The senior management should be responsible for: \na. ensuring\ \ that standards, processes and procedures reflect security requirements (if\ \ applicable);" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-3.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-3.b description: b. ensuring that individuals accept and comply with the Cyber Security policy, supporting standards and procedures when they are issued and updated; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-3.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-3.c description: c. ensuring that Cyber Security responsibilities are incorporated in the job descriptions of key positions and Cyber Security staff. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-4.a description: "The CISO should be responsible for: \na. developing and maintaining:\n\ 1. Cyber Security strategy;\n2. Cyber Security policy;\n3. Cyber Security\ \ architecture;\n4. Cyber Security risk management process." - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-4.b description: b. 
ensuring that detailed security standards and procedures are established, approved and implemented; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-4.c description: c. delivering risk-based Cyber Security solutions that address people, process and technology; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-4.d description: d. developing the Cyber Security staff to deliver Cyber Security solutions in a business context; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.e assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-4.e description: 'e. Cyber Security activities across the Member Organization, including: @@ -343,15 +351,15 @@ objects: 5. performing Cyber Security reviews;' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.f assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-4.f description: "f. conducting Cyber Security risk assessments on the Members Organization\u2019\ s information assets;" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.g assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-4.g description: 'g. proactively supporting other functions on Cyber Security, including: 
@@ -362,14 +370,14 @@ objects: 3. performing Cyber Security reviews.' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.h assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-4.h description: h. defining and conducting the Cyber Security awareness programs; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-4.i assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-4.i description: 'i. measuring and reporting the KRIs and KPIs on: 
@@ -383,34 +391,35 @@ objects: key Cyber Security improvements).' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-5 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-5 description: "The internal audit function should be responsible for: \na. performing\ \ Cyber Security audits." - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.4-6 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node24 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node25 ref_id: 3.1.4-6 description: "All Member Organization\u2019s staff should be responsible for:\ \ \na. complying with Cyber Security policy, standards and procedures." - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node43 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node44 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 name: Cyber Security in Project Management - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.5-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node43 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node44 ref_id: 3.1.5-1 description: Cyber Security should be integrated into the Member Organization's project management methodology to ensure that Cyber Security risks are identified and addressed as part of a project. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.5-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node43 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node44 ref_id: 3.1.5-2 description: "The Member Organization\u2019s project management methodology\ \ should ensure that:\n a. Cyber Security objectives are included in project\ 
@@ -422,45 +431,46 @@ objects: \ risks are registered in the project-risk register and tracked. \ne. responsibilities\ \ for Cyber Security are defined and allocated; \nf. a Cyber Security review\ \ is performed by an independent internal or external party." - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node46 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 name: Cyber Security Awareness - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.6-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node46 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 ref_id: 3.1.6-1 description: The Cyber Security awareness programs should be defined, approved and conducted to promote Cyber Security awareness and to create a positive Cyber Security culture. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.6-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node46 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 ref_id: 3.1.6-2 description: 'A Cyber Security awareness program should be defined and conducted for: a. staff of the Member Organization. third parties of the Member Organization. customers of the Member Organization.' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.6-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node46 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 ref_id: 3.1.6-3 description: The Cyber Security awareness program should target Cyber Security behaviors by tailoring the program to address the different target groups through multiple channels. 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.6-4 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node46 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 ref_id: 3.1.6-4 description: The activities of the Cyber Security awareness program should be conducted periodically and throughout the year. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.6-5 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node46 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 ref_id: 3.1.6-5 description: 'The Cyber Security awareness program should at a minimum include: a. an explanation of Cyber Security measures provided. the roles and responsibilities 
@@ -468,29 +478,30 @@ objects: events and cyber threats (e.g., spear-phishing, whaling).' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.6-6 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node46 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 ref_id: 3.1.6-6 description: 'The Cyber Security awareness program should be evaluated to: a. measure the effectiveness of the awareness activities. formulate recommendations to improve the Cyber Security awareness program.' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.6-7 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node46 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node47 ref_id: 3.1.6-7 description: Customer awareness should address for both retail and commercial customers and, at a minimum, include a listing of suggested Cyber Security mechanisms which customers may consider implementing to mitigate their own risk(s). - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node54 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node55 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node2 name: Cyber Security Training - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.7.1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node54 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node55 ref_id: 3.1.7.1 description: "Specialist or security-related skills training should be provided\ \ to staff in the Member Organization\u2019s relevant functional area categories\ 
@@ -499,41 +510,46 @@ objects: \ maintaining information assets. staff involved in risk assessments." - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.1.7.2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node54 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node55 ref_id: 3.1.7.2 description: "Education should be provided in order to equip staff with the\ \ skills and required knowledge to securely operate the Member Organization\u2019\ s information assets." - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 assessable: false depth: 1 + name: Cyber Security Risk Management & Compliance + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 name: Cyber Security Risk Management - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-1 description: The Cyber Security risk management process should be defined, approved and implemented. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-2 description: The Cyber Security risk management process should focus on safeguarding the confidentiality, integrity and availability of information assets. 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-3 description: The Cyber Security risk management process should be aligned with the existing enterprise risk management process - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-4.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-4.a description: 'The Cyber Security risk management process should be documented and address: @@ -541,26 +557,26 @@ objects: a. risk identification;' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-4.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-4.b description: b. risk analysis; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-4.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-4.c description: c. risk response; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-4.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-4.d description: d. risk monitoring & review - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-5 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-5 description: "The Cyber Security risk management process should address the\ \ Member Organization\u2019s information assets, including (but not limited\ 
@@ -568,137 +584,140 @@ objects: \ components" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-6.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-6.a description: 'The Cyber Security risk management process should be initiated: a. at an early stage of the project;' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-6.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-6.b description: b. prior to critical change; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-6.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-6.c description: c. when outsourcing is being considered; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-6.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-6.d description: d. when launching new products and technologies. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-7 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-7 description: Existing information assets should be periodically subject to Cyber Security risk assessment based on their classification or risk profile. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-8 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-8 description: 'The Cyber Security risk management activities should involve: a. business owners. IT specialists. 
Cyber Security specialists. key user representatives.' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-9 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-9 description: The result of the risk assessment should be reported to the relevant business owner (i.e., risk owner) within the Member Organization; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-10 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-10 description: The relevant business owner (i.e., risk owner) within the Member Organization should accept and endorse the risk assessment results. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1-11 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node57 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node59 ref_id: 3.2.1-11 description: "The Member Organization\u2019s Cyber Security risk appetite and\ \ risk tolerance should be clearly defined and formally approved." - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node75 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node77 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 name: Cyber Security Risk Identification - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.1-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node75 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node77 ref_id: 3.2.1.1-1 description: Cyber Security risk identification should be performed. 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.1-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node75 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node77 ref_id: 3.2.1.1-2 description: Identified Cyber Security risks should be documented (in a central register). - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.1-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node75 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node77 ref_id: 3.2.1.1-3 description: Cyber Security risk identification should address relevant information assets, threats, vulnerabilities and the key existing Cyber Security controls. - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node79 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node81 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 name: Cyber Security Risk Analysis - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.2-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node79 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node81 ref_id: 3.2.1.2-1 description: A Cyber Security risk analysis should be performed. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.2-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node79 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node81 ref_id: 3.2.1.2-2 description: The Cyber Security risk analysis should address the level of potential business impact and likelihood of Cyber Security threat events materializing. 
- - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node82 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 name: Cyber Security Risk Response - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node82 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 ref_id: 3.2.1.3-1 description: "The relevant determined Cyber Security risks should be treated\ \ according to the Member Organization\u2019s risk appetite and Cyber Security\ \ requirements." - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node82 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 ref_id: 3.2.1.3-2 description: Cyber Security risk response should ensure that the list of risk treatment options are documented (i.e., accepting, avoiding, transferring or mitigating risks by applying Cyber Security controls). - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-3.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node82 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 ref_id: 3.2.1.3-3.a description: "Accepting Cyber Security risks should include: \na. the consideration\ \ of predefined limits for levels of Cyber Security risk;" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-3.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node82 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 ref_id: 3.2.1.3-3.b description: 'b. the approval and sign-off by the business owner, ensuring that: 
@@ -708,16 +727,16 @@ objects: 2. the accepted Cyber Security risk does not contradict SAMA regulations.' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-4 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node82 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 ref_id: 3.2.1.3-4 description: Avoiding Cyber Security risks should involve a decision by a business owner to cancel or postpone a particular activity or project that introduces an unacceptable Cyber Security risk. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-5 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node82 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 ref_id: 3.2.1.3-5 description: 'Transferring or sharing the Cyber Security risks should: @@ -730,8 +749,8 @@ objects: risk.' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-6 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node82 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 ref_id: 3.2.1.3-6 description: "Applying Cyber Security controls to mitigate Cyber Security risks\ \ should include \na. identifying appropriate Cyber Security controls. \n\ 
@@ -743,19 +762,20 @@ objects: \ for any residual risk by the business owner." - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.3-7 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node82 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node84 ref_id: 3.2.1.3-7 description: Cyber Security risk treatment actions should be documented in a risk treatment plan. - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node91 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node93 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 name: Cyber Risk Monitoring and Review - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.4-1.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node91 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node93 ref_id: 3.2.1.4-1.a description: 'The Cyber Security treatment should be monitored, including: 
@@ -764,25 +784,26 @@ objects: ' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.4-1.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node91 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node93 ref_id: 3.2.1.4-1.b description: b. the selected and agreed Cyber Security controls are being implemented. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.1.4-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node91 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node93 ref_id: 3.2.1.4-2 description: The design and effectiveness of the revised or newly implemented Cyber Security controls should be reviewed. - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node95 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node97 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 name: Regulatory Compliance - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.2-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node95 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node97 ref_id: 3.2.2-1 description: 'A process should be established for ensuring compliance with relevant regulatory requirements affecting Cyber Security across the Member Organization. 
@@ -794,66 +815,68 @@ objects: c. result in the update of Cyber Security policy, standards and procedures to accommodate any necessary changes (if applicable).' - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node97 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node99 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 name: Compliance with (inter)national industry standards - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.3-1.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node97 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node99 ref_id: 3.2.3-1.a description: 'The Member Organization should comply with: a. Payment Card Industry Data Security Standard (PCI-DSS);' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.3-1.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node97 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node99 ref_id: 3.2.3-1.b description: b. EMV (Europay, MasterCard and Visa) technical standard; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.3-1.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node97 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node99 ref_id: 3.2.3-1.c description: "c. SWIFT Customer Security Controls Framework \u2013 March 2017." - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node101 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node103 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 name: Cyber Security Review - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.4-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node101 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node103 ref_id: 3.2.4-1 description: Cyber Security reviews should be periodically performed for critical information assets. 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.4-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node101 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node103 ref_id: 3.2.4-2 description: Customer and internet-facing services should be subject to annual review and penetration tests. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.4-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node101 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node103 ref_id: 3.2.4-3 description: Details of Cyber Security review performed should be recorded, including the results of review, issues identified and recommended actions. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.4-4 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node101 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node103 ref_id: 3.2.4-4 description: The results of Cyber Security review should be reported to business owner. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.4-5 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node101 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node103 ref_id: 3.2.4-5 description: 'Cyber Security review should be subject to follow-up reviews to check that: 
@@ -863,73 +886,79 @@ objects: b. critical risks have been treated effectively; c. all agreed actions are being managed on an ongoing basis.' - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node107 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node109 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node58 name: Cyber Security Audits - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.5-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node107 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node109 ref_id: 3.2.5-1 description: Cyber Security audits should be performed independently and according to generally accepted auditing standards and SAMA Cyber Security framework. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.2.5-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node107 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node109 ref_id: 3.2.5-2 description: "Cyber Security audits should be performed according to the Member\ \ Organization\u2019s audit manual and audit plan." - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node110 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 assessable: false depth: 1 + name: Operation & Technology + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Human Resources - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.1-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node110 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 ref_id: 3.3.1-1 description: The human resources process should define, approve and implement Cyber Security requirements. 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.1-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node110 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 ref_id: 3.3.1-2 description: The effectiveness of the human resources process should be monitored, measured and periodically evaluated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.1-3.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node110 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 ref_id: 3.3.1-3.a description: "The human resource process should include: \na. Cyber Security\ \ responsibilities and non-disclosure clauses within staff agreements (during\ \ and after the employment);" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.1-3.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node110 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 ref_id: 3.3.1-3.b description: b. staff should receive Cyber Security awareness at the start and during their employment; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.1-3.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node110 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 ref_id: 3.3.1-3.c description: c. when disciplinary actions will be applicable; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.1-3.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node110 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 ref_id: 3.3.1-3.d description: d. screening and background check; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.1-3.e assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node110 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node113 ref_id: 3.3.1-3.e description: 'e. 
post-employment Cyber Security activities, such as: @@ -937,27 +966,28 @@ objects: 2. returning information assets assigned (e.g., access badge, tokens, mobile devices, all electronic and physical information).' - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node118 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node121 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Physical Security - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.2-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node118 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node121 ref_id: 3.3.2-1 description: The physical security process should be defined, approved and implemented. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.2-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node118 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node121 ref_id: 3.3.2-2 description: The effectiveness of the physical security process should be monitored, measured and periodically evaluated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.2-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node118 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node121 ref_id: 3.3.2-3 description: "The physical security process should include (but not limited\ \ to): \na. physical entry controls (including visitor security); \nb. monitoring\ 
@@ -966,118 +996,121 @@ objects: \ \ne. protection of information assets during lifecycle (including transport\ \ and secure disposal, avoiding unauthorized access and (un)intended data\ \ leakage." - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node122 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node125 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Asset Management - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.3-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node122 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node125 ref_id: 3.3.3-1 description: The asset management process should be defined, approved and implemented. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.3-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node122 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node125 ref_id: 3.3.3-2 description: The effectiveness of the asset management process should be monitored, measured and periodically evaluated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.3-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node122 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node125 ref_id: 3.3.3-3 description: "The asset management process should include: \na. a unified register;\ \ \nb. ownership and custodianship of information assets; \nc. the reference\ \ to relevant other processes, depending on asset management; \nd. information\ \ asset classification, labeling and handling; \ne. the discovery of new information\ \ assets." 
- - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node126 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Cyber Security Architecture - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.4-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node126 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 ref_id: 3.3.4-1 description: The Cyber Security architecture should be defined, approved and implemented. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.4-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node126 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 ref_id: 3.3.4-2 description: The compliance with the Cyber Security architecture should be monitored. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.4-3.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node126 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 ref_id: 3.3.4-3.a description: "The Cyber Security architecture should include: \na. A strategic\ \ outline of Cyber Security capabilities and controls based on the business\ \ requirements;" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.4-3.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node126 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 ref_id: 3.3.4-3.b description: b. approval of the defined Cyber Security architecture; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.4-3.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node126 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 ref_id: 3.3.4-3.c description: c. 
the requirement of having qualified Cyber Security architects; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.4-3.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node126 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 ref_id: 3.3.4-3.d description: d. design principles for developing Cyber Security controls and applying Cyber Security requirements (i.e., the security-by-design principle); - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.4-3.e assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node126 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node129 ref_id: 3.3.4-3.e description: e. periodic review of the Cyber Security architecture. - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node134 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Identity and Access Management - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node134 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 ref_id: 3.3.5-1 description: The identity and access management policy, including the responsibilities and accountabilities, should be defined, approved and implemented. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node134 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 ref_id: 3.3.5-2 description: The compliance with the identity and access policy should be monitored. 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node134 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 ref_id: 3.3.5-3 description: The effectiveness of the Cyber Security controls within the identity and access management policy should be measured and periodically evaluated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-4.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node134 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 ref_id: 3.3.5-4.a description: "The identity and access management policy should include: \na.\ \ business requirements for access control (i.e., ned-to-have and ned-to-know);" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-4.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node134 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 ref_id: 3.3.5-4.b description: 'b. user access management (e.g., joiners, movers, leavers): 
@@ -1102,27 +1135,27 @@ objects: and revocation requests should be established;' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-4.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node134 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 ref_id: 3.3.5-4.c description: c. user access management should be supported by automation; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-4.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node134 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 ref_id: 3.3.5-4.d description: d. centralization of the identity and access management function; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-4.e assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node134 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 ref_id: 3.3.5-4.e description: e. multi-factor authentication for sensitive and critical systems and profiles; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.5-4.f assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node134 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node137 ref_id: 3.3.5-4.f description: "f. privileged and remote access management, which should address:\n\ 1. the allocation and restricted use of privileged and remote access, specifying:\n\ 
@@ -1133,113 +1166,115 @@ objects: \ of non-personal privileged accounts, including:\na. limitation and monitoring;\n\ b. confidentiality of passwords;\nc. changing passwords frequently and at\ \ the end of each session." - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node144 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Application Security - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node144 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 ref_id: 3.3.6-1 description: The application Cyber Security standards should be defined, approved and implemented. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node144 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 ref_id: 3.3.6-2 description: The compliance with the application security standards should be monitored. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node144 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 ref_id: 3.3.6-3 description: The effectiveness of the application Cyber Security controls should be measured and periodically evaluated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-4 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node144 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 ref_id: 3.3.6-4 description: Application development should follow the approved secure system development life cycle methodology (SDLC). 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-5.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node144 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 ref_id: 3.3.6-5.a description: "The application security standard should include: \na. secure\ \ coding standards;" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-5.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node144 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 ref_id: 3.3.6-5.b description: b. the Cyber Security controls implemented (e.g., configuration parameters, events to monitor and retain [including system access and data], identity and access management); - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-5.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node144 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 ref_id: 3.3.6-5.c description: c. the segregation of duties within the application (supported with a documented authorization matrix); - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-5.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node144 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 ref_id: 3.3.6-5.d description: d. the protection of data aligned with the (agreed) classification scheme (including privacy of customer data and, avoiding unauthorized access and (un)intended data leakage); - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-5.e assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node144 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 ref_id: 3.3.6-5.e description: e. 
vulnerability and patch management; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-5.f assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node144 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 ref_id: 3.3.6-5.f description: f. back-up and recovery procedures; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.6-5.g assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node144 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node147 ref_id: 3.3.6-5.g description: g. periodic Cyber Security compliance review. - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node156 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Change Management - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node156 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 ref_id: 3.3.7-1 description: The change management process should be defined, approved and implemented. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node156 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 ref_id: 3.3.7-2 description: The compliance with the change management process should be monitored. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node156 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 ref_id: 3.3.7-3 description: The effectiveness of the Cyber Security controls within the change management process should be measured and periodically evaluated. 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node156 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 ref_id: 3.3.7-4.a description: "The change management process should include: \na. Cyber Security\ \ requirements for controlling changes to information assets, such as assessing\ @@ -1247,8 +1282,8 @@ objects: \ of changes;" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node156 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 ref_id: 3.3.7-4.b description: 'b. security testing, which should (if applicable) include: 
@@ -1263,77 +1298,78 @@ objects: in case the source code cannot be provided;' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node156 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 ref_id: 3.3.7-4.c description: c. approval of changes by the business owner; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node156 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 ref_id: 3.3.7-4.d description: d. approval from the Cyber Security function before submitting to Change Advisory Board (CAB); - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.e assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node156 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 ref_id: 3.3.7-4.e description: e. approval by CAB; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.f assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node156 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 ref_id: 3.3.7-4.f description: f. post-implementation review of the related Cyber Security controls; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.g assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node156 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 ref_id: 3.3.7-4.g description: g. development, testing and implementation are segregated for both the (technical) environment and involved individuals; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.h assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node156 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 ref_id: 3.3.7-4.h description: h. 
the procedure for emergency changes and fixes; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.7-4.i assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node156 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node159 ref_id: 3.3.7-4.i description: i. fall-back and roll-back procedures. - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node169 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Infrastructure Security - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node169 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 ref_id: 3.3.8-1 description: ' The infrastructure security standards should be defined, approved and implemented.' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node169 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 ref_id: 3.3.8-2 description: The compliance with the infrastructure security standards should be monitored. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node169 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 ref_id: 3.3.8-3 description: The effectiveness of the infrastructure Cyber Security controls should be measured and periodically evaluated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-4 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node169 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 ref_id: 3.3.8-4 description: 'The infrastructure security standards should cover all instances of infrastructure available in the main datacenter(s), the disaster recovery 
@@ -1347,8 +1383,8 @@ objects: mobile devices, PBX).' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node169 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 ref_id: 3.3.8-5.a description: "The infrastructure security standard should include: \na. the\ \ Cyber Security controls implemented (e.g., configuration parameters, events\ 
@@ -1356,48 +1392,48 @@ objects: \ [DLP], identity and access management, remote maintenance);" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node169 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 ref_id: 3.3.8-5.b description: b. the segregation of duties within the infrastructure component (supported with a documented authorization matrix); - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node169 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 ref_id: 3.3.8-5.c description: c. the protection of data aligned with the (agreed) classification scheme (including privacy of customer data and, avoiding unauthorized access and (un)intended data leakage); - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node169 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 ref_id: 3.3.8-5.d description: d. the use of approved software and secure protocols; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.e assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node169 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 ref_id: 3.3.8-5.e description: e. segmentation of networks; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.f assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node169 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 ref_id: 3.3.8-5.f description: f. 
malicious code/software and virus protection (and applying application whitelisting and APT protection); - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.g assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node169 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 ref_id: 3.3.8-5.g description: g. vulnerability and patch management; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.h assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node169 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 ref_id: 3.3.8-5.h description: "h. DDOS protection (where applicable); this should include:\n\ \ 1. the use of scrubbing services;\n 2. specification of the bandwidth agreed;\n\ 
@@ -1407,45 +1443,46 @@ objects: \ as well as the disaster recovery site(s);" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.i assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node169 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 ref_id: 3.3.8-5.i description: i. back-up and recovery procedures; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.8-5.j assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node169 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node172 ref_id: 3.3.8-5.j description: j. periodic Cyber Security compliance review. - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node184 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node187 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Cryptography - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.9-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node184 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node187 ref_id: 3.3.9-1 description: A cryptographic security standard should be defined, approved and implemented. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.9-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node184 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node187 ref_id: 3.3.9-2 description: The compliance with the cryptographic security standard should be monitored. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.9-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node184 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node187 ref_id: 3.3.9-3 description: The effectiveness of the cryptographic security controls should be measured and periodically evaluated. 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.9-4 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node184 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node187 ref_id: 3.3.9-4 description: 'The cryptographic security standard should include: 
@@ -1456,42 +1493,43 @@ objects: c. the management of encryption keys, including lifecycle management, archiving and recovery.' - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node189 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Bring Your Own Device (BYOD) - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node189 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 ref_id: 3.3.10-1 description: The BYOD Cyber Security standard should be defined, approved and implemented. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node189 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 ref_id: 3.3.10-2 description: The compliance with the BYOD Cyber Security standard should be monitored. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node189 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 ref_id: 3.3.10-3 description: The effectiveness of the BYOD Cyber Security controls should be measured and periodically evaluated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-4.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node189 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 ref_id: 3.3.10-4.a description: 'The BYOD standard should include: a. responsibilities of the user (including awareness training);' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-4.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node189 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 ref_id: 3.3.10-4.b description: b. 
information regarding the restrictions and consequences for staff when the Member Organization implements Cyber Security controls on their 
@@ -1499,135 +1537,138 @@ objects: terminating the employment or in case of loss or theft of the personal device; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-4.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node189 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 ref_id: 3.3.10-4.c description: c. the isolation of business information from personal information (e.g., containerization); - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-4.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node189 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 ref_id: 3.3.10-4.d description: "d. the regulation of corporate mobile applications or approved\ \ \u201Cpublic\u201D mobile applications;" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.10-4.e assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node189 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node192 ref_id: 3.3.10-4.e description: e. the use of mobile device management (MDM); applying access controls to the device and business container and encryption mechanisms on the personal device (to ensure secure transmission and storage). - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node198 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node201 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Secure Disposal of Information Assets - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.11-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node198 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node201 ref_id: 3.3.11-1 description: The secure disposal standard and procedure should be defined, approved and implemented. 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.11-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node198 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node201 ref_id: 3.3.11-2 description: The compliance with the secure disposal standard and procedure should be monitored. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.11-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node198 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node201 ref_id: 3.3.11-3 description: The effectiveness of the secure disposal Cyber Security controls should be measured and periodically evaluated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.11-4 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node198 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node201 ref_id: 3.3.11-4 description: Information assets should be disposed in accordance with legal and regulatory requirements, when no longer required (i.e. meting data privacy regulations to avoid unauthorized access and avoid (un)intended data leakage). - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.11-5 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node198 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node201 ref_id: 3.3.11-5 description: Sensitive information should be destroyed using techniques to make the information non-retrievable (e.g., secure erase, secure wiping, incineration, double crosscut, shredding). 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.11-6 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node198 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node201 ref_id: 3.3.11-6 description: The Member Organization should ensure that third party service providers used for secure disposal, transport and storage comply with the secure disposal standard and procedure and the effectiveness is periodically measured and evaluated. - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node205 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node208 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Payment Systems - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.12-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node205 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node208 ref_id: 3.3.12-1 description: For Saudi Arabian Riyal Interbank Express (SARIE) information, please refer to the SARIE Information Security Policy, Version Issue 1.0 - June 2016. 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.12-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node205 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node208 ref_id: 3.3.12-2 description: "For mada information, please refer to the following sections in\ \ the mada Rules and Standards Technical Book (se appendix A):\n \u2022 Part\ \ IIIa - Security Framework, Version Issue 6.0.0 - May 2016\n \u2022 Part\ \ IIIb - HSM Requirements, Version Issue 6.0.0 - May 2016\n \u2022 SAMA CA\ \ IPK Certificate Procedures, Version Issue 6.0.1 \u2013 October 2016\n" - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node208 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Electronic Banking Services - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.13-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node208 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 ref_id: 3.3.13-1 description: The Cyber Security standards for electronic banking services should be defined, approved and implemented. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.13-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node208 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 ref_id: 3.3.13-2 description: The compliance with Cyber Security standards for electronic banking services should be monitored. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.13-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node208 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 ref_id: 3.3.13-3 description: The effectiveness of the Cyber Security standard for electronic banking services should be measured and periodically evaluated. 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.13-4.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node208 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 ref_id: 3.3.13-4.a description: 'Electronic banking services security standard should cover: a. use of brand protection measures to protect online services including social media.' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.13-4.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node208 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 ref_id: 3.3.13-4.b description: "b. online, mobile and phone banking:\n 1. use of official application\ \ stores and websites (applicable for online and mobile banking);\n 2. use\ @@ -1659,8 +1700,8 @@ objects: \ of SAMA before launching a new electronic banking service." - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.13-4.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node208 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 ref_id: 3.3.13-4.c description: "c. ATMs and POSs:\n 1. prevention and detection of exploiting\ \ the ATM/POS application and infrastructure vulnerabilities (e.g., cables,\ @@ -1673,8 +1714,8 @@ objects: \ remote stopping of ATMs in case of malicious activities." - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.13-4.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node208 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node211 ref_id: 3.3.13-4.d description: "d. SMS instant notification services:\n 1. SMS messages should\ \ not contain sensitive data (e.g., account balance - except for credit cards);\n\ 
@@ -1685,43 +1726,44 @@ objects: s mobile number for all retail and personal financial transactions.\n 5. SMS\ \ notification should be sent to the customer\u2019s mobile number when beneficiaries\ \ are added, modified and activated." - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Cyber Security Event Management - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-1 description: The security event management process should be defined, approved and implemented. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-2 description: The effectiveness of the Cyber Security controls within the security event management process should be measured and periodically evaluated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-3 description: To support this process a security event monitoring standard should be defined, approved and implemented. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-3.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-3.a description: a. the standard should address for all information assets the mandatory events which should be monitored, based on the classification or risk profile of the information asset. 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-4.a description: 'The security event management process should include requirements for: 
@@ -1730,195 +1772,196 @@ objects: (i.e., Security Operations Center (SOC));' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-4.b description: b. skilled and (continuously) trained staff; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-4.c description: c. a restricted area to facilitate SOC activities and workspaces; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-4.d description: d. resources required continuous security event monitoring activities (24x7); - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.e assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-4.e description: e. detection and handling of malicious code and software; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.f assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-4.f description: f. detection and handling of security or suspicious events and anomalies; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.g assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-4.g description: g. 
deployment of security network packet analysis solution; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.h assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-4.h description: h. adequately protected logs; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.i assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-4.i description: i. periodic compliance monitoring of applications and infrastructure Cyber Security standards - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.j assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-4.j description: j. automated and centralized analysis of security loggings and correlation of event or patterns (i.e., Security Information and Event Management (SIEM)); - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.k assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-4.k description: k. reporting of Cyber Security incidents; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.14-4.l assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node216 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node219 ref_id: 3.3.14-4.l description: l. independent periodic testing of the effectiveness of the security operations center (e.g., red-teaming). 
- - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Cyber Security Incident Management - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-1 description: The Cyber Security incident management process should be defined, approved, implemented and aligned with the enterprise incident management process. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-2 description: The effectiveness of the Cyber Security controls within the Cyber Security incident management process should be measured and periodically evaluated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-3 description: The standard should address the mandatory and suspicious security events which should be responded to. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-4 description: 'The security incident management process should include requirements for:' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-4.a description: a. 
the establishment of a designated team responsible for security incident management; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-4.b description: b. skilled and (continuously) trained staff; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-4.c description: c. sufficient capacity available of certified forensic staff for handling major incidents (e.g., internal staff or contracting an external forensic team); - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-4.d description: d. a restricted area to facilitate the computer emergency response team (CERT) workspaces; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.e assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-4.e description: e. the classification of Cyber Security incidents; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.f assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-4.f description: f. 
the timely handling of Cyber Security incidents, recording and monitoring progress; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.g assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-4.g description: g. the protection of relevant evidence and loggings; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.h assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-4.h description: h. post-incident activities, such as forensics, root-cause analysis of the incidents; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.i assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-4.i description: i. reporting of suggested improvements to the CISO and the Committe; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-4.j assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-4.j description: j. establish a Cyber Security incident repository. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-5 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-5 description: "The Member Organization should inform \u2018SAMA IT Risk Supervision\u2019\ \ immediately when a medium or high classified security incident has occurred\ \ and identified." 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-6 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-6 description: "The Member Organization should obtain \u2018no objection\u2019\ \ from \u2018SAMA IT Risk Supervision\u2019 before any media interaction related\ \ to the incident." - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.15-7 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node233 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node236 ref_id: 3.3.15-7 description: "The Member Organization should submit a formal incident report\ \ \u2018SAMA IT Risk Supervision\u2019 after resuming operations, including\ 
@@ -1930,28 +1973,29 @@ objects: \ of services, unauthorized modification of data, (un)intended data leakage,\ \ number of customers impacted);j. total estimated cost of incident;k. estimated\ \ cost of corrective actions." - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node251 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node254 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Threat Management - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.16-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node251 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node254 ref_id: 3.3.16-1 description: The threat intelligence management process should be defined, approved and implemented. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.16-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node251 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node254 ref_id: 3.3.16-2 description: The effectiveness of the threat intelligence management process should be measured and periodically evaluated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.16-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node251 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node254 ref_id: 3.3.16-3 description: 'The threat intelligence management process should include: a. the use of internal sources, such as access control, application and infrastructure 
@@ -1966,63 +2010,69 @@ objects: and the action-ability for follow-up (for e.g., SOC, Risk Management);f. sharing the relevant intelligence with the relevant stakeholders (e.g., SAMA, BCIS members).' - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node255 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node258 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node112 name: Vulnerability Management - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.17-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node255 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node258 ref_id: 3.3.17-1 description: The vulnerability management process should be defined, approved and implemented. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.17-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node255 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node258 ref_id: 3.3.17-2 description: The effectiveness of the vulnerability management process should be measured and periodically evaluated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.3.17-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node255 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node258 ref_id: 3.3.17-3 description: 'The vulnerability management process should include: a. all information assets;b. frequency of performing the vulnerability scan (risk-based);c. classification of vulnerabilities;d. defined timelines to mitigate (per classification);e. prioritization for classified information assets; f. patch management and method of deployment.' 
- - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node259 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node262 assessable: false depth: 1 + name: Third Party Security + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node262 name: 'Contract and Vendor Management ' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node259 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 ref_id: 3.4.1 description: The Cyber Security requirements should be defined, approved, implemented and communicated within the contract and vendor management processes. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node259 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 ref_id: 3.4.2 description: The compliance with contract and vendor management process should be monitored. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node259 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 ref_id: 3.4.3 description: The effectiveness of the Cyber Security controls within the contract and vendor management process should be measured and periodically evaluated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-4 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node259 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 ref_id: 3.4.1-4 description: "These contract and vendor management processes should cover: \n\ a. whether the involvement of the Cyber Security function is actively required\ 
@@ -2031,116 +2081,118 @@ objects: \ Cyber Security reviews and audits." - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-5.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node259 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 ref_id: 3.4.1-5.a description: 'The contract management process should cover requirements for: a. executing a Cyber Security risk assessment as part of the procurement process;' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-5.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node259 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 ref_id: 3.4.1-5.b description: b. defining the specific Cyber Security requirements as part of the tender process; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-5.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node259 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 ref_id: 3.4.1-5.c description: c. evaluating the replies of potential vendors on the defined Cyber Security requirements; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-5.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node259 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 ref_id: 3.4.1-5.d description: d. testing of the agreed Cyber Security requirements (risk-based); - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-5.e assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node259 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 ref_id: 3.4.1-5.e description: e. 
defining the communication or escalation process in case of Cyber Security incidents; - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-5.f assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node259 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 ref_id: 3.4.1-5.f description: f. ensuring Cyber Security requirements are defined for exiting, terminating or renewing the contract (including escrow agreements if applicable); - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1-4.g assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node259 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 ref_id: 3.4.1-4.g description: g. defining a mutual confidentiality agreement. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.1.-6 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node259 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node263 ref_id: 3.4.1.-6 description: 'The vendor management process (i.e., service level management) should cover requirements for: a. periodic reporting, reviewing, and evaluating the contractually agreed Cyber Security requirements (in SLAs).' - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node272 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node262 name: 'Outsourcing ' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.2-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node272 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 ref_id: 3.4.2-1 description: The Cyber Security requirements within the outsourcing policy and process should be defined, approved, implemented and communicated within Member Organization. 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.2-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node272 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 ref_id: 3.4.2-2 description: The Cyber Security requirements regarding the outsourcing policy and process should be measured and periodically evaluated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.2-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node272 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 ref_id: 3.4.2-3 description: "The outsourcing process should include: \na. the approval from\ \ SAMA prior to material outsourcing. \nb. the involvement of the Cyber Security\ \ function. \nc. compliance with the SAMA circular on outsourcing." - - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + - urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 assessable: false - depth: 1 + depth: 2 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node262 name: 'Cloud Computing ' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 ref_id: 3.4.3-1 description: The Cyber Security controls within the cloud computing policy for hybrid and public cloud services should be defined, approved and implemented, and communicated within Member Organization. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-2 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 ref_id: 3.4.3-2 description: The compliance with the cloud computing policy should be monitored. 
- urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-3 assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 ref_id: 3.4.3-3 description: The Cyber Security controls regarding the cloud computing policy and process for hybrid and public cloud services should be periodically measured and evaluated. - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.a assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 ref_id: 3.4.3-1.a description: "The cloud computing policy for hybrid and public cloud services\ \ should address requirements for: \na. the process for adopting cloud services,\ @@ -2152,8 +2204,8 @@ objects: \ cloud services;" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.b assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 ref_id: 3.4.3-1.b description: 'b. data location, including that: 
@@ -2162,16 +2214,16 @@ objects: Member Organization should obtain explicit approval from SAMA;' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.c assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 ref_id: 3.4.3-1.c description: "c. data use limitations, including that:\n1. the cloud service\ \ provider should not use the Member Organization\u2019s data for secondary\ \ purposes;" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.d assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 ref_id: 3.4.3-1.d description: "d. security, including that:\n1. The cloud service provider should\ \ implement and monitor the Cyber Security controls as determined in the risk\ @@ -2179,8 +2231,8 @@ objects: \ of the Member Organization\u2019s data;" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.e assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 ref_id: 3.4.3-1.e description: "e. data segregation, including that:\n1. the Member Organization\u2019\ s data is logically segregated from other data held by the cloud service provider,\ 
@@ -2189,16 +2241,16 @@ objects: \ it from other data." - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.f assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 ref_id: 3.4.3-1.f description: "f. business continuity, including that:\n1. business continuity\ \ requirements are met in accordance with the Member Organization\u2019s business\ \ continuity policy;" - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.g assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 ref_id: 3.4.3-1.g description: 'g. audit, review and monitoring, including that: @@ -2212,8 +2264,8 @@ objects: at the cloud service provider;' - urn: urn:intuitem:risk:req_node:sama-csf-1.0:3.4.3-1.h assessable: true - depth: 2 - parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node276 + depth: 3 + parent_urn: urn:intuitem:risk:req_node:sama-csf-1.0:node280 ref_id: 3.4.3-1.h description: "h. exit, including that:\n1. the Member Organization has termination\ \ rights;\n2. the cloud service provider has to return the Member Organization\u2019\ 
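Review bot: the section-node URNs are positional, and in these hunks the renumbering makes `node276` change meaning: on the removed side it is 'Cloud Computing ', on the added side it is 'Outsourcing ' (Cloud Computing becomes `node280`, and Contract and Vendor Management moves from `node259` to `node263`). Anything that stored the old URNs, for example an assessment or mapping built against the earlier file, would resolve to a different section without raising an error. Consider deriving these URNs from the section number rather than the row position, or confirm that nothing loaded the library before this rename.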
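Review bot: several `ref_id` values on the nodes re-parented under `node263` look inconsistent and are carried over unchanged. `3.4.1-4.g` holds item g of the list whose other items are `3.4.1-5.a` to `3.4.1-5.f`; `3.4.1.-6` has a stray dot; and the first three requirements under Contract and Vendor Management are `3.4.1`, `3.4.2` and `3.4.3`, which read as section numbers and sit beside `3.4.2-1` (Outsourcing) and `3.4.3-1` (Cloud Computing), while their next sibling is `3.4.1-4`. Each of these values is also embedded in the node's URN, so fixing them later means changing URNs again; it is cheaper to correct them in the spreadsheet as part of this change. The cloud items `3.4.3-1.a` to `3.4.3-1.h` reuse the `-1` prefix although they follow `3.4.3-3`; please check those against the source document as well.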
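Review bot: the per-letter nodes such as `3.4.1-5.b` to `3.4.1-5.f` are `assessable: true` but their descriptions are fragments ("b. defining the specific Cyber Security requirements as part of the tender process;") whose lead-in sentence exists only in `3.4.1-5.a`, and the same applies to `3.4.3-1.b` onward. An assessor looking at one of these nodes on its own does not see what the item is a requirement of. Either repeat the lead-in in each description, or keep the list in a single node as is done for `3.4.1-4` and `3.4.2-3`; the two styles are mixed within the same section here.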
diff --git a/tools/sama/sama-csf-1.0.xlsx b/tools/sama/sama-csf-1.0.xlsx index f70b7ba34a5160a43a9fda3ce1f04ffb85c7cad6..35c8a32ef6be0ebe06703d47c71bf6fb750a477f 100644 GIT binary patch
zX;R3lJ2YyhCCLNfu0~I)x;@;JQZ304MS>80 zqK(ezB#0WKi)hj16rD) z^`ZuJuENeb4}?8i4s>h`bKw${yFDOH%0XQnhT_txT^hDRP4g%K$=5p|K7ps1&xBOu zb7Wsgj8x`7CfgAq)hQ5(mopM#7cytXH%p&28y7}f-mIWo>f9<<%pc$o#xP7VOEwFj zFoY0V=u0tEgX8*=s;V6+f7h6}fRs9?9ufHzBuV3WMU;KEKBr-C(rGLv6mB zBd~#~ra%Ov*fd~{u|D3maL>k3b&sfYZI58n3~^4AONli7uMzB4Dz+|bD???Xfn{4a z#}DD!AP}*hj~3U(0yZcd`|6y0GPrhsl2lm2!A_%XquU^0cbeSp5kGCvgXFVTa$4E6 z#%vhmMjEAbRXdtq_sQGJ%lPdR^td>6S<$i|Z>g^V3iyut>1r1nawxYX%2#MeU7E&T zQp)T)Eb})bkFAk-MdF`~I!{BmRIwm`EAjl8o0aj)ZtS8^ow`Y7m0N^FDe}Qp>CDQ= zKI62H;@ACqWr{JAd7*(ZY<1T+Wr%9U$D<%aSYT+y}b?%8seKiNVsSEks z$iU?h3-(&>rvBKYO_dWME<^2{z<~Dhb z#TO1M2jZ3{SDJn^dd?*_8AWt1z1@XM^sXl1AH=Yw?bbYWP;Q)ONCOwAaJNASWQ=iM z1LX1|ToMkvs7Zaxu<@--1TeZa(^lpjz8|XX1AH@tA}^Ff3N-t3996Lmyw~07MdQrB z{nkEbSuK)Th(o~cYD~|YuN4IZ9Z|1(KSaKfvFuYu!>dx9`{;TFP$9)72GQ&F!j>b? zwOmvBC%#zLn}GNSXrnTi*Ew&r8-6JbPb8mC&zwTup*s+c?O;_1IMQQ6f&l`)1zyh=UXzZ*US9&QRMpEB}}8L>hzrD7XvDMmc$z- z3f51W?J&uh*MwPfaTAz|yX@a2g#`J6v)i*NdOLx`&}hq~ozPdMs{S&fyD~2q42Te} z^YT2fGMt462P>e^fcaDgCr|K$yB<$GBx~4N^quQ}r<8h#%hQUGZ+77VdPM4WD6PZ8 zy$~!-^_@}(Wq7E4r?uIUk#Dj%%_nNk@T4DN3$Fd8=A*s>@6PN8>0;#Sq6(w!E>5Xy zA3BqONml2OW-g)NsoHNYkH|?d$Xda_lt_V*c_mfge9Y#3a>D0ysGs27-CBXI-1ELV z>-oM&`u6>pzZhEYI`*xviM^m(5Yf#t0>dlvM! z!QOc6%FJr2r{iU;09``&^WJX>1dH$Ov&-vM*~6I=PN#cT%R&A=*k*=Hx*uvMK`7un z5U&>K5cBY0~Y2;x$$=_$bPLfoE>RuyUmau21IW3{%cks6vQoFE@itQyQ zho8Krv0MHo?~JCb-nEoVIuO6VfJHjx{j7BV9bJE1u)$AIUtV~UcYOif#I+_$Otyp? zCwUeYzFn@Vs_rg$D}*n~HHLNq@K``sPp8ZdtzC<05kh?DgPInputSa9v&ln`aouZp;+;&?;UmlpIY0!9tVLuhsk?v4 zDo@0MO1gasj$0(I%K;K#L7jwl1=Dvc=oRkjk3;AuabvT^+x8EyA&r|Dm45_Bn`q0j zQKGXRUg%tEu+AjbVq!vFnUe4P03(nO=3kdGsQKaEkiMZ|Dy0g@}|Rn6;To zW}@uMi^U~um}8gw37e|Qy4}i{yN%0heDRF_hi!THJ~=~YSpmJUc7{8ns+QBb9@83p z*Ey87?8*yW=-0r~3>aK~pOt&@YFO_U{W2^KBrL>%jtoEqJ=b5oZ*k7)ZSLWpdkmOJ zT2Wx)X(wl)3AI{(nHBQzc=A7wBh$v*iva(K(V_gn1Hx|@^@TfMFHpMA5$~D^YhL

Kd{Y222iP3vO-d3Hc;S=tkwDco<4=`Yq#?ila|o_Y?45B2#WkSEVpPz41q}I~;TR-4`EiPXu?&t5<1;J?cro9!9?1tMSibn@4SXzuj>R zMx$L;>$%^Hhjs$!qkOn<;s>89XE4If=1hlZTpy7#36h6UrmVaI%S#nnGTSg#Csd~b zpB-qDlY1Gxcf7rSTrOl$Il%iqc0r7xOxq{fZHuC}L($TN0M8I(?n{=Ixz_$B<*u9d z+YdOKHV8gF?7_-jql!s(Y=YPg-V@Ko%hwVy34|Y^?Y)tzVJM%Yt~fe<$Cc0x`YTNS zl{{CF-_ktS$)46v$?KEcL1JB(H@WhGcDwHyH(w{a2bSBIZN`QF;XoW&(aiGe%v_S~ z@s$KaO>_bgytey~m4n!!kr!I);5D8si3R(M9#Lg-s_~o4_E%5O>@k{=b!9%r;&S9A zg^R+sJ`2jm5+!T`bzE%R7A-j`eg~Qg+b`amXW09k#ojgR6S4nlcw>XYmy&n`Kq&3q ztp5_Qm#ZMG308@y(c{DDi>HzBQbBWXOB`UOiaqvheM5!}`!{BlGuh|YyPnu^gB~4s zq~<@_^i2r+1fxq!`wE+tq*~1l6XC9|%65_C;)Xi{>px5T=>ybTxx@~f48&JP9*Iwe`+ z7s;b={%UtJ`Xq_rlJgmYjDL&-@1=n-@I&OEk%1 zB66AnNhY8qt0LoO_ORZpWijfH&iYj~rjnX;k7S1`F{YKm7+RGa{a8QpX&f@M#CB+S zLD5jEA%Y=erbjuG75h4U;0!39ar}0AZ4S)UbwFm|`#=)!OGEoBCoxs`%aHEn(>{70 z1vs;Skh|1NO5%Z%DaTMA~QiMOYqZ>sr&$?oIESbgeTe8dB@M6Wl6xmmoLuGpycz4Ph45N+Sv1ftWEu zVWCMtxN3XFm^umHKKQA_I=UrwkNXhPr+pwqrN_yffz0kU%YCpoE5v#-hr7JXMS5u< z;HWa#8<)zQOQ1~@ygRwpb|Ek$k3@;wsI3py{l7Fgibx~y6w)G6jN>1a784l=Bti!Q zvHeN5|2yo+{76yGe?dzBtv_KzhBMwm5+fNo|ECu42Y!`E`QN51VWbG4MG`HB^aa$x zY{)8rhvVPSJP5?{@4Y`86LJd>