From 38aa91e9fa93731342dd0069ceefd587317afc92 Mon Sep 17 00:00:00 2001
From: melinoix
Date: Tue, 24 Sep 2024 16:20:01 +0200
Subject: [PATCH 1/7] added the toggle button on non assessable nodes front but no liaison backend
---
 frontend/messages/en.json | 4 ++-
 frontend/messages/fr.json | 4 ++-
 .../[id=uuid]/+page.svelte | 31 +++++++++++++++++--
 3 files changed, 35 insertions(+), 4 deletions(-)
diff --git a/frontend/messages/en.json b/frontend/messages/en.json
index 1e469a5ef..d72b3ff9d 100644
--- a/frontend/messages/en.json
+++ b/frontend/messages/en.json
@@ -739,5 +739,7 @@
 "nameDuplicate": "Name already exists",
 "noAnswer": "No answer",
 "successfullyUpdatedClientSettings": "Client settings successfully updated, please refresh the page.",
- "xRaysEmptyMessage": "You have to create at least one project to use X-rays."
+ "xRaysEmptyMessage": "You have to create at least one project to use X-rays.",
+ "ShowAllNodesMessage": "Show all nodes",
+ "ShowOnlyAssessable": "Only assessable nodes"
 }
diff --git a/frontend/messages/fr.json b/frontend/messages/fr.json
index adaf70cee..f3d49a504 100644
--- a/frontend/messages/fr.json
+++ b/frontend/messages/fr.json
@@ -672,5 +672,7 @@
 "owner": "Propriétaire",
 "waitingRiskAcceptances": "Bonjour ! Vous avez actuellement {number} risque{s} en attente d'acceptation. Vous pouvez les retrouver dans l'onglet risque.",
 "successfullyUpdatedClientSettings": "Paramètres du client mis à jour avec succès. Vous pouvez rafrachir la page.",
- "xRaysEmptyMessage": "Vous devez créer au moins un projet pour utiliser X-rays."
+ "xRaysEmptyMessage": "Vous devez créer au moins un projet pour utiliser X-rays.",
+ "ShowAllNodesMessage": "Tous les noeuds",
+ "ShowOnlyAssessable": "uniquement les nœuds évaluables"
 }
diff --git a/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/+page.svelte b/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/+page.svelte
index aad68ae6e..852de21f4 100644
--- a/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/+page.svelte +++ b/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/+page.svelte @@ -10,7 +10,7 @@ ToastStore, TreeViewNode } from '@skeletonlabs/skeleton'; - import { getModalStore, getToastStore, popup } from '@skeletonlabs/skeleton'; + import { getModalStore, getToastStore, popup, SlideToggle } from '@skeletonlabs/skeleton'; import type { PageData } from './$types'; import TreeViewItemContent from './TreeViewItemContent.svelte'; import TreeViewItemLead from './TreeViewItemLead.svelte'; @@ -174,6 +174,7 @@ }; modalStore.trigger(modal); } + let assessableNode = true;
@@ -353,11 +354,37 @@ {assessableNodesCount(treeViewNodes)} + +
+ {#if assessableNode} +

{m.ShowAllNodesMessage()}

+ {:else} +

{m.ShowAllNodesMessage()}

+ {/if} + (assessableNode = !assessableNode)} + > + {#if assessableNode} +

{m.ShowOnlyAssessable()}

+ {:else} +

{m.ShowOnlyAssessable()}

+ {/if} +
+

{m.mappingInferenceTip()}

- + {#if assessableNode} + + {:else} + + {/if}
{/if} From 08c7a21b5e62179fb8467199e0adefb5d3caaa94 Mon Sep 17 00:00:00 2001 From: melinoix Date: Wed, 25 Sep 2024 16:50:28 +0200 Subject: [PATCH 2/7] changed the tree view, connected the assessable nodes tree view --- .../TreeView/RecursiveTreeViewItem.svelte | 1 + .../[id=uuid]/+page.svelte | 34 +- .../[id=uuid]/TreeViewItemContent.svelte | 305 +++++++++--------- .../compliance-assessments/[id=uuid]/store.ts | 2 + 4 files changed, 179 insertions(+), 163 deletions(-) create mode 100644 frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/store.ts diff --git a/frontend/src/lib/components/TreeView/RecursiveTreeViewItem.svelte b/frontend/src/lib/components/TreeView/RecursiveTreeViewItem.svelte index 8fd463986..66c69e4f4 100644 --- a/frontend/src/lib/components/TreeView/RecursiveTreeViewItem.svelte +++ b/frontend/src/lib/components/TreeView/RecursiveTreeViewItem.svelte @@ -135,6 +135,7 @@ {#if nodes && nodes.length > 0} {#each nodes as node, i} { node.resultCounts = countResults(node); + const hasAssessableChildren = Object.keys(node.children || {}).length > 0; + const hidden = !(!$assessableNode || node.assessable || hasAssessableChildren); + return { id: id, content: TreeViewItemContent, - contentProps: { ...node, canEditRequirementAssessment }, + contentProps: { + ...node, + canEditRequirementAssessment, + hidden + }, lead: TreeViewItemLead, leadProps: { statusI18n: node.status_i18n, @@ -89,7 +98,7 @@ }; }); } - let treeViewNodes: TreeViewNode[] = transformToTreeView(Object.entries(tree)); + const treeViewNodes: TreeViewNode[] = transformToTreeView(Object.entries(tree)); function assessableNodesCount(nodes: TreeViewNode[]): number { let count = 0; @@ -174,7 +183,6 @@ }; modalStore.trigger(modal); } - let assessableNode = true;
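Review bot: `hidden` is evaluated once, inside `transformToTreeView` as it runs for the `const treeViewNodes = …` initialiser, so it holds the store value from page load and nothing visible in these hunks recomputes it when the toggle changes `$assessableNode`. The flag it depends on is also misnamed: `Object.keys(node.children || {}).length > 0` is true for any child, so a non-assessable node whose descendants are all non-assessable still counts as visible. I would make the list reactive and pass the flag in as an argument, `$: treeViewNodes = transformToTreeView(Object.entries(tree), $assessableNode);`, and derive the child test from the children's `assessable` values rather than from their count. `transformToTreeView` begins outside the hunk, so how `hidden` is consumed downstream is not visible here.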
@@ -356,7 +364,7 @@
- {#if assessableNode} + {#if $assessableNode}

{m.ShowAllNodesMessage()}

{:else}

{m.ShowAllNodesMessage()}

@@ -366,10 +374,10 @@ class="flex flex-row items-center justify-center" active="bg-primary-500" background="bg-green-500" - bind:checked={assessableNode} - on:click={() => (assessableNode = !assessableNode)} + bind:checked={$assessableNode} + on:click={() => ($assessableNode = !$assessableNode)} > - {#if assessableNode} + {#if $assessableNode}

{m.ShowOnlyAssessable()}

{:else}

{m.ShowOnlyAssessable()}
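Review bot: The toggle has two writers for one value: `bind:checked={$assessableNode}` already stores the new state, and the `on:click` handler flips the same store again on the same interaction. Whether the two agree depends on event and update order inside `SlideToggle`, which is not visible here, so this is fragile even if it works today. Keep the binding and drop the handler, i.e. remove `on:click={() => ($assessableNode = !$assessableNode)}`. The component's opening tag starts outside the hunk.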

@@ -380,11 +388,13 @@

{m.mappingInferenceTip()}

- {#if assessableNode} - - {:else} - - {/if} + {#key $assessableNode} + + {/key}
{/if} diff --git a/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/TreeViewItemContent.svelte b/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/TreeViewItemContent.svelte index 292f849bf..feba8afea 100644 --- a/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/TreeViewItemContent.svelte +++ b/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/TreeViewItemContent.svelte @@ -7,6 +7,7 @@ import { displayScoreColor, formatScoreValue } from '$lib/utils/helpers'; import { safeTranslate } from '$lib/utils/i18n'; import type { z } from 'zod'; + import { assessableNode } from './store.ts'; export let ref_id: string; export let name: string; @@ -101,163 +102,165 @@ $: classesPercentText = (resultColor: string) => (resultColor === '#000000' ? 'text-white' : ''); -
-
-
-
- {#if assessable} - - {#if canEditRequirementAssessment} - - {#if title} - {title} - {/if} - {#if description} -

{description}

- {/if} -
- {:else} - - {#if title} - {title} - {/if} - {#if description} -

{description}

- {/if} -
- {/if} -
- {:else} -

- {#if title} - {title} - {/if} - {#if description} -

{description}

- {/if} -

- {/if} -
-
- {#if hasAssessableChildren} - {#each Object.entries(complianceStatusColorMap) as status} - {#if resultCounts[status[0]]} - - {resultCounts[status[0]]} - {safeTranslate(status[0])} - - {/if} - {/each} - {/if} -
-
- {#if (threats && threats.length > 0) || (reference_controls && reference_controls.length > 0)} -
{ - e.preventDefault(); - showInfo = !showInfo; - }} - on:keydown={(e) => { - if (e.key === 'Enter') { - e.preventDefault(); - showInfo = !showInfo; - } - }} - > - Learn more -
-
-
-

- - Suggested reference controls -

- {#if reference_controls?.length === 0} -

--

- {:else if reference_controls} - + {#if description} +

{description}

+ {/if} +
+ {:else} + + {#if title} + {title} + {/if} + {#if description} +

{description}

+ {/if} +
+ {/if} + + {:else} +

+ {#if title} + {title} + {/if} + {#if description} +

{description}

+ {/if} +

{/if}
-
-

- - Threats covered -

- {#if threats?.length === 0} -

--

- {:else if threats} -
    - {#each threats as threat} -
  • - {#if threat.id} - - {threat.name} - - {:else} -

    {threat.name}

    - {/if} -
  • - {/each} -
+
+ {#if hasAssessableChildren} + {#each Object.entries(complianceStatusColorMap) as status} + {#if resultCounts[status[0]]} + + {resultCounts[status[0]]} + {safeTranslate(status[0])} + + {/if} + {/each} {/if}
- {/if} -
- {#if hasAssessableChildren} -
-
- {#each orderedResultPercentages as rp} -
- {rp.percentage.display}% + {#if (threats && threats.length > 0) || (reference_controls && reference_controls.length > 0)} +
{ + e.preventDefault(); + showInfo = !showInfo; + }} + on:keydown={(e) => { + if (e.key === 'Enter') { + e.preventDefault(); + showInfo = !showInfo; + } + }} + > + Learn more +
+
+
+

+ + Suggested reference controls +

+ {#if reference_controls?.length === 0} +

--

+ {:else if reference_controls} +
    + {#each reference_controls as func} +
  • + {#if func.id} + + {func.name} + + {:else} +

    {func.name}

    + {/if} +
  • + {/each} +
+ {/if}
- {/each} -
- {#if nodeScore() >= 0} - - {nodeScore()} - +
+

+ + Threats covered +

+ {#if threats?.length === 0} +

--

+ {:else if threats} +
    + {#each threats as threat} +
  • + {#if threat.id} + + {threat.name} + + {:else} +

    {threat.name}

    + {/if} +
  • + {/each} +
+ {/if} +
+
{/if}
- {/if} -
+ {#if hasAssessableChildren} +
+
+ {#each orderedResultPercentages as rp} +
+ {rp.percentage.display}% +
+ {/each} +
+ {#if nodeScore() >= 0} + + {nodeScore()} + + {/if} +
+ {/if} +
+{/if} diff --git a/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/store.ts b/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/store.ts new file mode 100644 index 000000000..6c38487b1 --- /dev/null +++ b/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/store.ts @@ -0,0 +1,2 @@ +import { writable } from 'svelte/store'; +export const assessableNode = writable(true); From fa4939d61a1b4735dc4abeb8d52f8fb6f3705f84 Mon Sep 17 00:00:00 2001 From: Nassim Tabchiche Date: Fri, 27 Sep 2024 21:00:04 +0200 Subject: [PATCH 3/7] Rename assessableNode store to displayAssessableNodes --- .../compliance-assessments/[id=uuid]/+page.svelte | 14 +++++++------- .../[id=uuid]/TreeViewItemContent.svelte | 4 ++-- .../compliance-assessments/[id=uuid]/store.ts | 2 +- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/+page.svelte b/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/+page.svelte index 8602c2e2b..e12040ccf 100644 --- a/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/+page.svelte +++ b/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/+page.svelte @@ -2,7 +2,7 @@ import { page } from '$app/stores'; import RecursiveTreeView from '$lib/components/TreeView/RecursiveTreeView.svelte'; import { breadcrumbObject } from '$lib/utils/stores'; - import { assessableNode } from './store.ts'; + import { displayOnlyAssessableNodes } from './store'; import type { ModalComponent, @@ -73,7 +73,7 @@ return nodes.map(([id, node]) => { node.resultCounts = countResults(node); const hasAssessableChildren = Object.keys(node.children || {}).length > 0; - const hidden = !(!$assessableNode || node.assessable || hasAssessableChildren); + const hidden = !(!$displayOnlyAssessableNodes || node.assessable || hasAssessableChildren); return { id: id, @@ -364,7 +364,7 @@
- {#if $assessableNode} + {#if $displayOnlyAssessableNodes}

{m.ShowAllNodesMessage()}

{:else}

{m.ShowAllNodesMessage()}

@@ -374,10 +374,10 @@ class="flex flex-row items-center justify-center" active="bg-primary-500" background="bg-green-500" - bind:checked={$assessableNode} - on:click={() => ($assessableNode = !$assessableNode)} + bind:checked={$displayOnlyAssessableNodes} + on:click={() => ($displayOnlyAssessableNodes = !$displayOnlyAssessableNodes)} > - {#if $assessableNode} + {#if $displayOnlyAssessableNodes}

{m.ShowOnlyAssessable()}

{:else}

{m.ShowOnlyAssessable()}

@@ -388,7 +388,7 @@

{m.mappingInferenceTip()}

- {#key $assessableNode} + {#key $displayOnlyAssessableNodes} (resultColor === '#000000' ? 'text-white' : ''); -{#if !$assessableNode || assessable || hasAssessableChildren} +{#if !$displayOnlyAssessableNodes || assessable || hasAssessableChildren}
diff --git a/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/store.ts b/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/store.ts index 6c38487b1..63631771f 100644 --- a/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/store.ts +++ b/frontend/src/routes/(app)/(third-party)/compliance-assessments/[id=uuid]/store.ts @@ -1,2 +1,2 @@ import { writable } from 'svelte/store'; -export const assessableNode = writable(true); +export const displayOnlyAssessableNodes = writable(false); From 3d2d6a73d3e2e2f001d088df61561c1fd75fe0c9 Mon Sep 17 00:00:00 2001 From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com> Date: Sat, 28 Sep 2024 03:06:50 +0200 Subject: [PATCH 4/7] fix delete library broken id should be uuid, not urn --- frontend/src/routes/(app)/(internal)/libraries/+page.svelte | 2 -- 1 file changed, 2 deletions(-) diff --git a/frontend/src/routes/(app)/(internal)/libraries/+page.svelte b/frontend/src/routes/(app)/(internal)/libraries/+page.svelte index e23bf7dd8..2c7a0ff75 100644 --- a/frontend/src/routes/(app)/(internal)/libraries/+page.svelte +++ b/frontend/src/routes/(app)/(internal)/libraries/+page.svelte @@ -35,7 +35,6 @@ @@ -45,7 +44,6 @@ Date: Fri, 27 Sep 2024 17:28:10 +0200 Subject: [PATCH 5/7] add CCF show typical evidence in frontend --- backend/library/libraries/ccf-v5.yaml | 9769 +++++++++++++++++ .../[id=uuid]/+page.svelte | 12 + .../[id=uuid]/edit/+page.svelte | 12 + tools/ccf/Open_Source_CCF.xlsx | Bin 0 -> 294969 bytes tools/ccf/ccf-v5.xlsx | Bin 0 -> 77500 bytes tools/ccf/convert_ccf.py | 143 + 6 files changed, 9936 insertions(+) create mode 100644 backend/library/libraries/ccf-v5.yaml create mode 100644 tools/ccf/Open_Source_CCF.xlsx create mode 100644 tools/ccf/ccf-v5.xlsx create mode 100644 tools/ccf/convert_ccf.py diff --git a/backend/library/libraries/ccf-v5.yaml b/backend/library/libraries/ccf-v5.yaml new file mode 100644 index 000000000..e7ce020eb --- /dev/null 
+++ b/backend/library/libraries/ccf-v5.yaml 
@@ -0,0 +1,9769 @@ +urn: urn:intuitem:risk:library:adobe-ccf-v5 +locale: en +ref_id: adobe-ccf-v5 +name: Adobe CCF v5 +description: 'Adobe Common Controls Framework (CCF) version 5 + + https://www.adobe.com/trust/compliance/adobe-ccf.html + + ' +copyright: Creative Commons +version: 1 +provider: Adobe +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:adobe-ccf-v5 + ref_id: adobe-ccf-v5 + name: Adobe CCF v5 + description: 'Adobe Common Controls Framework (CCF) version 5 + + https://www.adobe.com/trust/compliance/adobe-ccf.html + + ' + requirement_nodes: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + assessable: false + depth: 1 + name: Asset Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-01 + name: Inventory Management + description: Organization maintains an inventory of information systems, which + is reconciled on a periodic basis. + annotation: '1. Design and document a process for maintaining an inventory of + information systems for management of assets within an organization. + + 2. Perform inventory reconciliation on a periodic basis. + + 3. Create and maintain periodic reconciliation documentation.' + typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-02 - Asset Inventory + + E-AM-03 - Asset Reconciliation Records' + question: + question_type: unique_choice + question_choices: &id001 + - 'Yes' + - 'No' + - N/A + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-01:question:1 + text: 1. Inspect the policy and standard to determine whether requirements + for maintaining and reconciling a system of inventory for information + systems are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-01:question:2 + text: 2. Observe the inventory of system devices to determine whether the + organization maintains the inventory in a system of record. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-01:question:3 + text: 3. Inspect periodic reconciliation documentation to determine whether + reconciliation was performed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-02 + name: 'Inventory Management: Applications' + description: Organization maintains an inventory of application assets, which + is reconciled on a periodic basis. + annotation: '1. Design and document a process for maintaining an inventory of + application assets for management of assets within an organization. + + 2. Perform inventory reconciliation on a periodic basis. + + 3. Create and maintain periodic reconciliation documentation.' + typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-02 - Asset Inventory + + E-AM-03 - Asset Reconciliation Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-02:question:1 + text: 1. Inspect the policy and standard to determine whether requirements + for maintaining and reconciling a system of inventory for application + assets are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-02:question:2 + text: 2. Observe the inventory of system devices to determine whether the + organization maintains the inventory in a system of record. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-02:question:3 + text: 3. Inspect periodic reconciliation documentation to determine whether + reconciliation was performed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-03 + name: 'Inventory Reconciliation: ARP Table' + description: Organization reconciles network discovery scans against the established + device inventory on a quarterly basis; non-inventoried devices are assigned + an owner. 
+ annotation: '1. Design and document a process for conducting network discovery + scans on a periodic basis. + + 2. Ensure the results of the scans are reconciled with the system asset inventory + at least quarterly. + + 3. Ensure necessary actions are taken to include non-inventoried assets in + the inventory with appropriate ownership details.' + typical_evidence: 'E-AM-04 - Network Discovery Scan Records + + E-AM-03 - Asset Reconciliation Records + + E-AM-02 - Asset Inventory' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-03:question:1 + text: '1. Inspect network discovery scans result to ensure periodic scans + were conducted. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-03:question:2 + text: 2. Observe the reconciliation report of network discovery scans against + the established device inventory to determine that the inventories are + reconciled on a quarterly basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-03:question:3 + text: 3. Inspect the device inventory to ensure non-inventoried devices + have been added and have a designed owner. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-04 + name: 'Inventory Reconciliation: Logging' + description: Organization reconciles the enterprise log repository against the + established device inventory on a quarterly basis; non-inventoried devices + are assigned an owner. + annotation: '1. Ensure logs from enterprise logging solutions are reconciled + with the system device asset inventory on a quarterly basis. + + 2. 
Ensure necessary actions are taken to include non-inventoried assets in + the inventory with appropriate ownership details' + typical_evidence: 'E-AM-03 - Asset Reconciliation Records + + E-AM-02 - Asset Inventory' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-04:question:1 + text: 1. Inspect the reconciliation report of enterprise log repository + against the established device inventory to determine that the inventories + are reconciled on a quarterly basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-04:question:2 + text: 2. Inspect the non-inventoried devices to determine that the assets + have a designed owner. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-05 + name: Inventory Labels + description: Organization assets are labeled and have designated owners. + annotation: '1. Ensure all assets in the system device asset inventory are assigned + appropriate labels as per the organization''s labelling procedures. + + 2. Ensure each asset has an assigned owner and accuracy is maintained.' + typical_evidence: 'E-AM-02 - Asset Inventory + + E-AM-01 - Asset Management Policy' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-05:question:1 + text: 1. Inspect documentation to determine whether requirements for asset + labelling ownership assessment are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-05:question:2 + text: 2. Inspect the asset listings to determine whether the assets are + labelled and have a designated owner. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-05:question:3 + text: 3. For a sample of services, inspect the asset reports to determine + asset are labelled and have a designated owner. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-05:question:4 + text: 4. Observe and compare physical assets at an organization's data center + to determine whether the assets were labelled according to in-scope asset + listings. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-06 + name: Media Marking + description: Where applicable, Organization marks information system media indicating + the distribution limitations, handling caveats, and applicable security markings + (if any) of the information. Exemptions must be approved by management and + remain in a specific controlled area. + annotation: '1. Ensure that a process is established and documented for media + marking and handling, including distribution limitation. + + 2. Ensure that sensitive information containing media is marked as per the + organization''s media marking requirements as applicable. + + 3. Ensure that any exceptions are approved by management, documented and retained + by authorized personnel.' + typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-05 - Evidence of Media Snapshots' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-06:question:1 + text: 1. Inspect information system media marking to indicate the distribution + limitations, handling caveats, and applicable security markings (if any) + of the information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-06:question:2 + text: 2. Inspect exemption cases to validate that it must be approved by + management and remain in a specific area. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-07 + name: Asset Transportation Authorization + description: Organization authorizes and records the entry and exit of systems + at datacenter locations. + annotation: '1. Ensure a process is established and documented to control the + transport of assets in and out of data center locations. + + 2. Ensure appropriate records and approvals are obtained and maintained against + entry and exit of each asset.' + typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-06 - Asset Movement Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-07:question:1 + text: 1. Inspect the policy and/or standard to determine whether requirements + have been established to authorize and record the entry and exit of systems + at datacenter locations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-07:question:2 + text: 2. Inspect evidence of asset movement from a sample of data centers + and colocations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-08 + name: Asset Transportation Documentation + description: Organization documents the transportation of physical media outside + of datacenters. Physical media is packaged securely and transported in a secure, + traceable manner. + annotation: '1. Ensure appropriate records and approvals are obtained and documented + against entry and exit of each asset. + + 2. Ensure all assets being transported are secured as per the organization''s + policy and can be tracked when offsite.' 
+ typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-06 - Asset Movement Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-08:question:1 + text: 1. Inspect the policy and/or standard to determine whether the transportation + of physical media outside of datacenters are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-08:question:2 + text: 2. Inspect the logs of physical media evidence that have been transported + to determine that physical media is packed securely and transported in + a secure, traceable manner. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-09 + name: Use of Portable Media + description: The use of portable media in Organization datacenters is prohibited + unless explicitly authorized by management. + annotation: '1. Ensure policy and procedures are established and communicated + prohibiting the use of portable media. + + 2. Ensure necessary controls are in place to detect the usage of portable + media inside the organization''s network. + + 3. Ensure any exceptions are documented based on business justification and + need and are approved appropriately.' + typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-07 - Portable Media Configuration Evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-09:question:1 + text: 1. Inspect the policy and/or standard to determine that the use of + portable media in the datacenters is prohibited unless explicitly authorized + by management. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-09:question:2 + text: 2. Inspect Configurations to detect the use of portable media. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-10 + name: Maintenance of Assets + description: Equipment maintenance is documented and approved according to management + requirements. + annotation: '1. Ensure a process is established and documented for maintenance + of assets. + + 2. Ensure all maintenance is approved by the management and is carried out + through approved vendors. + + 3. Ensure proper testing of equipment is conducted post maintenance before + use.' + typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-08 - Asset Maintenance Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-10:question:1 + text: 1. Inspect the policy and/or standard to determine whether management + requirements have been established for the documentation and approval + of equipment maintenance. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-10:question:2 + text: 2. Inspect equipment maintenance requests to determine whether equipment + maintenance is documented and approved according to management requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-11 + name: Tampering of Payment Card Capture Devices + description: Devices that physically capture payment card data are inspected + for evidence of tampering on a semi-annual basis. + annotation: '1. Ensure all payment card devices are inspected on semiannual + basis to check for tampering. + + 2. 
Ensure that appropriate documentation is maintained regarding maintenance + activities of these devices' + typical_evidence: E-AM-09 - Payment Card Device Verification Records + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-11:question:1 + text: 1. Inspect devices verification records for tampering check. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-11:question:2 + text: 2. Inspect and validate whether these verification were done at least + semi-annually. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-12 + name: 'Component Installation: Inspection and Approval' + description: Prior to installation in a production network, hardware components + are inspected for improper or unauthorized modifications. + annotation: '1. Ensure a process is established and documented for approval + of hardware prior to installation on production. + + 2. Ensure each asset is inspected with agreed on procedures before being enabled + on production.' + typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-10 - Hardware Installation Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-12:question:1 + text: 1. Validate if a process exists for the approval and verification + of hardware prior to production installation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-12:question:2 + text: 2. Inspect hardware components installation records in a production + network to determine that modifications were validated before installation. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node2 + ref_id: AM-13 + name: Software bill of Material + description: Organization maintains a comprehensive software bill of materials + annotation: '1. Ensure a Software bill of material is established. + + 2. Ensure that a process has been established and documented for the addition, + removal, and update of components from SBOM.' + typical_evidence: 'E-AM-01 - Asset Management Policy + + E-AM-11 - Software Bill of Materials' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-13:question:1 + text: 1. Inspect and validate that a Software bill of material is established. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:am-13:question:2 + text: 2. Validate that a process has been established and documented for + addition, removal, and update of components from SBOM. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16 + assessable: false + depth: 1 + name: Business Continuity + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16 + ref_id: BC-01 + name: Business Continuity Plan + description: Organization's business contingency plan is periodically reviewed, + approved by management and communicated to relevant team members. + annotation: '1. Design and document a process for Business Continuity and Disaster + Recovery. + + 2. Define steps for recovery with all roles and responsibilities in the Business + Continuity Plan. + + 3. Ensure that the Business Continuity Plan is approved by the process owners, + and is communicated to all the relevant team members.' 
+ typical_evidence: 'E-BC-01 - Business Continuity Policy + + E-BC-02 - Business Continuity Plan' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-01:question:1 + text: 1. Inspect and validate whether the Business Continuity and Disaster + Recovery Processes are designed and documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-01:question:2 + text: "2. Inspect Organization's Business Continuity Plan (\u201CBCP\u201D\ + ) to determine whether Organization has established recovery steps and\ + \ phases, recovery capabilities, and identified personnel responsible\ + \ to execute recovery procedures." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-01:question:3 + text: "3. Inspect the most recent version of Organization\u2019s BCP to\ + \ determine whether it is periodically reviewed and approved." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-01:question:4 + text: "4. Inspect the corporate intranet to determine whether Organization\u2019\ + s BCP is communicated to relevant team members." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16 + ref_id: BC-02 + name: 'Business Continuity Plan: Personal Health Information' + description: Organization's Business Contingency Plan addresses how to access + facilities and obtain data during an emergency. + annotation: 1. Ensure that steps to be followed in case of an emergency are + clearly mentioned in the Business Continuity Plan so that access to the facilities + and data is facilitated during an emergency. + typical_evidence: E-BC-02 - Business Continuity Plan + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-02:question:1 + text: 1. 
Inspect an organization's Business Contingency Plan to determine + whether Organization has addresses how to access facilities and obtain + data during an emergency. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16 + ref_id: BC-03 + name: 'Business Continuity Plan: Roles and Responsibilities' + description: Business contingency roles and responsibilities are assigned to + individuals and their contact information is communicated to authorized personnel. + annotation: '1. Check that roles and responsibilities are clearly defined in + the Business Continuity Plan. There should be proper demarcation of responsibilities + during each phase of the crisis. + + 2. Ensure that the contact information for all the stakeholders is defined + within Business Continuity Plan and should be up to date, documented, and + communicated to all authorized personnel. + + 3. Ensure that people with roles and responsibilities within Business Continuity + Plans are well aware of their responsibilities.' + typical_evidence: E-BC-02 - Business Continuity Plan + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-03:question:1 + text: 1. Inspect documentation consisting of business contingency roles + and responsibilities. . + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-03:question:2 + text: 2. Inspect whether the contact information of personnel with business + continuity responsibilities are documented within the Business Continuity + Plan. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-03:question:3 + text: 3. 
Inspect evidence to check whether roles and responsibilities are + communicated to all applicable stakeholders and audience + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16 + ref_id: BC-04 + name: Continuity Testing + description: "Organization performs business contingency and disaster recovery\ + \ tests on a periodic basis and ensures the following: \n\u2022 tests are\ + \ executed with relevant contingency teams\n\u2022 test results are documented\n\ + \u2022 corrective actions are taken for exceptions noted\n\u2022 plans are\ + \ updated based on results" + annotation: '1. Ensure that Business Continuity testing should be performed + on a periodic basis as per the organization policy. + + 2. The business continuity testing should emulate the Business Continuity + Plan and should check the coverage and efficiency of the plan. All the relevant + team preparedness should be assessed in this testing. + + 3. Ensure that the test results are documented, and any exceptions are noted + and appropriate corrective action is undertaken.' + typical_evidence: E-BC-03 - Business Continuity/Disaster Recovery Test Results + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-04:question:1 + text: 1. Inspect whether Business Continuity Testing was performed on a + periodic basis as per the organization's policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-04:question:2 + text: 2. Inspect the most recent BCP test and inspect DR tests results to + determine whether tests were executed and results were documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-04:question:3 + text: 3. Validate whether the results of the testing exercises were tracked + to remediation. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16 + ref_id: BC-05 + name: Business Impact Analysis + description: Organization identifies the business impact of relevant threats + to assets, infrastructure, and resources that support critical business functions. + Recovery objectives are established for critical business functions. + annotation: "1. Design and document a process for conducting Business Impact\ + \ Analysis to determine the criticality of business activities and associated\ + \ resource requirements.\n2. Ensure that BIA is conducted for all processes\ + \ and assets to identify criticality.\n3. Ensure that recovery objectives\ + \ are established for critical processes.\n " + typical_evidence: 'E-BC-01 - Business Continuity Policy + + E-BC-02 - Business Continuity Plan' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-05:question:1 + text: 1. Inspect and validate whether a documented process exists for conducting + Business Impact Analysis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-05:question:2 + text: 2. Inspect Business Impact Analysis to determine whether the threats + to assets, infrastructure, and resources are identified and the recovery + objectives are established. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node16 + ref_id: BC-06 + name: Capacity Forecasting + description: Budgets for infrastructure capacity are established based on analysis + of historical business activity and growth projections; purchases are made + against the established budget and plans are updated on a quarterly basis. + annotation: "1. 
Ensure that capacity forecasts are created based on the business\ + \ forecasts, growth projections and analysis of historic business activity.\n\ + \ \n2. Ensure that budget allocation is done for infrastructure and resources\ + \ basis Capacity forecasts." + typical_evidence: E-BC-05 - Capacity Planning Meeting Minutes + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-06:question:1 + text: 1. Inspect and validate whether capacity planning was done and forecasts + were created. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bc-06:question:2 + text: 2. Validate whether budgets were established and capacity forecasts + were taken into the account for the same. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23 + assessable: false + depth: 1 + name: Backup Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23 + ref_id: BM-01 + name: Backup Configuration + description: Organization configures redundant systems or performs periodic + backups of data to resume system operations in the event of a system failure. + annotation: '1. Ensure that Backup and Restoration process is established, documented + and communicated to all the relevant stakeholders. + + 2. Ensure that all the information systems have redundancy or should be backed + up periodically. Periodicity of the backup should be defined basis the criticality + of the information system and data. + + 3. Check the backup configuration for all the storage/database resources whether + on-prem or on cloud. + + 4. Ensure that alert are in place for backup failures and all backup failures + are handled appropriately.' 
+ typical_evidence: 'E-BM-01 - Backup Management Policy + + E-BM-07 - Backup Configuration Evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-01:question:1 + text: 1. Inspect documentation to determine whether requirements for the + configuration of redundant systems or performance of periodic backups + of data to resume system operations are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-01:question:2 + text: 2.Inspect redundancy or system backup configurations for production + systems to determine type, frequency, and storage of backups. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-01:question:3 + text: 3. Inspect sample alerts for failed backups and validate the remediation + steps. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23 + ref_id: BM-02 + name: Resilience Testing + description: Organization performs annual backup restoration or data replication + tests to confirm the reliability and integrity of system backups or recovery + operations. + annotation: "1. Ensure that the requirement for backup restoration testing is\ + \ defined and documented appropriately. \n2. Ensure that backup restoration\ + \ testing is performed on an annual basis and ensure that the integrity of\ + \ backup restores are maintained. " + typical_evidence: 'E-BM-01 - Backup Management Policy + + E-BM-02 - Backup Restoration Test Results' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-02:question:1 + text: 1. Inspect relevant documentation to determine whether requirements + for annual backup restoration or failover and failback tests have been + defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-02:question:2 + text: 2. 
Inspect annual backup restoration, or failover and failback tests + to determine whether Organization has tested the reliability and integrity + of system backups. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23 + ref_id: BM-03 + name: Backup Failure Review + description: Failed backup jobs are periodically reviewed and resolved in a + timely manner. + annotation: "1. Ensure that alert are sent to the system administrators in case\ + \ of backup failures.\n 2. All backup failures should be handled appropriately\ + \ and resolved in a timely manner." + typical_evidence: 'E-BM-03 - Evidence of Failed Backup Review + + E-BM-06 - Sample Alerts for Backup Failure' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-03:question:1 + text: 1. Inspect whether failed backup jobs are being reviewed periodically. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-03:question:2 + text: 2. Inspect alerts are configured to notify administrators if backup + fails. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-03:question:3 + text: 3. Inspect and validate the remediation process for failed backups. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23 + ref_id: BM-04 + name: Alternate Storage + description: Organization backups are securely stored in an alternate location + from source data. + annotation: '1. Ensure that the backups are stored in an alternate location + than the source data. + + 2. Ensure that access to the backups is restricted and backups are stored + securely.' + typical_evidence: E-BM-04 - Backup Configuration Evidence + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-04:question:1 + text: 1. 
Inspect whether backups are stored in a different location than + the source data. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-04:question:2 + text: 2. Inspect evidence showing that backups are secured and access in + restricted. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node23 + ref_id: BM-05 + name: Alternate Telecommunication + description: Alternate telecommunication service agreements have been established + to resume business when the primary service gets disrupted. Service agreements + contain priority of service provisions. + annotation: '1. Ensure that alternate telecommunication service agreements are + defined to resume business when the primary service gets disrupted. + + 2. The priority of the service provisions should be defined in the service + agreements.' + typical_evidence: E-BM-05 - Alternate Telecommunications Agreement + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-05:question:1 + text: 1. Inspect whether alternate telecommunication service agreements + are defined to resume business when the primary service gets disrupted. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:bm-05:question:2 + text: 2. Inspect documentation to determine that the Service agreements + contain priority of service provisions. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + assessable: false + depth: 1 + name: Configuration Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-01 + name: Baseline Configuration Standard + description: Organization ensures security hardening and baseline configuration + standards have been established according to industry standards and are reviewed + and updated periodically. + annotation: "1. 
Prepare and maintain Security hardening and Baseline configuration\ + \ standards shall be established.\n2. Configuration of systems (systems can\ + \ include AWS, Azure, GCP, and more) shall be configured with the baseline\ + \ configuration.\n3. Configure required permissions for the configuration\ + \ management server. \n4. Configuration of Security Groups, NACLs, and virtual\ + \ firewall appliances shall be in place.\n5. Configuration of VPC Firewall\ + \ Rules and virtual firewall appliances to allow traffic from the configuration\ + \ management server to the other system servers.\n6. All production systems\ + \ shall be able to demonstrate consistent system configurations via version\ + \ control number, last update date, settings, or other.\n7. Process shall\ + \ be established to ensure that latest version patch (hardened as per industry\ + \ practices) is applied wherever possible.\n8. Ensure that security hardening\ + \ and configuration baselines are monitored are flagged wherever deviation\ + \ is observed.\n9. Establish a process ensuring regular rule set reviews are\ + \ conducted by relevant teams for network devices." + typical_evidence: "Log Management - \nE-CFM-01 - Firewall standard\nE-CFM-02\ + \ - Configuration Management Standard\nE-CFM-03 - Periodic Rule review documentation\n\ + E-CFM-04 - System generated Latest patch versioning documentation\nE-CFM-05\ + \ - Configuration deviation samples" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:1 + text: 1. Validate whether Security hardening and Baseline configuration + standards are established. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:2 + text: 2. Inspect baseline configuration of systems (systems can include + AWS, Azure, GCP, and more) shall be configured with the baseline configuration. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:3 + text: '3. 
Validate whether the required permissions are present for the + configuration management server. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:4 + text: 4. Inspect Security Groups, NACLs, and virtual firewall appliances + configurations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:5 + text: 5. Validate whether VPC Firewall Rules and virtual firewall appliances + are configured to allow traffic from the configuration management server + to the other system servers. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:6 + text: '6. Inspect production systems to determine whether they demonstrate + consistent system configurations via version control #, last update date, + settings, or other.' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:7 + text: 7. For a sample of in scope servers validate whether latest version + patch (hardened as per industry practices) is applied wherever possible. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:8 + text: 8. Validate that security hardening and configuration baselines are + monitored are flagged wherever deviation is observed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-01:question:9 + text: 9. Validate that regular rule set reviews are conducted by relevant + teams for network devices. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-02 + name: Default "Deny-all" Settings + description: Where applicable, the information system default access configurations + are set to "deny-all." + annotation: '1. Prepare a list of in-scope network devices and production accounts + and ensure that default deny-all rules are configured + + 2. Ensure that deny-all rule precedes all other applied rules in terms of + priority.' 
+ typical_evidence: "E-AM-02 - \nE-CFM-03 - Periodic Rule review documentation" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-02:question:1 + text: 1. For a list of in-scope network devices and production accounts, + validate that default deny-all rules are configured + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-02:question:2 + text: 2. Validate that deny-all rule precedes all other applied rules in + terms of priority. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-03 + name: 'Remote Access: Prohibited Protocols and Commands' + description: Organization defines a listing of prohibited user commands and + prohibited protocols that can be used in a remote session. + annotation: 1. Prepare and maintain the listing of prohibited user commands + and prohibited protocols that can be used in a remote session. + typical_evidence: 'E-CFM-06 - Security hardening standard ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-03:question:1 + text: 1. Inspect security hardening standard to determine the listing of + prohibited user commands and prohibited protocols that can be used in + a remote session. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-04 + name: Data Execution Prevention + description: Organization ensures data execution prevention (DEP) security features + are enabled on production hosts to restrict code execution within memory. + annotation: '1. Ensure that configuration setting includes data execution prevention + (DEP) security features enabled on production hosts to restrict code execution + within memory. 
' + typical_evidence: 'E-CFM-02 - Configuration Management Standard + + E-CFM-03 - Periodic Rule review documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-04:question:1 + text: '1. Check configuration setting to ensure data execution prevention + (DEP) security features are enabled on production hosts to restrict code + execution within memory. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-05 + name: Client Run Time Technologies + description: Organization disables prohibited client run time technologies on + information systems. + annotation: 1. Establish a process to ensure no prohibited application/software + is installed on the machine. + typical_evidence: E-CFM-07 - Authorized application/software listing + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-05:question:1 + text: 1. Inspect Organization's software compliance dashboard, to ensure + no prohibited application/software is installed on the machine. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-06 + name: Prohibited Activity Monitoring + description: Organization information systems are configured to explicitly deny + a predefined list of activities. + annotation: '1. Prepare a list of activities that shall be denied on Information + Systems, e.g., removable media restriction. + + 2. Ensure that the denied activities are enforced on the Information systems. + + 3. Ensure that the logs are being maintained for monitoring. + + 4. The list shall be reviewed periodically.' 
+ typical_evidence: 'E-CFM-08 - List of denied activities on information systems + + E-CFM-09 - Review history documentation + + E-CFM-10 - Information systems activity logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-06:question:1 + text: 1. Validate whether a list is being maintained that has the activities + that shall be denied on Information Systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-06:question:2 + text: 2. Inspect the activity logs to validate whether the denied activities + are enforced and monitored on the Information systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-06:question:3 + text: 3. Validate whether the periodic review history documentation is present. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-07 + name: Configuration Checks + description: Organization uses mechanisms to detect deviations from baseline + configurations on production environments. + annotation: '1. Ensure that security hardening and configuration baselines are + being monitored for in-scope servers. + + 2. Deviations shall be generated for in-scope servers for which remediations + shall be tracked to closure. + + 3. Design a process for security hardening and configuration baselines checks + being accurate and updated at least annually.' + typical_evidence: 'E-CFM-11 - Security hardening and configuration baselines + checks review documentation + + E-CFM-05 - Configuration deviation samples' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-07:question:1 + text: 1. Validate that security hardening and configuration baselines are + being monitored for in-scope servers. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-07:question:2 + text: 2. 
Validate that deviations are being generated for in-scope servers + and remediations are tracked to closure. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-07:question:3 + text: 3. Validate that the security hardening and configuration baselines + checks are accurate and updated at least annually. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-08 + name: 'Configuration Check Reconciliation: Logging' + description: Organization reconciles the established device inventory against + the enterprise log repository on a quarterly basis; devices which do not forward + security configurations are remediated. + annotation: '1. Prepare an asset register to ensure asset life cycle is maintained + as per the defined policy and/or standard of asset management. + + 2. Establish a process through which the device configuration logs can be + fetched and reconciled with asset register quarterly. + + 3. Ensure that a process is established that tracks the deviations to remediation.' + typical_evidence: "E-AM-02 - Asset Inventory\nE-CFM-12 with E-AM-02 - \nE-CFM-05\ + \ - Configuration deviation samples" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-08:question:1 + text: 1. Inspects Organization asset register to ensure asset life cycle + is maintained as per the defined policy and/or standard of asset management. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-08:question:2 + text: 2. Validate whether the device configuration logs are being reconciled + with asset register quarterly. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-08:question:3 + text: 3. Validate for a sample of deviations whether the remediation is + done in a timely manner. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-09 + name: Time Clock Synchronization + description: Systems are configured to synchronize information system time clocks + based on International Atomic Time or Coordinated Universal Time (UTC). + annotation: '1. Ensure that the inventory includes all the ICT devices such + as firewalls, routers and servers. + + 2. Ensure that a process has been established to use only hardened images + for the servers. + + 3. Ensure that the NTP configuration (primary & secondary NTP servers) for + these devices is configured. + + 4. Ensure that the time sync is enabled and stratums are defined.' + typical_evidence: 'E-CFM-02 - Configuration Management Standard + + E-CFM-14 - Sample server configuration + + E-CFM-13 - NTP Server configuration + + E-CFM-15 - NTP server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-09:question:1 + text: 1. Obtain a list of in-scope ICT devices such as firewalls, routers + and servers. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-09:question:2 + text: 2. For servers, validate that security hardened images are used. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-09:question:3 + text: 3. Obtain the NTP configuration for a sample of devices and check + whether primary and secondary NTP servers are configured. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-09:question:4 + text: 4. Validate whether time sync is enabled and stratums are defined + and the time servers are working. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-10 + name: Time Clock Configuration Access + description: Access to modify time data is restricted to authorized personnel. + annotation: '1. 
Ensure that the ability to modify time data is restricted to + authorized personnel. + + 2. Ensure that access reviews of authorized users and all remediations are + appropriately tracked' + typical_evidence: 'E-CFM-16 - Logical Access Management Standard + + E-CFM-17 - Access Review Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-10:question:1 + text: '1. Obtain a list of all users who have the ability to modify time + data. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-10:question:2 + text: 2. Validate whether access reviews of these users were performed and + all remediations are appropriately tracked + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-11 + name: Default Device Passwords + description: Vendor-supplied default passwords are changed according to Organization + standards prior to device installation on the Organization network or immediately + after software or operating system installation. + annotation: '1. Ensure that the security hardening and configuration baseline + checks include enforcing disablement of default accounts. + + 2. Ensure that the security hardening and configuration baseline deviations + are being tracked to resolution' + typical_evidence: 'E-CFM-02 - Configuration Management Standard + + E-CFM-05 - Configuration deviation samples' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-11:question:1 + text: 1. Inspect security hardening and configuration baseline checks to + determine whether they are configured to enforce disabling of default + accounts. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-11:question:2 + text: 2. 
Validate that the security hardening and configuration baseline + deviations are being tracked to resolution. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-12 + name: Process Isolation + description: Organization implements only one primary function per server within + the production environment; the information system maintains a separate execution + domain for each executing process. + annotation: '1. Ensure that the security hardening and configuration baseline + checks include installing one primary function per server within the production + environment and the information system maintains a separate execution domain + for each executing process. + + 2. Ensure that the security hardening and configuration baseline deviations + are being tracked to resolution.' + typical_evidence: 'E-CFM-02 - Configuration Management Standard + + E-CFM-18 - Sample of server logs + + E-CFM-05 - Configuration deviation samples' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-12:question:1 + text: 1. Inspect security hardening and configuration baseline checks include + installing one primary function per server within the production environment + and the information system maintains a separate execution domain for each + executing process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-12:question:2 + text: 2. Validate that the security hardening and configuration baseline + deviations are being tracked to resolution. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-13 + name: Collaborative Devices + description: Where applicable, collaborative computing devices used at Organization + are configured to restrict remote activation and provide an explicit indication + that they are in use. + annotation: '1. In case of collaborative computing devices, ensure that an explicit + indication is documented confirming its use and requirement. + + 2. Ensure that the security hardening and configuration baseline checks are + configured to restrict remote activation on collaborative computing devices. + + 3. Ensure that the security hardening and configuration baseline deviations + are being tracked to resolution' + typical_evidence: 'E-CFM-02 - Configuration Management Standard + + E-CFM-19 - Sample of collaborative computing device logs + + E-CFM-05 - Configuration deviation samples' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-13:question:1 + text: 1. Validate whether the use of collaborative computing devices is + being flagged and justification of its use is documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-13:question:2 + text: 2. Inspect security hardening and configuration baseline checks to + determine whether collaborative computing devices are configured to restrict + remote activation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-13:question:3 + text: 3. 
Validate that the security hardening and configuration baseline + deviations are being tracked to resolution + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-14 + name: Software Installation + description: Installation of software or programs in the production environment + is approved by authorized personnel. + annotation: '1. Ensure Security hardening and Baseline configuration standards + includes process established to determine whether the installation of software + or programs in the production environment is approved by authorized personnel. + + 2. Prepare an authorized approval matrix for installation of software or programs + in the production environment.' + typical_evidence: "E-CFM-02 - \nE-CFM-20 - Authorized approval matrix" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-14:question:1 + text: 1. Inspect Security hardening and Baseline configuration standards + to ensure that the installation of software or programs in the production + environment is approved by authorized personnel is defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-14:question:2 + text: 2. Inspect the authorized approval matrix for installation of software + or programs in the production environment. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node29 + ref_id: CFM-15 + name: Job Schedules + description: "Schedule changes or the modifications of production jobs require:\n\ + \u2022 documented approval from authorized personnel\n\u2022 documented monitoring\ + \ details" + annotation: "1. Prepare, document, and periodically review Organization's change\ + \ management standard.\n2. 
Ensure that the change management process includes\ + \ tracking to determine whether schedule changes or the modifications of production\ + \ jobs require:\n\u2022 documented approval from authorized personnel\n\u2022\ + \ documented monitoring details" + typical_evidence: 'E-CFM-21 - Change Management Standard + + E-CFM-22 - Sample of change requests + + E-CFM-23 - Sample of documented approval on production job changes + + E-CFM-24 - Sample of documented change monitoring details' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-15:question:1 + text: 1. Obtain Organization's change management standard and validate whether + it is periodically reviewed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-15:question:2 + text: '2. For a sample of change tickets, inspect change management process + flow documentation (e.g., ticketing/tracking tools) to determine whether + schedule changes or the modifications of production jobs require:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-15:question:3 + text: "\u2022 documented approval from authorized personnel" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cfm-15:question:4 + text: "\u2022 documented monitoring details" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node45 + assessable: false + depth: 1 + name: Change Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node45 + ref_id: CHM-01 + name: Change Management Workflow + description: Change scope, change type, and roles and responsibilities are pre-established + and documented in a change control workflow; notification and approval requirements + are also pre-established based on risk associated with change scope and type. + annotation: "1. 
Ensure that the change management process is established and\ + \ well-documented, and should be approved by the management and communicated\ + \ to all the relevant stakeholders.\n2. Ensure that roles and responsibilities\ + \ are defined for each activity and change scope, that change type is predefined.\ + \ \n3. Ensure that the change workflow has a mandatory approval and notification\ + \ requirements incorporated based on risk and change type." + typical_evidence: 'E-CHM-01 - Change Management Policy + + E-CHM-03 - Change Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-01:question:1 + text: "1. Inspect Organization\u2019s policy to determine whether:" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-01:question:2 + text: a. Change scope, change type, and roles and responsibilities are pre-established. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-01:question:3 + text: b. Notification and approval requirements are pre-established based + on the risk associated with change scope and type. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-01:question:4 + text: 2. Inspect change management ticketing and tracking tools to determine + whether the change control workflow is defined in accordance with the + defined requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node45 + ref_id: CHM-02 + name: Change Approval + description: "Prior to introducing changes into the production environment,\ + \ approval from authorized personnel is required based on the following:\n\ + \u2022 change description\n\u2022 impact of change\n\u2022 test results\n\u2022\ + \ back-out plan" + annotation: '1. Ensure that all the changes to the production environment are + tracked in a Change Management tracking tool. All the change details should + be documented. 
Some of the mandatory details for each change are: + + a. Change Description + + b. Change Impact + + c. Test Details + + d. Roll-out and Roll-back Plan + + e. Change Approval + + f. Change date and time + + 2. All the changes in the production environment should be approved by the + authorized personnel prior to implementation. Make sure that the approver + is independent of the change requestor and change implementor. If not, check + that there a secondary approver to ensure segregation of duty is maintained. + + 3. Make sure that the deployment and change logs are retained as per organization''s + policy.' + typical_evidence: 'E-CHM-02 - Change Management Tool Configuration + + E-CHM-03 - Change Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:1 + text: '1. Inspect Change Management tracking tool to determine that requirements + prior to introducing changes into the production environment, approval + from appropriate personnel is documented including the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:2 + text: a. Change description + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:3 + text: b. Impact of change + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:4 + text: c. Test results + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:5 + text: d. Back-out procedures + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:6 + text: '2. For a sample of changes, inspect corresponding change tickets, + and verify if it includes the following information:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:7 + text: a. Change Description + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:8 + text: b. Impact of changes + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:9 + text: c. 
Roll back plan + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:10 + text: d. Evidence of successful testing documentation + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:11 + text: e. Approval of change prior to implementation + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:12 + text: 3. For the sampled changes, validate that the change was approved + by a person independent of the person who requested or made the change. + Alternatively, ensure that there is a second level of approval to ensure + that segregation of duties is being maintained. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-02:question:13 + text: 4. Inspect whether the change logs are retained as per the organization's + policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node45 + ref_id: CHM-03 + name: Segregation of Duties + description: 'Changes to the production environment are implemented by authorized + personnel. ' + annotation: "1. Ensure that the permission to implement changes to the production\ + \ is limited to few authorized personnels. \n2. Ensure that the change implementor\ + \ is not the change approver." + typical_evidence: 'E-CHM-02 - Change Management Tool Configuration + + E-CHM-03 - Change Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-03:question:1 + text: 1. Inspect Change Management tracking tool and for a sample of changes, + inspect that change tickets were launched and appropriately approved. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node45 + ref_id: CHM-04 + name: Communication of Maintenance and Downtime + description: Customer-impacting product and system changes are publicly communicated + on the company website. 
+ annotation: '1. Ensure that all the changes that impact the customers and customer + product or services should be communicated to the customers on the company + website. + + 2. In cases of any planned downtime due to a change, it should be communicated + to the customers in advance on the website.' + typical_evidence: E-CHM-04 - Company Website Link + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:chm-04:question:1 + text: 1. Inspect the company website to determine whether customer-impacting + product and system changes are publicly communicated. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node50 + assessable: false + depth: 1 + name: Customer Managed Security + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node50 + ref_id: CMS-01 + name: Customer Administrative Access + description: For products that enable customers to manage their end users, privileged + user roles exist with the capability to manage end user access to the relevant + applications. + annotation: '1. In cases where customers can manage the access of their end + users, ensure that ability to configure privileged user roles exist. + + 2. Ensure that the customer''s privileged user roles can manage end user access + to the relevant applications.' + typical_evidence: 'E-CMS-01 - Customer capabilities in access management console + + E-CMS-05 - Privileged User Roles capabilities' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-01:question:1 + text: 1. Validate whether the customers can configure privileged user roles. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-01:question:2 + text: 2. Inspect whether the customer defined privileged user roles can + manage end user access to relevant applications. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node50 + ref_id: CMS-02 + name: Customer Authentication + description: Authentication to organization customer-facing applications are performed + through secure log-on procedures. + annotation: 1. Ensure that authentication to organization customer-facing applications + are performed through secure log-on procedures. + typical_evidence: E-CMS-02 - Customer Authentication Standard + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-02:question:1 + text: 1. Inspect whether the authentication to organization customer-facing + applications are performed through secure log-on procedures. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node50 + ref_id: CMS-03 + name: Customer Systems Monitoring + description: As necessary, event logs are made available to customers. + annotation: '1. Establish a process for the customers to access event logs as + needed. ' + typical_evidence: E-CMS-03 - Customer Admin Console + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-03:question:1 + text: 1. Inspect the customer console to determine how the event logs are + made available to the customer. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node50 + ref_id: CMS-04 + name: Customer Security Engagements + description: "Organization supports customer-requested security inquiries, questionnaires,\ + \ and audits:\n\u2022 in accordance with customer contracts and agreements\n\ + \u2022 to facilitate due diligence prior to licensing organization products" + annotation: "1. 
Establish a documented process to support customer-requested\ + \ security inquiries, questionnaires, and audits:\n\u2022 in accordance with\ + \ customer contracts and agreements\n\u2022 to facilitate due diligence prior\ + \ to licensing organization products" + typical_evidence: 'E-CMS-02 - Customer Authentication Standard + + E-CMS-04 - Customer contracts and agreements' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-04:question:1 + text: '1. Validate whether a process in place to support customer-requested + security inquiries, questionnaires, and audits:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-04:question:2 + text: "\u2022 in accordance with customer contracts and agreements" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-04:question:3 + text: "\u2022 to facilitate due diligence prior to licensing organization\ + \ products" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cms-04:question:4 + text: 2. Inspect a sample customer inquiry, questionnaire, or audit. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + assessable: false + depth: 1 + name: Cryptography + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-01 + name: Encryption Key Maintenance + description: Cryptographic keys are invalidated when compromised or at the end + of their defined lifecycle period. + annotation: '1. Establish a process to ensure that organization approved key + storage solutions are used. + + 2. Ensure that access to the cryptographic key stores is limited to authorized + personnel. + + 3. Establish a process to periodically review the users access list for the + keys and document the confirmation that these are authorized users. + + 4. 
Establish a process to ensure that the keys are rotated during either of + the below events: + + a) Suspicion that the key has been compromised + + b) End of key life cycle + + 7. In case of termination or transfer of an individual with access to the + key, establish a process for access review and key rotation.' + typical_evidence: 'E-CRY-01 - List of approved key storage solutions + + E-CRY-02 - Periodic Access Review documentation + + E-CRY-03 - Sample of Key rotation evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:1 + text: 1. Inspect the process and location of where Encryption keys are stored. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:2 + text: 2. Obtain details of the process to ensure that access to the cryptographic + key stores is limited to authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:3 + text: 3. Review the users access list for the keys and confirmation that + these are authorized users. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:4 + text: '4. Obtain confirmation of key rotation at the occurence of either + of the below events during last quarter:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:5 + text: a) Suspicion that the key has been compromised + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:6 + text: b) End of key life cycle + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-01:question:7 + text: 7. For a sample of termination or transfer of an individual with access + to the key, and review the process of key rotation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-02 + name: Encryption Key Distribution + description: Organization prohibits the distribution of cryptographic keys in + clear text. 
+ annotation: 1. Ensure that the Key management policy hass a prohibition on the + distribution of cryptographic keys in clear text. + typical_evidence: E-CRY-04 - Key Management Standard + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-02:question:1 + text: 1. Inspect the Key management policy that shows that there is a prohibition + on the distribution of cryptographic keys in clear text. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-03 + name: Encryption Key Storage + description: Encryption keys are securely stored in an approved encryption platform. + annotation: '1. Ensure that key management standard includes management operations + using one of the listed options below, for encrypting and decrypting cardholder + data: + + -Key-encrypting key is at least as strong as the data-encrypting key and is + stored separately from the data-encrypting key + + -Stored within a cryptographic device + + -Keys are stored as at least two full-length key components or key shares' + typical_evidence: E-CRY-04 - Key Management Standard + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03:question:1 + text: '1. 
Inspect and review the key management standard, to ensure that + the management operations are using one of the listed options below, for + encrypting and decrypting cardholder data:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03:question:2 + text: -Key-encrypting key is at least as strong as the data-encrypting key + and is stored separately from the data-encrypting key + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03:question:3 + text: -Stored within a cryptographic device + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03:question:4 + text: -Keys are stored as at least two full-length key components or key + shares + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-03:question:5 + text: 2. Inspect the process and validate that one of the above methods + are being used to protect the keys. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-04 + name: Clear Text Key Management + description: If applicable, manual clear-text cryptographic key-management operations + must be managed using split knowledge and dual control. + annotation: '1. Ensure that the key management standard includes guidance on + management operations being managed using split knowledge and dual controls. + + 2. Establish a key custodian acknowledgement form. + + 3. Ensure that when split knowledge is in place, both key components are 2 + full keys, not 1 key split into 2 components.' + typical_evidence: 'E-CRY-04 - Key Management Standard + + E-CRY-05 - Sample key custodian acknowledgement form' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-04:question:1 + text: 1. Inspect and review the key management standard, to ensure that + the management operations are managed using split knowledge and dual controls. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-04:question:2 + text: 2. Observe and confirm a sample key custodian acknowledgement form. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-04:question:3 + text: 3. Inspect that if split knowledge is in place both key components + are 2 full keys, not 1 key split into 2 components. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-05 + name: Encryption of Data in Transit + description: Organization restricted data that is transmitted over public networks + is encrypted. + annotation: "1. Ensure that Organization\u2019s Data Classification and Handling\ + \ Standard and Data Encryption Standard includes requirements for encrypting\ + \ data at rest.\n2. Ensure that the data sent in transit is encrypted by performing\ + \ the following:\na. Latest TLS version and cipher suites usage over browser.\n\ + b. Use valid digital certificates by the endpoint.\nc. Period check by running\ + \ a Qualys provided SSL labs feature that scans and endpoint and enumerates\ + \ all ciphers and TLS versions permitted on an end point\n3. If the service\ + \ does not have public facing endpoints, ensure that the configuration of\ + \ the load balancer and corresponding Security group with details of TLS versions\ + \ allows and cipher suites allowed.\n4. Ensure that the expired SSL certificates\ + \ are identified and remediated." 
+ typical_evidence: 'E-CRY-06 - Data Classification and Handling Standard + + E-CRY-07 - Data Encryption Standard + + E-CRY-08 - Latest TLS Version evidence + + E-CRY-09 - Digital Certificates Validity + + E-CRY-10 - Qualys SSL Labs Scan Results + + E-CRY-11 - Load Balancer Configuration + + E-CRY-12 - Security Group Configuration + + E-CRY-13 - Remediation & Tracking of expired SSL' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:1 + text: "1. Inspect Organization\u2019s Data Classification and Handling Standard\ + \ and Data Encryption Standard to determine whether requirements for encrypting\ + \ data at rest were defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:2 + text: '2. Obtain the list of all public facing endpoints for the service. + Inspect each public facing endpoint to determine if data sent in transit + is encrypted by performing the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:3 + text: a. Inspecting the TLS version and cipher suites being used over browser. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:4 + text: b. Inspecting the validity of the digital certificates being used + by the endpoint. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:5 + text: c. Running a Qualys provided SSL labs feature that scans and endpoint + and enumerates all ciphers and TLS versions permitted on an end point + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:6 + text: 3. If the service does not have public facing endpoints, obtain configuration + of the load balancer and corresponding Security group with details of + TLS versions allows and cipher suites allowed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-05:question:7 + text: 4. Obtain the list of expired SSL certificates and validate whether. 
+ tracking and remediation of the expired SSL were performed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-06 + name: Encryption of Data at Rest + description: Organization restricted data at rest is encrypted. + annotation: "1. Ensure that Organization\u2019s Data Classification and Handling\ + \ Standard and Data Encryption Standard includes requirements for encrypting\ + \ data at rest.\n2. Where data at rest shall be encrypted as per Data Classification\ + \ and Handling Standard, ensure the following:\na. Ensure encryption is enabled\ + \ along with type of encryption algorithm being used as applicable (e.g. for\ + \ AWS S3 - AWS SSE-KMSetc., full disk encryption for on prem databases).\n\ + b. Ensure that only strong encryption algorithms mandated by Organization\ + \ Cryptography standard are in use where applicable.\nc. Establish a process\ + \ to periodically check the list of all cloud storage resources and determine\ + \ whether encryption was appropriately applied as applicable." + typical_evidence: 'E-CRY-06 - Data Classification and Handling Standard + + E-CRY-07 - Data Encryption Standard + + E-CRY-14 - Sample confirmation on databases/storage location list + + E-CRY-16 - List of cloud storage resources + + E-CRY-15 - Evidence of encryption enabled' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06:question:1 + text: "1. Inspect Organization\u2019s Data Classification and Handling Standard\ + \ and Cryptography Standard to determine whether requirements for encrypting\ + \ restricted data at rest have been defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06:question:2 + text: '2. Obtain confirmation from teams that storage of data is in place. 
+ For services storing restricted data at rest, obtain and inspect the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06:question:3 + text: a. List of all databases/storage locations (AWS/Azure Databases, On + prem databases, etc.) where data is stored at rest. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06:question:4 + text: b. For all the above locations, obtain evidence showing that encryption + is enabled along with the type of encryption algorithm being used as applicable + (e.g. for AWS S3 - AWS SSE-KMSetc., full disk encryption for on prem databases) + to ensure that only strong encryption algorithms mandated by Organization + Cryptography standard are in use where applicable. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-06:question:5 + text: c. Obtain the list of all cloud storage resources and determine whether + encryption was appropriately applied as applicable. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-07 + name: Approved Cryptographic Technology + description: Where applicable, strong industry standard cryptographic ciphers + and keys with an effective strength greater than 112 bits are required for + cryptographic security operations. + annotation: '1. Ensure that the encryption is enabled along with type of encryption + algorithm being used as applicable (e.g. for AWS S3 - AWS SSE-KMSetc., full + disk encryption for on prem databases). + + 2. Ensure that strong industry standard cryptographic ciphers and keys with + an effective strength greater than 112 bits are required for cryptographic + security operations.' + typical_evidence: 'E-CRY-06 - Data Classification and Handling Standard + + E-CRY-07 - Data Encryption Standard' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-07:question:1 + text: 1. 
Validate evidence showing that encryption is enabled along with + type of encryption algorithm being used as applicable (e.g. for AWS S3 + - AWS SSE-KMSetc., full disk encryption for on prem databases) to ensure + that only strong encryption algorithms mandated by Organization Cryptography + standard are in use where applicable. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-07:question:2 + text: 2. Validate whether the keys have a strength greater than 112 bits + for cryptographic security operations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-08 + name: Key Repository Access + description: Access to the cryptographic keystores is limited to authorized + personnel. + annotation: 1. Ensure that the access lists of the key repositories have authorized + users and reviewed periodically. + typical_evidence: E-CRY-17 - Access List of Key Repository + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-08:question:1 + text: 1. Inspect the access lists of the key repositories and ensure that + the users listed are authorized and reviewed previously. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-09 + name: Key Store Review + description: Management reviews and authorizes key store locations. + annotation: '1. Establish a process to review key management services to ensure + that they are still authorized key stores. + + 2. The list of authorized key stores shall be reviewed periodically.' + typical_evidence: E-CRY-18 - Review history of authorized key stores list + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-09:question:1 + text: 1. 
Inspect and review key management services to ensure that they + are still authorized key stores. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-09:question:2 + text: 2. Review the list of authorized key stores and their last date of + review. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-10 + name: Full Disk Encryption Access + description: Where full disk encryption is used, logical access must be managed + independently of operating system authentication; decryption keys must not + be associated with user accounts. + annotation: '1. Ensure that the decryption keys are stored in a Trusted Platform + Module (TPM). + + 2. Ensure that the decryption keys are not stored as plain text in insecure + storage locations.' + typical_evidence: 'E-CRY-19 - Process documentation for Decryption key storage + + ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-10:question:1 + text: 1. Confirm that the decryption keys are stored in a Trusted Platform + Module (TPM). + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-10:question:2 + text: 2. Confirm that the decryption keys are not stored as plain text in + insecure storage locations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-11 + name: Key Custodians Agreement + description: "Cryptographic Key Custodians\_and\_Cryptographic Materials Custodians\ + \ (CMC) acknowledge in writing or electronically that they understand and\ + \ accept their cryptographic-key-custodian responsibilities." + annotation: 1. Ensure that Key Custodian Acknowledgements are signed by cryptographic + key custodians, which will provide assurance of appropriate acknowledgement + to the key custodian responsibilities. 
+ typical_evidence: E-CRY-20 - Sample of signed Key Custodian Acknowledgements + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-11:question:1 + text: 1. Obtain and inspect a sample of signed Key Custodian Acknowledgements + to validate that cryptographic key custodians have appropriately acknowledged + their key custodian responsibilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-12 + name: Approved Certificate Authorities + description: Organization restricts the use of digital certificates to those + that are signed by approved certificate authorities; a certification path + to an accepted trust anchor is established. + annotation: 1. Establish a process for executing periodic SSL tests to ensure + that only digital certificates that are signed by approved certificate authorities + are accepted. + typical_evidence: E-CRY-21 - Sample of SSL Test results + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-12:question:1 + text: 1. Observe a sample of servers and review their SSL test. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-12:question:2 + text: 2. Observe the SSL test and confirm that only digital certificates + that are signed by approved certificate authorities are accepted. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-13 + name: 'Installation of Software: Certificate Verification' + description: Digital Certificates are verified by information system components + prior to installation on the production network. + annotation: 1. 
Establish a process for executing periodic SSL tests and configuration + files to ensure that digital certificates are verified prior to installation + on production networks. + typical_evidence: 'E-CRY-21 - Sample of SSL Test results + + E-CRY-22 - SSL Configuration Files' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-13:question:1 + text: 1. Observe a sample of servers and review their SSL test. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-13:question:2 + text: 2. Observe the SSL test and configuration files and ensure that digital + certificates are verified prior to installation on production networks. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-14 + name: Public Key Infrastructure-based Authentication + description: Information systems are configured to follow an established certification + path to an accepted trust anchor; in the case of network failure, a local + cache of revocation data is maintained to support validation. + annotation: 1. Establish a process for executing periodic SSL tests to ensure + that the identified Certificate authority is authorized to act as a trust + anchor. + typical_evidence: E-CRY-21 - Sample of SSL Test results + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-14:question:1 + text: 1. Observe a sample of servers and domains and review their SSL test. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-14:question:2 + text: 2. Observe the Certificate authority and ensure that it is an authorized + to act as a trust anchor. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node55 + ref_id: CRY-15 + name: Software Signing + description: "Organization uses a software signing infrastructure to restrict\ + \ access to organization\u2019s code signing private keys used to sign organization\ + \ authorized software builds." + annotation: '1. Ensure that a process is defined and documented for software + signing. + + 2. Ensure that the private keys used for software signing are accessible only + to a restricted set of personnel.' + typical_evidence: 'E-CRY-23 - Software Development Lifecycle Policy + + + E-CRY-24 - Configuration evidence for accessing software signing keys' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-15:question:1 + text: 1. Inspect and validate that a process is defined and documented for + software signing. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-15:question:2 + text: 2. Validate whether the private keys used for software signing are + accessible only to a restricted set of personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:cry-15:question:3 + text: 3. Validate that periodic access reviews are performed for these keys. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + assessable: false + depth: 1 + name: Data Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-01 + name: Data Classification Criteria + description: Organization's data classification criteria are periodically reviewed, + approved by management, and communicated to authorized personnel; the data + security management team determines the treatment of data according to its + designated data classification level. + annotation: '1. 
Ensure that a Data Classification Criteria is defined and documented. + + 2. Ensure that this criteria is reviewed and approved periodically and appropriate + documentation for the review is retained. + + 3. Ensure that a process is defined and implemented to ensure data is treated + according to its data classification level. ' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-02 - Periodic Review Records + + E-DM-03 - ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-01:question:1 + text: "1. Inspect Organization's policy and/or standard to determine whether\ + \ Organization\u2019s data classification criteria is defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-01:question:2 + text: 2. Inspect whether the criteria is periodically reviewed and approved + by the management. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-01:question:3 + text: 3. Validate using sample testing that data is categorized and treated + according to its data classification level and defined controls. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-02 + name: Data Inventory + description: Organization should identify, label and classify Data based on + the Data Classification Criteria. + annotation: '1. Ensure that a process for identifying data is defined and documented + in the organization. + + 2. Ensure that the data is labelled and classified as per the Data Classification + criteria.' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-03 - ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-02:question:1 + text: 1. Inspect and validate in the Organization's policy and/or standard + whether a process for identifying data is defined in the organization. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-02:question:2 + text: 2. Validate for a sample of data, that it is labelled and classified + as per the Data Classification criteria. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-03 + name: Terms of Service + description: Consent is obtained for Organization's Terms of Service (ToS) prior + to collecting personal information and when the ToS is updated. + annotation: '1. Ensure that organizations Terms of Service are defined and documented. + + 2. Ensure that a process is defined for updating the Terms of Service which + includes recapturing of consent. + + 3. Ensure that the consent is taken for the Terms of Service prior to collecting + personal information.' + typical_evidence: 'E-DM-04 - Terms of Service + + E-DM-05 - Consent Records + + E-DM-06 - Terms of Service Update Process' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-03:question:1 + text: 1. Inspect and validate whether Terms of Service are defined and documented + for the organization. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-03:question:2 + text: 2. Inspect whether the Terms of Service are updated periodically and + ensure that consent is recaptured after updates. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-03:question:3 + text: 3. For sample of customers validate whether consent was obtained before + collection of personal information. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-04 + name: Personal Information Access Requests + description: In accordance with Organization policy, upon request, authenticated + individuals are provided with a copy of their personal information or disclosures + of their personal information in an understandable form and within the defined + timeframe. + annotation: '1. Ensure that a process is defined, documented, and communicated + for requesting a copy of personal information. + + 2. Ensure that on request a copy of personal information is provided to authenticated + individuals as per the policy. + + 3. Ensure that the information is provided in an understandable form and in + a timely manner as per the policy' + typical_evidence: 'E-PRIV-01 - Privacy Policy + + E-DM-07 - Data Access Request Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-04:question:1 + text: 1. Inspect and validate whether a documented process is defined, and + communicated for requesting a copy of personal information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-04:question:2 + text: 2. Validate whether on request a copy of personal information was + provided to authenticated individuals. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-04:question:3 + text: 3. Validate that the information was provided in an understandable + form and in a timely manner. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-05 + name: Personal Information Deletion Requests + description: In accordance with Organization policy, Organization processes + requests for the deletion of personal information. + annotation: '1. 
Ensure that a process is defined, documented, and communicated + for requesting deletion of personal information. + + 2. Ensure that on request personal information is deleted as per the policy.' + typical_evidence: 'E-PRIV-01 - Privacy Policy + + E-DM-08 - Data Deletion Request Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-05:question:1 + text: 1. Inspect and validate whether a documented process is defined, and + communicated for requesting deletion of personal information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-05:question:2 + text: 2. Validate whether on request personal information was deleted as + per organization's policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-06 + name: External Privacy Inquiries + description: In compliance with Organization policy, Organization reviews privacy-related + inquiries, complaints, and disputes. + annotation: '1. Ensure that a process is defined, documented and communicated + for review of privacy-related inquiries, complaints, and disputes. + + 2. Ensure that these inquiries, complaints, and disputes are addressed in + a timely and well communicated manner.' + typical_evidence: 'E-PRIV-01 - Privacy Policy + + E-DM-09 - Privacy inquiry Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-06:question:1 + text: 1. Inspect and validate whether a documented process is defined, and + communicated for review of privacy-related inquiries, complaints, and + disputes. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-06:question:2 + text: 2. Validate for a sample whether these inquiries, complaints, and + disputes are addressed in a timely and well communicated manner. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-07 + name: Test Data Sanitization + description: Restricted data is redacted prior to use in a non-production environment. + annotation: '1. Ensure that a process is defined, documented, and communicated + for redacting or not using production data in test environments. + + 2. Ensure that sufficient tools and processes exists for creation of dummy + test data for testing purposes.' + typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy + + E-DM-10 - Sample Test Data' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-07:question:1 + text: 1. Inspect and validate whether a documented process is defined, and + communicated for redacting or not using production data in test environments. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-07:question:2 + text: 2. Validate for a sample, whether any production data is used in test + environments. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-07:question:3 + text: 3. Validate how test data is generated and used for testing. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-08 + name: Personal Information Updates + description: Organization allows authenticated users to review and update their + personal information. + annotation: '1. Ensure that a process is defined, documented, and communicated + regarding access and update to personal information. + + 2. Ensure that appropriate justifications are provided for any denied access + or update requests. + + 3. Ensure that a process is defined, documented, and communicated for appealing + the denial of access or update request.' 
+ typical_evidence: 'E-DM-11 - Access or update process document + + E-DM-12 - Personal information access/update request records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-08:question:1 + text: 1. Inspect and validate whether a documented process exists regarding + access and update to personal information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-08:question:2 + text: 2. Validate that for any denied access or update requests, appropriate + justifications were provided. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-08:question:3 + text: 3. Inspect and validate whether a documented process exists for appealing + the denial of access or update request. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-08:question:4 + text: 4. Ensure that the access or update request process is well communicated. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-09 + name: Credit Card Data Restrictions + description: Organization does not store full track credit card data, credit + card authentication information, credit card verification code, or credit + personal identification number (PIN) which Organization processes for payment. + annotation: '1. Ensure that a process is defined and documented for redaction + of credit card data. + + 2. Ensure that the organization does not store full track credit card data, + credit card authentication information, credit card verification code, or + personal identification number (PIN).' + typical_evidence: E-DM-13 - Database Screenshots + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-09:question:1 + text: 1. Validate that full credit card track data and sensitive authentication + data is not stored in the databases of the Organization. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-10 + name: Primary Account Number Data Restrictions + description: Organization restricts primary account number (PAN) data such that + only the first six and last four digits are displayed; authorized users with + a legitimate business need may be provided the full PAN. + annotation: '1. Ensure that a process is defined and documented for redaction + of credit card data. + + 2. Ensure that the organization restricts primary account number (PAN) data + such that only the first six and last four digits are displayed. + + 3. Ensure that a process is defined to provide full PAN to authorized users + with a legitimate business need.' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-13 - Database Screenshots + + E-DM-14 - PAN authorization records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-10:question:1 + text: 1. Inspect and validate whether a documented process exists for redaction + of credit card data. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-10:question:2 + text: 2. Validate that primary account number is stored such that only the + first six and last four digits are displayed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-10:question:3 + text: 3. Inspect and validate whether a documented process exists to provide + full PAN to authorized users with a legitimate business need. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-11 + name: Personal Information Inventory + description: Organization maintains a documented inventory of media containing + personal information. + annotation: '1. 
Ensure that an inventory of media containing personal information + is documented, approved, and communicated to appropriate stakeholders. + + 2. Ensure that this inventory is reviewed and update periodically.' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-15 - Personal Information Media Inventory' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-11:question:1 + text: 1. Inspect and validate whether an inventory of media containing personal + information is formally documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-11:question:2 + text: 2. Ensure that a process is defined to review and update the inventory + periodically. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-12 + name: Changes to Data at Rest + description: Organization uses mechanisms to detect direct changes to the integrity + of customer data and personal information; Organization takes action to resolve + confirmed unauthorized changes to data. + annotation: '1. Ensure that a process is defined and documented to detect unauthorized + changed to customer data. + + 2. Ensure that appropriate alerts are sent and actions are taken to resolve + unauthorized changes.' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-16 - Integrity Checks' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-12:question:1 + text: 1. Inspect and validate that a process is defined and documented to + detect unauthorized changed to customer data. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-12:question:2 + text: 2. Validate whether alerts are sent and actions were taken to resolve + unauthorized changes. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-13 + name: Data Processing Integrity + description: System checks are in place to ensure both complete and accurate + capture of data in process. + annotation: '1. Ensure that a process is defined and documented for ensuring + data integrity in transit and at rest + + 2. Ensure appropriate tests are used to check checksums or hashes to ensure + data integrity.' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-16 - Integrity Checks' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-13:question:1 + text: 1. Inspect and validate that a process for ensuring data integrity + in transit and at rest is defined and documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-13:question:2 + text: 2. Validate and inspect the tests used to check checksums or hashes + to ensure data integrity + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-14 + name: Secure Disposal of Media + description: Organization securely erases media containing decommissioned restricted + data and obtains a certificate or log of erasure; media pending erasure are + stored within a secured facility. + annotation: '1. Ensure that requirements for destroying media containing decommissioned + restricted data are defined and documented. + + 2. Ensure that the requirements for maintaining a log of such activities is + defined. + + 3. Ensure that appropriate records are maintained for such activities. + + 4. Ensure a security facility is designated to store such media prior to erasure. + + 5. Ensure a certificate of erasure is obtained for such media post erasure + completion.' 
+ typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-17 - Media Erasure records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-14:question:1 + text: 1. Inspect and validate whether requirements for destroying media + containing decommissioned restricted data are defined and documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-14:question:2 + text: 2. Inspect and validate that the requirements for maintaining a log + of such activities is defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-14:question:3 + text: 3. Validate that appropriate records are maintained for such activities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-14:question:4 + text: 4. For a sample of records, validate that a certificate of erasure + was obtained for such media post erasure completion. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-15 + name: Customer Data Retention and Deletion + description: Organization purges or archives data according to customer requests + or legal and regulatory mandates. + annotation: '1. Ensure that a process is defined, documented, and communicated + for requesting deletion or archival of personal information. + + 2. Ensure that on customer''s request or as per legal/regulatory mandates, + personal information is deleted/archived as per the policy.' + typical_evidence: 'E-PRIV-01 - Privacy Policy + + E-DM-08 - Data Deletion Request Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-15:question:1 + text: 1. Inspect and validate whether a documented process is defined & + communicated for requesting deletion/archival of personal information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-15:question:2 + text: 2. 
Validate whether on customer's request or as per legal/regulatory + mandates personal information is deleted/archived as per the policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-16 + name: Removal of PHI from Media + description: Organization removes electronic protected health information from + electronic media if the media is made available for re-use. + annotation: '1. Ensure that a process is defined and documented for removal + of Protected Health Information from electronic media if the media is made + available for reuse. + + 2. Ensure that validation is done to ensure that no protected health information + exists on the media before reuse.' + typical_evidence: E-DM-01 - Data Management Policy + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-16:question:1 + text: 1. Inspect and validate that a process is defined and documented for + removal of Protected Health Information from electronic media if the media + is made available for reuse. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-16:question:2 + text: 2. Inspect whether validation is done to ensure that no protected + health information exists on the media before reuse. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-17 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-17 + name: 'Secure Disposal of Media: Testing' + description: Organization tests sanitization procedures and equipment annually + for effectiveness. + annotation: '1. Ensure that a process is defined and documented for testing + of sanitization procedures. + + 2. Ensure that the sanitization procedures are tested annually and appropriate + records are maintained.' 
+ typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-18 - Sanitization Procedures Testing Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-17:question:1 + text: 1. Inspect and validate that a process is defined and documented for + testing of sanitization procedures. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-17:question:2 + text: 2. Validate whether the sanitization procedures were tested annually. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-18 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-18 + name: Personal Information Retention and Deletion + description: Organization retains and deletes personal information from Organization + and service provider systems in accordance with Organization policy. + annotation: '1. Ensure that a process is defined and documented for retention + and deletion of personal information. + + 2. Ensure that the personal information is retained and deleted as per the + process from organization and service provider systems.' + typical_evidence: "E-DM-01 - \nE-DM-19 - Personal Information Deletion Records" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-18:question:1 + text: 1. Inspect and validate that a process is defined and documented for + retention and deletion of personal information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-18:question:2 + text: 2. Validate whether the personal information was retained and deleted + as per the process. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-19 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-19 + name: Temporary Storage of Personal Information + description: Temporary files and documents containing personal information are + deleted in accordance with a timeframe consistent with Organization policy. + annotation: '1. Ensure that a process is defined and documented for deletion + of temporary files. + + 2. Ensure that temporary files are deleted within a defined timeframe as per + the process.' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-20 - Temporary Files deletion configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-19:question:1 + text: 1. Inspect and validate that a process is defined and documented for + deletion of temporary files. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-19:question:2 + text: 2. Validate the configuration for deletion of temporary files and + ensure that the timeframe is as per the process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-20 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-20 + name: Social Media + description: Sharing Organization restricted data via messaging technologies, + social media, and public websites is prohibited. + annotation: '1. Ensure that a process is defined, documented, and communicated + which prohibits sharing of restricted data via messaging technologies, social + media, and public websites. + + 2. Ensure that appropriate mechanisms are in place to detect such activities.' 
+ typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-21 - Sample Alerts showcasing restricted data via public websites is + prohibited' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-20:question:1 + text: 1. Inspect and validate whether a process is defined, documented and + communicated which prohibits sharing of restricted data via messaging + technologies, social media, and public websites. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-20:question:2 + text: 2. Validate whether appropriate mechanisms are in place to detect + such activities and alerts are generated. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-21 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-21 + name: Publicly Accessible Content + description: 'Organization protects its public information system presence with + the following processes: only authorized and trained individuals may post + public information, content is reviewed prior to publishing, information on + public systems is reviewed periodically, and non-public information is removed + from public systems upon discovery.' + annotation: '1. Ensure that a process is defined, documented, and communicated + regarding publishing of information on public websites. + + 2. Ensure public information is reviewed periodically. + + 3. Ensure appropriate process is defined for removing non-public information + from public websites. + + 4. Ensure appropriate access control exists for posting information on public + websites.' + typical_evidence: 'E-DM-01 - Data Management Policy + + E-DM-23 - Configuration for posting on Public Websites' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-21:question:1 + text: 1. 
Inspect and validate whether a process is defined, documented, + and communicated regarding publishing of information on public websites. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-21:question:2 + text: 2. Validate whether public information is reviewed periodically. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-21:question:3 + text: 3. Validate the process for removing non-public information from public + websites. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-21:question:4 + text: 4. Validate that appropriate access control exists for posting information + on public websites. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-22 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node71 + ref_id: DM-22 + name: Data Loss Prevention + description: Data loss prevention capabilities are implemented to protect sensitive + information as it is stored, transmitted, and processed. + annotation: '1. Ensure that Data Loss Prevention solution is enabled on systems + to protect sensitive data as it is stored, transmitted, and processed. + + 2. Ensure appropriate alerts are sent and actions are taken to remediate any + deviations.' + typical_evidence: 'E-DM-22 - DLP Configuration + + E-DM-21 - Sample Alerts showcasing restricted data via public websites is + prohibited' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-22:question:1 + text: 1. Validate whether that Data Loss Prevention solution is enabled + on a sample system. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:dm-22:question:2 + text: 2. Validate whether appropriate alerts are sent and actions are taken + to remediate any deviations. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + assessable: false + depth: 1 + name: Entity Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-01 + name: Board of Directors Structure and Purpose + description: "The Board of Directors provides corporate oversight, strategic\ + \ direction, and review of management for Organization. The Board of Directors\ + \ meets at least quarterly and has 3 sub-committees: \n\u2022 Audit Committee\n\ + \u2022 Executive Compensation and Nominating Committee\n\u2022 Governance\ + \ Committee" + annotation: '1. Document the Board of Directors responsibilities and members + within a charter. + + 2. Ensure Board of Directors meet at least quarterly, and document meeting + minutes of each meeting. + + 3. Ensure Board of directors have at least 3 sub-committees defined and formed, + audit committee, executive compensation and nominating committee, and governance + committee.' + typical_evidence: 'E-EM-01 - Board of directors charter + + E-EM-02 - Board of directors meetings minutes' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-01:question:1 + text: 1. Inspect that the board of directors information in the form of + Charter is available on the Organization governance website. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-01:question:2 + text: '2. Validate that board of directors meet at least quarterly to provide + corporate oversight and have at least 3 sub-committees defined: audit + committee, executive compensation and nominating committee, and governance + committee.' 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-02 + name: Audit Committee + description: "The Audit Committee is governed by a Charter, is independent from\ + \ Organization Management, composed of outside directors (Industry Experts),\ + \ and meets quarterly. The Audit Committee oversees: \n\u2022Financial Statement\ + \ Quality \n\u2022Enterprise Risk Management\n\u2022Regulatory & Legal Compliance\n\ + \u2022Internal Audit Functions\n\u2022Information Security Functions\n\u2022\ + External Audit Functions" + annotation: '1. Ensure documented information on the Audit Committee and Audit + Committee Charter is created. + + 2. Ensure that the audit committee is independent and meets quarterly as defined + within the charter. Document the most recent meeting in the form of an audit + committee minutes. + + 3. Ensure that the audit committee includes outside directors (industry experts). + + 4. Ensure audit committee reviews financial statement quality, enterprise + risk management, regulatory & legal compliance, internal and external audit + function, and information security functions. + + 5. Follow up on any open items from previous audit committee meetings to ensure + they are being worked on and closed out.' + typical_evidence: 'E-EM-03 - List of members on the audit committee + + E-EM-04 - Audit committee charter + + E-EM-05 - Audit Committee meeting minutes + + E-EM-06 - Evidence of follow up items or action plans' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-02:question:1 + text: 1. Inspect the Charter of the Audit Committee of the Board of Directors + and meeting minutes to determine whether the Audit Committee is independent + from management, and is composed of outside directors. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-02:question:2 + text: '2. 
Validate that the audit committee is independent and meets quarterly + as defined within the charter. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-02:question:3 + text: 3. Inspect the minutes of meeting audit committee. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-02:question:4 + text: 4. Validate meeting minutes to ensure that financial statement quality, + enterprise risk management, regulatory & legal compliance, internal and + external audit function, and information security functions were reviewed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-03 + name: Organizational Structure + description: Organization Management ensures that its organization is aligned + with the corporate strategy by assigning key managers with responsibilities + to execute the corporate strategy. + annotation: '1. Ensure the organization has defined and documented a corporate + strategy including the responsibilities for key managers. + + 2. Ensure the strategy is available to the respective stakeholder and is communicated + effectively.' + typical_evidence: E-EM-07 - Documented corporate strategy in the Information + Security policy + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-03:question:1 + text: 1. Validate and ensure that the organization has established and documented + the strategy with the responsibilities for key managers. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-03:question:2 + text: 2. Inspect whether the strategy is available to the respective stakeholder + and is communicated effectively. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-04 + name: Operating Plans + description: Annual operating plans are aligned with Corporate Objectives, which + are established on an annual basis during the Company's planning process. + Priorities are set and plans are communicated appropriately. + annotation: "1. Ensure that operating plans are established. \n2. Ensure that\ + \ these plans are updated and approved on an annual basis.\n3. Ensure priorities\ + \ are set and plans are communicated to the respective stakeholders." + typical_evidence: 'E-EM-08 - Operating plan procedure/process + + E-EM-09 - Evidence showcasing the plans are communicated to the stakeholders + (MOM)' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-04:question:1 + text: 1. Inspect the process of operating plans creation and update. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-04:question:2 + text: 2. Validate that the corporate strategy is an input to operating plans + update process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-04:question:3 + text: 3. Validate whether the plans are updated and approved at least annually + and communicated to the stakeholders. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-05 + name: Cyber Security Insurance + description: Organization purchases cyber security insurance to mitigate risk + of material financial impact that could result from a cyber security event. + annotation: '1. Ensure cyber security insurance is being purchased by the organization + and is active for the audit period. + + 2. Ensure that a process is created for renewal of Cyber Security Insurance.' 
+ typical_evidence: E-EM-10 - Latest Cyber Security Insurance + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-05:question:1 + text: 1. Obtain and inspect the latest cyber security insurance to verify + that the insurance policy is active for the audit period. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-06 + name: Internal Audit Function + description: Quarterly, the Chief Audit Executive meets with the Audit Committee + to review key risk issues. The Audit Committee approves the annual Internal + Audit Plan. Results of quarterly audits and subsequent issue tracking summaries + are presented to the Audit Committee. + annotation: '1. Ensure key risk issues shall be reviewed at least quarterly + by the audit committee and document the issues identified along with the plan + of action for risk remediation. + + 2. Ensure the Internal audit plan is annually approved by the audit committee. + + 3. Ensure results of quarterly audits and issues identified as a part of audit + are presented to the Audit Committee.' + typical_evidence: 'E-EM-11 - Latest MOM of audit committee + + E-EM-12 - Internal audit plan + + E-EM-13 - Internal audit report' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-06:question:1 + text: 1. Inspect Minutes of audit committee meeting and validate that it + highlights the key risks identified, plan of action along with the timeline. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-06:question:2 + text: ' ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-06:question:3 + text: 2. Check internal audit plan to ensure it was approved by the audit + committee. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-06:question:4 + text: 3. 
Inspect and validate whether results of quarterly audits are presented + to the audit committee. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-07 + name: Financial Control Review + description: Internal financial control assessment results are reported to the + Audit Committee by the Chief Audit Executive on a quarterly basis and support + the CEO/CFO 302/404 certifications. + annotation: 1. Ensure Chief Audit committee shall report the internal financial + control assessment results to the Audit Committee on a quarterly basis. + typical_evidence: E-EM-14 - Minutes of meeting showcasing the Internal financial + control assessment results + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-07:question:1 + text: 1. Inspect Minutes of the audit committee meeting to ensure internal + financial control assessment results are discussed and reported on a quarterly + basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-08 + name: Information Security Function + description: Quarterly, the Chief Security Officer meets with the Audit Committee + to review key Information Security issues. Results of continuous monitoring + activities and current security compliance status are presented to the Audit + Committee and the Board of Directors. + annotation: '1. Ensure audit committee reviews the Information security issues + at least quarterly and document the issues identified along with the plan + of action for risk remediation. + + 2. Ensure Minutes of Meetings to be documented stating the compliance status. + + 3. 
Ensure results of continuous compliance activities and current compliance + status are reported to the Audit Committee and the Board of Directors in the + form of PowerPoints, documents, etc.' + typical_evidence: E-EM-15 - Minutes of meeting showcasing the security compliance + status and issues identified + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-08:question:1 + text: 1. Validate whether information security issues are reviewed at least + quarterly by the audit committee along with remediation plans. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-08:question:2 + text: 2. Inspect minutes of audit committee meeting with chief security + officer to ensure security compliance status along with the continuous + monitoring of action plan is discussed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-09 + name: Information Security Compliance Review + description: Information Security compliance results are reported to the Audit + Committee by the Chief Security Officer on a quarterly basis and support information + security compliance certifications + annotation: '1. Ensure Minutes of Meetings to be documented stating the compliance + results on a quarterly basis. + + 2. Ensure results of current security compliance status and issues identified + as a part of audit are reported to the Audit Committee in the form of PowerPoints, + documents, etc.' + typical_evidence: E-EM-16 - Minutes of meeting showcasing the security compliance + results + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-09:question:1 + text: 1. Obtain and inspect evidence that quarterly Information Security + compliance results were reported to the Audit Committee. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-10 + name: Common Controls Framework + description: Organization maintains a Common Control Framework (CCF) that is + used in the implementation of control measures as a risk mitigation strategy + to support organization operations, technology infrastructure, and security + management activities. + annotation: '1. Ensure that a control set is created to govern the organization''s + information security program. + + 2. Document the control set and ensure it is communicated with relevant stakeholders.' + typical_evidence: E-EM-17 - Organization's control set + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-10:question:1 + text: 1. Validate whether a control framework exists for managing the organization's + information security program. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-10:question:2 + text: 2. Ensure that this control set is documented and available to relevant + stakeholders. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node94 + ref_id: EM-11 + name: Service Agreement + description: "When customers sign-up for Organization\u2019s product and services,\ + \ the customer is required to acknowledge a service agreement which includes\ + \ considerations for protecting security, availability, confidentiality and\ + \ indicates the responsibilities of the users and organization\u2019s responsibilities\ + \ and commitments." + annotation: '1. Ensure that the customers acknowledge a service agreement including + considerations for protecting security, availability, confidentiality. + + 2. Ensure that the service agreement contains responsibilities of users and + the organization.' 
+ typical_evidence: E-EM-18 - Customer service agreement + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-11:question:1 + text: 1. Validate whether customers acknowledge a service agreement. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-11:question:2 + text: 2. Validate whether the agreement contains considerations for protecting + security, availability, confidentiality. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:em-11:question:3 + text: 3. Validate whether the agreement contains users and organizations + responsibilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + assessable: false + depth: 1 + name: Identity and Access Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-01 + name: Logical Access Provisioning + description: Logical access provisioning to information systems requires approval + from appropriate personnel. + annotation: '1. Design and document a process for Logical Access and requirements + for access provisioning. + + 2. Ensure access approval logic is mandated in the access management portal + accordingly. + + 3. Ensure that the access management portal is updated with the relevant approvers.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-02 - Access Management Portal Workflow + + E-IAM-03 - Access Provisioning Logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-01:question:1 + text: 1. Inspect Organization Logical Access Policy and/or Standard to determine + that the requirements for access provisioning were defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-01:question:2 + text: 2. 
Inspect evidence of the workflow from access management portal + showing access requires approval and is provisioned upon approval. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-01:question:3 + text: 3. Inspect the system generated list of identity and access groups + which are in-scope and associated workgroups with approvers from access + management portal. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-01:question:4 + text: 4. Inspect access provisioning system logs for a selection of users + who were granted access to production systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-02 + name: Change of Access Notification + description: Changes made to system access trigger a notification that is sent + to designated personnel. + annotation: '1. Design and document a process for Logical Access and requirements + for access modification. + + 2. Ensure that any change made to access triggers a notification in the access + management portal accordingly.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-04 - Access Modification Logs + + E-IAM-05 - Sample alert for Access Modification' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-02:question:1 + text: 1. Inspect Organization Logical Access Policy and/or Standard to determine + the requirements for access provisioning were defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-02:question:2 + text: 2. Validate for a sample access change, that a notification in the + access management portal was triggered to the management. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-03 + name: Logical Access De-provisioning + description: Logical access that is no longer required in the event of a termination + is documented, communicated to management, and revoked. + annotation: '1. Design and document a process for Logical Access and requirements + for access de-provisioning. + + 2. Ensure access termination logic is mandated in the access management portal + accordingly.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-02 - Access Management Portal Workflow + + E-IAM-07 - Access De-Provisioning Logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-03:question:1 + text: "1. Inspect Organization\u2019s Logical Access Account Standard to\ + \ determine whether the requirements for access de-provisioning or terminations\ + \ were defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-03:question:2 + text: 2. Inspect the list of system generated population of terminated full-time + and temporary employees and contractors from the HR system. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-03:question:3 + text: 3. Inspect configurations to determine that user accounts are disabled + after they are no longer required.. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-03:question:4 + text: 4. Inspect removals from the access management tool for a selection + of terminations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-04 + name: 'Logical Access De-provisioning: Notification' + description: The People Resources system sends a notification to relevant personnel + in the event of a termination of an information system user. + annotation: 1. 
Ensure that on access termination, the access management portal + triggers a notification to the relevant personnel. + typical_evidence: 'E-IAM-02 - Access Management Portal Workflow + + E-IAM-06 - Access Termination Logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-04:question:1 + text: 1. Inspect resource management portal to check if the relevant stakeholders + are informed upon an employee's termination of an information system user. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-05 + name: Logical Access Review + description: Organization performs account and access reviews on a quarterly + basis; corrective action is taken where applicable. + annotation: '1. Design and document a process for Logical Access and requirements + for access reviews. + + 2. Ensure access reviews are performed as per defined frequency. + + 3. Ensure that the necessary corrective action has been taken, if required.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-08 - Access Review Reconciliation + + E-IAM-09 - Corrective Action in Access Management Portal' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-05:question:1 + text: "1. Inspect Organization\u2019s Logical Access Account Standard to\ + \ determine whether the requirements for access reviews were defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-05:question:2 + text: 2. Inspect the access reviews reconciliation report on a quarterly + basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-05:question:3 + text: '3. For a sample of services, inspect the access review for the selected + quarters. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-05:question:4 + text: 4. 
In case of any discrepancy, ensure that corrective action has been + taken and appropriate approval is obtained from the authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-06 + name: 'Role Change: Access De-provisioning' + description: Upon notification of an employee reassignment or transfer, management + reviews the employee's access for appropriateness. Access that is no longer + required is revoked and documented. + annotation: '1. Design and document a process for Logical Access and requirements + for access modification in case of transfer or reassignment. + + 2. Ensure access reviews are performed appropriately. + + 3. Ensure that the necessary corrective action has been taken, if required.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-08 - Access Review Reconciliation + + E-IAM-09 - Corrective Action in Access Management Portal' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-06:question:1 + text: "1. Inspect Organization\u2019s Logical Access Account Standard to\ + \ determine whether the requirements for access modifications were defined\ + \ and includes the case of employee reassignment or transfer." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-06:question:2 + text: 2. Inspect the user access reconciliation report to ensure that the + user access reviews are completed appropriately. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-06:question:3 + text: 3. In case of any discrepancy, ensure that corrective action has been + taken inspect the list of terminated users from the audit period. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-06:question:4 + text: 4. For a sample of terminated users, validate that access was terminated + in a timely and appropriate manner. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-07 + name: Shared Logical Accounts + description: Organization restricts the use of shared and group authentication + credentials. Authentication credentials for shared and group accounts are + reset every 90 days. + annotation: '1. Design and document a process for Logical Access and requirements + for rotation of shared credentials. + + 2. Ensure that shared secrets were rotated as per the defined policy.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-10 - Shared secret rotation evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-07:question:1 + text: 1. Inspect the Logical Access Account Standard to determine whether + Organization requires the restriction of shared and group authentication + credentials, and that authentication credentials are rotated + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-07:question:2 + text: 2. For a sample of services validate that shared secrets were rotated + as per the defined policy and appropriate evidences are available. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-08 + name: 'Shared Logical Accounts: Group Member ' + description: Passwords for shared and group accounts are reset when a member + of the shared group leaves. + annotation: '1. Design and document a process for Password Policy and requirements + for changing password of shared and group accounts. + + 2. Ensure that the password is changed if a member of the shared group leaves.' 
+ typical_evidence: 'E-IAM-16 - Password Policy + + E-IAM-11 - Password Change evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-08:question:1 + text: 1. Inspect Organization's password policy and check requirement for + changing the password for shared and group accounts are clearly defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-08:question:2 + text: 2. Inspect shared credential storage tools to check the operational + effectiveness and ensure passwords are changed when a member of the shared + group leaves. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-09 + name: Shared Account Restrictions + description: Where applicable, the use of generic and shared accounts to administer + systems or perform critical functions is prohibited; generic user IDs are + disabled or removed. + annotation: '1. Ensure that there are no generic or shared accounts used. + + 2. Ensure that production access is controlled and does not use generic or + shared accounts.' + typical_evidence: 'E-IAM-12 - List of User IDs + + E-IAM-13 - Access to IAM groups' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-09:question:1 + text: 1. Review and ensure that there are no generic or shared accounts. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-09:question:2 + text: 2. Validate for a sample of services that production access is controlled + and is configured to use unique user accounts and that a generic or shared + ID is not used.. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-10 + name: 'Role Change: People Resources Notification' + description: The People Resources system sends a notification to relevant management + and relevant information system administrators in the event of an employee + reassignment or transfer of an information system user. + annotation: '1. Design and document a process for Logical Access and requirements + for access modification in case of transfer or reassignment. + + 2. Ensure access management portal sends a notification to concerned personnel.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-02 - Access Management Portal Workflow + + E-IAM-04 - Access Modification Logs + + E-IAM-15 - Configuration showing trigger is configured' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-10:question:1 + text: 1. Inspect resource management portal to check if the relevant stakeholders + are informed upon an event of an employee reassignment or transfer of + an information system user. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-11 + name: Temporary Account Termination + description: Temporary and emergency accounts are automatically terminated 90 + days from the date they are generated. + annotation: '1. Design and document a process for Access control and requirements + for automatic termination of temporary and emergency accounts. + + 2. Ensure that the access management portal is configured to terminate temporary + and emergency accounts within 90 days.' 
+ typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-14 - Configuration showing 90 days termination' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-11:question:1 + text: '1. Inspect Organization''s access control policy to check policy + pertaining to temporary and emergency accounts are automatically terminated + 90 days from the date they are generated, is clearly defined. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-11:question:2 + text: 2. Check the access management tool to ensure the effectiveness of + termination of temporary and emergency accounts within 90 days.. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-12 + name: Unique Identifiers + description: Organization requires unique identifiers for user accounts and + prevents identifier reuse. + annotation: 1. Ensure unique identifiers are used for user accounts. + typical_evidence: 'E-IAM-16 - Password Policy + + E-IAM-02 - Access Management Portal Workflow + + E-IAM-17 - Existing User listing' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-12:question:1 + text: 1. Inspect Organization's Authentication Standard to determine whether + unique identifier requirements are documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-12:question:2 + text: 2. Perform a walkthrough of user account creation of an existing user + to determine whether identifier reuse is prevented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-12:question:3 + text: 3. Obtain a complete list of existing users with identifiers to determine + whether same identifier is not used for any two users. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-13 + name: Password Authentication + description: User and device authentication to privileged information systems + is protected by passwords that meet Organization's password complexity requirements. + annotation: 1. Ensure that user and device authentication to privileged information + systems is protected by passwords that meet Organization's password complexity + requirements. + typical_evidence: 'E-IAM-16 - Password Policy + + E-IAM-18 - Password policy from console' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-13:question:1 + text: "1. Inspect Organization\u2019s Authentication Standard to determine\ + \ whether the policies contain requirements for the creation, allocation,\ + \ change, distribution, and safeguarding of passwords." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-13:question:2 + text: 2. Inspect the accessmanagement tool setting to determine password + complexity, consecutive re-use, and change frequency requirements of passwords + is in accordance with organization password complexity requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-14 + name: Multifactor Authentication + description: "Multi-factor authentication is required for:\n\u2022 remote VPN\ + \ sessions\n\u2022 access to trusted data environments" + annotation: 1. 
Ensure remote connection to the corporate network is invoked + via VPN and VPN in turn invokes Multi-factor authentication + typical_evidence: 'E-IAM-19 - Remote Access Standard + + E-IAM-20 - VPN Connection walkthrough + + E-IAM-21 - System config for Multi Factor Authentication' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-14:question:1 + text: "1. Inspect Organization\u2019s Remote Access Standard to determine\ + \ whether requirements for remotely connecting to the corporate network\ + \ are defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-14:question:2 + text: 2. Observe a user remotely connect to the Organization Corporate Network + via VPN. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-14:question:3 + text: 3. Inspect system configuration of VPN software to determine whether + Multi-factor authentication is required. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-14:question:4 + text: 4. Perform a walkthrough of system connecting to Organization network + remotely via vpn software to determine whether Multi- factor authentication + is required for remote VPN session. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-15 + name: Authentication Credential Maintenance + description: Authorized personnel verify the identity of users before modifying + authentication credentials on their behalf. + annotation: '1. Document and validate the process of modifying credentials. + + 2. Ensure that verification is done before modification' + typical_evidence: E-IAM-22 - Access Reset process + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-15:question:1 + text: 1. Validate the process with the IT Helpdesk at least on an annual + basis. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-15:question:2 + text: 2. Inspect whether necessary and updated documentation is available + on the process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-16 + name: Session Timeout + description: Information systems are configured to terminate inactive sessions + after 15 minutes or when the user terminates the session. + annotation: 1. Ensure that information systems are configured to terminate inactive + sessions after 15 minutes or when the user terminates the session. + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-23 - Session timeout config for server' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-16:question:1 + text: "1. Inspect Organization\u2019s Logical Access Account Standard to\ + \ determine whether the requirements for access reviews were defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-16:question:2 + text: 2. Inspect the server samples from the service team. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-16:question:3 + text: 3. Select the sample from the listing and inspect session timeout + configuration + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-17 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-17 + name: Session Limit + description: Information systems are configured to limit concurrent login sessions + and the inactive user interface is not displayed when the session is terminated. + annotation: "1. Ensure that the systems are configured to limit concurrent login\ + \ sessions. \n2. Ensure that inactive user interface is not displayed when\ + \ the session is terminated." 
+ typical_evidence: 'E-IAM-24 - Access Management Policy + + E-IAM-25 - Active Directory Screenshot' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-17:question:1 + text: '1. Inspect Organization''s access control policy to check clauses + pertaining to limited concurrent login sessions and the inactive user + interface is not displayed when the session is terminated are clearly + defined. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-17:question:2 + text: 2. Check logical access systems to ensure the effectiveness for the + same. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-18 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-18 + name: 'Account Lockout: Cardholder Data Environments' + description: Users are locked out of information systems after 6 invalid attempts + for a minimum of 30 minutes, or until an administrator enables the user ID. + annotation: 1. Ensure that user lock out parameters are defined and implemented + to lockout after 6 invalid attempts for minimum 30 minutes. + typical_evidence: 'E-IAM-16 - Password Policy + + E-IAM-26 - Account lockout parameters' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-18:question:1 + text: "1. Inspect Organization\u2019s Authentication Standard to determine\ + \ whether the policies contain requirements for the account lockout post\ + \ failed login attempts." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-18:question:2 + text: 2. 
Inspect the logical access systems setting to determine that account + lockout policy is configured with Organization password requirements to + lock a user's account after 6 failed attempts for a minimum of 30 minutes + or until it is reset by a System Administrator + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-19 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-19 + name: Account Lockout + description: Users are locked out of information systems after multiple, consecutive + invalid attempts within a defined period; accounts remain locked for a defined + period. + annotation: 1. Ensure that user lock out parameters are defined and implemented + typical_evidence: 'E-IAM-16 - Password Policy + + E-IAM-26 - Account lockout parameters' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-19:question:1 + text: '1. Inspect Organization''s access control policy to check clauses + pertaining to accessing system by multiple failed attempts are clearly + defined. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-19:question:2 + text: 2. Check check logical access systems to ensure the effectiveness + for the same. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-20 + name: Login Banner + description: "Systems leveraged by the U.S. Federal Government present a login\ + \ screen that displays the following language:\n\u2022 users are accessing\ + \ a U.S. Government information system\n\u2022 system usage may be monitored,\ + \ recorded, and subject to audit\n\u2022 unauthorized use of the system is\ + \ prohibited and subject to criminal and civil penalties\n\u2022 use of the\ + \ system indicates consent to monitoring and recording" + annotation: "1. Ensure that the Systems leveraged by the U.S. 
Federal Government\ + \ present a login screen that displays the following language:\n\u2022 users\ + \ are accessing a U.S. Government information system\n\u2022 system usage\ + \ may be monitored, recorded, and subject to audit\n\u2022 unauthorized use\ + \ of the system is prohibited and subject to criminal and civil penalties\n\ + \u2022 use of the system indicates consent to monitoring and recording" + typical_evidence: E-IAM-27 - Sample configuration screenshot from Federal Systems + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20:question:1 + text: '1. Inspect and validate for a sample system that Systems leveraged + by the U.S. Federal Government present a login screen that displays the + following language:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20:question:2 + text: "\u2022 users are accessing a U.S. Government information system" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20:question:3 + text: "\u2022 system usage may be monitored, recorded, and subject to audit" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20:question:4 + text: "\u2022 unauthorized use of the system is prohibited and subject to\ + \ criminal and civil penalties" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-20:question:5 + text: "\u2022 use of the system indicates consent to monitoring and recording" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-21 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-21 + name: Credentials Validation + description: "Organization systems utilize Federal Identity, Credential, and\ + \ Access Management (FICAM) components and conform to FICAM-issued profiles;\ + \ systems verify and accept the following external credentials:\n\u2022 personal\ + \ Identity Verification (PIV) credentials from federal agencies, and\n\u2022\ + \ FICAM-approved credentials from non-federal 
third-parties\n" + annotation: '1. Ensure that the organization uses Federal Identity, Credential, + and Access Management (FICAM) components and conform to FICAM-issued profiles + for Federal Systems. + + 2. Ensure that the organization accepts personal Identity Verification (PIV) + credentials from federal agencies and FICAM-approved credentials from non-federal + third-parties' + typical_evidence: E-IAM-27 - Sample configuration screenshot from Federal Systems + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-21:question:1 + text: 1. Inspect and validate whether the organization uses Federal Identity, + Credential, and Access Management (FICAM) components and conform to FICAM-issued + profiles for Federal Systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-21:question:2 + text: 2. Validate that the organization accepts personal Identity Verification + (PIV) credentials from federal agencies and FICAM-approved credentials + from non-federal third-parties + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-22 + name: 'Password Authentication Standard: Federal Systems' + description: "Organization information systems obscure feedback of authentication\ + \ information during the authentication process (e.g., the system does not\ + \ disclose error information such as \"'user1' is not a valid username\")\ + \ and have the following password requirements:\n\u2022 minimum of 12 characters\n\ + \u2022 contains at least one upper-case letter, lower-case letter, number,\ + \ and a special character\n\u2022 at least one of the characters is changed\ + \ when the new passwords are created.\n\u2022 the password life span is between\ + \ 1 to 60 days\n\u2022 password reuse is prohibited for 24 generations\n\u2022\ + \ only allow the use of temporary password system logons 
with an immediate\ + \ change to a permanent password" + annotation: "1. Ensure that failed authentication notes do not contain any error\ + \ information.\n2. Ensure that the password policy in the logical access system\ + \ is defined as below: \n-Minimum 12 character length\n-Password complexity\ + \ has one upper-case, lower-case, and a special character\n-Temporary Passwords\ + \ are immediately changed to a permanent password\n-Passwords cannot be the\ + \ same as the last 24 passwords\n-Passwords must be rotated at least every\ + \ 60 days" + typical_evidence: 'E-IAM-28 - Sample error information + + E-IAM-18 - Password policy from console' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:1 + text: 1. Inspect that failed authentication notes do not contain any error + information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:2 + text: '2. Inspect that the password policy in the logical access system + and ensure that it is defined as below: ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:3 + text: -Minimum 12 character length + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:4 + text: -Password complexity has one upper-case, lower-case, and a special + character + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:5 + text: -Temporary Passwords are immediately changed to a permanent password + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:6 + text: -Passwords cannot be the same as the last 24 passwords + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-22:question:7 + text: -Passwords must be rotated at least every 60 days + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-23 + name: Privileged Session Management + description: Privileged logical access to trusted data 
environments is enabled + through an authorized session manager; session user activity is recorded and + tunnelling to untrusted data environments is restricted. + annotation: '1. Ensure Privileged logical access to trusted data environments + is enabled through an authorized session manager. + + 2. Ensure session user activity is recorded and documented. + + 3. Tunnelling to untrusted data environments is restricted.' + typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-29 - Authorized session manager evidence + + E-IAM-30 - List of privileged users + + E-IAM-31 - Access approval evidence + + E-IAM-32 - Tunneling restriction config evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:1 + text: '1. Observe user access management process for managing privileged + access to trusted data environments in accordance with organization policies + and verify the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:2 + text: "\u2022 Creation and allocation of privileged user accounts/IDs on\ + \ the information systems is controlled through a formal authorization\ + \ process." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:3 + text: "\u2022 Privilege access to trusted data environments are enabled\ + \ through an authorized session manager" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:4 + text: "\u2022 Privileged access rights are allocated to users on a time\ + \ bound need-to-use basis and on an event-by-event basis in line with\ + \ the access control policy, i.e. 
based on the minimum requirement for\ + \ their functional roles and shall be revoked post that defined time period;" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:5 + text: "\u2022 All session user activities are recorded and tunnelling to\ + \ untrusted data environments is restricted" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:6 + text: 2. Inspect list of users that have privileged logical access to trusted + data environments. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:7 + text: 3. For a sample of user, inspect evidence of screenshot showing privilege + access to trusted data environments is granted by authorized session manager. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:8 + text: 4. Inspect configuration showing that session recording for user activity + is recorded. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-23:question:9 + text: 5. Inspect configuration showing that tunneling to untrusted data + environments is restricted. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-24 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-24 + name: Zero Trust Enterprise Network + description: Organization users are authenticated against a Zero Trust model + prior to gaining access to organization resources. + annotation: '1. Ensure that a process is defined and documented for the organization''s + zero trust architecture. + + 2. Ensure that a zero trust access authorization infrastructure is effectively + operating for accessing organization''s resources.' + typical_evidence: 'E-IAM-24 - Access Management Policy + + E-IAM-33 - Zero Trust Implementation Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-24:question:1 + text: 1. 
Inspect and validate that a process is defined and documented for + the organization's zero trust architecture. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-24:question:2 + text: 2. Validate whether all access to organization's resources are via + a zero trust method. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-25 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-25 + name: Logical Access Role Permission Authorization + description: Initial permission definitions, and changes to permissions, associated + with logical access roles are approved by authorized personnel. + annotation: '1. Ensure that access to systems is granted after appropriate approvals. + + 2. Ensure that production access is controlled via authentication methods.' + typical_evidence: 'E-IAM-12 - List of User IDs + + E-IAM-34 - Access grant evidences + + E-IAM-35 - Production access authentication' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-25:question:1 + text: 1. Observe and validate for a sample user, that the access to the + systems was approved by the appropriate party based on the business need. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-25:question:2 + text: 2. Validate for a sample of services, that production access is controlled + via appropriate authentication methods and is configured to use appropriate + logical access lists. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-26 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-26 + name: Source Code Security + description: Access to modify source code is restricted to authorized personnel. + annotation: 1. Ensure that access to modify source code is restricted to authorized + personnel. 
+ typical_evidence: 'E-IAM-36 - Source Code access restrictions + + E-IAM-37 - Changes made to source code and logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-26:question:1 + text: 1. Observe and validate the change management process for code development + process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-26:question:2 + text: 2. Observe configurations in code source management tools showing + that only authorized users are able to make changes to source code. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-26:question:3 + text: 3. Observe a sample of code change tickets, to show that only authorized + personnel were able to make the appropriate change necessary. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-27 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-27 + name: Service Account Restrictions + description: Individual user or administrator use of service accounts for O/S, + applications, and databases is prohibited. + annotation: 1. Ensure that Individual user or administrator use of service accounts + for O/S, applications, and databases is prohibited. + typical_evidence: 'E-IAM-38 - Service accounts listing + + E-IAM-39 - Shared credential management tool screenshots' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-27:question:1 + text: 1. Review all interactive service accounts used within the environment + and confirm that they are disabled or removed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-27:question:2 + text: 2. If interactive service accounts are in use these accounts should + be stored in a shared credential management tool., and access to these + accounts need to be tied back to an individual user. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-28 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-28 + name: PCI Account Restrictions + description: Organization clients with access to the cardholder data environment + (CDE), as users or processes, are assigned unique accounts that cannot modify + shared binaries or access data, server resources, or scripts owned by another + CDE or Organization; application processes are restricted from operating in + privileged-mode. + annotation: '1. Ensure that in cases of multi-tenant environments one organization + or user cannot effect the security or integrity of another organizations resources. + + 2. Ensure that users are restricted from using privileged-mode.' + typical_evidence: "E-IAM-24 - Access Management Policy\nE-IAM-40 - Network Diagram\ + \ \nE-IAM- 42 - " + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-28:question:1 + text: 1. Review the network architecture diagram and confirm that in cases + of multi-tenant environments that one organization or user cannot effect + the security or integrity of another organizations resources. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-28:question:2 + text: 2. Observe the application processes showing that they are restricted + from using privileged-mode. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-29 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-29 + name: Least Privilege + description: Role-based access is defined and deployed to restrict privileged + access to information resources based on the concept of least privilege. + annotation: '1. Design and document the process for assigning least privilege + access. + + 2. Ensure access is granted as per required approvals.' 
+ typical_evidence: 'E-IAM-01 - Logical Access Policy + + E-IAM-41 - Access approvals' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-29:question:1 + text: 1. Inspect logical access policy and validate that each role is assigned + the correct level of access. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-29:question:2 + text: 2. Inspect the logical access systems and review how the access levels + are granted for types of roles (Developers, SWE, SRE). + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-29:question:3 + text: 3. For a sample of employees, inspect the level of access available + and correlate to the job role and confirm that they are congruent. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-30 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-30 + name: Virtual Private Network + description: Remote connections to the corporate network are accessed via VPN + through managed gateways. + annotation: "1. Design and document process for requirements of remote connection\ + \ to corporate network. \n2. Ensure all remote connections are via VPN." + typical_evidence: 'E-IAM-19 - Remote Access Standard + + E-IAM-43 - VPN Configuration and process' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-30:question:1 + text: 1. Inspect Remote Access Standard to determine whether requirements + for remotely connecting to the corporate network were defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-30:question:2 + text: 2. Inspect a user remotely connect to the Corporate Network via VPN. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-31 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-31 + name: 'Virtual Private Network: Restrict Split-Tunneling' + description: VPN configurations restrict split-tunneling capabilities. + annotation: 1. Ensure split tunneling is not enabled. + typical_evidence: E-IAM-43 - VPN Configuration and process + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-31:question:1 + text: '1. Inspect the VPN configurations and ensure that split tunneling + is not enabled. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-32 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-32 + name: Ability to Disable Remote Sessions + description: Organization has a defined process and mechanisms in place to expeditiously + disable or disconnect remote access to information systems within a defined + time frame based on business need. + annotation: '1. Ensure that the server configuration for idle-session timeout + is set to 15 minutes. + + 2. Ensure that access credentials expiry configuration is present. + + 3. Ensure remote connection tools such as (VPN or Management consoles) have + session expirations enabled.' + typical_evidence: 'E-IAM-44 - Server configuration for idle session timeout + + E-IAM-45 - Credential expiry configuration + + E-IAM-46 - Session expiration enabled configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-32:question:1 + text: 1. Inspect the server configuration showing that idle-session timeout + is set to 15 minutes. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-32:question:2 + text: 2. Validate that access credentials expiry configuration is present. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-32:question:3 + text: 3. Inspect that remote connection tools such as (VPN or Management + consoles) have session expirations enabled. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-33 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-33 + name: 'Remote Maintenance: Authentication Sessions' + description: Vendor accounts used for remote access are enabled only during + the time period needed, disabled when not in use, and monitored while in use. + annotation: '1. Ensure that vendor accounts that are used for remote access, + have the following configurations: + + -Enabled only for the time period needed + + -Disabled when not in use + + -Monitored when in use' + typical_evidence: E-IAM-47 - Remote access configuration + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-33:question:1 + text: '1. Validate that vendor accounts that are used for remote access, + have the following configurations:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-33:question:2 + text: -Enabled only for the time period needed + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-33:question:3 + text: -Disabled when not in use + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-33:question:4 + text: -Monitored when in use + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-34 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-34 + name: 'Remote Maintenance: Unique Authentication Credentials for each Customer' + description: Where applicable, Service providers with remote access to customer + premises (e.g., for support of POS systems or servers) must use a unique authentication + credential (such as a password/phrase) for each customer. + annotation: 1. 
Ensure that remote access to customer premises are using unique + individual credentials, and that there is no shared administrative access. + typical_evidence: E-IAM-48 - Remote Access credentials listing + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-34:question:1 + text: 1. Inspect that remote access to customer premises are using unique + individual credentials, and that there is no shared administrative access. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-35 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-35 + name: 'Remote Maintenance: Authentication' + description: 'Remote maintenance and diagnostic tool utilization are restricted + to the minimum required level, strong authentication is required, and remote + sessions are recorded. ' + annotation: '1. Ensure remote maintenance and diagnostic tools have the following + configurations: + + -Restricted to the minimum required level + + -Strong authentication + + -Remote sessions are recorded' + typical_evidence: E-IAM-47 - Remote access configuration + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-35:question:1 + text: '1. 
Inspect remote maintenance and diagnostic tools and ensure that + they have the following configurations:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-35:question:2 + text: -Restricted to the minimum required level + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-35:question:3 + text: -Strong authentication + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-35:question:4 + text: -Remote sessions are recorded + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-36 + name: 'Remote Maintenance: Audit' + description: Organization documents and maintains records for vendor remote + maintenance, diagnostic activities, and permissions granted. A listing of + vendor remote maintenance connections is documented as well. + annotation: '1.Ensure vendor remote access is documented and that they include: + + -Maintenance activities + + -Diagnostic activities + + -Permissions granted + + 2. Ensure that there is no unauthorized access be vendor or third parties.' + typical_evidence: E-IAM-49 - Remote Vendor access listing and permissions granted + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:1 + text: 1. Inspect documents and records for vendor remote access. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:2 + text: '2. Review the records and ensure that they include:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:3 + text: -Maintenance activities + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:4 + text: -Diagnostic activities + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:5 + text: -Permissions granted + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-36:question:6 + text: 3. Review the list of vendor remote connections and ensure that there + is no unauthorized access. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-37 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-37 + name: End-user Environment Segmentation + description: Where applicable, processes that run as part of an Organization + shared hosting platform will run under unique credentials that permit access + to only one customer environment. + annotation: 1. Where applicable, ensure that the platform will run under unique + credentials that permit access to only one customer environment. + typical_evidence: E-IAM-50 - Credential Listing + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-37:question:1 + text: 1. Inspect application processes and validate that, where applicable, + the platform will run under unique credentials that are permitted to access + only one customer environment. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-38 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-38 + name: End-user Access to Applications and Data + description: "Organization applications secure user data and maintain confidentiality\ + \ by default or according to permissions set by the individual; Organization\ + \ authenticates individuals with unique identifiers and passwords prior to\ + \ enabling access to: \n\u2022 use the application \n\u2022 view or modify\ + \ their own data" + annotation: "1. Ensure that individuals are given unique identifiers and passwords\ + \ prior to enabling access. \n2. Ensure that passwords used by the consumer\ + \ are protected using proper encryption in transmission and storage." 
+ typical_evidence: 'E-IAM-51 - Identifiers listing + + E-IAM-52 - password setting mechanism + + E-IAM-53 - password encryption evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-38:question:1 + text: '1. Inspect the authentication method for consumers, and confirm that + individuals are given unique identifiers and passwords prior to enabling + access. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-38:question:2 + text: 2. Ensure that passwords used by the consumer are protected using + proper encryption in transmission and storage. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-39 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node106 + ref_id: IAM-39 + name: Hardware Tokens + description: Where applicable, hardware token-based authentication is facilitated + only by approved organizations. + annotation: "1. Design the process for hardware token-based authentication.\ + \ \n2. Ensure that the hardware tokens are assigned to the corresponding users." + typical_evidence: 'E-IAM-54 - Hardware Token Based Authentication Process document + + E-IAM-55 - Hardware token granting evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-39:question:1 + text: 1. Inspect the process by which hardware token-based authentication + is distributed, used, and collected. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:iam-39:question:2 + text: 2. For a sample of users, inspect the inventory of the hardware tokens + and ensure that they are assigned to the corresponding users. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + assessable: false + depth: 1 + name: Incident Response + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-01 + name: Incident Response Plan + description: "Organization defines the types of incidents that need to be managed,\ + \ tracked and reported, including:\n\u2022 procedures for the identification\ + \ and management of incidents \n\u2022 procedures for the resolution of confirmed\ + \ incidents\n\u2022 key incident response systems\n\u2022 incident coordination\ + \ and communication strategy\n\u2022 contact method for internal parties to\ + \ report incidents\n\u2022 support team contact information\n\u2022 notification\ + \ to relevant management in the event of a security breach\n\u2022 provisions\ + \ for updating and communicating the plan\n\u2022 provisions for training\ + \ of support team\n\u2022 preservation of incident information\n\u2022 management\ + \ review and approval, annually, or when major changes to the organization\ + \ occur" + annotation: '1. Prepare, document, and communicate the Incident Response Plan + and Incident Management Policy and ensure that the following are documented: + + a. Procedures for the assignment of Roles and Responsibilities for the design + implementation, maintenance and execution of the incident response plan + + b. Procedures for the identification and management of incidents + + c. Procedures for the resolution of confirmed incidents + + d. Procedures for the restoration of data and business operation + + e. Incident coordination and communication strategy + + f. Notification to relevant management in the event of a security breach + + g. Provisions for updating and communicating the plan + + h. Provisions for evaluating the effectiveness of incident response + + i. 
Post incident resolution including post mortem analysis and lessons learned + + 2. Ensure that a process exists to periodically review the changes which displays + revision history of the Incident Response Plan.' + typical_evidence: 'E-IR-01 - Incident Response Plan + + E-IR-02 - Incident Management Policy + + E-IR-03 - Review history' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:1 + text: '1. Inspect the Incident Response Plan and Incident Management Policy + to determine whether the following are documented:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:2 + text: a. Procedures for the assignment of Roles and Responsibilities for + the design implementation, maintenance and execution of the incident response + plan + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:3 + text: b. Procedures for the identification and management of incidents + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:4 + text: c. Procedures for the resolution of confirmed incidents + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:5 + text: d. Procedures for the restoration of data and business operation + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:6 + text: e. Incident coordination and communication strategy + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:7 + text: f. Notification to relevant management in the event of a security + breach + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:8 + text: g. Provisions for updating and communicating the plan + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:9 + text: h. Provisions for evaluating the effectiveness of incident response + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:10 + text: i. 
Post incident resolution including post mortem analysis and lessons + learned + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-01:question:11 + text: 2. Review the changes which displays revision history of the Incident + Response Plan. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-02 + name: Incident Response Testing + description: Organization tests incident response processes on an annual basis. + Results from the tests are documented. + annotation: '1. Ensure that a process exists to test the incident response process + on an annual basis. + + 2. Ensure that Incident Response Standard is updated at least annually. + + 3. Establish a process for conducting the trainings such as table top exercise + and ensure that all necessary personnel attended the training.' + typical_evidence: 'E-IR-01 - Incident Response Plan + + E-IR-04 - Incident Training Records + + E-IR-05 - Incident Training Material ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-02:question:1 + text: 1. Validate with the Incident response team of the completion of the + training and its documentation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-02:question:2 + text: 2. Validate that Incident Response Standard is updated at least annually. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-02:question:3 + text: 3. Review elements of the training such as table top exercise and + confirm that all necessary personnel attended the training. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-03 + name: Incident Response + description: Confirmed incidents are assigned a priority level and managed to + resolution. 
If applicable, Organization coordinates the incident response + with business contingency activities. + annotation: '1. Prepare, document, and communicate the Security Incident Management + Policy within the organization. + + 2. Ensure that priority level are assigned to a sample of incidents and that + they are tracked to resolution. + + 3. For any crisis declared incidents, validate that business contingency activities + are performed.' + typical_evidence: 'E-IR-02 - Incident Management Policy + + E-IR-06 - Sample of incidents' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-03:question:1 + text: 1. Inspect the Organization Security Incident Management Policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-03:question:2 + text: 2. Validate that priority level are assigned to a sample of incidents + and ensure that they are tracked to resolution. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-03:question:3 + text: 3. Validate that for any crisis declared incidents, that business + contingency activities were performed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-04 + name: External Communication of Incidents + description: "Organization defines external communication requirements for incidents,\ + \ including:\n\u2022 information about external party dependencies\n\u2022\ + \ criteria for notification to external parties as required by Organization\ + \ policy in the event of a security breach\n\u2022 contact information for\ + \ authorities (e.g., law enforcement, regulatory bodies, etc.)\n\u2022 provisions\ + \ for updating and communicating external communication requirement changes" + annotation: "1. 
Ensure that following details are documented in Incident Response\ + \ Plan and Standard:\n \u2022 information about external party dependencies\n\ + \ \u2022 criteria for notification to external parties as required by policy\ + \ in the event of a security breach\n \u2022 contact information for authorities\ + \ (e.g., law enforcement, regulatory bodies, etc.)\n \u2022 provisions for\ + \ updating and communicating external communication requirement changes\n\ + 2. Establish a process that flags the alerts as the defined escalation metrics." + typical_evidence: 'E-IR-01 - Incident Response Plan + + E-IR-02 - Incident Management Policy' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:1 + text: '1. Inspect the Incident Response Plan and Standard to determine whether + the following are documented:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:2 + text: " \u2022 information about external party dependencies" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:3 + text: " \u2022 criteria for notification to external parties as required\ + \ by policy in the event of a security breach" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:4 + text: " \u2022 contact information for authorities (e.g., law enforcement,\ + \ regulatory bodies, etc.)" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:5 + text: " \u2022 provisions for updating and communicating external communication\ + \ requirement changes" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-04:question:6 + text: 2. 
Review the procedure for alert escalation + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-05 + name: Incident Reporting Contact Information + description: "Organization provides a contact method to:\n\u2022 submit complaints\ + \ and inquiries\n\u2022 report incidents" + annotation: 1. Define a communication channel on the company public website + which shall include a contact method for external parties to submit complaints, + inquiries, and report incidents. + typical_evidence: E-IR-08 - Link to public website + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-05:question:1 + text: 1. Review public website to determine whether the company provides + a contact method for external parties to submit complaints, inquiries, + and report incidents. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-06 + name: Incident External Communication + description: Organization communicates a response to external stakeholders as + required by the Incident Response Plan. + annotation: '1. Ensure that the Incident Response Plan and the Incident Legal + Communications Requirements Standard include a process for communicating a + response to external stakeholders is required. + + 2. Design a process to maintain the list of confirmed incidents which involved + external stakeholders. + + 3. Establish a process which sends out communications to external stakeholders + per the Incident Response Plan.' 
+ typical_evidence: 'E-IR-01 - Incident Response Plan + + E-IR-09 - Incident Legal Communications Requirements Standard + + E-IR-06 - Sample of incidents' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-06:question:1 + text: 1. Inspect the Incident Response Plan and the Incident Legal Communications + Requirements Standard to determine whether communicating a response to + external stakeholders is required. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-06:question:2 + text: 2. Obtain a list of confirmed incidents which involved external stakeholders. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-06:question:3 + text: 3. Inspect a sample of confirmed incidents tickets to determine whether + communications required a response to external stakeholders per the Incident + Response Plan. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-07 + name: 'External Communication of Incidents: Protected Health Information' + description: "Organization communicates the discovery and status of the breach\ + \ of Protected Health Information (PHI) to the covered entity within 60 days\ + \ or as required by the Business Associates Agreement (BAA) and provides the\ + \ following information if available:\n\u2022 description of the Event\n\u2022\ + \ description of the Information that was compromised\n\u2022 identification\ + \ of the Individuals whose PHI were compromised\n\u2022 steps Required to\ + \ Protect Individuals\n\u2022 investigation Plan\n\u2022 contact Information" + annotation: "1. Design the process to validate whether an incident includes\ + \ Personal Health information.\n2. 
Ensure that all incidents where there has\ + \ been a breach have been communicated to the covered entity within 60 days,\ + \ or following the covered entity's Business Associates Agreement.\n3. Ensure\ + \ that within the communication all the listed information was provided to\ + \ the covered entity:\n\u2022 description of the Event\n\u2022 description\ + \ of the Information that was Compromised\n\u2022 identification of the Individuals\ + \ whose PHI were Compromised\n\u2022 steps Required to Protect Individuals\n\ + \u2022 investigation Plan\n\u2022 contact Information" + typical_evidence: 'E-IR-10 - Business Associates Agreement + + E-IR-11 - Sample external communication of the incident' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:1 + text: 1. Validate all incidents have included Personal Health information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:2 + text: 2. Inspect whether all the incidents where there has been a breach + have been communicated to the covered entity within 60 days, or following + the covered entity's Business Associates Agreement. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:3 + text: '3. 
Validate whether the communication was sent to the covered entity + and included all the listed information:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:4 + text: "\u2022 description of the Event" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:5 + text: "\u2022 description of the Information that was Compromised" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:6 + text: "\u2022 identification of the Individuals whose PHI were Compromised" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:7 + text: "\u2022 steps Required to Protect Individuals" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:8 + text: "\u2022 investigation Plan" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-07:question:9 + text: "\u2022 contact Information" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node146 + ref_id: IR-08 + name: Problem Management + description: Organization resolves customer support inquiries. + annotation: 1. Establish a process to support customer inquires and ensure that + they have been resolved and documented. + typical_evidence: E-IR-12 - Sample of customer support inquiry + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ir-08:question:1 + text: 1. Review a sample of customer support inquires and ensure that they + have been resolved. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node155 + assessable: false + depth: 1 + name: Mobile Device Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node155 + ref_id: MDM-01 + name: Mobile Device Enrollment + description: Mobile devices (i.e., laptops, smartphones, tablets) must be configured + with the appropriate Mobile Device Management (MDM) profile when used as a + medium to access Organization internal resources. + annotation: '1. Ensure that a Mobile device management process is defined and + documented. + + 2. Ensure that all mobile devices are registered and configured within the + appropriate Mobile Device Management (MDM) to access the internal resources.' + typical_evidence: 'E-MDM-01 - Mobile device management policy + + E-MDM-02 - List of all mobile devices registered with MDM tool + + E-MDM-03. - ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-01:question:1 + text: 1. Inspect the Mobile device Policy to ensure that a Mobile Device + management process is defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-01:question:2 + text: 2. Inspect the list of mobile devices to verify that the devices are + registered within the Mobile Device Management (MDM) tool. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-01:question:3 + text: 3. For a sample of devices, validate that the devices are configured + with the MDM tool and that it cannot be disabled from the end user device. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node155 + ref_id: MDM-02 + name: Mobile Device Encryption + description: Mobile devices (i.e., laptops, smartphones, tablets) that are used + to access data from Organization internal resources are encrypted. + annotation: 1. 
Ensure that mobile devices are encrypted and is configured with + the Mobile Device Management (MDM) tool. + typical_evidence: 'E-MDM-02 - List of all mobile devices registered with MDM + tool + + E-MDM-04 - Sample mobile device screenshots showcasing the devices are encrypted + in the MDM tool' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-02:question:1 + text: 1. Review the Mobile Device Management (MDM) tool and ensure that + a device encryption tool is enabled for all registered devices. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-02:question:2 + text: 2. Review a sample of mobile devices and verify that device encryption + tools are enabled on devices and cannot be disabled by the end user. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node155 + ref_id: MDM-03 + name: 'Configuration Management: Mobile Devices' + description: Organization Mobile devices (i.e., laptops, smartphones, tablets) + are configured to ensure unnecessary hardware capabilities and functionalities + are disabled, and management defined security features are enabled. + annotation: '1. Ensure that mobile devices are configured to ensure unnecessary + hardware capabilities and functionalities are disabled. + + 2. Ensure security features defined by the management shall be enabled within + the MDM tool.' + typical_evidence: 'E-MDM-02 - List of all mobile devices registered with MDM + tool + + E-MDM-05 - Sample mobile device configuration screenshots showcasing the security + features are enabled' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-03:question:1 + text: 1. 
Review the Mobile Device Management (MDM) tool and confirm that + there is a policy implemented that restricts the use of unnecessary hardware + capabilities and functionalities are disabled. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-03:question:2 + text: 2. For a sample of mobile devices, verify security features are enabled + in the MDM tool. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-03:question:3 + text: 3 Review a sample of user devices and verify that the end user cannot + use hardware capabilities and functionalities that have been disabled + by the MDM tool per its policy and that these functionalities are not + able to be re-activated by the end user. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node155 + ref_id: MDM-04 + name: 'Configuration Management: High Risk Travel Locations' + description: Organization has a documented list of travel locations considered + high risk for the use of mobile devices (i.e., laptops, smartphones, tablets). + Employees procure alternate equipment before traveling to these locations. + annotation: "1. Ensure that a process is defined and documented for handling\ + \ travel to high-risk locations.\n2. Ensure that a documented list of travel\ + \ locations considered to be high risk for the use of mobile devices is maintained.\ + \ \n3. Ensure alternate equipment is provided to employees before traveling\ + \ to these locations." + typical_evidence: 'E-MDM-06 - List of high risk travel locations + + E-MDM-03 - Sample mobile device configuration screenshots from the MDM tool' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-04:question:1 + text: 1. Inspect and validate that a process is defined and documented for + handling travel to high-risk locations. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-04:question:2 + text: '2. Validate the list of travel locations considered to be high risk + for the use of mobile devices ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:mdm-04:question:3 + text: 3. Validate the process for providing alternate equipment to employees + before traveling to these locations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + assessable: false + depth: 1 + name: Network Operations + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-01 + name: Network Policy Enforcement Points + description: Network traffic to and from untrusted networks passes through a + policy enforcement point; firewall rules are established in accordance with + identified security requirements and business justifications. + annotation: '1. Ensure that necessary process and documentation are established + for network traffic management. + + 2. Ensure necessary requirements are defined for managing network traffic + to and from untrusted networks in the policy. + + 3. Ensure firewall rules are established to determine specific configuration + requirements have been documented for network devices within the policy.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-02 - Firewall Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-01:question:1 + text: 1. Inspect Network Security Policy and/or Standard to determine whether + requirements have been defined for managing network traffic to and from + untrusted networks. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-01:question:2 + text: 2. Review firewall rules to ensure they are defined according to the + requirements of the organization. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-02 + name: 'Inbound and Outbound Network Traffic: DMZ Requirements' + description: Network traffic to and from untrusted networks passes through a + Demilitarized Zone (DMZ). + annotation: '1. Ensure necessary requirements are defined which outlines the + use of a DMZ and firewalls must be used wherever necessary to enforce perimeter + security between separate networks in the policy. + + 2. Ensure DMZ is enabled and configured within the network traffic.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-03 - DMZ Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-02:question:1 + text: 1. Inspect Network Security Policy and/or Standard documents to determine + whether requirements have been defined that outlines the use of a DMZ + and firewalls must be used wherever necessary to enforce perimeter security + between separate networks. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-02:question:2 + text: 2. Observe a sample of network security rules or firewall rulesets + and confirm that the DMZ or DMZ equivalents are operating in the rulesets. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-03 + name: Ingress and Egress Points + description: "Organization maintains an inventory of ingress and egress points\ + \ on the production network and performs the following for each: \n\u2022\ + \ inventory is reduced to the minimum possible level\n\u2022 permitted ports,\ + \ protocols and services are inventoried and validated\n\u2022 documents security\ + \ features that are implemented for insecure protocols" + annotation: "1. 
Ensure a process is maintained for inventory of ingress and\ + \ egress points on the production network\n2. Ensure network security rules\ + \ are defined and established with the following: \n\u2022 permitted ports,\ + \ protocols and services are inventoried and validated\n\u2022 documented\ + \ security features that are implemented for insecure protocols" + typical_evidence: 'E-NO-04 - Network security rules inventory + + E-NO-05 - Security Rules Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-03:question:1 + text: 1. Observe the inventory of ingress and egress points on the production + network. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-03:question:2 + text: 2. Observe network security rules and validate to ensure no insecure + ports, protocols, and services are present. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-03:question:3 + text: 3. If applicable, for any insecure ports, protocols, and services, + ensure that additional security features are in place. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-04 + name: Non-disclosure of Routing Information + description: Organization does not disclose private IP addresses and routing + information to unauthorized parties. + annotation: 1. Ensure necessary requirements are defined that prohibits the + disclosure of private IP addresses and routing information to unauthorized + parties in the policy. + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-07 - NAT Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-04:question:1 + text: 1. 
Inspect Network Security Policy and/or Standard documents to determine + whether requirements have been defined that prohibits the disclosure of + private IP addresses and routing information to unauthorized parties. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-04:question:2 + text: 2. Review the configuration to determine the non-disclosure of private + IP Addresses and Network Address Translation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-05 + name: Dynamic Packet Filtering + description: Where applicable, Organization enables dynamic packet filtering + on the network. + annotation: '1. Ensure that Network Security Policy/Standard specifies when + to use dynamic packet filtering on the network. + + 2.Ensure dynamic packet filtering is turned on applicable systems.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-06 - Dynamic packet filtering configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-05:question:1 + text: 1. Inspect Network Security Policy and/or Standard documents to determine + whether requirements have been defined that outlines that dynamic packet + filtering on the network should be enabled when applicable. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-05:question:2 + text: 2. For a sample of applicable systems review the configurations for + the devices and ensure that dynamic packet filtering has been enabled. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-06 + name: Firewall Rule Set Review + description: Network infrastructure rule sets are reviewed every 6 months. + annotation: "1. 
Ensure that a process is defined and documented for performing\ + \ Network Infrastructure rules every six months. \n2. Ensure network infrastructure\ + \ rules are reviewed and appropriate documentation is maintained for this\ + \ review." + typical_evidence: E-NO-08 - Network Infrastructure Rules Review Records + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-06:question:1 + text: 1 Observe the Network infrastructure rules review documentation and + verify that it was last reviewed within the last 6 months. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-07 + name: 'Ingress and Egress Points: Fail Secure' + description: 'The information system fails securely in the event of an operational + failure of a boundary protection device. + + ' + annotation: '1. Ensure that appropriate fail safe procedures are defined for + network boundary protection devices. + + 2. Ensure all network systems are configured to fail securely in the event + of an operational failure.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-09 - Sample of network configuration settings for applicable systems' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-07:question:1 + text: 1. Inspect Network Security Policy/Standard to determine whether requirements + have been defined that outlines that in the event of an operation failure + that information systems fail securely. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-07:question:2 + text: 2. For a sample of applicable systems review the configurations for + the devices and confirm that in the event of failure that the systems + will fail securely. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-08 + name: 'Traffic Flow: Managed Proxy' + description: Organization requires egress traffic initiated from within the + Organization network to pass through a managed proxy. + annotation: '1. Ensure that a process is defined and documented so that all + egress traffic from within the organization passes through a proxy. + + 2.Ensure that proxy servers have been deployed on application systems for + the filtering of traffic.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-10 - Sample of network architecture for applicable systems' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-08:question:1 + text: 1. Inspect documentation to determine whether requirements have been + defined that outlines that all egress traffic initiated from within the + Organization's network passes through a managed proxy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-08:question:2 + text: 2. For a sample of applicable systems review the architecture and + ensure that all egress traffic from within the network is passed through + the managed proxy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-09 + name: Domain Name Services Security Extensions (DNSSec) + description: Organization establishes a DNSSec implementation standard and uses + mechanisms to verify the DNS infrastructure for compliance. + annotation: '1. Ensure that a process is defined and documented for a DNSSec + implementation. + + 2. Ensure appropriate mechanism are in place to validate DNS infrastructure + for compliance.' 
+ typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-11 - Configuration of DNS Servers' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-09:question:1 + text: 1. Inspect documentation to determine whether requirements have been + defined that outlines a DNSSec implementation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-09:question:2 + text: 2. Review a sample of DNS infrastructure used and ensure that they + are following the DNSSec implementation requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-10 + name: Email Spam Protection + description: 'Organization has documented procedures and protection mechanisms + in place to protect its information and information systems from spam and + ensures that signature definitions are updated whenever new releases are available. + + ' + annotation: "1. Ensure that a process is defined and documented to ensure spam\ + \ protection on emails. \n2. Ensure that appropriate controls are deployed\ + \ to prevent spam from emails.\n3. Ensure that spam signature definitions\ + \ are updated when new releases are available." + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-12 - Email Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-10:question:1 + text: 1. Inspect the documentation to ensure a process is defined for spam + protection. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-10:question:2 + text: 2. For a sample of applicable systems such as mail servers ensure + that anti-spam filters are enabled and are updated to the most recent + version possible. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-11 + name: Denial of Service (DOS) + description: Organization implements a Denial of Service (DOS) protection plan, + identifies threatening DOS attacks, and configures boundary protection devices + according to the DOS plan. + annotation: '1. Ensure a process is defined and documented to prevent from Denial + of Service (DoS) attacks. + + 2. Ensure that boundary protection devices are configured as per the process + to enable Denial of Service Attack Protection.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-23 - Denial of Service Protection Plan Configuration on network devices' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-11:question:1 + text: 1. Inspect documentation to determine whether requirements have been + defined that outlines that a Denial of Service (DoS) protection plan. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-11:question:2 + text: 2. For a sample of applicable system ensure that configuration aligns + with the Denial of Service Protection Plan. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-12 + name: Trusted Connections + description: "All trusted connections are documented and approved by authorized\ + \ personnel; management ensures the following documentation is in place prior\ + \ to approval: \n\u2022 agreement with vendor\n\u2022 security requirements\n\ + \u2022 nature of transmitted information" + annotation: '1. Ensure that a process is defined and documented for managing + trusted connections. + + 2. Ensure that all trusted connections are documented and approved by authorized + personnel. + + 3. 
Ensure that appropriate agreements with vendors exist before establishing + trusted connection.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-13 - Vendor Agreement' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-12:question:1 + text: 1. Inspect and validate whether a process is defined and documented + for managing trusted connections. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-12:question:2 + text: 2. Validate for a sample trusted connections that it was documented + and approved by authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-12:question:3 + text: 3. Validate whether appropriate agreement with vendors existed before + establishing trusted connection. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-13 + name: Network Segmentation + description: Production environments are logically segregated from non-production + environments. + annotation: '1. Ensure that a process is defined and documented to ensure that + production and non-production environments are logically segregated. + + 2. Ensure that for all systems production and non-production environments + are logically segregated and this is reflected via appropriate architecture + diagrams.' + typical_evidence: 'E-NO-14 - Network Architecture Diagram + + E-NO-16 - Configuration of Logical Segregation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-13:question:1 + text: 1. Inspect and validate whether a process is defined and documented + to ensure that production and non-production environments are logically + segregated. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-13:question:2 + text: 2. 
Validate for a sample system whether production and non-production + environments are logically segregated. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-14 + name: Card Processing Environment Segmentation + description: Where applicable, Organization segregates the Primary Account Number + (PAN) infrastructure including payment card collection devices; Organization + limits access to the segregated environment to authorized personnel. + annotation: '1. Ensure that a process is defined and documented for segregating + PCI Environment from non-PCI environment. + + 2. Ensure that network segmentation testing is performed on a semi-annual + basis. + + 3. Ensure that the Data flow and architecture diagram is updated periodically + and reviewed by required officials.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-15 - Network Segmentation Testing Records + + E-NO-17 - Data Flow Diagrams + + E-NO-14 - Network Architecture Diagram' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-14:question:1 + text: 1. Inspect and validate whether a process is defined and documented + for segregating PCI Environment from non-PCI environment. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-14:question:2 + text: 2. Validate whether network segmentation testing was performed on + a semi annual basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-14:question:3 + text: 3. Validate whether the Data flow and architecture diagram were updated + periodically and were approved. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-15 + name: Traffic Flow + description: Organization documents the approved traffic flow at each managed + interface and configures the managed interface accordingly. Exceptions to + traffic flow are documented, reviewed periodically, and removed when there + is no longer a business requirement. + annotation: '1. Ensure a process is defined and documented for managing traffic + flow at each interface. + + 2. Ensure all managed interfaces are configured as per the approved traffic + flow. + + 3. Ensure all exceptions are documented, reviewed periodically, and removed + when there is no longer a business requirement. ' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-18 - Approved Traffic Flow and configuration + + E-SG-04 - Sample Policy Exceptions' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-15:question:1 + text: 1. Inspect and validate whether a process is defined and documented + for managing traffic flow at each interface. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-15:question:2 + text: 2. Validate for a sample of managed interface that it is configured + as per the approved traffic flow. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-15:question:3 + text: '3. Validate for a sample of exceptions whether they were documented, + reviewed periodically, and removed when there was no longer a business + requirement. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-16 + name: Disable Rogue Wireless Access Points + description: Organization employs mechanisms to detect and disable the use of + unauthorized wireless access points. + annotation: '1. 
Ensure a process is defined and documented to detect unauthorized + wireless access points. + + 2. Ensure network monitoring software is in place to identify unauthorized + wireless access points send alerts to the appropriate personnel. + + 3. Ensure that alerts are regularly reviewed, and if necessary, actions are + taken to fix any issues.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-19 - Network Monitoring Software Configuration + + E-NO-20 - Sample alerts sent showcasing unauthorized wireless access points' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-16:question:1 + text: 1. Inspect and validate that a process is defined and documented to + detect unauthorized wireless access points. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-16:question:2 + text: 2. Validate the configuration of network monitoring software to check + if it detects unauthorized wireless access points send alerts to the appropriate + personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-16:question:3 + text: 3. Validate sample alerts and inspect whether they were reviewed, + and if necessary, actions were taken to fix any issues. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-17 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-17 + name: Wireless Access Points + description: Organization maintains an inventory of authorized wireless access + points including a documented business justification. + annotation: 1. Ensure that a formal inventory of authorized wireless access + points is documented which includes information of the function of the wireless + point and its business justification. 
+ typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-21 - Wireless Access Point Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-17:question:1 + text: 1. Inspect and validate that an inventory of authorized wireless points + is maintained. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-17:question:2 + text: 2. Validate that the inventory contains the business need and the + function of each wireless access point + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-18 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node160 + ref_id: NO-18 + name: 'Authentication: Wireless Access Points' + description: Organization restricts access to network services via wireless + access points to authenticated users and services; approved wireless encryption + protocols are required for wireless connections. + annotation: '1. Ensure that a process is defined and documented to restrict + access to network services via wireless access points to authenticated users + and services + + 2. Ensure Approved wireless encryption protocols are required for wireless + connections.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-NO-22 - Wireless Connections Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-18:question:1 + text: 1. Inspect and validate that a process is defined and documented to + restrict access to network services via wireless access points to authenticated + users and services + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:no-18:question:2 + text: 2. Validate whether approved wireless encryption protocols are required + for wireless connections. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + assessable: false + depth: 1 + name: People Resources + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-01 + name: Background Checks + description: New hires are required to pass a background check as a condition + of their employment. + annotation: '1. Ensure that a process is defined and documented to conduct background + checks for new hires. + + 2. Ensure that a background check is completed prior to the hire date for + all new hires.' + typical_evidence: 'E-PR-01 - Human Resource Policy + + E-PR-02 - Background Check Evidence for sample new hire employees' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-01:question:1 + text: '1. Inspect documentation to validate whether requirements for background + checks have been defined. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-01:question:2 + text: 2 For a sample of new hires, validate that background checks defined + in the policy were performed prior to their hire date. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-02 + name: Performance Management + description: Organization has established a check-in performance management + process for on-going dialogue between managers and employees. Quarterly reminders + are sent to managers to perform their regular check-in conversation. + annotation: '1. Document and maintain a check-in performance management process + for on-going dialogue between managers and employees. + + 2. Ensure reminders are sent to managers on a quarterly basis for performing + regular check-in.' 
+ typical_evidence: 'E-PR-01 - Human Resource Policy + + E-PR-03 - Sample Quarterly Check In Reminders' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-02:question:1 + text: 1. Inspect relevant documentation to validate whether a process regarding + check-in performance management has been defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-02:question:2 + text: 2. For a sample of quarters, inspect the mail communication to determine + whether quarterly reminders are sent to managers to perform their regular + check-in conversation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-03 + name: Hiring Process + description: Job candidates apply for roles that are listed on the Organization + career portal; candidates are interviewed to determine their knowledge and + competence for their prospective roles and compatibility with Organization + values. + annotation: '1. Ensure that a process is defined and documented that outlines + the requirements for hiring of employees. + + 2. Ensure all job roles are posted on career portal for application. + + 3. Ensure appropriate hiring process is followed to determine competence before + hiring.' + typical_evidence: 'E-PR-01 - Human Resource Policy + + E-PR-04 - Career Portal Snapshot + + E-PR-05 - Hiring Process for a sample employee' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-03:question:1 + text: 1. Inspect and validate that a process is defined and documented that + outlines the requirements for hiring of employees. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-03:question:2 + text: 2. Validate sample job roles and check if they are posted on career + portal for application. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-03:question:3 + text: 3. For sample employees validate the hiring process followed and evaluate + whether it was according to the policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-04 + name: Organization Property Collection + description: 'Upon employee termination, management is notified to collect Organization + property from the terminated employee. + + ' + annotation: '1. Ensure a process is defined and documented to notify the management + in case of employee termination and collect organization property. + + 2. Ensure termination procedures are followed to collect organization property + from the employee.' + typical_evidence: 'E-PR-01 - Human Resource Policy + + E-PR-06 - Termination Process Evidence for sample employees' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-04:question:1 + text: 1. Inspect the relevant documentation to determine whether a process + is defined and documented to notify the management in case of employee + termination and collect organization property. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-04:question:2 + text: 2. For a sample of terminated employees, validate that termination + procedures were followed to collect organization property. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-05 + name: Exit Interviews + description: Upon employee termination, management conducts exit interviews + for the terminated employee. + annotation: '1. Ensure a process is defined and documented to notify the management + in case of employee termination and conduct exit interviews + + 2. 
Ensure exit interviews are conducted once a user is terminated in HR Management + System and relevant stakeholders are involved. + + 3. Ensure that a record of the interview is retained.' + typical_evidence: 'E-PR-01 - Human Resource Policy + + E-PR-07 - For sample employees, evidence of an exit interview' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-05:question:1 + text: 1. Inspect the relevant documentation to determine whether a process + is defined and documented to notify the management in case of employee + termination and conduct exit interviews + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-05:question:2 + text: 2. Inspect records of the exit interview for terminated employees. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-05:question:3 + text: '3. For a sample of terminated employees, validate that termination + procedures were followed including the performance of an exit interview. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-06 + name: Disciplinary Process + description: Employees that fail to comply with Organization policies are subject + to a disciplinary process. + annotation: '1. Ensure that a disciplinary process is defined and documented + and is appropriately communicated. + + 2. Ensure that the disciplinary process is followed for all employees violating + organizational policies. ' + typical_evidence: 'E-PR-01 - Human Resource Policy + + E-PR-08 - Evidence of action taken for employees violating policies, if any' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-06:question:1 + text: 1. Inspect relevant documentation to validate that a disciplinary + process is defined and appropriately communicated. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-06:question:2 + text: '2. Validate that disciplinary process was followed for all employees + violating organizational policies. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-07 + name: Code of Ethics + description: Organization has a Code of Ethics for Senior Officers. The Senior + Officers and CEO certify that they understand the Code on an annual basis. + annotation: '1. Ensure that a Code of Ethics has been established for senior + officers and the CEO. + + 2. Ensure all senior officers and CEO have documented certification of Code + of Ethics on an annual basis.' + typical_evidence: 'E-PR-09 - Code of Ethics + + E-PR-10 - Evidence of annual certification' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-07:question:1 + text: 1. Inspect and validate that a Code of ethics is defined and documented + for senior officers and CEO. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-07:question:2 + text: 2. Validate that all senior officers and CEO have documented certification + of code of ethics at least annually. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-08 + name: Business Ethics Hotline + description: Organization has a business ethics hotline for employees and external + parties to report ethical misconduct. Allegations are investigated and Organization + will take appropriate action for confirmed violations. Hotline reports are + reported to the Audit Committee on a quarterly basis. + annotation: '1. Ensure that a process has been defined and documented for reporting + ethical misconduct. + + 2. Ensure that allegations made through the hotline are investigated and appropriate + action is taken. 
+ + 3. Ensure Hotline reports are reported to the Audit Committee on a quarterly + basis.' + typical_evidence: 'E-PR-01 - Human Resource Policy + + E-PR-11 - Hotline Case Tracking Evidence + + E-PR-12 - Audit Committee Communication Evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-08:question:1 + text: 1. Inspect the relevant documentation to validate that a process has + been defined and documented for reporting ethical misconduct. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-08:question:2 + text: 2. Validate that the allegations made through the hotline are investigated + and appropriate action is taken for a sample of reports. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-08:question:3 + text: 3. Validate whether the hotline reports are reported to the Audit + Committee on a quarterly basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-09 + name: National Security Clearance + description: Organization conducts screening and rescreening of authorized personnel + for roles that require national security clearances. For national security + clearances; a reinvestigation is required during the 5th year for top secret + security clearance, the 10th year for secret security clearance, and 15th + year for confidential security clearance. In addition, for law enforcement + and high impact public trust level, a reinvestigation is required during the + 5th year. + annotation: "1. Document and maintain a process on screening/rescreening or\ + \ vetting of employees that need national security clearances.\n2. Ensure\ + \ list of roles requiring national security clearances is reviewed and kept\ + \ up-to-date.\n3. Ensure that screening and rescreening of authorized personnel\ + \ are conducted for roles that require national security clearances.\n4. 
For\ + \ national security clearances, ensure that rescreening is conducted for the\ + \ following:\n\u2022 5th year for top secret security clearance\n\u2022 10th\ + \ year for secret security clearance\n\u2022 15th year for confidential security\ + \ clearance\n5. For law enforcement an high impact public trust level, ensure\ + \ that an reinvestigation is conducted during the 5th year" + typical_evidence: 'E-PR-13 - List of roles that requires national security clearances + + E-PR-14 - List of personnel with national security clearances + + E-PR-15 - Screening and Rescreening Evidences + + E-PR-16 - Reinvestigation Evidences' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:1 + text: 1. Inspect relevant documentation and validate that a process on screening/rescreening + or vetting of employees that need national security clearances is established. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:2 + text: 2. Validate whether a list of roles requiring national security clearances + is reviewed and kept up-to-date. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:3 + text: 3. Validate for a sample employee requiring National Security Clearance + that screening and rescreening was conducted. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:4 + text: '4. For sample national security clearances, validate that rescreening + was conducted for the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:5 + text: "\u2022 5th year for top secret security clearance" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:6 + text: "\u2022 10th year for secret security clearance" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:7 + text: "\u2022 15th year for confidential security clearance" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-09:question:8 + text: 5. 
For sample law enforcement and high impact public trust level security + clearance, validate that a reinvestigation was conducted during the 5th + year. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node179 + ref_id: PR-10 + name: Code of Business Conduct + description: Organization has documented the Code of Business Conduct and Business + Partner Code of Conduct, which are reviewed, updated if applicable, and approved + by senior management annually. + annotation: '1. Ensure that a Code of Business Conduct and Business Partner + Code of Conduct is defined, documented, and approved by senior management. + + 2. Ensure that these documents are reviewed, updated, and approved at least + on an annual basis.' + typical_evidence: 'E-PR-17 - Code of Business Conduct + + E-PR-18 - Business Partner Code of Conduct' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-10:question:1 + text: 1. Inspect and validate that a Code of Business Conduct and Business + Partner Code of Conduct is defined, documented, and approved by senior + management. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:pr-10:question:2 + text: 2. Validate that these documents are reviewed, updated, and approved + at least on an annual basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + assessable: false + depth: 1 + name: Privacy + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-01 + name: Privacy Program + description: Organization privacy policies for individuals, including relevant + updates, are communicated on the public company website or on the internal + corporate network. + annotation: '1. Ensure the organization has created a privacy policy. + + 2. 
Ensure the policy is updated and approved on regular intervals. + + 3. Ensure the policy is communicated and is available for employees and relevant + stakeholders.' + typical_evidence: E-PRIV-01 - Privacy Policy + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-01:question:1 + text: 1. Inspect privacy policies and confirm that the policy is updated. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-01:question:2 + text: '2. Confirm that anytime the privacy policy is updated, these updates + are present on the intranet or public website. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-02 + name: Privacy Program Review + description: "On an annual basis, Organization performs a review of privacy\ + \ practices to ensure the following:\n\u2022 consent is obtained for users\ + \ whose personal information (PI) is managed by Organization\n\u2022 PI inventory\ + \ integrity and accuracy\n\u2022 data access request response template is\ + \ understandable\n\u2022 standard agreement templates are up-to-date\n\u2022\ + \ requests to delete, access or update PI are processed accurately and within\ + \ a timeframe consistent with Organization policy\n\u2022 compliance with\ + \ Organization's privacy commitments\n\u2022 known privacy issues are remediated\n\ + \u2022 opt-in and opt-out compliance with applicable law\n\u2022 Organization\ + \ privacy documentation and practices are relevant to applicable law\n\u2022\ + \ compliance with relevant industry Codes of Conduct (e.g., EDAA)\n\u2022\ + \ if applicable, joint controller responsibilities are clearly defined and\ + \ communicated to both data controllers and the data subject" + annotation: '1. Ensure that the organization has established a privacy program. + + 2. 
Ensure that the program is reviewed on at least an annual basis. + + 3. Ensure that the privacy program contains controls regarding consent, data + access requests, modification requests, SLAs, privacy issues, roles and responsibilities. + + 4. Ensure that agreement templates are reviewed and updated.' + typical_evidence: E-PRIV-02 - Privacy Review Evidence + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-02:question:1 + text: '1. Collect and inspect the organization''s annual privacy review. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-02:question:2 + text: 2. Validated that the annual privacy review covers all components. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-03 + name: Privacy Readiness Review + description: Organization performs privacy readiness reviews to identify high-risk + processing activities that impact personal data; identified non-compliance + with Organization privacy practices is tracked through remediation. + annotation: '1. Ensure that a process has been established for privacy readiness + reviews. + + 2. Ensure privacy readiness reviews are conducted for high-risk processing + activities. + + 3. Ensure necessary actions are taken for the remediation of findings from + privacy readiness reviews.' + typical_evidence: E-PRIV-03 - Privacy Readiness Review Evidence + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-03:question:1 + text: '1. Inspect privacy readiness reviews and ensure that remediation + activities were launched for any non-compliant actions. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-03:question:2 + text: 2. Validate that remediation activates were resolved and remediated. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-04 + name: Privacy Notice + description: Individuals are given appropriate notice and an opportunity to + consent or decline to Organization privacy practices such as accessing, collecting, + processing, transferring, or storing personal information. + annotation: '1. Ensure that a consent notice is established for users regarding + privacy guidelines. + + 2. Ensure that the users have an option to accept or decline the consent.' + typical_evidence: E-PRIV-04 - Consent Notice Snapshot + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-04:question:1 + text: 1. Inspect Data Protection Policy and procedure documents to ensure + individuals are given appropriate notice and an opportunity to consent + or decline to organization privacy practices such as accessing, collecting, + processing, transferring, or storing personal information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-05 + name: 'Personal Information Notice and Consent: Additional Processing Activities' + description: Where appropriate, Organization obtains individual consent for + processing activities for which consent has not been previously obtained. + annotation: '1. Ensure that consent is obtained for processing user data. + + 2. Ensure that any change in processing activities is followed by an update + of consent.' + typical_evidence: E-PRIV-04 - Consent Notice Snapshot + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-05:question:1 + text: 1. 
Inspect Data Protection Policy and procedure documents to determine + whether organization obtains individual consent for processing activities + for which consent has not been previously obtained. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-06 + name: Notice of Personal Information Disclosure + description: In accordance with Organization policy, Organization provides notice + to individuals regarding legally-required disclosures of personal information. + annotation: '1. Ensure that a process is established for disclosing user data + in case of legal enquiries. + + 2. Ensure appropriate notice is provided to the users regarding disclosure + of their data.' + typical_evidence: E-PRIV-05 - Legal Disclosure Process + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-06:question:1 + text: 1. Inspect Organization policy related to disclosure of personal information + to determine whether process of providing notice to individuals regarding + legally required disclosures of personal information is documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-07 + name: PII Processing Agreements + description: Personal information is handled and processed in accordance with + contractual requirements. + annotation: '1. Ensure that appropriate agreements are established to define + PII processing requirements. + + 2. Ensure all customers sign PII processing agreements. + + 3. Ensure all PII is handled and processed as per contractual requirements.' 
+ typical_evidence: 'E-PRIV-06 - PII Processing Agreements + + E-PRIV-07 - Customer Sample PII Agreement' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-07:question:1 + text: 1. Inspect and validate that appropriate agreements are established + and documented that define PII processing requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-07:question:2 + text: 2. For a sample customer validate that PII processing agreement has + been signed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-07:question:3 + text: 3. Validate that all PII is handled and processed as per contractual + requirements and the employees are briefed of these requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-08 + name: Record of Processing Activity + description: Organization documents, reviews, and approves a record of processing + activities related to personal information. + annotation: '1. Ensure appropriate process has been established to document + and record all processing activities related to Personal Information. + + 2. Ensure the records of PII processing activities are reviewed periodically + as per contractual requirements. + + 3. Ensure that the record is approved by appropriate personnel. ' + typical_evidence: E-PRIV-08 - PII Processing Records + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-08:question:1 + text: 1. Inspect a sample of reviews related to processing of personal information + and validate that it is approved by the authorized personnel. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-09 + name: 'Document Management Standard: HIPAA' + description: Documentation that impacts personal health information, including + policies, procedures, and the documentation of actions, activities, or assessments, + are retained for 6 years from the date of its creation, or the date when it + last was in effect, whichever is later. + annotation: '1. Ensure that a process is defined and documented for retaining + documentation related to personal health information. + + 2. Ensure that this documentation is retained at least for 6 years from the + date of creation or when it was last effective. + + 3. Ensure this documentation consists of polices and procedures of actions, + activities and/or assessments.' + typical_evidence: E-PRIV-09 - Personal Health Information Documentation Records + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-09:question:1 + text: 1. Validate documented retention configuration is set to at least + 6 years for policies, procedures, and assessment for the documents that + impacts personal health information. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-09:question:2 + text: '2. Inspect a sample of documentation going back to the earliest document + or at least 6 years. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node190 + ref_id: PRIV-10 + name: Law Enforcement Requests + description: Law enforcement agencies may submit requests for evidence; submitted + requests are reviewed and tracked to resolution. + annotation: '1. Ensure a process is defined, documented, and approved for law + enforcement agencies to submit evidence requests for investigation. + + 2. 
Ensure these requests are appropriately tracked and resolved as per contractual + and legal requirements. + + 3. Ensure any evidence sharing is done via secure methods to avoid unauthorized + access to data. + + 4. Ensure only customer data relevant to the investigation is segregated and + submitted if needed.' + typical_evidence: 'E-PRIV-10 - Law enforcement Process + + + + E-PRIV-11 - Sample investigation requests + + E-PRIV-12 - Evidence Sharing method screenshot' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-10:question:1 + text: 1. Inspect and validate that a process is defined, documented, and + approved for law enforcement agencies to submit evidence requests for + investigation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-10:question:2 + text: 2. Validate for a sample of requests that they are appropriately tracked + and resolved as per contractual and legal requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-10:question:3 + text: 3. Validate for a sample request whether the evidence sharing was + done via secure methods to avoid unauthorized access to data. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:priv-10:question:4 + text: 4. Validate how customer data relevant to the investigation was segregated + and submitted. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node201 + assessable: false + depth: 1 + name: Proactive Security + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node201 + ref_id: PS-01 + name: Endpoint Detection and Response + description: Endpoint Detection and Response (EDR) software is deployed to continuously + monitor, detect, and respond to cyber threats and patterns of malicious behavior + and activity. + annotation: '1. 
Deploy Endpoint Detection and Response (EDR) software to continuously + monitor, detect, and respond to cyber threats and patterns of malicious behavior + and activity. + + 2. Ensure that the EDR configurations are periodically reviewed.' + typical_evidence: 'E-NO-01 - Network Security Standard + + E-PS-01 - Network Security Standard' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-01:question:1 + text: 1. For a sample of endpoints, validate whether Endpoint Detection + and Response (EDR) software is installed and continuously monitor, detect, + and respond to cyber threats and patterns of malicious behavior and activity. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-01:question:2 + text: 2. Inspect whether the EDR configurations are reviewed periodically. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node201 + ref_id: PS-02 + name: Threat Hunting + description: Organization performs threat hunting to identify, track, and disrupt + threats that evade existing security controls. + annotation: '1. Conduct cyber threat hunting activities according to an organization-defined + frequency and/or organization-defined event to detect, track, and disrupt + threats that evade existing controls. + + 2. Establish a threat hunting methodology in accordance with the organization''s + security objectives. + + 3. Define threat indicator information and effective mitigations.' + typical_evidence: 'E-PS-02 - EDR Configuration Documentation + + E-PS-03 - Threat Hunting program documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-02:question:1 + text: 1. 
Inspect whether cyber threat hunting activities are performed as + per defined frequency to detect, track, and disrupt threats that evade + existing controls. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-02:question:2 + text: 2. Validate whether a threat hunting methodology exists in accordance + with the organization's security objectives. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-02:question:3 + text: 3. Inspect the threat indicator information and effective mitigations. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node201 + ref_id: PS-03 + name: Threat Modeling + description: Organization performs periodic threat modeling to ensure that potential + threats are identified and assessed. + annotation: 1. Ensure that an organization performs periodic threat modeling + to ensure that potential threats are identified and assessed. + typical_evidence: E-PS-04 - Threat indicator documentation + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-03:question:1 + text: 1. Validate whether an organization performs threat modeling periodically + to identify and assess potential threats. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node201 + ref_id: PS-04 + name: Adversary Intelligence + description: Organization gathers intelligence on adversary personas to assist + in the prioritization of security activities. + annotation: 1. Establish a process through which an organization gathers intelligence + on adversary personas to assist in the prioritization of security activities. 
+ typical_evidence: E-PS-05 - Periodic Threat Modeling documentation + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ps-04:question:1 + text: 1. Validate whether a process exists through which an organization + gathers intelligence on adversary personas to assist in the prioritization + of security activities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + assessable: false + depth: 1 + name: Risk Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-01 + name: Service Risk Rating Assignment + description: Annually, Organization prioritizes the frequency of vulnerability + discovery activities based on an assigned service risk rating. + annotation: '1. Ensure Risk management standard is in place and documented which + defines the frequency of vulnerability discovery activities based on an assigned + service risk rating. + + 2. Ensure all the identified vulnerabilities are remediated based on the risk + rating.' + typical_evidence: 'E-RM-01 - Vulnerability management standard + + E-RM-02 - Latest vulnerability assessment report' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-01:question:1 + text: 1. Validate that the organization has a defined vulnerability management + standard. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-01:question:2 + text: 2. For a sample of vulnerabilities, test that it was remediated based + on risk ranking. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-02 + name: Risk Assessment + description: Organization management performs an annual risk assessment. 
Results + from risk assessment activities are reviewed to prioritize mitigation of identified + risks. + annotation: '1. Ensure Risk Management Standard shall be in place which RM-01 + defines the requirements for annual risk assessment. + + 2. Ensure that the results of risk assessment are reviewed and mitigation + is performed on priority. + + 3. Any identified issues should have a corresponding risk treatment plan or + corrective action plan in place. Each issue shall be tracked to completion.' + typical_evidence: 'E-RM-03 - Risk Management Standard + + E-RM-04 - Risk assessment report + + E-RM-05 - Sample evidences for the risks treatment plan for the identified + risks' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-02:question:1 + text: 1. Validate that Risk Management Standard is in place and defines + the requirements for annual risk assessment. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-02:question:2 + text: 2. Validate evidence for the review of results of risk assessment + and mitigation of risks. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-02:question:3 + text: 3. Validate that any identified issues were tracked to completion, + according to its corresponding risk treatment plan or corrective action + plan. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-03 + name: 'Risk Assessment: HIPAA Criteria' + description: "Organization's periodic risk assessment for systems that process,\ + \ transmit or store Protected Health Information (PHI) includes the following:\n\ + \u2022 identify and classify assets\n\u2022 identify threats\n\u2022 identify\ + \ vulnerabilities\n\u2022 identify controls\n\u2022 perform threat likelihood\ + \ analysis\n\u2022 perform threat impact analysis\n\u2022 identify residual\ + \ risk\n\u2022 identify appropriate safeguards" + annotation: "1. Ensure risk assessment for systems that process, transmit or\ + \ store Protected Health Information (PHI) shall be in place and includes\ + \ the information listed below:\n\u2022 identify and classify assets\n\u2022\ + \ identify threats\n\u2022 identify vulnerabilities\n\u2022 identify controls\n\ + \u2022 perform threat likelihood analysis\n\u2022 perform threat impact analysis\n\ + \u2022 identify residual risk\n\u2022 identify appropriate safeguards" + typical_evidence: E-RM-06 - Risk Assessment HIPAA Report + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:1 + text: '1. 
Review Risk Assessment for a sample system that process, transmit + or store Protected Health Information (PHI) and validate whether it includes + the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:2 + text: "\u2022 identify and classify assets" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:3 + text: "\u2022 identify threats" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:4 + text: "\u2022 identify vulnerabilities" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:5 + text: "\u2022 identify controls" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:6 + text: "\u2022 perform threat likelihood analysis" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:7 + text: "\u2022 perform threat impact analysis" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:8 + text: "\u2022 identify residual risk" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-03:question:9 + text: "\u2022 identify appropriate safeguards" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-04 + name: Continuous Monitoring + description: The design and operating effectiveness of internal controls are + continuously evaluated against the established Common Controls Framework by + Organization. Corrective actions related to identified deficiencies are tracked + to resolution. + annotation: '1. Ensure that a process is defined and documented for the continuous + monitoring of internal controls against the common controls framework. + + 2. Ensure any gaps identified are remediated as per the organization''s policy.' 
+ typical_evidence: 'E-RM-07 - Compliance Review report + + E-RM-08 - Sample evidences of corrective actions taken in case of any deficiencies + identified' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-04:question:1 + text: 1. Validate that a process is defined and documented for the continuous + monitoring of internal controls against the common controls framework. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-04:question:2 + text: 2. For sample gaps validate that they were remediated as per the organization's + policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-05 + name: 'Self-Assessments: PCI' + description: "On a quarterly basis, reviews shall be performed with approved\ + \ documented specification to confirm personnel are following security policies\ + \ and operational procedures pertaining to:\n\u2022 daily log reviews\n\u2022\ + \ firewall rule-set reviews\n\u2022 applying configuration standards to new\ + \ systems\n\u2022 responding to security alerts\n\u2022 change management\ + \ processes" + annotation: "1. Establish a quarterly process to ensure that the following policies\ + \ and operational procedures are being reviewed and approved by authorized\ + \ personnel: \n\u2022 daily log reviews\n\u2022 firewall rule-set reviews\n\ + \u2022 applying configuration standards to new systems\n\u2022 responding\ + \ to security alerts\n\u2022 change management processes" + typical_evidence: 'E-RM-03 - Risk Management Standard + + E-RM-09 - Quarterly Review Evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:1 + text: '1. 
Inspect whether a process exists for reviewing the following on + a quarterly basis:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:2 + text: "\u2022 daily log reviews" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:3 + text: "\u2022 firewall rule-set reviews" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:4 + text: "\u2022 applying configuration standards to new systems" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:5 + text: "\u2022 responding to security alerts" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:6 + text: "\u2022 change management processes" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-05:question:7 + text: 2. Validate using the last review whether any deviations were noted + and if applicable, were tracked till resolution + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-06 + name: Internal Audits + description: Organization establishes internal audit requirements based on the + Common Controls Framework by Organization and executes audits on information + systems and processes at planned intervals. + annotation: 1. Ensure that the organization sets audit rules based on its Common + Controls Framework and conducts audits on its information systems and processes + at scheduled times + typical_evidence: 'E-RM-10 - Common Controls Framework + + E-RM-11 - Audit Reports and associated documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-06:question:1 + text: '1. Inspect internal and external audit results. 
' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-07 + name: ISMS Internal Audit Requirements + description: Internal audit establishes and executes a plan to evaluate applicable + controls in the Information Security Management System (ISMS) at least once + every 3 years. + annotation: '1. Ensure that the organization possesses an audit program document + that enumerates the particular controls slated for testing within its Information + Security Management System (ISMS). + + 2. Ensure that the outcomes of internal audit for ISMS controls is reviewed + on a periodic basis.' + typical_evidence: 'E-RM-12 - Audit Plan + + E-RM-13 - Audit Checklist + + E-RM-11 - Audit Reports and associated documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-07:question:1 + text: '1. Inspect audit program document that lists out specific controls + to be tested in the ISMS. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-07:question:2 + text: '2. Inspect the results of internal audit of ISMS controls and note + the cadence of such audits. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-08 + name: Remediation Tracking + description: Management prepares a remediation plan to formally manage the resolution + of findings identified in risk assessment activities. + annotation: '1. Ensure that there is a well-defined and documented remediation + plan in place to address and resolve any findings from risk assessment activities. + + 2. Ensure that the findings identified are resolved within the agreed timeframe.' 
+ typical_evidence: 'E-RM-14 - Remediation Plan + + E-RM-03 - Risk Management Standard + + E-RM-15 - Finding documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-08:question:1 + text: '1. Inspect documentation of remediation plan for any risk assessment + activities. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-08:question:2 + text: 2. Validate whether the findings created are remediated in the defined + timeframe. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-09 + name: ISMS Corrective Action Plans + description: Management prepares a Corrective Action Plan (CAP) to manage the + resolution of nonconformities identified in independent audits. + annotation: 1. Ensure that there is an audit finding document generated following + an external, independent audit and used as a basis for implementing necessary + improvements and corrective actions. + typical_evidence: 'E-RM-15 - Finding documentation + + E-RM-16 - Documented Corrective Action Plan' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-09:question:1 + text: '1. Inspect audit finding document prepared after external, independent + audit. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-09:question:2 + text: '2. For a sample of findings, examine evidence of resolution or a + plan of action for audit findings. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node206 + ref_id: RM-10 + name: Statement of Applicability + description: 'Management prepares a statement of applicability that includes + control objectives, implemented controls, and business justification for excluded + controls. 
Management aligns the statement of applicability with the results + of the annual risk assessment. ' + annotation: 1. Ensure that the statement of applicability (SOA) is approved + by the management and in alignment with the outcomes of the annual risk assessment + to ensure consistency and relevance. + typical_evidence: E-RM-17 - Statement of Applicability (SOA) + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-10:question:1 + text: '1. Inspect the organization''s statement of applicability (SOA) and + compares it with the result of the annual risk assessment. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:rm-10:question:2 + text: '2. Validate whether the statement of applicability is approved by + management. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node217 + assessable: false + depth: 1 + name: System Design Documentation + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sdd-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node217 + ref_id: SDD-01 + name: System Documentation + description: Documentation of system boundaries and key aspects of their functionality + are published to authorized Organization personnel on the Organization intranet. + annotation: '1. Ensure that appropriate documentation is established for system + boundaries and key aspects of functionality. + + 2. Ensure that these diagrams are available to authorized personnel through + intranet.' + typical_evidence: E-SDD-01 - Evidence of system diagrams + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sdd-01:question:1 + text: 1. Inspect and validate that appropriate documentation is established + for system boundaries and key aspects of functionality. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sdd-01:question:2 + text: 2. 
Validate that these diagrams are available to authorized personnel + through intranet. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sdd-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node217 + ref_id: SDD-02 + name: Whitepapers + description: Organization publishes whitepapers to its public website that describe + the purpose, design and boundaries of the system and system components. + annotation: '1. Ensure that the organization''s public website have published + whitepapers describing the purpose, design, and boundaries of the in-scope + services and system components. + + 2. Ensure that these whitepapers are reviewed periodically for accuracy and + approved by relevant personnel prior to publishing.' + typical_evidence: E-SDD-02 - Evidence of whitepapers + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sdd-02:question:1 + text: 1. Inspect the organization's public website to determine whether + whitepapers for in-scope services are published. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + assessable: false + depth: 1 + name: Security Governance + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-01 + name: Policy and Standard Review + description: Organization's policies and standards are periodically reviewed, + approved by management, and communicated to Organization personnel. + annotation: '1. Ensure that the organization''s policies and standards are well-defined, + documented and communicated with relevant personnel. + + 2. Ensure that these policies and standards are reviewed periodically and + are approved by the management.' 
+ typical_evidence: 'E-SG-01 - Information Security Management Standard + + E-SG-02 - Evidence of periodic review of organization''s policies and standards + (with version history) + + E-SG-03 - Sample of communication mail sent to employees' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-01:question:1 + text: 1. Inspect organization's Policy to determine whether requirements + for periodic reviews, management approval, and communication of policies + and standards are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-01:question:2 + text: 2. Inspect a sample of organization's policies and standards to determine + whether they are documented, periodically reviewed, and approved by management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-01:question:3 + text: '3. Inspect the corporate intranet or email communication sent to + employee that validates these policies are communicated within the organization. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-02 + name: Exception Management + description: Organization reviews exceptions to policies, standards and procedures; + exceptions are documented and approved based on business need and removed + when no longer required. + annotation: '1. Ensure that a process for the handling of exceptions is well + defined and documented. + + 2. Ensure exceptions observed have thorough documentation, approval from higher + management, and are promptly removed when no longer needed.' + typical_evidence: 'E-SG-01 - Information Security Management Standard + + E-SG-04 - Sample Policy Exceptions' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-02:question:1 + text: 1. 
Inspect organization's policy and/or standards to determine whether + requirements to review, approve, and document exceptions to policies, + standards, and procedures are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-02:question:2 + text: 2. Inspect a sample of exceptions to determine whether each exception + is reviewed, approved, and documented based on business need and removed + when no longer required. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-03 + name: Document Control + description: Organization's document management criteria is periodically reviewed, + approved by management, and communicated to authorized personnel; management + determines the treatment and retention of documentation according to legal + and regulatory requirements. + annotation: '1. Ensure that the organization has a well defined and documented + document management criteria. + + 2. Ensure that the criteria is reviewed and approved by the management periodically. + + 3. Ensure that the criteria is communicated to authorized personnel. + + 4. Ensure that the documentation is treated and retained according to legal + and regulatory requirements.' + typical_evidence: 'E-SG-01 - Information Security Management Standard + + E-SG-05 - Document Management Criteria + + E-SG-06 - Document Retention Evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-03:question:1 + text: 1. Inspect the organization's policy and/or standard to validate that + the organization has a well defined and documented document management + criteria. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-03:question:2 + text: 2. Validate that the criteria is reviewed and approved by the management + periodically. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-03:question:3 + text: 3. 
Validate whether the criteria is communicated to authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-03:question:4 + text: 4. Validate for a sample documentation that it is treated and retained + according to legal and regulatory requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-04 + name: Information Security Program Content + description: 'The Chief Security Officer conducts a periodic staff meeting to + communicate and align on relevant security threats, program performance, and + resource prioritization. ' + annotation: '1. Ensure that a process is defined and documented for conducting + periodic staff meetings with the Chief Security Officer. + + 2.Ensure that the meeting agenda consists of security threats, Information + Security Management Program Performance and Resource Prioritization.' + typical_evidence: 'E-SG-01 - Information Security Management Standard + + E-SG-15 - MOM of management meetings' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-04:question:1 + text: 1. Inspect and validate that a process is defined and documented for + conducting periodic staff meetings with the Chief Security Officer. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-04:question:2 + text: 2. Validate that the meeting agenda consists of security threats, + Information Security Management Program Performance and Resource Prioritization + for sample quarters. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-05 + name: Procedures + description: Organization's key control capabilities are supported by documented + procedures that are communicated to authorized personnel. + annotation: '1. 
Ensure that a process is defined and documented so that all + key control capabilities are supported by documented procedures. + + 2. Ensure that these procedures are communicated to authorized personnel.' + typical_evidence: E-SG-01 - Information Security Management Standard + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-05:question:1 + text: 1. Inspect and validate that a process is defined and documented so + that all key control capabilities are supported by documented procedures. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-05:question:2 + text: 2. Validate that these procedures are communicated to authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-06 + name: Proprietary Rights Agreement + description: Organization regular employees consent to a proprietary rights + agreement. + annotation: "1. Ensure that all employees are required to sign a proprietary\ + \ rights agreement prior to joining the organization. \n2. Ensure that appropriate\ + \ records are maintained for retaining this information." + typical_evidence: E-SG-07 - Documented proprietary rights agreement and organization's + network access agreement + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-06:question:1 + text: 1. Inspect the procedure for employees to sign proprietary rights + agreement. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-06:question:2 + text: '2. Inspect a sample of employee''s proprietary rights agreement. 
' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-07 + name: Review of Confidentiality Agreements + description: The Organization Proprietary Rights Agreement and Organization + Network Access Agreement are reviewed on a periodic basis. + annotation: "1. Ensure all employees sign the organization's proprietary rights\ + \ agreement and network access agreement prior to joining the organization.\ + \ \n2. Ensure these agreements are updated on a need-to-know basis and communicated\ + \ to stakeholders." + typical_evidence: E-SG-07 - Documented proprietary rights agreement and organization's + network access agreement + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-07:question:1 + text: '1. Inspect organization''s proprietary rights agreement and network + access agreement and check for periodic review. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-08 + name: Information Security Program + description: Organization has an established security leadership team including + key stakeholders in the Organization Information Security Program; goals and + milestones for deployment of the information security program are established + and communicated to the company through the periodic security all-hands meeting. + annotation: "1. Ensure there is a dedicated information security management\ + \ standard which consists of requirements pertaining to security leadership\ + \ team and the establishment and communication of security goals and milestones.\ + \ \n2. Ensure the organization's information security management standard\ + \ is uploaded on corporate intranet and made available to all employees.\n\ + 3. 
Ensure, ISMS steering committee is conducting monthly meetings whose, minutes\ + \ are documented and communicated to relevant stakeholders." + typical_evidence: "E-SG-01 - Information Security Management Standard\nE-SG-08\ + \ - Information Security management Standard is uploaded on intranet \nE-SG-09\ + \ - MOM of ISMS steering committee " + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-08:question:1 + text: 1. Inspect Information Security Management Standard to determine whether + requirements for a security leadership team and the establishment and + communication of security goals and milestones are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-08:question:2 + text: 2. Observe organization's corporate intranet to determine whether + the Information Security Management Standard is communicated to the company. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-08:question:3 + text: 3. Inspect the most recent ISMS Steering minutes to determine the + participation from the security leadership team, and the establishment + and communication of security goals and milestones. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-09 + name: Accessibility Program + description: Organization has an established accessibility leadership team including + key stakeholders; goals and milestones for deployment of the accessibility + program are established and communicated to the company. + annotation: '1. Prepare a list of accessibility key stakeholders and objectives + of accessibility program. + + 2. Review ISMS standard to ensure that it includes the information related + to accessibility program and made available to the employees of the organization.' 
+ typical_evidence: E-SG-01 - Information Security Management Standard + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-09:question:1 + text: 1. Validate that the ISMS standard lists key stakeholders and objectives + of the accessibility program. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-09:question:2 + text: 2. Observed how the ISMS standard includes information about the accessibility + program and whether it is readability available to employees of the organization. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-10 + name: Information Security Management System Scope + description: Information Security Management System (ISMS) boundaries are formally + defined in an ISMS scoping document. + annotation: '1. Ensure a process has been defined and documented to create an + ISMS scoping document. + + 2. Ensure that this document is appropriately reviewed and updated to refelct + accurate boundaries for the information security management system.' + typical_evidence: E-SG-10 - ISMS Scope document + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-10:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + to create an ISMS scoping document. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-10:question:2 + text: 2. Validate whether this document was appropriately reviewed and updated. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-11 + name: Security Roles and Responsibilities + description: Roles and responsibilities for the governance of Information Security + within Organization are formally documented within the Information Security + Management Standard and communicated on the Organization intranet. + annotation: '1. Ensure organization''s information security standard consists + of roles and responsibilities for the governance of information security within + organization and uploaded on the corporate intranet and made available to + all employees. + + 2. Ensure, ISMS steering committee is conducting monthly meetings whose, minutes + are documented and communicated to relevant stakeholders.' + typical_evidence: E-SG-10 - ISMS Scope document + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-11:question:1 + text: 1. Inspect Organization's Information Security Management Standard + to determine whether it was communicated and defined information security + roles and responsibilities for the governance of information security + within Organization. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-11:question:2 + text: 2. Observed Organization's corporate intranet to determine whether + the Information Security Management Standard is communicated to the company. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-11:question:3 + text: 3. Inspect the most recent ISMS Steering Committee Meeting minutes + to determine the participation from the security leadership team, and + establishment and communication of security goals and milestones. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-12 + name: 'Security Roles and Responsibilities: Risk Designations' + description: Organization defined security roles and responsibilities are assigned + risk designations and reviewed at least once every three years. + annotation: 1. Ensure there is a risk management policy, and risk matrix (which + consists of risk severity, risk treatment, risk mitigation plan, and compensatory + control) which are updated once in every 3 years or on a need-to-know basis. + typical_evidence: 'E-SG-11 - Risk Management Policy + + E-SG-12 - Risk Matrix ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-12:question:1 + text: 1. Inspect Organization's Risk Management policy and risk control + matrix and ensure they are updated once in every 3 years or on a need-to-know + basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-13 + name: 'Security Roles and Responsibilities: PCI Compliance' + description: Roles and responsibilities and a program charter for the governance + of PCI DSS compliance within Organization are formally documented and communicated + by management. + annotation: 1. Define roles and responsibilities for PCI DSS governances which + is approved by the organization's management and documented well in PCI Charter. + typical_evidence: 'E-SG-13 - PCI charter ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-13:question:1 + text: 1. 
Inspect Organization's PCI Charter and organization chart to determine + that roles and responsibilities for PCI DSS governances are appropriately + documented and disseminated by Organization Management. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-14 + name: Information Security Resources + description: "Information systems security implementation and management are\ + \ included as part of the budget required to support the Organization\_Security\ + \ Program." + annotation: "1. Allocate resources as per the Organization's Security program\ + \ and the defined budget. \n2. Ensure management meets monthly or on a need-to-know\ + \ basis to discuss the critical security requirements across organization\ + \ based on multiple factors as well as justifications basis which budget is\ + \ allocated for management of Organization's security program and corresponding\ + \ records are maintained.\n3. Each department spend and allocate resources\ + \ as per the defined budget and security program which aligns with the business\ + \ objectives.\n4. Ensure budget is approved by top management for spending\ + \ to be aligned with business justification." + typical_evidence: 'E-SG-14 - Approved budget allocation documentation + + E-SG-15 - MOM of management meetings' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-14:question:1 + text: 1. Inspect all the security requirements for which budget is required + as a part of Organization's Security program and corresponding business + justification are identified, documented and maintained. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-14:question:2 + text: 2. 
Ensure that as a part of regular periodic management review meetings + identified critical security requirements across organization are reviewed + as well as analyzed and based on multiple factors as well as justifications + basis which budget is allocated for management of Organization's security + program and corresponding records are maintained. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-14:question:3 + text: 3. Inspect documentation around representation from all the key departments + to ensure allocation of budget for security program is aligned with business + objectives. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-14:question:4 + text: 4. Inspect the approval obtained by top management for spending of + allocated budget to be aligned with business justification. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-15 + name: Management Review + description: 'The Information Security Management System (ISMS) steering committee + conducts a formal management review of ISMS scope, risk assessment activities, + control implementation, and audit results on an annual basis. ' + annotation: '1. Conduct ISMS steering committee meeting on monthly basis or + on a need-to-know basis to discuss and review the current scope (products + included), audit progress, ISMS scope, risk assessment activities, control + implementation, and audit results. + + 2. Document the attendance of each member.' + typical_evidence: 'E-SG-09 - MOM of ISMS steering committee ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-15:question:1 + text: 1. Validate that ISMS Steering committee meet at least annually, and + inspect meeting minutes from each meeting. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-15:question:2 + text: 2. 
Inspect attendees of the steering committee meeting shall be documented, + and members of the information steering committee shall include relevant + members from the offering's organization. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-15:question:3 + text: '3. Each meeting shall include an discussion and review of current + scope (products included), audit progress, ISMS scope, risk assessment + activities, control implementation, and audit results. Included shall + be action items for any audit findings. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-16 + name: Enterprise Data Catalog + description: Organization maintains an enterprise data catalog that encompasses + key organizational data, environment metadata, and product information to + facilitate continuous monitoring of the internal control environment. The + enterprise data catalog is updated as part of the continuous monitoring process + and upon the introduction of new service offerings and acquisitions. + annotation: '1. Ensure there is a documented enterprise data catalogue which + consists of details that include but not limited to: key organizational data, + environment metadata, and product information to facilitate continuous monitoring + of the internal control environment. + + 2. Ensure that the documented enterprise data catalogue is reviewed and updated + annually or as in when required. ' + typical_evidence: 'E-SG-16 - Enterprise Data Catalogue ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-16:question:1 + text: 1. Inspect the Enterprise Data Catalog to determine that it includes + key organizational data, environment metadata, and product information + to facilitate continuous monitoring of the internal control environment. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-16:question:2 + text: 2. Inspect that the data catalog is reviewed and updated periodically + and further, upon the introduction of new service offerings and acquisitions. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node220 + ref_id: SG-17 + name: Software Usage Restrictions + description: Organization maintains software license contracts and monitors + its compliance with usage restrictions. + annotation: '1. Ensure there is a formal documented software license agreement/policy + which defines the criteria for the installation of software. + + 2. Ensure software license agreement/policy is reviewed and updated on annual + basis or when required. + + 3. Continuous monitoring of installed software to ensure the compliance posture + as per the defined criteria.' + typical_evidence: 'E-SG-17 - Software License Agreement/Policy + + E-SG-18 - Software monitoring compliance report to ensure the compliance posture ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17:question:1 + text: '1. Identify and document the inventory of software license contracts + corresponding to different software. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17:question:2 + text: 2. Inspect management approved procedures for license maintenance + and usage are in place and maintained. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17:question:3 + text: 3. Ensure that monitoring is in place to check the compliance effectiveness + with usage restrictions defined as part of software license maintenance + as well as usage contracts. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17:question:4 + text: 4. 
Ensure monitoring records of period review/audits are maintained + to ensure adherence to the requirements of the software license contracts + and usage restrictions. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sg-17:question:5 + text: 5. Licenses and contracts are reviewed as needed, and increased supply + of licenses and contracts are obtained if needed to meet use/demand. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + assessable: false + depth: 1 + name: Service Lifecycle + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + ref_id: SLC-01 + name: Service Lifecycle Workflow + description: Major software releases are subject to the Service Life Cycle, + which requires acceptance via Concept Accept and Project Plan Commit phases + prior to implementation. + annotation: "1. Ensure there is a documented standard for organization product\ + \ lifecycle and secure product lifecycle which consists requirements for acceptance\ + \ via concept accept and project plan commit phases prior to implementation.\n\ + 2. Ensure the standard for organization product lifecycle and secure product\ + \ lifecycle are reviewed and updated as required. \n3. Implement a procedure\ + \ to document the acceptance via concept accept and project plan commit phases\ + \ prior to implementation for each and every major release." + typical_evidence: "E-SLC-01 - Organization product lifecycle standard \nE-SLC-02\ + \ - Secure product lifecycle" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-01:question:1 + text: 1. Inspect Organization's Product Lifecycle Standard and Secure Product + Lifecycle Standard to determine whether requirements for acceptance via + Concept Accept and Project Plan Commit phases prior to implementation + are defined. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-01:question:2 + text: 2. Inspect documentation for a selection of major releases to determine + whether it includes documentation of acceptance via Concept Accept and + Project Plan Commit phases prior to implementation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + ref_id: SLC-02 + name: Source Code Management + description: Source code is managed with Organization-approved version control + mechanisms. + annotation: "1. Ensure there is a documented organization's source code security\ + \ standard and it is updated on need to know basis. \n2. Ensure source code\ + \ repositories used by service team as per the approved version control mechanisms/systems." + typical_evidence: "E-SLC-03 - Source code standard \nE-SLC-04 - Source code\ + \ repository " + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-02:question:1 + text: 1. Inspect Organization's Source Code Security Standard to determine + whether requirements for Organization-approved version control software + are in place. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-02:question:2 + text: 2. For a sample of services, inspect source code repository used by + services to determine that source code is managed with Organization-approved + version control mechanisms/systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + ref_id: SLC-03 + name: Secrets in Code + description: 'Organization manages source code secrets in a centralized repository; + secrets are rotated at least annually and immediately if the security of secrets + is compromised. ' + annotation: '1. Each service should have a central source code repository where + all secrets are managed. + + 2. 
Secrets of the service are rotated once every year and in cases where the + securiy of secrets is compromised. Logs for the same are maintained and documented.' + typical_evidence: 'E-SLC-05 - Central Source Code Repository + + E-SLC-06 - Shared Secret Rotation Logs ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-03:question:1 + text: 1. For a sample of services, inspect the Organization's centralized + repository to determine that source code secrets are managed in a centralized + repository. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-03:question:2 + text: 2. Obtain evidence to validate secrets are rotated at least annually + and immediately if the security of secrets is compromised. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + ref_id: SLC-04 + name: Project Budget Approval + description: 'Approval for project initiation and budget is obtained from IT + management and business owners. + + ' + annotation: 1. Prepare a project management plan that includes but not limited + to project initiation guidelines and budget from IT management and business + owners. + typical_evidence: 'E-SLC-07 - Minutes of project scope and budget plan meeting + + E-SLC-08 - Formal sign-off on the project plan' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-04:question:1 + text: 1. Obtain evidence of approval for project initiation and budget from + IT management and business owners. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + ref_id: SLC-05 + name: Project Scope Change + description: 'Changes to finalized project scope and requirements require the + review and approval from the business team and project manager. + + ' + annotation: '1. Prepare a project management plan that outlines the project + scope, and requirements. + + 2. Project Management plan is approved by business team.' + typical_evidence: 'E-SLC-07 - Minutes of project scope and budget plan meeting + + E-SLC-08 - Formal sign-off on the project plan' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-05:question:1 + text: 1. Review the changes that have been modified and finalized for project + scope and requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-05:question:2 + text: 2. Obtain evidence of approval from the business team and project + management for finalization of project scope and requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + ref_id: SLC-06 + name: Information System Operation Authorization + description: Senior management authorizes the operation of new information systems, + based on security and business requirements, prior to implementation. The + information system authorization is refreshed every 3 years or when significant + change occurs. + annotation: '1. Ensure there is documented service lifecycle program which is + updated on a need-to-know basis + + 2. Ensure there is a documented information system operation authorization + which is approved by the senior management and updated once in every 3 years + or on a need-to-know basis.' 
+ typical_evidence: 'E-SLC-09 - Service Lifecycle Program + + E-SLC-10 - Information system Operation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-06:question:1 + text: 1. Inspect the approval matrix for Service Lifecycle Program Management. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-06:question:2 + text: 2. Inspect the approval matrix for Information System Operation Authorization + by the authorized senior management to determine the operation of new + information systems + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-06:question:3 + text: 3. Review the information system authorization is updated every 3 + years or when significant changes occurs. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node238 + ref_id: SLC-07 + name: System Acquisition Approval + description: "Information system acquisitions require approval from authorized\ + \ personnel based on verification of the following documented evidence:\n\u2022\ + \ security function, strength, and assurance requirements\n\u2022 requirements\ + \ for protecting security-related documentation\n\u2022 system development\ + \ and test requirements\n\u2022 acceptance criteria for releases\n\u2022 enumeration\ + \ of Security controls\n\u2022 security control implementation and monitoring\ + \ requirements\n\u2022 components are FIPS-201 approved" + annotation: "1. 
Define and implement a procedure for the formal approval from\ + \ an authorized personnel Information system acquisitions based on verification\ + \ of the following documented evidence:\n\u2022 security function, strength,\ + \ and assurance requirements\n\u2022 requirements for protecting security-related\ + \ documentation\n\u2022 system development and test requirements\n\u2022 acceptance\ + \ criteria for releases\n\u2022 enumeration of Security controls\n\u2022 security\ + \ control implementation and monitoring requirements\n\u2022 components are\ + \ FIPS-201 approved" + typical_evidence: 'E-SLC-11 - Formal Approval/documents from the authorized + personnel ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:1 + text: '1. Obtain evidence of approval from authorized personnel for Information + system acquisitions based on verification of the following documented + evidence:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:2 + text: "\u2022 security function, strength, and assurance requirements" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:3 + text: "\u2022 requirements for protecting security-related documentation" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:4 + text: "\u2022 system development and test requirements" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:5 + text: "\u2022 acceptance criteria for releases" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:6 + text: "\u2022 enumeration of Security controls" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:7 + text: "\u2022 security control implementation and monitoring requirements" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:slc-07:question:8 + text: "\u2022 components are FIPS-201 approved" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + assessable: false + depth: 1 + name: 
Systems Monitoring + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-01 + name: Audit Logging + description: Organization logs critical information system activity. + annotation: "1. Ensure that the Organization's Logging Standard includes logging\ + \ requirements for critical system activity.\n2. Ensure that the following\ + \ system logging configurations (at the least, but not limited to) for a selection\ + \ of production systems to determine the following:\na. Log aggregation tool\ + \ is configured for the service.\nb. Whether the below logs are being sent\ + \ to the log aggregation tool:\ni. System OS logs\nii. AWS Config (configuration\ + \ monitoring resource in AWS)\niii. Cloud Trail (All account level activity\ + \ including API calls, IAM role/user)\niv. VPC Flow Logs (Showing all network\ + \ connections to and from a VPC)\nv. Guard Duty (AWS provided threat detection\ + \ service)\nc. PCI Specific - Whether critical information system activity\ + \ is logged such as the following:\ni. Access to all audit trails (Covered\ + \ through CloudTrail)\nii. Invalid logical access attempts.\niii. Use of and\ + \ changes to identification and authentication mechanisms, including: All\ + \ elevation of privileges. All changes, additions, or deletions to any account\ + \ with root or administrative privileges. \niv. Initialization of audit logs\n\ + v. Stopping or pausing of audit logs\nvi. Creation and deletion of system\ + \ level objects\nvii. Alerts are in place to be triggered when the aforementioned\ + \ logs are not forwarded/face an error in being sent by the log aggregation\ + \ tool." 
+ typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-02 - Logging configuration + + E-SM-03 - Sample of production server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:1 + text: 1. Inspect Organization's Logging Standard to determine whether logging + requirements are defined for critical system activity. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:2 + text: '2. Inspect system logging configurations for a sample of production + systems to determine the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:3 + text: a. Log aggregation tool is configured for the service. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:4 + text: 'b. Whether the below logs are being sent to the log aggregation tool:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:5 + text: i. System OS logs + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:6 + text: ii. AWS Config (configuration monitoring resource in AWS) + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:7 + text: iii. Cloud Trail (All account level activity including API calls, + IAM role/user) + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:8 + text: iv. VPC Flow Logs (Showing all network connections to and from a VPC) + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:9 + text: v. Guard Duty (AWS provided threat detection service) + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:10 + text: 'c. PCI Specific - Whether critical information system activity is + logged such as the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:11 + text: i. Access to all audit trails (Covered through CloudTrail) + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:12 + text: ii. Invalid logical access attempts. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:13 + text: 'iii. Use of and changes to identification and authentication mechanisms, + including: All elevation of privileges. All changes, additions, or deletions + to any account with root or administrative privileges. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:14 + text: iv. Initialization of audit logs + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:15 + text: v. Stopping or pausing of audit logs + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:16 + text: vi. Creation and deletion of system level objects + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-01:question:17 + text: vii. Alerts are in place to be triggered when the aforementioned logs + are not forwarded/face an error in being sent by the log aggregation tool. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-02 + name: Secure Audit Logging + description: Organization logs critical information system activity to a secure + repository. Organization disables administrators ability to delete or modify + enterprise audit logs; the number of administrators with access to audit logs + is limited. + annotation: '1. Ensure that Organization''s Logging Standard includes logging + requirements for critical system activity to mandate log forwarding and storage + in a central repository. + + 2. Establish a process for periodic review of appropriate access of the administrators + to SIEM tool. + + 3.Ensure that only a defined list of users are allowed to delete/modified + SIEM logs.' + typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-04 - Access review documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-02:question:1 + text: 1. 
Inspect Organization's Logging Standard to determine whether logging + requirements are defined for critical system activity to mandate log forwarding + and storage in a central repository. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-02:question:2 + text: 2. Inspect the list of SIEM tool Administrators and validate that + their access is appropriate. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-02:question:3 + text: 3. Validate the list of users allowed to delete/modified SIEM tool + logs and ensure it is restricted. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-03 + name: 'Audit Logging: Cardholder Data Environment Activity' + description: "Organization logs the following activity for cardholder data environments:\n\ + \u2022 individual user access to cardholder data\n\u2022 administrative actions\n\ + \u2022 access to logging servers\n\u2022 failed logins\n\u2022 modifications\ + \ to authentication mechanisms and user privileges\n\u2022 initialization,\ + \ stopping, or pausing of the audit logs\n\u2022 creation and deletion of\ + \ system-level objects\n\u2022 security events\n\u2022 logs of all system\ + \ components that store, process, transmit, or could impact the security of\ + \ cardholder data (CHD) and/or sensitive authentication data (SAD)\n\u2022\ + \ logs of all critical system components\n\u2022 logs of all servers and system\ + \ components that perform security functions (e.g., firewalls, intrusion-detection\ + \ systems/intrusion-prevention systems (IDS/IPS), authentication servers,\ + \ e-commerce redirection servers, etc.)" + annotation: '1. Ensure that the following activity types are being logged in + SIEM tool: + + a. individual user access to cardholder data + + b. administrative actions + + c. access to logging servers + + d. failed logins + + e. 
modifications to authentication mechanisms and user privileges + + f. initialization, stopping, or pausing of the audit logs + + g. creation and deletion of system-level objects + + h. security events + + i. logs of all system components that store, process, transmit, or could impact + the security of cardholder data (CHD) and/or sensitive authentication data + (SAD) + + j. logs of all critical system components + + k. logs of all servers and system components that perform security functions + (e.g., firewalls, intrusion-detection systems/intrusion-prevention systems + (IDS/IPS), authentication servers, e-commerce redirection servers, etc.)' + typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-03 - Sample of production server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:1 + text: '1. Inspect SIEM Logs for a sample of in-scope production servers + to validate that the below activity types are being logged:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:2 + text: a. individual user access to cardholder data + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:3 + text: b. administrative actions + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:4 + text: c. access to logging servers + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:5 + text: d. failed logins + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:6 + text: e. modifications to authentication mechanisms and user privileges + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:7 + text: f. initialization, stopping, or pausing of the audit logs + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:8 + text: g. creation and deletion of system-level objects + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:9 + text: h. 
security events + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:10 + text: i. logs of all system components that store, process, transmit, or + could impact the security of cardholder data (CHD) and/or sensitive authentication + data (SAD) + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:11 + text: j. logs of all critical system components + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-03:question:12 + text: k. logs of all servers and system components that perform security + functions (e.g., firewalls, intrusion-detection systems/intrusion-prevention + systems (IDS/IPS), authentication servers, e-commerce redirection servers, + etc.) + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-04 + name: 'Audit Logging: Cardholder Data Environment Event Information' + description: "Organization records the following information for confirmed events\ + \ in the cardholder data environment:\n\u2022 user identification\n\u2022\ + \ type of event\n\u2022 date and time\n\u2022 event success or failure indication\n\ + \u2022 origination of the event\n\u2022 identification of affected data, system\ + \ component, or resource" + annotation: '1. Ensure that the below information is being logged for all critical + security events: + + a. user identification + + b. type of event + + c. date and time + + d. event success or failure indication + + e. origination of the event + + f. identification of affected data, system component, or resource' + typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-03 - Sample of production server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:1 + text: '1. 
Inspect SIEM Logs for a sample of in-scope production servers + to validate that the below information is being logged for all critical + security events:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:2 + text: a. user identification + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:3 + text: b. type of event + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:4 + text: c. date and time + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:5 + text: d. event success or failure indication + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:6 + text: e. origination of the event + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-04:question:7 + text: f. identification of affected data, system component, or resource + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-05 + name: 'Audit Logging: Service Provider Logging Requirements' + description: "Organization establishes unique logging and audit trails for each\ + \ entity's cardholder data environment and complies with the following:\n\u2022\ + \ logs are enabled for third-party applications\n\u2022 logs are active by\ + \ default\n\u2022 logs are available for review by and communicated to the\ + \ owning entity" + annotation: "1. Establish a process that ensures that Organization's audit trails/audit\ + \ logs:\n\u2022 each and every third-party application for every entity.\n\ + \u2022 logs are active by default\n2. Establish a process in the Organization's\ + \ logging and monitoring mechanism which ensures that logs are reviewed periodically\ + \ and on a need-to-do basis. Additionally, the same shall be communicated\ + \ to the concerned stakeholders." 
+ typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-03 - Sample of production server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-05:question:1 + text: '1. Inspect Organization''s audit trails/audit logs for:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-05:question:2 + text: "\u2022 each and every third-party application for every entity." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-05:question:3 + text: "\u2022 logs are active by default" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-05:question:4 + text: 2. Inspect Organization's logging and monitoring mechanism to ensure + that logs are reviewed periodically and on a need-to-do basis. Additionally, + validate whether the same is being communicated to the concerned stakeholders. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-06 + name: 'Configuration Management: Remote Logging' + description: Where applicable, devices are configured to send audit log data + to a remote server + annotation: 1. Establish a data flow mechanism to ensure that the devices are + configured to send audit log data to a remote server. + typical_evidence: 'E-NO-17 - Data Flow Diagrams + + E-SM-01 - Logging Standard + + E-SM-03 - Sample of production server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-06:question:1 + text: 1. Inspect Organization's data flow mechanisms to ensure that the + devices are configured to send audit log data to a remote server. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-07 + name: Chain of Accountability + description: Organization implements audit trails to link authentication events + to individuals users in production systems. + annotation: '1. Establish organization''s logging and monitoring process. + + 2. Ensure logs contain identifiers to establish audit trails to systems and + users.' + typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-03 - Sample of production server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-07:question:1 + text: 1. Validate the organizations logging and monitoring process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-07:question:2 + text: 2. Validate whether the logs contain identifiers to establish audit + trails to systems and users. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-08 + name: Audit Record Time Stamps + description: Organization records time stamps for audit records that can be + mapped to a centralized time source. + annotation: 1. Ensure that the time sync is enabled, stratums are defined, and + the time servers are working. + typical_evidence: E-SM-05 - NTP logs and configuration + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-08:question:1 + text: 1. Validate whether time sync is enabled, stratums are defined, and + the time servers are working. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-08:question:2 + text: 2. For a sample of audit records, review time stamps to determine + whether time stamps for audit records can be mapped to a centralized time + source. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-09 + name: 'Log Reconciliation: CMDB' + description: Organization reconciles the established device inventory against + the enterprise log repository on a quarterly basis; devices which do not forward + log data are remediated. + annotation: '1. Design a process to prepare a quarterly Log reconciliation report + which includes reconciliation of the established device inventory against + the enterprise log repository. + + 2. Wherever deviation is identified from the reconciliation, ensure that the + actions are taken for remediation of the devices which do not forward log + data.' + typical_evidence: 'E-SM-06 - Quarterly Log reconciliation report + + E-SM-07 - Sample of remediation documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-09:question:1 + text: 1. Inspect Organization's Log reconciliation report to determine that + the established device inventory against the enterprise log repository + is reconciled on a quarterly basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-09:question:2 + text: 2. Inspect the actions taken for remediation of the devices which + do not forward log data. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-10 + name: Audit Log Capacity and Retention + description: Organization allocates audit record storage capacity in accordance + with logging storage and retention requirements; Audit logs are retained for + 1 year with 90 days of data immediately available for analysis. + annotation: '1. Document Organization''s Logging Standard which includes logging + retention requirements for critical system activity to mandate logs be available + for a minimum for 1 year. 
+ + 2. Implement SIEM tool configuration to retrieve the relevant logs for a minimum + period of 1 year with 90 days of logs be available for immediate analysis.' + typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-02 - Logging configuration + + E-SM-03 - Sample of production server logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-10:question:1 + text: 1. Inspect Organization's Logging Standard to determine whether logging + retention requirements are defined for critical system activity to mandate + logs being available for a minimum for 1 year + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-10:question:2 + text: 2. Inspect sample logs for in-scope services to validate that the + SIEM tool stores relevant logs for a minimum period of 1 year with 90 + days of logs being available for immediate analysis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-10:question:3 + text: 3. Evaluate the SIEM tool configuration to validate the retention + settings for 1 year. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-11 + name: Enterprise Antivirus Logging + description: If applicable, Organization's managed enterprise antivirus deployments + generate audit logs which are retained for 1 year with 90 days of data immediately + available for analysis. + annotation: '1. Enable configurations for Enterprise Antivirus solutions to + ensure that antivirus logs are being forwarded to the SIEM + + 2. Ensure that relevant logs are stored for a minimum period of 1 year with + 90 days of logs being available for immediate analysis.' 
+ typical_evidence: 'E-SM-08 - Enterprise Antivirus Solution configuration + + E-SM-09 - Sample of antivirus logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-11:question:1 + text: 1. Inspect configurations for Enterprise Antivirus solutions to validate + that antivirus logs are being forwarded to SIEM. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-11:question:2 + text: 2. Inspect sample antivirus logs for in-scope services to validate + that relevant logs are stored for a minimum period of 1 year with 90 days + of logs being available for immediate analysis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-12 + name: Security Monitoring Alert Criteria + description: Organization defines security monitoring alert criteria, how alert + criteria will be flagged, and identifies authorized personnel for flagged + system alerts. + annotation: '1. Document Organization''s Security Monitoring Standard to include + requirements for security monitoring alert criteria. + + 2. Establish a process to periodically review and maintain a list of security + monitoring rules.' + typical_evidence: 'E-SM-10 - Security Monitoring Standard + + E-SM-11 - List of monitoring rules + + E-SM-12 - Sample of alert rules' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-12:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements for security monitoring alert criteria are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-12:question:2 + text: 2. Obtain list of security monitoring rules that are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-12:question:3 + text: 3. 
For a sample of alert rules from a sample of services, inspect + the monitoring tool configuration to determine that rules are implemented + to flag events, and notify authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-13 + name: Security Monitoring Alert Criteria Review + description: Organization reviews security monitoring alert on an annual basis. + annotation: '1. Document Organization''s Security Monitoring Standard to include + requirements for security monitoring alert criteria. + + 2. Establish a process to ensure that the monitoring tool is configured to + review the security alerts on an annual basis by the authorized personnel. ' + typical_evidence: 'E-SM-10 - Security Monitoring Standard + + E-SM-11 - List of monitoring rules + + E-SM-12 - Sample of alert rules' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-13:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements for security monitoring alert criteria are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-13:question:2 + text: '2. For a sample of alert rules from a sample of services, inspect + the monitoring tool configuration to determine that security alerts are + reviewed on an annual basis by the authorized personnel. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-14 + name: Log-tampering Detection + description: Organization monitors and flags tampering to the audit logging + and monitoring tools in the production environment. + annotation: '1. 
Ensure Organization''s Security Monitoring Standard to include + requirements for monitoring and flagging, tampering to the audit logging and + monitoring tools in the production environment. + + 2. Ensure specific mechanisms to monitor and flag tampering to the audit logging + and monitoring tools in the production environment are defined and documented. + + 3. Ensure appropriate mechanisms are implemented for protecting integrity + of logs and to prevent/detect logs from being modified/tampered at the storage + location. Additionally, ensure such activities are recorded and controlled. + + 4. Restrict and control administrative permissions to manage and modify audit + logs to authorized personnel only. + + 5. Ensure all administrative and operational activities are logged and events + are captured to trace back to a particular user in case of any modifications/tampering + performed. + + 6. Replicate and store all applicable logs on a centralized server and restrict + access to only authorized personnel.' + typical_evidence: "E-SM-10 - Security Monitoring Standard\nE-SM-11 - List of\ + \ monitoring rules\nE-SM-13 - Log integrity checks \nE-SM-04 - Access review\ + \ documentation" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:1 + text: 1. Obtain relevant organizational policy/standard and ensure defined + process regarding enabling audit logging and monitoring are adhered to. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:2 + text: 2. Validate specific mechanisms to monitor and flag tampering to the + audit logging and monitoring tools in the production environment are defined + and documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:3 + text: 3. Validate whether appropriate mechanisms are implemented to protect + the integrity of logs and to prevent/detect logs from being modified/tampered + at the storage location. 
Additionally, ensure such activities are recorded + and controlled. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:4 + text: 4. Inspect whether administrative permissions to manage and modify + audit logs are restricted to authorized personnel only. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:5 + text: 5. For a sample of events, inspect whether all administrative and + operational activities are logged and events are captured to trace back + to a particular user in case of any modifications/tampering performed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-14:question:6 + text: 6. Validate whether all applicable logs are replicated and stored + on a centralized server and access is restricted to only authorized personnel, + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-15 + name: Unauthorized Devices Addition + description: "Unauthorized devices connected to the Organization Network are:\n\ + \u2022 detected within a maximum of five minutes, and\n\u2022 the unauthorized\ + \ device is disabled, or a notification is sent to authorized Organization\ + \ personnel" + annotation: "1. Enable Organization's monitoring tool configurations to ensure\ + \ that unauthorized devices are:\n\u2022 detected within a maximum of five\ + \ minutes, and\n\u2022 the unauthorized device is disabled, or a notification\ + \ is sent to authorized Organization personnel" + typical_evidence: E-SM-14 - Monitoring tool configuration + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-15:question:1 + text: '1. 
Inspect Organization''s monitoring tool configurations to ensure + that the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-15:question:2 + text: "\u2022 detected within a maximum of five minutes, and" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-15:question:3 + text: "\u2022 the unauthorized device is disabled, or a notification is\ + \ sent to authorized Organization personnel" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-16 + name: 'Security Monitoring Alert Criteria: Guest, Anonymous and Temp Accounts' + description: Organization defines security monitoring alert criteria for the + use of guest, anonymous, and temporary accounts on Organization's network. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for security monitoring alert criteria for the use of guest, + anonymous, and temporary accounts on Organization''s network. + + 2. Ensure that the security monitoring rules are defined, enabled and alert + applicable personnel on the use of guest, anonymous, and temporary accounts + on Organization''s network. + + 3. Ensure that alerts are being generated and sent to the SOC team to support + remediation.' + typical_evidence: E-SM-10 - Security Monitoring Standard + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-16:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements for security monitoring alert criteria for the use + of guest, anonymous, and temporary accounts on Organization's network + are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-16:question:2 + text: 2. 
Inspect a sample of security monitoring rules, to validate that + the rules are defined to look for and alert applicable personnel on the + use of guest, anonymous, and temporary accounts on Organization's network. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-16:question:3 + text: 3. Validate that alerts being generated are sent to the SOC team to + support remediation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-17 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-17 + name: 'Security Monitoring Alert Criteria: VoIP Usage' + description: Organization defines security monitoring alert criteria to detect + deviations from Voice over IP (VoIP) activity standards. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for security monitoring alert criteria to detect deviations from + Voice over IP (VoIP) activity standards are defined. + + 2. Ensure that the security monitoring rules are defined, enabled and alert + applicable personnel on deviations from Voice over IP (VoIP) activity standards. + + 3. Ensure that alerts are being generated and sent to the SOC team to support + remediation.' + typical_evidence: E-SM-10 - Security Monitoring Standard + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-17:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + requirements for security monitoring alert criteria to detect deviations + from Voice over IP (VoIP) activity standards are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-17:question:2 + text: 2. Inspect a sample of security monitoring rules, to validate that + the rules are defined to look for and alert applicable personnel on deviations + from Voice over IP (VoIP) activity standards. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-17:question:3 + text: 3. 
Validate that alerts being generated are sent to the SOC team to + support remediation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-18 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-18 + name: 'Prohibited Activity Monitoring: Remote Access' + description: Remote sessions are monitored for prohibited activity. + annotation: 1. Ensure that the monitoring reports or evidence of logs from remote + sessions are reviewed for prohibited activity. + typical_evidence: E-SM-15 - Log evidence from remote sessions + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-18:question:1 + text: 1. Review the monitoring reports or evidence of logs from remote sessions + to determine that the remote sessions are reviewed for prohibited activity. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-19 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-19 + name: 'Prohibited Activity Monitoring: Client Run Time Technologies' + description: Organization monitors and flags the use of prohibited client run + time technologies on information systems. + annotation: '1. Ensure that the monitoring software are installed on information + systems. + + 2. Enable the alerting criteria to ensure it monitors prohibited execution.' + typical_evidence: 'E-SM-16 - Evidence of monitoring tool installation + + E-SM-17 - Alerting criteria' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-19:question:1 + text: 1. Validate and inspect if monitoring software are installed on information + systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-19:question:2 + text: 2. Inspect the alerting criteria to ensure it monitors prohibited + execution. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-20 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-20 + name: 'Security Monitoring Alert Criteria: Wireless Access Point' + description: Organization defines security monitoring alert criteria for attack + attempts against wireless access points. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for security monitoring alert criteria for attack attempts against + wireless access points. + + 2. Ensure that the security monitoring rules are defined, enabled and alert + applicable personnel on potential failed login attempts. + + 3. Ensure that alerts are being generated and sent to the SOC team to support + remediation.' + typical_evidence: 'E-SM-10 - Security Monitoring Standard + + E-SM-11 - List of monitoring rules' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-20:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements for security monitoring alert criteria for attack + attempts against wireless access points are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-20:question:2 + text: 2. Obtain list of security monitoring rules that are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-21 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-21 + name: 'Security Monitoring Alert Criteria: Failed Logins' + description: Organization defines security monitoring alert criteria for failed + login attempts on Organization's network. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for security monitoring alert criteria for failed login attempts + on Organization''s network. + + 2. 
Ensure a sample of security monitoring rules, to validate that the rules + are defined to look for and alert applicable personnel on potential failed + login attempts. + + 3. Ensure that alerts being generated are sent to the SOC team to support + remediation.' + typical_evidence: 'E-SM-18 - Sample of security monitoring rules configuration + + E-SM-19 - Sample of alerts generated' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-21:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements for security monitoring alert criteria for failed + login attempts on Organization's network. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-21:question:2 + text: 2. Inspect a sample of security monitoring rules, to validate that + the rules are defined to look for and alert applicable personnel on potential + failed login attempts. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-21:question:3 + text: 3. Validate that alerts being generated are sent to the SOC team to + support remediation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-22 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-22 + name: 'Security Monitoring Alert Criteria: Privileged Functions' + description: Organization defines security monitoring alert criteria for privileged + functions executed by both authorized and unauthorized users. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for security monitoring alert criteria for privileged functions + executed by both authorized and unauthorized users. + + 2. Ensure that the security monitoring rules are defined, enabled and alert + applicable personnel on privileged functions executed by both authorized and + unauthorized users. + + 3. 
Ensure that alerts are being generated and sent to the SOC team to support + remediation.' + typical_evidence: 'E-SM-18 - Sample of security monitoring rules configuration + + E-SM-19 - Sample of alerts generated' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-22:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements for privileged functions executed by both authorized + and unauthorized users. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-22:question:2 + text: 2. Inspect a sample of security monitoring rules, to validate that + the rules are defined to look for and alert applicable personnel on privileged + functions executed by both authorized and unauthorized users. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-22:question:3 + text: 3. Validate that alerts being generated are sent to the SOC team to + support remediation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-23 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-23 + name: 'Security Monitoring Alert Criteria: Audit Log Integrity' + description: Organization defines security monitoring alert criteria for changes + to the integrity of audit logs. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for security monitoring alert criteria for changes to the integrity + of audit logs. + + 2. Ensure that the security monitoring rules are defined, enabled and alert + applicable personnel on changes to the integrity of audit logs. + + 3. Ensure that alerts are being generated and sent to the SOC team to support + remediation.' 
+ typical_evidence: 'E-SM-18 - Sample of security monitoring rules configuration + + E-SM-19 - Sample of alerts generated' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-23:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements for changes to the integrity of audit logs. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-23:question:2 + text: 2. Inspect a sample of security monitoring rules, to validate that + the rules are defined to look for and alert applicable personnel on changes + to the integrity of audit logs. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-23:question:3 + text: 3. Validate that alerts being generated are sent to the SOC team to + support remediation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-24 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-24 + name: 'Security Monitoring Alert Criteria: Cardholder System Components' + description: Organization defines security monitoring alert criteria for system + components that store, process, transmit, or could impact the security of + cardholder data and/or sensitive authentication data. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for security monitoring alert criteria for system components + that store, process, transmit, or could impact the security of cardholder + data and/or sensitive authentication data. + + 2. Ensure that the security monitoring rules are defined, enabled, and alert + applicable personnel on checks for any impact to the CDE. + + 3. Ensure that alerts are being generated and sent to the SOC team to support + remediation.' 
+ typical_evidence: 'E-SM-18 - Sample of security monitoring rules configuration + + E-SM-19 - Sample of alerts generated' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-24:question:1 + text: 1. Inspect whether the security logs from various sources are sent + to the monitoring tool. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-24:question:2 + text: 2. Inspect a sample of security monitoring rules, to validate that + the rules are defined to look for and alert applicable personnel on checks + for any impact to the CDE. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-24:question:3 + text: 3. Validate that alerts being generated are sent to the SOC team to + support remediation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-25 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-25 + name: System Security Monitoring + description: Critical systems are monitored in accordance with predefined security + criteria and alerts are sent to authorized personnel. Confirmed incidents + are tracked to resolution. + annotation: '1. Ensure that Organization''s Security Monitoring Standard includes + requirements for responding to flagged system alerts and confirmed incidents. + + 2. Configure security monitoring tool to ensure that critical information + system activity is monitored. + + 3. Ensure that the events are triaged and resolved by authorized personnel + as applicable.' + typical_evidence: 'E-SM-10 - Security Monitoring Standard + + E-SM-19 - Sample of alerts generated' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-25:question:1 + text: 1. Inspect Organization's Security Monitoring Standard to determine + whether requirements are defined for responding to flagged system alerts + and confirmed incidents. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-25:question:2 + text: 2. For a sample of services, inspect security monitoring tool to determine + whether critical information system activity is monitored. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-25:question:3 + text: 3. Inspect a sample of security events to determine whether the events + are triaged and resolved by authorized personnel as applicable. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-26 + name: Intrusion Detection Systems + description: "Organization has an Intrusion Detection System (IDS) or Intrusion\ + \ Prevention System (IPS) deployment(s) and ensures the following:\n\u2022\ + \ signature definitions are updated including the removal of false positive\ + \ signatures\n\u2022 non-signature based attacks are defined\n\u2022 IDS/IPS\ + \ are configured to capture malicious (both signature and non-signature based)\ + \ traffic\n\u2022 alerts are reviewed and resolved by authorized personnel\ + \ when malicious traffic is detected" + annotation: "1. Ensure that the Organization has a policy or standard that covers\ + \ the use and management of intrusion detection system (IDS) or intrusion\ + \ prevention system (IPS) tools on its in-scope systems.\n2. Ensure that there\ + \ is an intrusion detection system (IDS) or intrusion prevention system (IPS)\ + \ deployed on all in-scope systems.\n3. Ensure that IDS/IPS tool is configured\ + \ in a manner that:\n\u2022 signature definitions are updated including the\ + \ removal of false positive signatures\n\u2022 non-signature based attacks\ + \ are defined\n\u2022 IDS/IPS are configured to capture malicious (both signature\ + \ and non-signature based) traffic\n\u2022 alerts are reviewed and resolved\ + \ by authorized personnel when malicious traffic is detected\n4. 
Ensure that\ + \ the ability to disable IDS/IPS tools are restricted to limited personnel,\ + \ and can only be disabled with a proper justification and for a limited time." + typical_evidence: 'E-SM-18 - Sample of security monitoring rules configuration + + E-SM-19 - Sample of alerts generated' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:1 + text: 1. Inspect the Organization has a policy or standard that details + the use and management of intrusion detection system (IDS) or intrusion + prevention system (IPS) tools on its in-scope systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:2 + text: 2. Obtain a list of all in-scope systems, and for a given sample, + confirm that IDS/IPS is running on those systems, and that they are up + to date. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:3 + text: '3. Inspect the IDS/IPS rulesets and ensure that they are configured + with the items below:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:4 + text: "\u2022 signature definitions are updated including the removal of\ + \ false positive signatures" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:5 + text: "\u2022 non-signature based attacks are defined" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:6 + text: "\u2022 IDS/IPS are configured to capture malicious (both signature\ + \ and non-signature based) traffic" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:7 + text: "\u2022 alerts are reviewed and resolved by authorized personnel when\ + \ malicious traffic is detected" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:8 + text: 4. For a sample of alerts, confirm that they were reviewed and resolved + by the authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-26:question:9 + text: 5. 
Observe configuration showing that IDS/IPS tools cannot be disabled + except by authorized personnel and can only be disabled with a proper + justification and for a limited time. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-27 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-27 + name: System Monitoring Legal Opinion + description: Organization obtains legal opinion with regard to monitoring activities + in accordance with applicable requirements and mandates. + annotation: '1. Design a legal process to ensure that only approved monitoring + criteria is established as per applicable legal, contractual, and government + requirements. + + 2. Ensure any change in monitoring criteria takes legal sign off into consideration.' + typical_evidence: E-SM-20 - Sample of legal sign off on monitoring criteria + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-27:question:1 + text: 1. Inspect organization's legal process to ensure approved monitoring + criteria is established as per applicable legal, contractual, and government + requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-27:question:2 + text: 2. Validate whether any change in monitoring criteria takes legal + sign off into consideration. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-28 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-28 + name: Privileged Session Monitoring + description: 'Organization monitors trusted data environments for unauthorized + logical access connections. ' + annotation: "1. Ensure that Organization's Security Monitoring standard includes\ + \ the requirements for session monitoring.\n2. Configure monitoring tool to\ + \ ensure least privileged principle is followed. \n3. 
Ensure that the organization\ + \ monitors trusted data environments for unauthorized logical access connections." + typical_evidence: 'E-SM-10 - Security Monitoring Standard + + E-SM-14 - Monitoring tool configuration + + E-SM-21 - Alerting criteria for unauthorized logical access connections' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-28:question:1 + text: 1. Inspect Organization's Security Monitoring standard to determine + whether the requirements for session monitoring are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-28:question:2 + text: '2. Inspect configurations of monitoring tool to ensure least privileged + principle is followed. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-28:question:3 + text: 3. Inspect evidence of the Organization monitoring trusted data environments + for unauthorized logical access connections. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-29 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-29 + name: Availability Monitoring Alert Criteria + description: Organization defines availability monitoring alert criteria, how + alert criteria will be flagged, and identifies authorized personnel for flagged + system alerts. + annotation: '1. Ensure that a documented Availability Monitoring Standard is + present including requirements defined for responding to alerts and confirmed + incidents. + + 2. Establish a process to ensure that the availability monitoring rules are + defined and implemented to flag events, and notify authorized personnel. + + 3. Ensure that the system configurations of monitoring tools include Availability + Monitoring Alert Criteria.' 
+ typical_evidence: 'E-SM-22 - Availability Monitoring Standard + + E-SM-23 - Availability Monitoring Rules + + E-SM-24 - Availability Monitoring Tool Configuration' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-29:question:1 + text: "1. Inspect Organization\u2019s Availability Monitoring Standard to\ + \ determine whether requirements for availability monitoring alert criteria\ + \ are defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-29:question:2 + text: 2. Inspect availability monitoring tool to determine whether availability + monitoring rules are defined and implemented to flag events, and notify + authorized personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-29:question:3 + text: 3. Inspect system configurations of monitoring tools for a sample + of services to determine whether Availability Monitoring Alert Criteria + are configured for monitoring and alerting purposes on in-scope systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-30 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-30 + name: Availability Monitoring Alert Criteria Review + description: Organization reviews availability monitoring alert criteria on + an annual basis. + annotation: '1. Ensure that a documented Security Monitoring Standard is present + including process regarding availability monitoring alert criteria. + + 2.. Ensure that the availability monitoring alerts are reviewed on an annual + basis.' + typical_evidence: 'E-SM-10 - Security Monitoring Standard + + E-SM-25 - Sample of Availability Monitoring Alerts' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-30:question:1 + text: 1. Inspect Security Monitoring Standard to ensure process regarding + availability monitoring alert criteria is defined. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-30:question:2 + text: 2. Inspect evidence of availability monitoring alerts to ensure it + is reviewed on an annual basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-31 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-31 + name: System Availability Monitoring + description: Critical systems are monitored in accordance with predefined availability + criteria and alerts are sent to authorized personnel. + annotation: '1. Ensure that a documented Availability Monitoring Standard is + present including requirements defined for responding to alerts and confirmed + incidents. + + 2. Ensure that a process has been established which generates alerts against + the availability incidents identified. + + 3. Ensure that the alerts are resolved in a timely manner by authorized personnel.' + typical_evidence: 'E-SM-22 - Availability Monitoring Standard + + E-SM-26 - Sample of Availability Incident Tickets' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-31:question:1 + text: "1. Inspect Organization\u2019s Availability Monitoring Standard to\ + \ determine whether requirements are defined for responding to alerts\ + \ and confirmed incidents." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-31:question:2 + text: 2. Inspect a sample of availability incident tickets from alerts generated + to determine whether the alerts were resolved in a timely manner by authorized + personnel. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-32 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node246 + ref_id: SM-32 + name: 'Remote Access: Activity Log Audit' + description: Logs from remote sessions are audited for prohibited activity on + a weekly basis. + annotation: 1. 
Establish a process that ensures the logs from remote sessions + be reviewed for prohibited activity on a weekly basis. + typical_evidence: 'E-SM-01 - Logging Standard + + E-SM-27 - Remote Session logs + + E-SM-28 - Periodic log review documentation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:sm-32:question:1 + text: 1. Inspect evidence of logs of remote sessions to determine that the + logs are reviewed for prohibited activity on a weekly basis. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + assessable: false + depth: 1 + name: Site Operations + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-01 + name: Secured Facility + description: Physical access to restricted areas of the facility is protected + by walls with non-partitioned ceilings, secured entry points, and/or manned + reception desks. + annotation: '1. Ensure that the Organization-owned data center facility is protected + with: Non-partitioned ceilings Secured entry points; and/or Manned reception + desks. ' + typical_evidence: E-SO-01 - Images/Physical inspection confirming Non-partitioned + ceilings Secured entry points; and/or Manned reception desks + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-01:question:1 + text: '1. Observe the Organization-owned data center facility to determine + whether the facility is protected with: Non-partitioned ceilings Secured + entry points; and/or Manned reception desks. 
' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-02 + name: Physical Protection and Positioning of Cabling + description: Organization power and telecommunication lines are protected from + interference, interception, and damage. + annotation: 1. Ensure that the Organization-owned data center facility has power + and telecommunication lines tagged and labelled properly to protect from + interference, interception, and damage. + typical_evidence: E-SO-02 - Images/Physical inspection confirming data center + facility has power and telecommunication lines tagged and labelled + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-02:question:1 + text: 1. Inspect Organization-owned data center facility to determine whether + power and telecommunication lines are tagged and labelled properly to protect + from interference, interception, and damage. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-03 + name: 'Global Coordination of Critical Functions: Information Security Safeguards' + description: Organization consistently applies information security safeguards + in datacenters and campuses. + annotation: "1. Ensure that information security safeguards are in place in\ + \ datacenters and campuses including but not limited to : \nAccess Machines\ + \ at entry/exit\nFire extinguishers\nFire Alarms etc." + typical_evidence: E-SO-03 - Images/Physical inspection confirming information + security safeguards in place at Access Machines at entry/exit, Fire extinguishers, + Fire Alarms etc. 
+ question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-03:question:1 + text: '1 Observe whether information security safeguards are in place in + datacenters and campuses including but not limited to : ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-03:question:2 + text: Access Machines at entry/exit + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-03:question:3 + text: Fire extinguishers + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-03:question:4 + text: Fire Alarms etc. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-04 + name: Provisioning Physical Access + description: "Physical access provisioning to an Organization datacenter requires\ + \ management approval and documented specification of: \n\u2022 account type\ + \ (e.g., standard, visitor, or vendor)\n\u2022 access privileges granted\n\ + \u2022 intended business purpose\n\u2022 visitor identification method, if\ + \ applicable\n\u2022 temporary badge issued, if applicable\n\u2022 access\ + \ start date\n\u2022 access duration" + annotation: '1. Ensure all physical access to organization data centers have + management approval and documentation. + + 2. Ensure physical access is granted after appropriate approvals.' + typical_evidence: 'E-SO-08 - Physical Access Policy + + E-SO-09 - Approval evidences for physical access' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:1 + text: '1. Inspect the physical security system workflow to determine whether + requests for physical access required management approval and required + documented specification of:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:2 + text: "\u2022Account type (e.g., visitor, vendor, or regular)." 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:3 + text: "\u2022Access privileges granted." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:4 + text: "\u2022Intended business purpose." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:5 + text: "\u2022Visitor identification method, if applicable." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:6 + text: "\u2022Temporary badge issued, if applicable." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:7 + text: "\u2022Access start date." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:8 + text: "\u2022Access duration." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-04:question:9 + text: '2. Inspect physical access request documentation for a sample of + new physical access requests to the Organization-owned data center and + data rooms to determine whether access is approved. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-05 + name: De-provisioning Physical Access + description: Physical access that is no longer required in the event of a termination + or role change is revoked. If applicable, temporary badges are returned prior + to exiting facility. + annotation: '1. Design and document a process for temporary badges being returned + prior to exiting the facility. + + 2. Ensure access is revoked in case of employee termination or role change.' + typical_evidence: 'E-SO-08 - Physical Access Policy + + E-SO-10 - De-provisioning evidences' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-05:question:1 + text: 1. Inspect Physical Access Policy to determine whether it contains + the requirement for temporary badges to be returned prior to exiting the + facility. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-05:question:2 + text: '2. Obtain evidence to ensure no physical access is active for the + terminated employees or unnecessary physical access for employees with + a change in their roles and responsibilities. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-06 + name: Periodic Review of Physical Access + description: Organization performs physical account and access reviews on a + quarterly basis; corrective action is taken where applicable. + annotation: '1. Design and document a process for physical access review and + frequency. + + 2. Ensure access review is performed as per defined frequency and necessary + action is taken, if required..' + typical_evidence: 'E-SO-08 - Physical Access Policy + + E-SO-11 - Physical Access Review evidence + + E-SO-12 - termination Process Evidence for sample employees' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-06:question:1 + text: "1. Inspect Organization\u2019s Physical Access Policy to determine\ + \ whether requirements for physical access review are defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-06:question:2 + text: 2. Inspect quarterly physical access review documentation for a sample + of quarters and a sample of Organization-owned data rooms to determine + whether the access review is completed, and corrective actions is documented + and resolved for any access that should be revoked. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-07 + name: Physical Access Role Permission Authorization + description: Initial permission definitions, and changes to permissions, associated + with physical access roles are approved by authorized personnel. 
+ annotation: '1. Ensure all physical access to organization data centers have + management approval and documentation. + + 2. Ensure physical access is granted after appropriate approvals.' + typical_evidence: 'E-SO-08 - Physical Access Policy + + E-SO-09 - Approval evidences for physical access' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-07:question:1 + text: 1 Inspect the physical security system workflow to determine whether + requests for physical access require approval. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-07:question:2 + text: 2 Inspect an approval of authorized personnel, for any initial permission or + modifications of permissions, ensure they are associated to physical access + roles. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-08 + name: Monitoring Physical Access + description: Intrusion detection and video surveillance are installed at Organization + datacenter locations; confirmed incidents are documented and tracked to resolution. + annotation: '1. Ensure that the Organization data center intrusion detection + and video surveillance system are installed at Organization data center. + + 2. Ensure that event logs are used for resolution of incidents.' + typical_evidence: 'E-SO-04 - Sample CCTV video of data center from intrusion + detection and video surveillance system + + E-IR-07 - Logs of Incident maintained' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-08:question:1 + text: 1. Observe the Organization data center intrusion detection and video + surveillance system to determine whether intrusion detection and video + surveillance systems are installed at Organization data center. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-08:question:2 + text: 2. If applicable, for a sample of incident observe that event logs + were used for the resolution of the incident. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-09 + name: Surveillance Feed Retention + description: Surveillance feed data is retained for 90 days. + annotation: 1. Ensure that surveillance feed data is stored for 90 days. + typical_evidence: E-SO-05 - Configuration from the camera management system + that shows that it is configured to retain surveillance video data for 90 + days + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-09:question:1 + text: 1. Observe a sample of video footage showing the date and timestamp + from the day of collection and one that is from 90 days before that. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-09:question:2 + text: 2. Observe a configuration from the camera management system that + shows that it is configured to retain surveillance video data for 90 days + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-10 + name: Visitor Access + description: Physical access for visitors is managed through monitoring, maintaining + records, escorting, and reviewing access monthly. Visitor access records to + the facilities are kept for at least a year. + annotation: '1. Design and document the requirement for visitor access, maintaining + records, escorting, and reviewing access monthly. + + 2. Ensure visitor access is approved, with an escort. + + 3. Ensure monthly access reviews are performed. + + 4. Ensure retention of visitor access for at least a year.' 
+ typical_evidence: "E-SO-08 - \nE-SO-13 - Visitor Approval records\nE-SO-14\ + \ - Visitor access monthly reviews" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-10:question:1 + text: 1. Inspect Physical Access Policy to determine whether it contains + the requirement for visitor access, maintaining records, escorting. and + reviewing access monthly. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-10:question:2 + text: 2. Obtain and validate evidence that visitor access is approved, with + an escort. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-10:question:3 + text: 3. Obtain and validate evidence of monthly access reviews. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-10:question:4 + text: 4. Obtain and validate evidence of retention of visitor access for + at least a year. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-11 + name: Physical Access Devices + description: Physical access devices (i.e., keys, combinations, access cards, + etc.) are maintained through an inventory and restricted to authorized individuals. + Appropriate devices are rotated when compromised or upon employee termination + or transfer. + annotation: '1. Ensure inventory of physical access devices is maintained. + + 2. Ensure access to inventory is limited to authorized personnel. + + 3. Ensure rotation of physical access devices when compromised, or employee + termination or transfer.' + typical_evidence: 'E-SO-15 - List of physical devices + + E-SO-16 - Access list to inventory + + E-SO-17 - Evidence of Key Rotation when compromised/ employee termination + or transfer' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-11:question:1 + text: 1 Inspect the list of physical access devices. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-11:question:2 + text: 2 Inspect the list of individuals who has an access to physical devices. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-11:question:3 + text: 3 Inspect whether physical access devices were rotated when compromised + or upon employee termination or transfer. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-12 + name: Temperature and Humidity Control + description: Temperature and humidity levels of datacenter environments are + monitored and maintained at appropriate levels. + annotation: "1. Ensure temperature and humidity monitoring system configurations\ + \ at organization-owned data center are set to determine whether temperature\ + \ and humidity levels are being monitored and configured to alert appropriate\ + \ personnel when temperature or humidity levels exceed set limits. \n2.Ensure\ + \ that temperature and humidity alarms are generated over the threshold." + typical_evidence: 'E-SO-18 - Temperature and Humidity configuration + + E-SO-19 - Temperature and Humidity Threshold defined in system + + E-SO-20 - Temperature and Humidity Alarms triggered and remediation' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-12:question:1 + text: '1. Inspect the temperature and humidity monitoring system and configurations + at organization-owned data center to determine whether temperature and + humidity levels are being monitored and configured to alert appropriate + personnel when temperature or humidity levels exceed set limits. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-12:question:2 + text: 2.Inspect the temperature and humidity alarms generated over the threshold + to determine if any alarms were triggered. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-13 + name: Fire Suppression Systems + description: Emergency responders are automatically contacted when fire detection + systems are activated; the design and function of fire detection and suppression + systems are maintained at appropriate intervals. + annotation: '1. Ensure fire detection systems are in place and emergency responders + are contacted, if required. + + 2. Ensure detection and suppression systems are tested at regular intervals.' + typical_evidence: 'E-SO-08 - Physical Access Policy + + E-SO-06 - Images/Physical inspection confirming the fire detection/suppression + systems in use at the Organization-owned data center + + E-SO-21 - fire suppression/detection certifications ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-13:question:1 + text: 1. Inspect Organization's Physical Security Policy, Alarm Management + and System Maintenance Standard to determine whether requirements for + fire detection/suppression systems are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-13:question:2 + text: 2. Observe the fire detection/suppression systems in use at the Organization-owned + data center to determine whether they are in place. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-13:question:3 + text: 3. Inspect the fire detection system monitoring contract in place + to determine whether Organization has contracted with a third party to + monitor fire detection systems for the Organization-owned data center. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-13:question:4 + text: 4. Inspect fire suppression/detection certifications at the Organization + owned data center to determine whether the design and function of these + systems are tested at appropriate intervals. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-14 + name: Power Failure Protection + description: Organization employs uninterruptible power supplies (UPS) and generators + to support critical systems in the event of a power disruption or failure. + The design and function of relevant equipment is certified at appropriate + intervals. + annotation: '1. Ensure UPS and generators are employed to support critical systems + in the event of a power disruption or failure. + + 2. Ensure that UPS and generator are certified at appropriate intervals.' + typical_evidence: 'E-SO-08 - Physical Access Policy + + E-SO-07 - Images/Physical inspection confirming UPS and generators at a selection + of Organization-owned data center + + E-SO-22 - UPS and generator maintenance certificates' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-14:question:1 + text: 1. Observe the UPS and generators at a sample of Organization-owned + data center and data rooms to determine whether they are employed to support + critical systems in the event of a power disruption or failure. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-14:question:2 + text: 2. Inspect UPS and generator certifications for in-scope Organization + owned-data center and data rooms to determine whether the equipment is + certified at appropriate intervals. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-15 + name: Emergency Shutoff + description: Organization employs emergency power shut-off capabilities. Access + to shut off power is restricted to authorized individuals. + annotation: '1. Ensure process is documented for emergency power shut-off. + + 2. 
Ensure access to shut-off power is limited to authorized personnel.' + typical_evidence: 'E-SO-08 - Physical Access Policy + + E-SO-23 - List of authorized personnel with access to shut-off power' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-15:question:1 + text: 1 Inspect documentation related to emergency power shut-off capabilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-15:question:2 + text: 2 Obtain and validate a list of authorized personnel who have access + to shut off power. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node279 + ref_id: SO-16 + name: Emergency Lighting + description: Organization employs emergency lighting in the event of a power + disruption or failure. The design and function of relevant equipment is certified + at appropriate intervals. + annotation: 1. Ensure emergency lighting equipment's are tested at regular intervals. + typical_evidence: E-SO-24 - Emergency lighting equipment certificates + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:so-16:question:1 + text: 1 Inspect certification of relevant equipment which may be used during + emergency lighting in the event of a power disruption or failure. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + assessable: false + depth: 1 + name: Training and Awareness + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-01 + name: General Security Awareness Training + description: Organization personnel complete security awareness training, which + includes annual updates about relevant policies and how to report security + events to the authorized response team. 
Records of training completion are + documented and retained for tracking purposes. + annotation: "1. Ensure that the requirements for completion of security awareness\ + \ training are defined in the Organization\u2019s Compliance Training Policy\ + \ and Security Awareness Training Standard.\n2. Ensure that the Organization's\ + \ Security Awareness Training Material is well defined, documented, and up\ + \ to date.\n3. Ensure that there is a record of active employees and contractors\ + \ maintained and updated by the organization.\n4. Ensure that security awareness\ + \ training is provided on a regular basis and the progress of all contractors\ + \ and employees participating in the training tracked and documented.." + typical_evidence: 'E-TA-01 - Compliance Training Policy + + + + + + E-TA-02 - Training Material + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-01:question:1 + text: "1. Inspect Organization\u2019s Compliance Training Policy and Security\ + \ Awareness Training Standard to determine whether requirements for completion\ + \ of security awareness training are defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-01:question:2 + text: "2. Inspect Organization\u2019s Security Awareness Training material\ + \ to determine whether it details: Version history of the SAT to determine\ + \ materials are updated during the audit period. How to report security\ + \ events to the appropriate response team" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-01:question:3 + text: 3. Obtain the list of active employees and contractors. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-01:question:4 + text: 4. For a sample of active employees and contractors, obtain and inspect + the security awareness training completion records to determine whether + training is completed annually and completion is tracked and documented. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-02 + name: Code of Conduct Training + description: Organization full-time and temporary employees and interns complete + a code of business conduct training. + annotation: '1. Ensure that requirements for completion of business code of + conduct training are defined with the organization''s Compliance Training + Policy. + + 2. Ensure that the training material for the Organization''s Code of Business + Conduct outlines the responsibilities of both full-time and temporary employees + in adhering to the code. + + 3. Ensure employees have completed the Code of Business Conduct training as + per the policy by examining training completion records for a group of new + and existing employees.' + typical_evidence: 'E-TA-01 - Compliance Training Policy + + + + + + E-TA-02 - Training Material + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-02:question:1 + text: "1. Inspect Organization\u2019s Compliance Training Policy to determine\ + \ whether requirements for completion of business code of conduct training\ + \ are defined." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-02:question:2 + text: "2. Inspect Organization\u2019s Code of Business Conduct training\ + \ material to determine whether it includes Organization full-time and\ + \ temporary Employees\u2019 responsibilities for adhering to the business\ + \ code of conduct." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-02:question:3 + text: 3. Inspect Code of Conduct training completion records for a selection + of new and current employees to determine whether new hires and existing + employees have completed Code of Business Conduct training in accordance + with the policy. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-03 + name: Accessibility Training + description: Organization personnel complete accessibility awareness training, + which includes annual updates about relevant policies and how to report accessibility + events internally. Records of training completion are documented and retained + for tracking purposes. + annotation: '1. Ensure that the training material includes information about + annual updates to relevant policies and instructions on how to report accessibility + events internally. + + 2. Ensure that well defined and documented records of training completion + are maintained by the organization.' + typical_evidence: 'E-TA-02 - Training Material + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-03:question:1 + text: '1 Inspect training material to determine whether it detailed annual + updates about relevant policies and how to report accessibility events + internally. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-03:question:2 + text: 2 Inspect training completion records for a sample of employees. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-04 + name: Phishing Awareness + description: Organization performs periodic phishing campaigns. + annotation: 1. Ensure that the organization conducts regular phishing campaigns + to help employees get better at spotting and handling real phishing threats + typical_evidence: E-TA-04 - Evidence of phishing campaigns set up by the organization + (Eg - mails sent etc) + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-04:question:1 + text: 1. 
Verify that the organization performs periodic phishing campaigns + to evaluate and improve their employees' ability to recognize and respond + to real phishing threats. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-05 + name: Developer Security Training + description: Organization's software engineers are required to complete training + based on secure coding techniques on an annual basis. + annotation: '1. Ensure that review of the security training material includes + guidance on yearly Secure Coding Training for PCI developers and software + engineers. + + 2. Ensure that the secure coding training was provided and completed by the + employees within the last 365 days. + + 3. Make sure that engineers are registered for the Security Engineering Training + program as required.' + typical_evidence: 'E-TA-02 - Training Material + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-05:question:1 + text: 1. Inspect the Security Training Material to validate that the standard + provides guidance on annual Secure Coding Training for PCI developers + and software engineers. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-05:question:2 + text: 2. For a sample of employees obtain evidences showing secure coding + training completion. Validate that the date of completion is in the last + 365 days. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-05:question:3 + text: 3. Ensure that all engineers are enrolled in the Security Engineering + Training program as needed. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-06 + name: Payment Card Processing Security Awareness Training + description: "Organization personnel that interact with cardholder data systems\ + \ receive awareness training to be aware of attempted tampering or replacement\ + \ of devices. Training should include the following:\n\u2022 verify the identity\ + \ of third-party persons claiming to be repair or maintenance personnel, prior\ + \ to granting them access to modify or troubleshoot devices.\n\u2022 do not\ + \ install, replace, or return devices without verification\n\u2022 be aware\ + \ of suspicious behavior around devices (e.g., attempts by unknown persons\ + \ to unplug or open devices)\n\u2022 report suspicious behavior and indications\ + \ of device tampering or substitution to authorized personnel (e.g., to a\ + \ manager or security officer)" + annotation: "1. Ensure that the training materials to check if they cover the\ + \ following topics:\n\u2022 Confirming the identity of third-party repair\ + \ or maintenance personnel before giving them access to devices.\n\u2022 Not\ + \ making changes or returning devices without proper verification.\n\u2022\ + \ Being alert to unusual behavior around devices, like unauthorized attempts\ + \ to tamper with them.\n\u2022 Reporting any suspicious behavior or signs\ + \ of device tampering to authorized personnel, such as a manager or security\ + \ officer." 
+ typical_evidence: 'E-TA-02 - Training Material + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:1 + text: '1 Inspect training material to determine whether it detailed:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:2 + text: "\u2022 verify the identity of third-party persons claiming to be\ + \ repair or maintenance personnel, prior to granting them access to modify\ + \ or troubleshoot devices." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:3 + text: "\u2022 do not install, replace, or return devices without verification" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:4 + text: "\u2022 be aware of suspicious behavior around devices (e.g., attempts\ + \ by unknown persons to unplug or open devices)" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:5 + text: "\u2022 report suspicious behavior and indications of device tampering\ + \ or substitution to authorized personnel (e.g., to a manager or security\ + \ officer)" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-06:question:6 + text: 2 Inspect training completion records for a selection of employees. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-07 + name: 'Role-based Security Training: HIPAA' + description: Organization personnel with access to personal health information + (PHI) are required to attend and complete HIPAA privacy training. + annotation: "1. Ensure access to sensitive information including (PHI) is given\ + \ to limited employees (based on roles and responsibilities) and records for\ + \ the same shall be maintained. \n2. Ensure all employee that accesses PHI\ + \ shall complete mandatory training of HIPAA security and privacy.\n3. 
Training\ + \ records for the same needs to be maintained for tracking purpose." + typical_evidence: 'E-TA-05 - Access records who have access to PHI + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-07:question:1 + text: 1. Inspect the population of Organization personnel who have access + to PHI. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-07:question:2 + text: '2. Inspect completion records for a sample of employees with access + to PHI, for evidence that the employees had completed HIPAA security and + privacy training. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-08 + name: Role-based Security Training + description: "Organization personnel with key security responsibilities complete\ + \ relevant role-based training on an annual basis:\n\u2022 personnel must\ + \ complete training prior to obtaining access to privileged security systems\n\ + \u2022 personnel with contingency responsibilities must complete role-based\ + \ training within 10 days of assuming the role\n\u2022 records of training\ + \ completion are documented and retained for tracking purposes" + annotation: '1. Ensure role-based training material contains details around + key security responsibilities. + + 2. Training records for each employee shall be maintained for future tracking.' + typical_evidence: 'E-TA-02 - Training Material + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-08:question:1 + text: 1 Inspect training material to determine whether it detailed key security + responsibilities relevant to role-based trainings. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-08:question:2 + text: 2 Inspect training completion records for a sample of employees. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node296 + ref_id: TA-09 + name: Security Champion Training + description: Service teams select a "Security Champion" to ensure security engagement + responsibilities are assigned and tracked to completion; Security Champions + receive training on how to execute responsibilities. + annotation: '1. Ensure there is a process by which the service teams select + a "Security Champion" and they complete their security champions training. + + 2. Maintain training records for the Security Champions.' + typical_evidence: 'E-TA-02 - Training Material + + E-TA-03 - Training Records' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-09:question:1 + text: '1. Inspect documentation related to Security Champions and verify + that they are defined for selected service teams. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:ta-09:question:2 + text: 2. Inspect training completion records for a sample of Security Champions. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + assessable: false + depth: 1 + name: Third-Party Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-01 + name: Third-Party Assurance Review + description: On a periodic basis, management reviews controls within third-party + assurance reports to ensure that they meet organizational requirements; if + control gaps are identified in the assurance reports, management takes action + to address impact the disclosed gaps have on the organization. + annotation: "1. 
Ensure there is a documented procurement policy and information\ + \ security standard which consists information that includes but not limited\ + \ to third-party assurance reviews. \n2. Ensure a formal questionnaire is\ + \ prepared, which will be used for assessing third-party risks during the\ + \ onboarding process.\n \n3. Ensure there is an action plan for control gaps\ + \ identified at the time of vendor security review for their third-party controls.\n\ + \ " + typical_evidence: "E-TPM-01 - Procurement Policy \nE-TPM-07 - \nE-TPM-02 -\ + \ Questionnaire for assessing third party risks\nE-TPM-03 - " + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-01:question:1 + text: 1. Inspect Organization Procurement Policy and Vendor Information + Security Standard to determine whether requirements for third-party assurance + reviews are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-01:question:2 + text: 2. Observe Organization Risk Assessment system to determine whether + a questionnaire for systematically assessing third-party risks is defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-01:question:3 + text: "3. For a sample of vendors, inspect whether the corresponding Vendor\ + \ Security Review (VSR) is completed to determine whether management has\ + \ assessed the third party\u2019s controls to determine Organization requirements\ + \ are met and management took action on control gaps as applicable." + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-02 + name: Vendor Risk Management + description: Organization performs a risk assessment to determine the data types + that can be shared with a managed service provider. + annotation: '1. 
Ensure there is process to conduct vendor security review and + all vendors must go through the review; records for documentation and risk + rating needs to be maintained. ' + typical_evidence: E-TPM-04 - Vendor Security Reviews Evidence + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-02:question:1 + text: 1. Validate for a sample for service providers that an assessment + was conducted and a risk rating is assigned to them as part of the VSR + process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-02:question:2 + text: 2. Validate that the vendors are listed in the vendor management tool + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-03 + name: Forensic Investigations + description: Organization enables procedures to conduct a forensic investigation + in the event that a hosted merchant or service provider is compromised. + annotation: "1. Ensure there is documented process for conducting a forensic\ + \ investigation in the event when a hosted merchant or service provider is\ + \ compromised. \n2. Ensure documentation for the same needs to be maintained\ + \ for tracking purposes and corrective actions." + typical_evidence: "E-TPM-05 - Forensic investigation process document \nE-TPM-06\ + \ - \n\nSample Forensic Investigations" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-03:question:1 + text: 1. Inspect documentation to determine whether procedures to conduct + a forensic investigation in the event when a hosted merchant or service + provider is compromised, are defined. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-03:question:2 + text: 2. For sample investigations validate whether appropriate documentation + is retained. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-04 + name: Privacy Risk Assessment + description: Organization reviews the privacy practices of service providers + who access, collect, process, transfer, or store personal information on Organization's + behalf upon initial procurement and renewal; non-compliance is tracked through + remediation. + annotation: "1. Ensure that a process is defined and documented to review the\ + \ privacy practices of service providers who access, collect, process, transfer,\ + \ or store personal information on Organization's behalf.\n2. Ensure that\ + \ the reviews are conducted at the time of initial procurement and at renewal.\n\ + 3. Ensure that any non-compliances are tracked to remediation.\n " + typical_evidence: "E-TPM-07 - \nE-TPM-08 - Privacy Review Evidence\nE-TPM-09\ + \ - Remediation Evidence of non-compliances identified during Vendor Security\ + \ Reviews" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-04:question:1 + text: 1. Inspect and validate that a process is defined and documented to + review the privacy practices of service providers who access, collect, + process, transfer, or store personal information on Organization's behalf. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-04:question:2 + text: 2. Validate for a sample vendor that the reviews are conducted at + the time of initial procurement and at renewal. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-04:question:3 + text: 3. Validate for a sample non-compliance event that it was tracked + to remediation. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-04:question:4 + text: ' ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-05 + name: 'Network Access Agreement: Vendors' + description: Third-party entities which gain access to the Organization network + sign a network access agreement. + annotation: 1. Ensure that all third-party vendors sign the network access agreement + before accessing the organization's network. + typical_evidence: E-TPM-10 - Network access Agreement + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-05:question:1 + text: 1. For a sample of vendors validate whether a signed Network Security + Agreement Exists prior to onboarding. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-06 + name: Vendor Non-disclosure Agreements + description: Agency temporary workers, independent contractors, and third-party + entities consent to a non-disclosure clause. + annotation: 1. Ensure that a process is defined and documented for all agency + temporary workers and independent contractors to sign a non-disclosure clauses + before accessing the organization's network. + typical_evidence: E-TPM-11 - Sample Agreements for temporary workers + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-06:question:1 + text: 1. Obtain listings of agency temporary workers and independent contractors + from the Contingent Workforce team + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-06:question:2 + text: 2. For a sample of agency temporary workers, independent contractors, + inspect Agreement to determine that non-disclosure clause is acknowledged. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-07 + name: Cardholder Data Security Agreement + description: Organization managed service providers that manage, store, or transmit + cardholder data on behalf of the customer must provide written acknowledgement + to customers of their responsibility to protect cardholder data and the cardholder + data environment. + annotation: 1. Ensure that a process is defined and documented for all the managed + service providers that manage, store, or transmit cardholder data on behalf + of the customer to provide a written acknowledgement to customers of their + responsibility to protect cardholder data and the cardholder data environment. + typical_evidence: E-TPM-12 - Evidence to Acknowledgement to Customers for Card + Holder Data responsibilities + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-07:question:1 + text: 1. Validate for a sample Managed Service Provider that they have provided + acknowledgement to customers of their responsibility to protect cardholder + data and the cardholder data environment. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-08 + name: HIPAA Business Associate Agreement + description: "Organization Business Associate Agreements must contain provisions\ + \ for the following:\n\u2022 permitted uses and disclosures of Protected Health\ + \ Information (PHI)\n\u2022 PHI safeguards to prevent unauthorized use or\ + \ disclosure\n\u2022 communications regarding the unauthorized use or disclosure\ + \ of PHI\n\u2022 PHI availability\n\u2022 contract termination and disposition\ + \ of PHI" + annotation: "1. 
Ensure there is a documented business associate agreement which\ + \ includes clauses but not limited to :\n\u2022 permitted uses and disclosures\ + \ of Protected Health Information (PHI)\n\u2022 PHI safeguards to prevent\ + \ unauthorized use or disclosure\n\u2022 communications regarding the unauthorized\ + \ use or disclosure of PHI\n\u2022 PHI availability\n\u2022 contract termination\ + \ and disposition of PHI\n2. Ensure that a process is defined for all business\ + \ associates to sign and acknowledge to this agreement" + typical_evidence: 'E-TPM-13 - Business Associate Agreement ' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:1 + text: '1. Inspect Organization''s Business Associate Agreements and validate + that it includes the following:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:2 + text: "\u2022 permitted uses and disclosures of Protected Health Information\ + \ (PHI)" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:3 + text: "\u2022 PHI safeguards to prevent unauthorized use or disclosure" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:4 + text: "\u2022 communications regarding the unauthorized use or disclosure\ + \ of PHI" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:5 + text: "\u2022 PHI availability" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:6 + text: "\u2022 contract termination and disposition of PHI" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-08:question:7 + text: 2. For a sample business associate validate that they have signed + the said agreement. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-09 + name: HIPAA Business Associate Subcontractor Agreement + description: Organization requires a Business Associate Subcontractor Agreement + with Business Associates from which it receives or transmits protected health + information (PHI); Business Associates under contract are required to provide + assurance that they adhere to Organization's security standards, which includes + the security of PHI and reporting security events that potentially expose + PHI. + annotation: '1. Ensure there is a documented business associate subcontractor + agreement which includes, but not limited to: security of PHI and reporting + of security events that potentially exposes PHI. + + 2. Ensure that all business associates are under this agreement and provide + assurance that they adhere to Organization''s security standards.' + typical_evidence: E-TPM-14 - Business Associate Subcontractor Agreement document + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-09:question:1 + text: 1. Inspect Organization's Business Associate Subcontractor Agreement + document. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-09:question:2 + text: 2. Inspect an executed agreement for Organization's Business Associate, + for evidence that Business Associates provide Assurance that they comply + with Organization's security standards, which includes the security of + PHI and reporting security events that potentially expose PHI. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-10 + name: Network Service Level Agreements (SLA) + description: Vendors providing networking services to Organization are contractually + bound to provide secure and available services as documented in SLAs. + annotation: '1. Ensure that a process is defined and documented for ensuring + SLA in case of network services. + + 2. Ensure appropriate contracts are created with network service providers + to ensure availability of network services. + + 3. Ensure appropriate monitoring is enabled to identify any network downtime + and SLA breaches.' + typical_evidence: "E-TPM-15 - Vendor SLA document \nE-TPM-16 - Results of Network\ + \ Configuration Monitoring" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-10:question:1 + text: 1. Inspect and a validate that a process is defined and documented + for ensuring SLA in case of network services. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-10:question:2 + text: 2. Validate for a sample vendor that contracts are created to ensure + availability of network services. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-10:question:3 + text: 3.Validate monitoring configuration to confirm that it is enabled + to identify any network downtime and SLA breaches. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-11 + name: Personal Information Processing and Transfer Agreement + description: Appropriate data processing and transfer agreements are established + for the collection, processing, transfer, or storage of personal information + by, or on behalf of, Organization. + annotation: '1. 
Ensure that a process is defined and documented for establishing + data processing and transfer agreements for the collection, processing, transfer, + or storage of personal information by, or on behalf of, the Organization. + + 2. Ensure these agreements are signed and retained appropriately as per organization''s + policy.' + typical_evidence: E-TPM-17 - Data Processing and Transfer Agreement + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-11:question:1 + text: 1. Inspect and validate that a process is defined and documented for + establishing data processing and transfer agreements for the collection, + processing, transfer, or storage of personal information by, or on behalf + of, the Organization. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-11:question:2 + text: 2. Validate for a sample agreement that it is signed and retained + appropriately as per organization's policy. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-12 + name: Approved Service Provider Listing + description: Organization maintains a list of approved managed service providers + and the services they provide to Organization. + annotation: "1. Ensure there is a documented process for vendor onboarding and\ + \ termination. \n2. Ensure that activities for vendor onboarding and offboarding\ + \ are logged and maintained appropriately.\n3. Ensure that the list of active\ + \ vendors is reviewed and updated periodically." + typical_evidence: E-TPM-18 - Vendor onboarding/ termination document + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-12:question:1 + text: '1. Inspect and validate that there is a documented process for vendor + onboarding and termination. 
' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-12:question:2 + text: 2. Validate that activities for vendor onboarding and offboarding + are logged and maintained appropriately. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-12:question:3 + text: 3. Validate the list of active vendors and verify that it is reviewed + and updated periodically. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node306 + ref_id: TPM-13 + name: Vendor Information Security Standard + description: Organization has documented a Vendor Information Security Standard + that defines the responsibilities and governance requirements regarding vendor + information security engagements. Contractual agreements are entered into + with vendors who process or store Organization data that define information + Security terms and service level agreements. + annotation: '1. Ensure there is documented vendor information security standard + which is available on intranet for employees. + + 2. Ensure vendor information security standard defines the responsibilities + and governance requirements regarding vendor information security engagements. + + 3. Ensure appropriate agreements are established with vendors who process + or store Organization data. ' + typical_evidence: "E-TPM-07 - Vendor information security standard\nE-TPM-19\ + \ - \n\nSample Vendor Agreement" + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-13:question:1 + text: 1. Inspect and validate that there is a documented vendor information + security standard which is available on intranet for employees. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-13:question:2 + text: 2. Validate vendor information security standard defines the responsibilities + and governance requirements regarding vendor information security engagements. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:tpm-13:question:3 + text: 3. For a sample vendor validate that agreements are established. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + assessable: false + depth: 1 + name: Vulnerability Management + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-01 + name: Vulnerability Scans + description: Organization conducts vulnerability scans against the production + environment; scan tools are updated prior to running scans. + annotation: '1. Ensure that the requirements for periodic vulnerability scans + are defined and documented. + + 2. Ensure a process is established for updating the scanning tool version + prior to running the scan.' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-02 - Scan Tool version evidence + + E-VM-03 - Scanning evidence for a sample hosts/accounts' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-01:question:1 + text: 1. Review Vulnerability Management policy and/or standard to validate + that they define requirements for periodic vulnerability scans. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-01:question:2 + text: 2. Inspect scanning tool version information to ensure they are up + to date. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-01:question:3 + text: 3. Validate evidence for a sample of service production hosts/accounts + to ensure that vulnerability scans are conducted and tickets are created + as appropriate. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-02 + name: 'Vulnerability Scans: Cardholder Data Environment' + description: Vulnerability scans are conducted against cardholder environments + at least quarterly or after significant change; critical vulnerability resolution + is confirmed via a rescan. + annotation: '1. Ensure that the requirements for quarterly vulnerability scans + against cardholder data environement are defined and documented. + + 2. Ensure a process is established to initiate a scan after every significant + change. + + 3. Ensure all critical vulnerabilities are tracked to resolution and confirmed + via a rescan' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-04 - Resolution and rescan evidence for a sample vulnerability' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-02:question:1 + text: 1. Inspect and validate whether the requirements for quarterly vulnerability + scans against cardholder data environement are defined and documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-02:question:2 + text: 2. Validate that a process is established to initiate a scan after + every significant change. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-02:question:3 + text: 3. Validate for a sample critical vulnerability whether it was tracked + to resolution and confirmed via a rescan + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-03 + name: 'Vulnerability Scans: Audit Log Review' + description: When vulnerabilities are identified, Organization analyzes audit + logs to see if it has been previously exploited. Identified exploitations + are resolved through incident management. + annotation: '1. 
Ensure that a process is defined and documented to verify the + exploitability of a vulnerability via audit logs. + + 2. Ensure all identified exploitations are resolved through the incident management + process.' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-05 - Sample exploited vulnerability resolution evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-03:question:1 + text: 1. Inspect and validate that a process is defined and documented to + verify the exploitability of a vulnerability via audit logs. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-03:question:2 + text: 2. Validate for a sample exploitation that it was resolved through + the incident management process. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-04 + name: 'Vulnerability Scans: Trend Analysis' + description: Organization reviews vulnerability trends over time to include + in risk assessments; high and moderate risk vulnerabilities are remediated + in 30 and 90 days, respectively. + annotation: '1. Ensure that a process has been defined and documented for reviewing + vulnerability trends. + + 2. Ensure that appropriate SLAs are defined to remediate high and moderate + vulnerabilities in 30 and 90 days. + + 3. Ensure the results of these reviews are included in risk assessments.' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-06 - Sample vulnerability remediation evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-04:question:1 + text: 1. Inspect and validate that a process has been defined and documented + for reviewing vulnerability trends. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-04:question:2 + text: 2. 
Validate that appropriate SLAs are defined to remediate high and + moderate risk vulnerabilities in 30 and 90 days. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-04:question:3 + text: 3. For a sample of vulnerabilities, validate whether medium and high + risk vulnerabilities were remediated within the SLA. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-05 + name: Approved Scanning Vendor + description: At least quarterly, Organization engages an Approved Scanning Vendor + (ASV) to conduct external vulnerability scans. + annotation: '1. Ensure a process has been defined and documented to conduct + ASV scans for PCI envrionments every 90 days. + + 2. Ensure all findings are remediated and re-scanning is done to maintain + compliance. ' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-07 - Approved Scanning Vendor (ASV) Scan evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-05:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + to conduct ASV scans for PCI envrionments every 90 days. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-05:question:2 + text: '2. Validate for a sample quarter that, if applicable, all findings + were remediated and re-scan was done to maintain compliance. ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-06 + name: Application Penetration Testing + description: Organization conducts penetration tests periodically. + annotation: '1. Ensure that a process has been defined and documented for conducting + penetration tests. + + 2. Ensure the results of the penetration tests are appropriately documented + and tracked till remediation.' 
+ typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-08 - Penetration Test Results' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-06:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + for conducting penetration tests. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-06:question:2 + text: 2. Validate the results of last penetration test and verify whether + the findings were tracked till remediation. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-07 + name: 'Application Penetration Testing: Cardholder Data Environment' + description: "Organization conducts penetration tests against cardholder data\ + \ environments (CDE) and includes the following requirements:\n\u2022 testing\ + \ covers the entire CDE perimeter and critical data systems\n\u2022 testing\ + \ verifies that CDE perimeter segmentation is operational\n\u2022 testing\ + \ is performed from both inside and outside the CDE network\n\u2022 testing\ + \ validates segmentation and scope-reduction controls (e.g., tokenization\ + \ processes)\n\u2022 network layer penetration tests include components that\ + \ support network functions as well as operating systems \n\u2022 at the application\ + \ level, testing provides coverage, at a minimum, against the security testing\ + \ requirements defined in VM-05-01 (01)\n\u2022 testing is performed with\ + \ consideration of threats verified in the last 12 months from external alerts,\ + \ directives, and advisories defined in VM-06-02\n\u2022 testing is performed\ + \ with consideration of vulnerabilities reported through Organization's PSIRT\ + \ process within the last 12 months\n\u2022 risk ratings are assigned to discovered\ + \ vulnerabilities, which are tracked through remediation" + annotation: 
"1. Ensure that a process has been defined and documented for conducting\ + \ penetration tests for the Card Holder Data Environments.\n2. Ensure that\ + \ the testing covers the following requirements:\n\u2022 testing covers the\ + \ entire CDE perimeter and critical data systems\n\u2022 testing verifies\ + \ that CDE perimeter segmentation is operational\n\u2022 testing is performed\ + \ from both inside and outside the CDE network\n\u2022 testing validates segmentation\ + \ and scope-reduction controls (e.g., tokenization processes)\n\u2022 network\ + \ layer penetration tests include components that support network functions\ + \ as well as operating systems \n\u2022 at the application level, testing\ + \ provides coverage, at a minimum, against the security testing requirements\ + \ defined in VM-05-01 (01)\n\u2022 testing is performed with consideration\ + \ of threats verified in the last 12 months from external alerts, directives,\ + \ and advisories defined in VM-06-02\n\u2022 testing is performed with consideration\ + \ of vulnerabilities reported through Organization's PSIRT process within\ + \ the last 12 months\n\u2022 risk ratings are assigned to discovered vulnerabilities,\ + \ which are tracked through remediation" + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-08 - Penetration Test Results' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:1 + text: 1. For PCI in-scope services, obtain and inspect evidence to show + that external pen test, internal pen test, and segmentation tests were + performed appropriately. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:2 + text: '2. 
Validate the pen test reports documented the below mentioned requirements: ' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:3 + text: "\u2022 testing covers the entire CDE perimeter and critical data\ + \ systems" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:4 + text: "\u2022 testing verifies that CDE perimeter segmentation is operational" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:5 + text: "\u2022 testing is performed from both inside and outside the CDE\ + \ network" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:6 + text: "\u2022 testing validates segmentation and scope-reduction controls\ + \ (e.g., tokenization processes)" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:7 + text: "\u2022 network layer penetration tests include components that support\ + \ network functions as well as operating systems " + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:8 + text: "\u2022 at the application level, testing provides coverage, at a\ + \ minimum, against the security testing requirements defined in VM-05-01\ + \ (01)" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:9 + text: "\u2022 testing is performed with consideration of threats verified\ + \ in the last 12 months from external alerts, directives, and advisories\ + \ defined in VM-06-02" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:10 + text: "\u2022 testing is performed with consideration of vulnerabilities\ + \ reported through Organization's PSIRT process within the last 12 months" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-07:question:11 + text: "\u2022 risk ratings are assigned to discovered vulnerabilities, which\ + \ are tracked through remediation" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-08 + name: Infrastructure Patch Management + 
description: Organization installs security-relevant patches, including software + or firmware updates; identified end-of-life software must have a documented + decommission plan in place. + annotation: "1. Ensure that a process for patch management and end-of-life requirements\ + \ is defined and documented.\n2. Ensure that patch updates are implemented\ + \ for all compute resources. \n3. Ensure all end-of-life software are decommissioned\ + \ with a documented plan." + typical_evidence: 'E-VM-09 - Infrastructure Management Policy + + E-VM-10 - Patch Implementation Evidence + + E-VM-11 - End of Life software decomission plan' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-08:question:1 + text: 1. Inspect and validate that a process for patch management and end-of-life + requirements is defined and documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-08:question:2 + text: 2. For a sample of servers/virtual machine validate that patch updates + are implemented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-08:question:3 + text: 3. For a sample of end-of-life software validate that it was decommissioned + with a documented plan. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-09 + name: Enterprise Antivirus + description: Organization has managed enterprise antivirus deployments to detect + and respond to malicious activities. + annotation: '1. Ensure a process has been defined and documented for deploying + antivirus to detect and respond to malicious activities. + + 2. Ensure that antivirus is deployed on all applicable systems.' 
+ typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-12 - Antivirus Deployment Evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-09:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + for deploying antivirus to detect and respond to malicious activities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-09:question:2 + text: 2. For a sample system validate that antivirus is deployed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-10 + name: Enterprise Antivirus Tampering + description: Antivirus mechanisms cannot be disabled or altered by users unless + specifically authorized by management. + annotation: 1. Ensure that appropriate policies are configured to prevent users + from disabling or altering antivirus mechanisms. + typical_evidence: E-VM-13 - Antivirus Configuration Policies + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-10:question:1 + text: 1. Validate whether appropriate policies are configured to prevent + users from disabling or altering antivirus mechanisms. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-11 + name: Enterprise Antivirus Scope + description: Vulnerability scans are periodically performed on systems that + do not require anti-virus; management determines if anti-virus should be required + on the system based on scan results and associated risk. + annotation: '1. Ensure a process is defined and documented to perform vulnerability + scans on all systems. + + 2. Ensure the process identifies systems on which antivirus should be deployed.' 
+ typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-RM-02 - Latest vulnerability assessment report' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-11:question:1 + text: 1. Inspect and validate a process is defined and documented to perform + vulnerability scans on all systems. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-11:question:2 + text: 2. Validate whether the scan identifies systems on which antivirus + should be deployed. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-12 + name: 'Maintenance Tools: Inspect Media' + description: Organization checks media containing diagnostic and test programs + for malicious code before the media are used in production systems. + annotation: '1. Ensure a process has been defined and documented to check media + with diagnostic and test programs before using in production. + + 2. Ensure that only media without any malicious code are used in production.' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-14 - Media usage logs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-12:question:1 + text: 1. Inspect and validate that a process has been defined and documented + to check media with diagnostic and test programs before using in production. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-12:question:2 + text: 2. Validate using logs and scan results that only media without any + malicious code were used in production. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-13 + name: Code Security Check + description: Organization conducts periodic source code checks for vulnerabilities. 
+ annotation: '1. Ensure a process has been defined and documented for performing + source code check for vulnerabilities. + + 2. Ensure all vulnerabilities are tracked and resolved as per organization''s + SLA.' + typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy + + E-RM-02 - Latest vulnerability assessment report' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-13:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + for performing source code check for vulnerabilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-13:question:2 + text: 2. For a sample source code vulnerability validate that it was tracked + and resolved per SLA. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-14 + name: 'Code Security Check: Cardholder Data Environment' + description: "Where applicable, security testing performed prior to releasing\ + \ code into production includes the following:\n\u2022 code injection\n\u2022\ + \ buffer overflows\n\u2022 insecure cryptographic storage\n\u2022 insecure\ + \ communications\n\u2022 improper error handling\n\u2022 high-risk vulnerabilities\n\ + \u2022 cross-site scripting\n\u2022 improper access control\n\u2022 cross-site\ + \ request forgery\n\u2022 broken authentication session management" + annotation: "1. Ensure a process has been defined and documented for performing\ + \ source code check for vulnerabilities.\n2. 
Ensure the following aspects\ + \ are covered as part of the testing:\n\u2022 code injection\n\u2022 buffer\ + \ overflows\n\u2022 insecure cryptographic storage\n\u2022 insecure communications\n\ + \u2022 improper error handling\n\u2022 high-risk vulnerabilities\n\u2022 cross-site\ + \ scripting\n\u2022 improper access control\n\u2022 cross-site request forgery\n\ + \u2022 broken authentication session management\n3. Ensure all vulnerabilities\ + \ are tracked and resolved as per organization's SLA." + typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy + + E-RM-02 - Latest vulnerability assessment report' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + for performing source code check for vulnerabilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:2 + text: '2. Validate for a sample scan whether the following aspects were + covered as part of the testing:' + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:3 + text: "\u2022 code injection" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:4 + text: "\u2022 buffer overflows" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:5 + text: "\u2022 insecure cryptographic storage" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:6 + text: "\u2022 insecure communications" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:7 + text: "\u2022 improper error handling" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:8 + text: "\u2022 high-risk vulnerabilities" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:9 + text: "\u2022 cross-site scripting" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:10 + text: "\u2022 improper access control" + - urn: 
urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:11 + text: "\u2022 cross-site request forgery" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:12 + text: "\u2022 broken authentication session management" + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-14:question:13 + text: 3. For a sample source code vulnerability validate that it was tracked + and resolved per SLA. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-15 + name: Third-Party Library Check + description: Organization scans third-party libraries for vulnerabilities according + to the service risk rating assignment. + annotation: '1. Ensure a process has been defined and documented for performing + source code check for vulnerabilities. + + 2. Ensure that third-party libraries are scanned for vulnerabilities as per + service risk rating assignment. + + 3. Ensure all vulnerabilities are tracked and resolved as per organization''s + SLA.' + typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy + + E-RM-02 - Latest vulnerability assessment report' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-15:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + for performing source code check for vulnerabilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-15:question:2 + text: 2. Validate for a sample scan whether third-party libraries are scanned + for vulnerabilities as per service risk rating assignment. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-15:question:3 + text: 3. For a sample source code vulnerability validate that it was tracked + and resolved per SLA. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-16 + name: Non-disclosure of Error Detail + description: Information systems are designed to ensure error messages generated + provide adequate information for taking corrective action without revealing + sensitive information. + annotation: 1. Ensure that a process is defined to design Information systems + in such a way that error messages generated provide adequate information for + taking corrective action without revealing sensitive information. + typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy + + E-VM-16 - Sample Error Messages' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-16:question:1 + text: 1. Inspect the type of error messages configured in a sample of applications. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-16:question:2 + text: 2. Ensure no sensitive data or user information is provided via error + messages. Additionally, ensure appropriate corrective actions are highlighted + in the error message. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-17 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-17 + name: Embedded Authenticators + description: Quality Engineering checks to ensure that static passwords are + not embedded within application source code or access scripts, prior to deployment + on the Organization network. + annotation: '1. Ensure a process has been defined and documented for performing + source code check for vulnerabilities. + + 2. Ensure that static passwords are not embedded within application source + code or access scripts, prior to deployment on the Organization network. + + 3. Ensure all vulnerabilities are tracked and resolved as per organization''s + SLA.' 
+ typical_evidence: 'E-VM-15 - Secure Development Lifecycle Policy + + E-RM-02 - Latest vulnerability assessment report' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-17:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + for performing source code check for vulnerabilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-17:question:2 + text: 2. Validate for a sample scan whether a check was done so that static + passwords are not embedded within application source code or access scripts, + prior to deployment on the Organization network. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-17:question:3 + text: 3. For a sample source code vulnerability validate that it was tracked + and resolved per SLA. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-18 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-18 + name: External Information Security Inquiries + description: Organization reviews information-security-related inquiries, complaints, + and disputes. + annotation: '1. Ensure a process has been defined and documented to receive + information related inquiries, complaints, and disputes. + + 2. Ensure all of the received inquiries, disputes, and compliants are reviewed + and resolved as applicable.' + typical_evidence: 'E-IR-02 - Incident Management Policy + + E-VM-17 - Sample Disputes, inquiries and complaints' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-18:question:1 + text: 1. Inspect and validate that a process has been defined and documented + to receive information related inquiries, complaints, and disputes. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-18:question:2 + text: 2. Validate for a sample query that it was reviewed and resolved as + applicable. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-19 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-19 + name: External Alerts and Advisories + description: Organization reviews alerts and advisories from management approved + security forums and communicates verified threats to authorized personnel. + annotation: '1. Ensure that a process has been defined and documented to review + alerts and advisories from approved security forums. + + 2. Ensure that management reviews the list of approved security forums and + updates accordingly. + + 3. Ensure all verified threats are communicated to authorized personnel and + tracked to resolution' + typical_evidence: 'E-IR-02 - Incident Management Policy + + E-VM-18 - Management Review Evidence + + E-VM-19 - Verified Threats resolution evidence' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-19:question:1 + text: 1. Inspect and validate that a process has been defined and documented + to review alerts and advisories from approved security forums. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-19:question:2 + text: 2. Validate whether the management reviews the list of approved security + forums and updates accordingly using last update evidence. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-19:question:3 + text: 3. Validate communication and resolution evidence for a sample of + verified threats. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-20 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-20 + name: Third-Party Security Assessment + description: Organization engages qualified managed service providers to perform + independent information security assessments. + annotation: '1. 
Ensure a process has been defined and documented to engage qualified + managed service providers for performing independent information security + assessments. + + 2. Ensure these assessments are performed in accordance with organization + requirements.' + typical_evidence: 'E-SG-01 - Information Security Management Standard + + E-VM-20 - Sample Independent Information Security Assessment Results' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-20:question:1 + text: 1. Inspect and valudate whether a process has been defined and documented + to engage qualified managed service providers for performing independent + information security assessments. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-20:question:2 + text: 2. Validate whether these assessments were performed in accordance + with organization requirements. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-21 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-21 + name: Security Testing Window + description: Security administrators notify relevant parties prior to executing + technical security assessments; assessment details and results are documented + in a ticket. + annotation: '1. Ensure a process has been defined and documented to notify relevant + parties before executing technical security assessments. + + 2. Ensure all assessment details and results are appropriately documented.' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-21 - Sample Assessment Ticket and notification' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-21:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + to notify relevant parties before executing technical security assessments. 
+ - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-21:question:2 + text: 2. Validate for a sample assessment whether details and results were + appropriately documented. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-21:question:3 + text: 3. Also validate whether appropriate notification was sent to all + relevant parties prior to executing the assessment. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-22 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-22 + name: Vulnerability Remediation + description: Organization assigns a risk rating to identified vulnerabilities + and prioritizes remediation of legitimate vulnerabilities according to the + assigned risk. + annotation: '1. Ensure a process has been defined and documented for assigning + risk rating to all identified vulnerabilities. + + 2. Ensure vulnerabilities are remediated and prioritized as per the risk rating.' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-20 - Sample Independent Information Security Assessment Results' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-22:question:1 + text: 1. Inspect and validate whether a process has been defined and documented + for assigning risk rating to all identified vulnerabilities. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-22:question:2 + text: 2. Validate for a sample of vulnerabilities whether they were remediated + as per their risk rating. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-23 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:adobe-ccf-v5:node320 + ref_id: VM-23 + name: Backlog Prioritization + description: Organization documents identified bugs, prioritize bug fixes according + to risk, and tracks resolution as part of the product release cycle. + annotation: '1. 
Ensure a process has been defined and documented for creating + documentation for identified bugs. + + 2. Ensure all identified bugs are fixed according to risk and are tracked + till resolution' + typical_evidence: 'E-VM-01 - Vulnerability Management Policy + + E-VM-22 - Sample Identified Bugs' + question: + question_type: unique_choice + question_choices: *id001 + questions: + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-23:question:1 + text: 1. Inspect and validate that a process has been defined and documented + for creating documentation for identified bugs. + - urn: urn:intuitem:risk:req_node:adobe-ccf-v5:vm-23:question:2 + text: 2. Validate for a sample of all identified bugs whether they were + fixed according to risk and were tracked till resolution diff --git a/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/+page.svelte b/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/+page.svelte index b896c16e1..1b9ae9dbb 100644 --- a/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/+page.svelte +++ b/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/+page.svelte @@ -14,6 +14,7 @@ const threats = data.requirement.threats; const reference_controls = data.requirement.reference_controls; const annotation = data.requirement.annotation; + const typical_evidence = data.requirement.typical_evidence; const has_threats = threats && threats.length > 0; const has_reference_controls = reference_controls && reference_controls.length > 0; @@ -173,6 +174,17 @@

{/if} + {#if typical_evidence} +
+

+ + {m.typicalEvidence()} +

+

+ {typical_evidence} +

+
+ {/if} {#if mappingInference.result}
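Review bot: The `{#if typical_evidence}` block added here reads a value that the script hunk of this file assigns once, `const typical_evidence = data.requirement.typical_evidence;`, so it is not re-evaluated when `data` changes. If SvelteKit reuses this page component on client-side navigation between two requirement assessments, the block could show the previous requirement's evidence. Assuming the file uses Svelte 4 syntax, as the surrounding plain declarations suggest, `$: typical_evidence = data.requirement.typical_evidence;` would keep it in sync. The neighbouring `annotation` constant follows the same pattern, and the two hunks for `edit/+page.svelte` further down repeat it. The plain `{typical_evidence}` interpolation keeps library-supplied text escaped; the library values are multi-line, so if line breaks need to show, a CSS `white-space` rule on the wrapper (its markup is not visible in this hunk) is safer than switching to `{@html}`.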

diff --git a/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/edit/+page.svelte b/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/edit/+page.svelte index 926160ef4..59e6834a6 100644 --- a/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/edit/+page.svelte +++ b/frontend/src/routes/(app)/(internal)/requirement-assessments/[id=uuid]/edit/+page.svelte @@ -7,6 +7,7 @@ const threats = data.requirement.threats; const reference_controls = data.requirement.reference_controls; const annotation = data.requirement.annotation; + const typical_evidence = data.requirement.typical_evidence; const has_threats = threats && threats.length > 0; const has_reference_controls = reference_controls && reference_controls.length > 0; @@ -269,6 +270,17 @@

{/if} + {#if typical_evidence} +
+

+ + {m.typicalEvidence()} +

+

+ {typical_evidence} +

+
+ {/if} {#if mappingInference.result}

diff --git a/tools/ccf/Open_Source_CCF.xlsx b/tools/ccf/Open_Source_CCF.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..92e0608dcd5279a493417ca676087e5976828c58 GIT binary patch literal 294969 zcmeEt^;;f6kS2lP5Zo<6g1fuByF+kyhX8>guYu-s%||C0VGqm=G`!a1am>A0UVj6A9+uKtSjsKtNzXz(MMYI@r6K z*}EF5c{!T7=refQ*}l(v3rUp&0SU61Koy za9oSb7NAEty+~WZSm0#*@*wlWB(A2m?nuO?w!JOw#+U6r4b(rde@HBvyqANw-yg-MSe+HhexlN^i) zL&g7%;^w_ZjhLT6rr%DlwumgoFutw8LjaO=*BTvIMo@W)?(qJMdTf>8Ru=m5i@(+m=LvJO-`B0vX* z&SthQj0~^W|4#$|gKPi4EWIL5UKZ+=1_EC`jCSxY(~wTvGK%lZn?Ai^PJQ~snHp2j z`g9{9?3&w1?442Vk>!zY4Jvc@?uZMzzP&))1;c+ORpRp=Q#%Vvv6emKP~Hu5Ex*aQ z<^(7D_}Y(qAPWDzWE?m{XhndMiGzWFz=wc)<7vzIuWCFToNbI99Bf{D=zmtw8=#Q_ zvj4Mx+7sn%`k0Wuoql}^`Tej-e%y+Zc3H!`?*{&)xkW|7R{OQkexxh=*9YxfPu?Is z$hfoe5X~PyR(+e~|G>Yqu~9(_iG}O7OkXIH>wnnT*)@18HN0I`3!^dx6{hd*+u$24 zfo9lScEa=t>uYIAXsaZ(vgRZWk{#?fMFg;pIAN=by9|jsJj?gINY^fQG4~?8qYJfW z-|;IH-@(L}`9^VN8_&l3*}z;xiUN&DzcMvDEwvVODl8KkQlq7}PAw?9rou^{A8 zO%Qe*f1LNMjKP0RbdKqY-TJom)-~z6ha8bN{`S*mu#qvzsQEmH^7@|CHcTzqd8cVCUYQ`ebqxCd`$L&;^n|x038-xs2Tvs}Ds$ zqs5(&@kVxWsQYM#tDz2$dG->uB5=*2cs2|jb=<9+wi zNG?#ZAq!-xc>h^@vcCN?l_y}?&1w!8^?BK*mgbwgAw3-|)BMU8XF`RpzF4$0Ztd&SA2-Nl7gS9Qpg-n+51pN?)dy zFZ zP~?0GAGt-4Vj4iqd5g-p?iwLmV(R%q=s_qbwc3rJ(f@r1x&0@?OtTGz@8HFgy&ydQ z4Xo*hK&maJR%20CyE+T+?ov+K1<$!EE_bz=$NrbPj=S1RpVO(Tr^(dAZ{D&)DxFI5 zD3NnSmCl{EDqhxIz69vH9Eculn&J~jx4BK34CxsPkYJ7G4*5Mvw9=mt#BqfEkct2M~|{_R5W z$shcE`$0Cbf{xIU_Nj@J=M5(I&K`QB2rv3CIf(vymJp~8(XIGtPx(63fvj7s1p(y| zNB6-44g4!0!3;W~T*n;cx0leOHnX=e5mf>wOJ95(Z2D}p7C&aj<5fyk^`oF3MQ{kM zRBNectre?<^9&#;)&~8-onRtpS`vx3H}EUXYvTgoJnM?9XD|afg}*25iBbPB~5kPb+tB{XzF!naN#f*YOml zU?c49igIy{Lz%K&%=V zd{R3uk`R<#(ta0>fDM)-$e!dl>z0Q=-o|~InjOse{XB_d2ibOneGUD;0@7!ep*Y`l z87NkvtoS6#ot#dKa^6(u))IDh3F2S9q>=kKGE8iQc?|WkhkaZu&CFa~82|oadu@Rk3AzqTOqhe~l*hbUejzJg(8Nlb6Dn0m z%G{DIwlYw|7sqW~Y#L5Gw;ZXlrh{lGYPW7*cr`6No8qxRUus3lBP5Pv(3SM|MCe)X zF9zG^ihuGHIcr!! 
z>!g568XT#QnEa?PyV&0t5PFP??sNj3VM7DLxG&d}@){}Awwr#FvzEK9 zZtBd3YK6))`$83po%i&qSoL9J4RnO_M8s$I&<^l&r&`Td(@FP4Hnuw2k;B4fSNAD? zW&89f*BbTmQEnC<$u@}bHv!FaimdX@XxRFvAy}gh*3se-qqY>PR+uV(&GLmo*P;{E%=v22~zR`!Dk{QE{d2)#i9=tC8d2o-0z!_X7 zlAiK*Aak)B!+vC6gtxfxWsMLaL^gPeF$cdo2XZC+nV1~*C)>&IH9>hezmru#hs%L= z)pgk!M61KX9`4JLJ8I;M-3orZAD^&`TJPzdHI3D9z28CWYMvM~TYF55tY2Ldgqj_w zPF}e;SD}U}k_Nxf|F-(nX1+q4D$RT7)@u-f+S!}`~GK94Bf4FwPFkBIcGN{f6?~$5|Igx(ra=LG8CUgERjC3d5`#ORCrC43F&s? zJCv-GfuL<%<%Yo(R_hDi$ebE7qqw~@*4@=$w*TYVh2grt-^=yYY1i}V%zBrvLbl-3 zZT9KQQ~vXUf5Jre^P~2Q$;0C@`1I!GF8k)?VR_H@;jwhUfA){yx{N?mwc+#K_0`BJ z)RjcZR+ty;sPjYcoeJnNFM%nR4dBEH{?qs`ey_%W3DxN+RE6S=d!|A+2|b)mgaNFmi&BlGU2ctx=#^ zZc5_dpEmxA=%kKDnVu+9U<{(a3S2T{GUOi!y-Iv1!u@N5=vEB4jghW}f|B{=C|v|q zOz^{MLx?hYD}U?iOpIwmG)HB6(6O0Ky*2EN5$$BjE3q>!2(>!_HTjB}yedd548zJv znk3(7c9PcEcK99_TT_H?@Vi=l0T(waT_%faWbdvtWAcog#&`CX;6jYdUN}q~+z-P@ zwLe=|dSfS@!+YhJ-UlsZ2w0ylS<;QWr3&{wZ%yELzm>pXk4j4Rjd6IPzgn3wNB8k*3~MCCY%fXH2e$G ze4DE7Q&UYuL+OFfghWa`ey+@rdEe|v2v4(X$D}(-0}7X^x7W73*4!cigf1!AYj0$9XOF-NJ{V0~?VYw3zeg*r zWf2);FjvmhuG7`R>o;TXO+d4DcQT1&=gl`y<_do=hv#G@QO9cIjwnkcpS_-M5syzx zHha|XD^O>i?4yOLa*x&%#w4PqJxbbEW8PH56vsmf%&LBEJfLGVW^ZKIz%`Fr1{u zkjdfYnmZI(Fq*gFo4JScw>{mLijbDsR$0`UGg8&H9pzxifkP2p_|w^agi}`wExPK* zIf7fV#?m@+Mo*^e45w{XQ^24K5aRF=1OEfX*nd7WKb@|7)A)02*n@_SafYeosJ5~K zL{FFRA8iPFt16+lXw>;b6L11sLh^C=BQBH3n84_;zZu}S_MKwzWi?sg8zBA%e||4n zSAb}TkI)A3dy=ert=re-jm#@vZB@9DKfx6c;ZD69W+7771OLik4IJIwiFk;i?f!yh zeQo6aqybDYpGDO42%ysul53QBc^E*%u#^rm8v*Xd+uu>*uM*f2#Swm!M-(IX6iTrji`M84tO#plTSfu{FxE@5-_DYN8NWh@CAh_uZ2l`nmNNMJPoY3rvoB}foWACYwKC%d0|__RTrpVReCgF{qH@N= z-%zH+!B$07rL8)vg0&~e=nu0JX)L5{qRMpx->}Y}9DI2kj%e_KZ5b=iSU?9XxGP#A zYf4nC@=|=Om_Y;YZ!lIimDYFzZ%%Q%HXexJlyF1ow_kZgj@?t?2G!e4{HK0ENbh7pYx3CVq$~8o7 z3PAJ#`M-6g^Q|PC{{v;FIY0;u;Fu4r^x&_(=5iDb2{+)I!wkc1LzpMXH)lyE>}}5% zR2=gpNLX19L|Lq%GeJN@rb#xIORE(ij3Fhc0~m?sBX@ZCR{`4m=3lRwK5+l~vTgPs z_piZD6+an@0}@8X;QY#mKlDXtoDTF5@q*3M{$` zKt)Wia8OJD$$N8j=R`FFXq_3mv!RML1sSiObfGkq7NBZiCnv<%)2;AV*-;L?9N#e3 
z08#%Ae=xAQy45SAf`KaO7JT2K`xO(>vo&{L#v5`o6br|~+q<~?eei9Q)(RnXIlp>y70aTYZ&hp5M-MFH!wbh=E5e_Bj#Tw6hXB#r+R2FB441FM zn6<1Ib)Hj7_$NeOFM z`dilQkrUnzcwvYtSa+d3MQi0Yw)Nf3(nXOFKcMJRhMj$Y;rbzkPD?j_kDZPerRJHSphX~$$L-TG^EIy5a9R|p~08us*C39g<72MkI_^*6b&X=RN4$01zwoQ z#{636DP00M$qJ?A)c{}X6RAT@s(~qA-NX%cJ4&reZwqtVHA!P}f^A)82ln43RZ`0f z)QImdY4eXwe~jwJVzF$5Vp%;LPQ%BYXY}jngmTo9+8OHSiL&^O5GS|l{Cts*k~J1z>QqR@$gLV}C6Z50`xOt@G-$TS+dF)C z9jMBx)r%{(wZpR`&!>YbmaY}sSREhEJDaH8lyB&qxiXESQE;rJS#S(a5J%I(vy+6{ z<=Ii>)0%1}dKJC)L)hw(+pp5Q`i9V}j5w`U`_V@_7|`u=4z{6@TF$LfS}u+Vn+%j# zo{DHW)W-_SZxyj?(qv|g3w`vBP&%3C`gbVmmgFSI z$za#YZc#nqk?&YC&#vBnW^)xulQot-dT!i`T%Y>;TX>)2YF)3Jk;V>=KF?yM@&Iz3 zZ3OS}bS2_n^q}_t? z`7=uewWc&86~y+h^(fo?OK9sdB*S-kGRpPghuiqILNhwl?9$V?yF44*0Vq0D5^HlNlKQAwjYO zR1^^YY=spl+B)^Gjbm;sFM@}M>~@^5Rc4#>{c}!3l_?OEGTK@9Jtu{+QFxOWxva#* z>+6O3%<%N_6;VWdJ4wNPp3DY8ojdBDU!|>mffStdKTld6lNH2xsR_6y>70E>0gL` z_4*{^X=qUl0En~$Wj@ub%i}B69jjX67~bLwqK(!-nL4hXtbm6W#a}7Mn-@>wJC=1D zKe>au!le5TuU&nWehi=>{b1xQPI94v>UMC=9A64CK#S7a7@u(6CDuy4#Jh|t<0S(| zavPULolQvO_eu1(#%3J=hHIuYK^aPiPq@djbYCl0{3D6jS#)eEtzXP~V}poKU_}bH zFrzSuaa7XWC)Yoo@~!g{(T{y%J$3%7_bOSWF7nm>_ikPoD7dzH zE;vY3r{Hwi^~8@TWDEwuH~c8qES>-feIo`N{*i;I9ahKO1O~Zy+4c8x3B8hiK`_Fp zJ&V*BhfG6o9GwT=<$8#^!1U(%(FOF!@NayDUJHtry&vdjJ$-`K2@BM8sfN9S6yK>8 z^zXDl5t)d{?~AN%Q$zjyK%c>O^r6!!?_+(Q$T>YQ**N|+=K7*C#=SCU3k0N-RCwb# zr%!|fUn#tAK|1jk21DU3^!drK3xWSYO4?*9LTVM@c**%VZFU52!{Am`-$#2dz^s~= zkEsJ)89aYkIxz_2omKAeGON#)s=TFIFs2^h81UTEVYCc>6?ne%@44#3E;n?d#vyU&Y9_9nXW`?{;H-~dM{MD;c81F)?4;}PDyJZH;l*NZ^a`;tbb zo#KuNuy;APdMTQ6V)4aG?HXw@?L2m}g#hyp=GyD#{iMZ1G}wAQFY}JX$nb{2M2*Ku zNy2H7M33uxTiXi$s`|}jfz24~vi6I`yFavh3IbOM%hhyChU3&G{a^InqiS*_tH(qpHVhUvl9xj`Y3Vj6d5}DSJOM4M z{(Q>6QAyT}Nw-SGM^o26N4P&Vv=U>OAZ*y()uGS<>}UaY5a<~uI+V?iD)63)(@nA8 zN8!hgxRgSJZUHOzNd?&NU*}fzdoH)f6SWy=;^Q2m7y7%5A!rbn&Z~dKnEzy=o|SYn zC{u^ZbT~lx!ml#f1|)Fxo`WCri{0WcAzzcvuIDFgU!;Z#$JSsUX9!FmD3o$Os_Dj2 zHBX$}Nf8ZA_Ra=~xEZdgiOsQ7VWB?pEP<8V3P0?@)`#1%Lfq|L*+PkZ$v@55}XHookRT_cB%>7|`ZLLeKy 
z^duv7`dJt@=YJ{(jO#}{uKWyiL+cFZ#(v2}E~;}+$0OGRk9< z8kjNB{vy3Tz;ZeZa78y7d`xBB3|HYFRx8WX^-G45U1(l&G+K? zxImn|6i4O?#5axIeUEKoU}tGdMz;0Q^XsKmGNm3UbB+)AARbLie{kNnd!K<_`gqd5 z3%b<Vw(ANV9m9_JVObi?>ZT(2gV9|I`VBIXE=KNUa z=v8NQa4(EqQ59Vg%hz6(tn({G?^n<(XiwYkT2eKQ&hd)orDW%I|CZ^=Q;@A*B|k$X zS0P`N1fl!fWK%sFyrz4yV@zaa!ys9uD*7K($p-eLYNL5aMrzY7AnSPFXI7!2mmses zbVBP!giLJ5`WEqDcw$w7GS(S6Wk4ZK50UlJBT#m=;nK~%p;x;*P^l{y!nLs>HkbuV z@wt_KB%H^t-0?`xQeH3kdGV8Yp_2kJ-AKpRK)2+afuHO(rHJ&>6GDJk#m>mdn)TIO_}a(_;JIx6X%;vIoIE)Www0>_IKs4peWg4=V>GPX_q8k{ zO)vJXfJ72~&sn?DiDV*B1E`R}hWuZ8iN4okh}J_SEAmpN?I~U`6~P3==u)AEGyu7& z%KbGKfDk|7SOlZvj4b}rQNqVYI*uQ2wBK68jFP)+B##XFLE1Ake<|;L*uH5sVvap} zPszk?NQxYAoru6E%&5KUN?_}nSf_x3EY?vfe8j~ikGX9gQ6x4gLJUX^!^GJ4f#bB0 zaQ4|GKH>nb0%)49w(zSur?%_nUrD<^kea}%u>czF7{a|M*ii^nVeMmP z%!-A(8zzzU+pK_T#N_jtK1|_8u2>e7KAQpxFg{=&)5}9vf+K3-HJR%seZ%+d4!OUU z^{`F6#`^N{tz})b;UpW(hFxGE1}@S-9?_`8?6XPLU_9o zw}SBywUfA7w1~T4!@gbqYfm*R^_8z;Jscd=LfHI`ka%rM=*P@H=yjY@e*ALdPiYTf zcilI5YfvtoS|sL${uXFcBQC6NtW~`(*~f{MOT5zr8Jlw+PBnz;%k zw$E2mYic`pjjWIxD5?YBztWrEFgXIG5r^%!LiXvnerlizmOZ*^4kaelcFxliqr+9w z_oC7FCa!)Y#{=7pT@}T8{!)|YdTphwMkc;vebe4{Khw1)(SSZreQM7?v|Bnyoc!eA z^@Qd0+O9gZ;v%ma2F;A}VNJLC=fJ%%Zv!38vY$sMcjQTTYU;nma_z83`jYn=*#XRc zQ}R~FT-Q%a$7H?L_vw5B_)h9aG8pBM`gcLAgMV!`pzVO&v`hh_D{F7NCno^EvPmjN z$ki41YiAWQuc*Gd#c>6HjK+BXjv#ipZoJX9qMD!B2ApC~i>L3WWtcsWy)nFz1vfNs z|4L2*hJSTc?)o|gl$+qaj99buI--7>v{r8`>$;Y-_U~*0oPIgss)6)(#Q-U1NHu#m zsNvQo0{peHw)N}P(EY;D9=N8{fFRa#s`1h2q9Edm9Yq#M9{*(t5YT@| zvyFi@F_0-6>E}?buVYg>&nee548G;K zK)`J5`meAzr!#nF_Pg57M~TIl=NE`Ib(}ha|91RLt>C52hR=A>&9C{%;=_+cCog^7 zW{@Wcg)f{JY8w|e<~U4k&`tq;HBJeVeyx^z3vc1i_YXINWbX*j)Yo=?V4CgLdkUc?(x6HEc4R84vENC{p;Btnvs9a zD0{VZlL5}#I1Qc&g|2JZ};n7?Z#XB zUvyaRa;_3v`2f^e7rX`$K;7rbdxZMQd++A*|5O`-t*jOUfUnQ45&;08tdecjhc_v} z(ihm|oX=RDsJ{n>bFQvZe((|33w4x^q@PESHNBdXB^%CV0#H%4llf5cpZ0%|hSvje zFP9Y|OKafMF^sm9@}m7q)-!Vy0ZG~;`TtD$hNDxLj^q!wiIx5ZMr4T#sgB`ypmWMj zQ2m4XyzW0I7*O*5SwA>8wJPiko?kF&ZQWjK3cR|S$-X)d!S~@>LD2aG##q{rLU6h= 
z{-xA*+U3|FFIbhzwIWYNq4g<|xYRXHSKEi%NnH3+!Yd$a=o4KJLiweod{)uyHnYeS zx-2lP>3!0hgico*X`o;0$Hq|BsJAjb;#GM4s<2FtG_O_3uj0@Wd{vnvo@DKifV1Dy z!m4GONL+U7N-~=7WEB#!kF1wtVc$U2LsK3ZZY@w~#J4|nBy4g)i$(XH z(>duoXlM)AWI^Q!v&KR3Z#yD5ubVrfl{)5rEpq@C-yieLu<_C8>q6Ql3vowmU-KqA zgdp1xoCNBlpusdr1vYmSE(e|n*R9e*4Z-UW49dXgoL4zeo6rc|RBtA6a*5KbbzqCY z;3^CNXY6CK56XWSJ3g<^R%{Tj`*lDpMm@l?3@}RDW4N{A{E~Akj&fM-D1fGEhL^nI zXjr3a0-a(X^#85sYAqWnMdRPf`A=*zj#C*mL_bT-uhGL0XBk-GBP^j9N>86Y<5@0w$q}BVv<_PI3r>|P8}T$)U1=&N6zBc zFvzY?Ppq7=9Eo?tV*3(goJ>a=)71f+1lcNS@xPnzWc!3qsfmp5>&M3jexE^$aTRdR zKA%IoE(JlGWL7GADU-|uL4SQ<5{>z__94@E;-warT z>bF&)oWu|pE>#UAEXA(JvCn@dsS-c2a~+=-@!fP-w%1*?zC#bCCNe4E+X7B!?s5E# z^k`fw6^bm8)C$d)5KC-2AiC+lMUkqvKI1B#mCZFH-?W8j2yUJ`o*+22Ww$ma8@8bP ztEz!I_5i#Qm(h6ysxjtFPms2qhL&@aMt`+L3h;ceRP%q zD6cM{4YL6E)HZsAN9Km~m&q&NtQNlS_XL7%HKfL$mE7T{FS<^u#|@0Kta=&b1@sHELsNsxM5D7Ii0ygXw8Ja-b1Zk!c)>|`b8^&19w`v69+BaPeZ z0QMK#8R8AE7uo^$x7sVPt%1CM%d}D~==}wp{W9J-RnV&S!K^!WP_c*3tmB{V%9r)j#*3%S0qj`K09;v)ZMAu5B%!Hm z{q~fFTCw7!w&Bey8lK>&# zm)SY+_~yh1^}R}J_O0|rA_=8A&CKdIJ7#&GZne5iS%z`+W~eL~2pp>IF%^;{w`Lb# zJU(vZ5qzG?MXMP$&a}Kf5r&?r@3Q%ry~xLTUonKAyoGQS=iIno}nC*Z_f#n~4`ty8QhHo=R9l1)0| za5r9*S)waNWA6)PC5%ZRI=+X7Mko;Hgl+}rr9&KZ7Fy0k?^AHcNrj)2xld}^b|-O# z+!(A4ZcyxP&;xLe|F? 
ztrW$I`ryh}#4HR&&$5(?c*=a6Mq3JN{86F7a&wGnajKvU&G}=STn_8#652lA*~J^L zLeif#YJYNw)JGNTYcCw39FpTxbXXTs7dQoX+MRnXRakk%S@ftXuL&w)eGub$Pcc}VJkhyB_G1Es7(+}J{py;F{lQ;-b=iiw^S3)hFCQswUFk8S1 z-(q(+(NKK;9%!p&nykUR+oF?fgXcFSP6C1dt0s?Ir7keS2}ygUAEcy2mHC8HPm=2(|}bn$|n+ju$u`x?b*YvJGLk zPZ9WBH=xqczGua_xc0JYWt>HHL9$?SrZY=1Uzz{LG=&wr>2_oIGlW!!S_P%x=rjTC zC=1st=z9S2P75o|dovb2GYUoQG|r>^iCr=lAmoVQT%uyKVw-?^6akb@sLZ66fH3lqrTAHx|W z(hp=-k}qD<2AU%tigU8=Fq;PMdqtWP^Noil!;7V9%+6HuO$tOc3F3WvWnSPKe=wByYPU?L+s_VDq}4iPW!oIxGJjF!S9>o}RiRhN(1ZDCQ& z7mB#Fx(LJNUeeJyqOaGdl&WeSz<0aYU;QX^L3Yg|(`wI{KsK_vY0AyxAX#Z%iIuk;wKL9dnC2?1=BS^{_L2BF!D$3F}DvDOL~BGc|t%r}G#r ze(Kb=iS(*z%sDo9;xr7SzT?#iOCNZtE8Ks2Yfo`VMihX15)UoWYOsukL$lK@0=*J< z1+7)54tvtvnHspMj<+vuWZ%C@u(9p9n@F}PNZ4ZBvfVC|qCq8;a zi{6p@?iSvWHjtCJu|p(g?#6a2fK6D(n^0uS6xNQ#O1aU9x^0=)A^*2Q`;jY-cdpEO z@k~c<9nM&4^>}&zNZUj@ciUyno=wvXax;F|wek1EYfHZv<^bl?`IQC3&$sB19k7h} zMRL*)2pd={D(n|jz)J)VL8e);bQ9baY<2!*&IATB;ZLLmQZRW7bxwq`DW zn^dMvG{I0}Q5R#)O8}J#Hfy*%?I}()Id3&Fl*IDBy~#}<1dO`4w5w(;JDo<;Qux#9 zLk4*&p7h7~WYSbR>I%FDHBvG~v5XO)H5bzJv8;iap*8|=)9%HwgXHOt7h4(%uJQTh$?nDH z=i4?;hb()+XyR{*U6}$=A0I~s4~~qu_Nwa?9kPfm@;6rFKOby7N7|)5r-y8KI@jTD zc%U>rAe}R1JY7Cot|*WYhg_V6oIQCy+i=g1{oc6t@V{qE9sfphf_4?Y^UeX*kj~#6 zrE~PQ%knDc+>j&dim5YGKD&ryugmO+b0(T(uqj_YHlK4UeZ!6)J)eX#Zl{C!c;K;X zG>UM@mzCg&FNwZlJ55|NYDd#Vobz;DA&Vp|(TyQ});O$LjURfyYX#=cn~&{pb7am)83pe+Iulg3n+to)-_3v+VVk&c{WP z=Vu2_hqW%>y3hL$O(ezf_aMLSz8%Wbb%7_BKNo+pD0R>8mJgm>Ia2c7_}U(aOmCTV zK9dryMGKA&oYzM80c)=gCs{uKs-m2n?Sq@ovD1g6sO1wy{h}6)KQYkvFb@FTPan;N zuZ6%Duh!bgMqft#o9dxTUTxEtmD^0I6pKV##Rtg`t2w_bU4ZPk*yry8CwXMBDW! 
zkAes9agShMisX`(E^diyx6TD@@fpi=YI}r#h8sIwZUmJLep{#R!Jhy}t`(v-_o()& zy1~fLx$hgRkR+l1JSmCW)c85o7;?6@9fT-*3*sw8oJwYAorVxC7Cs)n%cvQ2ya3%6 z#~wN=(8bl+YcpnSO4x$<4Mg`)vJJMtCpvF=TsaVa$5g)?9wUBa^2RMzeZReJG0Cr!yo4V4-(xI))=Eg@tG2SIlzCVp-u1yrPgUg-cbraTcXe`c zKNl+I+EF?2{DcMz>QB13L|Nu&E3`5khWz0QC@1^Y;91|k)t}Y<&(v+Fx8x2dzdJQ>W!6Ugc}H$Wzc3 z11=CvlKHa>TuaUhM3*QueRQZNm`o3H6?xC%N(B#M!dvI0LoOAn4-qAH3siWD7i4cP zm+Nx!6?x8}QGAvf=sX_#C_WolsSzkTD>~R9W?k3s>Xxm1`*V%QXL>NmneFO*bCM`* zxg{M=l09FU(Iei(81Hj$rV~^#hRpqx(T*;W`GLzGfAt`^X`(P^uwwA(c4qHxop^at z?_giCp$>6>AfAr}`q|>`EO(#85t+w4aaE@Km{SPg$vL55!Za-d}=d;Pk`g;UeP$#dR)0T>H7#Ae+&QS{wx43T=<`te#-}*z~e;QZzwGvy!oz z=hS8A&f8hb-9=<*nYt0>aKt-E&s$xwb*xCwYUn7l=ld%zU0_O-Si)m#FJ!Egjy99h zd$>_wI|&PAuAN?^LF);4|2Vtr04`@wm4{4b`y5lp9CMx6BNL~*O*?}(Smg^#G4vv1jNsnRfH6pCM zqi0-m;MwpF{>y1hn?9cENsIbq(V8s;pQ8q5dYcPl&(>8acYCmU*pCHLnkeh&eqLw) zcZmg>ZF;7B)iT>qV>>jv?#+Xs8A#1KFkV0gHB$RD$oJ{?Oz4;olRpbrKU1665Onlz zemrZhsq54hrtV39^NrST$mqqHgAQ^;eh6*@NZM2GtqV$Z3wN8$zU*%VydO%ZWQYAx zNtP{LcoFg1K<)$ZKd4-x7LfEN42bQxP{iBrj^@#6%-~Da3AM|#k{H3NW4z&5>FbNa z0``7JIEM9ik*cG$0vlbYgozGEoRT|;KI6)F171|OWoTS%WBuHvI7$9VQ0~>c_`z*= znVA$hW7S6tkam81nBMV==jBH?tKydQ&`O=P*=tmWi>eL@4jC~S4qUUVVBdt7Ra%mD zm)xD8m(A-CP9IGn@7#*yu-sqeqcs?+_I?*!=wMP55ac$;UJXWjr|XiB$gu2bZ)wd_ zYErSPye{(1tZrKqOlEIgQ~FjD$3z3t>D4ki&=~Aj_c#Hg;2)HC*dzYf#RjZ z_m20UpJ5OB9|cLu1r*ck4o=to?n?9)CwPgs)4W^S44;2x@{I^Gr19YR8x1x3N>@Dy z-pcAdDf^DN*~1*x!SoFdJ{WfS_}wz4VeLGS$_x!>e>7XRe!5Ain~e`q_DY@_+YI;5 zl;6u=_PT=!|1syA{+rL8qIos`?LrMg84@A+p%>--G_)C3Ghgwky5qxwWEIMR57vF0 z&>VCW_|g_lY9{>cFwNw}(hbe!PO94JVzT!%KLm;red>F zs)K49EA$Jb+QtvcKLy^!S&sGC!uxg|2;Nv46sVPmIym(V35nfi%1XLHjc|5oW#Vi~ zpA~<}2TZnu+Z`|`#JirD6lCDLid|*gqMuw0lCa+hRci{1BpE<=AYcvVJ_R<0nk8pl zBQ7yob~(;aDe1on>V!nQr+G(B)%k*s$2ohgUpPY=8Zuv=qnT?xxgb$WZ~Wb`!En+~ z_yM}X`UzQA466So$gsLRe;2>`me$g>EpS|xKG4zL8|#v$B1Q6_k9xwot=L8#rIKw$ z#QLg$#%xrj`|PDFpU_QzwXT^WUgjZj1KcL=CC$FN)(6giO8dCEU)^*KADh5L1Rv1zg81C0_`L4Ikh{3=x!di*nXgu*dhnFqPU ztj7aOdEOS@>;J&nSMW$Rz%RzNxBtH0zQ#J6qSBSX^Q2R!9e5{COS~ 
zRBsG6fA5%&Yv_{=>x)51okyK?Qx`TB~Eh)KReG$x3X^pmS|o zK6%6?F&OJc^XnaJua<1jIP&#f1d~Rgv7H92dp@w=F+%;&Q9gKQ}#;L^Y9>G6ILn$cz1orJWY5$Y ze(y9MIxEJtjW=y86Qy+`qjF}>f1rBd;$|q#h)m9APl1qrYR$vaWXalHwXhBYS!(Tn zYzm8q|4joS8;1^^f;u=Z1}QBm#M|S(X(7|BW02jl3V~B+%W!b_{`vq}K6;T{BC3$$ zlIPHkPhe%pX}vs;kr7U`sZh_i7UtSr^&~_lNmIL#CS+OPikoPQS`(vQ#<8@0Wp%*w zx`^D@N#9`>2a?eMrJ@~gu{W0R!u)qnax||YT17X5e@9;X{XIHzqFGkl@cQ+Vffw_E zOul=hM(-R}kpb1!p#wrBBStlR+{6s%Hv6-3NfU)Q%i??acV)aK=+*JxZDt(cR^mhV zv}SP_azv;a8FR2I(37FF?AI^mmh%}4p$bp6ci+I4*j>ym%&Aq0rWR)3Vx?raUc!bx z$}>KVM5yWS&|W!H;?!yva8pr9ZH;iObiyGl9L$g>G3qb%7yk*|x#n>WzUcoHIx&8} zG8EfG8(znV>EY8~E>cJ{G!J{pTO0~(7%tM2jb}3LEfXo(1Libry&Zk0c(nqfoO?IE z(qo#w91w1A?~F~ZDm)jK`)H9mTT|YOJgDcI)+v86J2)R6Q#+ZiF@O)S);dd9?Otxb zrWQi)04{S>!YNmpj6G;P*>N6UJctC zT!{SR*m_c7T1|(ONA}WjgV=qhYFp9peUjskBog(9neiXjBc%4hv}2JFUphDp+xJE} z-1n~Xw&@$cEVzy->z91U9%Rzsaed8}NvAUG5W3kMpJId4MDa?>9z@VvQjz zM>lln;N~5!T3c5yw#+@a#7PsPsRVs9WWOjK!{rUUE&p*PQMoa_zwN2}qT{jqiBiMu z+TRVW$o|h$Sh0KM9`m&@XCuguY(^7R2wa-^`K!WI63xw80}f>rv?Y;zey0k&6-#LK zrV%fXmd9GAku)?I9P|cOu~H$edY!@{Q!k&cT{!rdwKi**7P-d*w6^9JkK@imb9`Vk zo;!HGmzuGf1g;7T_x??@7>YyVYc0bWeu!z)hc>OOaSA4hiceyohNJppYOce zARsQ&}IcT+SmGE*|2P29)&uq~q+^30lE@dw4!*>uWf#8c8 zM?7mG{P}*@Rdf9;d0%iqvRxFiU}1Hhms}40;gIMcl0a+6m%Li(koLOYIagi$Bj^0m z!CB1pnMJ|&d<>Z1B&UAYUUJDGx@B>SlZ#E2kh|c4#@*<_%J{U5pa4t!FhwLf_F%t_ zGwpM_)(}{!pt9h{`w*K*Z6dKfET5NS72awJu(rP&=o!Je=Uf%)qBHD5YFYXIe*up` zaKAx*vt5p6oBuK}2Jx-j+FF^m zWUb;*E!Un@@`^!D=~vG%$+dsji5+e!%AGo2wgKZ z+%&Tz&-2YF^LC3lsH|CNfz{Zdn`Kd$Mn)c*p5a7pXoN}1Iux#-d2Zllez47TR{`CT3y>?oKhQ1(55L6fwaj zhl=UcVhXZZiJ2FU8Kt>vn5mT;rXylnk!QG3kmrt>C2sEQ6tiM&gy*isl#8?v71OQ7 zER(&JoJkh>p&4d|<(iIR7id&$$ElIUxl`D=>BZ^pU9WNjd4;1YC>wXEpq?VAXwyp2 z!f`Dx&mtoXQrBQ*Q!F$}4JVHaGfAB=bIhF!T4ey1xZQe1g$+JbP+t*LwWGvLoy4{? 
z!}QXG-|#1Kk~oIxd!AJkn3>=1O58SAA~$NN8p;CiBWPnRMNrj}JXX%nP|U&$3d1Sf z%t+!SFcQZM;vg&BG*4PrR2{rBc)1Ed6%@G-6;!c!OSL5@4ScgG3d4?F%kU!CHNpZP zmDow(CT`?~Uba)v%H-v}UaFw{^-w_-n=g-jt#s7MGapfNBloh@$gy!F%q{jm^?lq{ z;#%SEt*?w;no(3^Vg`o_s#v|eCqVJ_VVt^AVMIadi7|g}d6$(sre z6;!c$d24+gnPWe({oFF_z|4%ibWc&_7+&Uuc99`@(Y~U7D}Y!trac{gW31ZhOa6DI zqj5?s@`BuOQa3QN4EGcfIgK>*0%E9dhkiSRPzSH9zI>Io5Hj?s3T}{C1_S8 znUw{uVVki{+ys(Exf2*xWJP9Sr^dUf#1>gBDYYOFuPm=vp*H=0&D8o80ZrTC#1Ek}u)KoxW6Q~Bd?UBBBJfhnkMguj zK!zsTS3^sNv$9XHOrBac`%@ILk+^u1IFAFvw1R9mB@~xMWcnShrTx zHx8ApLRD-DkuFGl!^AxsK`yDZM{bsSiHB~Oh2sU?`&M}uS2Z)+M}=(^I0}*iaK+Ll zK2{gyNks5U6FY48u+{oj&Y)~uspKV;*ttixlgDIg1?!8TWIz~l9>uorNA0n&8n@!( z%YKq--$KX)&+!dJGmXd-WSt1cVhh7K_q?QN2dve&6-h1_rPhZWP9ij81INO+j->x7 zAk%R?qPcH7NwUK(D(1TEzNm65FSl(o@r*o8G9&g_hY+-Ce}k=v zGbaquFoKS6SR`;jcE>c}DxB1ZZ2-S_szZIJf~UqY6aNq}d&5ui6k|YKY%UT1>j1Z+ zEQq_!xU!0}s#ST1I7$&TfdD}pJRd7&{0xuoW^NwXX&QI$S{1{~N>hbn+z_e)7wOpO zffcX{5st{ne9ub5JPd-QJ?gHMp|Xjx`m-7~wURU_K$t#U5Ew~tT%N*MAtpNFqQdPl zay4va5@kiElGZY@HOny^pn(xtEGsSnwBTguUgp@g-K}D^MToAghK)>CzyleZp6MEa zpiUfoXqc8ABx&jdUeZp7tfZ|BqO4q02JAR)=nIZ55R@%*@a0}$1ObTy=4*q)J2kAb z2f3}clGcStvXd|}0w2Gdg>Hmjh;sDJ_OrvD-z zB_PluiY(7I?1YFLClVM^7MA67Guw_cH|PosGPDxbUFSX%i6KNl?#(&U)8t?peeT_({O!MIdq6*aT1}$pdJS@n}zA})8WE^t*h;;^HBNp{zH{Maon}}MRm<`V z7m5Rq0&x^m;1a;>vbt&Jif&0f>jGagv=Y`s)wl{jakCWIRV0=z)HFmukrx7-AgnAm z@{2BCD?=+`T`qa4bqiJ-X97k9Gf4?4F(RP20S7?%jlw8&y27NRg!NFhu+)P~g*qp_ zAtxgQyc`5N$z_wyrmIkP)<=H z)gYf81o2P_^rIm1ckEl`#-av%Bp?9)0~lQKiMbHt)I)H;vFn(gV+T$b98-!{Q6oho z?akf5H1dpK8L&^_QycXSJ=bD=3)HxCdF!xlnX0{kpmWEfOTjB*5-F2xD#nq)XJI0N z2cy?Xk~(#}f@L<~Bc&?3Hb_!(Q;@EtswN?hQc>o4KviH)r@)n2;B*^l3b>0b2Q8q| zjNjx55l=_}{c$9j><%wnnT2IGqFRxAY&tm9qF6xMik?}p@uf}RdHkT0UvLJMS-|6} z@H}u*iue-N!RSJ8!tsie&rR~`ET@U1TYoFFu;lKMI-Q`G!t`(mx#L4+VPFE!3GOC{ zC#6v)jJoicQwMj;RPD_voV*|~#?$&Y&_2%T(7X#3Of$F){%vUxC6Ht-z`(MG4MwUvvLT-G|Jshm6frT0Bc@D6PBK%*Rw6ub zOU=~C(|jN5&JP$7xInx}Op6*~V8IF4QJ8fhCszsaR+$u6%sH?gbWci^z`11*jc{%x 
znXH6g_$i>o>53H$T*Y{+%!*e72MI~3Wb7e1g+Z49MgjRy_IH^O+(FhEEEu>-e!yYM zQjnNY%xCVFuw*giX?9QAk-Qx4*o_@O?80aaTt#`S44^BCiIb*pWwL)sWOyan4{vCo z)jniB&*+5c3|wn)89^)V4H+}Q3B_K?g20l}IYU?qt+a^1n-l;#{3HX{4y}CQLq!|M ziIrzm<1-Jy!-Ap}p(RxX6NkjEMqBzaR+dr+daKd!VN;_Pnhnl{LM2|FrWA_nRBWL8 zb0?OV(JgW9(xly^W(I7}V-?6(VvCSWZAFqcpU7leK}yMy^tgNADq*4Wr3{>dY=Ad# zLj_7^+F(B*9}dV4LTZ*m4s-=i*0^?RB*^hBxNdwrEs6o< z@J@+qHEwi(Bofu3a}6TCX9OSzyoJx2us|T-$muRo&{$F>@kBFaCCDuy0;tpbP9cCt zqGy4#bJ)-@rN7KGy9KVzqtOZC`GGVnMWjUmX>2ZwOSm^&>Uk6s0-rKu=R(xhA#ETv z2_=~kE)v9p?WKY$6Q3Fzm2!dyAux5jP?|fajib>JV#ABLv{b+|Pzb`ixl(QODUT*` zmKJ&Jn4Qr`iS}}BSS@et!J0*h5u~|8Wko!u&lW}&NlfZH@b=yQr#6j7UkLG$q?>?T zpc;k+l>^R}QXWM%DgyLh1>N#0mZ6$l7?>dhI;@_DYmh>z@X1ozEiyKdVRz_5Z5ZX* zx|LzLnMrt~)=mtFB|U`ZOCU*1 zE9&C*WNbCs%ey~nFIi+Z{#J_ma8OR!%S3i%fB*|f16q)aE`a8#(O$YlYN9>?+TrS{ z&tM4_RW)D)wFQ{zFvzVO8m7yJ8Mu!2P6JZX9Tq}p84!BlDmn&axycVB2NKGI{*1d) zZw9X2q_m6FlrM=y5(YNaOSnC97px5sPotbov!9)%SIAA&g-;y0Ri9u1%xS zO2T&o@+}GrG1U;37=k(pSPzI!7!@-Q?HyWC=P#}bE}_mzwMkf#ge=QY8l{y&J`Oi?D9Qov~M($_`s(yC}1JrBaK`dGh&mZnN$lJ z8#Etv!eO;{y1Wggs_I4wy@}AsYkcu`JH4Em$9 zCYOOJYS|{aCyNkgw7nDNI#;4Lk47g6&1h8F2%Kq1G7|?vCpw@A!f`@#GQ5G?#nE|# z+BzDYB%vSJu9MR`LR11f2%9ABh4@lvh%5}vq}!eq<7kj4X_nD0Pc4%&;etE~rEv$J zFC~7@O~dYSYujjal28O-kAx|p?OmchQI4=l83T{WiqNpxg)6;5Z5oYE5;~JuN%9Qv zn6#fQo==MiHK(Qy=PR zU*5D)rE^4i2co{a# z9m^_XtI@vENCIe*dL|pi@gW0VLi{DI;jp-rj9n*yxa=IeuF6wkQegyjD-R_FLZV)7 zA;?wCXoOuy|BBmHay+1R%U<4A^4z1B)LUS<0 z1Nc8m=usdN;d?DOa?ljx+de#97s<@Pwaqp9OW-v^(3(&M1?@mt8SRPtCN9aMk1t5m z9h+CXv_^LcFd`SiQVs}YQXC=1$!{FHiCN&R!1s6SaqZI@?IrZXIT;NJbi}}Qq*6qq ze*^y7G7~HCqcpO+5EV;NJGDlCiRYnGRQEAsT5TXyrJc`@aK{lysK_JF?g|>}0VFxy zUBhg8br6^iR}XlC`-RC5*+p7xNDLARQJv*e#;tSvMuUk-rNnb-fS`5OWOQ*u@N1|X zofUL@2Hky8zQW`;8cgDxg|vY^9?_Z15O)#6#=yNNX@o&Xv`ltxU2PqW29q#^p`zA@ zok=$?`v|*8ha){8p`Qv}S9B#{zLMKF8cgW4%rj)Ap_)}Dxs?VJ+SNIe5<6j$I5cf^ z%3Iq;qrn8m3<@54BZLJf!54a1C=VQH96~h~gy_z3Ytv{nnB*oc83Z5_QP33KZGcsK=BJiPio;weKZVm4Yx9BE^9 zWBP14a7O7$(jK8*(gKd!iZc|cJ=mn5N4Gx>($W2WC8acxs8a6P!B~%^3aJLJ7zdYN 
z+fsE$%YA8efG0)sDPko-g3E44H2K5h=i$@%X;4!EjouN!AjN&CF`p*+1rtjfGO;m- zUa*`*4&=1jP&IH(1vI-yU~*ViY7^w=l9IsG(^EsQ10Af?V<~Ixkhlg1(m_&Z>@>9} zu^2q9o5H-Y6jCqeI6|5RnMc{XJtF2`9`A>f;e0y#b@1cp%e>w-{EK?xWzSt(A5Yyo zl@zgTd{n~T(WvMM697t}g2z@elN27&+|md4$LX}TPw631RSTK-F#s7u6|BL1Se!A) zIg&!_0*4vNz#yP0)sQ1VS_v!SwP&M$oQ?1PIGa8{jwheWI|QnwY;=w=LHej5Z8(lv z#y_%BLI9qciZciC=?!ep#{Oe8yklrZXQgvQnZ2N;eP&+`q%1+BS%kIE3T^^`7bFoa zyG%oR9-)6IZP+Ge%M08 zVyZPT;9=y`11Duhr~oO9a+-*YA>!N_=>lnc``%1OpFjyekJ9P=bhh$Ad|ZhZslY;N zCUO{(b)e!bT^UqXsD_a5B~~1_W3KN;&-2-^3hm{~SXBSJr|m3FlAFuBkg_+s!MBFDSJJyqmI4E(aCt3~CR8os`O# zbkN0)v)GI2D5XavXvYDoaVtk?n~mg(bBSc!;ER;T4Nnpa(pkcw#{~+ZMnFh zaa7X|X%i1E$7~PbOPLjU8znQ2kp_;JLHPQVeC1XRVi_kJI86mhRmg<^UGl0oN;JAc zOwNee^kPyGkO~RMZzScW{?E-sF5ZP^k@jG@lDE#e?M7D!ZN?M?r~%+cpsnc+mIfK_ z*x*bVCxgl0wj?vlftB@D%`VKO?k)ETQ0kP^i6tS$y*Kor1WssD+}h%vO8XzEH&!%y zLTJyRsgy3*keV^anPubXGay29N`z_}Tu*y0zmiv72-WgZ1`at(%hqAglrV^SJ_cf^ zW=vjd#?=41wyq-3I6|o?8fA(ipnzrImSG%xIYX9-1#(mZrZpvH?A$o@MvO*BNN!T* zhY(@U;N!?bS!QTfj!Do+Xl5CQ0NY7|_$6?6~NI-7Z0wOl%{No7D^S$fqnq2hVp9H>QaR{)d#0zLcSy< zV^m1Q3nQ&dnSt(ZpVRH_)Y)|c6NOwfK<7^DcKmfTlMC6@an-;@4iu!+`=opXkwe{pj8RP0 zWi#k?fxv4w`R_-M)7f0G`DoV26YWOhhYKU@;yMhELmSc~2(N(yr0pT+Dm5kr&DkpV z_tRhgJoi}LE2bq1B0@?yl(;0JCS#Izxppe4nn>$fsq6<;*PLH+X9{%-TJj)R zNKqo}hEJmXFz7 zFE#pc!2#ztDgSwrnQ@IEsjW7PGNd?#FY+?V`9<;GFjV==|>EZaQocn?Z5??|+ zL@w=t66e4R<#cOHi_n&*sIzHQHCT%gD9dkno1&0`lMu)fL%FV zCtdQC^DBj?rCR;y!*tFqxqFVb_;A;N zgS+wY({wVt|J&oc8?f@~ui5mMiTvRGTY1CLo{y7{zJEI#fBL-dH_Fc*ygnyegM~&v z&1d7EMuVS+_cCKNefm6y{8fMQ^m%wU{YCl6^Wx8w>0~6|kawAuH#aYS{9*Vsk`d&e zp8mP`8QhKBja=^g@OeI6-f%1zE-yY1-%US^()-bHVthaPL@jhye*O0IX!VKJ)3#aS zU}k3UTwBwzSEosIvA zpODr1G@6V`zI5|lu5*fQ-{WDWpj&E|`o80V$RgKIqjCS>+UN1dU;jLOnnN2SH$Qv& zJcEq>aaxQQpP4OcLw^x#TJF(?7x|#<&RF^L#_rxu<>622_9E+Oa(5jXFep`E@Wbd~ zoGvB3dzm7XYO_-hYV|l&3nYykLB(HQ2^LOqmk%2(?RkekTeFWhyS&-@=WAak)>XP` ziJC3GeBpM!7KPO=YfqQ8pSE^H+|y}jYd~KgzQiIOv3C9QU1&qAe1(_4r6_%+4qB@} z;7x*Q&yk=ZE59K3M!`^#aL{(jGZar*{+){va-5qf~iu>P5S1?W*6t>Jp#U 
zU=6kVg4){4@2Y}pG}C|MQbjUxwqdU}sp<>#|H&5)Xp+*;T5o1Kd<}JDn{M1Y#OAcV zoK|1757RzOx{1ry;cuuJSZ%J>Ht=#A_*&Oc$D7w1Z}i@2tgtu}(;eR~>ANnWle-SO zv^HWKdCcXIwo~15tBaJcut@pU9&S0|Spj{jWpPSPpK6hlXy5ojJYA*JRXW`erw<^0 z=KS@x!{)jfS~o+_hL3VFg`7PFzGm??i?3OHxoz~@x=L01e(n3U@7KOx`+n{F-`%XDfxe)yzARt&FX;XS-M_HB zz5k8AocZf`g@VTY8ux45uW`S|{Tlac+~4++ERFj$?$@|q{+jSVknq=NUZZ)9<~5qvX#TCfszG1Xps#9J-p%m0N4W;GqUvAG1yqPoHP{b-#D-R*lYwT~PR1UvsnZifi49Ihc)xcjL*Yzs%^q6w8oweJX#^t(cpw zm|F2Q({pq6myDl*=hTX?6<;g91jp&(MPQ3`vkaF{pNDtTUz8s_FaF%?Te39Nxfy7T zKl(D#7+)W^(ind}ec;;h)r)gG?;qFia6R@NuDV2feI;5A+%<65z+D6P>8yMOp@Ii> zQw|MFi%Q}8r8oDZkG!B`HvaT^z89BLep0^+^s={z>kRi>%5Xc+qG-r|EM)(*ynJME zt&L^x--xZzKowd&{}1V!n$R_&^bYK_&cSvQ0K&)yO3HVVUj1@%26 zfdojkP8txTllE}B?FU##RU{}Cgj;u~`}Z@U1zK8mo2K4+$5VmEv9TQ|cI@yu&XT`8 zUHl)v>pfcDk4eS)l-mA5oAI@yx-FpL9>&;G!NxjAr8g`0Yi*xTWpOdP1%U+{5(9jevJ5{d=f+vl8bM%i7i?Eckt$@z5h5zKJh$?>gy zJGqQfRZlixq_wTT{qVAeria-mVcC@F9e5BJ+t{n!?qeSNE|;yY+}cGMp0e^WiJFb= zPVbQXCQoO)6anXE2vMa-InJDMAGA`j1%!I z&Z$F)!%WlR*uh*NRqU+~jgCO@xU|gJR?uwuc0Exgos3_KEXmR;YpX7FLknd+8koy19-v@~(iKD)`mPJO&X8 z*XF(m4CG+fLDY;G;>`6yqMqyf0mlXg5o((>SryX_p|i_StOGxv7;^ zy%><)rJWlVzGVcXz{CVmD|C=!nG6Mt7`{ba!2;HyoxP8Cf^|Y#;@MQjsXFjtpZtgJ zQy52ZJMa?vP7=C0Lgc>U)Xi@I009600{~D<0|XQR1^@^E001EXmMwz&cZ~r6&LIW> z6aWAKcx*3oXkl_?WK(oMn8E_iKh?0wsA8%vhuy8-`0!UJ^67>VYcl6{UFG9`DZ z%RbgfI;X4VWso9M65AwG#Uy2`o*MHP^VXQR0{ScJQ|e24t-T{6FFQ!fUDZ=SVG5_r zP+lT4BX;cT+B<&uhp&ry@{p~HS-$-7MW@w%kz~tBKAkOZe|+)t)%%0P7fG>Bm(z5f zFS8$CJZ8mTvdVT-;)vIE1mo3twmEUJeoVm$Yi*$`YSGTW< z`&E`si@PjaFXpeh?e_51BAqQ?B$IrzT>toD)F0tFo8|0xn{2Fy`t5f6#oHf>+1nr1 zZ$IG;A7V3Xk>qW=Y{5l)YvvhfIk=<_Q>53P;l8)AIs3B4lJ~20k$uTm zpOd}u`2EXdRwQXsWa}iq!Ovu~nynubj1oR*aX+7>%Snc&-mEXpmwn3n_S)a`!kmKF z#eF)#)L@JY3{&>vZSsAO{JtUjayOgYC6jcS+-39oWPO(<*Q-38W~=&0tY*dMWRWh@ z+ia0x^f59E%rM7kayQE!GTu5{CHa?Sb<}S2bY8TQGaLlXtU-r=W8=pG0}bsbLTezJ zbpH7JY$^je0Uc$lSqifH8~f^R`@bhES#RrnrAq}%bW^PHM_53W#dG5qT#vnj-TmRx{nGDz?bGyH@5 z^JS6G(cKy^HRmzNwaj0PZ!b3Y_xWlqAK?iq!6V3@zjuy1qd#B5{T1lSlZcW92LT#P 
zlepID^_&A=Bn7BunOtX}I-#;Fo=G~%G%LX6uW=Ct!E|4{@6^vCHMTK4TGOZMJfo+aY} zSjqVD8j95^q}_5ogJ!g!{QPSi#VxZ*I>*DE?io1C-uUb?c{s$a@3ZMey0}lS(it>j z(9+-GuQ$oZ9I6@?Ixd(k!9UPz+0EG!OL`6Fk&G|T!7kGIMm}gi`8B#opFjImmd?Sm z&X%g)g9egwlEw9G?p5I9iD>oy(D7uQ?EUKO{P-B}#QQ*^;6JzEGNAlva!g5H;}X-JVhLe(KOSG=n?7#l>)FAF^br$`_giNZ{XCjc*?uyIBqO4$`IAa5%qrK0ZrMEbWd)*?rPEms;V`^f|f)@@ch zl&vQ%%X`Ge!?-Q7<~e8*n0*>Pdd(8oP>UgPz?_T&xbuZ1B*juz97(I(6 z{tcnDryM*v<>>tOW%EToLRSiAU?7vXSJC&Yie>6L>lxl0MyATJCrd|Xq=mWjulPUt zipN*x9jl}5^|Ebqh!?lS68JY|=>+Wg7L0>tVOqR~_()$S_gM~kv!Bf5Qy%$hlWeu5 zrvsBa-GGhjC2w&3HLhRf6EIeLgFBHGym0aoYTV>*38%^JqrJ8~_h#$oJl-49zseK3 zYf7THS>+3%_Ir^2Jvklhe@x1kJE+Ly+M;7)M*U)0zy*bwQ!Pnc38E{*gd~&0ByfiE ziE0`U$mk2CIje}JFxQmSqy)2g&!O^89$$IZXxHy5qthb8dYvZsda?S#@Cxb%nXd35 z`jY<5YxWplT2wf^VMRaKHkM~lN5qm-NwW*nRUI!%IMpHP1O=SK(jufdqRDKB7e- zwxc7h(~A$yF2Xy+Md2|7-|{mio+Ci&m_{XL=;dm*o||c=(DR(t8{Ds82FR$hV<#!h z069y;Oj~JJSYcE(>d{{2Fgsveh|?3Mn5a%*0u=|Y*X-}}Voh=*o57t6xPI3{dvsL8 z#1Z?PQj2=|rr@CD%lV^y>neNF%L`C5oUZ7vX{U)z6!?d{p1P~1c~&g{ex2N=n-yLp z1Ix=eWRSyRQN1diU{>3}mDJXvtVUSuL%N#f8~Dsh_t}D`9H(NPLtumV@>wz%dWIv3 zulIz&QKAgWzE0*FGCs$;Idb~Z=Cv*>R$||!StOyh=(kb&AoaYT>K$PZ(tH6 zm=OOcyhXN}%nF^n@_q3&>2!*rr-@9jOLVfl`eXQ&e7!%rh37^mP#uu4L2k1p_~x9# zSACeJQb#J{AnMyZ z#QvduW4dS8ANncY9c`}Yb8w>j{22^1XP70&%VqX8IW{U+u*$Y{(=p$6^_%~7 zas2T-u?Ech(-S%4P32~n{=B!Ho9D&64aSyvA=t3?C1HS?!9O;G1#9hq)*6hp=GDJ` ze|gqC25&=R+$Isj5z^EiTc_f;Q1ot$1AU!BIUs?*n&*9Dbr`w-CDmbp9L zGP0iTe(A?=B=N=12nq6(A)@1t2X@iZU9(O~AC6fl%Lm9;#*DUKQ**u1@>kca7zF-q z=ms_GK%7Xhj#Q6_bfd6_r7(v?0fSFrOhJ@RAu7T2XO>T&owV>hU{%^M%uGJ^`7{0u zo8Kf}n_${XY42`M&U>E!?6< z`n~}#n;sdq&fl@!!-&XbY+xAlNCz*~>9o2yhF9tE7M#ZbO0(PQo00Ff2CdG1(&2B{ z|MJKYPqfT5@^KM=*U%p1Oq&Tii%{?D%xqAm6|QSRVLmX5lt;OI^PxX17baPnHB2WGka*fod4~ z15I^WO?TznZR?M;2BHy)bHDmG$VC1YGL=@pHE_RX8F0J}WtNoE9PbbL?QO*WRU?$j zXwxwQj+w3QVI*e>{5mv~@?xfe_rKNtIkYcIhG$%MBt1A zpf+^6dW34`yjq9`Rt1d}1nWRX5)~CHvSPro?B-IaGHQ6)$f<>OgXX}%L3H3?Mxi4E zZFi5r1cjA$J0op@l~T^|Y_BWv2ex{U0CMcG=U8*QH^Ot}-p--Bx6>X4#@&t5Ihdz1 
z+pcHGUC)rgK>aDlkh@lBab^tPi;BIE*%Tq2kLl`jgq;7GW?bUf8koy|(%^)M*+(Qe z%z1W7Cn&igY%dL~B7npoIO9e0*i2B#ehe8(&5YjTehllk+U1}BllVDX4V}bpS|9~Fzrns}_ zh42t#Gn~pXqb7%r$5bH1NL-`VVKc7s_Tzbs&5Lj!d72v>Igt)ZD+PI=!=2QJIGPc+ zDv`ZF?vb9Hlmvdo5&1SQRWew%7+xIHnXmr#Z zTBtuzx#N+((fDoT+mB%Pz^(<$ft)XQYhRu6B?!cxt3(EZxW9WWB;KyvCf}?JIA=*JC4B(2cwWB@Mg@?W^s>4TSO(>VY#=-U zCzKa3j1QKF6O&AUB48Xbt;O?#U?P|?tJ9kGFhrD8M@ZxkR+Ng=>6n#G{ToxSig?eH z0*?73A~|>s7kZsIhN5*TA(#h}5X=H1M=(VAGqfAbfWi;JxkbD*KbTQM0BLxkunmH6 zyvV3an95AjO$;7>H@k+beTslBa2^GGkyN?i2*)IPZX$7$lF1v+z%exxEC&()kBv9J z)DHGXnzR|g8uB4R>_(|M1q|?BZ~$TfyUQzXbEnt@@st9mu_Dl$uHTBF+8NtW4hK$# z2I$6^M(39id)HB|x9-|jiJ<)mCCSXOvs^ueg2$l~4xF{gXx!qQGEDyXD}^_9!H+I4 z4musM$gU0F?zov<8G`goG<~^8Ci)QNq3vEfXlv~tL)*{<)sQ|iY>a#r=7=|M-5RPK z!M$qv(%e2M4kx;yZKu7zQAE&mjBU3rT2b>K}R zLcC)xyaECVZWWLm7j6}{GEVO$NOK~#Uj)oWlhDDK=%Gr8!8H7a%~03K33~&gaf>#$OWpra4QX zlIV%)yg72fmf>x&CTSe|yH!qrDNQ#D6LLm1HQLqm3vFJ8UgWWA0@ptt(cu;1U5Ku% zz|SiDO9SoOG#gnm<;t;4cA+?4W@tDgm^P9DND6nR8 z63|B&W&q2Z0o>+7kr7&DfE*Nr9~900fG?B&4E4#UjCw{0z8gmv(K`oE7xc|+xryLz zB9|oR^V9&Asvm-+6c2ot_#YM#ki3t{J?;~E<=mAZm`51=gkNM+SU1~^5f?ru*hCN& zjLbbSHoDHz1%%`R$U|%JUX0J+_H0hrJ2Gl$1M&;rBfsE0@@sSyCl5MiilGBi4uB%| zQUK1hb?sY!`rrTVkKM{K=#lP9ZDsCg&)p40V^8lMk;>drZR>Ho$shj!u6Zau`D3EA z@F4h}yGh&r0v!M2AH;~4OQ!N%xx~FA+hSO2FQO~^rhhxV#=oKatLzq5IQ+5xA^5A- zb#L#cdTvh##CLgDIoGdz0StOKAiNU#Tjd=8D!-3^O+qjHt9%#!r9VzMUv1TpHiHyQF&iXnz2Qy=uP+}3xyG%o{-A13vcFC>-2BGjNB2cMmDFAgu zI5gpF6!iJEpf*G;0q{uy0ts+lE9uL+rk#cEluJJu9j+`rSdWdDUrdCQop_Kd>0+YqZ4&3H0O_<0hv|v=fP5GN~DUK zLfl{ulXz}MOBk)JG;NVrfQraS$@95T`O8H)z~ZD_;V&FZhZiUSaM#7fN3A&r)zw$Uh^qqyjBTPU8WRy zctNTT{wD~PK@eU8uQd#UlpX|aVGv~1AjqkqyY;n)~*J-c=VAQb>m_nuQe#fk70k-XRsf zxxseXA9PdEJVnfe_2^BOrqNOMLt~`Wo1KW#%YBz}Nu|qfSmeCbtD|h+nPpPdG~;XA zy5X>>!8%3p#M)+d8QUYYBe7hnFExGgH0~bj_AN37uPoRXtX$VD)l2%cRDq1xpAoks zd`eKnAX?ue>uQ1}5D7cJ+e~kfQz$~GzEJ2}(%UJTs`!K;bR>5liHa}I78Sv`<>Z<2dpkCCBFWeU$&poqd&P{g&osPtsTU<@E(6eTaYL_!&t z3sfL4MWB`kA;WfQ7Wb={c!Lm^1WM%P-ZWy{QzF~jC^15V)T*9FTX?cjzeqv7mPJ90 
zC13$oZ9e{844L*0v762P4%nHy06^lK8B*oG9cF^MBv)d-k@*P7Fug54*a*j5Q12?( zGrofmn3xaHsHy1ycdxf4^yxWtxl0B>Mu(=8A;heik~c^I1?RWAK}PUKng$90n(Yzt-g6e!Ws=m7fd8-+^3 zrbhIVIVr!g!IbK`lBLl{z%%%6;cWWDfa(^sT#dmowRMLXt;o9Vfr8GU@8KE)>oiw~ zKi%^qVUDz@;Xh$J2IvqslT~2^cSjW_f@Xttjqe>p8x&0je0IELkr>7c`w^zD)D-wG z1131zWsQNR!8~0O$4VXe04)WCo7ylSepx{)O(lcQGpptuGe&mnvuz#eU&|WC`l%R1 z<&rTgqDJ~q;^lAJ3{>U~pOGO&q(mbuQE*LI8F2a7neDWVOBuu$C0W`l^s$mH(!cdo zT6K_3j|&2M`RJ2oG82k6Fs}~TE5JvQ!al;U$M~_@qMofS`g62Jjayr!S8Xwzq%Dl3 z@0sBw_Yewr*DO2lM8E)+OsRHnCswPGD@T8?{16JQttqvB%d-UU=(YcnU#oETEV<@i z7jX>Y&F94XNGN|jTQJPOC4R32ww02$0TCml<3`MCLNRdR@fb?=KgwUS{#b}z4OQxczvWYF^uEI}C<&j?B9l#ZGIr!qE_L#90@ZILh z^1H8?sjL;KG}hI;zr1wayp(Csf=EqoSD7ocBk;iM4DO1mW>|{nU_eQRD`7@}V@in` z-656aYD?E%bpS>{xxZ2w z;j?hzcqL5J%tH;@P}Z4pFQlGGQn!zj$vXBvrRqvIRD5#UIzBxB%Tj-mHsCypLRQF| zK0$QgR~9}vru>3m@|Os^^UF(s609MMjwKVI6G1=)P+e2y5_EuM4hTY?>Xu=n;@EKt zl>pKX!IgnYwUX$=NsCc$8)+aQLZuOd5fn=LW0MiKUWpI?070ieRwLPQpBI8u*uXlh zu&n4|1LE5l&M^6xqRsE?eu&vol!p^MZ#MReac1qFq|EBy-Xhx<)S@%^k!$+ zb#K}}>V+?2iiCdKVfeN~{~g0&cvC_awZBpL4o09nceb40p?|;j zaNv6x__^%#JngoJAswfC=*OxXMzZU1;O*ha;Lv1sL&P$}MiOE=7HtWW11D9-jkrHG zAA(lJej;!VaoWU;#b^=@2!jq(vXL>ES@XUz#ggGaC)rJk$U^esBwIcnKp%Sn*}0~3 z$9PdKs9Y*pRjWj(i9B_Ex&U5H+Nl1=EH#Mt7Z6VJ(AJB_+s2L9z^j|z_8v9+zToA} zJ0Jh7K;C{Fm-`pvJcx<7W&B^xdOH2T1e*av{7W#Gr!tLhu*pkSF|sIB68vyKLBP*O z0EB*xW^j=$5YkFeCJV7*1g1-%DXT!`s9&oJ3SeZgBBr}T10Y-$!$dv-i%d9VT@||u zeNp17>`A?c<@0czd!CeWs}}bWTLx7n`KGMT1x3^7LdWBSj)iCQAlwN2fwtd=nBGp& zf(u5Pl#XGyMGuiM5++X_3s=#9>C&@`2-$;CaHQ@P(lQXQld3Mk->XndQlxG@4XiOi?I=R>^lPegg2sXQ#Kar4sO+RNm zSxOpKXlkOJt_i<3bp5?@D+;Q zq4F?nC|^x@i!~C-5EjpTaNG(|t^x$7G+?eUOk-JyW%W$w`^S*jbrU!|3&NO2&LdnB*u>~mt6F0^MTT$)r7b{lr8LVS(6&vf=s*&Ha zXzA00|9iJxi&vnRpWM|jl*&10(|V5;&cOJKTbvzg08o-6S>a4!@>*_`ec3Qo&50rt zD4}=OCh#fP|CyBFT?y8;Ozf?>!|^n1&DKUeDya)UMV(|66ao$aQ0-dfzlv)}HEPzZ zM(!q^Ur~c0mL`G}xn!S-a*}T?zoErUY#xb)IH)O@sJ2K#6lR@#MorP>bExE zM@x?CYu9B#5pG0Vdy`QhfFD+V7f@HmzBGxq)70f&bzI82HcX~{H?>yUwMc5nxj4Wv!|GM!8 
zsKNbh6kNoS;NjT&bU-NHcnc_S2ACT^#M_`j{1k_Y*N8P)hvaxKM6b-U(ftX z8&d=gSx=oeMm28*IW0wjS_f8X{{>Y9^VI=?Hqf3}<3Nqrdw+xK8B%o=RST-ASv7sE z^n8j_Sh=+;mr%(T!BVBATf5blVc_ljJ@bWK`?hpQQnJd#ZgnCV~$DzL*RAK5Wx9%^ga|=q{PF( zA=f52^*v0AA$$oJ;HOgiF)kk8xcaYUDP=d_l@d1S43)JRxhc&Ct<|SEN$jQJ&tSgr z92%7|OO2qsuEbja6*eQGZqPw+a2$QPRT)B;jPFh9V%N{9}j%@9EVF$^Ha)=9;;o|HtXV{94?rNw2J1Zd-LU0h& zak-wMuz)NmJOQf;O9nl|K*m$eNCQwBi^_*_vX&XyiZNnCu2VIGtU1KhbCS016PgGm z(OTLpnV@x7%gnKgf+qXeR5FB~#51KT1Z*_!bFig^5mY&c0&xk80Npj;{$o0qY%V$> zwDfgE8?y}8`K*GQ{wTPkgZsUAXdWi%<#c6g19xi!AE6BmQcL!MibQFuOmtvB$Vs*g zbK)w1*8(DAi_kE0{!jTe3ecm}%?3DnqieVmt^~DU7s$(NiF%UHTu!M(sa@XgYlT>s zkZYF%1}#Fg_}CnqTd?_&vzKWMAR=yFQ(3Z|ALR3GN$MN_DjH#;4 zJ8rPAf}t0^QZ~~F6};CdPpm~gzLB*68~&gg%M~=et03Tm`>rZDYHWJ~Buoh8S z!qZn2L4X!xUMmMIrHST6PKQD5VI_{8yCy*=$WfO+;O*UGb(at+Ab^kB0_QU1d2;#- zvW8&)O9K=wzaV`1HEJW*Eu5KQ0b8Aog=cWu+{r+`dAb}_Q_3uZ$~hNL9Ee9~i5r@v$oi?wkkan_u?Kx+>2|Lk6~oiA1%A@l>O7WDi=r!ooo5~HQSq=>Og7B z_XF@{+=W;%?SIB;`cG$<0*i3M`F^sQ2+>-7nF&{%EAdzP|2au3Ct zs{tNYt$gC^E~ZD}=T;}-KF&BJs|}k4IbQ14pKjeEX(`GuOZ>fFVY6TK2mv(*C>kQk zy2hqamq=|@VxDw$x?d2`C+8|5U_eU3@Yl>3S1$xw^BHc*ely-LE6b`VbhB>@@mJ32 zB_QCqRrO!9YNarNl%8>mpMqN#KU)e-V@siFY*l2vUygzdmc^tQB3w99%)~D>e<23g zts%fNT}yD2a^X>_V!$0_>bnm3I)fJ0-heM5bx=lI)>t$zUKXAadt6+W@d68pV)?!< z_6Zbbqiby0mcuQvoeNBLU|(`xi(N&vM}yb}a0bC48@8dC!pJC{H@^`K4uBZR{^mdA zhcOXEr(TqNpCVsEQ6m=%_Y;ldm8RihZWfIu%n3AK8INOe0wbw`vR|UB@hIgE$|^8a z0!~npj{Xlr52!@Pf?E@tp- zqqLIb8^#?=$Pn>^0FgEpVq1uQ2>r2zmcM^G0<{3EGS{b zxabx%WbG_pt6H@@jLHEsomua^QqWX5gHL6kD-M3u&F!5-lCmDh`|7lu+^4zIIW@(mWmCi_n9wd>F|A+&uEJs~ ztoKvh9nG;L^R48-b__3m8{-43$NM$63qvuW=KP;7Cp^pe{jcGzsZ`H0lv4Hr7yRe! 
zQ70Z%WwHC1?oA;0UGl&c-1MR&u2>gP3kM?NFT3%89hC9kn{4tp0qam4siBnL7}+Lr zjinW_#iOWbJ%wZ%!eJT$E~Agh`Z9U0*|o-y1HNq-@MyzMz}5LYfKL0!h6@y7Dt;3w zZ41$hL0CB6$oGsdG|Q}HjIJ<7ZZY`{oeiy_N@^&hy3Yg%R@0IpKHw1B zIXI{kovY-r`8uk4mLio5q(IzcoqS&AUjVeh7A@kQkte7##v)8O?1mI80}8SbtPlu6 z3P;Y?I|N4HkC4 z9uZA@Bn3?AY6a=b*&{i7BxjHGtgx;QLAT@*qOo@@-6LTy0_9>I4LW}qpkUiLm&^si z201cVsXMFMhpH()N3X1-@=!T6Vd;BX7Vx3qip>1U^u788Qa&|~(rky)_=AAn?Q#?a ztvm>L-@zzgdrLHW2)^_^QoP+~*;u)^KXf>49P|BkOQ6cYLnOOLW`R4_O=Ct3Nik)$ zMN?K=G@Z3YgPARF8%9c+3`-C$x8s5!0HfmqQ}xIeVi zpT%QpV@s(ZoDB&N?o;?=l}CJ@zAW$651^gzK9t?)&2ixrMJEd^Ig)=NYtgXz2xozw zfc(hsV=K6aoMt!IkgSp>SHL%lC1BPLCXjO;(XAY#X!1Sf2wV8Vb}rED1}n3x3$(jy z+ljD1cQ3~st8G9Ir1=cwJDOK;=z^KZZ}jV=AD~_RLBw_DNS)zKSJBovf%J%Dqf#7B zk4SKf*O2;@4%Jg2X=~wFol3WmA*!Ou92rVv4P69T@mTqX@C&q~5DUr(iv#hB!MLXE z1_Y>4pKbURx>ODkY!ay&A{`qdqlmkj3!<%vJ;7)yHo4YnKj0#s6savW8{9pF)#r*1>C z)Vfvqj^Y#AM6&nI{GNU4@W~s-#F{!KxgE+KU(e% zob|aSBQGy-wmjz7%P3^{jJ$;DjC`&SdI?g;%cKqxl-vsIg*$p7JE&Lr4ljv%)GB06 z_QDtS!rKo*zD~cAxf9+r>|W5exzcXQm2!$JNS9%K$>}kQ1GZ$|oir%r0`J|jGzC%y zJUV4bT)Q{)MZ5E&+;!tyXeRLw8C#SYx1v7E4hBz0HEnV0Ry9caL-{wp`swDVXn!@m zuX(S{y*n}b5q#uY{?Sbp<+V-=d8f8GE!y%^DtH5Tj1#VBJ>S(Zo*tu?;rgSN;hJUN zvOSPHT0V!mw7=F951h5-qa^O;ZX+dWVvpej5&=L*#;&EwC9E46Rca>34KO2@NJ_L0 zvn~1RmF>?poz?kk$_)>|i#2_F#})=sc0E!v1w>*a!0$IGzzfU#b5c=y;xw+pkc(>fd*hGemvHcvRx@nfFD%a`9=Swz?T2@fh-hsJYgvNgAVE%^$0zXyJ2c>lS(1i^8f&mu8J=BpHly9JW+N zo|P_yNcih*V+$n(hp7X}?HMqg-D2+;xG~BOos&MtrUEixQYAq*o5CK-q26-k4!>Oh zU*Qe1MQR(qVv7il!5!(NF5UMmjptDL-U?Qp?5~Tbxa+R8`BLW7&I5-0Rx( z{(`#Ke)HVsDmrnqS0M-0G2y1+?&7k0Lj<*5siYoIwzXpH4qjWq9yoAql;AsChS)56 z4uf_2sym51;H*~3??5pNr0?y49NYp2psSkTx3w|ANCi9y@UfC6@O^ap#zPHJX-&4N z@OWcaehQEbkv~{W0IkXukXLR`oq*x?&{x%Vd|g84j*lfFs$%&xDy7O}(U}2jd5Km0 ztqd{AmO*7L54Gg}VC1Ha+HqP4M3er?&|WnN@~40OKP-3)xT)`gQAEa4L}Uq~6}|9e zJ$O=yvX>R?H?#TFM$%~dn8hYO&+TwKIX#|p13ka2k}*UEE939-kD^erxJ4)RTUk+( zw@OqnT0>`Bjd}&`J*6bD;;7~6mEF6%pIXb=Go@*TK(H%y3o|rb%VsHV51%^Zp0;RZ z@3+{8p;msR7_sgIW$VzmydtN9i}My5sr*JXMVx}V*c@%e_TZd@)|wmDF{@5malcv@ 
zpp;9a28^s+*HenUg*XvOjI>5Rxt}Y^rFVXRPDo1 zXrX=R490dZ>?YbDnqH-5zv9pYR^bY2sxi+a&SB%WPvH^gumQr+Ukp`V`*DUptEae9 zo4#x3Cm=8o?u;;?6)wahGrAsCGq#96319-??p~1Z3Ref7HNA z4O6#^uNbMxS2X&-6&A2mLcG*+OlAO33yJZ2*5j0l>yRO=N88v%quEWeca>kh)EZ0F z!2`-pBPVHayAgBCIQF?CmsP@~Dj5JI7(eO1V- z83tQXV*e(@er5yy^)PCV*cIk<13g~Qk?=)>6PG%MK%px&-Jwgkya`tv9Qtj3FLs*Z zWTJzJY2j|L^IWs;LlixFF+mE*wtxk=()1?+bEwt`%~jHDd<>qbDAYV&Sg;aUm_?Du zkQ<&&8Z-x^Lw*7~O3(&>?w~gV+61OZtx%myp=P>@rv8E4)ht4zHb;;g!zkzcLL0{T zD#?j+)TMwrf(>TQmJUv0xHbalz(pV_m6#9l^+rjlVP&!A9=BJM-VcCu5}fIrq$O~Dct5@c~4po zq!Z(48>5H=AO>UREsM1BB*7wkJ0;>Y$10_NNs1&U;_c#Aj-TNykv_w=WT5WKk-Fci znm=5>PR&(^1f|We&w{3|r}BeUAp2dxmm6;2lhXq&)~j7>IP|Tz5(M++%#M+5#KoMv99@ z(lrIxKZ68;P4!ji29^pl)i;zyaPz2ZfZS%DK4w#RYRX+6mFzU0l>q4pHp1P)$}PE; z8TiB^#pdJ{c_@#h>+}5hr^v_(TuL(8qaGX(sdXSmSJTt)HSR0Yu=W4%Vdt95)9u_ivj>f7SO3<(`zMv18`AhpK4l+7rdz_iE_&kOuX)? zr&c?Qx%xuGMD$j7%d0$}Pl+ge#Pozj+7|RO!oM2yC(z)Mf(Ob(> zlr)}eTnnvA8j_+6oXG_gl2M1LokTy_24Q8RT*e--qdokxgvB$HeYe3PHz9U_Qt4Xk zgjg7_Z=jxWh8yu7a-9 zSK&jF*Mg0ryG7XoP+DTth+b}n3j*Vh86O>LHDRR?sI!6l5qE;v`G=-^*d^i%Kv$+F zXl18hb6@qG?iguPe$_|dJO=!+dQ5$H>HxTEV=s*@dtYhpdLKg~(S@>{%|G#b8H9% zL4ZqS8EnXmv4Q!~BjQ@%5m`cPFaXIwwv1S3;D?GH{E2#+ ze0MfV2?v9E7GnCJb+3ku11IURk+B#{lEUH)nVriQn`GRAM`Nv}*ewGUQJkl-RwN@Z ze+P({>mjJYBXqx;+YJm2lvyJ%6|6gAP7q3IzZTgo0t+xqOGaN5X~me?m`L1BgJmgx znds=5RmEa~Od|%1Ises}W^jL-+S=P2(s6hM<>BKY<=j$teTVWI2d=wHPh&rkjK1?{v5{S>*}_Td@)Mwqw8=r z?Ov#0JL-8%XwTz$p3JraCI@%Kd>|czZHcO&7f>0#b6u}kSb+PvaoajF0!&lX|0C2{ zFYSR_YK73@8VVb!L~>dpeue zff!MgoVpkD&2((Rsth|kuaK(b%lHdh@D8Ag7qIyWSK-DR4XdF9n~xTjoTiFlS0iG0c?eAXz7r<0 z`}RoC93?H_e)pchS{l8tOO&D9t=Qrf%Ua4=tU!JZ$1-hc==jK)*Z6nkiF6UlYikC- zZgpKc>Ewpu4l}u56LQQt)V}i1iANpu&SU1$~PE$|J{ic@zFeckc)Vb^HW5VPHQsOLkDY}50twQ)sP zgLj^OmQVqg8>0DrVom-x%t)tVfHQ*$NV07$ZbAa$=&2pFUrn5G>q@IvMb?mb=*`!i z#=_gDkV4quTe>YYDTMC$(DyMGVWOij|!5ruta{hNmuaN zvzQwMBQ}&vdP%XlJ`k%GiAh{{nzeb%R0@f=B9HQ}VSV;RD1uE{v`*zNW%qRQBGy%+lWBK*uOAxYfFezZ@?my|gS^Hq9b<6aMG0Uv&+}Bp6Ywb1;Fq)etb6 
zx?dukJ29=eJ+gA1BWP1c9~u7%%N*4L;md`Bwp-Z?JCaW1_DWR&cRL9L(qo3>1ZAkDB2Jg8V*3L zC}c;Ajko23;C9TqzdA<0BLAhhgAgASfPx?pLB!yB)VC&|C6#)EjU`whLP2?=x6?7? zijOotAYv#xZi}iff?#qp;u$D`R!q!r_^fX0y!-=*7x#zOY71y8xmuGv9G)u1C5&xe z%2Zl1tjQPO)Gv%+NuR!mAGgUa3c&&@f%-HwXmi^~g=}>@NyI8;yGglcw|eX8r&r_m zpORj?`>GFXpa!?KjwsTx@x@e;KSrQGiJHS*pKgHn1jG0)a*jUVlXrzeIoPx1Cf~q| zSeBM7_efCm*k*<7K*VS12c%Y1ftLXIv&PM2*=lI+m>MxDquP2Lp4}graaCmlYJ&hH zEFS@n@gs8eW@ytvJaS)d3qFl#PwfU>3j zGNLMD3CrC6j=nWW!{&1&Rot2yksJujQe-n#7(W;Z$1jTHJ%M7V+5LH^T&xDqY44Oh zlpQ2{&UWvZ=nC-qFz!4EEZ=;aH?H-isZ9MsQuyP9{a}8W|CCov^Z$oUYfM`U#Do6LUjp?2XTp z->gDM%;2hn#y8bq&4381L8XQ>Y%D}{d_q7a)u!P2MRnYvG!w@9Q>8f}kqp)kKHU+& z0DkImu{?$yU*LVb?BGLmu-=7FOpC}&Ra{qeEX#^}?hqeH8p;~472dzBZE#BpbU^ZW zRrgXE7nfOQsu?5RfiZ&hc6)v{+&1B`!w%;Swx64a1HmZ5wXj#1$9Gb zRo%Its)=G*8jjvBM{`Smzl$&apUp>(gl8>y1@bou2OEp&CQ`j|nLPd+$-BNy;%vDxcUqkZnCcBT zmJ}y@BP>~?R@o|VSsbPmFm9l$-I$A6IkhbwC6g)eLWJ&8`ygm*Di!B%QB%(|u=oWj z>u^QMx;>zK~O zAkzVmka-N}L6du#j=W@=bKdt#RZ3Cs;(F1i^KR~rcx_xY)YW69V?;M7+%5+T2UK9k50P-xIYfWiq|8)WJjk2p_?$(8CRC7Ry58=?6j)Mph?M3w$2 zgq=*Sk+5UHkKigIVO*udEye^~0-%BlDG7mdrP5bjNmNv7kcG-f1!7(kE+ZxFt6W1r zp^^NBIh0r9$}ko>0ApQVe>_F>1il}7L7a#VGBm_z?%pwkJpu*fOs4N6k3x5K zAFHR{sO@Sb0MfR;T@7v%V#RDw1s87#3rl`bZwc!Oh;7dpalG1A>Yxi-&9P9$YY>bB zeJ*#G$j$zn`fBkfb@%tD$~7y?V=HdRVfvVkRbn-!zW%apTK34N9IkP|LwfIw>wc-VrYNB9MAid3R{f>bL&|djvP`Q3Tw{P>NI~n zmVQMy`#+}4jl`f){GsG^;D`AR;Ls&-r`UL4q5PECWgz=^=!CLz%gV^^E0b}+-{w#x z3xSYTwJ!azGoKkaA*4TCArU*YJdX|_D6dKD6U<$4HjMQUN{+HCS)6ftG+ee&LyflV z(y_GBXEcWEsr#%&Cq~g)M4cBeBO4V^xKGG)(S3po&c_9<#07~&DK#eiY(`ZWk%)KP zE`bTsOG6M%E`gGvveKbTrl3AeZsbnQ?>5ytv1E%}g#b=4X3Gbg?Aebpq~uzaUsf$T z^Qt`+2J_UZ%5OzOUcRTDu~f?Gn(g{?lIZ$)N_35{GotIaec7_zDhTW(UCYL9D;Bz0 z=~^aw+{n2n?T_}X);l(&{jt$ZU9EQld-YV1t_D|=C9^i~OaYjmQBD%)B&e?LEJ<59 z*H-SO3ZfM5k!%B)z)<2>3K`?;b54@nC9*GnWAJ-iIIv7sjcg`;jEymRBb3>`YJ|gp zs>`GkZzdI(@0OT9tELBWI#9(GS|F?)ljN}z=8rH89Ji?Xp%~{HY>gv+eh*~_4}3bB zo~<&ecI>G?Y*~hz$TFOt+(jQ^lnSBZEipKimFF#Z`lt{Qdy6^U%$niL7NNPf#Bdj# 
zw70|=JJe5dXm_$usA+C5I!mQ+|4_QNSv>q`*|Ipjd#Gq>#f>T@hDnH7#n@p-F^Vs@G)%=5zi^x||% zC}F1UsGb7$W`1sQ(=pqCw)<>%9J;ZIS)pYo4juMd;=DyjYsp&iyirUdmX!|G!Ht?M z(^x-Rc%ku4?=Yqq-0m&p@C@(5ZrN66VRy6&mB;k7++6#nE*~IafLq<%lvrW>t(){3 ztXf?&suM60#l(F4*zd{X!=xN+c7#cAlkAeY;=JIbV0DsD%@w zx_Q>!I9;t6e`G`6M(zgs{7>YIi$1 z;h!a6`}+1~(M@Mz<5>Q%1ch=J+}bJ-BH+DSkPb>>uaT}l(ves3k2JSBiNso27Jt3~ zlRDNHk3SM6o%HIk3y7Rw>Fn-Hk6$qes1PQg9eTd&rb za|3t!Be+@u5diq}^~tXo!C=Tmj??+|CDUS+%Jt&vZxX_ql2{1SbH1}gZ7b^|b)+&^9kY-^WFBIdKIEtf{_tn7CCaW zu51J$NoR+p;NqHmMCo#Z5`~0Gvgz`5x$CDpFSYJ>u&PrS^b>BkYY?7&Q!{Sqvb|b- z1AO}F?Yv{mHFJmDG^|`GYbcgw&XvEc9jz_C#X5KkXPEQHKRar2c-XEB{hdrpp;2Zk4V|| z?OV2J6#`cO3z>-M_9NKdrLM z*Nqq;6se4on$dnJ_Ps!nI;J#&pn3=w!~ko&1bM@YG4D7@)_%r~4TstN_AbUc#uXC( zq5!8~sc&^)i=Q9L&OvFqFg!?!);eQ`~ua z0O5Rds$|l3g|MSDDVXPt0LpL^d{lFojYw>-PCtyCRFt9^$?_3LsaFWH=ApX0cn7hD zOgNtE&FTFIis}u{zFmjId`#P4o>}fY5`bK>Hn$!2F#g&HnHzw#kLvG~qm8_xoituH zbTUXk=P~kz-ix<}bY(`~QAX2{LKuM}G7s-fpla30E@7F&!2cBYw*zloWuj`=WK)e2 z(P?fhhg6Stp4CQSiWX}_^xPvZ8Ap9;D7s9AYhW=<)iW|cAsNH+2`4-B5qcg4toNFy z32^^_W&ZLqP}xX>_qH8GXt8-VxrT_rCaEDEIWy(Pr$> zXikjD?(&R0vwP$B9Gc4Jo^`18T?p6Er__EvY~NT%yK827G__J(JL_Ri0Y}-zR>t_- zZ8Ra8fm^5`5NA~t+(RUpX48WO?H{KHP4Cu{{I)}%S z(ZdKxs{o#NmJd`wcRWp;aRXIdT8*Z*SMcH0LE3n_Va)XM*%si!$hsG**zK1~Q6F<11!y8)z7b z;Nb^R5s{Kmk8zMhcq6oyt#XfALQuU&p2g|_#KYk}D+3n$7%t)Uu9YoFSIp@yvb&ZG zYN=vjVy^;bfPn+c(p#2#)-uINL*Om!LkKmYWqhTTth};+KEe<+m~k|i$=%B81fSw= zGM8I2xNYn*v}Hoc-EPpa`oUfuynGb=WTHEtTwch$G2d`|&&qxq96O@99mPkGet7tT z{3NQYhVZ#l+Dsyk&4hIdZiX=s!S?1+aF#yId5~D=a5B#24NOzzinHH+E4(nMZIEFn zRDB3Gxq0qj%+ein{eiR;oas0t5Ty&;8t-TPm~dzeFJ_>KN|;r$v5PKX;CT@9Z0b@^ zDTKRNpt`*MSyVYqwVF>SB3z=PQamOT0Zx%Go*21Pq4ty}pGuBs>_e>^0$5{Pqsjfn zq#6bti!7-I1>F=rN;v$;)ATb*O3FZ#~b*%ih31 zm934v`*txV@+F zRXqsUR!bBq5|z^Ox`wR~D7WB~7#L)-BG}-l!`veG9>c-+=YSHPod@(4Ku%boAA0c0 zN5yxGcFV5DgV%`dA0r0ZjgO8{GK9s9D^&MmohXm{e|LstO!WWZyzs1Ee{2w2LhZOZIk1$oeMTO0YO{^q8%_)!YU7rg`lMPJl=r1*p3_6|uOTnHP1 zJIKl4i@pHA21wunIm-1`M1-1=!jO{Iy{QvD4_%2pklGW@OnAeF1?&l;zB4lMnXmS;qRgfgGC(#39 
ze^U4f5w9zD8%RgU{t0iFp4wp-JtUp~4UenHEfpoa0qCAV2xs3rd-^%Y$P7TD4GfUP*^RK|nJa3BWLfE~t5qu55g24*6Z z=WxFY+@0hU;Hm!csJYw;`<9+~_r*e0c&V%(H}!M+LI?l(;>lh3XyLyLU+X{LoRhx) z3v)K}5%Y$+z1)qQZk74_>2da`U`L!rEFm7Q&a1dMKDz>mDWK!`*B~cy_#@~Qp^p#F zvLs(h?{Q03Rh>Z*Ng|7N1;#3~QT5V>FtsjXU*6hcJ{Gv-ZOLfvinT5oIYh{8QbO>o zj09vht;00~k&5F}4juo^b2et^s2e%&S|1KB;}X((+9XayJp2!nY=Hq-jV|S7QUtyVu#Is#>i&Z*-|H92zZ6TLG*X~0H-bd z<%stLB7GW4vt4%1VMWGf(Aq2h_2B}AW_YX$rR5YG$E0NBsn6ib8r)QreGC?~`8~2J z`_g@HyW>2h^W#~kezW9zapJUYi#Q)vN>pz~?YUT`x!4i8uySOL4f`mkVIM)O0F$Gw z5VycIg>iRGKDt;dZdI^@@ZRPHL)Iyn`9doiCNjCSmV65X)ARRU?=d9F!Qc?wYD;5jq%ii^ov z#!)M@Q=yqk(X;J@^ld*MJlJVe?d~)KZzp}!I}N_KL|LBShrvXxz z<*scEt7ttcPopA3SJIW?{2kmZAE+VxgdDlbK3V55CZ!L!=K<+Rn8h|B>s;$aWCBt; z#wEkY4&zRS6BwcE-6O6{Tp<-=R$edUjxXmsEXW?XT3*ZPVZ_D##~Z@c2nOaWBq&JY7Yt{~?Wx)G$iPj)C5-Bfq%(Bunhew%grS-iE|Z>n+{*V(E*`&*b5gz|KMdi-A8=2+;)5o_-Sm2)V`jJ|Iv z@1rcKN^Q|tzuq9Gdve}7&^#KEW5a5E5$R7!p2EfZ`e^O-tEaH6(Kz_=Ddd|Qud(=Tj<6tee z9K;#tGf&P8?0JO!NU)^OS|Q7Ye!#a37sj64fO{3{FUDesxFX<{ucUOPEjJ;Z;c}Y0 zdippXgko`3hHN*5Jjds=qDhjjo)BJqQ1au0VjmwBXS8%rEHghDwcZKbtT;;7PW(&I z=9f(R{vs!}6SrJ^Q6H6y-p*buaO-d&hW}$@plNDB-My{mpJCT4p0KeM3n7k; zrE`6wRfz%TNbc9pvboug*e)*@De+#W?N!`DwAJoJg>X0MSTxDCTl7D=MXaq`993@7 zC+QYe+ty~pUYnhCZw75Vn6`>^1`Rc$^`Sx z>Oj7Oj-Tt`K)1+`>Py1ltpT*MfU}-$$JI445?lC3sk`9B<+C7Kdi)hqNwQ866LrO<3CNA=vG)s^0Z9e z7X6&!_8%r>%M9jR6?I+6x0F^QuZwLdNX%pFBT|sK7N57JAfZ%f!YnspmqE^S7}Fdf zDkEOgV3jN>{l&L6-`I*ekh*qIVWGCAeX!ag?Kmjv$u)%RGPOh_9I_IaQlBp$3#5$D{3%{YnN112RAo-^gETIC^oA!tz4Ej-7 znmOk>l(t+@aOa)XTKbVVPYEv6>TFOBE+Ve_B2o`TQm-YuH_fUv9M)=@d9#5V9 zu+LN;P_5}ZMT)P}%W!$ilbKUhoHWupGe-!3(tW~0qQ-^YSYApHr!Kw5@vDI=b-t@z z%JBLO;r|tjNC#uVcPikW(d~m!)xs6mLpsHGFTtY@tTSGg z3aP=9!|Yis4-ugZu(_PK^#y;E5z75UC*BRTrl;r(NQe*rBqOPd=9D#dHXh)?Hrsz;n0he45#IAWC<6S zu*ct`J}`e$ufdIqd_Zm?R9=#R*EqLQDw>yMqa{~tKF=TliWr9Xrnl&FBdSj^oL+BwDTM2+V~B<%!a;Y+q*;sZ~T_O!jR^-vQ%jrly@{A z-Y2&oZzu--A;VkY0Y*+VCWmpTkX)_g+nnSBP}0B*-Bbr&qNIZk&k2)S_qs->Q>k|o zy1U-8CJ?%sKXSa(e5dW@GHqQ&C_7FGb#mWTk*K4Qtodp&>HgJrSM2)x1dI~6=qSO} 
znF<8Oh^4>qMhFCAm0NHZws_UFs3-jY$x_Dx7g-}Ju`hvj8G$zf?&GK4=S5k@UO;!&p~L&LjMFEk2)%YV-V>^#G%5Hu2KFxwb}4YX6?&)F zgjZE{YzCHkeBWYbE^-rZrQXNY88lM6)?T>Tm%0=CYE&hTwFT%DxQ4PN2+MH3Q#U1C z0j?1%7wx&X4@#T>xJId}COb`z|EY%}VZI3v8?L3yKb*;$ACF2%DTcNNG5t ziFE_v0I~w%u!Nb4+ql0zxxVz1M^2qXfO(CJ!1#zPfk-BwYJhoGWw03qtqvZ}!Dm2P zt+^-Lb*p^Fd`1;P%|Cl~IsF}r>DU3zg{s1l@clm2RjNiys@`bev|ZvIq=@XMbVAy6 z8;>=^j6+=3T_=s1Q@`BQ4+2wY8V8kS6(-W0=ll z(!s>3$IdO-1{3C*Kq_@yFHqS%r;7OFla-B!A3>l29pn{QJ^-Qo_JUeuCum)Pbd&j% z^iXf(bT>X7cwKzDoIEjO%6)^PLDD=HhobRY2o;g66>>fho%gww%IW5_uA*0D{$Lj&i9TW>Ew4(s%#Zf?^dJ4K00G**Cpx-6s&;5A^D=3T#$yasP z8*QBhQ(J69X`3oHJIM)rz15SmOge%i<{11%EnLrILqiFTBPP4=7GReCSwEa5WvO1{X=F!YRN`&!3$fCH>&*-m|hZ#&>0be}R6& zjK2YNHKGll#SljC$5408>EMP53oSoP#WT1eDgAv7(Nw2^MGQGtc{R^$s;54K0Xl zeJuBGwsdABVWxu8O7X0t@?*@V^)`ogb_2G!v7R7Av~t#MH`wC#P7!EOyX7a-$|@F^ z&V;Io$cLv_jFsXk;zKTEVvr^DxpFo zrAazTL1aY}th;95${>_z$sv@pJQ1(d$vdNb5uAX1)HiO{8;QhDBR-z=cUz!)s#cB2 zi0KAn68^}{yq>?0eYkFtv}v56%>g@_b0Wr5nO&T22}{e@(o=>70TVO6rV zP?WZCgJ>-@j}wtH5S7(>m!_2-jrAQyhOBedqVmG4P>b$Vz@%s`<0W;%Rq14qxoJ0! zxzZ)Bf{O?G(;bxvX4Hq)KzhNE#W_B*jB2>w4v(Hfte9`TjLHeWI{New<(28pdW0tc zED7^>w1*BP2aW!^E&tf_j`Hq898lrP3Wj%8{YX+;wwv2{d&K6F?&ZxI6;NgrW;6Uk zZUUNNW0WdjYuPBJ*MTMn1*ANS(V|bv+rp3yP6#@h@D{;V?L28l>QF^ae#( z;2r4|k;27nphmVa5La^%XwU?AV;T&jopMRM{D_#*Z=|x3F3iWDTxPPs5EaRMMS7b= zY3%AnL*_DXGkMW*q&T#*dN1s{1oeyp3H{XXI(o@~Q@OV&yLX$av+=yE@Rr4)F*;nI zq0Z62!oEjP1o$H3Egs<|bRnv_djIy6#%iREn=^v%FT!~fH_eBM z(sI|;OBh#823f9o{hr!N?z4@pR{Lj*fpIefHP6Ua=C>drre-ohv|tI8H#j~^uN&Ia zQ!0x+_Zhvv+($cNrR(?bkjzMWjv-Ln4`g-Thcsu)%Z_@O5QbU?lmemh;7zhizxte! znEV4{`IU}?=KCc<&yxNKfktSa3uFg_B6+fr`UjT_#APG?YbOD?J0K@xf3v6x0=h

P-i=8Ygy}q;6W=|p%uq~Y>TMR0DZc))O&LM;2>)Yx2Kr7F(-D)#zHz&w;@@iqf zyo2rMVd$-IKhLXeZWZ;@LGBj!&KTNOi=lPg?<)Kr;3a-wvRel!z5NP_3Po?5mlm9N z>Nl|7SO*dV?BM(qmRyk%Fvvld9h{SmMI*gnSVe|2obU{W&0&a%KS$Za5W7gCx0I$P z(9?)92GDcP7_GMMcb#WjUKt1jv}765Jq9=e1}py7zC#SIYh5CHuxiv9JrxHSV{dLi zV{-#<*bR&$H}Gg~;GMgHDc}a~%MGgd(ZXFutDT&{32sw_xXD~IOwR7 z95S^p93d0-U^%37q9)SUGzKsLYtNzZl!of)Y@@Vf*h(TCr(A;RbOu}m3|;s$qyr=k zcJL}Y-jd}eQE~QP9smSAy@ee{<{TuqfMbWYcO&kXQy3e~J|Q{}4??GrFw;5i4+9l` zr#so!H8#smW1;p=l$w24hRk=!7{G&sB0hfy|Lyt>NU<<6==8!JBU$dFiIha@+JbuI zTY=^lfy^nBB_0!QG6olqFTb9gjS3#irG!R^N2dnFs+i)szzqEL>iPr7tWlJ~O6mI> z>;NVx-GloF?}a?*Dx?uqvrb{ZK@SB9mjEe~yF%php;JSa3kB!mQv4a%^N`yjBnDb< zvc;;}9PO-s6|H$!qKL24%#<6d%vDbc3RNYaR9peySeeX|=fHczcm*i_pjj!i3-^VN z3RAaos9A*u8vLa2v`g3km*Y@!SVFUes=R|y%BTyQGDsC*vW_d1)p{XqC?|`G2pNJj zAz@;KeW7y&y(Eu7O-b=0#ZXrS^U|pkTUzCKnd2rImoe|AjCpg4-~cu{pk2O+a+@zu zr4e!37{O&BdR!lK-9e;}nRPf@n-5M4qxzpOXWX6h!PV_W-gD1%IY9*)Qo4RzHtPon zpe8s&Ym`fhEjaz6lT(*K(Q$PYk0;=8K&=(4Oe|UD6VHu(pc#PFi?r#q#qY-#apzvQN5{-jb*a8LaoTt4BzDol=nDU z4FfhZRBX`g013e(c(%!^ON{v(+)<4G9M>9n!?4;}i zUjXD&{71$OQvO|Z@OXdjyfTir((5e`#}B#q?)n~s?{ua6!VlX_D)6bGdlu(D(&TRq zq{?-nB!FVDM)sSI#bY4JCMFu_!Qjtv*2{ouaUx8>S|$=!q*}}-vlRmeHnA1tA;W6t zkXvS?|Lx)$R9tj}tmSjYePrz3lsM@l+Gq73NbdLYTVp7o*BAfRG=+ZGi%MKXrh%w} z{Q9QqPMwSxzMqO%&<&%9l4N{wfLIos=_jk-Q4?E8ghKs~q>h2w-M(X>_E_HM`a@{w z3k2NIb-0rT9y-Z8L4SUWLB47a7@6qnX-<=XP+?Avs2z8ZYV#4#XeHwMh8MgADx+T4 zb!9fz#|Ny~nPYKda(21Vvg%_!KNtvD4$XGQm%5)>8nLFX5Z(xcF^lx(0hn7LdsW;Z zm;rzHlXuLSPFOdkO`F1qFL9~*p4N-Wh$foX^d83oy)et~uH{mLE@ z91HsjT+LO|sJE7lH%gEn2%Y?Zj8ZzwFH-gg9XrMW*W}|XEXt>E?vNtSWXMp$TUt#a zUoOwSPj;30Ge9R5fKu8iTMSHi8y)>iKz6TQvm2|0=5EaXS^|Lju`E0@PL43m7z(x@ znX6~(UshS7ziE{3GJ#A+?j}nB=%-1XdmjY(Mm8HL{#ekXfa8qKhFtV7$iufw?A{XVfvV7z*F)<7ffGCXb(0 z*ew^+DD@QJ)9agiTJOA1Hc2ZnfMKFQR1+1*(EQ-@&r6te0L_~+QLK6)=8{PF#UT=tBN=!q+kRmphN$6~i|Voq2K5+34mmoT9TuD}%F+uZel8RC8B|OjaH%z`3GAZI<4_C;xhY zj=WtkL_U9&-SKkML=Q{4;tPv%CYwDRKFG-JyK5{iiwTik^aJ?*svb7Z2j^%!y8v2Z 
zqMcspI13&4GjFJNg7XD(NM@YnALjkrQ`8xuv*mhj(|aBa&(+A7v$!TJm^v;h-f9V>Cea_@ik?Vu%6(~6VO)T(6N3f(-7r=}6`yNhH+IM@@G1nlwguPy zn(pF(h*i4VeTbu;TwXIXwY)G4XhoR&D@J6h&DDcsPKoi4VLedxk|N>^@qCU%+J7LE zeAzgygECs65O; z`b+K9U=MgfE|KxDASnt4>FK+7aOj8SCy*_cRlbtj8vIqs`dxV9pRhVhap-AyRmAe2 zLDn@+rzK$ui4N!e&i%&Ouvx}eHKK!ssj1e=$Rc$Ud?zTZDUK#aMcNKy8&*@ZsS5O0 zHCnN@hk-NGv0d{>1K!Coc|Pe}TGl@9xEw zt%6xYkt|A=i>n7OG*O!xbpE<>Vtz=#EVcCH;~QwT(3$|(wK|Fj4l~aslHY@j;Dk#S z7O?YUEMBNZCY#C?OY6We9Tm`VrH`1sIN$h_F1z>+S<;^()@(+oZ*_6*W2i)>{uxZz zenhM-w-2f`?I+Xhh4}#AFI@hn@E=@5l*h=uE6)=*_&rNbKKc$5V->whiujhTAB+&L z2!JdZJUBF#*8PmlC5YPVh^Kysk7NI>;*qdw7z;s_Sdw6__8!9hijr`g?85e}tK`LRJKh1`H1 z70`a8sGi#hP=D`{RBI^RJBfoUID~NLe|xxu&+9nClq%Juw64)&)QZN@C!fXpveKbU z9F{e@I;%54zyU=g`G?9c{t8c9i#H@pMm%_mehSPf7K9)hYt&;{_YrbK*oD!u8n#E? zR5z&{*9Xb=Ius_*f)4Epb#lUGE5f-ml!a>y5xb2IVy}UD_s9gGWA|Dr=U&Sv+GF~= z&)kyF_jW2cP3RSJ2aMh8y}>fe8E#bfgNLg{VDyfM zb$7!<)pop|ATXJWLW8w^v2wJ1(H{2A=)QLUU;pEO`ZC=8U0f2QWOSOX z(P=u-OkG;64hnC3e*R-;DWK)LA2DU>ZrnP>{kp|F|I}<2<3o|1!6?D$zG{af>_B+j zMwj(veQz`2XFEe7$Og#W$y}z5oiy1uAP?sELJYlJ01ZrU`UZ?UmR=O`u4*vyb-RHP z>qhJ&&PHy5W7|JHGc5?WDE}Pn<^E}h)}1oaO-Z3+yhUY7_>=Gi?qj?I$Wn4hn83m? zd~YMxfZ%>_V~T)VfLLXT>=N?Un2lS}Q`9+kAm!%(AGi!Z1PSU0Yl^ON_)K(twU9}& zI0z2jdFRhPxq<68CD9ISaHT=nVkhAp5L)Q_xfh|1xE$ROiIY!VDX4gjGYh*t_Wxjln zU7p3*XRUHfLNaYKH#6UJgipTBBzuBrBjK3d2BcdKWZxUfQYGY zJv6B#Rr{oN)sx8z8d|7^yv5QfuBAbi1``}XT>6O(h$~9%kaU8{aSI#ThYjt+hSRBp zK2?epTTZshUyZJF{E~@J>?&`g>yG6rL#T39 z1liqSb0QX(i;AlejqwHQ%Sn=QMW zD+nGPR^+3Xk0K%2L7nJB3)wD^bb0b?$Ky7-Q$*81n3ymb zgl6pg0K$M(z{-P$rv)z(a|3$fxCD4OV#gXL<5oejUSxBB7>(4^(ZP!+2m7zYif;%~ zXCwi#z%>nAN~Z3e4k#v`xU>qgOeLGU18GZAZtxE*?^&&4JG*5Sqxp>v?DSTR#US*B zc}@fo?0~2MYlrBgBxt__v6K%dO^6`r4Fmk#tjDl700sNS_5i|#V~V=8N9@b*r+FHZ z{2QxWV)e=+)<&M?1)>*c2xL(1t+=(u0uS+ky0o&4ct~Keizl!@H|QGk%i}WU*4r}0 zjt&ny9`Pd!-9sB~ldxmaEo0Yl=y1NzG;T>(y$=eq71>mX;;<&?v9fsbk&*i|W}(K< z1f~)DD!$oi8vPt8gorIw&0aPVR1096PisP-C@kQ7ORCscVBIOcZGs-b05N~cq)er! 
z3nU?2uIIZze!xzUS|`qTeTPmTTZ#nI+bQ$sU(bQ@yg6oUq$u&XXUA6=6UmNZy@+;% z0#q1NfgDZ5r~*K)SOF!UqwVJ57DSN%2#!qm(F-Hl3Wu@ZBo%;Y5-J7OQ1BAh6?se< zI_l*tMWo(FG9^F;yX;ULf1H`Sx6Ig^MBI zD}M-vcYGuXEPgYQM)(#7N?81YgThmXFTP9^PsF+DY|*Jv*QK?6MC5?^D)Gfvi7&oN zeA&_Q9DKy#@?37aK%?8fo)e(*PMqHqPiceKm)G*Ywu#HDFX%jty%hLZ!+o3JgwKo; zP@^w?me|c_^B0~?>!h5qewg^h4-;RKJ4L(sX=w7`I(SUJ0e)kl8=sBsJcMl@VQ(rg zS)|gRdQvSJg#L7m@Y+=`xgj{VIh+%V@d#WZk*nm)PC+(Ukdjv;iirWK<({A4r-pGo{fGIf3D{@hLyGZY2EW_}dmCg>jVr5*zw<@49;A&o0? zICnfR@{g!eZF8|P?UGJ5YM*LbS@mY?s>;j^?b+>N_lWVF-9Bk&^7|P+eQkg8#`v8}I|_)#ldz3IjqL6x?f#Go%Vf=?2R_N6LO(W#4ATSwt2$$W2-lfdQ9xLmYwE75AFXLoX&ZrF|3U%qs2iM>UV;w^DA zSo8C6+)OGyXz_#!Du}Pl?sCyRHm)<5OZ7H7)7_#o-7UM{c^*6GrC_vQc{OVzMZuQR z7QS_l8V&@sdI?I>o~bx|Nx-T8@I%NADJ~=)!3HS{ERUpWO4=Xq^2>!@=$8weT7UR~ zNYDds! z$^ngS>+z-5m^a4^^D#}=fCwFFEl__3kNel-BdE|UWr_s(sn{QyeSCEq=wmpak1+JlR1JH%wG(d6My6rE!#$(Z^0QFM1#Xv+KiJ5y=Vtj%W42R4 z<>l2M)w5lR6qk;-L~pBx8pi%2*)vjyvHmg8Yhe4Z3+7j2;Gk)cs-0Ap5jzKe8=s;f zd2+|<5|MT@zeO$6>)T}nd4VXCQ{p8g!~ZW*sb?cqf;V{$4KQ!+_{eY7ps&>rm(#f) zoL`)h_|kPoXHLtaYq7V$ZV1!P zJlrvNPs0~qKcFNtGYAdCbRt%XwE(^bBMFO{37v|gS0)oJnyi{jOQxu}gFq74QYMGI z-g0P@Tp0q(&TXvrP$gs^urM9QJT8vE+UGIFelP$f-sG&s7lF|DNt1z}=lCSFs~H11 zuSj4s*a-qW!8uYzD7ndGX;pjjrxuwad24;97(iPd9PfCYeE>_`^`RThehfW?$ZnAHG^(c8);C1F$rN{faRU}8EN=rtF=fi6#(5-1 zOgd=QJ$=16y9UBSy^6YDxIBv#E0Tp6;pMdnki*wML2u-uj=`)omxjTFO3(Cb17ig# zf$^pp9w1dk=0z*i(6oR&D-`0V%w8lnu2h1auk)K1%0WC_L!->-Z$hd~R%}wbY3Uw0 zFPAE+!VB~5%O&Xsj&t;5=nna|u$rQT}d|p*?abGNpQtYK?T|y(GY2 z-)n`QcSqZBtKM(32W_@9L%{*cBCqH;gbjHD+`z@?3u{iX00v@lNsP9fA|t1mY=y)g zN+A$tVuUnoHY0yPxvZ;E93F# ziV|*2uTRka>(~#ORiOBaKZsehsYxvaC*$kXGXa+vQlYREm-^+jl!oA3kAIj(7FId{}&fIkc}J zEMLCbc=_f@k}nU`mE)1OcpPrzt1=G!6Xd5tTVj2>+Oz|NP}43QuVFK7^=alko^o^{ z-c29U>jg(%lB8AlYX?{uc2LfNX0}h@6$Q$m9AQlPS%-$f)n<-pP*)`r%d4%V{Cc}P zjs636_gB_0-H=DdqPW)8N`2=m`EL>j+|Q+URwyciwsR??S ziB*&o%wE2IJEq%$c6*ReRf!fVcR)~N9Rvojh+Nhzw1_8KBH;qSJQ6Sde^0|8vTQXL zy%qYf@F!Ri6g|x7{l*T6nzrJ#jhg!L{aOY>v0gh?5PTPGxJu((W~Lz4S5I>KpE`PRzV^qg(-U`=p;_ 
z$qjBAORCEWHXU&OGB7!SfX7Y4vq_Gn8njV^M~g{E zv4ulCGuv(w8**jGOLm>)ac@<{rNW0n?PgXi_=#5k%!A-Hw`0S<*zs{Gr{Gz~rJTb4 zWiW6%)6g_JcHp;tZuoOMW^`J%B(6nW9mn)%@5UzjCAwTjQF3;TE-iW~^x0z(Y~U!5=)vNuSTJmm;%3 zwB=@QpL$si6E%ajnGi-F=ErIg58j?i?ZOVkUjG?#tl=KDZP47w7^&S+Y%wTNMedvL(L79(@bGGnm#bc z`6pS2?RRzxmKTE`Yp>!L6Zyr&=~iX^6waFC448nUL$DK_wYT;Nu+_IamEq<9@2>N< zrw37kh_>{l$6Sy1w zu=yGHqxXR-NA`PeM>|oFUjJ6nDE&eY=|}Mk)Mu6R?0)=h++(jCVgAeAEI2Etm3czP zkk^pycA9oivEvd7J)=G5c)2=|3{rvuM4&Rs42cu_u$ND!?8th>kP4zppKfFH*3LR+ z?}&zsI)Mj4uo;!If5;j1jxhh>ks@-RQ08CK*3x82Wy zsiPw;q@yFeP?F=E!k$wOV3kT-IgO(q^#x&v3Tg$hFVu==**XsBqG(eE%jp`4)xU{Y z5Oq2`8|X)(X4dM*oW=Y6lM`p--{8+zElyW!G_|y~7&tm>p>hY+5N8V7>HO!=jXP%5qVg zoP7Dxu*4oi4MafLr<%h-%{i%x)Tfr@Hln;BIlCr%wj^tQu7M+QuUwa#%-=j!rWABUG6a*i! zMnLs!oW297tKZzl>;w~hvAik>SrAy1P+ZfHpfRKipqJ^Uu+Qz9i%U@a*2P?Wrzj2{ zy>>rbWZ;bIUFTP?C6@xdeEk}gH`|+ArNk`hUzl1535JT!%ZJ9V%+}oJUWRcoX}30W zMRED@=8i}n(~|9RaGDHRtznU}Hc8(uPfzb7K1KM0Jj0Oq$5^ku?QLwvcOAoL&LK$I$Z|?Nk;>st2U7dbU?;N+rpREiaYrZo-p2UBd*H6hYR8TR77{{ol z>cdL5_6w|JkMIi1hE(ULcEvql@>98z{fN%(kvUSX(Qa{wc1U-n^LC%cwxy^p6 z=5!Sh%kDuMB8xy+@rt8NRF^6aR6nBQV3n(MO6YZc21tb<2`kQGFld9!U>vDi(tO zdnt?@DHX*io>Gp;e5JECcFNIiIf8NM-|qVnvox%W!5@_}jcZ0EZOMQ`F+*kl)ZOoJ%EduoP%c9?mc2cU>iBfKJuiWgZiVx(kxljkp)T>Najc_U}+rC zu{z*#aXHk%fKpEEVfQoo&*L7)(37oQV%lxDm0iAH`o-@RO3%H$*t7f5qho8Yg3Jzz zT!@a>Tl-~~?+YX=Gb*G3zIA}w<^j7XOF}$*7CXQ8*WTX^NwU8ikhXnd?_EL=ccClq zr}x7mwuO#er-iKaBR?&l=O|K-ZF8XAzCs${`s8eR0obRd1zt5V`Umwt&^n+$Q0*>f zleW&i$MptE8#JN$m0M%AX~v9Av7%8FYcqyFb~d%T+QH};tpohKvP$t>)Zgj~4}Z$O zW@}McgZS?J(m&F^U?!MRZ0);2lY1m8Xl9?UK3P~?56GrKxX|gsuVGFfoMc^vwj_Gs zL_36H?k0*327CGT_po_?2Pa|psw7CqBO=Ge4o)z|5%<1E8zzx{^77^T zo8yfx-gRp;_feqW&Y4pj?y8{c3Mb;78iA&T?U z2bJ!?ex`>bvcziyk4V3UbsmKLYb1&b6m8O=qOz@RtLo+sQ4Op>UC=&KR}cm$*ksO~ zDZLC@P^keso`hlpO@q|kr@b6P4-h0Jgdl!c{?;xtd;sZHH5$PSS>|)R^tBJk)W%p` zZ-!FvXC%xcFN4$y{oU&@O4hRN4Q8h0+5_Vl)WQS+EU>=7HIF$ygQpu<{wVFiF#M#EFHJ*Vm(g zC0xC0K;%;9GmxT+I}LTax0g3=ZLZz$1)>Bc+AbkHIJ%2`97|K*@1uTN)-V(IMtq5A 
zfkrZSu}DwdwME1~M}vDsPPUu871TS315)#Rx?0bDRb&~@M~Mv1*ZK<7O-MQf$B&Wd z1n1Q!tYMqWVR)Sa$OG}Ystz`9t^tCrxVd}a_T%QWOjOSklFNlfi1mn7MR0|L7i9Z) zFJIg%viSoKowfxywpN=qqyxU}iW=c^t-egR`}Fg&@U08)$x=P!AZgIH2VjS;8ekTFa=4j>v zF&T96X+_GvOA-Sf97T+>bLPv=buc!Bi*^~sJExd`Xue{KDTwU2 zgD>9Pu!sS|7LPlUK9>(PXsSbKKj50sDQZHxzaBPL9rZ7W?!K*KUanY6<5n|tIbwvD zR(A2f+g{a8U$ozNsyzzU3(=He>y6qpEW1+p&ko6F{h($KUdMuDWkl~AB-mV+i3s`Q z+1c_ZxI(;iiJJd(Zp7jrF6O7FB1VHIErg}qnU+j~Y_@JtBz2^b<3A`Agks>H2}poP>-CL{PU4=3>K41Z^$KhW~e~n}rjYC=>*tOpiiLvDk;iZEI|nI2A=; z?v2!r&%_T1J(xY(VwaqV;*jV{``Mu?EZ(*dKH~j;yqmnF+)84^uC+Jd!g@eJ*hs9s zNVMR(^tR44{C;xl zJb*qhSn1d7AeJweR#5%wWx<8U4-MJ(gvO8IoJ+I6wMx;quLV}P$>0%|OSlnUgkAAL znoWPRL{pU7r>$6pE&Ox*1W&U;i#*aqX2Am4ig?q6fJK>9ij|&m3w9?m{ov1+jhuPu zW`6YW9bbKLa`*(W+%5r}GZT_NXSYfnCX)M97UUo&68b36z<>q%^ZBRSPc-5`Fm8kB zG5PbA`gBJbm%VMDG>kk@4O!F~#FFfZNc*g&U=a^iqu__|<#v=a(;1y4lx19U6#%F; zsDFqiGkz?A$o!M6d|399_FAZt$!+!3?2l~KiEIJ5uJ1mvBP1=bcc5G#nvovRdI!M@ zhaRG}O1%p_9nQ_E-FO~1_Wr53Gb}++MX+NrZ%>MVI)9`O@ScXLW zWU!!7)F%5F63TmrSoMo)r7=-oJoq{L`+&j!aryeqOc>|2qT~w(Sy>V0>*Z^B+*eqG zAD8gCXDs2I;iivxYXmtxg-hS=@`R0#GKUyeR&ve|gE>PfDYt3F(VLuei3nI7_4wU9 zT)=LA3QN=9ak=L)5%|Dy`FO%9CwP2u;}gVQvjbJ|5v`Ut7$tpDZ1=s`(FNKU-OPTt zy`0I1eun`1<&q)y#rloXQwJ17wi%iiMiY77;Tm_4&y2||ci>*=z<7Fd)_LCtEXcng zrVB3^3@sKOe6vKz__tb{v^LR%79Ak?2OFJW{8PkR*sM5iYz6Hg0>+K=V)XJG<<;o! 
z^t94;2S@JIS!?9r*OokirpNRAmT%lv?-E#K>(o)3ITCNNjlB1%Va#yvs0WU^s<<~?he zx`KO~?h(kgl7eeR9qmxJb^>rn1g7He5>!xDL;(RI;yTuEi6yWLAo2ssXn|Qtk%uqo z@%O{qjl(~YbR7W(fXA>+Ez$r{?_Z6FO3fwcW-{~uA3oY23~1Bw`PVd%p(@pEOue@6$fp7W;W%Uzf~VyYZgcF=o0S_w0Nj2ghT6P;9vZ=T;U z*{VHfrIOlOQKwl+$qa=KzF&YZ>B@p%48)r(QJ_;>uH*m-cu`O4)eS;yww7%|-{a>0 zdZItNf-0+L4mU#edOT3;pbrDx!ADZN_0kjxotvSN(lw|@&yO9cQiX;g=~+M_qTJQ; zf(*vYO!gv@f`Qk&`$bus6OR6PZn1F*^)qbV)7(_bHnw8+T&P}AgW^cT?UoiOihTK= zw?tw#FZ(qo-_0+Oz$txpnYl}1opHbJhczbH@9Dg?U4WcVOHCTk6b`1^WNQT3B%4oD zGD4Ik%2;^fqHixx;oci-`P;=Qmf`n+{ow7^?ylu~hU$Tw(=W)w#PLvG27HdpbHPPz zL)+$ovgb!fJ4Lf8q_qd78eB`rEfC(&X|T@3;8ww_KHJZ5e`wi`PwTiRG%YdLbQ(te zkm92#F{YTIqnrR@iiiv>So)C!Te}nFu`pF2_e+L0a}k7sx9q!-ySd=4Gu4?T#H^dw zughF`Zp|+B|7Z3BHMK9_K1n-K9akVl^cPAy6|rSw(b*+(+zTA`K({5fKOo z9hAc1I*?DaJorZmimg0t%nT$W!JLhX#x4S2_aN|>+t1Rr7pdM;^V!ngz+>gBHn`#ONQkR+L7+KVbhfzlB%s^q)J8%CE7S2XFF=Ea&m#nBi-tFnGq& z0-Rc{wLn636=v^_FAnoHxIL^-j`-+$stGIgh^>WSf#!zRzQzn>PrYghBpzYa`?m(= zck|FcGbleltGIb$?qU4FkmU93sFPG0FI_F*UL-toS$oLQqFV5@BkW1Eh@cPS0l*hP zy0DnBAdi}8rSdk@u}VXK{IpnnL{(@%&E%CCv5WUIHygc`ysi;)g&Ou^s1&C%%sv7% zMlF)U2XD^qR;_}8Dh`?p8ffTgP`V^KI|-^<$yfmFm2xsL+kOJt!!d5O0|{J{9g7Pb zFChETc@-F8#s}~T>uc{kn5O_gA+=E4Y)lN42uKrX9e_XVV^-s&+dFb5zSnP_P_9Ms-m_{NUl zzxZsgI?0*oGeH-QeP@+pV)vNH7LVI3sq2!pOd2m|vk-UjEMCmxj0c+s#k$-iS-z4{ zTYFi#iTYdH(~h{^?TFjmj=0_Jh^a0+;&!(qZg(D8%HNLSDke1SGrLL%0~N7Iq}Wk> zyO*oE;Iy;FOov^>o*?T&WU-Ur!>&srrED8y2UH8GJTgc=AVOPZa`KLI<{jeKHEXQDCI z;s=SI3d!srTbu1y{1=PNfN!E89uLfJ9u=(WyeaviDUO4n>cA$*6p*4v_XWjfhPD)V zlw+rull0*qFP86NDIYC?wQf+#B>+}p)L-?PO5e^uEKYBk@mlN7zyx2R_6Tx}1^LD0>b)&;hBMC9C*4@>ppCJ8FXc^)SFHW>`U7gHGc&` z%IXQv_RfT1f3(;*-C&`KAm5Ck|4_A-Xg- z1?}FB)xP%27MPTw-^t!}wgdtId=AzBbmTxuPrsjoT@cD~bxW{S=Tv_*yaZrcbX3cW zGQWma7fQ~Kr;I!EAd98lWaP5|9vh8XBoxi~TAfp@OGUEek66t2=K`~t^qc*Bb+m3fhZzvyuui<_!&kb zq)?cZneB=Tc|0aSXP8r92bd^3z%)_O8@rXyVsAWiFOq1HV2qf2@q31J+%uMv9~NS1uYHx;4BhuSH>V zK@e=5-^Aj*Z?LFGlqs#J5kR(DEss%D;ApeKDxgqz(qx-N=+EgmcX#6_iHb#cd#7CyBMXHH`d?--=htzYQ@8JK6=(UgqPX3!1{DO^ooKty8lnwGxr$ 
z0IRpi#fzdsfR@EWLZg>B5crmKL~ll=;Ki6iy_OfVawqlkjibJbNFf|Ua53!6>a&Ym zx}16Z8!xh_lf_jKHgrZ{Fi=7gI|#9fjGawS5ccDi7GnHiC1OI(u9vr`XH7ET zF)T=UH~5dL!fTIEbqc;F1Q{+*qYE9$#d(GcT!fl$&MxjYX7OA_5PNx&wajtVqweBZ zZXe0mXpkf%E9Sr;%~eCv-ykGny>4xj)@K(@a+U7^?W z5;MyRfvgOcG383p^Udw2bJUmIO*I}JpMMtTt5Cg^6q#q&QvRCVQ&EhTpt8km5=|bF zkE~s-D}-p%Ll(K(?oe<-kf3v}B`-(bJzRbB;3e%_=N>|-{e}@>6J}{edoT>97J^|) zVC*V$5rMI^iYf9e#MPfDH7|kI8Afz08YCLQ&h&N|Q=p47ZU5Im4bI-8=^rG!SQ#hs z|F2N9jtZk=c86ti6ZQeq#=$mNeu5*0q#H~$5=Q}VO7+fV&Z2rxJGXW6r5cwT!pKFe z0fJUoVAl+OKDYqa1R3b#VFwr;7kqiGDBJ@OKqo*-yUv!&z3XJRT@Cn0T@5{ENnZpW z3tcniX%|WZ+H&x~Cqhn}88wm?goO;bNX#JNQCHmND2GC7#BXw!*AU(Kv4^GL;ND%L zMi6D-4ANZRA`;EwX^YQsmK5oE^k;%RIB{N}Mg|(zDO;n-N{7C;mx5}=Fx&qw; zVZK^&Z|vO@i>EYbC3Bn+sX=)jqv#9qlP_5&*5f7*+b@+e;G1S&G?O3rM_o$KIwYmL z14+_ZN?Cu(?A_WCMxt4hi`|ygr4G|ENmVi`uWboH>gNtX*QYI#YxaB)F>FoN-g4t@JEGO>Vd`rVlPJ zZxMDiJQ>-tmRNX2mPDI+i8NM`$}2(u=ceAI@)Hn())*R^D9p-VR;t zz9DQRf?wW$`e}AS*^`)<4*X#v595#?sB?<_fI0q-jvh9T##5wPghz+nPhWINfY8Dc z4`EQd}obzVHo=XzAKmlhZMvoxQTs& zo7e$vVh6gA%u@SARj~ZZoB8sdNy5KflM9wqrlqn zXTedq{#JdOatD@c`t_b|ym?Wc5|TR0n{Onh!9gu)q(Dn|^#+h+>F`=P-$^&>uocMRpH zhAHL|-wCsxd;~lu>h}}^_P^F!0x>TCw^7OQjOb<6=@UvhpOGeHgNIZDpj~}i9wfFu z+@ja63brh{8&UDvyqcd|FBfk)LeUPA6u(>HT!t5-+lEk0ZlVjouHfT`d9`?%kq$G$BnIjpv!aC~Omvr66Vn!?%?Y9??M-DKtrnDi zP~k@q1^CqkAQWN{hcNbFBwXgOHCJaw>UgR4ewKmiQJ5-vQn;@ zxebYYF$dQx7lNJ+R8I4A(8Ut1MxlMFG)1w^8!mhS4)nvb#ixed(!Am<=9+Rk*GYb3$wB=h?c)LhDn5)~>l~-=OU!2W9 zpR?u`_a_R&=@=YcQA%)u>ASuBcnLx{XNFOPMNlzOo%vFRw{uTo_kq0?4bGQD-efa8b6r;4%^!YK}BhnQKq!*&AEC zK{~y;Q|O}ia$Lnc7kUuZy-KB9R&)$u-dZ@OKXsB&)7eFPlg@xAi-)nHf%eywgvYW;FoC4 z5wtwu=BX^FP5Tk*5$PKrYgriB6?Z`4p?UA9)8>#55TLtg^>I1}F{MBRQu7LsdnlfJ zEt;L^ZiD9~@&>;&zD+8clM|+ATB>M-?vF2)Y?GtAK&iqzwBDHQBhH)mH5JUS5u1no&O{)7?+AC*bKsx)3x_%Cne{jOe1;0?bSF1kl#Vzzo`52D z(5rN^S`qY|$^j=9BOxS%=fwYIweDm(6?+kOJ6Zc3ioEF)24mU}9nb+s0r%3S{Lk9j z==W@r;UTLpM9L#j6@?i)%wHI0eh*O$3tmM*7K$&^xEt#l9A)np&&Y=N@3TN-iFZ%} z8vKSw3h+rPBFg9TabK|(`_>|pJdYU;`^=noenzyTea29W9Vyh}hYY1ye5HxB>}()> 
zq>u4Tyq2scrkCH;e{A_bB7MusLTlV%M|@U0qExpdKC2z^S?$QKudH7AjL&M{>RJ8J zp0x=Jm9UbZP;bOgnXX_UGJdaso%c6P#-7T5JE(sIk`5F$!rt(|7EXe;^na6b6=&s8 zly@|dJ{zmXBb3`=z>kg;ab}@Ap8eIZHRdfj zfqBQgDX_F-|4$*JL+fLR@HAGpu5l>bL#{$FvG7IWqboPG$@imbcx&%z6jncd7E$ZX z+`c%XmU|m7Ix)(Qu_Z;F?5nSrNG72)3$+TL!N+!fYRp}0XBs}K`lDb%ju*g_a~9E5 z!lQ?CVw>!m!~vCS4%2y>_Br@ORiR8~e?T9pcGGkdxz*r)((HHFzh1UemSEnDmNg6x z=v#XEYhO0(3NG95hOQWe5Rte#EnbsUoTW2jhewIp8PvHFu!KJyg8lt7e|ndGM~qICmp&=;^NROSNqPwbXq zW*#vlWnj{P9GVkYLGR=tRBH^N=oSc+(EK#36l)V;5oa}Qtlu(@EG^>M3U9EKvUvhT zqfjlB2FEIc(_7?(03;SO0T{1t2GpxeiUpWN7X|eFLYrqD$o@N!TtARt&jsnD)ErF^ zrhrUo^T-mib`;-QO4dG$Op>K$?K2t_c0}XHjv~*5>#-A4cpddP zs!`t9V`~NLlzMlQz`j<~pKA+CN^qhpR_ccVN$H}|dsQAIG_!4z`ea%OIodq-M%saAT4_nio~p*{=tcundWiDkdUi z>o1@po^M{)r)U`&;_B@4j8IQoh#Pp*o$x9=6@kUn|f8u2&@=5y9rE)!R@d`>>!c@RwPW8ZtY z3X6lO4OmfFKrKhWRJ{9n=UE8AWGkO|L&b2~n0QEy8pWv*qWOsmrm)gR{J=G+8?3eo zCN=H>#?{LOVVMmsyip%A@5BY!gIKW8!i%4=bO1R0=5;q3mwRl4`4vIPZ`mWaF*at8 z-hO+Sk{NEAxnavEb6d(DQdX}l|3P||v9K6a;K5jbrX-LFP+G{&(O{Kpr7MPed0089 zQC%LR?=Gup=``Tk`h2VqfQlsxVJ&*|kV^e-Vw{fTT zL&+=n5UrGKa1XZ}7_@z` z!#1M`27A~`#<824)#wa>lHrHV5Dl}>@Wb|57?_Cq6oWMkOsu9@LO2WqlYU3FZL853 zreeJ#@-TiPmSaUsWkW=(EEyKog&g}b_e29(!F^cYs1~AnxWM^J!lNuf1&h=6U>I0M zL?}!j0(vBc`_Z8k_pn$r1|SfLWKF~X1^JQ8C7 z$av-osC3}kWDOA~JQg6tc1Yf1K9&2lt6DV0gC`0P!MPpvX0T`?TaC?jI94@id^;ixfat$U0?XyNXS8-WI zXk6L^G=E}b4|Wv(G(f3-V;9i&wFI;u){9H-`ls=f_*uPEi2&f!1H5mNEoNSLAVYb8 z@hL~}O z=QExO@0%TIXj%qcZGl;!U4cp?bj69d6$_+)*m(U0^%mO8h}kE}tS!tD3sPtHk-`tj zZAZAb{^I8%agM*3bp1Q2mwm%(cN%r0ZF`VC!#vDcJO#jHdy-%k!7zok)`z*&^vN=r zSVSar!~-%hfqJ_Ry#Aik>rbC{(eztTcfN`Do)uB>%#)PhTydKSM@1;`flNG;-0Z1Zb&=gjut0({nL6Q zZB75Q-b$HEW*=ldVxx*f3RktGUQwzUTs@LAX8ROVj=$b}N4`Y)EY6~DAnwB)tAk?^ zMY?Hmm8>A*qGN$UsgTovgH5a5zP4d;x@d3Hn}bNHz+ysg!_frK+E(UdWUw0f%4b4g z;Rk4QMfgSO#K^apGr-LdjG9AvQwbO>ofHHPpU>y8Me!}9OjiGF)Up?-qODzSLM`H7 zwCsBWp5#VHyteHb`p_8kxxF07*I*hbUHCv0HFVN}6uNE|%=P11g>hcJWWW;SWW$#+no)!3Yqn{0&@ZDj?dmI5xMd znAxeKC&bL&Gwf8K7f+aO?FDxUj*5}~%Z1hE)@F#e?ZSJ#M>Xw2E$+L&o83TK1ii^m 
z0-`(l?~u_$(H|!ad~j>MfJjvim;MbefS4KkFIiuoB@ASPE+e{f%@jX^T%HSEJ)fPS z{!+mi0Ew+Nrp{@v8Vjs8i)EnZ>85_>j2^@klXQ)&@u*4|KRIn$Xu|Qw(puvWEgSjk z7C~3!d$cQj}Mbn8f`Fhd+2T$u?4pS#b&A?E~W(sl0_#%Ew+Mg?e!x;w`iBKnumZX4KJ};oH9r)%}1*Oh*XfOu8a+5)u~jD|DDg7OL-^Kp3-544Y-1+6jEcK~|2xwFVUj&buRh@W`>_5yaK73#E{o^NtX$tr~r^SVxlFMMKrZWq{)k1wQ$l|oMO-8AkGf!I; znXZ1xz+;?XsY)9^ddUBC&nQ+j5TZuhBz9_KRlW8u(EXVUWCiI`QMJh^wis3^fofO04tu-SzB#2RkUT5sN2S&* zPKWTkcElz(`3WdHo?M)NKrU?g;YKGae=dmkyba}^h^pE71yQ0!a;=$4wUS+65sLAk z2-FKaZ*PoU^W{3^sukfHqwDs>Y{>ZCp#n8Ccqa_;oxS*Mr#1&9C`jjRg%N+RVIT2> zy=M_W*n1WZz&?4?Wf?xL5r?fw1edw{3i%}~AjSwbLZ?*Q>$v%+n?_LPKt<S>k?j81_FP3g0!BHr5H3Eyg`e748bt(MYu z_~e^=yS=Fo@VJo$SP+SyS!{<#7SG|41&j>yJ$`(I(;v@-0=GZ@FBoh5utSTj-eR4l zkX^yvQkcDqg4E=B00i*)9F2WYrox!V`3gx5Iu@w#L^)=3k!Gd@#eb5?EVD$)gNO%p zSS?K0OwKnfD>$##)1*}anuhGHL7V1GboYhc(n3k&F%ceW{es4HLJ~NP2w^c!mTZ$9 zRv^~;&G{3J&GWV}h!mhgo};z~yxQfYnV0cm)C%syt82WmV=dTb3>x0-?FAdhvQo10 zvC=nAgT--4QuVv0p7$LC+9ZgVhdldkadJLiyZ@nVjz4nJaiY=186yz>d3p&DH4xlJ z{{TY-mJ@1&u`Za2uPx2Q_war}bhd0SyOx6LtTCcqxh^qyAL#UEEC%l^cfN3Tphz&$ z6u99H*1w}6$g5un?Ra|)Xtkc)M?j>W&ARDHFa^#PH#e;RL5Cqn=QP#tNkp4++bdC~ zOkCilgp?arRG6;8Vab{|56c(%SP1uF1}j0lH$7pAd9j^~yHWEbuw3S<#@A?~v|NbB z@EH0YmOEAci@(x*U0!?-4YEim%-}IW^lO!b}SkBe&O~e~X(^GlSmgA2tQW-T} zTe~~1%TT`>N6+?q;rUD<*Va#dd;VVC>yIcX)^0P)y|s0b7y2z7kWK&JUe3nz@p)9D}@!`Ww`Qwg8NhCOYKJ*HL8PHkOv96nlkxpuOb}UMZ~y{iB$MJE+xKWxK-@^?yYSA(7o+7dE{JWdp@4{(EE=vW?%gKwc9Zs z)WQU2Uew5d!bPdQiK^nfwLDhotpi&smKlq@#3+!4QP6_r9-Ypo+5Tq{aI*V_CNbi; zr^dsSk{T-f?bQ8xCVH#iXY^M&f%oQqIwtsbdhk|`)+&aF)rUo-AL0WJJ^4}B6gEKR znr4QasZ~3z%qigCCMA@Rqr|Azzr0LHF_iV7VW*-^CtB~#$$+iv#^V`JtT8v z=@+tC;MLE1Mnlk>?|ahPXwgTjnx@U#jcO{6*u_@yVOP~OYtF(#4roxI7?^KuYVHVr zM6X(W0Uqc@{^c<_T)H&=&nMe%}B@j6WBspf|M1 z=6`|e8l;oK{saObzV!X$8o)*PXEm+-{+8YR>d?*b0itR@i!-4a84iY*y0N^GBOI+3 z7=C62p%E{sKvVQ~T(xrqUXJgMFLI^Za3DwT+;4;;SmP4NYfw9@tkL4^f4oJw9*xsd z16@aDkH_7*O?N zISvGoTU6#l7Mcy5Macv|IBW&-N}nPSVKWVSDPWd1*cFA=87>*E0LU?Od5k`dHacY3 z8S#1Ow@(2RrM|MnNFavmnWM|Z;?YHupxgpf!Ch=&%rtBoooMl;_;o}G$i9yASo~EJ 
zOPx_u3rTw!HiPh}1lL)8U5;CCJk3J=fJ*q27_0B!)1o$~yk3B%#nwzV__I8$XJz#9 zsC=(>0!k+fOMcbsNp$)Zac!ggi6M_sDg-O*hIwkt2J`z9cVD=nX<}YIVd<#KFzgVn z&wu?dc9`>|zjj@>_N=eo|6JBK05EgjX$-I2U=oFjpa0_w09?W_s7!_8btX;;rc)~Mf4@i)5tkS)I>8fA+S{?=Tf=~>|DuE z)~S$%@?lxd=NT`22-Z{}0=y@dt*MxS&Z_k{9WUO=fvWrDKYaOiY_iq@nOtVW;ZZfH zI*(%CH86+&poNCgQ`(E$_#q?x3i{d7XHGi1J954b~kW9_Ok}kK>2C_KLF=8~N z&s6iV=*hHB!VS#X2im6g6!n>_NUbphYl^TKn4Rqu`!%eFPer{YZB~q8;dM-|Q{CGQ zdqPB^H4`Hg60qpMX5`gD+JCPyV7;S-htD;M`d=+QIS^L^26cQ$4r;Dgwdzpo86 z{Z*JGA6U>>00M-0udPX|JNzIjmpT}&+kSre1jv{xEkihPEO{h=Wr7UV%zQleYIpi+ce=V#BqKR=w00xMOmh zyUj^jVo_@z95u|A(i7-yG&?h%ZQylrQyDl6TvH>X#K@yA2}$>Mo*s0F?1B>8BuP}+@KI(Cj0ajOb~ z_*O}Mtse9{ldv@UUKejoo5N7YP}ttzkR673@2V0W9*6in3C~JBE}(SlLlM<}Yd3ux z*!M|ege<_XqsJ`G-_#u3d&SrGrZHG$9g(tuQLGqpfE+&?-pw7yGlBhEuAsrr@!%WS7NS|I$>2aB`yMjgXFI{cspEyg%gVgRPevC* z$&jrX3F^9N%l>uTXj$w!Z*&pDajk)_4JyG(!9d|7Zc<5r1JOzxFGx(t1Pq+Y-VpjU zHgix7Jk8%&mo^zSC5z8Mzinv^ygg7=;;q2++kL5NN5ZB$AO({xwqOTwhKWapAYC!I zFb3D8l|-ocIMxSCCGx6nXvI3sy0KaK1=mzMzx);CO{%1m!r(BYsfD?ReA=QP8qwJ) z>6whSPD{Ds4|m6sYDb=KX~V2OzL+!31D?DO1-=s6#cHs*yoj_gCvZOuXv-iZtOVfS<9-gZ0k! 
zmA7wUE$*NPvpZ>AIe=g;KAn57KL`@?io!@E-b9I#(n+P~IkcA7a7qRaGDbB>*xGTc zkYzW2A$~ouwI=Ekp|7@ki6=h{?o@lf=q<+c&c#v;=O*cbn-4Cj7~=`*V`|AVN9u_U zRYzKy^hijO#=0qayZfCyTR}*&V}pW3`9viJB^&Q`3?=baah}sr4cxO%yM=8@>!>Br zC{5qxW(^rJaGc`M!tr|Tn{{~YAHzMNlT+Ru)-_87V<(pv)x4+-#{qfWH*XNF?I4UN zxeQrT<1`qwur6hBG#8ENa1Mp33r}fAqty}12!58Ka7T}HpMFW$@yVeKGhp^M%1c1( zp~XS00h+9XYIqPh=SQ;-CJ%qQqK*tMiNA3xpU`ZxMXW3Auz;}jBQf|q0UjkK4 zy#Nna)71G~zGHhQ=FZ}u1`46kQ&7g{b?`xX=>lG2OBMuifPuVDp}EN&7VhzsdgwlR zcYLE!8b^*`r^v$$LwRF~H7e$t9H&SB`1}8QarEXNfB)aV>xYvEC`~T=c8`}Swpr&R zUEv(oy_K(y=T}A>gjALfdWG@Seny2)7Y-V6sXr4S##!)1G>Wt%Xxzr9Khe6xxumUT zVXxDswh#Z0zyIrMhF9&sCPFk;->LpF;-xg;Ww<#WI@CBLbllz?!4x>0h7P6+i%@RY z-0MC~X9f0GUJ`(i2``QWlCXnZrnd}G^0ZxN5nJt9JTsyV)~OC}jUCCzpyE20P5W&w zLI9)Y*KnqY=f+Um*=zUXiXb&crc2{-p8jD@z>lDTTFzvY#DMt6$`c^DV&szb5!MAi za;$!|^o=L|4J#$@og~qmc;g*xKW}~HuP}Ociw9bO@gdJVF=xm~s$3RN0X3!B_~J6RxtT+O7^LdxGq0Zi@hh%cjx0v3MHIN)oQVrc{UCTV)Iy&KUVhDR*iv{*75CDV4zJlylJ zCbX^ET}HQ|F~$Vqy(*=~lo>ih7*~wC!c4eY+n%>JgPYW}8?&*hXpv&QDP#PubUxH@ zjBY7YquY0^@ne0Q)~-*Vg@0%7+m_?Hjx66D;eV*;iI|`w2vQ&=Punx&2%4mAMoTh= zRLe1sxD+lepbA|;iKd?VH~Muxt-oZ}TA8_TXP;A5AV5hDci3(as5)m~a_7#=%9VrA za`GS({%+im(7EVb>1E!elsh^5>yrz{us5j5o(kLwpVzY1%-T^iml_HMzD zrf!Rnr{3ZP^1T8oGQiQoQYZ44^{$Q?EHX;C9F)aKc)xn96%=4uYt+v(E4U=@(Jdxh zpIBIrIs{#IY({cx%Cq0##X{Eb+|@A((aG6CWLfSWIMpD=uD2GdIchHN1dB_%1wb|L zmmt5YFLa5yv%PtH-K4jQP?64mQLYPkxN1tvWOMI=`@@?TP8H`&b#!@nv$>n$j*f!> znDsTQ_d}wf!=QSHBU!x5BNbGlMbaSkz;`8fn)E_FZGa{p^N3^XD>{krk&38Ffkzx$ z`1VHGZi7nMD{GL1yCC+UB<3)kK=3|y$5x~$2jDK6)8_8N_~H%p0gA{<29V5cI_^Fv zlqD=$Sjmt=N*H!!4wIQR;Ixs2Qb#NYMzlg+9AA>a^x4O=v(@rF+VEoOy@1wSWOO$Z zrJF)_xb9Idfxec}oWmuU5(Kzn3H-#6j@Ia10(Ej3*;PuaVvmkGFXzjp%j;?(+n0kW zZ5^eXbbQlN@q!W88MUiLMKO%LfQHDl6%6SbC@q_&>!m?vZn!I^zhH9`uYeQD4S_L_ z_5-Tu)xUv3BAR3vYNM+)KrFDD1@`BzBI94<%D=_9={wS4jl)-m-UjfLjRA|&uI{O> zu)lld2g;L>C<>(FG6;Y_uy*F~4Ua6}iWyhTY%J!G+nl=x&O*r+ju{UX-E)MV!<@!8;a*r;hnGvJ|lOQgD6EM;@D5=V;dQ zKMPXt+Y#lv%Ia`CpSSZf99uaG)wBId&OoRqQ-(;2aNP;d8l%+VE2ri=EGknDpWDq* 
zx+R@+z$1{AH2?O=>M_EnjXiq1P!e~PL1v3CUj&=Fnf=AeCVm;6#Z59e0k5}^8%xd| zePmtzH~@b~Q@C3M{Td}^#w835dWEfm%WA%><{WeeJU@9(y+-#6tgjHnJ5^-%wj>9BUFiEf^?B_8YLag*HiioS$aj9=@)7T_bJ2VI#a9p&>#uwm^JBvg;0<@@R@=nJv z?qM}w+^p8uq}z6pX3)qBqEjHJ>Wyp-_l71}R7?2NCmNn~wk`|TPcY@!@QG_A-MG<_ zs91kRJ898bF}hZ5xMCx+(1R}@SZqxCE|n%Hk_4g%K(oq{VCacIz#>HrN!B~&1O(cb zu{9d9FuM!aCic2Qr>SDXO}j^7KoL9|)psxc`VO3!KjJt(p8e_Nf!R-2IHjNEmlWDB z6$R309u6^C;-N1gxI$VX`9~%-l++M07l@47J}*E^Dr#O?wH@s3!IaXv{b{v?N&0y9 z&5M^`c?uCUZnrd5z@y1_#wh$@EdZ_AV%@@4*MPt5yy3fpm$N^{6W*>PIX(4oVyWR) zzh@kbVN>Jl9opT4c``V~k1g>(@Ttrswk5D@H7n=K3?CF&T{*<#IX_G6=Rb>Ic5gGm*3s~QyRs>ZQu_5KGc_MIf4CzeHNrOq3p z(uilqYej}Sdt~xYAIJ(mKq&%TDfC+Em;IUN?JtQ!g!&`n0eltEc3ni3$3NE^H<5h1~FcI*b_+2?10K4tgC!<#Z{ljT>$J6pjpZQ*%dE~1Sgia0kN`b@vOjFn43Kv zZ_*vjFL#~Y_z)jJ4-E)TG-E)zJd&5zkAijt zYhbK;4`#^A;N@PoX%u32Tjf~75)>0jZL1rF4D||YHZ3w^E7`?!#`cLN?>ZO-&lz1f z^gLr!6UJ^;C`QDvIUJoBkzg=QMH*P--8U7o+dj}KJHz+x_mgaYIi89E5`2DN! zZ;MC?K(XrNrW8C>eEm&%Q}4mkeO@NWimw-#Af!-9Kov2f!1W|&nIqeAf==vibA%no znoMK=i)OEhrE0X8sw^KeRS>t+_Hlz<7P&R1Jfu*jCpN6P!7@@h(!M#q(De(I;Mr}4 zzRD`+z1teQc!RVrtox3Z$yS`RBQ^M^cc%BQkt5V`j zNdPd-nMete=I&ji=Lj^Sx1ou;>2n5SQfA1)LMm!^lks%UHa~&6gRucTJA+9e|8D1( z7`x(ZQ~-k!@Q1;`we6;CQ*_ErrX(N}clS-x+*53!Khe5(wXO4a)wY_Jnc^7Pyxmqe zy-2vcf?KFq!5aOTQ~!aMx@)GgqO9aSfYx6UiNPN}?|8t?bwD{RSvu93(;Q9y>CMY; zQ!VbzTBK7cD$X(-5H}EBPj%8<1bzAIR<_}6ssMk1lx>RQA}2+%{0Oy`PX`F2d^*SZ z&9?{5IeHXnt^W?*Cp7XV|LY0UT>Pj%?X!4%uH{V)dQqJ3$*%^j!`G>k>CK15u?iX8 zT-PFyqgsUMDyA~VtB#`j%MnR{5atbEJYS1EX?5nz7RNQyOlPIj4~S6$m4ncZCNFboDm!$XJy<`~CUSSQ;r46BA6tmP1qDQsBh|@F*NPe?D>F87uTr zQyB{aX#>?az|9CSm2W7=*xAUj6Tn!UbvHJ@jF}s6i^Xy_u|#=HFoK3-?%qy@thBVV ziR5dog3|}#9Zm)Esu8U5>@&Vp5z`eM$>Py1KA?44=f_$XaxxGLWM?SQ?b~YdN2EB7E$P;b$!x=J;pfFq~O2M5V$T-Z9|7A2gFX6 z;#{MyS4p1#1zY71qfafbI|fLpK>7*V_JleCf~4@5u;4$d^RTZLW)r^Hn_S_GSU4yu z1w;qYJY#y+ox|Bt5E2VsY1Z(f9M}n!pi9MN$k?f@=BPBX4JH-++3W)GU7C;P(k4=# z`;pSZZ!I7!WjNV``3f#2ijxf!?)hlD-#3M;vAf3adP+`%wPEz!3iFx*-N2= z#1f+Iu&F9&1tvpwv&BnFV4V}Aj$I_fZ=?z<^8gS-TLCofO_YY`=Z3L8g1PKTNZuPu 
zan0St@|oNiRUmW+M0$J7lFg0PKgenrY_NBdtfyr0m7L^>76{|sVUwgAU$VONC1L^- zBq*`QE&9e^VJ){1Z;JBe@wI0+&?b-a$P#Y$5bVa&Vq1`;A7Q5Xh3t+Uq-WmCMhB<} zW;`nb7|%Ar%V~j32=$Qao4gZyS(dzTD%JCCV1)eWLchmUV#&i?w)V9r`i;l?i7CrwQy5o>sFj9KH2F3Kf9(tMw1Ifv~8s~ZRWcCdUTVj%m z<%CYE`PCWoslQ*BGTY>H<-7viK0;@;XHhnnq^Y?Xif}sl<`rk9EQn5z_PRI<0cuWr zOncVELbXQX%v7Oc0=CDWt0Mo7h4<&&gz6=K-j2_J(``ZzQIZ-LiG#t%LIYU)2n;C( zJ-lEm4VkGrd}*UoVo~dnDDIzt^bZkFH}@=6ww(zWKv?DPzI^065g z!>@mJ3=jgb-`0~CZJ$q`%-+Jg++#CbiktqSsyvb~{rXq)^oSQOh`;{TY5E;e=_V8i z)4Ci5FG(!swDnq0l<4^|mVv-lsI(K_wOSA+BheGO=+^fH*3I`ogjsVXs3JYU9*9P6 z3@YY^oxZldfZjBk^bm@|>qMugFHr&U25p3vx9Bk|n$)m7Ap{KnL}=cXb(tu=K`|z% zP*pt6DBT)`nHWk@gz0WlXY55k-eOoO>9%68O%i)KR=??h;>0Esfyxac+j4baMJx4F zaFe1FHz+n}q~#5tJU`HlwVB0#c|WPlWK@SM%(=2!u^>UizbeTGzO#~iryn6>rPOp5 zey38A@c#i8ri5R{r+US>9QSRh(ug9n4d~+$V@b33?xs-(LxxjqI-U6p&7*7@kDJ0T zxexZ_L2jpmvx~#b~sy%L?isEZ9ARsIM^chv>Pq&Z*|OE zUb!*~x2PiwQ&&7Rm~#RICHE{Ych?@(RV(Ma_yKi{bqoxn!}+9V>_-&6TJb5d<%RGy&gAg4vbk3WUKOdffJRjWUABCq z=aj3q-C2cQ$}25w(e1CdPE9oXS<#kAE$#zGgTfLQgMp_`PlYSYQS?S&fU zNCz2uOO=Fnp z#Gl3Hf}KQ%Xz)QYow^o@=b;M#+(J~RCAVYx)iiicelTJRt5J@(Pwb&aUk|oV?-;AI zXX{7(=th`9B&;qkR$3)RYZQDP1Ncx5yO)mQ2^x5CFD$eA5>$xrhQ=9%JQfe3kz$Eq zl9PYoF^}M@A@5pZ5u8Ifm8ES$^x$(QO#=>Iii*>;`2p}GR=e>lz=p6gK~ztpAru!T z#9#W~E`}FFX*fPpty_Uc-mbi@7D>Ko!(3WNqf(r4ED~m{yBgE;*={b-tY5!N-D~yp zCTIecAGuVWgcI9V_3TYjOVUx+4_oIeYfT{`O{9Zh(h`VGaeH-O*$ZkR>r*#zipur+ z2}k7XH{i8Ev61>h8eZsYL%VW0-gzLfnc6rRO9%WHFs6L+2mrCutI7rgCBw{M>l46n zrua=t$)(UDu`h*~LyY2*#a&%K8U}?-ki#FqG!nJG<)eC9hmtnvi2O2y{Y5QTBMZgG zv}I*$5q*q^DHh{qeXZVFNf@*7l#)aj3#RwP^en>)dBMdYDy-dHJp|F_?Tv>;spuQu zJl$RL>2bdqa4nbYTXYnI$rQo5Y)+u=$n5J32-JH}+DKX|bzJlx4{d+bIR+gBd=41% zlEdTw?$)8@LkXm0+6voJn7`GAsy7%|_@2tory3*Vww$lghQ*$eR;6wH-$+;ae&VL^DH1Km&& z)0Zma;XeFq_HKQ14Nlo&JTtCb0+-UTTrI&BF+V{N=`)~3;enm%GnW^E`=)4uc%XnO zz#Rjkzyls|5!qc01ToH0PAmdkQ}RL>0J|cu!TVt&jcEP~!6!?Q!_}lW6aaF=LQBw7 zNJKT5j@fdr7ZM>ZMp{ne$O(JJA)OI{^HnWWZ-u_7W_1tJ`Bp3ilB6vpPbS!o!shd< zzUsRjOU$k~@?BYb5d8$lr3^}6lna-j+k|2|M1#H6{YzdOp!sO=GX#t(ib}a@)}p6T 
z-~QihQ1a){uKam${r?MOcUMkIj)&hX@~fVmz@cTB1LA1i?I6eQ9#&0Z83t=rrRtv5 zECA7=zuivdM#kUorF%;dX%wMRg8PUfat7#>97rIG0i&5YBqhyC0uzQECO*}$eX z=edC`3;LBMALYd*U;%5tK#|3l5~-J=5#bK2H4k@<*y-k5c=tP_Sn=XrL;@<=FkG1p z(QwfI0*3Koe7Emm=dF=CxSTJ}P*B717rlY78oG^9kT6HAa>B1^j@`&El~t=Lyx89` z!{q;C(>{9BL|t5#fRno~YIGX`8H0<%igQ$Vl*zKzj3E}v#|?_3Z)e{xmhVv)2KWj^Q5K44EpzjX z!ZMMd(}hF7P&!HJ>v|*9z*P^QD7v`zeacLk@A7zd1ZIl%6mj*Q>6pnnd8`=fzMU+M zT~x`>ii0<$#UJFP*%{nPhcGI}?+W06IDMqEuy z-_npb^pW3Jmc{X+lU`a*@QAOBXYAXr-X*RvB{MIsMY4vT8SvBAH)@(oCb1(>tt0Y@ zF(GmNuWZrCo`R@#I72`C%h@rAQf+ncHBS;Fs(HP{8Nhdt4Kt=|Pt=mgYi%^?BiRdzBVE^VZ5jhsB^@UY;CK(q7rMm0Ysq{ zo;G0_Jk&AiA$sZr_r#I0MjH)BaZ&ac6^ZIL(cjdnDieXQ+_21=ICZ~OXH1~#?&XZS z{){s`eOB!X)jck%wossb{v1Uz{5b&p_<8^H{F(j0Zu0kq zixpXYZcR_GbFw-Rr%7`T8B$89?Mi zACmQq-S2)r-np@h91ryQW&jn{*5`1Z zaE}-BVJDUWK0!pR)rvphZCb5XvN(6XN(*Z8O43K^|9jy{i*BIvs|THmZWB=}p6G>V zj1y*v1v~XXs7Ho@#ECNtFtD)7t&gnvW-)U)9{%GrDGD|!K)XW8S4;#1wOs|n>pL*b!q&F8iVc%DY1%V zee*GA@&C`^sJEQOKgBU0G3q|`86GXl=cPDuaqb5T124tmGy6kEldYSg{DSU?CS~Z? 
zLt?Z}y1ov3mX4irL6)aNJuUhiSPMfu$)cTr_Ocf{{l>*?9}F@_tk>k-k?7WWht)4g ziTE5{)|Iv`G9snG?|Qobak8PjAspT6U2VCpA)rR5_j%i`?G!Bx4sFN(ZQ+!j|D+)i z;4*~((a&Iszzl9Q_CG#E)V0fOvNg$I&Gtv+u=sVx-$}EjjZavX(sLwDk~;?=VUFPf z{NZA`zUegDvXI(-k4JLE_Odw+;>6Z8Lu_2lIE`HceR|oRAgAG#vtV*0g?_)qm6%Mp z-UqXhzVkvC0ogXfeGelqQpeL1;4oltqV2IVwzQUM+SqhPT($eQ2V=>^2hvF8ZU9&=szKV+isRJleczd1lnwqF<<2)HSsl{~Sxa~L<+pb}ScLNZN zES-XwMxIO{wYPy(?3>jf1Fa|fV_E zhYz-_yIWj&tOYY1jx&r$Vw;1upimH5WHC+kVAx9arHsEkIzw#c!!f@j8vA< z+4@xV2ifkCWd)fAzr)a#l$w+B7zmncWzW9?ywF%>50(fb_PR`r60?r9;iMK!v?|nJ z2>*$@fQFDlBV6(mfR z!V0U7O|0wSJml;=#aT1{q${VPV61B*96pPDZx;>X=QNlY;6DwS7!(ZOgsIyq&~d0J zU7L!3i8wbD>S4hHV_1<~x9v#n+I7R`v5#_mHTehJ$#j8MVdL}{uZXQF%>!xdrx=fq zO5h&kWK@V!U7pqVxn~qXN4UNUmmB}g1l!f_2!P+jF@wMD~vGC~I3jUx{- zG`$g&3p~;}wyHEL_M-#wW`d>M98XJTpjj+*l5|HBnKc^Me74k2*uEy@kpG!#{1$`}iv+|N%q3O8lNXP{U-O_)vkoLuK?=IH*o7qRuxe>^ zy<^lXKkq&}+As{RnKB?&EKIB@kKQRm-1dOfO1|Pn01Il|KB8Q2NLY^w3g$Oxk zi}$`3eqar6zxov3v_MnKKd=i5ibAfTdAil(c3tmIB=+F#o9|NT2~R>dWL~nvrgErq znOhRFiUXjL^%L~Y4o;gpNPF)qw&i$iecf-Sv7ubvzff&E!zr=qPLsQ@hv#{2%LX#o z=t20s<+R$c(PKJIUW4FbZ&8a>) zK|D7#`g3i=T_#sv#qmH`585K_eE;56<=n%%^zFaGIr+3J^?Gk0RGSh3J)3Q-oAQL@ zfvloh3Gr+`QxSnQcY<9w5$P&;*mD6!p~G(0?CpKQb^y0aa?nvgJm?*i8P@san64}% zoDk@f_0<)^G<<>HCSMx=l4ZAEA(Ptg>l}vGz3Q5eUXQLUF}-5QG4Z}++SBmX6w*?@ ztGCP`XiSe4143FW+!eVY78fGL#@ylUTutAhu}(J8HuhD!gJ_XmZ6)$8k1uIt*GgZq z&Io4Az+CT`Vr9yyV&S$NM!NmwwSiA3wGouH5)O+2KbTh8HWahP!NJhxsDZ%2v25nz z0+uCY+2=cW_x)%?an3Nbbm!%*!+_f^oHN6D=jl$}m9 zqp{5>FW|xT)$Y`Uiyi=Hn0JP6-jJ=`Hg=3!4Qgf6j?k1K|4^B#)ZZ5}<-+b0P z2#rt@c3ck11};rWJ%TU-pf%u@D?KhQR_M|q1@AE*{zdrCC=@PZOuKA2V%y;ICnS!PHczO6C z_t4sy;jto8B3w=84qkkt{7c)`$?$uqr$zx8`gI|(b41I7P9|xB?p0fwm$b!+YEmRC z3~aclMNRkptm&OKe3KDDSd!D~ajYK^8%*M5piV&_ zy`s{F0a5E zbptaAi#{l^*(p6lhiCBi;Lf&~J7{(V-&0>z;`4FK8}nD02X5L9lv09J$8zNy6;1PY zYu1_`Dm9XAf6)pf=>*AisypF#usFb%C|m}OVMehYWJ{HDN+>2zZMeTooDl@h&IW6V&=oVHv zusiPIKS30BQ@*F8lw0%e6e^5$@XTmMIk@+${m zJjz`-9`Nh^k1P4ar^;npfGmc1{lI~FK(cQwJdA*BKf{405yi~NG|l9%=egN!yGyFE 
zXWRp;$bcQr8khDid1PT5I$?d9NVz9UJiNIaSd4_ok7~zjGFpZERzHA=C35{Rvcxt2 z0Ir>#|GTV2cdJJe&0DU=*!HVsmyYfJU9y6`{V#X?c76rAYDT^U{_lpH>yPM+M)o`r z7Y5#psp8YsA-WrsFc{nNhdH8K%%-qFg*`jH$R!Ujf+n7zD=-PRK?EcH~ zqm%&Ncws#2RzZE7oaJPsh|+G(UC2sXj)XCjQsaMZ@NfO9T`y>Gd$<&}p%^$E5H=l0 zwOB6pI&adw(;HtAR;Y>}bz3>u+xmbQr~ya?ffhDQ{l4Y91IGKfO&N&m9k!>^uw~t& ze3Cov#(3bsQ@!`MDFYR~iL^=(_^+0*V-6s1we^`>c z3J%dLa4;StmO_J=&FOMwv=sW)oJn#tG6Hdz5WToINzdLGV4cTZ%~8>o*q@!%osHLI z%*R;xDIPoUSP>E^%CJLZh5h#pHYUC1B#qi=EP`bEIj-%aJ%yD)tcmB9^##mrDSyYl zB?1SMeG?!7udGG3h9OayQRW_UpbNA$V2c7$ax++MU*KQPNNKoG9eVo9l;xQ4y+^V1 zc@otPV{NiHSgr;-FLJ#_^_@D&c=(}WCo9I&H2A9ZQ|I*~Tjh#CdGpjTcgATWY<+II zukDuqcK}6vvNeCb_u49$?1w>-?!kPCUZCTlg`!_hb7j(RHcd^%UN~GuNdyf`DUgvPMU*HLcUasTkTDp z#j$dL!I-1{I(ow15Mz<$`ca}#0>vW}r^dWdSTMC%c>Wl63l7~vCO(qs@clRes1SBR zBR?Sy1cEGpzp8CDWJ(!qyl9fP$9S{=kP7eh;!na_7KFD)K&W6&d40- z?1GH2goi-DBu1<=)_Gdd%#+q|g3VSy{ns6>9THdS%EnO~j!nm5qecbb#xyEw zs_X~Ab?t}Abbj5!R9%Bcsz6!U1Yk8R8AM)TS|YK|RQ~ZL&Zc8p2Sy6RW0?zSHFW&T zN5R=|yRq?siL5Q*cBC61&Q%g8(Yo~kIY}U-R|@x)N2LlNvT+iEs-Qf*0HVMuSc_Xn z5!sl2>T z#%Mfy+h4T6YNgXHUd-bHr8(zRYI!-aQKpJWh1wBnTTO*IoIkLJI0lSx~^>tl=yn z7|ZtH1kwZ^F&wMpzeOj7)(Wh=I!@T1SrYjd^w9VK#m|Zpl;csJgS5`U_0LvqZCY-Q z1aW1s=^q{d^%rmsUmVO0jVaiG1T{E;zGBRHojiM*P zlW3O;QP{DKrVO^Pv+vukYO+Df!bJ%PJlJ!1VQ7?jPG&CedBfd=3*kU_I=js(mlWOP z?qz*05YAX=BybR}d3ioR{=P7gH9BcKqL<#h(vwKy$@NG4yN7yFp*XhQQ+S*RQuUmOG#bWYW#<8-}H%&B* z8`WW>2U0M_a(``sDfwp5h=qAZk2K6tLFnXHk`VrO-P#<5d{bC(&_Q5Yc%yb%xlw}U zN4rE21}iv)#zYD(*>jyLn9?|^W3)tEnT}uAc>M=Ur1lTk2?x-rm>ZkNfK2NzqE^ZL!C(1_HQj81=|T4t(D3I}4Jr=z*{i)D+hWDdFgYI=>dy z)MC84SsEgM?tz3Qgr>~aUJiGA6&fsGQaG%Z-l>dyog|d?&wn_CW}3A1f#M&gOH^pH zT3#X;2D}9$T4i=p@u5(scbL?WKn;49Z}ZhF6t~>P(*NIXQg+D={Mv8NFIFde2e1S` zBu1kbpm|rYa>E`gV(VombXbaxf~nnCYLi|>KuEg-<1SJ?G?_h9#}$lIjNqlsk`%Xy zm*QKeW)doZ+QrV`)`&i1`Ndu#)kzIO?|FA&sE0PbvDFQdiGVgte>4v#gD4g}s=0W% z-q#wH_3fqK+*zQ!7&Yfr8?+hGB|XI4D-{RSW=~Bk_7%V|$8b=cNZZV}e_tatMpM+1 z|DJ(XQ9A1^ASccKM=iYkCOnN0n`7#o)Cb44wtui{DZFB%y+r(nxLEC8<=CyYxgLHO 
z?}=zm5$SSWP?u)RT8XO63c~h4WHtu^qbJ6F%D`PI&0T$<`z~-x{N%$PE~ix z)PMrvqstc^R}$%^wh(F|cErQxX%Arlu92xtABaUS>G&;&U9d0&qq`{r=qzbN+ZHwX zLyq_S0-0BXL+#ywWXc+x!n+~bigqVw6dy)HI5;VhAD*0Igv^sGXs<1W(!mFmJ{Mf* zBN3@ty}2E*_vcI70bFZxwtdYEv2e1s^7IiX=2*%6n-`HT)K795_0zDddXy6MUJvUP zI>o|JRT8=zu>u&v>K6_Cj@idLtS-*Zn65u0ZAxwpy4wkE4%_IYV>>_o1a?Zdwmp2w z-r!}JARGa_0mknPDL)6>@3bZiaopN^W{<1l_1tQmUhg&XrR<4*w?l88dzG(~`QGOH z08utWKH&U)?3J*k_WrN`_|KbJqrq{vE!QwRryGdT6c|(A&1_l7S zWy1v;SV0NGRIUA+q?-yds1_`%0#B4p^@5fWbFs`aN?hn_}rWg&?0Jdbz67jP>(4FqeCSSn-^o#i= z7HvYXVflf#0u=&7n+H#{!dow8>bfC*4;yC5?|XEXauGsxTzNnlhG0&JpEikfX{A(b zw+RfCHuoR;fORH#ud2x7fqj!Sf`v8xw*%QDg?y?i!Nu{Y>A3*>1t4-%4j`FEteZGm z%u-+?_Gk{YhH!d-hOmi^%&*=04Bxxbim7i>PRV9uxQ%`q^u#gTJ`)0uUU!4eZm73~ zs?qq6FqvF6UcIL1M$BUm1>MBE*cbAe<@m4r`h1O5U_1 zW~7!V=dg+4H{=@U)sjths%}>Kl-})@R=!f_0c~U-`V^D~AE^ss?S!s9g`yUFEStTb zE$G_qbX@Z4jk{;R$TL!|T78XM>Mmeu3bwd3hW^A!$;&B|fIwy}bqmyoiE7yzEm&+NTgnLphuam7YQ~D)S}B<+GV_ zmZET{+o5u*{8F;K87vFfDv62BC&smvYu@sY6*D$eqd7yF7MccZ@gd7JapmSGo;Vo0 zB$@_SK9b!QZ=m8Mieg4=!fV~ll(fd*chcVnP!NcBpo5&qu{}H5gxBPTi$N+r%^G79 zqGCtPi5Ve-LY6ze%xJ${R-7A{bja_DqR!(<{#@JT%Q^ZtZXFndy_jB-J8HNYT6j*n z+tZ{dyyuH zu0@SFC$s_h_jNW2 z7|^g7fXAhV>-y#uBk+h<*}`_x2DD8L-lCs+_?8C?O5WW@9Xi86O_5Qlj#p9@z>xtm zAB#9@%2QS&2KhklHY?`Li%G8csOjjR+tLgF{U9)y1J5Z$*hLF$-c|(7Xsaf8l5jn3 zVrYH4WUS!04J71Bd!4GQ`3mBR))>t4P;h&vd@`^yI1o{pD1^t@JeJ&CN(Np@`b*pS!K^h@Saecsl8s39OfExdc9B8Uk84QGZtv%55`x zFkD{Lrs{Mgcrb`ME-b*?pb6W-e5G=zL*N=OzrQ_SE!St~JkI5i4Ts^;UPRl(1VqzM zAHu%mfNUg-^HN|Gya=%KKr~XRWcJ!XwIt6lb&syzU?rFt+KJWez7uU~@ty#Hs%|i@ z5sTI$d35`JY3ci2jOu-a1KSYc{xCk<8W6UGqF51OO2g%>%pI8cP^Kkkv5jD=y^CWU z@By?}%SNAWPt`8A&AGy!HfQ^91pk!jfo+9P35lJ=PZl%%1riH7d}5fHP(;F84ZtTu z`Isg90M+n>6(VNv@s8HH7VYNn6s2v>Uk}kt%g~EhnD#3!Tj>rUVhp%g%4)Lj^I8cp zLNJL!rK|ZK_Ry>OH9V*|1W9!%R7sa|R94C8&;a2WmEN!L`khx#ZqrouAWP>yLU$d9 z&(j0UY@oUbTZ5RFayK5|&y^P5-PUIC!;P9Cmzvi(t2o=2dKx5cR@6Z@WK z&bj<>4PJ!h>Fs+}^Y@gz4UoK^!_6;8m`Fb$ewsE+G?qB*5TD*hEZS7?v(M8{xSM>!lZ8>huX$Fv}?t#kUkhXB%nLl<}dr~rts}(EB806nPFyVc<9Yzqb 
zQD_k_Rbur3L;;^x1HJt(GabT;En18b!0e3pw#5Sdn>$@-KUuO$E!Yu6QZv9Jw;aI3 z+qq*^0la&sl(Moq_W5jAGny?zUm}w|N#*OHdKQ!v8{{$4<#);eJ=@$=f!BC&rdVhn zI7__L_WAMxY!Px}9b`=u1(b>Jb+^zlNrd)Vh3e2NvKwi{rOpRgC}QG}^6ZQ3U|etT zlhC~vLs8(naFjGP2GilAcPE!B5$Zgr{r&!od5UrS2>o!^^N!4$<%yy+ZgQwJ+eNix0lSZ4LS6w#i1qXraHP4 zLBETu_0{b8=ZUmo7klG@Ok0l>0A*rRAORKbN7(o$f)XJ*>yzl>Z5-9=k{KJ>HC`=# z<`AL$I(CAWmz@=_Zk+16Pu6E;Nx=ruW*y2wg7+DdiGA>SRNH`Hvu^}0)w~yslOker zfd;Sw^0SuhmM+ZU%y@fdFHZPH6=yG3yBGq=7kkzRX_R0X>5?5Ka7!t&^(kXbZJ?#E zKx}V?Sr>s37v+jJG>$+>N?Kv5*2#E@p=s_}19T$czHR6|4Ih4WNRQR~egEr|cSx8b zwYY)``jeP}R1WC%i`a43{xGz3ogpMNkzBKksb*yI=q6zy9O@1H4zChvZlUi-ksiJImblArNcjHf8M zGMGDw_^}ida#|U_Rbby2Mam-xwEnT9Var&M>gTefQ$GK*&Cw^N5?5zn`gF=?Su=4^ z-zZGR5}B6?7GQx6cfpJ5tw(=+^YX>lpD9WQ?dt%!S;sgCf2#*+uNS9vPhtS5CUf zsF>p_c)9UVAvnsrCFWX;2^SC8B;ao0u9S=CEYbW~4e6eJk)yBG_pVUVC;ALS&*X>( z&4mxM-&huF;xy?>y02}`*XQQZ~Z4|_|jtY!aWp2whcjYO6x{%+5gtBW7;m53NvcAzEljK6y3OHGpGONFUe z6(r^?*0*Z})Gw{|ERsvWcT5a05N!RHiV=v8xS}ELJu8a_7B@`E(^W_klZqdv1ch$ZPLk5R1jfF>3{WFQ3K}KHEtQp!F9>r8 ze6C`cBftkhsES6Kd$&vGl#HcI0%ajzWk&aoKJ4iS|1)kMGSmnPP*!jRy1_h7WYwR{ zpYSVqxi4=x$f=s`loi;A@nyB)Mfq-$EBC!d}x0m}MT0{RhHJI6H{ z^{eUCTZtd^R1|SCB9dFN_VklV3alKVP9ep+wE*!=TW>nbbo)j%nI;YX&bTKho@|>Y zmV%E^ZrfEqJxfWR=PAkaJOMDCZ%#vO+t0Z*eG$z0alUeuf#VGF6gEOYJiBKo9#$VV zO;9T*Sej@whl@bZ(8Y9mYV|j;$1-o7eDf6BXeb~8*Y!Y+Rd!#4A-@Gqf4+0ZhA;KV zgkrUB2nC-n2c<@nK5vRWKi{J3v)90(x1jTc7pKkwniVg*7uR$lUYo#=np^FO*zCGH zmy*q8cCrf6nCfW>1U#V~)9KQX73D(oUlH>vFNM0Jv#Zs95pe+k^%CN(7NIOx>Mn?t zrzpPF07c8)Xw)|q{$MF55fKSb_&m$Z=6ppKWy=mD`>irYwo|uswpAb49bf3}NtkAL zzXgLaM9GMKr7t= z;3H^Z-G3D5s#uY@I5T*{vz3q?4Z++_4M?ne12xsveln@f^_SI<#ttgq*yXpPH z1Qw#@4^A2IT@qN&Q~Kcf<`CK&#A87LPgYf3r9`-tX$$^VZB-2`ookSJod5FlojPYD zBV+9eoc#7!8=gx->UD94i4FK3rQ{ z6?1YQy|UXBUgP80yT881|Ga%|T^WG7Y5l*%SW%aQ>s3bGt3rc}uj24DNzxq$WbogX zN46aHSAb*&dKee@*$R--VPk`~OyY|{v#=U9dBE@xdwTXjaUDvnQmk4uYZoj!08_R| z9!3xb-?WVhbmT+`_|suPr?>?S{@~Ndn9|tMaolG+GuyrlT>N5!i1!ARr^xmyK*F=_ z6;K|e+U`;-N`j~~2()aB!#1$J;jOd&jHc$1oE8VX)qw>b%8QfB`Cf}z!*q!c!401Q 
zfL+hqt9y!^AG)hth~UBiXcio_Vgs^Lhm|^kfnGv&SjWSg*(0tRMpr&MEP6{Llo-!JQ@&FpZ|RIHtyHDkWvl|6+Jl>q&`M(0a9kuCG_UZI*#E(t)h zRP;317wmtDGDq-L-E1fPZ=GSm{4E}pCY1mjBh4s?_&fHdKWl0}@O!_;1MTbd-9#eG+ots}eeyVG^QYpdlnxP#Bk7f7V`u-3GxA%3qt0Zs|VY+lr+Fr#4 z;`gWm!3i=*2Jh*xtV@)eUmM}~~%UfTfM5G6d$|69|a33QSN!=E)i>ZA@Y_{V- zH{~^lw~u+(5v^HF;w}Ss(lhI=sxXh4eY%jh9=|EhFF)_7oI0)(@gsL2aZ_+*MO#o6 z^gch2)^$10> zma{tDI${j60p~V-r5QOGnSU%033?EwUX1U=#{iFb;GyOl_wQ(BTq;sh@ynDd_;P|r zq7A|T)pg=!ao^7udzNLX%X`PVdEu%mzw6)u@tfs4S8)Wkq*e1bMfW!CaX9nHC>xpa z7Go5GEy`^Pg{F9hBwQN9U1;fEejHL$a&4hb15&nxH|99$!Bl%{UFn89%-?r1`3+xw z*`D+_z<(0vT6%M%ErJio(zk-zjY}-n;pz&?04K)~ap{>bl-M$OK09D9Cmx>h*Xhr# zI?u58x-uWP{;z*^_ymv^kLK77sz7F;k##F? zWMpJ~oH$XS8@?6*(UC(M|J<;DDIqoW$KG zR(<`|+u^dpO1gQWEK+_SD~-ni_sU> zsncui>&vgd0!F56(aBmM`ifwxV;@L!5Hkb6{_5<>(cdziG%SAMEKM)zI8g)dFo$0! zue=3N>IA^gbG^X(rMYH;XIx>u(ax6^;PW0iR^{uj-c3G+VHB&oI)|sFh)UANLQO@# z{%VPbuoEfoYY4m!nH1pXf@5}==09G2z#u`XF0vmt?9pT=3TSBt{$vGSh`B+vLW`D3 z(+{`9SUpwvu<~7Su9sF2{sm=&*+5jmT>w6$;G`T!Z)|y@Yc}?aEYM~kzMB4Tb72dz@W3Z zKH(JaKAXV`N^R}0s0g+MBHFWwGx6k+5v(9BPN|@@%G;L9oZaT(qd6&SP`Tsp*O0meVBpBo35K z;%d)>@O+zvr>)o~GZiXf1(^342+gz=W;IlFTg9XX9iZ$&Te|n+7g{hDFgCbOVI~oy z91(V(dvA{cat8q57c@Ju?bYyyrwcT_A_ik4o__}Vgg*fslrloiq&D<1o02~+5IK=A z#&aVEEF+}d!QIySsENpqHtW>Z80K2B(xb(bbKs9w$3G+6f?uA<2C+f-oHH)yiN3{D zng#ToBO<@?*MQ;Q(U&jp)W#SYn(tR~IM##v#oD7*$GA-t39dljM}&p`EAaV?8#vn* z(;&wKqU5c^x_8)XCb_2kZd;tp_b2s)953DThAl4RHbrR)|qtJ&p6c*v1N`J~G=qrRcwS3njUPH*G*{dI8; zi~OPnEez&=G_z_BSM`5wbil;3&GF80$t)-V9ws}F$DHt!aR#SDkc!U?@hcOBZIu~| z`pY2y<2r;4<9fxp+eK5FnVd0!Z(u(yCu)ql#*$Rth{DKMPxBs3!Z)&P@_rA1eJC^UocC%bw-*TU@kP^In#md1&}x8gVSSH*J4QKvZ=c`DX3kqkHOqvTDU{)#ouW5kJO&(hh?q z^OfN0ty{#G;#W`!l>w&fYd#HIUgUNu4i0|DymIeNg~f)KX=O7HCBI{7!g>}5zs>WD zZF%@A*h_pH;V8&>%G-5nS%;z$;x9%d5BxS$=k!!Ran# zNdGbvQvlvLw^wJ8!Tvp5+O*_Nu%cE+)FQ~kC?h+T|m{hd|NFWQGG3LC5_Cz8myu@MYoQpr*5Loe`3PF_JSEH7hJ?5L(F zJ(smpUV|QkAW@b6dT?f9phCW_d{A}y{(Zl8=XR7IHPN77)%RL%OfCUrq$+6QqTlO3YpA(ZuD#4 zFH;VE{}O~lxSayMqN1dy7HVVc#xaCE$n9(UI2)lhDz>Hw$HhEo$g9E`_AB_9%uXV_ 
z_JcpcX-H;-m87#(B5Mv`{Q9dw$AUk+Ps>pZ`FjI?OlWGPh#_r(1Z$3v{GEjgrnHKc zp;<`kSWBEec>r|6BR%u4pOpI7Pk$IW%~`nyisdjE*DLJC@FkkVGEgRnZvNOOZE-yq zK4F@$cj0EJjwr_y8;Md*YK8h|tTyZ^%{`QIPk@v$A)(aqBHg$Jo0|&Z?xkig-oabsa*Ch<=2BH9pU42EJv&1py4v_o-|H7N z{g1j&oS&M{D_mRA866L%gUb7eQ+O-!m;V(y{4KBPqcS5qX|Qf|f-W#}hd^#IFmqCqcWn8?@8?x`2j#M?H1g4;`D*U=vkdFy9d8N(;L|O)Fl8t4N;gd|1~VjZK;H zU6rb~lMIvIbL#KvWsC#Au4qF~M;s|3u;NsiAz-exF%2BXJHh5tO}RDrYyJ-}OQe{M znirO&GEBJ%(zEfTL7>*C^M)4XhFh!N;4-)k@*7tT+*NOuu^+G2tlUMJ5I0f`#&jXH zh|(F!WUDOLRI>UdlC3m_@GO|LwJsQ@l9@n4^^lzwYs?+B1(q?Fe0sbFDMqq);Q8O0 z6RD@FgcYUtH2dzfzd*<{2C)_oeeu9#WV(un3bR+bIdNwGscJGY>$I-8lbAu`8<9E7 zd*md*9Fx0$0tU0=6WgAr<5Li^1DA$+$T;wTZlflAGHrkP?lF~GodNt|gG;@GjkaE@ zYhwj>yv6e7WVKcX$>}a>PhY(TJJ2ar-x(D#OHc6bjFN$%n|?c|neJSL4PNUfG@dvq zVki1oFWueZmUz!?{EgY?uSwI5cy28G=Z)|~PX4b)|IXei1IKJLg4^1cXSU#J@rK-A zgBsWbBaIw9I{k2oVaX>zMv)K;R-W!S{c`8*^mFP`@qlRdL%5VVhYgmB1fr$mF6iz) zzx$VCA9j-fX~LXEs$^m`*t)!BXilHEn98APJn)$)&e{-RYR*Jt+~4eKOLcXQ_rdHB zdd!$9qXpUq%iEQ=(vg5vnovU20W;O4IT1#>eY5<9(<5%*-So|9aV2y-l{FNxb`8G< zbH;u$V65{5K%UPcJz09DDtMHyxp;x$8oXVk{We|6DFuogH4AqlCNB$4;f;Rr#}L8T zk>3Wh$?r~faukQooREpYE5}c!h$ciU%3r22y|a@5>n`bAavp?y+YG_^nOgSc@+8ns zGXX$ehR>(_l7CF{(*5s|YQzrVbK}f!TB+vU&^6K>J00YLMmCAu-}0PHlO^ z0d`=pd?jxBJ;$~gA!iG*8VWS9@B(elyRmL}GUoG0zAWm5T_W6QGgO-$OV65aHxpX*E6S5L&g~R= z>|^U^hfvB~F@k5E64cx;W}VVMHH6Q!z)p^fu`ord!@%7^X^2 z5?&^}_dz0|#bBS|gyHfx=J_VXU~>J+P|uPCfyQ>%ypjRGaJnVjzP{&~t-j1xvP6jN zB6@vAS!2a6k~Y$vuta{M7+rz;lH6^TYADsCpY+tpvob9`Qn?!U0KZ@tNslclob-v@ zi;vJkZg-Xb>=!NSUZlaPXgp%`QuRgl-5DN8)GznjnmIe%M;2 zcAEKJ?)g`sGT&6=H--}2mJ0s;fpUcbR8O?C)rZpDq8mjgGuw=_lxQ?@@A_mLD0sk5 zS_k-f#QWuesUspmePpqmM}%Ht`SYB5I5=1suk*<#-0&CrZG_GsAjRZ<=p}aMMwW)Knz}aoJyK}h>^3CV9^7F1Bi}) z%cb%uoHHE!8m!aCvp49yD6;%Sq-Z@enDL|rZ^FpG{w|rDndjHQI#w9N3&49}n3c;^U zU<-G4%BnYA5QQFeyBbs%l363eC2tc<0iXD0&ZUa|jXH{6)f(D{d-s;W70yY+@4yX> zu%^mmi}aZBw;kja1%2s7Ma(+u5Xwqy*P(-C^H?2kK-H7;2CWwI3RmWg)-Ys@=}o3N zq(`;l_X)Co5E22U@MM(Ms|@LV=$Vqs{;g50ke*>|G$YSu7if+UHlV~ASyKDto_@&= 
zS>-86dLL2s?r4%%nB*h)o2A0Jrv!=aa!0rJs1#dDN2wF2RZtzZBM9Ksjfc~-=x1LNPjN}Olney*kS&v|=a9%TgvFN(n*@MtC zoXy*Sc$Cs_`m9v30-1^c8Pj0kJ0sT?L*kFLVlB5Ib_Qy{;Y#FR&Kt%lz1WVy^+y(1 z4=)Uf;P?CbtJ*ly{W5B| z^xI@aIi<#0$cbcip(*Eg^p_tqWBVJ;Z`KW8G^n9ya^${mcw!6BNQwvwweiO z5P_oYCB8Lb_Ze#Rrd^3VV@z1_FuC0&qcpyA|zTal3#>}$g1=}5^&wTIq)XV@~K%&2J=CEv8xJrrN0?bup z-m4EYccKW{aQOGYGWH>q?v}I#JbRc10`H!uP3yri0}+_#9Y%*5ug=21%1al=P@vm) z2D6o$x>kdyLmh+H%l*`*POo%1w?w(v?l$|2KgQN(L5clr0R+G5`5l_3MD@4?V>t8} zx{{(fMYr29aJ!p@h-3~W(P=95qsY}lw#4(~5)F9|i?#1Qmh}6(%h<8>ug~^Lsl;Y* zehG$w!8%=@KSdfWerB`i`^BwYAt~^+BA-UATSSo??oK%KgUOjbn-)X{He1=EMjn?< zk1&VJYpuLHe?mnT0D{N2>&Hy9jl8$Ie8Uu^*MVnXJkI}VrP~{#$X1=Fsl%*EIl9U` zyxq7=E#rUKNa#(k)3z&SNn5$pecb|!M?j^KAC-ty>CZ@&AUd#9_VT%k+u`)3QlI^^Igy8B`hb) z7nQoOkp)6cVdh||Vu2fOuNgzMsVex9lwUpYwcmJh{nd*7$2=F~dV08s4zf{mm~JBM zbz$6i5$D)W`~0b*1LpUfquBf;cqV4^foNmld?cFZmH}0@UE6g0vpf_2=F_8by5(#P zj&h%*Cyi};URps74$RmQdWM-Qc4w&XnI4e_Df5TzfVJ=m3y5#0 zpYhl6N7aR_Eh=IIPLiL8iR%}=29JSOZn@@_v10G@!b$GnajeBfc$X< z8NnamgtF_n)X+GX@e=cBZ62UakEQ2_7eGPm0uVo-P%DX&{qvi@J{LWR>9K*6fIur# z79n&_d@NHI!%b`o*ah>BA$sWK01DUVUnj5EcXkwpz3`-aM)dIQ^HzXv+tItBjNWf8 zE;VFe!-g;&;l!iE4;YO%o`$fUB`1v51xw5DdZEf}=nd++KW0-Vb-~A&Y)S;2Exive zX8&&B+*ejR4}e5dlZg?M< zkKFT>zq`)$wi^BF`0f(rVdFR>fR6a^XouvWXQdxXuYY@$Odc%VR9T|oNRGc7P8)jt zBNbtLjTUE828#6=B>G{^`sA76dg_r437y{o%qTXjIeTKC6g&dK$=X=ni5tQ(M>Gi= zc)B>@6O@eem266R2!)+{p(-C_DUYQ)xOO;<2PEfwj=#SelekvqlrT*ebfhYqGH`1Vd_uG3A3*Y^SR{) z`alV)+F>_%T99n+LVHnSaD%j8beO!71stibo{q3kXUMp|D}PHf2@SFA@)a%N`tF7! 
z+Fg#LcbY{@^#{ypavJ$l!cj_Qx)S^WqETn@psn5wlo*=;?cz8bp%r*5^@q5n<}o}7 zui#Ca(+qlZzX@@_yh?&1TDG5> z-FVXI>lysa^UB9D+Dhv>?m-m4ZsIu;OhluYUcY*kPfLbv^n1zc-HGgBKsXS(`*3Y~ z>~2eX2K-yRqxfV!W$nV{e_0Ezd@$(x9aO4W$$q7Y-DE&(nzHrsJq!%hzt>18O-;Xy z6KL}mbK9eQ?D$_(@Kayyl0=#mi$66gDM9H}(VWDq>2vUR^X#nWpY?Y13li<%DT2CTj> z+yJycXEDaz5`FPCHCaU>AZ^ZbEZy0rw^= zMCOYsQ`09ohGfqz1fYk5=5Mn{U&2liq+s5+wYLG(`_ID+aT6s80mA0X<>lZDV;oRw_#iLrrAX#|4Wkes9;i7Svso7p;4GQ~dsdr3`mz!$+xwuFgv`Eb0_3D<5w;Nom{Jr^XlUps( zr^A^pYs5GMx%*ORghTH!bJeLxZRVoh?D+k9i8hPetQ0d>VAjKFM-9L|&-EoCF78fP zf~Ayc95z3x|J1g4-EAgJP4{AF)dC*n!;!6@baTgr7+8TwGL_7WQTw#en8R%Ocn!XQ z0^}A%Gqg4|f+dDiWP2W}5@iYR&?CN&PT0Jy;7VwfV(z-K=}`(wSs{0?W?Ug(kYWfL zdurWYFV%xd!^u;GmK5gk7Dtc1d->xxN2RIKLUNSH?<@@SUOy<7J|6wR{IDXRlMipj zKEo8abs$`EO8YgswbV;XR2H6u@D9leB88L&Fn48w$&ExEmeg8z&-kXsWY3w64^0nQ zMYE^%o~6Q56f5_X59|m!(SUegc^E*i|Ic z_|ZG?{dZ}K23gMBRKn>!4*%&)C-f4P5~u^cgW+EpEtWS0oFJ1en_()5p!E6cTw>~jGqtl$2FOiHNs zhZpryOqjkjMcGKR<0YFx;Y@j+o!KV=tBN6q8z~_|XSePFiM9(TgWsc5*&j}_6Rgm2 zynSd$7O*x*&D#%?a~uR70N+ohG#(;s7*y!L&ywellQgd*v7cu$8QL@(?E8QJD|)@m zZQgOlM|VzQ^W<`hiy__*Rhu&9C1=d9K<9;{2;VdggaF|_t201$@^r^0bGn1=(XC5z zNtcy0F($K0_N6-7?)Ag_?v^*Y-yrQ_o^><~(Q$>=0^Lgw5Ja?ZQNeB(D-eLmS>?TV zsva!T(OST5z8`4e;Cx3rAX^`C8vnCYKFUF_Y0QzMHaG$iIJ&+E81i#jwCVaJC-);~ zBYiLO5s~n0S7Ci3_3B{5E>F?P$C#`zG;|3o6N1?!YwWIf0vw0;cPn5lY~a}k&;4Std}CpfqHyVhKg(ZIoUX>#kAUY(6C#n4KBsCRlr#cH7&cP1EP~c(n6Nr^ha_D zJRw3}SMnqHq=uvKj!^*7^Q+Jz9+Cr&s`+A6klLOpkrK>q(d0l%6YsStMbk^DT`R{d z^V9v`v{AS+)86opak7dF)t)2qq)c|k=sHjo{K<+j-oK6rhxw<}-^lrP57;>9$N01e zY)0)C*o;4HC~)+eN@)cLo;J;I3olthHdG~6D=|yk*gEl=J`+8U>VAYt+X&z$htJRx zC#yS*`c@S~4>SF--j~jbgN60JZB-GHc80TuytwT?Ae;6>U&ER2b4;;BWp@Zay@FZ_ zWUSJWM*%?zEFUeVVnC{Za6jJy$qdgR$n=!%3V7!X9q+&Rl&({7V1FQyY5>B_hBcGW z9<#{dC>cA`X+HYwvF59p_QzoA>pbXIva*lA|QHF zFU;T}A83fvKZn87$$(X1$B%zr)9(18(O456jQ~;L?}14st`CDikyu_{Ec(lNYcqPW z(|qva7tPQ`Bb2>|g$$!A8txHh)m>U!#|2EJMPB(Bcjn)Qw-Va76!a`Rd3kq%n3iZ* zK14&$PVQFdeJU3VXLC8UF{o>OkO_sDy}r`Zk|T8^33&AC&G&D#j5T&2w`zTY;s)(Y!u>3iUiW}Obu6B 
zV4gV@n4*rV64C;^a{GSN6dpQ5Ng{d7vL^n@rV{Wo(}r?$J)U`vklKSdU=Qu#qz|Y& z&h%2lR6-=}ad&r*Y$xj-zYZXruxz}>&R~Hzy+%2_ zeR?al6J3?RU|1kZv?a%2Nd>?87$5`UpsY(^PpqpsFKzY&I}tQba34qPM3g}z4lfHm z4r)WGH}-NxaPy-#KRo|t1W!sHmBr}jJwWzSPpQ?WWTu5_5&^*EgjAQ+0Xnc?mU(wP z0tN)pI`RMQyTScUhn9=2uge!=9tIkKOCPz&CE9hBH`N6k>@zd@J{VECjMXCe>Sz~6+mnYbS9jNN{NS47-*I@YD4mqR0IIOvk3pDm1w&z@e+(kw`6C__ zZ#Qaz=cxrWFTv6U1D19(dM6mL%;v*B1Ya~noX16QDrTk*7tVL$Krox+XtfAH$ zzI6!1u${u1GO(6!lT6sYM!VZ4Bb*&?&!h@doO{nNph>Wn0d0-PE7Nplz0kws?SlmD zI=<3iOkMyqL)LM0jv$hwbXSu59Q&LV9u)(0 zDv|d#x0Y%&o05L@^@B~da1iMHM&3)&UZWjYY?U9)3@%A`QL`XM!7AzaeWWgb^dN*k z_CSRlxxOOz6{b zf{ZMpY%XLkBRt2tIlghU75M$tt(sHPM2b4?z;ToVZzm(shso7IB5hH(=Fs3`wxbfS zfcqdzCQA^1TQSJxOYHBv6ygpCCW+WlJS}ytIMB-<<+kIp)YEpYxzIi3SZ^kPRC&8J zb|en8X%b0&Q8ybT68om-K?Qw-F4n**886)295X)by;JVre?Q^onYYZ1jhW!*z2i8( zm(OjE{ESPd=Tw++3C$<|nTpPyE36#>x#(#yX=D$XKuOhOG7B}dIjQv z7nvmZ+xAU%%UHH!#(M0uV^d&7mhEi1y}eC`do}^?^a`=h#*OjF?e+yu13K|BwsCUG zJkI4Maj1HkXL)%~6sG|yafazR3ji0`Ctf1I7w^!rRXKQm;Owi#wO<+iS@(}0Ve%0m zL`(pdu9H%v@aproTl1kPn=1{A_9_;e1?S{}0QPx(ca2Qn>jv!gaQJ;={5_9*Fj3X% zS;Z{;n$l9t;dQ>CSs!`ujl=S6YX|5K1h&(YL-Wq`53aNXRg*PJ&SYAtne zO1*A3`10)atDMj~*?|4}Jb#@x9fjka`*E*#b*r=GI@buY;F@=^mUkJm49Tus^(-Mi zMVlKhEck*fCKX1J61n~Z!w@1EZ@uP0ES)nt(M8FaA!af7S+$$go+_x6%*I|otQX_fS1(_elGb z=FxK3ViKS#Qgr!Ao%quw+HWis?ny`wPz@Z0+v)y%M}5F>@AucrIP}9P5?`j4EfGm&fQ16yksJwx@h>NE- zlnkgc)~&GBX^Q$;01D36V6f6BFP0egc8hcu^6~u%olyHU<>GkO48r&hZBAGydcujq znZ)c|pSWn-d@5qu39+|1Bk(I&14XG3+oLX$3xM%RBP%Cf# z+*uHVz)Su;YZR9S`kSrxMVcKiO?VTU5Iftfs+RJX=zOF8D~X}vP-t!^TnoGpa+Idv zk1j)$#yE~}Ag`@jhg&x&JDpSKtrfB8UuDy&qg*?lm?dgI;I;kOYDZK0iNYCRTR?}i z>fw$JSR}R255LH43){Y$^DW^PN5hlxjhnC&c)wk@Ary8H3BP@#So{PaErv@=`fMi0 z1vH%LcZ})+LH;w3mLM{MlvDx7r_n;uNT+gY>?j!z(`rBYHm+-IvDM;P$~GyY3_`OR zCUNX~t4;d^I2qKsqpk-Z3D;ekv8h)LCqOy4v&9O$ybw9jZ@}Pj8XEe(QG<-U=GGfU zWxSn3z$wV>a1t3LB(hl8Hr%#SH`$LlUOhSJ6Mpz@S>n#~8A`F_f*J>7mNBqw$vInk zE)|svi!^X%JTu;800n+XcfOhPd*Ay72=lAo`%$OglD+;RHPj*kc$iDzY#>d@rwq2Y 
zC=EA!o(=LIdz)XUa}Z9Cx_ABTJp^JS%~$;1@?hw3F>mlNKEs1u?@jS}i7*7i%D7*p ze!cad{cjh?x7Qe7{AdtY@YgqJ+(ttE19(IEpQS;{|2wt)5W7R<*+#)$E3ce0FGl=v%s8R}NRDr=h@aZqWv4Zl- z9->a4GLJIZG!h|Ri^!)IdzJCL$9qnhX1a(BGy*rAjH!4US;DLmsR?$R*nGBg&Gk8e zeT>=J5vSBMu5e@HqR=}%EYRM-$wuHE_{Fz(r{{~?K8#L##gO!-1gP_eL%0BN3*Lc) zHmV-TEpUDfJSl?Mnvn7M>s=b)2NSzeY<*WssWX9hs1S-w)IV*@5ol~6Rfnm}sdG*iyVfNj{R zb_WdW5Tc5;czZV?eW?mkN~#@QL@o9uNu+*}Ta3g=vQXC`7po+tP|*SpI*QElY&ay=LD?NZEJ^UZk80J>ZMqf zL~7o1P2(i=GfRwno`(jbm5zW~7CEAYO7`14G?64}tC`0(dK!5I<6}=b5N4C9P>h)C zVN*krUz~p0JZtDDKsw%^D&AE*QWHg=o~NA5DaevS%L^mF=}a-9Q4EnU2)-M-4|X|c z!*opG$&s0v)W2rqFSOTay7yczGD?4Ndm<5OW_34fFQ-O5YG(NF00`$)0AUp$!IW7O zk0&Bdzk!n`Otp+0VC4}k@$cQOt9|>4rGdoE>JuUeeI=x{6vQDtO>d58g@ZuFQXNRV zB9!;G453;s78jtL+5@oOmb}`O9s?h9*eTG=$A5`N;uTz2N(#-Mgz|=sC{DdHeZDA_ zy(d*0Eq`I%HnOeLta9vR>EO;lHf68%!fM#zBbtzG`Z#-xZyfG#pZ8!=O9YXa*r)t9 zLdYgB7A&B=A={uRZ{)|_#=7T3sR5&aB4K@_XOA*M0z(;y0dFFHZ#k^x2(Qh$r& zA6k`=r-j0*ru8o}ta8bP_Dm$R|H_rOi;9cFHJcw$^b%#>#-@kgk+p0U12E&KlSi@N+eW(VKw)Q6y=I@ zWAVQ1?pvST{tQR0Q`qg_HK(NFRHUAIXoEYr)lxUA?3p#LzzM~GRtSC1M2t1Npq`r5 zQuiR|$KMe&UIWMoOB$HtxJf&cbA_Cp9ppVuC$ld}La;U_b{%&Z(Vj?!X{{wSMBYQl zH440;uoDi0Tj$j^wclug*v`BOrr*Q=@Lhc^vOf;rheT{$ZX+?$|$}_Dt zF?`#xb!fm-T~&QFn+j>ir#R8-Ud2oD^_tktt2~qC)?KZl&hM;+VkY8WO$*Efqz|df zGG_WnL$v0nC6j>cK={C@lK5O5G}fd~y5_Y$m;A2yYrwcx3Ed?DS!{yB zMAfVlI!)t*vCkEo)+cTALpgsLt`+Dfag5d8t!a_h?>Rln5LorfFO3PLv~)In@^Qds zlDK7gb8++38DI9u%fB&Pv_@N&yj{`j-843zlgG2mEO!x&M`6bE6u_U=*zMqAx+C5^ z$zFJi#D{YG&`YgTPx%J`OQt8GZu#iy?vD-dc5N6G zQQ)>xR7<8@lZd)9EJ55j80(?p7iOG)yi=V}`b?T!Bx03LM zGmgSpf)~_e;&ldW-#QTwGLF=|==tE!qo$9F`@&}F`pETO-XuBsfRfE5`#=X?9|Q~= z#KXEC>fAa@bE{5ec(_;p-ZYak2~K__PCs1#3<8WH@AVIw0oJfT)K)=g)nEyfWaN?A zOt}B|`q>q^m`?6!Ld=fx17b^K{Ir{~S|wS%nvQXtOOm~C>%Wa-L99C+6D)M#0z!P_Id#lny#4ATw&fJ*C5dJ}qcI=m<8n_W}TvpY!g-)uIs_JB)>7IL515Yxlj30_b zo;MOM%i?D7C}h2+hw$)x?^k8Nh zEMb)8IpK!&QEvP5*RK%QtyV1PKmY!S5WA-wXlu`Wk1^`6UmX1zB;gjyJ$i$N1%8gu zj_C5kIx$dOB_Yuhvcx2_!w>60c+S6(Z~N%w9f{HSlGrw%qAMf9YR>`}Pz}mMqz60yZYdXt;pAF=!V_ 
zmQO8F<>PvdA~W+Zr+`I*l9SHsduFlgv!!p?(^rc85MvjY-DJlT!N0+uyaComZ6Ay& zj*StQB9M&B-%)irMIrD6u|k!i%*dDq8`#GlPKiEWp>@$tUl}xFXdTpTu<_hExodJP zapfu0!q?#6%eiG$9lt_F5M6{%Q3+@I{s<$(v1U9q9c%YcN5^`PB-_N~4)bb5^DCYs zhvxGF-)4#(KCs9w=hq9JhxYcYTVkyPVr{&t3+NB?s86WA%r34kyA#x)MZgg5)Wd;_Ham) zh-*0lzz#mKJJw_ufF?U-mSjp4^J}Rj)vIQX;jewO!v>OR03gt z7Ss&x8GMGt(~>dNb9sY)UiaQ%_96p_Ln=j(N6%X!(_fn~U@hT4nN!&|vHC7#Djz5f z$Irnja=~vAxmG>=Zo`~2n}4s_;5H&A{)Gx ze~9YS8C-aC^iVeBXBJO9=WUL)IlyziwxwOU$m;v@A!mFGmOR4oWoFB~T)EfD&9!tU zeD4zDoj<7)*;V^;U%Yy{k0+k)yC=0DMQ9kpWsBO6O zmp1^AYNhb{R{%GI2?0=&zTVXB2O^=ry!?hT5&awV4kAEY(1j{OBtClc{H3C!f3$1t zz16x{%Jrx2g~%I8Lqr>DF+l%vKFzI4CvuI5+ZIpGpL~mw!u8^33vWr{iTGoE3C?}x z5^KWXY5g6V7zl&QuJ5B)FW)>x8crDaCN6Vr1Kjp8F*plSiXq~_cN$uv{{Hsl2?VmC z_eKW=fq{dQV}K4ew~*%MM2E{J7a9vGm}Mm*DRVSFoL|nPg{WW7quTxY^Y#D3c^p*E z+beRLOR3@}2k135CtUc=EvVp{$(Ttmnc4CH@TaK>~C7Wex8rL;So4R=O3Guk!kc4sx^hlSt6XNG#K@y ziTn!zcds>;cmw;~28`*c&I`k9fhEQ|2D-5kL=Cl$&WQTlArq z^xfmX{qVRz>UX#$%OUPCv@>TGt}XAZ4x=uuVI7^|y3&g5S*TxgfUltA#gt6FpC^JBazsFKau zXCkbEU%)A)Gm}52?{~;Al%?-soiV77gPReldQYh>`WCf`8LWB!1NmCsQ>@1ztH1&d zpodpib|_mcr+rum&=G`uW}@>;jeJRoI;b52M-Dy0Ki0XTi0AMcyamu(Y2Fs0s9;HO z@K>}Oc7NnBn>=aAtPDK4Xwu3fXj4}u6Oa||8V3qRYsR(6ti-@cs!bv~D3pcmO4vwR zyQ-AU@H#JFm3JE04%I(V2fF#4soeqX+1~}XkAUgv;x~wY$pv1;# z)kPMQFYYd+F3-f;R1k!vA*kk9Tj&FJ7^^~C1oBN(!qU_(gWEpe+vcE!_AOS_{^#G} z`u!l#yFN2n;4;A1$T!*i@sF6;9twEZ((XXmx~|H!usL~my6W8(MTFDgOvCI_-6M^r zXM>kB3_M^nrY|tq53c_Y2oT@|-m%s~P1v9@DJM^j37KQIt<5K(m|PKur6XRc^x!i> ziJwUg<pwIpebMbs4;lv#~E`L&dV9O4;DYQ!|UL|6nWOQ5cQb{CtBS|_Y6NQe| zu4=!Nq&GzH_Yz239@$MK+}R#u>?+$mfSa;|@_r72Gy@)#yznkYl)Q5WydX}$ulUj2 znpG)3I`C}4q$YP(gT9rMYR2M>(gpBsrqi^VChWu>Jo+xpklv>WEx3PXUUb@TIJv2| zzw(%uTA@bN<7VH*dSjBojPl(UU&pPwT4-fS=I76B@^ zgWc_IZA?c;gUt!9x3R27y)&}q^e(FQxRL`zL!DidQGF`@FqF$>OitZ zCLiRDm?b5O5JUAk*IAF9B@|t3S@I99)6!c(z@9>z92fzCkVg$W1ncNKLB|nn>;x;f zC|#;l>4*Zx!mGeB5Q#CKzljx}ENgjuMM4<~82A7bvELqJLWxq9OzbaD?pDXwhSxwQ z?gUH;24lwTi#68oFy$MUI$cb!%)6NWNHKwIMGUB_=M$A+U~4NG(AU;JEBl_iZ7oSE 
zVFkP;;XVw)w9Ac#Vu<(26i2XQ&N4osr%gw{>qYSEcoGod#5vF^d{L#|l# zozqHuP*(LDI{Z@|;^MoLZ?bYLVKk{8>29(K6=he!Z?s&qhT+>`*?-2>4gLm1YCT@g z{0JopIzM8g2R}&=++8MzJk^rCzGoL5yBKUnFe3irUlj4i{fEJ0 zna>1oqn8TU;b9>`beZ7S(YutElwXc!{f5mxs|^`~2T6lV&&^sa8UIE^pxFM|SWRjU zeIK8*bmHA7yroAaMX<~I{0@E!b!2_{;bMK~At4)-fKCSIo3{Wdtm)S1ZC+h*t`r;R zqvRAIvydRg(?xE{hhzYXUXjKB@T+FlFs0N|RAFu-W{t8(-#w$;!1v~d7skB9!lF%+ zWc3ypKb3PnyQId!cYPC8)Nw*7&T0XopwWb2%ZcQiH~wt3UfW!U}1U%z?{ z{BN{YhMR1;r*2|-U#&j4jkxDpBTx4mvIh6D{U2pdM}tT|^{Id0wttfIoo9A>_Msv8 zWc{C%+YPIc)y~*7U9dr(FKBXKo+f#>d@Bm*(s(~GCW-9iAzwc(t{-BN;{>Q#N3d6I zv5#G^~Qui)MVN zF${lpioSkL*Zclje`r@4hIR&^yscJ#m=f{>_VIJ@rgq%OPZ$+dWW=)(G9nxFPkR59 z22c)9xO9M@IRHo+kc@GC3woKF+ZFgYXZ8$8qv`wJ;jN0iKnh9N!1GMC(Cp0v7G-VXK=p__#BSdetY!a z{shhR;j2z}5R!pi=midQK%IniW0G0JV(PfCAWASS&x@De{dxgj)BhIULro&RKfYd~ z$m87RmZHr$>#juE<7|J;=wery|8~zB3e}jq6$4y_7K0NRB)m>&M~XmV&#zHyBIloa zbxMPrF+{Spdz66{ZnWmFl&;y8F3~l^fjiy3!&@`qhJbtGV1dBqtXIxVKBSxFIM!0} z|8#Y;zN_K@!tW6pgW(hde?B&48hPG(Yc^hxzE4g5Hd~F4vyWcfDjiB&!#Ju`12Mo5 zBR1A);yknD1&(EE%yN{mcp{>55IVg-v@c+sn}- z61|8pOQrB7QuVdBK+oyBRHG2?Z1BuDA7TlZm%Cbj@V+y^WrnNh&ZiUAX!#wRt=Pu^ zJVc>e=yivekj4C1)8rIo8cC?qazTb)sbaZRO#GvpgYdtz;}v#56Ke=VDNk}bWdIEx z*QeXSW6KUU6+=U;#KL)6+aBr@!zKdt0{Ecrv`31y>!S_YKKU|i;x$++mM6~cT!}(U z>pwq9(u$3COYEWb+x?-!(g=gPIHj`JDc%Jaar~A8H92fJP&faNy|3Mk>qxSEmBK7A zV*_HVCAVjRZeReKqDRC?GKXZVvGcD;7RefsRRoJ=OY>`AV_$EdWY39+{Eoc$mPC2n z3okI+GRd1aZ)RjfIrwyW=rT4N8GD`tLr62J4(h9yOBq*2hIxQcL5mA+I2d7P?dEPt0pp zYdXRX0Soo8U9FfA5=6=xA8CculQ2)zgh2)Kz}7p$o>3Oo z>NuI~3m31rsnW7mNS%H^v=fbu$%oc0ZU8vSY%diG>;if#vFlM+bx01;gCSEn0I~hk zx!{<~dO|jL5;ASk8KrW-nI|oAe&QD&rSlu2jlO|Jlkw|midgdwera3)0SR51nF_m< zmLj;iGB+dURY_M6s?2CRYDcpi49fAXZ8#F#U<%X|cg?F`I~sefXaXi4bk^#$Lj|}K zVAVQU9^@-{i?G2h?`$v-f*>1qwsvb7(v~%;MQ24~@3UWX9a^mIS6dM=_Fg^#k}2AF z5y_;sMpMVA9mmsh2FEq|LpAs|$)|J`NK}q&Kuf=hl-H0+1)Z{GStv8Eh!65T4{`-V z6ve-R7AtSMtwDnVgbVLHXNQNd1=9R4^oEj!oVPv5ZG9)3Td(90&abNZh3)rbs~oP$ z&^#s(*%mHA{2-RsPF;-$L+0Q5~?VP6=N-PTOTiK%j#f}GyS#NQr 
z2LSp901}0O#MHy|fB*OY*>s28vE${uvzTR(^&phCGeSRV(0gYKtQ82-7t{vZ28N?L zedE;HZVR5pR*wByf})zXy*14i-%-_H%Bo8d+V%nNDK2|~f$d4#y*G z`|)xN)L-a;VW_Tm{@bduX#!=pUkPp>I^5IBX@^eG7_Pz~bD#S~>Q(kGbuw1VEwq0dA?qNDN%pNKy<# zXUtJv3M2w5V~j&XEE0nv;}#m6S}3aH%>3F)d^k!x?c(*Kv4x<91Hlolq)K;-?_g*%gVvlb=ZPeGg84`2d2{sUHwRA$7=cX!6}N z@!$4&|AL+W3H{|Kz|^Pi5OwrD`fZ>vlVk?~HYYAq^3hu(VUSB$&h2)Ns3030Xb>33 z2kXTD5N-rHkHok7vCQLAa9s$Jr@H@ye1zYw$dt4IO(m)#?MRi0$D#in<1@o$^Vtm#WhJozQsbK zhTDWa^-&4Sr@ubJO0Lj*FSQE4SJzE{{a(kf8ztVM5$77DwQdPOEe&~k)4#usJp+gK< zoQ|LrR2@|$zdPLI)yd2G9e!Sa5HL(+pusLPM~)jrdcB&YB5sB*rj`ZR`3y#j%>+ZO zGk>AsUXl=qwMfQG8Y9-S_sv4!o5dpDWg+VB&MBh30v}R!(xI4)SU*&Phozx8XUiqk zhsbWig4=9Z{9lj4XVV``CK9yCH}jRYF~fGDzZDl*Q<)m3+@L5C32#sheU`L!yPr#r zCRfmPgS1B331u6fxRPVJx~Mx7n@}0UG%aHoNx1h@J}O3G!w6!Nr4`dYR18-L39@LG zphW+$llQudyftzBR+;Fx!*-}DvV(V;$f-Ne7S~{-!R&F}_Z%kJGja#il!OWN)=oRY z7EkOn2W8D21c|paQ(~hjE4v_zNs71^7!C;4ZgjSDx(uiubqmfS=#0j*PWWq#-n$LwLEIJTy9C5f6g3vDRf2dE+FT@xCsI zyrc(gqB+V~z>x?SF00LEeE|v#O$RiRM9ttGg1R8H$ns>CnhT-gPP1b)i8#<1Y*FY3qq z1S{5lhA)652syIABbi?rLno&>Y{n3 zpdV>3^j9}P>!^AGz!brc5m*to-4}jvOwIptgR32pZNnanJ^iJdWB2|{|6jQEkqgx8 ze;^Z>T65qd>MJo2yFoC6)Tb0zfG))dMj8r#A0eFR9MnUYB^)q%`6c~r}Z!_q24YXjd;r620PSX#}hwhIKhG7}3hmsdw* zZHvvP6K$KUYyKLnYy3QW3-OB>n6ng_hM%ZWmBK9SO?9quPkv|0l?gc&h3WAIwi>$! 
z5BXm5htu~!{f`2kGQJOfrsB7~{`ooXii)lO(At;6$5kWsQF770j_n0SG~3 z7va=rjP@JMKy^F73@l{Hl4`-7xl4caXbn`U!DllG`ZMzuDqT34Q!Q(GODhW00Ca|S z#4VLe_`LUZRVX2Mbta4eYg0-Dl!$vI8P-emsoRO6?r)KA2{v3VxUM)90AO-+v(a@J z#n+WhF_KVz<2l|Q;9!MSCoL~$%$!Qb&9t}lnsx*-1mcFjJlHqkljL)<4Kc=Z3f={& zsv_xjU^p-4-R6P28B}C%34)eznNeGqf0jxf#OF^ko-;uAb(mUf9MJ^3Pkx`zZPc2^%+ZE~bS2@ghAYUvI5~bhhhM2_=O-mf*Caxt9lfCVtxt z8Ls8M)cL_Gw)gF_CyhV?wh```fxK|QvXya14UvbNMf2R7o9*KsstNoQ22No30~5;$ z#(h85SjK5VgBGH3>Aovxg{;ZF)}%2+FSnfQO=Wdd9#^@V=n{{WHq-W5Qbi#z>_l_I z-TrbQp_`_DyS%=U)KJ{?e^NcL(@h(FghD#0-eM1cBvguqyF>g2v0{l_A^9g1|IvVm zv$BT76BUgcNohf)XAc$&`A0;Q{xaMD1$qz2fX(cf-BB@_#RRZP+p|vt>byAc-Kn!m z937XUhG23KoYQex0MiE?Z7H@!oUUca#3TtAgEaa0XTdh{^lqK_#AZhu$QkM_WF1g% zRQbVW1Oz4|JDz2k0SzCug?UvBnqgx|mc^eWd`^bjc;Q%zD;NR1j*fwdOy$ zpB66l{GCHPpcpNN;}|lOS*bOt?S&-dsJ&sXX@$yc*;(E!8@VgR;?=Y$@>}do!2wS+g@~cP$dPvNG15z>bqwr)*M)>k} z^XJ)n_!K;0H%rEwB?3&5KHWbnKQ4@@x-3YJ=^4p~Nf#0AxAuqGYxJJRyRBzzl$=!B zFOM+wW6%@J#L^*|-x+S-B4&BW#Zts6#cQsv*vF8fAh%6*hOZw}X@ z3c{zq7lc;YT?*}itz9$6w1`?m%0D*V2HYxf6;H64L z5W0rpkfe8fp?N$2sC&2+iz+GrmEtKG^!B93t;w;URJ{XmTTDXx!Mg8{4)T z+qT`hI?q>I#TW5TWpDE$)tZ`(^^%js5cqKCF zR(A8vxa)zfT8;>o26}z`oMy7mbGO545yNA0M)LC}c13E7;`7hTi1v>b$!3sg<|YW+ z%z>FX9!XIQgRkT@35?l2vK9EJDg;HcXKvds^onhDs8cPa4ays!uk1Riy`f zHrT|8eZjGhGbp&ILf#eve`^V(x(uuAW2JqDL}oX;R~KuyVZruuN5In4NFa zWB4t@%B*ftIh@LRKHVR;0D)T-Q5fSI_psJm0I{s?3KF~VZRiaoGzQc73U|Lk+&$9j z_Gvp@mj|m}IcW zXPWKjR+wKH15M6{o+hh}ogwYJeCXDS)(e^XOr%8W=>!EL8X8C_FL4J^a?edf?P4&k zV`D5Rci_nDwEOe0n8~m^!gmz6K7HaC&LNXU5$wh}(XhBr4@_Zg_ijrLq%MujetBI!L8!TevvLHyDb(HFq zrNQ~d8HL4s`4isQrfmxzeeRXr(9*V?ERN)p(3ToU`@JIUOgN7HLH51hogTes>CQ}IJScKpqJ{+Tl3?r7jPEs0)l zhq3$Y0lEYZs8ZzUugsh$P~U5uk~m97x?*CD&V)oAUR7@7X7o#~e(&j)lsV?c)fj3N z#f!CtFbo!n#a{~YOKz@y9S~5MZl{E!Fj)_+FT==bS9+9YN91R&aOCk+HQeEpqo#O-n-61LM&&9V0FNo-!Op@tq%MmksS$j(oTP&ajqQ>bS zy;tNIzhhW-nU8)9{U};XHE22_F4Lwq1K;**L)Lf;W|)~34J{q*01JC8cP-HeOc32R zq69YfhYa!cEvuJ3)TJK0vCOV!#UTO(Zm-j6d?PXmsDfdfY`cux7qH@t}0D(ay6ge_0fK*15) 
zkrKuMZT{KiwRe0N!D5_R(OKG=D4nddT6|Xpy^;^3VR18BjV@qxCV2qL1i47wZk!t) zXUFat)HNDL^jG*do0kRkUIo;QflVaCaX0r3NUA&*e)zH$Ycv)k6lLVio+ur7ue0C+ zsR|Nu^a4lr!{X^aFne2=^#&xmBJ^4J-^ekQL3pDiq*=f7M~x4>_I8E1oGU~v768YsJdMUwL)EuLG%{v}z#Hem^tBUzkO3X?c-cLNX^% z62b`tHWFGWIC`r7v}Ql1l|UmB)xy&av-b)ipJ)`Q!{yDDC1Its`#>=hAogJ*$ajlf zSbFjwNGYW#yjz9FScNyL_9twPC_F&SG@XpQxb?NyTzJ6ZW!AO0qHHxjLk^494xnm9 zT*T8ay|}sY^^CBD6Sz0ezX>442N%GME_O{er6-H7GzS|eD*PDU->H3u)4;hfjUmUw zb7PkAK^&Wnt*h#@z11iNC9P}&DAc_*`mEq2v?-ErCk#$i${kuAZ|$+^SooS6#KFX9 zkS`LRnV+wn)bvupXclDW%13sRQnfRf@cJ)~US&OgqcT!8T>-gNX+Sj>LY-(Lp(G_s zmWQyDy7^?|m*GIGUO##z$%I<)DR=dZkN8;Fo;!*bO%Fa_6M0@}^;QpV5cnPt9|?!% zPHZ$WXk-KM93o)(;^ z#PBLA<3aW-Zz>pzm2H_lL+%J~fC$q{88bxt3GoK&D7oKN>w!2wIOM*d73YkTvNcR3NKD(?il`7vamFy85>ePEuoqe^PB#It!uHO^iE95^XqT_C#66Rk8d#Vw zsP>3Kg*uug=y9fC_YiaHvEuHgPy&Jj>9!k(iXYY9jaeNiN>riZLE@kV2aq#2JBepIQO-mns_ zxUqQDfxR{*)4`&a4+t^f8$4N_R7Kl(48Irun6a`y^_A`Yo^+{KLn$PIqcMdH-5_0V z*@?~9(cY0QhEw;!vz1rI3m0Q&bz^;=`FqaklI@%2edZB!RHX>MdKa!mkAC4D4rGH? zEn;r*_lD})g6xU<;m}SqXE-Ju8ql8yG};V=V-RSd)6NEc^WW<7nfR5II zl-PBDi`f^ncK9l`k7Z?iif~>HTkYg7mH0iEqoqyvSNhEzTO~z7EZlHX0u894rv1{$ zafGdIpX1-e^Kn8-Pudd7G4f)Csk=+ux2grK6X)%Aoih#DHY(fFU3F5DMbU5bGq z9w1rn2(RIgg*aK{jNoF}c2G5I#*%ES-Q6`Obo(4MZkR7V}t29qsL6*3GeYh7zLvZzTr&V2W8VGReBVqpi(Y| zz9E$uF{1I3SNeVQvyS1Sr7~Sn=wV%$Ci!Itgu2(mGgC}n23Ndww=7#Kf;8OHB8q4z zZh}d&DLH$f#tQLU!v-RApYei{o5TEl;U~-oYvLY#96uDo@c6KEFIBB}+md@xCvXbP zFBhfhpFVuHpdP#0RI`f~{b~6vZzwpI!22iD!YP9pE;itUme(Q<37?0+V=t`&%;nGS zW@xf&zKu9Jl5piNDTDKJ9ETby*b=*A5~cX^PH-%Y!d^N^ije4xqE<{!2Tl^}@iJ%Q z$(jo0e+p;{fvBq?D59+Blu@g2u9J^4m1_~YQaWA7HDa#UbWW21w4!HR0+0AA5V#hKEkkL);RP}q+D}(wdD=ddFFRAO z#XR#!IFPzH9;EG%Hd9u!X;^1}R@Y@%^@j>kJ%-3oT(JCnG?r;NC{Rl#E*br5c__G> zRi`lMEzv|x^B9~gNiNIW89b6ZWNs830j_|o76PwoSbD2)WB&cKKZ--tugu~;jlv-r zelo+u*`tOEMD;Ny_@Ns33{q=NVXpcLK&*zrwkgLKr1%x6yoobE_y(_C04yy%jaxx2S5}fFT_5*30A|NO~q)cV?>sU~3o73pOY8NtB zEXs6$7HRpCBT4zG07h>^!+_U+%Phi%%SZkS;LY(HJFUl!95jKk^7sh&++zKE^8;V6<=1Jdv}3myUGHt004N7o23Wz6%#G+u?XlJLSaqGEL& 
z>CJ|-WfZ9{w<$gwXA|#V*0QOqdVZYKyh&vlryN4(8Z~MYSii)HpAn}@qS^WNbcvzu zE5ar^o_K2##inLqebc8^_hr;;6N;06kN5wI>dup*pB7dDUA-STeyW{Z7Z7WXuW>?9 zVvfCL(ul|bxh=w@JvO$hz*lxpWCq!CRHGEgP>&(G={bA-dJiU2FHUO*?>;=KnX&46 z*Ha-VWIA;o4JfI8iTg%O$`)0X%p#IvT=4=-Fx zv^n0FrYtK-z3LYHEieL`_`M^BoO0Uy3wrg23e{{?c}X_j?(Kex9e&#{ zNnF`oJhzI4MHq+70PfN*%6mlFamfr((|jfdOc=kL%lHbhP`(=z>*CB`CR6tTUGKL} zj8(AS?}8TfOzMz$mLIe-+M1uQr3;g?o9EuoFdn9?-0NX9#nvF6w3#e2Cy&glUUu{- z&J<8!`lLO)sh;%o;cqS(oObo!R;Cu?T36wQHEhh6G?8f^2k~{Rx+DNx zj2jiByqF>W%APXj*s%~5y#by@se+zJ5$qsu<91+HmkySvM4$Zx@WvjXc`6za|+t8r#_w#faCN77?evVac)X%5I3!??9{_|FN--A z9t6y6A%mV30iWO1Ll?m*VDI_G z$E(?iLF*RCR&5HQ6VWOnV{P4~R5m0gC4>1_BKE3T^+gboQ?KyLQe>Iu(5%nm?}iC!L8$@>x{!4>v+gUK z_|h*&fw$n+-a9Dxo!lm}L~^*nWr4YXUhcVA6=Z&`9sgl3`WnOm3quCOe%ZrR5gW{< zJ0k?qm?&+H=7Nud)?dWrPEiaY;I$OqQq;cw6g1i~()Q1v2{^h38?+X5&RC3vG#<=o z0hVT6VTJg&YQ{7oRjKcFfUXevg~`&PVOVz&*mJiJm{jktC&DAHl=1~(L(eIC-1!3H zjvlgox;TdP=p1&*i zQ+&a$;PLHPwH~p;T^%zp5$p2ajKx?2+eOWf+w9QQQxjTe6ff)}Kn|c3flB;*vO^&S zRTfID43aWd=@ZokQN*deJzR|=k@_i!FGqnIRmPG!-9gnwO>M}m^T`tzORd8;)G+yH z!4xW0;~O2lHh~;+|3lc6bCabXdE;~rhk4DFa1b1R;o|-5g>tGRZd93`^x9?4(jqU9 z%QP_;_&g+@Rj40g{+avjS4B$y*h<)L5U}wZLpo2C^F%{rsq%f(WzeDhVS;3qo7};| z_1REVA*_Bm3PCfP5kBZ|pAHPBVF*4`4#2xT-q9E)xVk!sEKl-BP zOV?ASoamB8ndMWHNBc^EUa?%+can?){+8w1yU=(Je=w>kt!;wpXi*Xd>l4L_!b9{4 z6CLo7$ZQSJw$~B1ES$Mv8jPEgE!ALZ`Sb&q?7&euX7-yIjg6_@U9d?z)nghPjNff~ zBxzCH7Bz&`K6WT$;F@faA`1O}<9yl!yj4@*9#j{+AhPvvwKUbPlgf^Rk2R6kZAi6Z zA2U4jXs%bNKK9$*+v!(v)Cv*9zl15Kdg%PbBzFZP&`aR9xi=!lYg-#KmGIB1f<%h= zv_hWUAl$6~TrZF6Kz&@rthq0MGxF$|Eg9|oE9=y`r@pgn5PyDw2F<*t8P)sE2!sjc zAmAil8IDHa$10``$fRvOp{phz>i3(z-eLd&~_-jTVmUlU&8`B>0chDvG>nlL{kPp30 z$BPVQ+e0UK8iprd)#ofe#ihPvVRCeY1ofqbGI1yKAA<+X$DxSl5flYiPkC4%;0~z+hA|=x&TSVZUIk_nw#W+?y*6*E!o$nCr*stk!<#|*ST@u()|&QsaTiI@qFUefzI`pfFE>kn z9zGk3XFq6s3hM2mEpiB%7s(ECf&?T*C8^%@n|YsrXQtSH4A}fe<@2Wq^N3O=qhS$= zWD=Qg(veKWJT(1;Fs7_rf$g>YV&rd;FM0Zfy+-T`U{W09hExL9fLJ%I?3gg);OO4n 
zW+Fi^qhX4toPHCnNljLX`+4-c*i|Fpa|J^$(wN5pgI2iRmpP;mi5}s6H4eGXycCkn3UEgIW`T$j_7Xj_6E9s#f)GpNL^A z3--I1S;=F<91^r{;Pu0vg7JUugrT4B{ z3wBX&j|&x4_xeRiZvLzicxjs@qTHv zz)gM%6^!p=nq}*>L-?S&d9dYevB7y2x2Wj@mQ8ARIO7F4XoW7?$K^Mgl5_g*p1j}9 zEWKJ3G0uL;s8@`be|@PR60*u)G0{&O+%=ly$xTG*y+Vi*kBPl|!$#VL9%%WD?%<{eQTpX5BzYXs(feLs&# zkddR;@!A=&&P0ZWCc)`ZQyBc3G)RgI&3e+O=^`%ig(-eaafZ`>D(Oy7sOf?QG2c;| z&qPT`s};4mgCTsh85(i-_SbQe*#2BiLPAy_sVla8LpkyA>dm7rKHP)c@n-dm^3}?g zSWK-z0HRe5P{b9f%)C`Fd_kwF@`hZlvT=;pu{MFGQ!P_P91H+{dQ%es<$cK@oFm}9 zvY)JgIXXVOpZOk_+UA<)+WHZf6(Gn4!5>U^WmUV(G2&OzM{=Y><^NR0m}*hX$Yk+B zMN0UAECGhft0rh_T#-1Ec`Oy@fSx@0lv2VxFQikM>DAx{!3!&!~PTS(+yS)-eppoiqul|aD!f=Tzl{%LTK?IZ6 zBQ~{e@NaqXD4n|WqPpEf`^d8nn-_WCiFgG^k;;69Yz4Z(CFGaB?*HseeAapJ6aDR0 zw#CVmbLSQNFkva&uCP2GnQ+efa781Iv#fgFYypKqXq z4jeacetQq`T=5|I^<8|S)qj$RD3$14&X!NDDFAGb=PWqoT4yTM)y^8koT$_or?=2~ zR*%CeBf`goVa@vi)Lf4x%HhLEqZt3XZ%V{?6s`eWJ2N*k&n3^hG~evd$aE^+tF_i^USx1p!aVO z@Kw&7h^W8j6bX(Y8YS83uzzgU5pu=W`9(NM`{q4fL~=aS-r9|YZn)3)bM^p(!xkJ6`={xCj&W`2 zW~BI%W%8NutoPOYP!ZTLR+~wM%6H5`GRtO2bj&>aYOLn{>CNmpT{QK^O)X(xF43Y% zeTG^gK(H}_h*l45fGCVsujVyYX|w7F0ZxoU*2?j5)=Jhh*GGX}t3#X1umyhi=TojO z1P_TLH@*tfD+b%wAPb2Px=8O!s+b?)M^aWstgjO3Fn)$a`nDr*U2x+>9+2B)Ts}Xa zYjWo>d4SIgU$zP~vT(A^jT#9}^6cR7rj}ctJ_`B)J7@=;Q$md6=V+e1NXtxzZL8Zd z+K^ch4&iXmR0Qc<8cv-tGQS<>;~JT4j13E1TA0+vSs$k>?fuPH=P35(Mx9^c}YtwY;~a zTy5Ci*D?ZwgWs}@D=M&0E;Fa|^~m0ju){36uN>k89`LoK8eABx_!qMCSsgIobk&Z? 
zZkN7F1!vZ^1okPty%KLW&e^(o=w{*xE&jsTrNiXUVG?(ym_-#LavqquvT+ZrdkTGE ztouna64>Y{&~>kLUJ2$(#dDA{vQ9L@`h~-UfaZ!V()X*~Y#<=31#;%2w`NeuaL-9( zBwLM&c#^`B{M_TWuBsPpMNqAsoXGn5jhv^b;NAe3lAC-L0KbS_&(2H zNwANo=Y={)5n6drMUt^^3p@!;MNAprXoW*K89PKXdTb#t<9!YI+<}3L%B0~)PkmBl zPkOt&n|Y$U-EC*>PQm){xt42NfMy8|T#`F6YWD!e&yIGTsFZ8vTBNaYK$ag00mHoD zM_S-n@eO9(QwYbmwaISJ*Pm?Iox>nqKVNil&~iqqf1 zRZjC1pGm<2$9)p$eA9nFh*wlnrKo-LT||}2)<qK%TDmNJvCe+bt_icn1>#_7)XS|g{bpKReUGOaCLsTSXU8rHiptnC%q&NU z`!zvwI-k8{i>RlFxqXh?KDlGVmucGGj}HG;^XGi~b|L>Js6u=8J2V`W8{(};e7S(X?Ft6Zil<&T9*8fJEK+)vs(%9ZbW8Mbn&Dp!I$ zDp&I~JnT%s;baSR@JOdkfJfrev`A^Hi-wnMaXgEzij7NvQ4-mcM`cvV{!EWU+4_#f zP*gtEE#7!=(6>03GUwd9Ucy*gB~OMCDKn8E(x0P^n_iPhM)*47T=y_BY69+Za@V?aJ&QcJ zKY#dA2c5ija1_*h=0;3PA5MIZm9jb3OhVK;1pBQj(?CQn4=uIacH5EBbMJ?XcDhOK z#fi*=5u|MXSu)gZp9B8nOrUuT^Gp;0Hlf4BQ!2GdxyYTrn;mtoTk-?yc#t=E4yP1D z=W9o_VZ;nZK`sXBH$ve5K=mdmPlIY(1e$-z-xRN4Xkg{k$Ea=T8P3u1CD zM)I|WCMf<@@ZhppNICKtqe=jwfb5vrM|SH&rcr>6`}KvozH+qpz#e$bDVl8GvaxS% z_f>qIboO4>L(f;x!mq6@qNQTphDw>z&Jbx%q$~+Dzyt)yEZ1U(OC@+9fl&zy; z5Nu-9;1AQC5)AFI64##PvDwpf4-I4-_t^zJWBDa3TPUZi)ba-Lnyng;2Tkx|%}r^G zm{BkLbn!URD)_o?_viRQ0X>l%n50%g3}&RWyO)-C)eOT^fumN;BK7o%Gp#RRnJ7~U zk9PpbUtez$Dv9$0Z`lg1+L5#-3j4@DT@HDd`kJt(s0PQ(k%&eQ6z{8_RXJmI#(OOj z_s5`nfU9zjd~7JxRP4v$0dJOZg;JD(^jY}oO0FU6 z*Lq&}7xUXQ-4?B0kI0{wsa=wY7NP4hLc!9Yh)%~ZeY;_6dpTfh2lVH}-GZpI58k20 zlZLb9$OfihL;d-N%^r1z)7~|okzW!>)6q>Jj;4ZNhf&m6Bx?Q@a>DBrM$$}YzU#x@QeC6CQ-8XHMFYR}B;;Xg? 
z(C(D8K4QsA>h{nfmJSB=3+{rB&gi&QWK_rcOb+`@_d^!6FjV0L5X{$W<{sAKd{nXp z?3}m!u~^^{?Y}VLG^RtBEY5P{c3xw#Sq4!?GnBrkJyanRvt`6WiPd)Rg_|ZwRuk(T z+7KMBKyD?t`FEL(l`EnjD-_+E2_Axt5OazYA`P^LDBOfO6{wR?p%34t+L)ANCdu`a zYo9++Ym78FDTep&lC7n%#+@z<5L`I^$}GzJcEzASQ*~c)h7*ffWt}R`5+{$ReiWBF z%3h0aoqB1>dgSf%^)p7TezoKlQh0TNkM7inVW#!b{Y%2VkcA!uvMTt{gOEFZF~X?K z0goXmY#x<#HyzCR272@(RKPggdt7~rjaeq!q$Y!Zpy)i_k&*uP8V~(&AcRwJU6qsB zCBKt(s?>TmkKB9QndsYPU3Lx^N7#;uP!h5dR@dMztXr--Eb(`_m_hO1*VtBI@F9u; z&`H8#!Yhejotyap95%RWD)i%-gCn<59+Q2LPWg*McLUY{qYD~>`#jADpAO7mEi5-r zZ>PJ>2#l-k8!X#&&g8UZ2v2Vpw$oMNw~{VTVp!1aQ}J2v+P=jnk05H13Kn|l@Yhk! z3>)X!cfs+j=TH7Ydl*<+v36+W5E1T^b+8+Xf;3j|yVN;)&JRU|++v+saKZ5NQ<(^B zFUM8JwFgigAw;cvJ>2CrCw-AN1SQ{@W`Y;2A8?OZl!nGb1#}=SXX?VJnBLBknN?v4 z6J{QkwX+$do}=gIuZpxEtBBY9Z9&ESDd)4fYsEAie7%{w`Sfur@GpSOzdx7v8HP)%qa%nUwgnfN;G%m@87Lp`qYJfEPNbj-` zpR^qcjVUG&;=y9chOW``w-X+Z^p_jnCGq>xBU?Hsyfh_F=SU0Xab3(>s-mm(Y-QYWH_$sl*Mg!sB0_ zBW^p4JQj}3WEw90H-0p2Yc`93rUWVXeQd|xSY2W3Ees5(;lfaOp?TjfME#%A=IXlh zewt)y0#@$ZH2RBb$QtRGvHMdX1!n#-I5Q(Yafp+1#^E6;d1hPLA5B}^bk4VPUe9&a z(Awc_))_cIEkd8#+VWH|nq}m*nt)Gm^W3SYFfhdmzyT2$*F2p?XSiQ5bVn>g1Bj{` zeIND$q)DILuGz2d!Fx@k4=j0BNgkiXE!t9K_duN*y3uZS8Yp+^mn-MAtq%`7Y&Ak(y!gpamd zHUOB6NiA|$rBO(?s02TlVW~=HA&)nUJ<^lEmiS=Sh_``4o2wTd_6!O3NPM$bAdzwi z^z0C)_e_dQ?BVGW{1oY7pbKNakhzYoIb@AQ6%1jenl9jqm*9H$vpdB{9HHZqeD!G; z6AP78`*3Z-x{Ag_MVMwUoc6#WMsUr_yaQVrgwl4AB*z(=(ymUCoC7M|xZ}uMKFS3) z#KnHwsrOy-;p4X8J)N?SSu$Mk4Mgv9gBv`gMBFj!6IS7K;$jSX2yBBHh7$;6 z>$T3AT!(=-Y!Drq?YABVRdCrJWT;dl+ad5p2pW~jieOGxRZp&%P7z3>3Fc(2?OJA1Y(QWC5)J(JBt3s^t`ym&yso~ z9);W*`xG^={x68d1S&itNGjOXsk}))DF_BwI7_6|yYh5t5*ge|+@O;RQt-fLJ1)DH?GAP+}~7JOT>uor6q|I##pu z;_rT)k{G6tehW_`Y0`k%w@3m1z-(FReb3tor1_1+Y1~kJG^=Fg9MEM5?ze5{H<3My zXAJul^`Um?_cz^Rgle|%k2gpM#~}w8hgS00qQ0beX3*OJ8;ECR7~{Ue<{1 ztD{(kq+Fscf7>MQU!0kbsihd_eJ6RRD;@V%3efc#Jrpf&0n02?@}GLMa*PpW(t@sEIXcIOON)AMBKjMe+u`P0uVV@4z%{_BC&(IUs$<9*h$nn;76V2XAypX}J($ z$KmkT^-kZNlIb~$>tlgx!>|}SJAZ*`*ocPECdhP#ug9EX&TfgD^G(9b_ZbX1LG_ms 
z{ACi*AZ|>pvNOFvko~aOqgcn9ad)_ce`b063jCD_bdxSk)!PX9EJZYWZD78?YbsB+ z%Hhw7D2FpLr@;|V<*QX#lEx>MmB@9WM?={z_w^LZ4P@1nIlplB7O)bg^k@}NO`iy{ z;n!Zf*g204&1U0ZwKM3T?Y0<+Yr-uG2zSG=b{it^&TI1iJ-4I*E00c)lR>ZRC%W~g zRpwhl^$NJA9sEwK&j+bEX@@@u0CG3i98|etjyJ0+ z4J=IUZ6G=Azq?{=lEQ;+0WhxU!r#v~P^&M+;p8~q#TPq*m^Yvmml&EroVe#s2>D9$sxwM@Ulqco*nq~A-oFg5o^uACdSsQ(=f?r?<1Q3N?w7j&MxP< zGtwvuW3#aRxk=E&@6>&@3;W9dpWoqOzH&}qg4WECBKB@rL)d8kd1(lt}F81AQ zr9CU)Es;x(4oBD}j!)u~=nj=+atiWrTYM4aKE+R?W?n+G;o--GV7l%Z$83|QgUtHo zD~9`;HCp55Yr2h&14e)MVN6V;@Lx)?7}>?i>Z4qmW(F4pZ7yyVo3s8REh2Lv;t+0C z@x-cad^eNgy&=P;M4hq@v*5GY7z||g554P!MN*HEOKn@*CQ>I*Si^h(6N3e1t!=51 zT812Hn0#@UYytj_+yOicT7x;v!DtI;nHTf#Fm})FBxmDU@63*N)ug9RLTPkoTF2BS zby9p1np5yA;&>2W!qPc?IJ4#4y11$Mu!B!L4Jl*jB^f3@0!>C7JC#8Q7CS+uKHB80 z68hDJIY8)UTW7cg@iNTK9l!Sm!DHng;+foV%!mwm(4pi142T1NIhcKlZ3J8+JUy)B{v(gO$D% zQAvj(A;GU{61njxA+|RTJIA$0dB&ZBw0_t5qVA-!!}7&yHKY^geL{) z{fL>iKi)aan%e7m6951Jzkh=P6lK7`(E*SEXy7>sz&c3Ew+svb&<37j0}&6KPbN-= z?v{4u&j0&^nbE`6rdZw9evJe9gWuq{(5$<7vS=5nn_(9ML<0kMJ5jHsi>xdvL}H5y z`uioHawlX0Kc_xrThH2DK_H7O|6XxgwiyvO|eeuo_3nb^uqL>qyB!7CN!y6a%A`UwiDgfTEyszY1+vzBvs(ol zAw#+@F}>cO@B*PWr3(i2wwjHu27PC=Tc9ELchP20Z3=uNB?*$sA{BF11V(q%{MJ$f-ubYs4tX|T+!iZU57vk*)TTAde1HfS8G$H6bJRGlfoVb2H$FGo{1bP|T30 ze8fcbF+;Ku5U+9Hf!}0O8F3k*#`P=OTi@-)fa$S*?f(3MGkww|4?`-X1E#AM;wC4h zxDNQBtr~B*!D>hBJYBXJfAedxxfPq~5UZ2s7f9*KHivaXdDAUZJ!Ou2A=fwb_G2*N zx49to$H4psLy8cgn7WN_C_vYMofNG)b)H1{DUPEcG=T|kghl8d(V-H zq{DiA=e^t}j?_qMVdo~u=a#A^=P9sOt7W)dTm9q(fzvEJ5B>Nu_2U7*w6ic1mn36$ z>ht-Kxi6MY&;OI%u)x3n93%kcTDc8QdjR0i3k`?>v)k6x#M1DSrLCd4DKn#koq2?! 
zyaWO)?jITiDM?Xf007Du0023Mh6EzyQwx7CfH*5l2m@-S@sEKg;O0VdLI6O09NZi5 z=T`s#jDw`6GXTIy_U8rSQ6k_50N71Qi3+KD=$&uuIIfGgP#auR64zUO$lwKZqKw80 zu0rp}7<8d5#~Li5RN?eRqG&`Llt8P$byeXq2Y&YnC(KHev@)B;W^3=Mg+=ne_W~8naxQxoOm2ldh;GG`jk6i$b%-<7V4cvPU`0!1dH@#&$8h7CT-~fvh1NyT= zfd4SeaKCTzXmL3Hyq`ce$R7;AfEpdLq5JK8$^lyJjrH;`=nn~8c(J+P z%wLcUeIXG~^mnC2JdmG!gi+*ppO5tj=pRh52;A84GgjsOfe3$SVlwSth5W^V)OM44 zCa7Gae$4+9gAyH5+o4naIj~-K>`deT7<%Uj(kE$Ee+Js_#0f0kz(b1!8&01JdxE)b z=I?nvb71{dU1Mh{m8@L3(O<|S+JK&S(nc)S=>KnVfC2sb<-1jvXI9(}_GIiIp91_t zp@;k5!G}337QAj5&o`0G|FYdTc+XtA3NDg<)U8s% zANz;*_WxNtDQ_Z=691Pe08^d`v)iR!%btJVI6cVZ-!cn-1A1>M;%LoZCjPhoc|n7= zPvdF+7f`39I74}9jK4Pi<@XJ|w@g?bwhe#!FSS1f&=U$YO0sh6aesk21EAeujXqw69&muTdY&bK52KfIo zTa+nvGpBYj3+Wl#iqi7mB1~~0m|;6gx?ddde`bUBX?VGP2g=?z)&L#*=h-^q!1_Dc zl`ohSR7g6A|NJ0$4sLv$p&3e_K>jzR02^aK^B)*%BubLD5hDHz%1oHyIl4wT z&EjlPgKFcyqBQ`(wRgVFo1GIQb)tzde?bEfAjbqj%&62P7{*Z6zgWIHQ1XFS^X6b? zR-MbmKkBk<;FAkcdJAE=%D27#3qC7yY#IAx>Qah}f9jQ`8_@G{=~sUyx?yhWl?4_b z;PDq^j*2hc-w*ts!DTT(W^KR#x4&g>5>5QKv8vKcsd~^FKZ>(W9Ju~-7CTCG3DlBh zV+$oilFeUs01Q+hWUqcYHR27=5NQ%5$^8$fCB>FOn#3)(Y{Gd zVwU?ewie}|Dh51g$*^Tkt1x7+oaXw5{cc4K2OSOYkJ zX&r0=>zj6+nm2(7pVkET7fX)-T7&Em$g@u#GVxyya8d&K0gKGzPyWAa3?PAY+w`?D zFza$mn13NNVr&^W@XT!xF3laA|3V`cXhzAO5(f0JgMidO{thOAz+qLv6N#6Yis64T z-OCI;++ea~`IQwPlqbIPFGqj`Irc?f#|3Oi{VRI@WGK<5<-Sv24Uo7Zc8vbhsuai;73c+^n>n)|{^gkj zF%W|x?}O&b*!f>oEhPnF@2r;r15#FhW%x(H3^%Zu1FMEHKO`bm`M-#zq{N<>OP_** z*e?$KUn5BmG@zHc`IBW+BfTDpcz?+agn=qXG*l=m%G-JTubGqpS)%{58$!zIKQTb_ z(0dNp83P(f$4C+h{-OQg#+tB=j|QMzV|}aje=#PIK8@7vKNWp+M9}lUg$AHNF#&=o zveZ;OI`IFM44T0D`3s<*2QyQ9o5=b8QVSXa!D+2j2XL zNguJfd;AmDb%2DrMK5BG!7XY_JnHH&L7Ssrm*8cI2K4Ohdexs37T_jDSb&L3KXTg% zWq|aZTjTTG)|waBSAQ#*VP&!ajr66gCNUVMKjyCzW5fN)B`Xtk!b$4dK609Wxg-uO zKOBdDn>geF+5Zcg?Fm6RDGxsXm&o|QDv+rI%y^AT)Uu%cKX1E$Z?%MgAaxWh#@HB2 z+JBi?_X#M)2$OJL;=j&{FUgdum0kTe+snep{}pOZ;6TyL^omHEoJ2nTU!gW20=jYg zPYX|r3wV)C{VT#B40>1@EP${~Lq7HYVyy!;+SG2T@_sloSy4dh&qxT|Evi0^1Ik`7 zxcDT>ny`PRANXME`pKy(4GqL|jK7N>fZ35f{pEBD=(YJ7S>TKZJeGqD=$%oQ10cr6 
z&<_8z;))$e`3o3lf8yThe|?n)D3{S}s2>z)&1XyZ|CMzlU~(cZS+aH@rpmDVn-R{o z_x%(IZEu+IC;o&SKM@$5v#Zw)`T61i4*t~4@y4|ZKjgBEm%C4vTm5yp2GWPE9u}cS z*5N2neuVPT+rJ>%CpxFxLql2T_={_7F~QQ-d1^1Qolh z^YZxOPq&Te&#`i(k^(R#nJ~AR0_y?zQ7l9FYaxR4Y(l`%sluII)fqYby`AWW5NI>C zEK{m+qdGksF_l^;(KH}mYipkm>1zVm67b@me8T^EZ`B1H+}zR$-~i_yDUW|}At0XA zi@-)s^+g9bODR$`^0|LgWd>f71=fCJ7COvTvN2HqOd6HWjzeG`&D{LCrWkHOKjPH= zcV5aTNTdhk6a1Zp{)&lOah}c3HgV(!wn(^tywHJli1|;b0h^0OoCzGjs^sj#H&-tw zm-_rq-GqP{c7hl9#RsIbaRmB6Pz~Jp@zH1VPXUC09%gAiZR)~73<%8tYHnL+_otDd z11shHe;vnSsn#-T9}Z9!k=XGXr98BC@Mk12An(&CEfr;UA*Rwzhd>gvB|PMNRjT;& zVFE1Bz0&^%UC7lxDlW8f^VRE}0e`Cs?92Yb;Kmus$qW$Oz%B)xw*K_sMzm7K1O8k#pud{{R>}G8tjtEd9uh0g7O(#v^EdIVJ!}0tMk+ z=&6je|8UGY^qkqz18yC(6>xicp#$ra|4wEH#`*d{Cop9Jm86KA`2T47?m)J`?{7-c zmfC7lHEUO`5~DSvwyI5~HZ^L-rmdBhqV_6c)rwi0TD5BvBQ3Q@iV#G2-ag;o^DoKG zx%ZxX&g-1>I`@jpUHd*Yz+~3t9%ic@V>sc1Tqchq0E7_B zbU(^D$PxSxZ${C=;Dyrvb0*Qp1rIcd2tH|xH3-#0fG_@50)DbkMf_h&R@SQqc>?t> zvvI*svh)F+0Dke>HW-Ki=m$8D)jXO+VGs$yhSp-)pVt_47XTRs84l3^NU0biTcczF*K$SwSoz%5CfwTf33cw1Tvl`0;Heh=< z_9)afP`S20j5Dz}eN&R8MF1nkuO72f08I};^POF5+Ue~sle<3I4bt8BJ4ZtX0}1%I zqFOg({)=Y9*Z{RJu?B1xfE260X{GX1<|J#2-V#s_dO|Ozbq8x$D-1OE!Qe7Y@OPsdLq^?I=@(lK8cYLS|Dq5L8Qd%{}>_L8hdF*}X&qE7B4~t`|Fx zAlMa7c+1O~sJZ3|$N_}>6#T)X8O0{Ze2n8f!38(IlWnPBmmSc;_u0F!HH z!%8obu>{qEaL*ke>;e9V1;)O21JRkhT(}37Ar6bO1dgRv3xGGj_-AXW1BZzq7qAQW zz;r}O*T8O4XM&WV<i=SgP9yGMg6ePZRQ^x(6QUowi~grZz|_u| zYp25o)(YbpNQ(&h`2pb-vV>&YLxLu5S- z$bPB+j;z81#-V4#YGDNf104Fz)CBvr7@FQcZqSW3E!@tZIssve>j0h~K+IA6`sA#c z8+Qr(nxBBqc=uAQ@?{>5sW@H!vMpWN_|G7B78667#{LJ92tW10f(Z5}d&=ipDJxPQ z{_p4BP{Y;~Zg6#uuW=__Lqvt~K`6ppcoaqfI2-~3k2o74zowr%CWOP+K1boR7M&v7 zD8n9>z*XesMTm^c;ABu6@VPJm=(mu)Bd7&dPF!zk<@aNPD3@0aYkSAGjsH`2AYF0T zv@;C_qT6BZQg4DcE?-p+EM0ocq^}JXGms+KAXW-v?)i;5_8?Ols{|BAyQK(B=f37l zCESi?FW#AXN^p%g)o5XBZ|!?;)B^C1V{-I}EbP~y&=3wx(`Z&^@*m;{qT)Al9S}Cb zu%@(9N+rkpC0GSM<|X*FLGOQ)O31oE4-{xCd_a4ZJ`Q_mk)6{cvDNFLwh^L(F3CL< z{}p4geS+$q&tJlkYlW`X*5S||Gg%!)9p>;m&B@4 
zp}7rY#Jx60=uBLt_E`umY)SdNqQT7*H@c8BcDx^V`L=HQG?3fqSN0Td!Jca1V#B}! zuHPvW*&w`J*Hx#=LRTIP96s|uUd!CulpO{`&SPyF#8?KWb_*JoR7 zRQMQ3kcQ6I6Hv!W!Ku|28WwVj`cS)`wSBKfrIF;jZQkXH&Fn<3rWPOLLiAK$gL1Z; zT-*_|16Mi85IN#W+2^;t;H}8)ZB^~fal0>sw{c|d4WF72&lX>zK)&{yg)KR}o>{_z zUERQ5VC}lX)`?})Qmddum&wz|2@X~|$qCkXJBn}uR#akU&Ba^<*i{d;en2#dtuqwZ z=Uvt4UF}eppyyW(GA^Hh%Lhb5yIn~e8i*_-Dt%~RmL(UJaVPalW=@bsqB`;4yO$OT z-qw9>b8cc%czh#md;@M~IW*O&<<@YY0v?ZuDw8}Nh54F!^F{*HnNR%l)(@>rV0z}WbS5{$&Xy0y8`#yWVjp|2z2^Yp^Y?P>p!T zjZ>FP`YRSqxWVZ7iO>Q2#%=<{f_@Lk5+nd-QCE~lmRvqmPr?-+w8OCW@iElq3&b(& zM739`Sd8GK>6^9!YbTw3*ey5>QK?>pWCh_lO>iuO#lCpS4{uMG))=r$p%5yAPRmrl|bk2W*bj8e!Ig^4De3?|I*+`rc6T-s#+bBlr6v*Ix&| zS6p}NTnV%y+dwhgu9X?XOZR!dV6&hPYh@Hl6V`?T?#6!WrYF|m4#Y7)5{+vjQXJe8 zba?#y(&#Pkm{#H)?@%2I3gofo~#Z-t>bmETO2o^$P2)b*CPIzGG7F(>~` zcDsw%Kn^G6CjRNQSU{`44nD1c?7TGwb+T?9Zq{=oT;{B@@{Vb5S9nQcp$D!(15 zV>c|snOj7YhLsQbTPi?+<^cmsGCgcB(-cAXnIi%loPbZj>P2iYDB;Yu?3P+lYeV&@JRnr|-iRt>AmTt?ii&;tc4P;2j6Pj96MPAa6_14`Q zJdE+yb&aeZ*Zt_}6%(=6i*BCFE4Oj&7&YF}_AdGQF6s%VXzHm)p_x5~=&=x%$&6`t zsY&I)ct6+ruER)7tiWIkqR|`0e?X$1ykH?DOXntHpRWOxY2O2`-!Uzj)Lv1+XixC+ zFEn{m2C=`hgC5BBXVk<&)o=Hm4DCJwpCic`*l1&aMovWyKfYnZWR?L6*c6&gap*5g z`!RahY0SN%dNn3wl4e3~-LH+j_K%q@`%YO)K0=O?$-TVY#%{&&8t?4J0j=?uc2)$of#fV|Ll&ArmOj2qt{Dn1~aqKTp&7FK|L zgDMh^s7C0N&TkwqkObLwnr?-b=+=#+yjbdAn@3Lge8d*rrtyiD%!YvGogvl{2z*R< zc1rD@Y`#Ase5o?B$iCkou^vK*oHR&y<4Vt53)xa5H!jkqV)(>g-^5?RxVPU}SD#2W zoy6#IsoVVF3g#kvL96!}75NnD$g=XJ$PKrg+-lTV!cDz1V4PY9=y2};;*SrAlk~mw z*1jmtIC?ft0_4Q=730bkF|{GB*w#;7u%PGtD+(IsuPg8T_(2W#y@xsw|EAtz-p(J- zL^L{>|1{h7q)@8aW9wY?Q7Lx4MkU{LSg*<%rYzQ=2&OYsfu{9xBHKmp*Fpri_`YNT zU{uI*`=!bcV?n0AjQ~ZpoiDD#pY|-+8Rvngu|9Fux1_yiA5hRwG;!+nbsfsj;JM>7 zp?2?K3d#jsuUQADF%hgv-#;D}Pl z)S~<0jM+WdUR+I1viD|Q={$lCh)-?B{@^`GI)9joo@fb=eF{!j_`tL2!(HizEZ4oI zp0Z%osyqB)uN!zDtju4J&&`|g@Hj@{8`fT~!7k2$&5sJU*AJ94fGl=2=69^p?pHXm zdB)j~3jnj3e4navELAzcMF5;B(HG^qb20Lpud;<@YA!-P5*yb-&yOI@m*Sg32e-Bh zKN|B_s#~ObJ2HKgQuV;2wwT9G*d8)2P==d;nU8)!GuWZvNqrTaM@>Mc+N2~U!mIa2 
ziEPP&*G;mnxxO{R3P;+R`G^NvZlVtj@O*9++;WHxeog%Sr8~8$cEtO2ZUuu3FF6$j zzZ{{vJ0^~Ec#L_0!MjXie~K0(M0w${0s}`BHuGlSiHD%fdZU3=W{@s^(BUktuh69> zo5Dqn9Z>VYg~Z`RxtdZfXV9OYorVyD%w>{@;ScX0#GR!2 zil>!x%jCwHDz#^RwW=MN+Oa%ef&`oFlwr3v2~B}<{nHFpF24&Nzj8o8V}B0tUMHvS zK#X^Zygaa8GA@ZWuFobKe>AjaDp9eTz6m|B#9XX%{MHJUJIRx%P9-BZRX>S7lo&s+ z4wiFPG8StHPW^UVw03CE`f`A<_T>{sy1xZ9HtEEWj>@(6i^(aDx)e*I37A)c#XjVMoOrQHmv;oJikKyvaYnEJH9fVPG(G_Fo1! zZt#}+c$NE?zpd}VDAKWsQ5yz8=q|FJz9)XwqJ*X;nPI!chZ3UamEiNYsRKkc5ePS& zPnq)lW+N}-UE|~;oD@g5$-xiTfNJJErn6_?;hc+8w-O9Tnk$qsq&HvRs>LpqNd_11klQ#9gD7aeb4 z=Xh#XP(Cw3=OdMW+A%9j^_KvGwoJgdQPm#U2AkOFzq%fiW*hZEf>Bk8VVjrJTq&gQ zR!_~h(7)*H6=KMO&;JS@j4p#-KSU>qL?VF8$hhgk>>LG7PcF&uZ@Ns%63+KNYdA@< z|8Le0DReY%)aXeQ&Ql-OYICLpj;1@=*$!5dE2~ zr>061nPuaeDe`jXqd|5u4M&h+DyLytS|YEdD_hvOS?0}v@({nFoj#IUh+qm4B0@ONq%dH--=T(!ze5UN%$6VO4@9H5ROwA$Ah}KP!Y=P^sgfg)|YokW5Cp21s?b8IhfXUg7yB?Y4_XHtH~6(+i2hDr!y1q{|17B~ z@bf;~k>y zf^kWNhYe_CoEo*t#n&&guXqj z;>O;dOcM!z`^8&~KwVRTm2i6;DHl@N?zc0PD6h-$9Wg_zo)Uu9h^32u&jgH$S_x$t z&AYANH7r9hC3rq+86OPqP_!4kl*#HUv|T^$q8$LFJlOfqD!eKmm;9yfUsj;2EN;U# z@Q`4bziq)>P(MiFB}y*!;T!x?k*NRcrYn5>AM&(kAuk(pJh~s@B~ZCa*=nh}mSq?} z_t}{Dkh6nde)%@8a>JMT(HDm~E$!{sTSc@6Jf3vqvbUu0GG?V>2IV&M5tKi56`%g| zig`4Qskb(`^7e~=3ExF|ZYwQ8Emvi8w3oA47nIQ|fL2-n)lQ&p-dFaj8q@ogiPwV^ zknYGum{HD8tnS#x)d;L#c1q@z8@T`X#-^2XoPKs0{5DM;U!T)@c|M7Jc}rmo=6S3a zLNrQ3rp%vjAH-rQ)@b5`tJiL%)V@YRAsGz|ts9Gt>e0ibc*|Cy-B( ztWN}G#|{gpan7hed`L;9d<*=LaJabM6j9%5XqG!tVswDvDxG~UpQeAgeq8Y*F^%em z53WAxV9MVQ%>Pc(<&B9p=9t_yC}YNLa@o>xzo%-jmZY4sI-6@egMW5E;|ayiIw<+pP6 z=Az@3wA|Py&>1R8Ju_(d@S-VyIEX=rR31>~vbQ<=Z)>^uxt4asPfNH_kMLPJH?>od z;SBJNH^k)T=O&e9SJ@$`pFi-k9y8?~MJS7>z(XE6G2yZj2PQS>35iz+F80L@jCdqR zl!QrnZ)5)yg9|%lBqC#5z4(N=Huy>+%QK!VzwfPVgCC^B@<`%Q2zIWYmnx(&8<~-g z7&;Ddg+!P;TV)>GLH{WZ^^2u+S%f{%M58r|oVOr*%|9-&D?~JM3CS-t*q>8JzfWI7 zn`<5Zx-n3r*Ej=?&HNnNh;_mRA}^EMU*^L1aAf2ur@q=(p{?2rijyY~-8@BuQyZ)& zeA%wvhBQv%ehts9CEnMeK701BquaDTL=)Q*{~}fcdl6OV;)MTUmBw`EPEt?daA&~mCov1=Id<>lsqO`H&hPe96B&(5tx9*ay{Fs?S!PEGTG#GD 
z-4|9*edB_6+%E465BJ0+Vu3?)muii+aZm7sV-nEz>5~>hK}AowizgU2c-kL$W8M#Lg-H%R+}dLRHC;g*C%Y>WAAF zGxl+1Eyl+6qVbM=(9*cWMWG8V`fRhK$3L@kH-tgXYLzVjl2VwzFyRv&V&&=yvZeJF zbQxb2*t*=jf98EpvA80Gb9ZCHCw4%Tntwl_RT8XU31pWQvy9vzc0?nGAo!*F*OzcC>6LxeCo5x>dLxzuoGP0H^o+Em%i|ZjDBw zp8`fVz0DBJ;*~NFyf3`9XsEK^16-*>uvX9b_#22|vRnFx0cnDL(m77NcBlUj45XsR zPZA7~@+A*BBXOvkVqY~kw(VKUZ+k)g4sQ`8UF61+4C**j-(Ll_k;i2+r7!%Ubczen zCiaJ|v93pDJ#Jw<>u8*H(BkH}kX^#+pZIxBg!;8kUS&0GzQq3Z+&@~<6!SH;)elPl zo?O$DI==(=VJ*oBmke{NV}N}eeEfpa0)Exb|7_vhHN3c#!*L)Mzqzx^M-pc%TuFAj zH?JzzDEYPVZfXP3$oR5z=$M)q|G9Lirnx)OP)jVfju^`O1^H@t{bN}G3a+i^t0>;$ z?c`QBYl=WmGQd%*EbfTI(9pWs<>gH5rzpU&4RJ}_FVVg0C{iDk=c*MOtrLV4cuS?getmcS`wNRxMNR8GON^FpL% zq&L(Lxe|=Q{;~efW8V*b`Sx+Cu$rFK4bW#JyP5M@;i8Z0Dn-loy*Y4PQ@YZw@ns-1 z^M0Vi#Zxg~+2y(!s`TkZq6{!f41#t)2b*h0d z)0#z5q+?Lyi*KJ1JHaZP4NXjlT&+-R;@4MCvLw*~&G8-lFN7Fd$nTxmzo#+#SyS4+ z+L;gV7xdKPlxyHOrEfyyQqODlOf=XnTP-YF5T7khvM|)VV;$58K!!*qLe;+n_JSOdB>MbZKEzy^ zvLqV>jK%fyiu(Ef`fFN~q3*zLa`;2D&g*W}U? zu-`^2`_JYgOLRdpyFCrz^U_|zMmULN;AviHI<6rI>@}Zy*=**XJoNf*`wI@xd7yKs zrMAe=E{?IRa8&sGT3&qE?vgV;WM>V}M1S7A*HYZTget$+ZCcB<^(W~%cYq&`g(v%` zs}j`mJi*d^mfKviD(lmn1U-m8hyv0G%wK5s(o~_M zeVyiG1JvRR#XAlL(953FxXyS#+Alxx5W;!gX_K<=sp8AgXPD}`;m8Shs(~>FV1mSu zdny1``lsluu_B4jz5tic4X!izF%1)ep`-X8m#x|@DB07tpD_eWS{>cePFP!+on~h~}(an1;1P^joKg{8U8ekE|g|8#1;<#RT!`9|!vmi~wk&4;|(P4RhGr%@RpaaM`aA){#0#6{lB9LA*O$d0j3 z^stK5>x4bgmkI|4rm+0zsaw%DuF2CkY)AvbD(bgc;&NYPDE3 zety6H*;-7;RN&!v(`X|;&^Ip6o<}btb!Y0bp6!n*a*Sr2^aUPjHBq9x&iFy2S;KK}$%Qu8iibMPbC3c`D(oz_OpA}Ds3)DACm(JPJEH5wj z?b=$#EDL?-h5{W#xBOygV8C9d<{Kg4@DhDks+nR#gpKROP+H|SHP)qx@;;-vY&Zcp zCe>7wCy~5UPetd$))|D!hVNxJk`GMx@?qN;RN%#;+fys&Na2)QsF%sAl5%Ngm@H1$ zu(MYOI1DRhtI18Tbn&GWiM2XBo&DVFv%F))9Il=f_OY-qGZv_)9mlx-_?Zz&13l-A z9eqYIZ&9b5E*Dnia!}AzAK%G7GX{%aK-GSfdq9>R5}BnzD!F+ah!LuPwj-&i^h;eV zDZ_26>XrlRF|K9gz=1KKA-AtsqIA% z=TD$%2fhf$cQ4n8cg;0h6tU<6#th1u3=OsurWq73A@GRDw0{IFTFO($eInUlbCup~ z_8NT4ov_D95-c^gzNW=pzt5)Y0&0)`TG0EFX0>7PyK->4r}*0sF*?`rB_D1E8P_#eI*2My#^iT1=^S zm79S-f 
z(EU4oBAGU>ilawD3?-WJ;YB6;MZ){{@m2_5*D8sB04LNqBqg0K@HN0UL42}5dcnhd zIVvQ){JEmW-qmi@tC$?T>9bT$HE(gFCOO|oywl;3yk|xsW9+D1Ho&7a3QSpLKfI|3 zWF`7+OviX)121R3K0TX13X<80b%%FjGXCLOQ?ZZZrg6J-nKt8}j}t8BcKz0g&2pFm zkM?*O%_(cE0PpnX0oDA`@8qNiE+YNH$?Zqvwt-Kw{EG`PM3spPxh7QMvh2kP-w zg`|tDOqO+;ebP!P4v*`;i?rFevOsScoXDrS1%sWZAek_)KQnF$7F9fgA1C!%a&S!2 zE@tfWajov@X_Otbu!=}ZaBMVrT-^>re!`L%E?_HJzW3{`FL$S#FiA@Whu$cSYw-m^JogzZVDnSiT0tj7jagr1F!HJF_2IpR0vKPYSC$YHKL({VLfKPl;vz}JyB8o*Z8OW&I`~pmoNKq8Zt4O>}|5h?^@>{ z12-r8hE4YNC=WpA0iB9{dx2*SO;oV#m(r1n&#RJB=kAj)>ZwF=I05ery-$a4*aT^` zGmd5)U@@*+Md!)|v;Rc2t!BOPw$&>@(EpO#Bt*4Yni%4c7=k;UaYZ=yJbV6-pL0nL z#G|=nJnd)Md>7yce4TU%lmVCLuWoPzx9Ao5TRplZz}41cTLjdamXaS9MPGCshR6_Y zYHhoya2ED*TDjjcZ@Xwy{2S~7)&Bd%L~{fx2sG|c-$2|fM2XukAD;$08Qj+T<$`(; zQP}?r5)c2#bxur9UAcHB6wihW zqDH358w(u=sO^qro{gW9YyH~U{R33`BsH15ftW@?fnR`&^6|0Wn>R3H2X&7i@ly{F z>kV&sZ%@_!`Ks*c;*d}l1A3mFw2~|4%u?Y)S)uy@`$FM~iE%t3$BU&Bt9=Qe`ux0e z80chq4vYsd61jez`k;y_*C1bzd9O;JvBL}HJHjjf-lpvzOjIbca=>B^{TgL5TY7y@ zCGG#{*Rqo)RY;l|r*=3LOba^dR_z@z#;DopcVN>k^6oM4%8!3Y6*8P2h9h5EJoMh~%C4jN=sU z`(olB*+XZoXkjKPR=EL5yjp2Yx?{wUc+r}F!FmSZIG0!2zzr)BxA}DqD1N=aKrF5x zt=h&KcGl4MV3rMWtx;yjQY~X9GmoLlsMZ zi@E)^sY?ynBj-RVNjJ_XS6Yr9josZd6^+!2f1BHM6U0k@`$Df}c~Iz~zWhga9JhTR zg03%kP(uI1n_GSCvp&f3fM)`O`}^qQ>8%*m6#-Q*ieHf__6%=)P#j~Lst0Zpk;XK) zp}XCH&Q$1h2;PJg|M7bdb;?~!XVL;3PyEj8bhV5kEK%{oirirrXmA5kxr~lx+wOH{ z`Ey5szqImp?3z=}88KT3E*-SQT&cNV*W4#9U!Af^XSTjtlUVlLK*J8yFs#`8{~Ltm zTmwEWHHrd&bJ)YV0?>g#mc_pOcjCC}dJE2F>z4r5nFsL}(>;2EOQ|f$wT)J^Wir{0 zofxKSi>+pkGe`$^I_5D$5qttF3@j}6%tlYNiQ|6zpN|xH^>jqliZ~|Gg0Y4$dfzYJ zN&Ce~K{DSk3+kbp|Cs{$XQ^CE9O5Jgs~$5SN$x?emcq)2JPtlzWZfX*4w7b<2}E4OxEH ztPU)e5PrRl;+M;RzaQTfGwH26Vg;)1_A9s9Wyf?4?v#(+$ki)4^)DCJ5YV@O$?3}q z6l=MB^a={6fHt-~wyg)UH(uUA)Nz67MVks8qS+{Rku-f*EXO4X~(30N*L8RSBCg|HVfJC=>evkJ3xyosTxIrZeot zF2Jh1nxTX9SDBCQe0znr}CDPpb41 zz$<I3b8g$O*t)@Y~4-G3}3HUt4h=iE{d7>=l`()NBE%9Pw z6~8jg-D;C2nyBL~r)(g?OD1}E-cut)Aok%=@3nz@+F`cwf#yH5rW|~r2ne>Xi{(P; 
zrU=Y$&u#0L*`0Mc=7+UrK=4e+I0W7C)&_pVUR^&{=?|uTtTx;xIqTh9pz~4a69Ijj z$#7c^tpp*#Z$@rZrwSmqr-(}eP34Efroo#!qBE!?+$1t^`^h?f^=>T<6DY-$go2n6ka9es!5FgqKJ zf6hZ9b>&2_F!=aJ9?-{1KoB$%*GkH$D%K#sCLpk~jo~Iyec+P2Do&++&7_Gy02Wti z>9B@uEJ|XtPYWIk$Vtm_#Lho7Ja;RNLRA1v$AQ|B=cM4#7$r>kL9Ps4TdqoC;@3;Z zWM6125a+oeFbsNg*IWzXT_Jo)jXI-n@TN+Wg@n=iD`46F`&LW5m1YR>+($6LN`FAs zmtx022WO{LQIuR?;V5!pFRS*y3+c_ z90Qa#k3IUx0Y&Cy)DcMZ4nqcPjLQKMr+w++%wq_!CDfbImbC1e^CJIl7^^&f)>&{Y@Qh$Pn9r_mN??6n zzYtM!0{w*7Ya8pvyN z_U?U zw(n!`$_aUX$6UfpB>u!!rhq15HJQtav?P|M_g@T4Q0)5Qbj-Lbl`=?!k<$6L zO_YocOpLVI^(UDVP&HjV{|>PHB=U-^0*P!mXg>Wmlx&Pyo+%=aSe+W(y${|NVRW&* zQ{VCgw1rSXJo=%xj6Qe7?1&>L{H71D-$1P>#h$K})5x^6h(WZhBl zJyZ5OmrK_@>d3#46I!C}gGgw!nAv$r45jQ&!}N}BX@%g|ZpYG!t7KoryAHcs8&h{z zu|#U%vHVj`z0XAL-Z{&X(>Gtsy{SdPcfQh0-<<$WOn%p)$EpGzDES2FYLc!Si1D8J z(5>2>TE?%AdSyQI$uD{T<7qau?6z1y%PwYV;DU>A(?z`XG#4fP7I);Z9yMirHO**zA6qXd7RUo)q0$POE!jbFN)*yAvw2 z^TX#{`^A^veuH!zK>s_K`tLW?x5Zas`UZSLkBakMZ*~ez;GW0W`llK69#?prHbwWdsn2zsFlShw-jS{<|W;2G};IitcBmKHB4D`YPPRA5&*&vo4e<1)tN{n zxJm*Nc_}TqQ@LpSe&C_-=7IFyS)1D0p}(8^3v$uJOGap*-}ca_Fb~Zjl+IR=QMSb?X#MH&!d>m#{}7c$@TU+4*c* z6}`4RUhr(D*zE3$Oh%S&P}S=byCK_qOQz<%Y(SS{OQv+T&e!7BO;<(syQVTkPm_UWn&-S@ygTCE zEa2!h0cU0*bW_F$rkhh`Ly6zMfLKz?`cZl@wq?m3=~k2uma=0w$PQv9j@XG9;)gL@ z?l#$n`?l(2*Qaff7XTEB&38Ef>#~?g#v|v=c@m1^aZ@ozhQ-r zoXc^TDr>AqNBsTk31!o&wi24w9ILT%==~rIro(3Zq>Fifqb8dchJQlzH<`<0mYwJ+ zkhIPRrLq(ACXg~D^MCNPT{jRW;%lR{?a&yj*YJ3c#ANWl(gUvGy7ZmhYMC82ah}>K zpTkP%D(wKTZ6m@*Z}lncJ_02J9cRLnAKF<*9iz*6!3KS-{3HGB$@;3HRgld14nvX#sEb&jJVQ`_C`W3h54BIHMA1MUO0Q(9B8=R%nd*ln1bn06FbiX zV&1dS!h(T&58(U`3nHf4*PKy>qNT;`S9#Q1OLV5oGi6a;&YEw;(w4BD0`!CUQ!82? 
zn9uJ0c(zu?(dJdW>I*=!jh9t>p8GVtUuPYjmN&7Zw!JmPPC^{$<&zziLYlB95k-78 z8T`F%#L2cEbc1DZ=Gd;?S5i3+to2)xrH@Fy@bIB4XVIXYUV|@~#n@Or5TD=3W#h*8 zAt3q97V|!v2G*8qib&3fx#6tVKC!|QaP=5b6C!^eH@ul<^AcG3# zUs4WLLYjQkU}F!yuW0SL5MF zG;q2BrB43RtFJ2J&mkw5R_8i>T6l67>0eQ_?_0In=`MntkPd7Swh*3jJ*yBWlfd<9r@j+N^f8eE1X`=eJROPdkk>Hd!C|4NB^%C$(|}5 zHui9k>eW{-2V6%tQ}(HdgGx95)){pd9^i!3vJHszY~%t=7Uo-EJ8!7wtjZ5C zAHXW5Gdv!#e_e-pME!hAcbbDqNF5rYv3?4aAa^-IiYp)t8lXxjmeioL3Ta%wi-^zqwC28H7%miO=;&c6Z|F7DT>-WoIw5jnO9ktmBYCHZ8! z<~w(kF=E~^Gsiv|YB)@`C*F0`;IGSngd*&k(`7m>qJvlB){urO+X-swy8xm4pU=x@ zF)K4kT|tF2@Y%fXU3}Y=ZZxVL8~$w!{{TdK+?#HW?wZ?-(qPc^(rd=1|Jc82{{?sR z3OKVbkA#B9Zhx_A=48Z0nRFs4#vHf0m|O~h^St>B5~)Nt6{sm_qX=pZ4JvtAxEhuR z0G;#HcA2-}vEF4Z`Y1-d6E+F?g21Y@bx^OXSLko+Zd2^&1g>=5IWLDkvIN7WFfG?ia0=FBjmw-W7`&2bd; zP1Kfqyp8wRTFf)zP|QM_s&k~cpe5%C<%_Wiv`p8L2z5eml9bC&Dc}%O)|@a3EAm%7 zQ+j=4wmOCJPO736#X3QYV{pYB=Rc!jtE!=0HxWt;%exLiYDy{dj7FDBiiUEq!B>_8 zV>#EIc1LVOLIy0bKr}#!C_FJmnCCEsMsx2pZdoxTxWR08l^Ph}Y19KLT^!)gLd3hk zbqJ>3tlrV($IK)eb#XXVrI}9lx1MMU9wACrXQ&*|wYPu|+OWCr`RJicI zT+(ZW`sDg=ZPJSL)AR~|vA2O+hu9oI_HfV%VhKCp%C)4J4$yKuUKEa2}MtwtgLg)nGKfDG2&u(idTk; zSJ=*Ty+boErUAaZdi?UxO#VBJ4NPfw@(=kNe^Z0lc+=na?Ry^qt+eSHNTeqDaNqEa zp=giC$aOwjU)@PfYFR2eNSwIGCrwdS{kuj0$G-1%M_n?oDt+zyC-L67elMKzc@I8` z9xvSKbN-tQF&4^wtE<;DnBmdc4fRKn^%)Cw6hnnxT+}2gQ%5da-y=*!O&rHc3XLSL znbeIaswkaUk~`il-uoGvq_oQ+bhBSyg+s_~{Nz&n;!f_FEFXz*40avQ)g-oDz(G2%}ap-RV=lU@D&2 z)UUHxBZ^wcYGZ0$eP#z-n8XlT!rwVuHzL|oUY|BUIV^OHX(a0j87RERn~Jm=J~c`? 
z4WT|Vu`nM-1vzvx`9=F_4<~+XFOLcXFoFwC$Dc-8C$J%qol{#hSB1a9ZFNSk4 z(mh9t_CPD|7TNFfxi5@yaN;;NSRlGp%h%Htq%(xm%ji$G?lEP>QIFpKb{HL=|)XyL@< zArzLTO-p3zK5;FAW2RqRI%xca;iZ)PW#%M9S45h4cky#08=8Y09dmBS%M>Y>ZiU_8 z?Nm{z_0N|Jt53||21_rrm*?%~OaOGW&OYhg&`E~1QNGXy3{Z=7t$#u>ZLiPT8`umWQII9*3)?UIsZeXMQiTlE8xWqE!kYiH(Ea)kd4R6mF zo&JQ7RDR_PL*yG$oA@U=69CY4NHY-18kuc9fTx#WlE|Zr0BgC0;JrO1WC7*BY5vxD)}M@ zsk_jdq~35@A*zjfl*k&@#cHDk>`G!g0xJCC;&Jf3VRjXbj?iJQ#=j+uj!6de%(}yHQHN;G{c-pB4(a6uahzlhPf`V8 zOO;h5;?W0z-f|P)H7nqbx928)x1ZeOV0J225tlS5^S2WBfamJz$U79gGbOf%^zHhJ zxt!SOpSwp-d=z)wlWihLuD`MEe2g?N=aXB2646Or>$1T1dC z_7$oVkte=s=(mTuv=b;>UstB_oRy{KY;l&D5990kv8%R86qBKWn8*TM_E0UO*}1~d zPYxQGg;jKg*Wu!I_96D_*K$?^#>1Aq^m9Lv;3FZMm#6^-_`6NlLQD7bdBx(B)dw6k zIypq4x_efVVed7u_T0C7qCDIyC-G*g4FSz0K!@pX!pYc9vtg3>%V2V@{*y|K$+PAh zPixhdSoGLj|ICr=*WM6Ar%ckA@KcS$Gf7LVqk9r~mj6a4qE|_zCB_tiNZIFtyRcvF z>ECX=SF7-B63vFLIUQ-tbdI#kD&9d_Xd=BkRB9l^)aj#pm#({tGZSNjV;fYs1^l0; z9F~IITo4IlY$CqMf**jGPhW3t=GDgY%BizjUxsZ7GpUF%ywMyBXT-P%|69>5UFt^- z{P6Y)T?R^dIoZMX9_M&SHCJVLI?quI!NkcKJq6z`&t*Ac8G+dr22##x@O%T zeg5qdaNv5uYdOTr2N1{jmoxV>R~JZ}y7xAEHpXCN%L=Coqhs@9Zjs;27Zf~3@YY>( zL_*C;N^BGVkGi*xs;g=CgnT0X{l|ZKmiZ4SM;A+8!a#E3EBm~#ZA2Sb35vsT^ z=zzt<6RSSoIM@8aVd+7)!4Z|{%d@!tWIQcp5(49p^44`(tb z9+!NTx3REBnTXm}xH?E;iPfVgKiS2Gv!S0go$=AoXh@T<7`TgNBtAGJbPLDW6rI6m zZWgi4v3@M5;bV^(azSE`Tqbz$XVHvj6MuJvT*A>oczG96K&nPqo!Ps{jW_J64p=h4 zi^yrC$57mTB_(fj)ib)&IX9q;?I&^#DR1x;4)$)4LNNhj(I5h*nisju_GMo;of0JV#eN}zl-?D~*bxAQ+ z?I5eaa07PIlXnR)DE%uS_i(1n^4Dc24rlA$8qtnL0Bh!Yizm*c_6)!ad_|~q0rAbv z4emnP4Jq|535H7wHdT+rVRkcGt>rbD!Q7C@5NM#H4;P4gxE?sif#9&YNg&wB}(> zuVpg1!SPFHu1o}Ri^`jI4&i#eyij_Wn9cjk$2kpC#k{Wj$)^T)itB{O+wnK^^E;J#OfAw3r2>xYQFv65mwRr(d^%9`iQF z{x_r&(*ktU5X{+dNpcD1G{E|73{E@l2nq?_-Dx}raIbs>KrU*CT+>nq>oM%@~RJHvJNml#(85S_i;&fH0S^fDK#>`|+3uoem#aoPLz zif5m1>qy6Lm>i)|`(7QkyvdK}eK$x1RlXvw`WOY2W6GJ11+98oE$ub3W6t_=21+!3 znw&}p)&{L_We&O9Oxgq2^nv-{{+-jU^JUl~WMBmB{4?+(rKgk=nbo@2dU(K)_{aXi ziPhWCgbTw=Hvzomm6E-5u!b1mBDYrrk49=Is87wB4Vx~-^;)`Q!gg?Q*8a-bqR_n2 
zN%o`^@R5)vCSxYAmdftTmy)!huR*x@LvS-!CvxYOp?LvD!(^tuc$^4#&G0I-zkT1cK{%Pf#c4EWnX#!Kn7 zH`P5%59(u?s25#|ZQ8?vnwNJ0kk8es9#|4o1Gj;L^2k8uuBa*9D$cxuR|rU=CqBle zGXgq-bTzMTA18r6S8(sRH{W@f8%IEiKLF}%EPs=4@f2l$clB{%ge?v7;|R+;N_f4j zOKjn(cHod|e?pJ$n$tt_x2h3^jk!3gLIA@1(O9(mbgo zPMJ;`b#>#3*d=Z>h#??)K1c|`b;h8sjK-{{iBrSqBk?k-<5B^}dhKIPgOzEzQH$X- zw?Bah3}PbqHAH)lD3un@NY_fKn&J1zfOjF@s{u)BsPc%8H9*`xg}IO9b$@tNJCQ1w zP^Y_QV6Iaw!|Z0DjH$1?ArrCzQK^cM1Y9lMPnbctzh_*6Hc00NnlX-->Z49nS}3nM z=L$L1bII7vbZRz5F|=RKVIsDw`E;Ox_-^ANfMB*_)Q zYlD3CuM*!p>`9QR-t@{R0GX|Ny-6wRQoz1Pj@YK9QRw5Jre+;(Gwr*^M(EkpyMox2!K`TG;7}rxfx@$dEIS( z0~}Ag0dKgC0ORY=`AfG?Y!w=ha|4MUo|x4rLCmXzCQhdpU_U0OW&J(seu?B^vH=@F zsk|83W9T2utg<@o0@Qr23KUdLiVHS5;1uI9vy%^;kw|3YOP2Qq zTq((Wpx%TRekYTYM0Re5MPq}*eWhv|XqBz=%j1VyS7U`sy;gVI`P?b3btxReBl8k1 z$Zn05P;Oi8t8I%D1?Xg`>SEb|1;9NkRS*Dd>3(8hIB|aDM>Qw{R-%@wA=)XAFr>Rz zxQ+>tG-%{*E_+z(@;;xR^Og@IYYjdT7^z`pQ?X%jHpQ##>cg%7Jv27U`uNm{T zfbIn%`J>61t8Wh|NL^=oY?kR?sD-K!CsNy^{B+7j=wLPo_7&rbLsd}G+w$|qjLCmu z^ujet=i9RJ$nvGYk>keUFFncWq79CKy(YphG^e+f9ov7KuO%L}T2uL5Mo?E2>Z2s3 zmy;X}r%{JH#*;tE>GI}m3~o?xkux%zI2~ZZ2H4yL97^Wt(3;Iiy!}!*(>X6%XGVaJ zZMYmo{VO1grCutEwe=R(xe5spQ^IqvYd(|ye$k-Zr{QY3DugOh!5qSy4Q7Tbd=*m#?PA*n@Xgs3lSvG*iLTLSg-#PWn)(CffIIiQC%)kQO8Q40nT z$vWo6O_f;GuEgMRz+4%W09~<(*-CcJwHv3cuZLd#xeFsml^BB|p9EH)R)I)vJqVN` z%sDwYXd!+k_cnSTP}n=~Qh`wx(&-)L6REeVBz44_p+5_JUnA*%@ZEN~KO~hnz1AaX zZvS4xIFecHFTq5rHSveWAD*6+fzBVu6?zooX#a9kY@V6<9eAscGxKpiPqquy^d{pQQ<1$|=hzwy)hDMv z=vXN2*F3og=1C|yA5PL8Lny=+>%P13WKo0S6=T!tvSIWy2{3xoe`*`0mzjSH?SINa zA$dw?z#;J^mm5SM=So-nra#WSR6=sUQx&h)hVkAY08>WjVWzspjDKQxr=dZ?fnNd-pI^2cMh-Qg_SQY393lZz>=8t|-F55Bn1mHgP-1 zH+#%u*M5{_2u;w52NM7I!=pl_ZYcg^&B7e_dlOwXLX6Yc??{=N zwJh?#@Ud%!c(&}{DRU4lCt3lkNU1)_$2;Q&Sm9RM7>uCiQ~a!Vj7Vx&fK852zFwYS z3Mv?fAOY01NV$Z~6-#lP;}Kh8ORV&!-$o;9F!;w1#-)2S3-CJP$7%Y7Pbob8{O>xo7>d^mU=sK45kn{aL|fX8 z6NVj{7yJtxrFalFiM842s0dYOD*B~M*hPmFKb?}}9qt=YG zC&+O7O6(nr1(e`Kz)kpl3$0whpT^0Wj9`D}vRX%)o(nb{g#H>5&;%hIM_=XIUv$tj 
zkf7Mxc-^3g0myFOl?`B^F!YagX?o`xMBfjU>T?Id^r^Pv%6hs=H1E)88_!q5f>0b9 zST8hy44Yc}dX~gzc)Z5L9sdB^f2s{|=7JGjiQhd$7L53SLzp)6%jW8yjewI!(FE!W z7M#X`$Md?K4XsP2C%{)oPqwO5bwK+*Bkuvx|NMC@_6kug#_>itm3g^2@>(sHg;6;N zfkd!J96u&Iz@@fv?n6{85BH#=x6@UHa+Wbt34 zjA{(p0zAW@3f^gyl7gcVb0*rfg#?jme_t8fF95sHP4oGPlX~>E%H$KbU)MuSl zYQ?;%>Odp{{D51ZF^3C`ji`piEa;B+@POHJ*Q#&3V+%#K|L)3z1M9&sZGN(9$U5U* ziXU+&2CO3hk1|OLB^qx1;RlERXCw)Wv7l5_!7wtTy=ENge5sb34K0*D`11PagWBXR zG%@XEsXha;*- zNl%w;KC?joJ}{nD4xT@M5?cJmgP2JKd)9KE7pLar6QpXv<`P?>1q91-VK7stJ)iz3S4Sz@kg5ou}0=YUlXI zh&fl&#+))1T@L+#RfdgAOax@HDSXR$+5>gDMdUB7>4$4XUg0ER2jo$8X@n;6v9L%qEv zZl?gmAL$m~U|p@oJzOBOO%ZA@-+7x+RiL&JZ#VuU<igtI=vMhg8)<-UF!xHu!O-+4k??1;$`3VNFRWqTXBV+k1sMpajOYy40Ku;}*V( zJ_jP!&(7Srs`AsZFzoBU*FsiRt$XlN15A-5@L7f4=Ua5UDZ1n<-f%#irfGPuE}AJK`_)w#0*H|!@pzbtfW{9oSLZwhTN^4g~w@0miGQO zlM**?dXTKc7BIjyJ_amC#Q|%$wk%6%znc3pF63{nK__t*p3LU3Ilt|#_vQA{;bF$I z9<)H*D>BTpAGdt0=9MZe03-6>^O)5QQ_?k%@z(dO9}kjIEn91Aj*RYy18S<=0D~;C z5uYQ*)fV?d`VYvpkkiG9H~ZFq?!P&V{F?VJ_YgxTMq7f$iqL*rJ<_I;z;iGw&;K>? 
zEM3tor&yN?LNR_G(Aj4XoVH!%9`OZp()qM8?oZ8~|2_Su6fH4)Gq zA!H^1#tYsSc}X1p^-cFv!c6$pLE(x>o}uS)_4u$6-T2f(~h8v&!z_VrlPG0p%Mq5zifXJfi+Aglyj14L@?mMmcC zi9ipuP*d$+DxERiv?q-<-iU9-KakFJzXHJEr4SGM*JR3;b9@=(^Ck^1mGV%lER(dSDyS=11vS64}8X0Hj+89QlAj>nDzZBVcga zHi2!pZtZPQ7Q{_|4ED%Az-Xy^p|V3>Mc(J zC-^T8z zOu$5+|3z&6ieqX#J0Lb_WJ8Cu6)AwoxdQQDfe{uTT6oI}8^gkNBS5Zb5{pT$sK=-V8>7KkSN_5k_RCMv0P+Wk+*#(%_ zNnHShyNh$KnbHL{Y<>&=pA3vTD!wdo~PLsyx$(=Pb3>{D# z0K9t;0XZ1%7~&r?D_S4k7OH#8@i1GCjF&H7<6^Q<$o9`yvh4?qEr)4xkcQ64;GI$a^Ci>KV)^#j z&rV0eo@{~)esd0n%}szv#{eST2Lfl!TPqH&A58{h6dB1kI7|zq6qY!;05GTlhXC-$ zjr@I3bMLES2wQoCYOsWLk8^`F_N0l1>&DWBHUd=Da?a8gpsK*2Py^S z)a()__KPO;D(9sxl2S_nWH00YP*DA#zplqCE?)rM6hILVO8z2Xwa5ZAAfGrY zW5V@|uD>*qq`UqL2oF&mMl8P!)}R2Sc(?2efIY-+f1GZSC#-Dp|JKYE_EeeK*S9oB zG=GCHcwXaR1vL*sB70)RyQzSSLm2WXA>w66Sc%J>n?UcA1B7^z=&uB6Fs+& zu!ESb5vcri&7DFgjE+==8C}4j&k(!q+`wThP+L;GSBf&^lYI~1!Izj8OiMGpf2}`6 z_bR5hval%^5Mv+!00zWR5I2jo}{+%a8ViaRvVj6oR&NfmEA%QP4QW)u*1>R%Su9D@EG&po@u zM#^4lDK`pWtm})#fnN=gP$fa9e9M~#4d!*r|G?{>8Lx7Bx;rD**QzBzBaBo4gPIq( zllJL=)AQQ4panhJ{ROX=Ft#^$dKt8adgy-r6%?i&GhjSa^o)VKmK4a>6Rxaz36wFK z;R~!(oODsr;Jvsao!tJ>q!Df4Og(crfz3;NgsNWl*$MD)1?cgGs((`k-2*nK0D^5B zl!>%+jZi+=TM69yLJSz-#G_z34F8W9H4XsRA7D1nyYaugbODoYw|3PZ2x*2O=^O%# z0TXZlf%*L57d|qrm4F8uIA{}j=WaLfP#xr@4Ipp7C{jQg!CC8$9V2un(8FBvLVKD5 z?Q2a3|DvgQDY=omTLAq1lXH6B%JItKhNub0e+36b3Qp?TbZp*`gsH+N_r zXyXs0z>MXEXxM-g)I9tu6{0!JlK~05*U|c-Kvk<2fH5wGSEWdTEgoE#Qt-6N>ZLMN z^GCWxn0maSuU&G|73nj#e)?DbonGiV)wIuEaIV6SMr)=#IC@lB`0E~mAvgUXoO2}anOa)^j=MqsGC}SofXz+4{@Io{@Xz#e{`2-sgey6%&#cEaBJn`mbR$X{j!HTL3CC z&yrH;U7B$S59=ZBlos@5(kt@_EZ&bB;QSt^!#{N=XW?~YEdl(79Xso}BfY<(Ud z02_&O;o{JJEE}a{!l|}-b$5{>`z=wW+`;igl4#N5)GmF}d!dvwI}CeOcSc=z-GWR; z*$~Uub`3k0PpQcALP7q)1x2B}7@S9q-T^QsWvDbwNGd!yX1xEI97D09xa=~2*dHr)=>NLa(U9beyg zeQ0?5=|r?65+lL6J}-pnOTP%`d>f&{M>7ls1di<4ASNOSyk5iHn{VAwJ*;`2+X1ig z?c~fA9}IXOyHG5032L<9*Dn#-Zh01NnwhI^wpk)2cnB4L4+vuVeM`&Y>%aN6QW0~j zCTo}7(mw^(g8#kpc}Z6g|5ue~__06(1aA4CCtfH2w!F6BDa93JjKRIP1*qaI*UE~<%WKubIQG#fXPzflZjt*b$T=x#a_I8&y+ugJ8U3! 
zx(8k%rd$DX2$e(rAY(S~PoL*qAi1=%0OuS?kkR+>A@yj%p6>hUHcPk!4^>p~pWYz` zkiLkRchm_^tFQcaZ`!`Nn^F;Yl=$yWPuV6tr~nLpa6qgGu+|2;{eQ^)i^RXwJ1J7j zYMu_|*U6_N9>JDRD?dHqP_r@%6{YT%tG|8JV-8_lK$$mvcI$a7HWsI<1kWmcdY^Rj z=i^A}+a`P5JVi++Oax6lwkm=Q-60l%m6j3_a+|1bsUK!zqljGcJ|$>YD}y)u%Ydu# z5k$HiWiS4eN?qzx6Rb|~A;3z(OhoV$?H#r<@0x*qqs7n8M67-8*Yu>r ze7`^aw3^HRfe{~Z+&wisF-(Gmi6Mfx6Yj6kxaN!J>R(1iyyy7(LRc`49E7JJ6~Z_Z$o>( zO)U5*Hh@?hF_%jwysT#lyUUU3Vpn0WNOJu-0@a}?oi3QJN4?6SYLcz^0FnAjNb1j3 z9XOUFM5tLhP7gW(gv6ZF@xd!$KbOc=w1+!gp|J!I#AUc3-l3sE^`1FzZDwsyQ#MY* zwd~u9zrHOGo|F`UZm+ayyGzM8CeieCWrQ;_Bn1b~Jnuar=I^5g1lRuU5~-Lm=nURM zg+7jxFk$SXdOYx{NIzo<%EtKdaS6h)h0^h$bAtv%!aicYb0Lb1B>FP~$q$_C`-#}C zH}KZ{nXum?QovtVR%vP%qzG&2NcfQy9kKvq-u5gOIA&W95XOs8WQsXacdky^_B|cHS8EYKNRu(-0S`C&3>mI?wjCqoL0fVWEGm@3qQy zo&9XRiz>sGJ8~~O9A(RCGx(Z6K3JFZB=#+1H)uR5lEo=EUCVuDH2YTx)A!v&X<$LFdX++<1(=BBs0`>1ruC|F>^l3AU=yZd?rv%^?>7z>Hp9j9mv1CLH?!t zOTQ3_Bk{K_M?EPgzp0(*S85b87%DX4rJqIh`i1tK{vp}zFU0;arStB@t04KJSxYOo%T7#0J zb7v|4)Jy5-1o>K=HIu%2^_MJf;*H-zeAl9S?;SGuIU`i3(259?u#V{0yhmc}^~aP= z3s~jCxFYJT<@j*LG+9$r`&=X}uHsGu3cIfe*QL>@B2*i{Rp^Fy`kXi@#qlbpCPmwS zc>YzD(~#5AaeZ3$cc)K}g=(yk>r^b+hWX9Ie*-CycxOjRSCxet9b=N+Fp(0Fh4;>3vEF$320 zPsGCPb>zcbe^G`Fkyv6G$V1naWTYA4!*YwapT1IiZF_cVL#3{wqPmH#+pcG|_9e~e zU4lvy7qWlvQM~`V;&Sh9%xwAhn1z06!H=GPU%%B)+Uyj~_>s;Tj*n{IBX-q9>oMSR zlRN_fqW)1#<`Ghsz)0^?s&@;7$?6XkQhgnj7bvc@2QA4!Y$;$a^)Zaq?Nf+JNND&D=__8W7s!NRqUugsdgu;n^={Z(h4w51PU{G9ZiI#_;>Yu$T7a=R8bJR`9!h)*6zHr`YVkU+WF7z^C!B~W*>RKNk=QVKz?^E9Oot5>{p``XSU4brc+?Y> ztVu1vvK6_v;uU%(w|7IWOe@r3A5iUn%N2_5@GZx)i1*?|JvTJGbK7RDsYRrp)ar!0 zH@YFxrJ30er{aBG8qBsj&sy?G*aF1wMa)f z>+L)q&@!*Jl`79ehR&0$Dw#EW+$(Cav_gk{HIh}>&-7lRpUQ9^?8Y%ZVZ*5(_g`(5 zEtDaL`OFc$qKRWv@u~01X)heB@idZEg{?z?yHkZ~cZN6@BoYjCc>PLUN3TsBV@Owb z6ZhLMwAkS?+$7(3XJ1y%qyH4Bvx;C3 zKtLjw`%;}(dS~|*OR-AOJ9@P9;5gMAMu=ui_YppJm``9@WwO)XW_4SL2kwE-Gs|iQ zRr>=jB0rKe!Twl{bp{U>-YAB&Jg;{Z-EN@zId$cyaQq|l>!U)k{xzh%*KW(@BE&e$ zx=y1hu}LN&FsP9ZZA2LzzSZ<}>_$iLSHc(ZMzKQ+{C?r|^*C#};l8~{B1KApG#_Ip 
zB^Px!QPp0MQRC2l6M=_?hi?AJ_0_Me!xbfqo9R%{teBf`U%>mc`^bsfkKSbVPeV-; zX@pW`4~L86$%(%%K`HPqU5Q-&xdz*XJX7Ivsm^9^)mB(-V}QdA<0iY69*O6DZZ|OYmpx&Nt-0-9h!5ZK9XSiIf(ME5b zpgyhOS>d%lAGh+jKQE2619fpjPcudi=45&+yF+i#|FL7WZyH-RixwsC(M6)YB`Zb^JX}SHIR# z{1AVXKySjX^*qsXBUR!f=1lzdgfC&bL#(1@M)<_4j37`ECIUPFDD&D3M!<_Xlb}6e z4In!LWL|(w2#`Sl*&;XHIQK2raBntA77-H54v%O1=o*=RM6kt3bJf-dk_LN zo=D)9PH*?(4tiPr=bKx~xw!iW>RG@{>Tr2+r`Arv6REZI4y-_R~hs?Plr4hBfmn)$?8PO>L{kpVJ#;TD+(0 zM~7$D+(}yD-8>%^t%n_%*2i-myr=U8+UGxO9a%R_^`%J{(Lh%m97lC)Rf z=$a-wCHFUr0C2$M!_8#Zmd!6TPH{IW+hYQsZ|Ev;3m&TCYpAlO(VKIH%$s9tx!nt| zvM28zo2TxC zzq(Dh%y&+oTukp+RkuW|uUx0plwbKaU3F;`pJYutH0NrWKhj&dIqk(RN#I^L=ek|W z`t+Hf7SYtRiqgDo&K0;gO~`d{>+6!U`F6;KlUPU>da@l67`eGV>B7!TGsxJ~ytxki zQaIUD*!a!a+bBW94g9-F;r>iB7}?aixgNN=E^)Fa0T73MC1|vX(P^7=W4nEvazbM@ zU86N!kGR|{G~;0JzxQ?3&I|Djd@xU8#wSWN2G$f8MR7J+$Lyb3#sb7d7*6m$YnjAo zlCB*aFrHy2hC;8E(v%Uv5XhvbHIbuiGWd9P8~Us4bmvU)F;-TOU!| z98r7!;l}9sQ=KnQJJ%EZ@t%w|&m;Wt4o~~z`KLNs53l<>&*xKuP!m&P(G-RIMc2Yd z?OxvAUPF9?O@?=LUWi%cUn_pStDbPx1zFDdAa>TG5*o++a4huk<@aoe`mxG9&q?w+ zMFJD9W{V+AH=0Jw&QcS`%c34gNMV4#J7D;7RY%ACxO9U#mwmjf({#8wE!UWft%)Cz zs?X}AS%c2}90@Y-wG@HQMz$z5{}WHnb&&K4*>cLJM7FVXl8Q~vgiAz&qDn(VgS@IGvlw+g zInx4VzB$tZb^ZX6M&iOA;b_chL4xNtcms!6n@f2d?}6;>ftO8;lSiH#_)n2rf|EzN zMYPGeY_{h_X#MW}h0^*h!A0@*Qfo-SUGGSnKnILCX$}sh;)sc%kI7~tayiS9AY2$Z zikA+8k8U(S0bKUzZx_UNqH2U61U|n7Qu)_@NT;8c<;Xg|Qy}9sAV*0_MG!wJh~7M{ z%IZADpOmd3lTF@?K!-j)S&7=TRgjK2>MPZ~%pq0~xJDc!!!WGPFhl#$T|Ks-W@jfq zRIn|$<}|Np(<9HSP{++MOcJZjhl)j($Nvgi$s{ce0SQGh{f8F?ldP-{3*u+ZD zqH3b|cAPRfxo{u1;iD{>YY}>~MmQ;Bv@Y)7dXFXQ`6JCSlC_heOSr&gvpBb^QZ%tg z%q`kc)KkIb{HB)VAgR@6LdEjS;V;Zg(|E6vho6KHys;{r?&V0q^iIY{IWV`G*=28M z=ZiyF9rXL?I{XY!DK6KwI**tpE`KVCCD*T_6(Gwo@uk zM;UmhbdG+wwvx-J92QMSDETq$g;r%te?MC82uV1Zn?NRDiE>!&QyF>c6lp@KeF|3g z!TBTJyJe6*Q8+yD(_n3|Fv4fw@%#O&E6EHdL}4q^H|?bN*)B$tL0)n(RF{%p8A^he zQ>n-}zJl z#)Z3-(KDtXO&%pRLiv6I^~SY4lE#bY<$ zEQrZVTsQ>Ry!ORu`0P+|iwq@>o7Mrj)bvq~i=kAM)$&mWE`)-@QAgZrg*>19`pXOS 
zoNZ8TS{tZVS@-^D60s$p4+;39$t&xm1TJXQ7)Kvdr=g*(qv>H4*kC0Mv^IeeTr4ND z&H+jP4(Ls*lm(%yd@HkQUSqL_XOr9jTN$-g=mkVQ%pwNz=IVmh-!(;3Sj9;xnbD{x z)Yk(;-TBlSAlvq9 zXB8$&TGkxxCkq#b?fZ|mmi}<(rEISsWBq(gYquwjAwkIF5dOec9x)9u6bRYAh6FbY z5>y%nE4s)}m=^5KPns6~Cf`%|*Ib=26)_Z6eHgrnfhaVS9s&AjZy2J9U|b}u9t%0F zIozymVD^u3iZ!@A{Wj7wtcss$RwT9vlbE`;ZD_L_8nLi~l~nI{HPp1vt~4r{6V+~) zc|B@p-)n%3$^?)dSZL?HeP6khEj)>&r7%z>?l=tFQjy zi|78l1x)Fq#lW}b_Yv|{{D`k21R|V$;A|hQYiTqIdYjfm4Yb$Vp&BP;A{@K$#F~B+ z`KvgVwb5wlh%INYv=EVYeMQ;YDo8p|HH-6~z8FtJ)}gL;IWzhni?d$DOVJ(>et z>~6aFkFqW>=C5Zl%HVYs+KfDhAT=OrHb;+h_NbZrq>mRllZO@sao8)M&0%M8%U)^! zO#S}qD(Xx9af*a}-_8o|JoL4+)&b?pLjPx5--Fv)Q2EE4xO(Q8tZhYOF=Pqip(J(D>a$Gzc}7xErCA zxO<$H%)eZa27DDYO4QaVBv?tLNL*O>YqDbI+BFgnM;L>Q{Z&u=}N$cGw8Mu^iv@%@BWOPal^3nCiU( ztt-){oQ0DN%ORqb8GrBI2E%DC*MWP~(ET>gr7gj?BB86M@NKBO%lt~C!n9_|$c`7o zjHKxSKa*3%YK!71yt35+BgP{e}3_ z3cD2=#~YRJDqC4QcRMwQ>tY<6VjP{3$C@SFi)TiD%zB)BINwqarJVsCq}k>tP;d?^DHiMq_=~?K zj3GOG_rDvDa%i&Ne?NG>hb+3VvNo`sq&n~mQJ0>eX!)PATvgW)1uE_g;l#rT2UmQB zuddSt{wB7jXY>ULW@UeVZbq(N+SrD3p_|GHU0-jX>EC-@-Fn9yyOoMCI^hTxnqMs| zgB-VO7VW>E#vxeDOrPQT)|4!UlxQ_c(O8I3E*2yOM|Z?e>ZgnkRu^^^ANq7=!o6L%GYR2D)Ko8!t=g4Z2;LN1C2XPe?x zCcusFaPFq~M-9lKh-Az5T7BWfRG&1)cH6ClGUJ!@LcXxN#8NGLes^d%K(LotFcVd5 zI-A#}zs{!7lN?auw4RU}J`Uyy_=UcGlQ}kcB9a-u5_&yTy|FUd46~e&Jj0F4ZI4^Y z<4!x@$euxYpB~ZfKP2ulwsTH1Be|H~DLLcbZSd!AEPem-*5@bGf=%LBJB0+@7 zNVIZUh)M{~hsF41XYmm#jN`vIW!54b|Jop!Wxz)`E)IN0UnazrW&t3N8U7ES?T-j8 zZ@LFst!RXMH4mD#5Y6+Kih_6i%Uq734r4s0QrBFkd~=%bHsaZoJMQinMq7JN7 zwkPibBY|5)3_Wj0o9`%t>a`x{I{mgLE^NcmZu1<^%a^6|j^&qnjf7gv%=(Zsr=Y33 zY8Gki%KED(kK|{RRZQ~vvw%pvzFFA_;r6*CzCQ5vze%W-9J8{KXt^m5=!gsO$oR35 zEx4*KMwbPA(VX=oGo0<#n}qdtWJFe$flUt1%Q*oZ&dc@mQrx>~Zbm6rOo$jx4KY8Y z5zz`N_6*~)h4Q{93{6RhL@1WO8pp7+f>)1+icWP+iM5iop<=W7U~t`UAXfUZIZ&TQ z=hKz_w@Jf+60Q3+Z@!N@x8tVsnz)H0*({r;!yUI1F;{ZM1qLx1tVi=$%N-_m1T6X* zmMI^KDrU_ojYGYADAA?O&}XQVC^R)$mHe`ALpH14<)YGbnfj=xvo?3SJ*qzzT>PnG zKcR26yiORQli>)pa-}wNJG=3?l8xso#zx+z9Aw;ShdB%0&Sr3#XVM<@joY!(?oqw~ z$QA&ZV=(YD*C7*f^xQbDt)@!d*4Vktv?(fc 
zM}pBW%7G_ZR<{Dd#kd=Hr2mnDg@WGHWCEtgb_c?vO_kNHZWRLL!j@}nFYS@nfnQZM zPtSw1Y8I*$+JSNIYE7^%vXd6hnqpf^=PrqBmU)A0^7cCir~lk|Lm{*_Ij?KvCpC4e zGTZSb2fUS%-^D~qkmFyJM7=w^m9R?nBg`U)?U+cCRU8h}_F`L=GZA+L<+#;y?dW{dWLe=i4l1PG4f^~$_ zG^}1EO{b~O06Ps;1_o(5$XWsBJ~6%6qOwkml@dQaS36D>@F=CjpNy(fmUq!~+3 zAY>N91k26Y@E;PIy8N^B5tm7F^JA3(x*60`Cz5%=jcNCNCUq@QCjQ_obBtNShRo4v zt*dFiM3Y&Elb*5tBO(9|;S1q=39(=D^a09E#JN!hqHo`b{ra6vEU*?GftcS4+~@>C zTZNPNh4}%03$_Y1&HO4}A>=k8%8SwzU7{vIA7?$6ng5hO&@8V<;6zP=2AV_eKrbGM zQWV9N5EJqX+`HdJk!uvYJ#m)Nn@u3W{Aoo4Go?voo_s>#eL6|1tNcvv-&4YZ1WbCA z3)Anr--MxgQbTG$)@(O!D|l}+Oh}yP|7gYLxYnKU`IA)Z)ONG-_?eB8#c#wmp%7;+ zK>DzBh~pgE$CeAr&Z^MX_UTZPE2IEj@L^ebC7*M0e{bHaeq=VLIF=(odCul{^5Z+n zvIZMAK5_yjd1oJuN0zEJu1IIC*_H8<*_r%E$E@pqpWm3Ti&L{M$CIhan*~X;WBne! zUP(7jk4JcI)>mcWEAdh0w`|sD-67P^m!!k4MzUZ?^wT=gkhcobP?L)q;3nu)o6#6T zV5lv9*4G;yoQ6CuLP6H3oI!4~e>k{W47=aeFq<|&2WID07&WZy%DP(W3x3kiZ+_leJ`OsZ%Xe{sNd67=3W-<6 z^R!cX;aj9J(GG*ej4NFW_CBK_&w4ZU)Q948-*(r!MO>nBc_)g|PPhesjTm zWu<;$6ia&S@P30Y_^DyZxs zOqrq?Kz+8roo>bdxb3eAJZJOwMiwb{{xv3i{E~*xN4+9@JGDgJWS>jeMhk|o8WQ6X zIYdY-{$rFH^<_%(unH!Y(|TWUS{)*v%H#PFqxQbLw?l0y#Ef1@9^oD)YoAe98JV$E zlCQ%I;TyKM%yE9}kv?+nUtU&pKzr4N6@iNNoy!5u+huC`nNy7oovmU0sK=5lBzaWSZ5i#{GQxJ$myqG)qa7j zv3;HE#|$UxE&K?T`48cK?z?VgnTGczZ-r%5?kszaN}BK!>tjjNiRjC=eX00YrCF?V z+L9qzV9g z3qtiE?w02f3nC!|rb5K@F@D6|pzuyr!UznB%$zD-d?ykD zZ$(3$dJF1yGGUac%J~Mu-AVpLyY)$1-3tx801bL$EDTXQ1iPbXAn=m$N{V`=)*|h? 
z+Ud$ct>~8Y9%tW-7+c#I!hUIMSf`S8L&^^8b4PRM?JY0@;47t^cktJ!K1rgS1g z+VB^v2bCzY`iKP3O`CSzN}DFakZxYWQI~1HU25~@4|X#)pLHn6OdQPi#q=&bFhEXC zR?1Ol)$!GA+!bG*TJvav74djB(Ye?N>$@1GHF7Uv?}+yZ7IW~3V>QBcrw)>jm3+9V zp$)U3)S6p0=1wNJ)$)oE6WG!kS$@0^G#4d=N)k`;XhI5V1C75TdrJPEU&KaL0^rpJ z0Iw4b9B&$Cn;6BY7|m{aEa{5sa5`F#y+L10EH^`G_XoBa91XL|feFUjPFJwT+a}$m z_NqB``q5(zvxK%4zj>V$`e6bBwY5=Uw_JEsky^CeXH}Xe(2L|*u5KSUx>GEXK8f79 z^0fLOk3`;K;QS-!V_0CSI8;=(yZ#}REWEn#*?1!bwo*>y?ab#>9gC$(TDv~J64D}G zXt~^zE&!!II;}rC6e!_oTrjDT;kV>Oy!xs_%PhZ$bn~>q2pl9;(7+Wc{r@TYaA0(r zFN%FyU91ly{b#^kB}5hM_MW^lhfgY>Pa_S z2kK(ih%TrAwX7ma<6q^|{E2Ss2QRS?-sy}D&Dz%K+Sv64C<|bcP*oBMB9uD11#UC& z!=kD-p28}b&(&T%T=%Qmau2SA%dhhuB#i2_A)Z2IHQvA#)_JL+FcMH*mDRnNOoS3N zQxS<2l!fhr;%N=o5HipXpuE$>Fklko;O}YFx(JK_W zW79tG>?c857pP`TXWDUqt>cMalW8o3Z8I81c^!5Py0fq6x_+Ry5X=k}AAVJmmEFxi zy|2d}!VHrgeid`A((nqQ8@9*h9b_ zru#WoTEbGVv}`3!Ot&#Ydo13C&dvwZ@#BGkv6`M;U!HR=PN%et1Ij>J#6zotx-Umw zw4?OM1XYt)hR{^gL)j(&JumOj%8hSvt7TtvA4^@$d(dsaW z{cl|dQ2+XGy&=%;2YMjoA@Y;oBN+sTcKb&t`!*|%vgTi8PWeFtm(s6bF7dvNw@bRS zIewq9^u;Dgfnlph5S~a(me(++*YVhc<-n4XFTW-z2@_}{dOrU=|9E5N&*^zL`cLNR@pMaIVX{@x=t|Z~3v;1BOt@{a zL_s}vBYo5Mb_xF~FJ@`E;tThLzDSBTIk`4+9sgW{%vjsQ5g)Pg86?vG=9|L9gvjtm zI%%52hNwl*YDwGAD`=h)bY2~HsK-PkO&4q2!?RW@%e%Q~JHrQT*ils>yzUK7$A-H` ze4i&dw-R1}&yrp^&5zbBSLb~}yuq5m^`88ic`tNu@w`9zchWtBT|pw zJV1T=4?})&ossGgv2Agtjv|dpwWb6`xc%;6Egk;z=|H-VlKmv2Fn3+78x31c&75M} z0ivGpOm0Ykf-15NigeZ2=;6$Fbj5Q&Q$;>~k)2PD7V1lOxM@=;%R5j3dAL?63pNI3 zT@fhWO`AaiIa$4!RHe=EJg)>4-*BSO@M|pUQw9+4L_++N>ieJX6fLI;VF+ok;_kPC zY+dleIXOZe$2+Trud@yy-z??qnQo!a_AF_r(|$tHD~MzldY_zr7<++&Hf}-PmS>p@ zrY^Z($GuN?9TN}siPZZXeMq=>5-))ZUEti=;W8WZ@pA3{`7PeU`A0qu+BL8jgLxS~HB==NEE!ZIRFixRodWEMA#g2#J+TMI2^bb&c%D_6@OgucwIj`IrZV?_ z=TS&vb$WP!HoQRL_}flca6%^*qAol#-o+2EqT2G!vX^!+l>uI`V7B6w@O#ga22Uzx znHduCH)9agS(cFXgCJr_@twkKI#OG?igAm|!`+8;RKkqZVNgd)^zwywy`R-rWyIc_ z(+KsjC$s~UCta|!+_O*Gv&r5~UbH0-)dQ+njsUG9D>UpPIO@pJzoQamKEq2FX*udO zs*o3js95p*W%v2+jD$`@((_2#{8jFdd9^SU)m6#*x_20(6! 
z{~Tk8`?k`DukEXJfv8Z z_ajNd*YG6RKsi0IUO}%exweeG_<&AUpZ%6fn9b{(Rx#Jwim9(}8`~^~Jb|&J?hU5B zx%tMPmyV;KA+_ODpFLCo))ArrdwtU;<{I1G$W(1U% z0Az0XZq3%Yunb@NOLSoC=J7GcDyGhVN+t~+O-svTzEjuS8)W`Y%KN3ANTN0t#T4w* zTP9BWL^rX{BIfk5)~BAWhO^gw0Dw>+D&tGJe6@&|xGW2Hhcs3d8*B>IFGsr7H7|OxFG&~g-AZ&_$k+wZYo6i`9(3!jf9p6+fwJhay|fb<+} z#-FTMC)HRE>BtuuY2YW<%^-?}5+x7gzcPt`PJ6{7ZUtl|DwBJqgBz8I-=7jHM1I3VsJ;k!%)TBscYPBr?Kr!$v!KV*|y|_iCS7gaekl38G5B^$Gutga; zniwO5@tTkKlYlYtiS`kbJ&|{xx1ixy9#@)jGhwXY3Yv``rUFbv?l<&kREw%|jIZJA zV|6YIzv%ottT>ds@!<-L2=~w;wcf4dCi-`&ez0+6s<9ys7_cCGt*F@8TxDtonq@~r zOj5DcbW&wQbyetyTsKpxF&}uwQTYTh&X@SGp_*lr;YE>~L%;?NnO)z&Ko0Lz$=SQ{ zCti&f4yCmG+z@IFeJ&+7S_>|C+(#J@tG0CrSOy@XuA$J0vH%eUVvQHIb*v7Sg@-Lx zCn_i`YOt}!e8z&B7E?iFHsb1RtklrHJy6}hRq;@Gm@Gd8BrIxL=vXFO!U>5eS;>b?Q$RJs`mP%XMP|1MCrQv9NCgd>S|1C}6VEJVG{NyJk} z?A|W=bJFK1zPZAmM+Y!ds9V#$Q|N@CsOq`Y!bNA*q%FXX_^@lo&@ZFSR%sc z?EqQ2^2Y2$|4$`>sL!|7TC{qu@0+?@I~EwLzI>+ZRdpb6knoQO?!dZ)$Z`OQ@v1Wc zYQO`>KcD`CkjMJlY{qQ?QPmdo_0xGy>a$_r_)qfMWE)1#gAVL|V_zXn=!TC1cfIUx z=b9P3qAQ~|6MVcJeR;NyHkbshbQM*l10*uGT<+5kwGOJWwTH31B>--j1J zgXyMS4!%@MXOhsPfX4$dX+etTrT)B zkGO^zfIM1(h(-^9fre~|V<4(A1)@rx7zPc~9(EL3$U(s$!gjYYAu_KK6rZTehRqR! 
zD@1JBT9npOBzI{yT$ixB0(+Q27!ZE;sHB1X`+sG||2n!d3bTL1nM)p5Hvu2*lvy-x z^vJ%XXy*G;n+-H&c3dYV?2+D5+uHjH;v%CbGr#JG(TCUbWq8T*7ZbxYS$$^3zfW9G zaJ{M0$&z89>jnOZjbWWnj0ArK#fNFKA)EkKMg^|W#udW=QUR!!eBhd&K-kFgWx@Zn zDi^X$`U=hz7Nj2{fp&Zgz?wg>3x%;|HrG+(fOPQRI8yJ1!kQ&-tHa+|=6^x%rA?g0 zT1idObpE@vjkUVBeZoErN<@}Ewme-_j_KrrHU>)^pS~0_T*v2)-*RK=#5|N}szE|S z$LRW6mF#m7ncPNx*I%+CGLQDLXo?JS9C-CGwv@ z7)bjDl@Lu|!u-1e!A!nYQ}}0D@JQm;jejK2 z1{5!=$si20l?N#Umu?LVhB82raZxJ@K`d-Q-0_M}faMb(nHk@HNS>0o^7yjd4cz}n z-%;R5%J|IwQVo~HFnVd(zdbXsS?n}}6B@53K1x#x_wGWBPCDbv%X(9s@T8KNb$lll zns!C?$sQKRW}neNapMh1nrtC1wv^9AA#C^amxp=sJFYAxdNFC~(ANRWPGealfecg8 zx}8yzpg+HZNY<%)08=SR`jRQ>xATFy^Yi)kIjKg!-_wBM%ze72ZrQn#yDya$JB${l z2U1-1?#@{aADY%Ia_b8EGar{kuYU_#)9#;hD<3lges_Aj^VOEcug}pL%RpvpN|?XU zLT*x*l#~cl_6Ke>+W0CKn#Gu24YaWh6w8Q zZKMM^u+zhu=b)j;6Zl%WUa)MH^;e-d-tUr#YFFO-W>5=EEa)3p!0 zzCdGlb(ERr-H`2+k>8CNS>S6pl5SkWlB&YV8-io$MaO4*fdPMhP6Vn3oZ;uBw3Q5q z{uG}pNiNP%K~gG|Bjpp~Z-kB^kpPdG#|JP_h28#!Z2?Rt+D1y=6qkUTZbJ9lx|(-2 za}r6A-~kA}hfVDKUsd;|@CF$C1O|_Q z!MkDbd>A~d6cW&!{Ci14w&C`kOUcC3)zh7M{L$sGSZ?mRqqR$A;6)CD%{t{L%7+Iz zO}Do-MBzESofe5o<+p=0c)OBm|L@ug*ZG49#;oR1eo4K$UJ{3=Bb(EX30gGf+iaBQ zRdr8F#n7Th8w=a_C?{#7a|JsW?iH0ARSz9_ZSvOVO=;JIq#8A}UpZHHAZD+T{3G(bVAMLow@IlJ}I>%r+!^#_R*xkWYU^C1J)$#qz~+A+F@F zK#3IMq7)RO9(=|q$T)KMG6BGvtdCd;k`@Jh;kfC6*6s^J@xSe;o?n>@E9FEo`uFi# zX$vu@(=RTwx|-*}}j2K9~*#!`n42&0Xn2kzeO z4&aKQHmdUg7GqsOi!RTMq{>=t8M)q=;?=gfY_H>mY$rpgVgWAq7>FpdAQmM<9{2Eh zb9qy1`7R7Vwl{Y^J0=gy(X{`~rKvn&9B)vGr#Q)r-^l7oa+vrk4sNktL z?V^@bH&*;}zfQH3`xXMg+P6?pWllStY|Q5Etb7CH_#M6$?IS{(`_kA6s;q-B@21YzP%f&8@c)1<;G-0 zTW)SVIXcl_L6YkPNdEdO$o5Kt*-9uC4kL6(fwbU;+E*l1r$RgW*yAb$${AzS`!o+o zdfo+4r#pZ;#{tx-A0Z2z5EiAIBa*{4pKx3!S!h17?R`|UtkhCtHGq)2(P*>6;q3Jq z{$fIDl{W2v*%Q-LsW%hf7d+my%pI(34)-hldi-<%n_fEb#{*Zh*vET-{gXLh=y1xkQiN5udDSS&@bO%se6;M1YE|Mu!1nae`uEOe# z{3uf|pQs7MAu6mfY*X%Wjo8vqS>B}!oDEfYJ>?%4i4>P%`?eJ-n>Q1Y2E4i#0BK6P zKBW|m=I}POy4iCb(e#4!67}B!$}SO99uLLs|M(_^^xs&??Q>jiHMoSiY9}}KZM#mj z<&rQ-%<0ExwW~%ueh$(#V}ZxSjX-A5yS7^DJ9R<+jXn{+K}f>>qu*m2S_d##=-x>C 
z96luYY`y=19`HKaR?K(SQ?(f`8n2Uq56+ttC-gUDIA_7hS54*@s4s^r$X^3T+}k9N zy+uxIqKJcJfj5B^;3gY7ia2X7UKeV)2%F=X{v@QG|?;T#@3;h(ttHD%kh zK9pMH)T>WF;{aW&?FjFpy_Z+4{J}$;>|@!@n|qc~@94#XA-Kj%+rPc{0ygt=pWFtpB8$Y^IJXh zPHlUzGCWVj)DvB@Yk%G>#&mnC*K+(WFH&U(tdF%os%t(y<@AOCB)~-lqoCUWw{#oemVl&{1yf||?JLP)13K@%04VB45GwY+vuOXz z!=Uo{<|J{|qgr&EsACDQCuO7!IZhXuw2Gsx8Q7N)OdUHQo@dqpix01=H&t|{FUHDh@5+Dj zv5yf!<-6&;WJeTm8&fzoBge)GQ_2u^ZSmy6OqhwH9&&@1Yy;wAyn-(++#@&z&GW+bb0vxk@iYft-usH%=*xoxxDoH2mL++kCLxZ+zQwOV(O^56Aq zyf4c4AKo&nxrpxSI}uPjMC2GX=zYEwW%dkfk}pHsv6lfQ+?A zxZbEAK%X}Q^m(%kWm?wfu`DF#V)DMpx`X02kRxf51vjDLb+f*9xEJ4Kx0`0JZCV)h z>wcB+B>(CK3mES_c-E4?)!;ZB7kO0P7fWBE&Q8d=S03i4-IXu?HK zRAzQcQ9t)S_gfeeW{Pk+{FN9t7_dmfDydf$TuF}BDv(>}Q!H7e&C@9iUZygIo`F$G zr}3jo9c{k48jjBKr*|O>8qWZH9V3Yj`eJ zEHE{|3QrP8bUdc6hzEd~Fe5KKZ>1)so(1o>b4P)_72t+0Zar8zmPhL!9|bVze~E>K z=c!h=e9OfCOr#>=HG(>#5MAJHbMGxnXj1Pxn%56QJ;*Hr20kj~RNV=g)0MDK!fby` z4_{{w+?w`w7$eY`Jj!o2hET$8@BJ+{O?qj3S!%&}ZqrM? zM@^euGr#F(U~#j&82FlemQKLUn(X7YpNEW1TP~Gv6@OLoYz=Im9Ty7w{;+C3?`MzY zE3KsQJL|E)489*|;~Zby-+92_^xP2^Sc_X@6gAeJi>y}c)goBlS5!Q(*mRe!s~ewB zOcvHof-90I7U)N48n~FcBPwREYo6K5MK4#5jc*JE{u!UITKg;kK3O^N>6?twwYk5| z`DmQ4iN5hX^7k_P!nAS6!AnA4!Oj+YdlSpS@d3LD%Znz-fR2rC@*P7g)GdCpr^nR4 zrsX^40%cFzmjVbvX&oAINXSMM}mIQZ=Gi)s#aIt`Htj=PZj(Q#ZwBo zS3CSu9q&j!YP`6j!j=2Qs&8Q2N=P$2H5ffPfqJN%kyLuvR(O3B9jr~i*%vsFDS;u2 z`I9D5&EVxJNF}51Y*RzZ{q#Fq_BCG~K7^*8jk;SE_S5R>O!#8#tg(X36vsU>n{YW0 z_A$}g)UfY$MTKp?Jh6!84+-Mfe~xI)Jt1_jF$pebtm-h$dzP6OJ^_tG>wF0++z14Ccdv^%r|C3cLdT3XYx zc!ADp-Vvgswe@Cbb{4RVDAa{I8?&5{r&DPZCFh&(efe%1lphu6#VwkLUZiFHrR8!> zT-&WfQ%+ty>6BU(0-OPXR3YZE`Pc*2OeL8Gl-tTpRY+`yrlNwlcGy?V9`^rff%xF{ z^txf@i|NUyQ-fbTh%o=%^C_J=LufYDpF_0~Tg@SOBD+{K-^_RTYq&HG!Ika?ZA=VoI4!RUD>$}#T*nBQHC&mN!2N%h zO^&JQ8V_+TY|2%U-LQpqqpVdQ(HyK)eq7Qq{0jF!^5LsPCx2`1AoH?t}4Q%w6Xpr)+J^4A*-CV4BMnbSHiWr4B2u#Zv`8M65o3*9yNb_$t z)e`xAlzKa@Ii(Ss?4yjE)Ih`G{k@J7_Z~up>mvIRabLyn z`z7(KJe6x~ZkQ7?e{<64apJz-YMlum#>%bRWlS`BST&`6P@s^Ta?vVb-+#*FZcMyu zY3?0=E1fv%l-p5XkHnDd6JO(*?;XdAD#LHL`+3%KobDU2=nLV4SJ{V5+Up*s 
zIWt#q%#|gU7Ek(V1iZyp8O0m3BSM`%aQf~rp6qIh{271D_u=c4GD-Wn9)I72X`^7L z08fW%2v2MC_o*(qt)d?Cwxb!;STf(dbFY&ycOx_1>^pKtVe`D56!rO;f*lhOTYb_) zJyM~ZiwUEM)6Yu|;H0w{3k!2VsoYjBgs}co=vY+>A+ce0iV6v~|C9oiFX$;>_xiAb zB}Uh>jL?#>o_agRs=i;PU8a(Zllhdt&uFtNcE2&@ZPdP&IGY57bwm?{&C@LmluIyCR9NI~V=^{HUXS^vZ*#Ll z7Whzw)CsA5L5HkOL6c1}n1dgfWESKw3i@2U9T{TGPZ-k>(U|A9$OVHRV`L=5*0t-;BcV1%VbC=lRwE^5vJ^yF z1XS^5ZDLqhA8j{-(F;R5F&?8X4|?dkl4Q?U4LsJK6d0!DUW3vuopVC!mn3OYOKLHewM$Rc-y8BmwAZ})73obIUOhnud zF1ivnFD03fH$0nPG}kl7O(CpbH0zbGWg_H5^1*orx{3-v62qf;=2qcGeKD&aho zl1H9)D^Rl%6GYd0{+t;)oXbrZXGVDolgE_e8#_-@Nf##Tx;xcW+5T6jX>gfe2$wOs zWlewwL1^+t#oyu3>d<4UAH!C@Dr}=>h5OeDk41miy{;(orTJwEiPZ9Zq#ZR=ju15^6SBn6HeZ{9Yf7E$AsQgieF$r?2K7P%R8ax=g3u|(eS694?8ve@ zZM^k!i7zIlWfny^@G|tS)m@8?_@=cML2ZLPd8YuNMyyiXtdKV7@G+;N1=|*{9h}i# z`(`GbG0HSk^MeUX-IC1ox7%Vvzc9=lbX5%`(-b(DmoP4-v)SOsq^Zema)wPR61yjX z%-Icq*9^wru_Ju#w3i@-Wo;~S_PsEQ<#!M(6p)VIMyYjPYt}qKSiSdMVki}Oe{5dJOc@@T$q(fQJx>!H|nwCAteznVgI1)9giX__JEumh}$W-Mtvdp&P3UYO^{Ngm-QLAiT;*d1?l84p@XC_iQ7<%kYBuZ=1lh53i!6# z0$YyXPb2A}cBQwHbK7~WQ(l>fLEcX>{i4~F)W*Up8t-4d=x=tS4gh8|1bfuyC%(ZEc>9T(sUO}7n5p>uK7loDzxJ> zeiWa1|E5{d9dKRQxvnfe7j>?>-}HEMc0vq0wmf&53+#gRcfbFv054OJN@;o-qtBRj z64Q@*aFbX&j#>c=x52aDDXH|(O7b6E9lDNL&?PrdorkQVIK(UCUh-p{1ZjpS_bpW>-fF>vpna)zy969QhD_&a3)( z(Xg?s<;j=)7U?I0yD<^fr!mv7Ul%Gr+%*v!6S5JAM_=Wx>iivkadnPP0|MZZ?@5Rc%m z?5AY?HaH1u7yIS-D08|f_?>E~b?}`#s)18ZmkEqiu(c9%;N5deb%iuVEo*+>r8F(2 zS%yt5v#tI|?q}b7`P(YmoEIhzG>c~LNd1qCVlDI6@)F^0ObP37SH6}-1C!Cy9S&=C zQ&f040SNpM(aQ;Ok8zNYpp!8pfAJcO*<9I_rY)_RBMfhsc5{3$q0IaVZm`vZ5_7%G zI0R2_Cz>d1^wvZ4lJK6FbxQk-E9TaRbaqtHC6tHri5zi~7qd>l%$IoD@D*%Le`59N zN7Kw{eagV!OD%uSha6i>&Il*yKM!>Da|0)(NKbScxbABE%eYsooR(s~+g_I}7icNs zI~-g1wrvY7A=%*?iw@cT{6gZdzh#|wjY!iQ*gY-i_En7hov36$EeTsI2t~uwF6WHg-d9NO(2UBvJF{WDQ_3uhUV5@kd zfDU%5jv?(V=`@z{y&UGdTO}Oe8_@P}W1C#&Z3wG{-W~1|6&N#FJEB`fowtW) z@HNsxNhl%dJQ>)Cg90F|0~W{}51ssK9_a6+x6nuW0M=uMVG7Xocy zkPh(hq{Ln?Tl%1%u=Fn$7kyl<)x~;JGvGOF{GMf??NQY~VEmS$|3O=7`#paENqEu^ 
zdRgc3h2*PBYF(X({)#eE${1zZK3ZqxL>Bb=3PiaUVFXMiz%_-`evKpe+(oVFpxZCWG#T3HI;k!I|-;*Zf$XL$hLpqupML$y%u)$}yza1~`Y|s!ZNL%!lYY3J+pgd; z)lm)%^NuAV%@X|=P=w_7a&w31`u0ueVfvXU4WAIQ+Oq(CfKTw$`K_`Yjy=G!%=x7n zP(08pRFJ*FOgsCI@&LdSp~xIiC~5d1RxSQZl>F;5Fqi}?V^PK?O9E|U4n;~S#saIM zEy}=~f*(4RiIegZa;46W8n(|*XH@6T)&K;SUnG4J>L$XPi8TKP)&+smAgnpww=fCc zt&3z};mf$vumSP|Q3Z_k`>73xA3ckxZ8fk9XlR(Ne%wd>Np7zN;Q5w9j;?s@TROO2v27Rz`yXVsuATUgm5uW_>^P-`IP@qUc`b z_MvT)Fg7_+Gl|CAr+$jJAy(5n@s`mR-|D0y*C&nGp&62uI_+s)+_BJMHAXv%xZq^| zXU3?lrxqnS`rE2!=FPc_V1jjsx_Oh$!Sf!J{{D+z-=0@8$RS9xt;JM$@r}bECjb+s zMBQ}05ZJ6RCoXTWk&;Z?(&PD>-K@DRroi)n>NE~=&7+}Q%<0Ovo?i_Kz>_B#L!QW! z&A6Mq-bk`y@TMQ8;p+J1LCrF4qS~~M!S}ErW8NvUv4||fbtHMA3+PlnAQ zd<(~O5Wazd)p24;M`h}|OcZkz&jjOso=H1w^7x4)k}p&(QqECuS-P5yd$~Wne-TD) zvfV%m2|LHmVjYq2t?V5W28Wc{s0kBqfq_TVM!QN^b;A^#6cw(fob$>$^{`VLfk0o7 zIlGKFmb@0rG=>w-WqIY7cF6%e<@z83?qi6>-j>MJAa`mwXlH_$(} zW6s>yEizuZKhg3*=MyKIp6{H@HH)2nb`^f~o~mt-w_ulO=PiP@o7DWx`1isL509_#(U}?dE+k?nXwsS-^f+3Jdbu z!DQ|gb6jmxl3}|Lwt=8~#mm&!ipa#m#@=2J8*6OyuvWenHWntW2MFc1w`FExSEfaA z{H-2j7@o2vr*RNrc!BYES?(j(GzRa9oa{TQn{!UI38tJwcC73=)O zMTG+HB5JSJe-En~yB6`ObvB=l3Lh+GujiN6jcuvjEzuQT|7E4+RYXQsn0rtNUymePEHkoZme!9>UaR(AX8CZJNC&R<;y3 zvLH-2{EOK6Ft!$+w{2flwe0PDn>X3ZlHb2x+Z(GTu`lA$@-o+uK@}pmNMY3NYYFjA zu#Fe;4wsVOtv-c&Y2Ml@VhSu?`9};+uq#HJC>lz`I0FW~- z7Z7o7R`9P*m|+)zH20TyWNj+ByZ+diQI8eLZ8KC>a7zkcA8}Xn5}>Gt>UQ$@E9QAa z>Xn$`r5bWRpt4tVuHX?}8X`OMwlLnEIcuu;h%0=1p0nJ>vSz@&a5jN=U6 zsUYP@$ax(#6cM*_1JEuG)x@~~R4Dp*>~j0SH_5eVMzD}JF<5zUBA40GgZgb#Z`ubn z?lTpcwF^sSOOK4wl|_NUi2!&(v30n=QdGE~bPf*F=wZ*%0ufBQl-lviI*_3-Eky+d z003QxjBxz*NdP6Z*@ll|w`R_I?loONPnSHNy@^l{{jrp!uSBKB%I~FCuK%tFEEAZ| z@>L)ZuFIMnUBRnn-PD_pTY0my^KaOm-1%+7on3QEt2x*F*HqxI1}-_t*%{h!|DzBs z6gs){TxhNDyRGLf9=g|YouO^%BRK%|vrs0awXk!c0XJROa9EXI@r|VB{V{P+C|&GV zGew0P$>&TN7FyVCaWEyc9m!Q9^qn~rf^Is*AU-_dB@;smRq=d3GO;F09c!2dy(sGZ zX)Q*IC&szN+2z-kx4?#%3&t)#wrvR_P}+&gR0Z*!Y2)-x*tDsJX8`v1mf=jspQxkM z^rIU;iNzZ$MqAheep)qo)@jnk$LqTkN@C-Va9P1+T*6ATkVim9X6Z9lF!>grVODH= 
zkrA@>hW|+V+xk7R9~1|Y#Cs_YEiTO700eOWdPn#O;O=m(p#l#0EYg1`l69JRZeBCoOSt_`FGXIL6^;9 zsdD0JVjTY$4`K|{j6q=+>&l1G=Fc(styXzT5TEvcQ*o^X05f;${1Ht?!JuQP<8Y<1 z(4R}EAx2$v3|P0Ig=)w#g$59z{Agzm4?zP6`G=R0@P zJ1zI!NT*G9meAF|0!wr~7~X?ETXBwkX|cccD2YkE^22fZl2&0}vkIs0mZKMji&%Nx zmkTV2OF4ONy4bu9UhZHq_6Bgd9~d%r`IG&3v1{$YH*?#82r02vp&f|~{u?5_)T529 z6}m^pr5_(wC6s-w0Uib3f^cKAkSPTUnKr4?AOeEc=4+MKJ#QrPvLX(u0&oqY@f}t4 z_O~#7#3MT4I4$G|JKm41ZOm#Lr%9QCPv609F&sA#8B(g-zrA_V(D&=hxo*x}Pv)OH zqVI&(r0obvajq5gb1B`y;#M|&LR1Hwze|S9eCM~sPffjBfBAb${2-YxYO4P*fjKy< z|8Y?4w$!LXIMtA~8UGx{{PTOdl=o$8&%ikRo$n&?+FAq`tYf@c|@-{6)b?V zH|U}goC+<-ItP5=wqXz?S8!#INP#7p`@rRnp5BDItHOtdehui1>&w*V!!|3NJF!UP zgvj5ORH|9EElyv@T*vtRGgpS@SH1ROeCWHe=eM}$KQ+0WWFY1M^_`|LS3etseF&Ef z{KaWH8Dpw6+gNjBWNlzVg=Zk`)N+nqwQs<~6nYDFZjB1|wvt|J-pyGp;KIp3R1_B?n-Kj;{bH#gZj1BNYEn~QXn2`Z517)ql8T^Ta)Ct zL~-}ZH(DC(>k!B%6Lmrg2iV=yM&_8uU0vX4i(gq`eG3~VvE^m9O~7E1Vy(F^ITbPjTrO3>4?xW&5)0Y zakeSul1{Ie+#wG2erzU^eVmB$)B_f2$>0>?T{7F1q4g(x<%I)clxH3{pn}$Z=iv7? z+LzDX{_HIDn9(NNUv<21m?Ry0o)HV-9xbhTWKk_bcT>YPW&K^E{;FombI&=0bq#Xb zrmXrrs{woGRfpHmIL%59_g_eFKKFPfTl4jY1yzf_q>y4IKWY2eth}x&OEnv+-E1tD zPOfJyDz8JEOc9O(q?VjIL6c5#Mp-+rMMXqA-tT8&*hQ^PM=dw&(M7XKWo59th;aO9 z?L$ExV*^l(`wqVJCG8|AlWJTtSnsmq$u014RgbAq@{d&=4vRieuMr2eVe+NX!3-+a zgrF=h(9~pa*y!Lx_>r_<3yT4}-^QZAG6)TV{U;T?0&$fD^&1Ne&0 zgG_y2f`vhWfSTX4v61NeslO2*xByrDg+Sk5n^we=tKaedg}!X68YS6q9fWnn^D8JE zYIr`A*^TK)Ni<%7+WJwkay4A1uAHK7xlQlJa{NThJ~Gn6(EZY{p7^Yn42QY3SEqfR zbe-X_wJb4^-LYNJFw!NB4gQ zFuikT$p~{~Q?QGRFs&#g2tVCYg(NQuh*I%v=1;xEheu9xqQYp*vV8U+Abc})fMN3l z1oz-n3h%mk5~|dYPnzWMlZqR^7MB=#@(d~QCREAyHXY=ri3Zyi1hQ};{vOGcT>XU( zsZH@)$TQIZN_~WrhQN_*2eg-e0V2!>oC^!kdDr>^fG<%Qt>C>Xtdt3J(pO3#F zokm4rTS+5|nzRB?!S)3ehH3UEIz+zFuA8I9;r1V2K@Zw*VgLoGJk{C?kF!l1iXf27 zo@zEj-PzcnqWgDh5ujimF6s;MpQAJFdY(0eX;^9A<{%oW?zu97a12A|ZMNxZu=_zE zZJs($f4|86Qgi$Nk@ePbQ3dVWxC+XG)PjgC-3`(uy|hS(AfO;1ur$(*grrNCfJiDx zcbBwCF9=I_NO$v&KF|04etz%okDWL(XFq3lX0H3Xulwvd-$oDH)O;e$86tS;-|?f{ z8DYrwp_g>&^zW>7jT8Q+bV!g|FmQERE=qCyQjrxBW`1{{FG(hgI7y}p3j5L8Bb{sd 
z1`=s3>t^Ew`Jya{*ZAm5;C06-x^I2UR=KZ=mcrAq+^)Vyv;5wC)4h^u7svAGt#dFQ zKUeiTKd`RQi!`jzc`z9z_u_-><$A#DM?&nCLjPs|t*saPJDT+{FX(G7r0T*r`#&*$ z39(U{=%~t;w^mVZKQ3?@kLVN~?B{O1n$&D_iQ|M;ewOM=2--q$Xbc#MRdKxg`8OTv z04cwkF8{v* zx3Af0;?;;3M`9SX5+jT|uar*va-7;ToOlgYkYkrB^$kZ+Oy}_R79QJ{1cesb@+f_H z8=(}sG%bx?zlL=M^Cn>&(b1&yW@H@xoBg+z)2!@zhx1JCj>^w%Og)%@=F9!?2MKXQ zt7_;g&k)Q6FFHT-9C~|xm|xaVIyv&*G@?RDg-82iM&wpjO}k{*{CF9h6Qsk!6iCLv z8lge{!$tLP!5;kl%eltiunbuC3lP@-Izi6K&-=s?u)$cZqLm=Y9f6PEB76>(7rx-v&jSDP8__Q zB~r5~>RlVP=xq68u&vyuq{-OutSrr%7pirvULJ;DCSJOH$FuUem>edVy^37UY1R@V zjq-98Dp1<6m7qa3)TeWuZTm7wavA0ixx z3s<!xgqNEiMTZuD)yS-+ESvR*@h*D2i z%P_Hmj5_yMn)}qg1_U1VIbLA(Zr9o=-w3wogiGizo9XWpZ})u(RQD*Kttt3d0hwi=|r)TG=gW4(zd zjZZ@VR=ydTK zmX|CB$h_%QYEm_Y!f)X0juExYZ{Wa}hiY6@;M|95zNCLI_r`l~$#~ca!+P(~@ffx8 zy?rUxenqBlds(>qdl#&=v|(u>o9$0anzyaX3oiB85?e1@!H(;ObB)vo323__g*D@nPqQ0}IF$*r`iM%g&xU!ec zZ0s_AzO~h6{+`mPZpte_UJ!EytrQnKAfVc}A(#M+XidrT=}WBmW5S*Ez_%|npLZzr zaW^WC#8pInWnGs`&aUw6T-drX?od*l&fiK$)}^Gg`er!WK~>4!|0P17V&rG^;UoVN zRHGh2a$R*)0xIGORlv7L$wJqu7#B1TE)JLY#IfJ{pCgSs-8X-8m=Qm zJ=~3xBbUQXUl_9=;&ac}pgHxiW<8AFQaSXwsL*B(8K}XtatPN+g;?90y4*s8xjux5 zC$OxH2?5UJiGGkNx??0Cn?oqq@GDv<<8xt-N&P7fK3CxKeWj^iB`1s9G%k0}WG*|Z zlKh_0h=dsTVp?W-ei0n~rdfSbq+P{fSVItBCfGz(JME#)5?-U$cxJie;`!AK@5K9) zZN1T|8U56(G+DU%)`HOX$yo?Gjmlyv31c(;qo=pR6?%mAtb;;I(-@zIl?N*-E(wF> zrw=|&UcJbB{ta7v8o-Y=6gOUZ?<-Be@zttv;pQ6E$64KnN8H}jV)dW0oRWo>eSTp#oHDYVvl`v;( z-s?ZuTO7_Ue>Qbkt&eU`wr*fV5R_qW5|o9yK{-;Sn4?tTrKZF~2s?B0tVWeQ7lweL z8PCpyA_2`-le>(Kf=w;8;OpIZ?jEqP3a?H1I3fD0h z!1EM`XNHusIyxYL49jHyQK6=`pzp+l!`=zq2215VI8DkdM@1^^oyr}ej^j>xSmHR^ z3xdnZnG)jA%amCfSn09GXk2Se_fsV`Pd|ZBlblm6#6blob7+h>rnETq;sZ|#aN7{=P)emCm015+yU_?$33rHRner&WMrh%`){Uk{2LGWJb(M$XNZBl z<7Ca#3wF_Q`hB0FIm8N3lFDrPSAdcL7rQ2+ljwc(XF+}vG-pX<44u7EWrN3GLT9iSJQGB&Wnl&p5H(=a*xX6mxQh z1e8|Lz-$Qa96xHFzg?Ph_w-=FT#TlwBAqHi<^ESa16hmPT7;9QZ9QT=BsiV1ez55f)>< z8AD{gDaLX|iLiK|-N`Sd>0-V$iJFzjD3j|wTHVnJeoj+PP|4IiO6~d5{&n+#beK0A z9TNKd9++J+27#}*F+|UUbk{Y55FD-U!Ev<5#*USUic2tn?|}5%*S)2w;>hS{#3(hz 
zR=535tq)rXFV#B}-sjfFJP|Vj@@l{>|xfSGw znskc*t08!7$h{aMGT_wwPZkyfYV{*m1i73Jik3?a+3o91*&lr=7pt=2wkpbO_rIRO z%~T|!C(4I;#9)7<^z8^faw2<&5U(QS7ajN$q*iMv^b>ZM{-){1p0|7FR2mTGOA0;) z*125bW4S>DQS{wv#a_;WVcBWTccERabY@m2{4@o4SQ-Z8jY8muQh`p=B9ap+91XXgU6q6|j)~ zh$*{2Pl-BWcMpff5Zwk1E&spl2|MNctf5;J$f^V?y>G#Oo+QSde>$+ci8dPpH~Mo`7li>$yOI=Q4Z@JeNX7Mk3(35Of3o zlASdgxGbUn&GK0;z?+(!6YIosDV-S^HFY#y5~~@HE=l(XB2;}D1^)5n|I%jjoGd$j zn0NR)^c~;B9=jN!2MV7uz&JXF5G-KR-JX6WT*blDn*q}3ub+>L=07+?e>)v-ee53! z9TI^d`+E?4qnc~>ksr0=Hj4PGiRckUwigA}qFKNlf6+fH2bXlf1lE>nhIL`@a6 zeH0NY=U-^V`8}Q@$+BS_pIm4|I^$q;_4_(8XJVUK?=4n6Te0gt8Cg@fVQ~|QH*uFh zvxd9S=7E70QCHF=hh_Wr)V7@jlPc)!E*4K0m; z{v=fbquB0;;jMnv<+S8{-vwK)`o#D;0|lp|!`$JtFzGKsZOWcO3}2F-09>)4(9+un zcFi5wxFu;#6HxZ-GFEIRO`H{A+;Sv;p*NgSUf!zLnQqqx8j?Tx&=)_9K={@;%;fS zJfVtmY6ttzYYqcVSMxn;b^Qm?s0y}X*7|a{9y`~E+rb!O|~8>d9a2er1ou~l^{z|TI}@gHAg8h`+Vvk@>^>sx^3^^u;!Sw zuT^a&G7o{Il>L78s_yY}@rgCQX-Jr@uwdxIR$yWQ-v@Luvo5t&|Au!jh{ z%Kpz!akE4i_3P>FQ0SNX`-YjT+m=fyle?@QmO?)+-5D_I7Zto=2Uy_4$jA${u1IwH zF!*yavF8tkx$m72NzT-5;^~v61^kS`^JDDvPfC=*=fE zys@5_ZRj`iLb$*qM-NgUgUr_U844=m%zqY+{1z9*S0j129YDGrtV*JM@(6` zG0>L}5>O$Fy6g57ND6RkmAwx~ho#k{-ZCz{eEL@{i17#vHosw``ij)%q5#gVQf_@n zWGB%liZ&A!6E_~N`}4=KSNax<9$MtTV@p533g)v!9&L7VACuo?kuOTt`&G|wcJ4G* zXQ#U?#`x!j{6c6(;SARNfyVl4=B`|+&DPW>J;-*k(JTp5YMruWU>%nxQ+qyf^B%pj z2oS=UCXa{bkrsNfI)KO^M8)zcK7*-{NE9lG0#Gje2d2IksoC4MUoJrR^_V)>rIfGR zOgJ%isl_VF5-ZyZdqS?ncYB2TCm0!Le@m`v)WeOohd&COT)vxfIrchNISZ0tE;$oF zRP1Wz+}fDR2nio@2tF+TbFz_7?^aCJ!DxxD`Q~JNg$S%wIY- z_6T@`X;b-r<7Jp6)dht5u-UAk1j5Xrn$I62G<*_M--&%kP7WcgSGfH8G;F{NVe#9a zSEgos-cvs^2S1BVb$wRcqPy?w_x0iA%bN8M+pq0S{&&ySf=PS`LISP;-f6&~CcvhP z0)nirCf)yJB#an;YgqC3-YSJkCB(g^QQ6p5xub+s2W1u&%fPa1ILm-C)-s}?ZJYl> zpVDhT_c5Gwn&=aO%(P&Z%Vu-C&WVg<6^F)<29Paze*I0OyFkissgR`sgk*HjxTYAz zg)J)RkJ(bdhnuxd#R%JDzaOGZ&Lo#9*r}=>j>W-uvaQ$g03^DsR?_5r@}S)%z@?Ccakn zPLMR^$&XLJ5@@PY2xY1p3RX`Bz1iFz^lmq+Rta%~WKu-;P(C)WO5t-%>Q!$|+3A~yijZnkNhCn8)DHiVA9k+$5{)2ol(1K_| z%468_!|Y>AJ0>%H1q`UDu%_x%u%_~sdb`bMu+%-xDqSDpoAzu~-A=5(|E+9ko5H@W 
zlp}8%Vjo}jRK06-y94;1C6jTp{jbu{;2&2uUroc-e=Vzeu9S(tx!6gqwN`u2FA;bE zjB$>1PAgbgsX)O0pG<@IZ_ORcbP9+2%GAw=<4jIUMH#aq8!iP5RXU@<9pJg9o9AFS z@x#)y-i1*+78Zqd+*?EN1KqnX1jH=lgy=!E!p-45NY&qg6mPKOC3iGcXWgI2E&(o^ z!|9aBds_&81oPstu7lPjN3EbJLd{e^$gD?QvNN5sDwA63>e2W`d`fKrgSFhi7DYvy z_93c>V9V}NMg7j)!Lp?&%Jj$Fofq2qSXfI3v_~Q z`MdmLB)DEOEv;#%!`8E>7qxwGw9wHsQ`|Uiaz0~M>h&fiF^+j$Z|r76R%p|RT+4?{ z8*L)CHsWww&ONXeV8|<=zHkBBNg7o&IOFuv@!+K576YgP?0qGxxc~=2+ka{c@OH5P znot2;1}aPv)-Pr7db7m`Z|>}K5`@V2Vr0GxYnL{lv)*dNgo74$Y*j9TkiQWfcPVQN zcPSu4i^Gs-Lx^9Io%`LRGsv^NWtWvMF63F|5RdPV&*n{ie|*n&nr{v!i*=f>z^iOG z8B55nO>a{`TRZ-QkhKKLMhW^X3^@Q!n>14H9S&THoL#7p-NB_bI*C-g} z;Wu6ZhrQ~o0815^Ru|7k7pFxIVgH5xa7}#;BWI-}DpG$KP#08UoT9f%ACZRvz@CzcI#*8%UTEI%^<_YKCPeziVYVbiQf!KS^oP?%fm*dOR)q+K7 zj=9d5u%-IG*JC$dD(ohs8H8f4;se}=?}Tfcn!P61yDgBIwq83cFr1PepH3>>qL{xU z`H&UDLekg^__vI{)CktTNLlTrfBCzbgk4XKu)GS}SergX7pYjD z54CU+@VB>8WY&0h^5#^#b#8J@(W@Ty=2O9eOUbC=siRcG{jdGK+bd~Hlm-N|RID5g zJSm0)wFC?$yF`UP(A9mmhj#jb$EKCLdh!UvNB4K^{HcnYxur(VJ&CaKn~d9&^s&(g z_JOZV$Zn84&*>|c7a$h3!XBFJqz55T3cADG@ks&1t^?{McU(V+s;DEYDcEWcBF=W2 zfb{Af(U@gdJD9zQoaZ~)5qfs7(0fGl&`&2ocxsW-T|hW&SqA>?%}lXBwXlVE*b4X) z6in?o_V%f3OPbxm*$##;*6Y^loQ<%&OODgG6i)ufc%RcdaXc!0(t6_tXvssZ?cJT&@sAcV?n1A^hPx$%cM79G51i1ovqd>m{!6 zl%_c3tiQ%!SGnM?#yuwguKX-Owp#SpwxR+Ew?Wz>!-g^)J*JCh7}uBbm% ze)9dnY)hu-q`6qdU#FPsB&vZGpFTh=MxO>&STcFY2$mDl+L+DX$rkxVonhlbD}&yY z39Og^J<9Jx9dh;P4%I8+h!mrj(Q!sBCgf(zX8VFv&0d%{G)D#*D%SeX64w;jcB|Uj zlr_XNq)`yOO!+lD0U5j8(jQQpN4d;SfxgDS&Ih4kL1yao4kVWC4shh$Ro}Qu1oOdG z8Z{$3_O8z)-n&c98K&jaE7j+u$8UN!cH@uS@~ro$Vw*~~N~tk-R({7mnI(*LwK+;r zHH5Fx4k>^SGoso1acFzsC%Ccp>-Q+pBPg2KdzgFdVegP~Y+cA;!X|w-=}o%m&1C&hwP+uV*{= zR4JZFINuzdI7`a1Y4yej3d`+Cyv|6Ax;wce`K3smKimICSFdH}V_7Dxjg_@35x3*R zJK?0W)k->U3b94@5j89kX(HLdL)X#niU8Y_mJBR)knhc@GtTzFmus z3mt4r?GRWSa7|2~{MbcGO8a6Mex;`rOZ$48PF7STmR5n8w%mMkpOkEPncFN{GSF8i zvA+A9LMaJXJmxW(2ZIs#rXS#&0(%DOvCA_&vCHd?T)ZT%b$c|5Rxa$9a)0lh7A?!v zM=Eggiunu+3ySe}t&S+APDgy&eI9)Mi)>cRL{7#>isK&p?h#qcNLy}(@ACN>nyi`C 
zggM1U>|xSuL>i+?)sB2bL2=W`>)A(2yr-TA`Nxate^xq~V;EFub3R!rRTue;*s9sF z&8&S#Imt(#9xHCod(T{Y$d!FNAuB%E5GoCbp$)cV*l^92C#p~_fM*FR{%Y)z;34Cd zf|10eH{ygwWwk5wZwRzFF=7+4Wcs`|X7tnqhk~dWwTq->qv5_L`HFPeld3)E6yKwB zXER`-gZVHEfiv#;Scg@C@>wx0S`wr1t90R4f4-Ei zo)s6l7X6s3E3546iGWvG#>9^`W1x5x~g3Pn$nXRLdKR7#LI!ok= zp2FIynY+MaDkX{VG>a?_QdCU}8sXFqYg?_lv$FG1hvLsnUcKLrGyp$B8ODN9ncA;@ z%=HhlffeiF5Q`B~s6$dyNLmcoC5kCcNpQL>wjf%Z!5D z&5&n-i2eGkq{LEZtkqklet#o0E)bT1i-MTWQKu$^?nVgJ(K|S0muJ<{^RDR;*o$`Q z1h#8ZT5ec(73M2{*m(n2(z?pyTgRGBvkkHKX^atG3+mnwiuDPJDxzpVe%gPyE`f!N zlGuv+IQET_DOw#L;MPyf^>{GEpR_W1%K)zGXgy@K1>lPLFwl+%9sV8!v3MaH=!7L$ zK2(R1LN@&MVdfATB?FEKL_(`Xux<;K2>u?1B^e^$xC{6XjfQ0V!CKcWF|+caAB*H4 z*Zr*&ypbWt*}y*5rXSZwzOfVVZyXIl-VrdKDC$gRsIayZw?Hjz^>BJSHCaiA!Nzj# z(HZRh9KAb6qVJDO_|uu>`{V2x0=r;4HA`~Js}P5rs-YDj*;+sto-Y9GBvKn(j61!H zP!3h2lWvYxe42;3zAhw#e=>AEkJerzNlMPoA@%wa@!ET#XYrJ!-Nys!lERM{{rJZRukK0C z;_l+szNxQWG{23VAxTd3!!>JG62{K}pJY%9krT)!%4{SuiX}e`p3@v5jD5lKT|C_A zL13PI<>Wg#OU3@aVjaR)ab#>xM=2VFfbg`@FR6<&Ae!yJz>OnR>3E>b(Mg}MhuMQ6 zB3k%RG+QvlB3|||ZgW9g2HkOSSFzAE>gsi&amYC(Tae>gB729=kI94MZ_{lH4O99- zjH;d!q(3&rU%%>X-d)}8tK6VF{~!yjP+?t2l=kZaMNLvmijH+L37vba8EenAwk3@C z)1vTjg00o*-^!8&mq{Cu470GOr;&uPu&bwW8cy#S3BSduQ0n&UQ*?OmJhq=k#qGUO zXEb_SBz;;6|J3#)g*yL|lof+WiI%MLa?AET*R3mCPBZKwiy}qzyHLvp^P-uUUY672 zrHE`3&qk`b%#lG1D^ETT8W}xtKp#A4q$A6*Nz++V9)|`pCBco^m=ue#>6X-q;fQ=} zy6jQRq319&Vqi;C?C-)R0wFe)(t#9~0SGF0{!@vK$$jrY3h=4&qNe4XEmmCc6o^ZFi1zY6hgA>Qv>=Wet-!NN}Gl(~}&C6Yo$fk9%b(+dKm9MduB zfQj0COMByZLhq_M0kbYbl$@DuPF(sWF1>M_#iNez`e|5yJ0&0bt5CjRU!R`mL=(;; zA+&os{m=Oaj09H042Yp;&eBv_t+L38v_RG{6!R$BegCUQh=;ld?9Mq$G zcc=lz>xDYmb*zVo|GEXfOrsehemP|;H$r#p$2TN=XN^*XSUhaqL9&H4H{gBphr%g> zTea%1tAp`=x#4?K;Xi0Ub~}%}Tz0sfi?en2d*(-d;|%VpZfo2QBkB=)F_{ktR}$v+ zV%it3Yz%3RfqHw3JhfOm-Q;2_Bf$iE8;}f*o5K|s7cIx<{!MT&PHz;y_#hxiKm5uhmIA6D@b1c zGSd@RqRi~Gqw|cWRd5dBt>}FN@6I@`#hkYKVs(CHEHt^3NH)BYmOEhNw~D*POGY+q zk+#WN`&2&2>C;EuC4%``lqpY{gaV8?MT{O9d$d*dh|D3|4zQ=$w}`~P@hES>#kZS3 
z=zVps=lATUG9@iPQtCaY_`0LUfwp*vag9Q*mUq@{5OWEgT+Yl(xORqVdE>W#TxQ3* z`Nx&M?6?gR1qC#RZyO}t_LkfTs+8}06@#tDMqFpBNW>u!x-ddebEn*ef4j<3etKlw zk;k&ZvkDb6gxMr6a%FE_Jc4;aK8)`s{rlLAUpmm~8#TDtvnYu87-mndP4s(}bDL32 zvx&D~1~IUQ|M)@HT?EP`3Ll1?SLo3IOL`wz(z{$z8%6TRLX{pgfM#K3>VBh^y{2gT z02=A3Ed3x`;1qLfXDPXnulVz+!IYtwr*~y84_bs6(TXa7{Tu(&Mub4 zTF-~_7t0Sez}Rm=`|_C)GdIerR7pNkSLDgv{p!ufSD(p65i>$Pbhr77Rj$Hzs)X9sfT8pVtYE*yv}m>o z@%d)H4~SqiQ}mmC%=J%CWb~LKqY`@PvrYHcuyy~HnWG^v=x~`^ppzVS*_j2|lZ_Ex zw?GQ;sluhA`JiHKwgvfBApf`=*80m5lP|yY4h~Pb zhySP1kh?Xo)*qIaV`Qy08`z!GAH|!uPCeU`pInu;6e$@`<;bZ2tVur@fqAfV!s#eHU2q zw1F-(bW}K`*^~8oc%@UuWM##agJW3B^zQ&>r*{|iUwe4{OP%B1SPS@a-nHoXEU{A%@y6wb|FBJlkE-MS*;kEDl;%LFCuR+%SJXbY5L z@4srV72yn}{n4ENP+A%B3uhYG3yjDusI*tqsqCKdMnxf}xcWu+npF`bT=mHwXd$j8RAsm?W4n;s{gr z!m#I$aYoWL}kzdPJt9mL&Oz^3SiZ-0(n3rR#Dx_|L_4NEvFn9 z&k%H2)9Emf<6oJS22T#~xFN9YA|h6hIqSKGDkESlBT)1(7&Jc^%h%DDJSX#JS7Ylm zAM8uNYg0hD(?=ox+VuaaXmeyTR(NP*T8K*zE>HZ7!YDSD9z-)hJot`rJ?9qP zXl&#HDn=p0$Ey1iLQz$j(&)lyMNigvzRCg@5|3k#@~JYiJ#H^I7r~va$=H*uwcxAk(&SxL#z^mFjz-qi8SKoK(?BI4m-F6R-}U20cD4pdGFhG zs%128fOvyy_ry>`X)5KBm57*3ou=@_^D-~WBa1T+IU>V+D7cL^qR!17YfPK}CGZPu z1pF&UA!FL~|EXy6(~W5lgwa;`^;PGH2lSBO{cZB(Tlg}P_|voLC0_g%F07zX6`b@k z_9M}3Av4dRCK2;>(;vBSHlsF)-^$gwujs^6R>Ci$YFfyFl2dMxVyHIsN}PIUbVEoM zOaoUw{ZdpW@uBdA_wD4e*;vKFLk6Pf9MT@i5m59cdzAr=;*9x{K+uk{Sy^Q-)U z*jR|l;9H0$i?!`EW;JoX024Y2Ce%5wLJQ2*_fg1qE|V_dhFr0`2B+1i_E|2!rpgqY z@~!t$vm4l8{jKRE(}4%nH2U&(?pC9*iWTOIi!P)7WDCjkoj%34=KaZMwiO|bXCmoN zTjX&?@*H*g^cv@yhm1LgMPa?#oL_IEz1|VbaOl72WccarnanbK=^?-B(BL+z-ApDA zHvJHN_H^&FC=)@jm8}1INXc;HPDVvQP=?Fg11qcnFsCS}b^j|%gu>@S{(|~aR8N+O z3F(wZb3z9I#yyCIE&%+8hS8j|;zCB1SIYY0t>dQFWGUP**{icyljo}ak6Opk1dqVH z{V(K^8CxG=n&d;ntpxl(3(-Rpl|tEJe=DJ*FNwcXiY3(?ZGLhy`d*uFVh~kUv%)?t z(QeACd+j-x_8?yTd|pUEFRJ+bY-xN4lf+K^=~6S_65<_YMzE6?cHOr{-6hfqK0&ez zZocfCMMQ<-*__bzx2w;F!QP^x{pU_jsp6AE!G>fWaahgwu4GTEol&VrVwo$}_#&45 z=b%EXaPgZAJ>(eVbl5=a=^@xDc-@5Bm})laKkE)&yZSuCXC;~|HHp9cdgSdvPokgi 
z%9B~K#nt|ovb^zJar^gW^L6NXza_@^swgRMGrUHLaanp{?GHFvY9`_e^-SQFV({%Bk0_rP|{Z%XE?lUH5 zWXX$?D9lyTy?uEEwTmR)kSr945f5*ZrYm7SrQ^XUe#8?f<$o+gBU98Gd(%mX0Y!)T zK`c6?4zq)dX=DgGT1XHfeh`}usX&S_KLk?*@AgEl!iy!oL-hynW=}0sfj^VYlfL^J zuG~5q;*k_0#WS6Iq|kRaL6x`R?dJiZAv;G)=RKvmd*q9(_*u(AlglQnIJJeCekHpY z##F)MEL||d_8=HLYAA@;Q11AZ29hdBSjKu>I?SXa|Cm|E+Ir2vx_eoOki3cfdJykU zyV!m!xW8#uAiNic@{+|Z7E7kX+1v5lG1^6!Z9W^l+*FIZI+HNyp6*Ij>@_;;-uR|3 zU0kHv_3%&5eZ#F=>t)CFh}z|xo0DSo*S?--Uwm&4ihZvPFE^HPY*gor>)?vjAEIcd z9|Aem{MalyDY<8d-`n^aI2jql*@>*s;T3ke?06RFuyWiQcI{Tc=0x3AfG&fv3cnt^ z3SIUEE>{Y>pd|Fj;(!>4H*$0peQH3|`I5V)n~GDL(J9z3_@$L>Ad<4-2cs!<1$_vn zfDA(})E{_I&gclX^h5o-_wX}+3rcTTV&>&TF^lA*Dq+&UQlk0&XwBpT0)bbtt@(t> zbjoGqdPcj|Jqm|Mp_wawG3IWSc+)Usr+4KyAJ;4*PzQ08Vl)M@AOjA6EGD)`DnrdJ zRV9C5{(dqL{Ys$`KalS>@&}&LF(547S>N7H0P=F&cq>m~udF%WbS`(+$e1QsGT}p( z59fUV(f1V)fWQow?S^H)z9ZoOp;vf@ktNYZfJ>+P^Mb98+6qc~=!rIm=!4w~SnJ62 zDb?(ztI(FOnMQHp`?k@S8KJ_j#9QaDvDb9oeWl(#584jZwT;F2Z8baRA>jYVCicY4 zTxw|Ud`$6GGb%%=*2lGc3ZwdSZFBXJ9hF6GBxyg26fIJAvbA3NzAv)dU^{vG{4?!E zWiX$j$}vFOV&bKwHEt>5Az&9%n4)RUG1o&SWYCPjd@ulCwg;e642XU(_}(6l@(Qd1 z$ATHC`^Z&5ygOkDK-3cb;p0El8Jt7KigX?VRqv`_+a{VTY^~gSFBp0h3zOcm#H`GR zq5x*LjzZ3Xb*IR*JHqt7FtiXnCc!(O`6%u!L>ga&3EKGo!SHN$hMm|x^RwB2;Yr(& z;lv*TduG0l-+ne0CbkJBE%Z6ac~fLv9J5H@CaXO=`gjdjzEeEAA+)k=cynHTbM|J> z^P*?_T^?o$!{8pqZ1Y9m1+~QG{@EXHp8)al`kV6|0*TWd0-v+FW}lPE=Aj9mhJFp^ z@YzY%Z_n&+tVeqIc;6Hs`JX|L%1#@v4pH~}O)DBXd_#47?lVo*f(K3VKO_Mdpan3X zi#eK*1ba9<3}PWC7g&)=C!?nU6{lrq1NtKgDGf3=WKdfREa7^!C<1MDxVN4(ls4EO zh>>^Y0;~LuUE$&|x*pL05mOk(0ZK%pD~L zGZX{SA>er4z=Y01hlgDQD-J2eGv<3*AmUHR-0s5kcL50k{=~|?OcDMkWRH$))}P4W zgU_TY;J$fYazyd@P%VSbph^Ovr>w$%Rw+MeO6{OkKfFSh=?vh2yBs#KJ#^^*3S1x0 z`Mj`dwW^HOeC<^!X)!KG<|tjQPyV>kUP# za5XCy5}+Zoz48mv0&~d*ylAbEm0@)@xHo|$9SEb;g08PZqS^=`+WZ=`5oeTVPj|Y- z7NQ<5kDFmX(JQtQTEiJ&ps$*p_U5&Zvf5^AxzkAD=H}McTzF@F*^Oca5=zU)@*u{+3mO|H%D4dzRCj)$*=PJ)3gyisOgGEgAs&RE@TTj46iP z%E$b%yJN*Zd}m9YHt10h`kEM#gR2u>F)f z4WV0lj76Bixy97|4u1}ZpXtZlHNk-Q6TG3AS4@g(&0sOxfyE3o*(-Uq?tf*mP`FlT 
zRDus6m9vO`+~4N_)BHi@pTsMJ=JX>`I@Is9RYi>Lhjof}WuB}+GF+ET-+XwjH)}Qf z-^<_7Hj(4Vv^^>i9`OLfAx0I-t5?IMr;putr|kyP9pwW00nv(FYdG4>BR7mSl$wqt zVBYYNc7V3D`MG?Qn4-L*VTFAk9o3Ds2nGzzHC8I;bz zk~kasZ;zamcXOASKY6s5NQTyQESmP{cGw<@Rgu^^GSu<5oM0q~+xOTmc&UOIZ_2swu zGC?Z+b;W!rY``4(PKk52apGw9x>U-2NAGNkjNQfA{j96;A;Do};8j!ElW$wzTlWr- zd_H1to;8`_@3&kEG`V&r|7v`)Hpf7a@B=*2BzTJ(&;~#lsCTZ<{zzWq5(UlgoURUf ziR{iH1T=06)l=BNjfuHIZNgY^v4ZgZJncNgo@Q7 zLPPmN+c%TpG9;<8OgTBYw!yZZy4UZEFCSt?<|cORYzd9_(sK#efP>@3hyI8M|2iI{dW&{U z-Fb3J$IKz-8fw5y?5K&)%Pt+CaBz2jN+YC?tv(z|T#$Nol8F5gR? zw2Me1ZqT1vt?_VHSezRi@;GDlBsx9_*<`(J__(t=a=LbqyBvA;^Yoff;sdw@>Sv9E zs~Wx3m+=NZ*q-3puN^i%7!T}Y`Q{`_1~qc{*xk7O?*U3rT4%(%_BOt?d+m$h4_u3( z@9G;9i3^1osXx989qAIgqc`!bGqdy9uvA9Ns-Rnz_nBw0J94=H$SpDNbpMyWNngp>OJZYz82(p3hXz$cn%p_BuR&zk3J#HL3>dFm0><*5`hNh)Mn0(+F?2h=-%i{P+*JC*Uv{%mN>C@F;+TpyP8PZuSu~jMbC{t zx!{YhZots?%YRN(A0Vv#QFJwAG~lK&^~?7)S<&{)GtCahj_iR<84L^Jqk_<`%V^p7+YqJX2XSOOE$t<9> z)6o6`HFowGiN*qew?3+Lw10Jo_@VOA!Eg&0tus6JfuM{YSu{=K$B-ylG7z%oUBKag z3lAJCWPqnZEEwU3qz+vodFIFbX#SC3T@~NMxR?*2(uvG;2Miv%TzJ&N!#k3@pl34TzaxEUe_;Ras0V)jT>MlT5X-@_5TKsn-dIwXa0?E`|W z0>p}8K#qYr!?mx&&r=C&MOj{UleMBYbmwD}^u$3G^Lak>X<=uWOgk!N^~~8#U?PXu ztrh=kKSe7_RPpiOQ>uEz3`zqUN$`%fO;ja}?IzV6DH(arHSe(XuTm$Asu2`XjQXi) zERH&i=1yf!R)0IY>?x0)Y>BCo59KJ7FR6f8#Xwb3j3hR7RpuyuZYZqoph9BlE!#7q z#uSa;N( zW_W}e?_Ab?3>bI-jJ-iK$UvO-5em|pE)TgUpdFX_;S3`&t|%Q9k-MO3)lOt^;YX-W zANU?-WpEHub8Vu!Sapz`QCP}E9U4&OXuP!?P#ITAP<^VHA5mo^@M+M+@y@&+em}cdB7D_rlG@$O!qhy5LbWRM}XzI2$rX?jGidiu@O29 zL#41ux5?pB5C4c!h^RLG*bcZM;5Rp9VvNa;W#{~M^R4R?Q5O6)I!H8%`Y25R$eIn9gmRBJb zi9o?~aP&VEIfhuci^%91fN|La0kao4t$E<~y(Nf+2sr!fJd4`r`N&LG zs>tLe(<33-h>iQEh^{&SWZNA32h$w;;TB7YWJK%q*Ekp8T|ke7F7kytkx^}<_CYQM zDYTS-`ssYT({{2iPn$neV2|E6{zdDzZzdz|A3ly9Sp7Z| zGTls!ifo{{8OvyP?A-ZW%A~6{G(8TmM2}}Zx#sG@#XEKdSxH5Hbq@dE>CEXHAw{&;cyZ!#| zeLwe)VP@|caW*^FTF>*WJz?2e3Wl3&?p@DBXA9maRIT6H3$z|l|NK>y?c=4yytc-V zF|$K_Egg|(jd=Z}IojAzl4s|4h11wZO8Tp}wPYVJd|{ZbU|vm#4Nq1$1y${mQL*sR 
z_p6da%1)fGlY17sG%CpNIjs5CoFK@$%OM$+Yf>?);xgmiwPc=Hb0aJhRf^-EtcogU$e(Tg5C8E~W?~ zpghp9Es870i>p0&_+kIE(A;UsybJ>tu98_78Hv#`G67b$>A^Vm|^q^w%r!^#2 zworrG46$FbsR_4Yu9c{J5kqqeBa!Wme|O5BhOe9*?ZvitkXB#03~bDjUj6VqNz)K4 z6&PgB1kBkwfTuiQ;a5Ni2}uvJ&Bq+v$FPtFudejJ1w*zU zIu>`#vwBWGzOpx)dCoP^r=sn8DyDY9jC;N7raWC**+g;2JFo+k!obuwwNQso0-|co zHMKb7d)O@VeB1IiCXO1M8?b7J?9n{h4)~Qbi)zbZmzv8<07fqz$7oSC8ZuXX>g`DC zU2J|>O=2|z)vL|uoRsxRNGN^oFsw*U?1XP(Yv;^nv(uRZHv;RT99S3i4xHJVuZIp@ zf}BIEj=Yl~9jSsWdh}AmlkrkbH-J2hk*2x)$8?keHL?qsJ>!^TPGHT{1`|vTOfU}W z+|t`Cqp%w9^iwRvdPktTnk2mD7DTuYfNKQ-@9{wd4fx{krCO9aBp-TPC~;Uy($;DT zc_{c-$gTRPSte2wU{Y1Q2A)=(i8UTJ-#ZS!V0>%>z{#ma>1)54Sf%Q=5eRok{!9IV z$ykki-Ss=^VBzA`>DhW{cE;FbE#JKU!tM3x**mTjuGa8VmmsolrSK|~dB~QA8!Y_a zR5D?X1O8qM&J2b&mwYzBlnw%Axi!>EwEP)XhIF5m%3g=djTGD?r z!9k4!9H_wLIO-3fO%s|lcS#2<$&y`sWmg6mEVX0(6s5s-3ZD$@5S?wFPrOb@9S>#E zp1hjwm=!8Ye??q&uel|({NTR!QoAW~gV#g4&?2mh)C(zY*mGq(W0z3I85VBA77oz? z7Oahv##JLJd1JAadgr({`Qhq9=;3+B^0W;Cl+*MH8HWu`4YUE(R2G)ZTK` zP$RlnbxH;5_d8awaMa_7CNGspqrWF(o*y4?#HpiQ$#QBwiM+Wr3IjaW-LGW5|5xUS%N&Xhc`%aKd{%rc+WiDNC!R!oFNw3t<>X;K-y_nPla-xS z?~-^z#|f1u3!~CBx~q__$x$$j!=-7$K)d@ADeroI{l}?}xRR$+-thun)&;CWJ0N;6 z1oG@1;I&SUj(V3*@BC0`j0P(YIT-0Y0Ezs?6gM$y`OgIrE0TCxPQp}CLvE0olYze) z7B=9d^ZEphSzTkc;Hg+qQ3gJDSR$|3ub@mt2mme#+8Al{e z2GBao%rK{NwN@7G&NR-;=E?u*@tKaKRZWsflWd(#tO#Lh($~UGramIj_2bxCg6wU% z!ouBrV3-YHFi%+bs!g_K*aA+E`JKc^OM#}4HX8Yu3`^i;%>WD(Jo=B&AD57ltp=@8 zZlu=JLpRbJE(-iQs#yS7ga01fb35Nz8k#B%9H@(#-@gZYLJ0(V;A5<-z*E$s@QJi+ z^HU@T3+-cy|A|Vb3(SJCskP1^(*@=0Y%Kocc*cdpWX6RVZ_L81wT3gS%Wv2vYhJyj zv6~T??-9rg7n&oV|K(6@W$QLT=;W=v2c3+IzRtaUxiPaM1%7C(noXOt3`_XTY*PY2 z>6_$@Nk|nxX%s=1u})reX$OLQQsPdt1b8J@uX9(xcyQi!=&OQ;_8cyrQe6YQ0G_|3XnHjCo(IZnb__dw-!GlJ-ir{RAE--%Olifx{yuh0imI--({(ursxqGP_2q)k7m zCi};t^NN&^0qQaNP+B7+`nsCGS-ju$>PCCHQVTEB(D~#jjx8g{4y9C4mcKcQ^r6b( zvk-1c7N+w?uil<&q;+Hdk4X}y=<4nWIX5v@ZG&f3y2Hh!Px(|+mSaz1>mnG%9<;bP zD2hid?w`Kdo29ejJW*KnM#uxf)ZUErnsYWkIPahJvs5Bb 
z4Jmjk5nVcCOfzocLSsy6X2VXkMYvgNw+E&Zp}I%Wot?uYOuSOLOt2feSboTK)x^_`<|$m-uN4sEHxiz}7gcr4RRR-R;XtaRJ>;=5+TrnlR(S|yGb z`tm+M#nr;Te$5a&RO*YeZ(R5=rCaI@&b}ufAyQ0KtUMF3+L4{sARFTvAmftMxe=Ih zozgVM00#NZC49XH6tioRK~-9~m}3KKQAZJB*(x?AU#sMTuu$pGI7^^7!*0B5Pp$J~Fhi#4W zoHIyqA^nS{NOHn*&qu{fB+p7DMgZqIWLeZFx)nST|H4f}<$Hpc`_I@zBjTj*#Z_4E zOXjc~Px%_L%Bv+4n4ag7&%*l?amP4YiTiaV+0$46)j1u&bd7o@VcxpXE>`zwKAPmz zOT0Bj6%e7QVIv(M9zkc690E?2$*4k8{eWB&qU|qX96lnd89mZr{q{5(yAtXBBDe~o zFh!w0mHGVzeq(ew7)tD4ZI`pdUbE{wEGwp1mm|E4=2N#ZPN_bB(Y_C#8zHq@>rB;P@iBBQBY_X|X?stE_$$+6fw$)_`OELE)+O6# z7M#T#)c{iGA%-WLfZaA@V$4zG-SF2F&xP(1J%4A1XYn}?^6ra7T?azM;&ZY4yHX2^ z+>xPpmK!5ZInLI5d5;(ouAXyG`4h@uTkwaFuZ%XPivlX(CqN4QQbHP0p8N&{+TpJtkw_*ihBFZ$ zbZI}Jykb!!RF*-Tif~8>2^H&~FlErOA@3Q51*q`t2JdQ2eb=c0Ls)(f*OC~ zkreFic0byMXcG$y#tKuM8SPEXzPbEEz*AuMR0Z1KN}7*z(KP=9P` zy<+QCq$r>Ot$tV)7RY`C`UqE4W?EM(pH*V8Bm>`jlhjZ0owr(%fvK4!tC!1f1{POH z<&OK$T}w#iEZrKXJ8NT3+b(F5^x%RgtnyVgLdkSPfux34*hkaPF1$xp^(^RDE-I%` zWDO5@uiN((mAP9_M_+0x3`e~?(_SCoKi?wfPMoHavzbc#Ibdb6NBTU5takdbFFC76 z>>ue4e4|s$F+3nXhxr6i!0zzPI}Ae6+ z?_PM-A!|khdFB>Td-*U^H)u8UxNc9861_%mf*!IOclJ2Fvs2;AWjDJNx&~5AuD_=U ziM2!y@q$U|W+w`}-ZN#c`G2QPcS`I(7#2%u#??p`S>{qGH+b{O$PwKHzE(8#Wy(x4 zYwdT`=M$ELQu`@lKgkyn(QY8AC4Ka9n%;$E(~4H`(Y`GrUA1my$Kzn#@q4D55D+{K0EPNIWMJzT)dJ_pR~|LS{}_YtSMAQA6R z?KlQ>j1C2e)X{-RJrG~|8i>?)ZQ_x(Jt7Kx*xw4Y-CGv@oW$FikCMJ(Y7ik}YxY!K z%BJ~=cjDMZZ0hMM2Fq&T={e=4V7)V?88f6pJ$IX*n@>q-bwxQ>Gm=-5c~X@@{`I^;J;nFWhR%W-|#H}vf2VahE*w44nbUyN(erk>-@?=ovC}(JG zon|C+@wnk@;U~9?EPUkBL%5AlMhJ+WBv!eX)|`8WtQVRd70_0<9Cp!8^7*(ym7-5{ zg1gha+J4mAHT?yM!Wj)L-UResBIP{8%~J~vUJ%UzC;|XN=vK$OwSqVkt7_S8Q=`2s zMj)D<8oeu51SqYRlCoYDG3RKNfy65y7GgH#Tr|W5Zz(Z>>Qm)EuYitefpde9AFu z8b2J^|4l}Cv2yJIKhS-PYfaIaq}0_@jVrK(=*hk^PT*))IyJKe-|1QD$DZG-Gc>pw z{V1^^ek5{z{;zPx?q6yiB&R-`rqK(W9(IEYy}<~k>tHc3BB=oy`+ss}WP<=l1H?}- zDq+v?r&N0)Kt>aMO9QI_DJB|VrC|hC<*7ZxGqy*!psp2jnfzZZP*gY z;&kNmZ8!!JA&5FJ$bE3dEvW35!_+yJqbHD!{73yLTG`K21ocOG04~e=INmPE;;JWU zTeXD5-$)MLK=s|k14jVOTr68Vi?BUF&-`^@mn0)xIoGU0ye*EV_bJq^dt9<%HeRaJ 
zYIPRw5?E_~0^eU}@{2}%F!9L}ozz{AKn9)3=Oezjbci9q{ml*9!1v8frFH4p_|HnG zchET-w31sy>zzUj>G#ThQ90lXOPKV@XNoPPgI`StnF z=n>`?E7u|nDIT2Zw|+H8Myr!Q3`uKWgkqr^tq!1MWcyoBDjhZi;JL7%md0+DefrK| zBp)7~#|-^Q+hpT=)#`h9llkC&F|7A+WY*-)dQ1M`+=H(joXhvpJ&Jg3n}R2Ab@nUQ z;}eUMokZAVb+_}(wp}w~Eqne+{UeJCGPNu=zS6fw1rp|ITY%UL07FEQ5LPwp3Vek< z;42W*N@apG=PZ=Urp5>su8#-KaFH2n$x{k!e8oQpib&$-X-D9R72rYin~8tu{u)`V zUbptdgEXEHyUaIm{`g#If=-dI#l*B1c)}NA&Si?6vj+!>Lo7}V2~jyr@03Es1Y)V) z8=B{09RcBrl@fES<6kc00@`|7}Ie4XDw3oj69@^5Lb}(eH9;Z3V@+ z6Em~hz}NR7bbEH%#NQkFUh1hMa_`=ttjw+)2aoHPGF{d{HY2K=Q|IHc zVkFe$&Og>WinoqD1L<-e^^fFJlci}YUSf_}0bR)(Acp!(EgW6R0-f0gWtT1**eIij zrVeP{bmFECiRH&1c8&2c;6WyWJSy;X549T2Rs?%ZL%^#r4OgXS*n3N(O}e43htbS> zjF8{^5$D)@S=|w#x#WNFX4*c5nc$uV7{zv^Cu|Rw^z4!cyGFX(Y>br{&gDnoMh`sMMKCS2AxJ94N_8tROKvdLCYVXml;t= z-(~poR|9N6iN8G|6@Ob25e2Qg9h>dN z6CZJww4!q9ra%B;~kCaI%00 z!DxMq@pOD>K6;yziKB+kdGR}2s#u@WD8onCZc6W7v=#^An!j>9K*kO(Ko{ctCz2$Z z+(B2QwkOk!v-N%4uA_LjQR{1u@aoWkQk9f_ybqQjW0wt!ArFK_l`gRGtsP32m+c}+ zuuc(K%)gY?kn)&32xv5<9vK_cFxy18U8MgG$4V}7tYceE1{X^M94vXE!3jL!_^FOC z>s=$eSM*bOjsa0Ic-EbQsH9ZnQ$%do!}S?OS@CGlrnt9D-PEhb{%>7~uv(_ylS@oO zk^M8#4gI1h?^(~aCB>_RZzIu;xZw9&ziNIAqI?y;weAe*ww&V+4p$*I5Dko)8qtSy za(EiSaAa-1ha3^*ul@HQ*Q+f$0#YsAZt?u-xWbgE|^APqiXNZvCq#I%arF}CHPLML^{=p_t z+D5bDPi$!0R@+9yVi=ZEm&zvwH=Z!DTZFLUIMWKkOgPTjrraYcRy@$pgQCq_P2^;E zosJl7SRDzYItdYw(X!#IX)?)Q2YoB67ZX`8(=!B%qKQ zv46V@Uw92j@s6$DO*bnNBzh`m#;nFP121^t`!(3KzOzQ8j5nNmc3`}SZQ}D{?`FL< zhw<(Z3}|MFg+){ZS5D#T!}=` zFo*_XLdx=yxN(+T<1^@0RY23gt2wRtk_3kQ~wIU{N zPgV%)X3pceN*BFO_J7+^w0hl8)M#^Y9rzyp?LvQr@H)Dee16}un&x}6+3|ol9u4)i zB28-j+*)x>(|(gU&I$fo!N+GK;|#$e?`E$BYSJtDJf7ZFWgJHwOlU>M;|%4xOKNH`Y)AIa>XD| zZ4yj`KmsMpbRaARJlgMB;eJR+s50ggT!yo#lPb+c^h?# zkScsh^?O&Ip}NMwpWAQYE|vKEFoyB_XpGT2QKB37*_|ki_W67%q)%n3Rj3{Csk01d zPq%jP=H^Z`p=at-a_lyN=dU8U<4(m&5VshqOVt>uKU<-3eo-;Q*0=A8+xB;f@vPKDst7F4N>;o`Eu-Y|%VP8`0kQa}VWnHKzJx!pbR1=(#U_(V~QrasvZN0lgBg4RI+TJDG0Y$n;yHE5BmNueJUom7 z>Nj=osT@sKC8Zuoh$5G<(b>d3YBq~|B&$KEg>2204pF4dp>QPs@I+W=C6e~%b}ebB 
zVu|%*%#j&V+Mh`{PdQts=fkU$!4Ia97!=^xNHSL?paAhm4OWZ@4)>-ej{2r!XuF84 z^b%z?4KPnMWg~esV5gByV8qBDW9jTGsv8w0ps6mdl>`RAbR%bWuHVtm9?%KJPru|O z#6fhH1iB8UZU|-w&GR;UrRoS4&cKl2ynCoV~6FQMSG~B$cVe8 zqrdA+KBdTKq_3e~eeIeoN|#uvobh=k!ko5nOjfo7Ctf6}1}4es>}BCBvdYo=es%7f zkkBz%;i6oI5eyU47l}PypmPY{TuvH`r3-8u6c2K%lyd_AXu$}S*14H;pK;(QVUb{I zJSM@?dHk7a1cRGE6Vw|sm=>|o*3uRsOrkqPlBl~y2Ka&L@`%PyJtq6t!7MV!liy$b zI6q=I#|eF!RJ`ugc zlee-QD^eeoDM&N}Mte=mpd`Ya9!wm_U$fCYjsD)}J^M3w@r+c(f14_~rh6)Wybf}) zbN*xMcX@N{jT5Ss{R7CryZ|g!9ewQ59nj8%2Pb?1D9L}pHLujr6@ijt3#dAve6yh? zbtayB7BchZ^WCUUCq|*deG-h{j*50zOR7HEAd0H*NHsHVg~hnT~YpaVyTRHFUtQ(O0_@U57#c_*jG21Ve@*@*w_xRp>maj%$;STvp?@vHt zhU)Fk7(9?DGG2;xA63es;HQY}KY}q1#9{Gd#?8U{*|aB`QhiN0O0P?U69%oQ1`^Nl z%~{KWlb%?E>zX&;`fX4O?fNzq@Io_$pr;{cB)$@03z{O|Bc$ItEJYmn9N4JbMXA^?!;B=e^eB z+CIPB>0SrhVgWsM`wwk^{M>`Jg(+o^Fz_D0b$rZKIF%_9gjqM@G0UKNtp2=AS_k-h5c{n zvga^{t~B0A4>Gjy7mo;kZ>=PY2>+p|2tUU^C(2+f9qTD>1u3Ir*dHV}l%t>BDVx&# zry0`x%x_|}kIJS`^`2L4OK+)->By043`wtII(vOd)w>%*5Aeno-EouPt)ieih5#3% zu=3gCVmGGa>o79aOeJby zK&aJMq)a!95qbP&F-jEbQVh7vxe4e@?0tdbbvp&qhN%P@*Ew&$JYKDdDKLXyW<*J0 zltI0RCG2@g;qUU4eQszKM6HSkNJmX3iQ)FA683L8+6Js4uWBV_A`_kVmP{l91E(=? 
zOpOL}JKLJg{x0R&j?NuDs2;tzqi%3})O2^6N13sF^;fJx;MX`;tHag(&-!bi!waO3 zC5j@XL`B#0@4l=Vi3@%8cKv&|b?PqRhkjwpm%to+WXWAMM9;6E5=oME!_s*<4`S)h z>gIg|z(xG5wUV!0qje{vTNAVPt3Ehs&YFsrtF*Us$Qr^G>Y$Fle#-wsljpDCe0j)k zxOrM5lFfka<}sxr&sVtnxe&TCn1I``#7Z*=eVOY+$5v8Kn7D<<%aYfO2qQspT;iX@ zD8wU?^DW3P^jbM%dp78(P;&Z~>DPrc0-ru9I4FH7a^Z2#MW=)bIk;dy z-V^sZcJo(lRibq7-A;RpTPzk3oIu?sstOJ@>SdBsz5~0t0)lh+u^FBQ%R=*e4NTMn zF11Az&rKO-cXL_-e&aKiB{tq~=4mEBji5xwjhqU3ByHQm8li3f6;OZ9#7TkmB>m zXd<2r)~6YIOzw~(3LKR-a$(^zs3iyru&jgFM|>Y=KdJhvh&JS)UCm_jb2xC^f7^6Y zCH>u)e!c_8N$R4iO2o`s&Nz{Og?hXqT7!Tp+K`ixVMUhT z0a?H+l*hu=U_{!vkfGJ58voYC5OL0^Z&R{SC%E8hhGp`!WjM69T$t+mN(4A-a~_bN z36lB>%!X4KbY}3BFHum@>*$}WyO{q07-tp z+P@wUwsZy4GaXc!q32Iei^%*}q>oiE)ROA^MW9qNUd%?5I=%gYy)sz2=eCK9MgtTo zjw8rE!M?OxJY`i+6^NZTgA=7h>FaX__)ildy<}tcl2Dh?@H&swkDD0V#Y8jxKer88 zh9t^ZNZV?xBc+vb%~@Y^VRoCqiIStBzm?8E3zV;$7(r4x z>vsQ7t-dyAfWtJ#{~lp;fUTTo0FBT#mt=Rd-n)LETf=(E1G|SCA)tb3)qS}6v& zh1#qCfby{GAiplTGl@ED!<6>=<w3629qWd z*nR8DH%a|>X28}r5h$_$&l#XSDe3KO0NFAZw+r&(RADh4jT3j}x&W3StEi|KmUky{rv_VtYZ9GSx=`W(eJ3KPBf7ey4j z0a3(xV|0!RQpP-8o)4R`@f~@r?ZjT*o#T_DbuK067HkY7u$x~tkh)0hp-SCX?2&M+ z`;XV=ZvQXmPI-^=jS4X6;~*@k4*a8RLp6Z1L(srqhCn5W1<^x)O^jo#brgNQRLyk) zxJ&zgA3lqaQy%IT+!q}8^mR`?2^sJ>d34S%=`x}qT+5e20p%>`5t8lf>RjI?e$QOa z<0Y|6Je+iJEN(t9?RW=22{qF9*-L4KqU@ZU_?=B-gqXpnzC`Ieadwl*Suc3eaq9K= z8gojDXqVL5UED+usfd5kDM1Q+pZEChZcWqD#NN@m!-=f*ue6@R#oh1bAY||aSm+Um zc~06yWK{u$YO3S+EVPxp%G4E00}*YSP20#PHMCDqVGJx@#SOl>7y*`!&ijq*0rC1b zE&by4XRB-3_EMXK7m+hB?Osy(vl7Q#Sv?@^^cg018muR)zDI( zM&B7Ya2k#-F09(Cd%LAc^90z%;avN(e~`SCa}0R?B0x6|&$;~ZYS6xxcfmLEuJ4vJ zY~PV6**?SXdD6=k=hrJYV#pi1_*E&zbK&#nC?3>}-wLg%%OX3R!KS4v7+>~zaSQaK zqw9LO(8f#qFX>HgZ8+%atCVlc*T#I*65R?Pw^>6EnwkcY~f-U4l$b48d9mZ|6CUyDV9&n zxpUvkVjMF;KsoijY=nKwfJ#={IEps)vg|rB{2v}hg~by8oIr_ANYz*d5mb&_e#M!v zHp{)2VnN^-+Q=imz=qPE5yNR66lq}8*?4~;_Chu;cp2(9hCuV8uFUrJB*5vlW+kck zN-R0;kjy|{5jYw{WF7P+Mt%$%H3ly-#91G1+-@ny?jIF{X&ofD86{1}JnlOu5T`|^ z!cT6bs1oXW6@l_ZUS(FwM8()TCX&m!tN2s5b}<=XMb30~(0Oges38*ap{k 
z)Ks{?s2(nF4xYEF-|G5Q3NSDF-UEOH{m1YB7av(zInG&pSnB$St9yI?_wJM6ExGhk zOVJa(UG!u9J-`FB$uLZfd zihey!D5lrG)otF%u;&w8K9=-d$AqpI+k#&zXK5ts1Q)R|Jr_gE=T*s1er23ImQ}MY zPgd&Vzop&0`zk=?1nt(jS3Uo|H;T(!F57bSOKp^5&zt=2P_*%U-(sWiN*;V1Yc;uN zkypdpp=OcGv{mN2hfhH}T4k@@;PLk)Rqi2PNnS2 ztzRvk1RagtO1%6v$!~yBjCifhAKt0|MGWyKsgv5pf8d7~71WLzc!3q4p z(Z=QL4G0zZvAV4B0yz{tk$+d17FX+)`f=H0{;C14=5ZN%@_%)uBN_M>pV@ZJz6y*Y0^qB9=o%xX=!vI%Sg3cNiqfqV z%3~k}lJ?FsUFP~M3!Lr$t2=lse>xyh$Bbsw5`=Dg0t!DxjimlVNAV2qOD}h(a$kH|L;`?yTdpw5(hKX|GhV8gyU<$=I!b# z-2b%^LW}M_McpiY!Q5RXlQ74X`oe=jgG0Qpcw$tl?+RHg5=SLchHR7XI`4e*?c%6i z?kYL?rWN9KLX+T;812t#LE%2aQ-&AQBC;|dp8y~d!vAkGfN}4`IR?MzQv~-?+Zlag z7}4ZUs3d<~t{HAY>yOU$^0RhYaW8V&i1RFPwwE5IP*ys9EdLBxcZ`c? z3R3@u9^Qv$Ut%`@(99PXx%J}A?OsNPw|S7bfy)bSS+627ccza#Yscb5))h(dQ*pqs zAC;{q6J>r11(PNcKt)q6kNQlaUkYDHPOyC_LeQ=Nr+EWJ>OsJ{0?<(;K!{d=cYKLc zp&sO=SdWnz9Iz(v!`K6tk#KneE9uFB3nTGDAUL!QMKI78Wlm3%olofkp|gVJfmtC;$B-ZRNb;xcB_BAOW8w4 z0HM)ENO@IwBYTbS?Jd4Y^cTQb#{lD7L#82oaXb>2T#TT71zG~4@Z*X=Z&TX+wt>XU zH};*+a9{Gw1jAH=*^oY@$U&Z_5G&M_8s{2b&f*Y@$9j@HhDMVN}8)r&HwX$ zD0NHU~>!^U21Vom}qalpqBgS2a z(&Dd@BDCZ}ZLAqOR(i3R3S6Nfo#13m3SlG+jz^=9V6> zc1VtbFKR0^W7QXS&bhM}ZzZJL2p4J*W;9(h9daTM$hk3i@pp#T02-kM9TrAN8JqxU zMVWtP0F?ktQw9@VgZW6{hxXrL5vu3>KN4^$s^nI+UTM5MX^zhGKFk8gl4I(DaGtYz zwlr@Uls(&}f*JK==})2%6H?M_)F}*>5nk?6R3dDapWPUy(pY6?L0MI&W(xNFq~)go zb!j3#QlPiR;VH$9HscsWvW8^t&|Uqu@ket53&y@K~9LhWRK1NaiQJJb8v7#KvjVLa~8o9fFWIBd_Ct|5( zF1=2m6bBqEV_PcPRK8xbV`Pe^K`d<)^l~qI9S&lH-oSx5zq5AmW3oI0?{aW9Fc|_y zWSiHBi~UAlq(ZZr`%Ji?{kY*)U2C6NGbNhx#~acklRDScf-doo^#p8HqE%DA-4nVa zS>)%=wccW@RW?86C2r+r49?~RqK3|xb;O$3K9#lh<&w48-13#dIYJOt+SPUT;1>*) z``T~f%*(%1d;8J6hu<$t;q%H14_Cv+06h-~8ox0;^n5orMQ7J7QBPualT&$I$#cgARs+Dd~Y$`XSW}bncU*C8ZE|#Z)u(Y=+@7 z5;vXqSAv`1wk?(i8m95 z`0hL=BAz98-59Tc`-Q;zABBhYru3kBDpzPI}dX(8lNj|BqB}T-6iN}5EH_7 zBsMd+9Jf%K6FsyDx*ndTVl<+dGY2>bAC0q*EJ1-KtB|%N7@a)K9 zj_hg1qGi&|#*Mp!S@~Pv(nuj?`D3ISBE>eOg8@jy8^{;xW`^{?=g~ z3-nVzAHG=3m*KzhMy2c4{WHe{M|SqAq7Ii4v@rkM#t9mnWkF`_FI3fNV>b0Z^q;Q9>UM|`k_GAHoD2I6g 
zzXqW#d@6Njt$FM`lC6~k?(-CheLOYEL|^&=bwZ4$muVc*2B6NVc&SJLGfxAm#DgOo z;ssXF1pqnJ0>}Y`t6sp0Hv@BUAe#lwb;fqMjLG{OSqc{~?*g(I&r!hLx)6(}R9n;rfMaN4Hu%ao`kBhG;TzX0un zJ+IuDd`yu|d&Jh!)?*F1sDRE5NZ7w3ZEFSvP9x3ekJYcgfe(cJgGT{Wq#*>6tV_P<3_yH zlS2^0wW0Pl#UOvzGVj|0$Wjy7UJ$hJ9T=9s0cH&}06g=;6ZD70lg>@`Z$4p)QI)#+ z_&vYfZ=-DmtvjG_zT;b4j11dsqwVn;iCYn#*3@}(ySwBAmK&tos)m;4Au`go^~mRcgq@GIy`Da~Wqta@ zI!OO1i|u)>p;r1Ro6qmq2f4IQZ0~O_FraPnB4S0|G}KezQX(vDAw{fH3Dul2zcd1O z?_g|$lBngq>E>WflkF#&JF;0)@lG8XiML`!dqZIWIx`&r+YDO5Fp&(X^87&9iU$0f z?<~2`o)RcM#sIT4C^!MRU6?=`370V*xl*x{8kbQ#5Ir%cEwDe=4?QuUEiefjvTaMk zdHTRevX+&9s%zHQR|rGllvvv36Hx-I=NzrW&kSg;Qe1`ryec>MkypU^G)A-;oI4|G z$(@s$;itr*$LkD*$E+mY3#51#FV`Hu5gZmc4&T3|9btnR`%sqqP44B1@pa3d$j+s~ z(1}Ef9r1qMz1rA#I6;4Ra(90!^l&sObbs$V=~It_4vDP%pNl=`g`~v1#8S1o2oTOb z8rZEB73~9H$y&ic1;E(t4kgz8Syr5{S@x117^sthGXE7p0HgDtYbpl}-O*UC`}Bq;4`NU>Jo?vUUj`+ZrvL*;=fLh25I>Fa&J@m_ z8ntB1`Cq}d+dsbcucfm;8og7zx>0F&Rkta8V#>Ocq>+m*Lr-Q$uDD!9JoAqH`InC~ z0%j9a4FZDPlee(pleYSCJJTqzyTqeRv49P*NdqGwEP=K%-WG-#4Myb(7?ti|R4$0f zM7zbH_JBcnRH3cjLN4;)Z!VD2Zu{WB&G2LaNyGwV(?e$uub z>rRpIs3jLpi7DA8K%EqgX#x+llSbD};gA>HHrS=b_7OxYv5UU^e)Hv8kPw3W;Ka4$ z%Ng)s63^K4%ly#SPENb|Pev+(kMH+_+1-Pym@kaU@Ru1(Gb^Hw#m%vWphmkefTNra zfMO%>sN2Q?=k<9`M79O28tn4aZIhrgs)G}}!K$GLR*gxpYFL5JxQ6}U-rR3nYnTg6 z^4@Es)dTN72^I}2uxJ2pv;{00rPCNKVA0@>L=ke>^Yljxb&6lI=ak@-;H?)c6^m-Yn6d@S-Zq8uaSeK6)1I*G!ue9%zv?~w z&+chaKAn3`+q)hSc}DkN1lmTeBkhy9KMTO6@?1E*B+RABhBB7SIStc?Bo5jBxAuXB za5fSp{Xlt(P$JOFYo)jOBKeQ!PHD6kvQlwvXadcpv)3ugosiZ}vH7R|CbGN3_=eR^ zltd2;1l}Cq$J^setylXeg%+!%c=>gcH|deyeDfQCymBbLsEY6s$o;E}3+hEI_uphk zczw@4XcCGn*)u&asGAI8{I5>lysMc`+o2RwWzH+oi(Em_wXM2vkD6cTLq;ak3SmF6 z!0@@KIVR6fly4kM4xOo ze{9PSEZR(L-Wy@-c?tQXXHbNPB3I=-cjnxpPF(fHVO){G4~k`99zpIYef1x! 
z3N3H{vRu;j+@8Ubl$NJh3f_1omwF&g57@eTs1YLjHS%;B-}=t8?{n&H!Irtg1I#PN z{f9MnF*2p855K;p22ut@qc^sEXU!=grKA+*o#pYTk3SN%29+Mg1wJQ>6LpKn+l-;= z*qLb_)bKKgo#EJSW-MZmO2==a^W43Ud#7RfXNuRv?f2F*4N@~n^uPNmNYBgr5T~-f zp1e=pPDx#4S{l$qefHewq=8cmseja0tzRl^6sO@cU<^##?Vpqi09AitsrvH*K&jY3 zaR;2`Z9Md=NWr6}aRJ8(t&&x2*umeu*&HYuD=|0i?4 zmIV*fYS;+&@XYT6$A>vgYrr{FErp{RsBNrd?GHJwMktNWpp9jXA-ZYmFtELkqZJx6#*>!BSt<# z)Uzwz?0x8}UFwm_M^CE@zqJG=eDxT`0nYWc*f=3`H+#i9eEM$mzmp%1TmMA~+<*EW12 z_!ZuMHcZjRbR-BqBaw@Zc@D{}gw72~*t@-sp7ZH#e>^v2ZV!B~dFx1zM1lvvp|9rc z4-N`9-Kaw7?t09$N0OqJPh z`U+9Huwa|yiK<{yiTg^>p<{s{iw0_K)`TjUf=^Ksnbu-x6=PU|MU$jCg3Ma z6^%U>1LmBF3^FhjKY>@hM4=43WPaw~9Vml*kwxq8b?E5S9w-aD$TC6x87NDAkrmgg zW=`$M8PGdjC-$r$0*BfR9`+@Q^7wpdBmB!KlmIUlcw+@87y{wF#Q*mOuw?q^*PPn<5g1)rP|IT@lqstO+$3nz6H z(qfCtvE56Uq#hR*0z5leM{TyeaP8A^B&knk?zGJdm# zSy7PGBcUT=#z6mDfc~!nyo08D=~h0FKH8L@A1#m|Hb z$ZU_liFK}0kV847@%Q*So6&}$?4i$L?2hpUMgiXZu_mvWxMPJ*LV z7>(T4{k7qlm*7!(Z$@yxmq^!>!>p#b&M${qWZ&7Gm^ZOMkRB6PDh{@5yjb66e)hS; z-*O221=hh|zzL{sd79KZ1D|?!1ok_3Ge6_)2$V@*7M4w4Zd*eHp(o})!PVTx!hLxb z46Y;bKPwSi2bt=_!KrgQ?%#xn+?=|gaCl{b6e3w9bA!7}d_#ThURTzb3i z+*gpy*Szb-4`NwX;(hm`a`FBpa>mNo1eXthVZ@zz`Q69?f2w_}!CCNKc zc>l}3()JVM!t+_udJj?jgS5<^A?kxN!CyRex)BCNp7wpC1j%r3VEk{pU$|l@<&_-4EF%?Xk(`fcxME{P9Ks_f+`dl1cQ>z+^Juvxj<( zuuGP;_mH(2#7~y>Ld|;yHJ5Jecby>Cki{Lk6Hj~+ztNFLd!d=bP*xJAbk-7C{Ud1z z_{gn+5v2CWK1YtI_qkjuY8WQi*ylRNodP2=q+95_&s9g%Q=*2n+cp$2Nlz`FS`^fr z>x9QaiKuzsH~R z(nF@EP?zHhe-FU4rQz3uADrqJd&?Jn;Re)fGwLFKn*JlWkel~GF^JyMYCpJWv>=ht zF|y33#1Vj4or#v@q>VJ&lGz{gY5;veMDJEdZ@`S{}jN|K6D0k>KZ+q+X2 zD&$134^?W{XtXM|@u$pF%~$m9>ekr1E!S%Kma;cW#R&E24r@;6)MD_q7{`x z0(J^F+cpa1&>m*fs`Wez`2%>D)#Mq39p&m`magK+P8cide#K||SHaU_N77VPRN{G* z_9vd`Ii6RaG9asn^X6uVgKd_UAn;S7LK6J;WsKBCDyZ*YmCe+bK_U0@^SYq**SAN# zIrdzP5*aETP6R>q%)$8c7L>-gvZHV4aM72tsP=i2{A0x+;*qO;n+|CZ+zZE)Tz1T#U|3`cx8!m0J@WW9vCHW8Jxyz)oqM z^(-lGp+o3xfB33YV1)SIt+1!FwG&!hqNT*^O^%o&x3HX-X>(@E_nMil+hLf+`v&XZ zPkIC}E~>fZ50yJs*?HUo3T4|?FTeXvqc)Hpi=2rrK3{?8L^om6++Rx|3vZE55F^~3 
zTuLg5u)1Z<$tu1lzm|&47oHpG!U6$<8L3(YA|BvrR?DzQhf6iq)HX$4cbI%&9Sw+^ zY2VScM#W@_dKUwrwq|M|*&e7{>x zqs62*KqVD^x4<$9=Ik!0TJQ&bK_*@p_?@Z1?|flNUD;1B$rwu#Ckr07_2`o{X|;>J+zkS42UN`I5SvB6opo&8;Se$o*5jB`+lDGu1rzaS;VISk15ihRhWjB@UKlv;z(jo==zOR=8uKnKes4$>adFn*(*MHv*dI({lU&ni+QoENf3&ZP&Un!`? zM0?Qqu5uoy$3JOBsmGeeo)zrf(~oGDmkQk-T{?=#YtQN za(oDE14;lLA#l^%Wh$f+688CT51EWMfnIk+R6%(@WDMt;xe^T6K-0~nI9YhgO?pk@ z@&a8`rZz!+UfMdqgqhDYJu4{&I{uaPSjxJv96#MTw>z(O@SH@*> zHSrFP?VI+#*%MP^lbM4K$~GnMQeZ`8GJ^)Wzkhg*3!4yrDHOsC{9T8{;`$kJQW&uE zyjcnLtg$hft3O{9DSuyTSNZOQO|I7o>*v9ztolPj*#w$?S~duv%~QRa}Mt2{=vFHF7AZF5wA3Zge|d`V<8@^TYF3iAJb?cd2FDdFKFbFIDV1QWy3U0OkMbWB|3WQ}y*8qWFgB92ikpL75?S#dV z0?kv81~J%1g0Q>!qq4c+J{PqLT2=;9f?>o774{U`fYx`6+{WCQ`JFnHXCQ zw_8Wclrk{SkeCCm?@+M&Z!4j^cs%J)^Ogs$2RwmV;DUrX^*z zLEq~)V#f4s5QL=+KY33B<3a;73v&0=1P!@L98{J!N6-3ALIPm+9L>H=@O6PNAu`Gm zMvuyTwTwGpeF4DFk?!!{4(MdXue1SXgCJ($N5>33Nw7`}!8(P4bt(!iQ~Uz_pe`_m zx(n8~>i=JaFOo;JK$QioPgd|C6aM{PGE9d*6|6%}RxZ=tt))m2jj@aVxJ{llZ3?Xd z;9Vdn{YmpT2>Ds(K)9yx^nc5j+)Se_fN)q+_?w}>>1Qv}S@g_#E$apH&Tci;t+(GQ z>5_yxjCNea>gVaDat!Ysed}6}XG(}E zm8ay9EmBt{F8+|bh7V5!ewpTZ7)sYgx9pM1S}yY!BDstjfh%{OFjn0erIHFaZ++#$ zt26va-z|nO69@QRW$#q&cEB|q5mx10s=z~*fjl&?)KC>gEn)`oyDz{?TL$z6=m9}2 z{z1FSmsS*kc&)Sb z2+v^aV=??-uC;RXvH6fPYQnH}|3bj)x91E#$^9PY}<%vkW zxxb{J`>j+bi>G(=0fo)!84I!E+9GR4yP6hxcFV^eq5omQwcXZ)3*sz zfh(B+=`U91X=#atTFUo1up|P>>rNRQea`n+I)(%37!IT(?k|{1_>vS5i2sD*{}GJC zKsX+1nv@*oaCJ=Cgke)*iX!i^Lo#WEXv7@^&`yacAg<}8$@seC`Xu=!)J+cU zW*C|V%&M}?Em)WpQ;no-Qk~F6x59Lp@;3P(;UPP1)xSX=)Ng>NTL3STr|EU>3rLcK zZYpIHT3vg1V4{wNT)@KR5``9W$xg{Z*NaQEeLiOoQ;Zmw ziMR?#dvKCAz`}po0gHSa$0;^eQpQ6zdao3%<)t@}Y)M@SUk7G0MRXiWNBnwpiofRK<- zlOpEuIwq@QTk8wP0fEv>a1#rFE|d*Kjn4wYH75{N2bFH%Qvr@*f(A2P6Y8rCszHPC z_FyeV>;}KxWn1DK_$(%jP)f^M7Y*jPDA(`V1bbHX}l^9 zU;0btV%A~tY^j^Sa^^_E>{f}S9gfvgBjcdzjithzU3k`7kP(pn;32G*!3MF0 z(XFWkkjF%-Y}sGkTquSDDH7M>^p5>wd#0y#LVqYb2qa9bE>pquCu?gEo=yT1#vGHm zaN1igDoM<;J|DQpnLlAFUO+mg4N3h+R=h-3zW~sruhacT4+nqpEKz!s=iNfGN4oFH z<^1f0W6$sX{X2+3(=aY(Fwud;d;QX$?r-dem6$7U?lxL^7#0 
z+n-l~oabbZJv@!VPcXwG1m`?(SS-{vg#I2wiUr)3-`&CLA$@0%<>&dK@7W`092YY@ z_}M#;FUJjjQ4EWaNgddR2~9sx4tpOYZhl}ETphicA6#1NEF^4u5hFaaF!z$}WA=NF zGk6apftz>JrM+*+lIKzLwVK5x(AP^Ba2wYF8>%oHOoPfhKF5Jr75E4E&#;C(iytkB z4khV}q^C83?3H(fdKIkzw>@YsJ=Xq&%0bY^=O{}CDeVzljzZ<&d04<2bL4EA^iI6G zfR7Vln;%4NHK+9tJYcAkb$QU7lu^j7zZY4r7LDXQZe$iNn``EKQ}WT5?#< zQD=A)W-_@72)&~mAwIC3=7U0e197`xvc!ASf(WL<-@hIx=)ZWrnZFX%pGRAP)gZ@S z@8e1?K)y-J@rz)dCSG4$h~44v+-x7uD~~VsdLWxA>&2+xvXlnP)p|DM;iea4)?ztqL`NRJf7pnOd~fTa(oA>b)o=Iu#SyyFqQz=)^RrkvIfgajg{z`R@$5 zW}~jN>~~2m-*;0k?v*#!EQX2k`xxwXUESl2%jNzGQ)HIC$_-D!s?gT?TSq_%v-E`Q zMbGgcrZV+H#}e_}jwAc%0SBl?{V6A=oX=4PciEDZnL#I+SZ>mhSKJi_gyn>QQoD#4 zqF0nakmgKiw9A8gkvLQgS53c_DR&g;(Gb;s@igt1Nfnh4%eNcVB@LQ6h&C$Ow^`s1 zppemu=gy&c8_)cd4@Tyvu>jEMqYtw@U9^$ymWSeGCRhv+M0cXDA~#RFII83GUa`ye zGIBaU{RIulsvG-yvE208p2Lc+=~eNfGgP)VlRte9`7?N@Y%+#ufqwmAhVxp7|3p1d z0aj}u7Bj+w8R+Pdku=SgqhAlw>%i93{eV!(90XOTEi!{yD7Cp8frUu0uxVuUQ8aL} z($pQok~j}j1|yv5fqnc6D0811HRPpf1r1>vPHDSE^`GNaPuo*r->1=P%xR~R!VPWs z<(rgj2h+e8|G#_f8a%ESU+=-+JbZnJ~9)1`kH+)JU$M-X!AaZM6jmXY;sUc zMEflDwo-3ztvv_2d=tl@LyFG^Ps1U`cVDe&0MQpt!{YE9FiRO1DmAeDb(uc*vEu)k z%a}T>2n&9={}iy`!0~W%1K#CuEwN)=p7&3H)Xym>4FbAirAH_oA24fxpa}r+Ch({F zlxhW>>DbDK8^>5~#^q;Q7ntcbS2K{f^8go3U-ftwb zoBzQQ>7I0wA52SlS&8d2@DJ$fu?^FR89m)4S<1dZq5?DawNkA+&twmn{%YpN?h09^20#-ZP@=@4@rwyJ;@q;t^An;t=^78t!bZq z8&W^}@lCl%?4=26)nyjzhjg48r;C@}T~3+o1-x~@ z{^#}rOJ8Qy3YO1NDC*x4FG`3iL)lMu2ls5u9Y5Xt=yZEOhCU?FcVc38OZTq-Zl`JP z{#84TWO${$6Em)Mw{Gp>t)|;)EVu9XutlboS|jr4&6}nMicXuHttD%|_GlTo?f)A&?|q`A<{GYz+N znNVU7$64*Di%IGx%S^3`-}jC#*hR7KNzsEbxbmWw)rAWIDtYH9>892PS@c@o8nM^{ ze#NF%Wv_cjpYxXUlC_T-mFOlp8CvnnYg5GM2Qt1%S~A>P(xX%1VMWk3wmJ{Xh1hn3B~+2?{(rr6x6uP*8|trg7WeY>#~1w#~SElxhRM2WAYmzeLsleh{;`#CzME(0fQ_a>Fi&!nSR z%!#3i&U|Ni$LgNXG3=8H+~g`bG~@PV9r7gIp1w=7uYD%H5^z9A7v8bw-%vKC?7v4; z$T@Fd2eYemW+alb$YzaQHQp=cswptZ=GL4;@gF5|W60Z>T*Jn=lr|bKC6kf13pKiGU)rL&Z zh?JUMB@9dS4>ry?YoUEy`IH$#uA%xn>+poqm!>4Hp)~y&6epOEv1uJ36q)!V49!BW zj=0>Aik*EDhPz7b!Sa6i+&o3-!=6rc+F+aqMiGLP^4;b+G~e)qY+PL&1&ua){9}@m 
z0`UB=fQxeV#xXStn8l~RrN2c1>lZ%~aq>%#bet8qrv#CK`UL9t%?V4;+G1@n$|h|w z!0!$cty9$kXCH+f#@jj6-r!UEI&x^_(KlhT>V%`l7otO0wD6wu<}!3lVSe;Mn&HXI zTe^%Yt;_!Ioe=Acs`whf4fdlnd->sd0TCqrgi8#Wa-Vk^z121dq(eE`vvl+N2matT zb`wDGLnDfub`-pZ8L#8am4n2;MYsy%o}#}Obfy^;w8j-?V9HXw4s@k?;>_PiQi zFAbbpVqrq<{$L=G7Fh9RoCv?PZ%I}M{P?<^?OUeKOjROo*737Z&RGW_X*%J$OdWu; z?+g~RPPogkyL8+A{npLA`Bm8VTENFypTGT8^vCOw(VCq%PPu;oCWX)iQ>ibPj-E3# zp(<#+7VX)jkPk-xETj4Z*M`bAz|qh|w)I|^nqZ2D=9Ti>9~QESRdelW8Sec4Gt+3K zfDQ;W&91pB5;K#?aPwt0ZO~Vi%|<2OmYDs-Lfjt?e14-kqnQ$@tz38v6SBaq-5knn z{?>gpoWB0rgPl{@pSKI`Ipco2oj6Bs=O%zh#nV63>qS2&2<@kcXnbb? z`LTE)KNcO6c|5=)G$-jWLsM-)I+H=PKpPM6t;OFQh8u85X?E2)@M%2>79E9^*L%%;wD);Yc78$KPg;cZxf^jI?_6|U=)61gwAd> z1|{AfjIxMi)TBwcehs-_0jkDS`)CG~%BeSVvCbCIUR%gPs&Co7{Z zN9s$*K`;9C|2VnAXJD+0!pv{xa!TNkY3PdTNpL@ma?n(7~ zwxGsi?MusaxYe26^S)P$OiENQ=w&H#c#0%zdkO>A1&aKA@6a zYU)erpDwcY{v71e0pU+*t_w{IQK&mC(Y~3J2cX4mj=G1TK|0B5>vLh0KYnGFZ4^|? zw;w~5)?|0HpavFG^e+Cq%1fuH*g`!Zn5Oz$V!tLL8j8sNu zU8%mt7a>&h%?WdeIRb{2EXg9vN`4agYQy_iy`VN;R55J|3ZjGuS4}Y>#x;q( z<{@tasYdBy(I4Zd@tS}M&rSBPq(mi`vC6X9`7JQE`4fXj?D#J6R_rA3MGJrhrA183&}~G}T|x}}kNIT{_WULS{j?HJV^2Pn{M*xL zUjz2+IAxLj-1z4}t@!=xJ@sQ79?c^8s=)a=PKWB*IM_H$E!8xQz7s)pyPBH8ghp34{yb|61e z?5=T#VK2;p@+QRIm$wnfUf$M?OBuNU3hyJkJn5`}j8_%=s}*H^?#~g#2bkdlHH|u7Wa*x8PFh z{w|^U1d8(DO;p;$1D%JRG-8*YXWZJu@?TpngO}*G*U!m0*_K2uLYhLQPf1@2n!TA( zmubj&8|C{;M6hk&XYl`+gYFh4vc)IKbf*xaWIENJV4=IgV9TgdMyjNylANDqB>Q?3 z1i183dX}5Alb(1=VaGYou0;~@e`>1tu|El%C+r!BD6u<}yb+)>>tZRVm9AB|5rFK4 zW6)6PfAOf*QA+OJ1^)@pK-}aRkekl{=KBt}QX{Mvgi6;I_M*1iVcYZ3#Dj$T&(R=7 z9xrH~LLC*97=5#0LjF5VyN}~ zt!-yi5-U@88c;oyEdC7an9!A!=XwKB0@-lybG_mS?F8XCJ=2$nlZ$w5QWq21;l za8WM(2*2R+V zs7)LCc}PtQX9?X|{-_*oAczRsUw{}a@blCtoThGZYU@AjfaGOeoi$!xu2q`>T?zDm|6TP;Dm zp$~nnK+k}})8{IIEZ#$%Y&An&0x92XbQ)f6&G(Q|@cn4us%Ta!6F0D&r#z6e^Mz?o zFB}^D8F$bt0#3lc_U2HpNFPC6b1f;2%em~6Oa-)7Esqu4-q);kanC8W`v@R<`=0=~ zZCZ~Kf&Z6B7y7qdG^tE4pBeNKLjKFBwcyh&baEt$!%ts`I}(i|bI0E4v8f@x^rj|5yVjcNRSH?g#uz^D9zon&HUfNj)&-!4)a9FWs=d+$3El 
z*9g>D6+Qru3ocZGF9t)-h25~YnQmDBJSn9%`&h|vm1?KFB>}&5Jg9LN5U%*C64whB zK1^sEP-94YibzKL^sJT1ShX*VlU(-+KMiJwe2!?6)2g@dBWz}fJZ*EkyeY41v~EGy zlyW1>HG@`*aiNCU#&dfwU&8Ta}*Zm ziGgXb!Tgu5(#48zVo8XRc5WZPY6W5Oobk6#1JSR1Kve(R1vbH(Whr`fz^2P@ws`J2 zv!ibNIIzp>Phu&^+Djf=Ypc+`vLR0_d8~9I7 zqy5*xjec5I$@ss$fQaMfB$_7)o2*wl^zuHu46abY9+pbtBE&1ZP{V0zX{^tQSU21nOsho2@l zGSdfTBs?7A;ci4M(D?us1CLDq$#<6J>+p_HzMviWfqoqvN~Gu5bd!SI(u(dWC3w{#W8P$M~5KL3a+s`TE`_@Lryzl`U!YwprRwfHYeCO`p}(4Zd-5$9~@U zlClK1TI&%*5r(no9>+|-g~jrn&0hHNvvj%7ubt15qfjZUrn2DYtePhb+PUi+nZ()? z2L#Q=n;_0Y+}y~T3y6ZFZT{9)Ag00#a7JG66!O-g;8+0>3;O!C``#C4Un|;nbovk= zdZ4kJfio%$0~vImbf*n(F?EYeQuV)ee<>2yGd%0Zm?FzfFlWrm_YM zW+Unvt=v*a>2tRP4YCU!Tp6%4W>uu|INqM9h^D8pLVeGYmpwt!O%q`FJtow5xnsr8 z2J5i26-k*sVGfo4YN2r~>VU0a-5Xe@Af3erK;$j0C=pZ3?V)=??E20v7b&6NgY1X8 zCS-^VoLfC+=`Os7jc1LBykI5ip-`V>#!MY}%b@o!agBNM&eH<)iN&!>JYK1rZy9yI z7i4x6+INzSj?u&Dwqa=TuF@yux~x?BmsqJ!)XrZk1qD;f!G)w5(G;r1H10?(QRlH! z3*HHt&m)9qIs^_A`*?g)9-h?lK`C$4wHCfww9T5c-NeyRu}=2TSw7PtDAx9ss*Nw^ zll9Ktuj?Nt#qrf@=qzfe`PL5siK&FF1ruaIfOP9JodObW_Ee*qrVX$u_`rT39jvh- zEH!uuwMu`Y>!kom4i9OlcjKg-U1ntA~sD#Y5^(jM256=so}pc ze{jja)mzGlZa3D?ZIWCx?Zaesi`#8#n?EY(oeyUrsU8e+Svu1o$i|o0Igc7{SNU@* z@B6#QY^fQ9KQ954;0YYRb!1j(vmE>>bcV)JZ3wP}5Y5^y7ckD<4Y z0{Bp5btn;+%k3aH8I_|J13J_&0D(5gUx7bzT!+dbuI75+lSuoNNj#VVR?XtG^t`iT$LiphdxW|u|qJAq8049F#;G}RB>YcN~DPfmyn5pW0%MvI#u z+LT1uMEd|12!b0Af4%+^PnDbtxeM8aapR|bVHIM_CtHf?FzNVTrBufrCAb2kd%dVE zqO`3UzGpJEwy~%Eny;AnU);-iBaCF~Wc(5IN@LwY@L#7xAVcz6kBB2@l8gBYBV zU;__U0PHEQzir`!-7Rd=yU+w!75}%rf{t<-?Ya%fm~XKpNSGc6MvSnTzX*(2+6kEw z`!R3cI;7;iDl{`lJSj`bO)E3&C@{=#q~Fgx7rE%P`bWYQQj0L(*&Q4R+n=7>uiy?V z5V+TN57@``(5?!;4RM^aJ5CMS1;MY~UPe|?g$!koXB8lGj&jM6^MR1yv}Ik4PkfZdo@o}o7ZtVJ6Du)R3SSl&@R z!6}Xwdsm>Ze8gTC!v!>FKQqvrLS3-9<1SeL8a_y-)p}(a#b&#U=-8Ulk=8RToTo8` z#|;brifYgSygx(ohdw;#s+FG50Zk;)AxlsUv3)tKch6mY zLz|hGsnLOZ%s zWr10=zmgWL_|qtW#{=Mjd7K58 z*wfuJmM!qGobI;Mi-9pi&v{39$fSmBWorOc)q-E1oR1qZ48;so>==~S;3uOMrtdQ! 
z3T6nY0EI~Y?Ez!|7KS*T3%eZK!_Pfc3M;Of&HOimhhMoHjrX)@y6((Wsh?_TF<4Wt z(17YsrT~RVHe#mRZK|);Mk+y-6hN>Ndpqp)4LqrObP0j}X~3A#Soj|G-vJG^Ay7W$ zf8+iEE?~|OaN*viQEANv;L3-=|HI!}9xPj)fiyH1RDwT_h(C&`54%8d`Vnaoht%Y4 z_e6TalEnUZxdZaUJY=-%r_BnyTj7d7c*sxx?fKu~xv(jnsSzHvUjWJU+D}$JZHnRA z-n#Orl9-^2ij6;ZQift@JsTyV1aX0$;6aWfPQS3aYqg^v|H{?$BYR_(=J!={AC<+E$4x6v0|oVbUC6MCKiLybUkP-iVh%Vi>qi27v$8BFKMVBCppzo{y|r+rlQ8w7AWBT zN={8sN2Z88jvevo#U}B(63eMtgr-q+KPkKB;~Q1r*|tDej{`4#oOZA8=G!3^tEN{S zScHQnWlkvP6QnwjtVewIJBFN@Va^s?8a<~ev(8mHXP;n;_$FoX++9>`X*u=dAdMhJ;^? zxG|C6de(WmTzLw^8!=%dh$gu~&Adxo33YPf7-dO!+O+tEnaYu(>pnPG9u>ZPVposg4 z9vwm)-$$g!JLi_MH^T>tZCAU>O)TI2|NNwM!YiuSVbK2W?5&~JGT|_;wWiDT%L7P} z6)|$97Et@340(JNWFB9E@h3m(KE&XHfW@QAhQvbK_5Q9P> zlfrmKu?>`rF{52?w+$1V@j&V`Q`cZ8ld88xTC2c~>F*Ba`fz|N_H+%UDSdCus58T8 zAC(t8d|*1Awn*3lE0UeglmnK-jt;84P1-9$N}b>J)t^4ncJiQo{uG^bVsC`zBC}bx zv+CFUZQgqOPOj=849Gwu%pxnm$&3fyGBr15m*la1bdC`K`=|V^NrCI|`R@?Wg%V<5 zfUduoWn%ex+V>ozG7F_n$|`V--3n9zAT`Kbkv^y9caJt1fKB85f36Gg8UJ^YVT!z^ zikL&elq=obOXz)T5t8+T!4h{fjAbmCyp{>cNZ7>;;~2;7PO1u^z6z-U#$bx7Lh%g$ zDYftdf-bAV@DKY)@m}F7fl){CZPc=%nFV}oZ@@$Pdzownd7$i-!To;>(@(4O4B+y# zM}HuX^8%>>hW+aTM!^5+3gMln73Ub1y;f=mvoM6PGlN-RfV5=)X((1pr|*Fb5(R%G zy2;PsDw+X`PyW+r80NH03E{YbPmwDvWFutTchUdblW)J0rY{wIURT?!k=#(?t z(kol5l8QGod*?W2H>H`Yfn>e+M`3ln;R3lqrnhwK@1e> zne?~*of^1o2TBmRaC|ymus?aFv~afXTwOc6qw7*OUdh^Fe$G-qxl=teX?H&G2mAia zD-NW%_gnqA2%|^!76T#G46t?VZ3oit5J*4rZeRb}HUIKG+zU(9@OmZHaNxC>)8=&# zqD5_)$Imuhk{?wZkn4Zv5Oat{@N-$j9eL^pXc})XqHRJAdt zQP)M&tgT$dKBc5rd~e(vd7pQ`eKP*)w~u)4Z1(YH(D_p}#&1EB7ItNMTN1u^d+*B# zTNy?7)?_Lkx@uQNR>_3TZ%H0}{G%iVHoSzYlKM?nzJt3zpB8A0G$7p$uhf`Z)MX-` z^|z-p0TOYFP@4x}0AXOJ|GM##$R^-UPXS_54Ui}%K%#V?XOwjK@h+}>H?;xui3vcT z;3JE4@=}edWDF1|qn%@@0Tzh2)$w2&Zt>H%l@>qae@^V8*Wj$QO?bvZYRq~6BPspk zCYjSly&Dwdb~#8)@GOjsO7xsf{}o|)$;~5A_KwoDXHiKmHBT6*A}_mrYi#zCR!-YhGWxh212Bbxri{caqp;U*}ba zpEHNP^U;jUvN6AZXy+8_=xmc3Mx~WJEPWcy*W5&QtdZKNCHHO&R|L<(B^r0x143FRj1@`uu0<>JPt^-o5Ar z1T2F+l?-V@eZ(He#AZiDn69OY$L-Geng=OtWLu{n0m5ST2^oZSV9L61sWn%CGH!vy 
zUM&Es=Yot?K5*UP8+368hzj z`V3Q%StnmKMk-`iEPEd)INZ}G@{`1`wI^`L!?WQI1T8|#kdLe6-9@}4$$!Yh!V#^V zGZ;{JWI>+AgY-4+rDOC(~xK6QQdo~7CZjqxd zkdtvS%Dc!pla)UVLj6xQ@fhipOgecqm+DjIC)Vs;9#^4f$#xsFDXxEK@>W3wS;<|82qxYcp zGx_&CIk8z8;ZzPf;Ut!PqtUm8O_b))$%*i^GVF=AwcG%Yv_>yM`9)Ahh3N7lG|6mk zHSN5Yi3}`b1*&+lR@!+XeN|80p)Fj2C9;%h-uN-kf+S?6a!cY0-~D(|{JHjJr-gL@ zt95{C_*c2`uZ6e)QmEVqg09+`ssw#m7-!7xj&CPvr>P4t>NmBdNG&uEvM_{n6yHD{ z->xkMXD8UX=qM&Y1+@sCHjw!jef@FtL_07b5;cR{`KN;__1Y@h7895Z#`>DitfKSA z(mQjHWiMrYjb5iDr>RriNv&mnWg$c%L?e>mb*jh>E#Z_+8Qil+=*`u_=*R>y!l?Q)?NlW>nK{gg5U2u!2cq)Iuz#^nJY*2 zvB!&<;)Qps_{W=IS;@+3(*wJ%>SC3h1}x`%&f3vC%%*V5SgWJ~xV%UAy!)uURg z3;stFZH)s(Qnfhe(fMytZ+cxQPNOUyS@Tb>l6<^dMdu`aU1f#X2_>UacDfqxhEyJz z&q8F;f|P~>ZfzaLp(1Kp_AQK@O|`sThj!IR?y>U8gJjiiBhSd2cDNTxLu)JmZZ_g!BRWb%PrI6r0)uh2gOhP zRh48kL@JP7Rv)oeGrr|U#FEwwS)SCb12UKrTL_YRITs)zsPzm+IUkQ zFAB}=%}h3x?>4I8dXQlqxb8u@_)fzKubNzvOWx*o=6VfSJkPxSV*LgZF$;Cs{)&)-txL^K-w|k$7{C9}4%Omon-k%_b{T zEby#3k4HDiS+@&MKL~|G0*d|9}6{qkP>!)t>%ShN6ET^lDle z(~3T@O0VB0mT*)VV~aG{&5@#A;>G3Tg0cuL=A6e&%@nK>!dm$Lx>*@aNG@HHd$5kM zml^~B(#&8hlpaOJmeL8%!uZBQcaRD-FWEMN<|noyy#B#l=dU*MxPn<&k{>zb2Q%W& zM_iIvPY?^dWtx7KMX0_*_5L>cS=mxX$14S)s3;rF4oxx>`%Q>w)mh?baXUtK#vyTu zD8?7*ABtFX|NVgM%RohftODsAjF;Nfnt?gV_J#ok*)byS_(}p%@+c$Oe>TvYOh|Vh z8RQ+l*LW5;{+QQ)Lh=}aXXdrs!d#(IiPF_(Smi(ys@&(rpG)s{pLF`%Y+v;X?0yvQ zA-rbm7tTR|NDBi4jF`C_vU!;S_Pm0@1#^2W>EM(T>!Dk~WWVU(-zsVEW&pC_#KM)b%c z{@(}|7RFMZ%2AhwmN5Pf_4Yp#oVVf>e8^Hu>MTVp+An?Elr3=i^Fq1jiv}7|^-gVy z#Ad3xq}#I*jQBso3$Ni6cRmpwJfn=w~Ks-68?+LF#q-kC#=7z4tI{k#gj^Par` z{&hab=Ot`$u7f93tS=Mo1uLE=Eq^Gz9&{wXPFrbQsA`1vK&T4sW71OCqYlZ34{Zok zTWjG?T?&Vy(xpf_Le8Thub!$Dh@WeKfR_YJZlR=JENlxd7H1 zvd;plC}AG*SS!57Z^({JnLh9F7#B@cvR!GB__y-^eWaxB zMV;1sD{+uJGWf`ATG`5Ps*vK_xVAO2O@oiqbA5a0)p>rja9?PSNB-=jkU>a-RY*Pr zVY-*)Q3wls!|(o#!|!VH?85Kvz9;?R=;GmSiOTPC;=|2S`oqbM-viJ6qMxh7qVMHS z>;0jffX~g!ke~1EzXyxkt3|)L*1OxWR$zpy`=xQlqq`JvzFRbI zQBN=lC(#>--6hu>u6_*}^u$aL3o|C8w|d~vDpdfuR=QzUye{@U=*hQl}~;VCa= 
zRaChGk5S3apK69-mA>Jxx5AU?+Ab4?(F+*@&#+(0lV->8LQ9^hiPwP>qi+ngrDqQL zMkxowc+V=)PosEwa~?Y(ROj?Yy1*7b^2(A}g=vn$%l&yn(mdpqPHzqWSfp5rvdL$T zr=3p>l^=}^C`N0zCQ5QB(aJQ}?YbfG<(wVk{r`T;*W+tYE01yzkNk(vGoPyx2utX{ z``x5KMU$AVn*SfJzB($Z|BF^(h(US?si9jyX+dJ7yOD0BOG;V>B&2jGL15^T?hp_p zq`SKWhLUc4m+$ZW^WI;>Vy$yOwa-3#pL^H6!oRK2TA1+gc0LOR8;p4<|9^uDdCT^? zoV6DY(`M6i{UQ1;=H&fVY=88beAKFY2A7v81)K-6&1?tBPvJh;Xeoyj(mSyNA9MJB zW`6bcAR0k;4P1n7?lW22_M49NoD|==Ovso2trz&6_$>IF_1*s)M!|FtA=3BX;83cu zwQxNZ1M=XDM&kGX`v2XPyMdoKFa3(GYM4&x1^Mun=_IeX`^LW1KWJK1_cop?S zdr;nT#^}!#ryoTt>iL(XwGlt>@lyPTd8q_z*@#h@rMx-H95w&70NYBKpjYpCzRn%Y z?t`H#VNk*9;;LqLj6)0Fb!f|O679g^KlDoq~u8mD5(Uu39qWx?q88}@WN=i zM+Yw@0m5`VJl~^FQ(53N-DBuA4RHWlbXs()=QUW&piLCqe*t1?o0UUTk}h|S3L8t8 zxMJL2XVNO|w+;9r!Ou*4So_ufD&FNnmWDWJH-V(?&q4Tgc%Y%TZ%F2B2diO!#}?+x zJTD1Nm~!3T)HXZDM9EX_#UEtaQp>ZlZJr1mF>;w<&uqm?UC#aXC>b>pWmPgUiX@p~ zybi@z;{`Wg=-wsCwZ3{=8pke2Bi>y7>gWP)4^9AI)@G)@_@lzG6ywYE&#<7pqPE)O zIySCO)bLjNXv6U+-dz87fv#$=S?ykuYDb5()gx2qQIKtaw}d9W2-UwScCJ&iJJs}i zHSoZtRIqf&uNFNAo0m=hj=ua956DRmbRIQ~bwPsQs$<@Q_rcDOLD^hXj}*RaJ3cZh zX!5{zN27QP%GS#c{$nCSipD(V&r}ipvnRD}Nj9K1P`Kspy?-U*P*QHk?^^=A>~U^3 z*NLL$Gi}F~#4Y-I}m>xr8K`1H}Lbrx;AM*Vn}93?x^pV+?V?h{}ZtD=$^m*+o<%F=(> z*0r?43Mnk4e{a+Uj%iT7o+RhSI7?Np$@~6yH&mo^z?p2?&lqE&P;Tx$5*lQ_88;Os zl=8fd{3~HG!W&I%P&Al1+q(_cSagxx?UnuG%x{tOS>Ye=G2`k(+uh7QZXzviJ?>UFM_$fpYQ~Asaui}{!bWx; z{;H$Y)EQ_pkCQ}+z_3am7bSG@dQiSS!oy6D4`QmY`d6{cu&r%)W+}?7{-!<|Za_y! 
zl764d*=O;cUcG=`Xpab6TBfH3VJ1mu_dG=P@bD5-%Emmg)Y{xLB%6;qXwP&Yz*pVJ z*Z7Swj(xCJ4KscqSDk_CCRU?)+)s9t&=7n32QA{aVX8uuz?g#qSMp}PER!L*wNVL* zc~svb)eb!D1K0~O?j>K$we&uH&sArC@8v?=;5@_lw_bG<=J1nthc~2b=-?FdE;FT= z7W}MNe^;pR)zOAT;2-N~u9(*;-Nrb@`K}i%LuctuvklnxeFrL@Xs9o5zwf@YAE6x3 zRoJHRRS|hMHK*WIt{)D5HVVGRdp*2!>05^GJE*$6#_Pql#_9U0?pX=^XVorO3BrKy z^z|Ljsaa+QBd##>zRfmQ34>z+m^yDf>6+tv^WaRNJPBtlQqg}OmO5(}JD!(G=1=Uj zvlLW089JGM5U3uv5ns6c{y?z(gG7Q4zvrH+%Lu`BP5@KIvl8)*2%f)KyaTEjNlF9= z>`U6&G3pYB%E`Y%zfrrgV%;N__gDn7_j1oyT;P#Cddk*cyR^fYUwGET#)>!$yWfhi z;HR1!sF&ZxIoToXV70e)N$h9XxAX(pdJ3nMKX*6 z#SF^%BCLZ!bQsAIc3<59I*fRBe-K?E>aN(5gtEObtc}Y>*Ygsg< zF(I!QgOdsH8Zt`82Ef!`GZ1|4F$iu@J>J>ruv2*?Iau0Cs@)&Gul-^`_Z<6#{xg)z zNC_fL{FTL(se&n(F|5`e=j4`IBK~8oW5t{#l!`K>7*0O%8W+RqZ9!4ww8eMxzlHHn zQC}?Bwx(<`sSVx9rJZEuf*)qT{rvBjpVGURp78zFJO0G+`+~d8`fHy3ky$p8a+-Qg z53k&g!kP!TO^qfU$dVay?KV*zt89VyxzpN~yqh!>pHpeRNhyn9Mr_Xm`nk&|gcB`vm|5o9RgQWT>o5S1L0$(De~mRYeHxPHs*N^pF)`oHa@=N=TLJdlVwk2g6p#b9d3HzB^c47Wx7UY~ZM z^3T6EXRl;e9|HSESa__0rnK=b>x&B+c8PABr6@Q{iWSle6ifUpM3Iye3+N(OX-H6VQ zMFJpALv<$jGO12aYGnzmkTBDHf14|`9iAgQ2}+Wl%=+SC;!er#Ij9JEy5oHe-KDrH#meMoN56HPb>beH;{Ddp!z&O4_x9hnAoH9D0{J+Y`^cokg4 zlJS#R<@U>MOH!Ntn;^&YaF-4w%e7izJ`?^Wx^=hsF~9@IHhfPJM*eCc&}cL^1NVFN zl*&|DpswpPAAyqO*M4DI=g*Nszp)32Y&9ttGT%#nt&E(l1y($+Mc_Qac(p8I9#*P< zgePVop{HPpHjd~9B{_278-}JRQqs&*1lNT=xr+%p^a{R29Vlrg^?ZV8)c-tJ(-bIO=Oaih3y)>hm2ywoTB9 zI9SMRjBhT*fQUIJ0F07L6SIAiQ^#H3F_&`#=8NE|a~%#BzquvgBA+t-3Zp5tZCgpS z`OpRKXOa$7NVFlaNpfJ`e|w%wc*JddYkAAtHlB0lM|yVvRu)Po)~jkHsYaAL;l$wy zgrW+3Qq-S7f7jJu1AwNe8NL935wffOv<4Fwfm1zQvi$(&(q<*FGTL!D1nA4uwcYCe z%R4h1aXz;Cpr{d$HeX;9F-!0cV1VI(Is5E}fD3?7HjU%ZGog_eo@;mpC%={A$U;$T z62UubNOJ?Ti(SxnpP<%>Ez`j7FSrh=n2^6pm@gIHRra4<;)aTF0S^!;9mLh~SN@o> zmq1r}Rsc1}iGFShuM(j8urr#C(p5W?Hxt27HR~mL-v&dUlOff6Sseh-g8lx8^=mGo z%LMhgI9ObD3mHHu1|;qPYJYlC5*oUrDWK0e_^bn@@?IB@KA4%ZBQOM0oA!@*9fUN% zCGRmtEnx&qeQuY%2v`CAh$4ES98Tx%vHJ)m$f9p}_J5(++C)Go0}zU>trm=IlH27^ zweq8g`5v*QWmaRYWu|U$UOc~CD7WTf?2B)JelHK2a}aJKcNkQ(DgW{Z06oLr`tz<@ 
zh9!Cy-&s3?9GaNI)FbZ{btR%R_R$*J@FlH>91Wkyt)V)T56$MVO6jx3d)t{%Ry{q} z4V*^Xw3f9vv0h#NV;#2idEKh(5XiSVRB$aIG$IPs3}0ss+DU57I@AFeVnTzJq3M&A z?$=r!wfyXy3s z1Zes4boJ6{s0Uy5jQ!R4pfZYxr3(8b5xe8n-dGOC3*R(3G%a@aU}p1+7lJ6^)Ud_H zm$J8xOf+0O^2N7=*grgD!7pSM2gJlgGand^?PTwx3FqBoi@<y~}DAE7S4wd{HNPnW!v}@-4d{8$-ba z_}{8&l{>04Y%Th*t5Ojrn*CalW-$P8=Ip{J)^00wSL<3mR%{|f1UkI(IR?D-~PDRX&O?&Ql)gyR;v z{Oj*tZ@R{$Y51u(mct_aNSCU zTF3e`f$u1t0cMmbtDe}2kGO0tsPskYvUAaCF**;^W114>)kipZAd{NB9bBNkHYc*H z$4TEbg)-FCy$Rk-hjK+!fq6KTb&HerloZb_M6MG<2P#vVN@*&M)t@*&;h2CW?)}HS z4(bV^&yW#N+yutZ$3cZ>dU;R)!S#wQpd^eXJWBO9%%L9#~JuLNYrS0_FNT8r=%Y7hnbi?zX5i+bOD8ily62G1JM0YyvIVReiX< zjxP!jZu3LA4-}C~U~rN$42oxuAv;}!eEpL+5_Nu4oLSy7=^o;%6+ZHNsAe%fq)+=l zMenq;Ryku2o_O)uH*`{>!zf(lDPhEMOorLJ0wL_T{ESS&%oOxJT*oQ_Je&y@G<&hb zqfL(TH%v8|sYlxD6SbL?X!{vzs4v(?tjn1Kbf5d0&b@}|9)tr0JuqMFm(HJEiud~~ zQ)JaS`#B3SutJN=LKK-EsC76@QhBmcflchG@@pc@+pMK*yDLCqt*F)WK=crV#|`zH zPjrke`PS9G!vO;!q3Oa=yE80tyH2nSh^2m{E`~W+aK?MYNSK+A<@+MZicE0q+aHf6<=2n{1l$B_)rjNAFfQl-mPxotx`+$BNfQ)Y z7iQ)#OS$I2G4Le;LKDUFpU@b)O}F^Is)m*Ffch-Gbq7iK6+;Gqw$X`G&|4+!36J7= zhdJg>a-FY??5vc0|H+!UDr}s!PME|o5CkgIG9RH7rbDq91p4qyq12w2v5oC|5$h4d z)Tp$-+JmUS?cmCC`tSg5Qlc)8wVFhG{ey2ne~d5a{^?srx{fpn-x@kuEjQw?u^+(C z6uMptFbrt%_u+>XUNJ6qmd(+`@C=#Z6ze~pGj7HJcEx)i*p+1wJWN0lef7>cD|=`d z=wAdu^s4aO?D@Z*-3B|pn?M`xxAjkvsLA8-s?<60o}k(KFRlACAH102b6rv;ml4_$ z4#0NK6BfwAeFjZSvtss{K0uvr>NCmE*nYp1o4*G?cqqX0Y{ zEYn#EaGg|Z6Y|fWfOI*|0m)a>k9cAqEIDEp+a%-np!oKytRArTM(5+y2gxzBXWv#; zT?j!aVuoO5rHH4Kt?yzcX9h0g^?R&ei;X?{(+QfEd{V3``4Yu!G7T^8>CHKKwbbW6 zX^LC2O7w?8(6BmQ45uW;09w){5WGVSH`noWs16ktpd5gs>&lhI?k7k#lQ(9fkSB#* z?8~!B-1IEk)oP-9Fgl@_*zBDjIrYfONIFC zI;f*p<1h}WCuqU8{ZoW$3510lY-cmHHRmVfz`KnRy67N;Ot77fgqNX z^w%?YbwbtHCg8?-aKvMLfJ;JC905DGb^{aufJ^`cuEbfzhZt|@mDJwO%EW@7eG3s} z7mdxCUlx*Sc|j=*EmW3m!A*7{Ve@8WDy7h2a^GV@nVSyF$~ya z0cgT5H1tk}`wr61YhtCTcOc8?3*}bg%)RPJJJQ|Asfop&cOnCI_s6`KgCIBpxIptxnfz?fnqa5~4 zZ64-_dQ|Y4#(iSr$F9})O>OrR;Pl;^%Id(S`ov3q!L?QoXP`X(1foZ#Q_sdX*|etd 
zx3s{4y0nl=BY&WRYj7k({dFc@6kDU7ufa~0#)`jrTt&#+)fS-9V|${RU{r&7#8{a$ zs8pZZ^P}tLt@X7H;!Vx(YfbeSB~(7jyC%=a2!L-;U5@TkK#{%c^}OP>9UNB5lG`On zedn!aCa57(ly3m4flSI4`{2*adbzYLdSC`@YNwxyyafY17A#qlXKmA^tFqEtCX@|@ z?aR&#o$nF>Mn*TsArD}{ppmXIIkbKYl+;r_9|;}P#oTv5{3#3VLkk0&$HLBNAildU0>On+AZ=rCcgnQIeMJG4mWwDQVg@12V=@cYEzTdWHp&CiQ4I1 zyxzEPKE;%4kygZCC2d>B?$niMSqW~P%=Ryv$nd!-3fP?}fY0kF8EfTXdbnh^r+IYZ zbHjw_xkpnol=%!D8YbG=8l)>R8;n>{6=G||)-;?%UDMkHUf(Rkl#=L-2h3YN=(nn~ zuJfjnu#)Mr2$Sg!()fjqZ5;5Db&gMj)$qBeNky22|0-3<8D)1^PG(a-8&IRT%_@iFUpI^+_P}b%Z z9MLZ3UJK2h7pq*AGb3fuwL0sp>;}N%NZ302W;Y-=LI<+f{QWsja z=edVe>w6%>W80eiNWJP>7UA!iPoa3}7Ot|?(bb_jagRtDzAHRzo^C?w>e$sG=9fZ; z1}1B{YOxTd&-%Z!MpOTs4gg1d7FMu=sG<2Z6q>WGEWGxvqc+z5tmt9i%B^QiG?C+; zR2$h%(r2^kvUAls*aH<9ZPc{CN>WU;&CcRHryQc3XV@{eESzEImVQ5(#Y|k8%H5Fr z;H^}alvTv5-m>{javeK{VXy1;`4lZa$4JG`QA1u>{f?zsW3lNSs_dPyhtR_cd1mVy z!bCQ7JD90@q;QNKEd{qi%AUyQsAC1K+QutKJF8-1iC;;-Lu-)L86AP?r2sl=A)+47PUjwZQxDvZB=Fkf_&ee zs}A=Mg3o8K>~lzi!hQt;72p{)&gphsQF{J{&#S5q=dtx;2s2%{2#4TCig0Uq; zsV^UL0GQKsaG-}*d)v>X1||pYOLB)8)20=*bcSTkNwyj}BZRM2?c!>3^a%#R zx+XWR$nUh$D)l*X@11~a=HHSwliQY$FvKuJBhaG4k+sLwe-^?_;r8xRF=bCB6+qdK z6I}TfSg75=apd>;Tc;}ypdl>vn&iY;@v=j`!Og#3_ebiLFBPEshlff~b*l)Ks(kyv zimOn8m+3Z(v|zz3Eu%JuA?DXLa*iGAXL8M8ufSF>tI58Fh^p}uFt-BZ?sa)$wAlR4 zha&i(}&*OdM{db%NJkdNl(X%Et89L{Yz~!yL&4T*7Zx(8< zscK2H{pT)gMop8k`dc1emQw4Qf4th6*?3oy90z&d;FM52--nX#B`hGI_(N#cek)0* z?^lzOG?G>vZ&=!`DXj0pURTLB(o%6G8z_<+mG!^2a7Y!9c%ZS5?=Ls|o-uX%M95IP zDcFBW|LWE=9T9^0ET`mj{@R5(vMvhI@cJey5d2OxmnD!pFk^OVai;wkr}`&qo8pgS zq`vFfE`};E27D+nQa&18q!&7>aQ&GEgV2L_NYH}VNHBT7ep{+`MO2VvI(k{B|5Y>G zkdluc!amUG4v!@k=CW^hcAGFN!Wwn>Y^CnHrcy^9zv5_zSgC6H8W;uDKKv4km#)fn zy@%r*sX7t_XPH0Z{?jR1dkksr3U<#!lP(YT$hOG2I1lq?Q1yN$&TCXhJMNH$i&(;+w{SHHxG3|P^b|M)Y2I^;ceA@n5gUokeH8peUP)2!mQrB}P1 z{nLY5lT@3J1%BmaooDfvJcE6Yjo!aj$g&^>Hl!4uP0PzoaGnnyR}JWJc7yVt zHUDN=jTi*8KHE7fKRE#powx1;+*sOOpfiB^|zU3JPO%bm)QMimE}tA24+F}F1Ak? 
zj{QwvA%dIJO`a26S1fC0E7H`J3cXTtoRb+ywHf~2^reeL7w1BS@53KaUY|*Um++Np zJe-c8P4%3G>UNDjmuJ*aWCxKj>uQ85N$A86$m^uT!-gKi(*{6L244oPY zvVMPQ)VoJU%N_#@SeQ#-@?E|xtJ)ka(?Db_tKXiaNSyxfcE05}2PUGeyDjwvc_Qs% z629OxGcl>2Xv@_8?yh5*wbm|whzd!BzvnMu>@h0>t0fCHJp_#D2jxemW>Vo_*5AK< zzSb>w_M)dBW`ANS^<)f-)*S|qL~v0kw@G+;|D0`UC|xlSZ)qxBne%+|w~;p;d!MG3 zgD;z3QNrX&#)`6{qH9V*jYDqk^wMku0g&h82ZcL0W%tHk)JWnzw)k!#T};hIm^WPt zB$29t=Xmps;u^|hmqhoy!f|!cN;&&dw|Yh5{Gz$d3IcZPIVM3Qt7O_wHz4~(v{=Z@ zDe213q{Lcnzgdf<`F)9FFGII><0x(5YMpjzk@_U-WAAT1OSHOXYSe%8hz}d4vsWcb z_fmM`JSs7p5!upZ0&&TCUA`~WJ>0uw@k53>8X3wc&T1qYXs_e^w^w*Pp4jLeiKmd` zNc=fch(mndt|6udFVDS(=iAao2F7$C)S%5H{l;l$!X4zo2f)QwoY;>D%Y!U!#15_r z=Yz4gTf@ixPBO-JhYb}p+O%^u+E@(pN5CQCDj}JH>n;T>c4C%S-G9&yVFv~~;E%=1US%dR< z5@&r6*QZX-BO5bUX932#{w$fV-MTUD7nxn*kRk;zD)$Px(Jz~VzT1n-Cne&d&C>zh zwX3>u5>Lcm_+eifrC5ia$2N)h^#B|0)#wz)htYOAkKd#7vNCiYPhYlHkpHtF331zC zn4~t?8_^{*(tGYGmA_&jvY-8Tc4^Jg);dXJr@j)Hz;;elgR5G%PmQ$^rIU~qg{Now ztfYl%fyHDVXM@azm0wby`d+Pnu{`9Uk#`u|t>RLe`Y3YkbJ*cZyc^V+A~|ecmfE0D zfNF>*F8vS_c%eTj2yRJeHDWWH5t{pz{)^c}<0JXIHC!+T3AUcXIxxR^3r?&hZXksfepRbpble{h}~ zh@VyMMYJ>hmGq)pW5bLWTZ<3PjQ>-Bg^WIVI?(V8^H4}TTL6AAqkdO?!5axTT;r>> zv9xa&@INED}2&$nKl|e4^^9Y%?kW7ocM`o4u}Ga?D&CzD7;ZnvQtDi>F@7%)h3A8{WMjr zXka{5&1he-$!81kBss!6suzZZrnvQm&#oHJY~!|>n76Hj4%hrnSxfn^e!I>FZr^{m zwgU*Dy1uFgZny!&nD7*0ix+X1PE*EU*K<}!5@L5JR6MG_y+0DWjyLZ5wpw*J zGP2Mn?2qUi_p9uj33kr(Y&BwUc-yqFo8s2aD$k}7VmC=V!4o#0i1=^LYcFTJeq2J^ z3--guZZNs$2^L*GN2j_f;iw(naOKiNoVsKrK$bXqNHBUWlK_GQs%gs-_w4s}sSvkd0bL6I(Z{eSIFG zrWv5><;2q}*N_fAJ#D>XZ*HjfqeiRJRk2-&?@U|Ls*<~LScu=hT7z^V3KP$4l`Mwv zx235^6oj)OUDVB87gxs1k^R%c^j zS~(qND1jS$-Q}v3O)way`$_85zdb(PDSkzn8em#sj~NF1Nvx7sVBXj1^ceO0%_@7d z`yhu^*N${;P%K`I8tE|4 z11Nwb`?NPbYtmnkzq?RjdaMTUTR8CY6d+}N$i4mJ?sI*}0kZ%J$EO;LOdU)FfM{p` z`hS6Cs1P+p)=$96t$RNVf6nCCD@ z2Ui5Y+t62jCDF$L3*e?YTm9N5o& zu~Fpgvc_PB=O`J;7bqFu0q^(E)_%O=Z_guY7>y!haIOA8A8fOA;Vrk=W=!>gyZ>C- z?CYLD4_!|?hVBoQI|d{t24jsJcNF{!_e2Q5v7om`l)+T(w*3)`Xv0H?f5ktHzyXfx zXW=+E_;>2?qsVl_J*>tGD;2MXODIOYsQ2|HUw; 
zaD$wP+^^K|My31UjBKJp{OyBQFCtwv18Y#2_E9;Mn%GU zupB6-ZzCC!yaj=)+^M;yTn8;=%68SJ@o?)=aZ$AU9;$+@#tO_l6J}06C|^&g67WTS z_@Rlkpe9s4k1(5vzg=4$b5W`=eU-LSwf})}TkC3XH(1q0pGxKBucQoJ*C=k~Pm@D& zavbM#^wV*2*@2@U-*D*K#yyo~?ki`^zt~m_q;Z2+OAWIa@tygKEApKc-!o~I<7vKO zG=^$?J9baRDZ3-QHOlMEP)G*!2eyf>%-vdeh34*SKR@!<+gEV2@h0N5{bx)Kjy9_e z^hEaL3c4pR^)02`_i_^J04acEbKJ>g?tZHnItTo|zUY%?>xON!0J({y8<_Q?MK0+0 zNesk@#gT@}+#!pkimdJ-Kb*Ko{ukO#-p-0G=EfbGCQRs`ZMK=B9vxCkGz)09h-1;1 z9Wl5Xq>lK1(Ypf3f@Cc&lKk7g@=B@2*+tl`wV(JT8a?}E;xhB4%;P7Q#_S$hEiD=T zf5k86RkLoJ)&OUi6p^~Zo3&d*&sQw2a_LKT^23A@_M!%nC6c{k=;7StsF9c}YK2ktU=#Ogv zQg_EsTK%n2U1y}5yQiDvKV4%^0YQH87KBd+SIMPJW?a7kTY+vxI(qa?hPg~x<5&{058uoCYN6@!6AGdS7aW_*6>!Drp8LB zd!nEw$N!r8eFqp>S1LN|z{3{iDBKBid$dMJRrW*f&i}5lx>`0$Y;`e-AIzPO?(#Vy zHC}Qpw^VK@`u0A9Q|CW9WSC9n$A!$`6j9R%QD80#fI0v_D0|H6g4R^WbUx4BtS> zikGXQDoXy}T>Bl%CgMh*FIiuiR&2BcoaC-kW}aB z+3HkNl&-XRU`!8qVU@1jiLV>1ozjKuMmyLvrv`if3bdV z`oT}A+?3k5+9z*t+6{-yeFt*g;jCPF%zAMkY&iQ(BsNQo-N<+J5VH~2HAgM2%OX>z z_j%m_4Vz7TtqFUH{Wh&@9h9sRG)%>x|L6HwW!B3QT5dzvD14<_?~r@}45YT7(B*0s zP-r6&2!}A+xJ&6Gc^)=Apwtq*Y_}d?KFL2VIEmvKXO*=as*Da?t)`pp)Zf&l*K~DK zFXN!^o)?5$ezsWSH!)mOZ~Og1QSs-C)d5nGQ)h7FtvjWR^B5d z<{CBgVHRn^@_tl8J?M#j!EA==5p(bL9clZ>WaV<)SxKJ5{u7vk)I z1p#NWhy4kVta%x2sSW%9t_5JMm$?jL@6;4SDLu9XFGI6yfl!2cktuHb*9H*%SJzJ9 z7=xzz?SO)(PiznGN2m|S^qu0Kr1%LIug;8Io}Pp}adw;IFJj;STx?k1&RWRr_OzV& zHL!BlA~|)?2cY6>f8_TE#Ci3J0>r3p($`r#f7*XabjwmS&;76miyZJ&@t?*=8mH4Y zGTl1_`lniGX_fC7(hGTgmWbyVMOLq_tCx$F04$0IGqhV%eczI`HgFxjZkT=0NZEma zMtZr!-cdmF_01j_33b+xfUmme4M`so9m7wlctNPwCXn^S44b=tZ(>=KDH6 z5l@1@yz7)A7Y2y`i5-(k&j-z8GKqJCaiQ!g*l3*=_4Cqy)vK6;S@?UmUxjmg4iiABoY_2taxhpo zNK1dR+!dnMS6{R}dGHEH?R;gMTGj`D)ri0B`EIW~Txhb|vTYl=dyJTYKDe?;iFH5F z;s1hB%aYQ4oUX;M4s4VdwUhOUToqo-p=UwL@EW{AW*o~Oex9C3g_dbW&p?SjDSn<5 z0fMsttOHc?Wcv2v1@5@wCA`zW?2`fz@p($;RKG(gE{O-S-Y)_AiOo^>|g9qQ?mQn);mQNScz>`2Cm2T+aP{ zHsw9?E2HEVpl_@;5mhqhQ#XCktY7OMrsR=#kLQu+yktX~USZH6PGyi;m-F0aAv*|B z_HYp!ztW&NjjuC6wlxu70v(};@CJ%y##=4VJY3etcheLX`vpba`x19*M1=(fewj?_ 
zE`+(MhaXOJT1fw#x@2B-ZZi1FE=N0H?Zv+p8w6xeMF;gBc^mpf&Wb2q+MC~N4~Gyu zoL{Y;M{H@+5G}_6rb6c$uBPY! zKjN!oJ=y{eu6sD-t^RU_=>{Z`^FqxxF5|M(gPBI?;1YVL-xCvuo7^?;EM=hO$T^Jl zTI&jAD63nNR0maYFQn6Z3#6jaFPQwKSy39g-m!;7 z2X?<~d|Cycy_x1yYH+g3!}CDkcvRfPUB@C4+2*RmwCFzp!Oj1$Z)6UQia197%xYwG zdQn4LTaZ-$Q;?tA%DK&0$;fP>V)@R(Su@8R5UxHeD67_|%OF0R;aooixa>vet_PQ0 zOx%KX3@+BZy{{^cw(S>I5$|_RQM^?DtZVu~`+KXU6qT4x0G>FzVdN!~&Q4};>kF!E z$Gi|{HMs_vTI>$4wP!T&eT{~XTTjH#(3t$=e%hVuhxKcBlo5qbP19XG?3&Ip+>lya z!AWGh*SmcS!up-`O+b<9>2M;75ODbPPuSlhgdsq;O$!V$LIg~C$B5KqvUFahY|fO} zNNs728@>gkUoJk)sb1|0;DAG%gFXh8X@@_xnGJP}1Nv?AEwlSGm(XCo+PEbl*PXp{ zdhy%g!+$iJ1&cw-oYT*~Rg|$GGJ4v*+G^1V$8Y*hctob1D7;|u{$IxI$q{4%QL(ko zTJ$n7m`?Fq2N}M*sU*=!b2vQ zdQA8%Fmp46=PXC6)ouA}wvHXCR0mW(*d7t-!%+zGuYY^NCXy7;C|+Xcw@`Th@$fYs zN?j*(A#Q&nJ=Qltc?7)naWM!@^0S&>3Kja{;3$eHiQk->&wnPCdT53T07} z$N?sA!xiBf^X(FD&}Bm*K!$~Nu?q%-UC zsFfMVl8;O+3P4|cCwPyqOi`4>cp&Jy z6js~kLSQGiQ$K>~fPlyPa;o6ACcKw6MVqgV8Mi3+bRJ}j<$27^n2bZQr3qTYyd+lV zox9QucWa$6PXnEqZe5hNg%;V}F>41Qc(O)wGx#Eue~n~Ha*Vn0xN(SMsE3POlgwn4 zBjgiB?7tZJF8n7&_;Ng0|@x^|i;n=EdVbs0l zEJb7tDeegqv~{SR$>V8Y1`=C0(bxunjjzNo-VL+(&ee)?aA(Ge{$6cJT{`;*fRpFT zR4sTmt2OdWZfw$zo27_)g*+dcXmvLIxfW{MHP*yuQ66O^c{9+F$n1p0s-%G9UPT;^8-gk zH4=_{3Fpy8G!n)X)@YU)w`&rxeV2b)vlBJTCitq@ym5I9fJv-nB!7i$5hBCRQv-C- zY9@S>6~>WQhWW_$1@XU+Kk zaub-3)kyMc9)8aaniAc9vd)Hha*CN=#^*^h2}39--lXTSu98U? zIbO|@3`n0^w+MC-NoO^86`4lYf2{%?k&$vo)EDw!5fPn2n}sA8 z7~1pV4GEJp#dmQ|X;6}>m6Z35nr{^MfWVbdHKoYRz!yu|_aJ}b*jtDvodg4XiSe?g z%Ld+mzRl1R7(nj>eCkYa;=SM4VATqc;R!SD|CrpiH{==ssko)+_K-eoe=doLfXX*? 
zO+*Cd-aN??D}_z2cfMQ$D_M%VtCc6SH{`7Xjo<@)SFUsu9;v&rzmdY3 zfPP6o^=}pu%UoY#6`s#ga-D@PR=}u=<2(;~0J9Fg5?u$9-EBMfz$1MhjPwm;J6Bq* zdvIvEXY}|TPVKek+Q~ibte@n4p`CJJ{k%9>gyAL&k;bKOx|3uJGk5~Q$PXm^dgV;# z%KMxRN$QJ5Kg`?Y+5SAc@{d@`VSTLu9rN@d>=V|y0eTG$stwoD(3^3WylJ9IZV%|i z?d*YH$!G@FVSgm8=keUkhy=*z=Ov*oj#8x9Y$5J2i#gDFcz;Cy*$gB?zs9DSBNj2i z_N+*qm=-whL73oKMu$wHU4?`0TZItv+9z7dR@R zkey9&rpW&NbiORn(}Dd`I#Q7!D77k7+RN4#ZGC^F;zXg- z&NTf0T}W%oZ57FxSJIg=2z;e(Q)^fo_n&lRUk}jBY$03w4XguoTSMp@XMEcs@$d9d zSoL%`ei?)Wv}hdOEBn!AFlaN28_JsXB)vfMi{57#r5@q!=0;OFJJexgKkj||EG%&I?b!a%wesDkM z&=gB#b3Ujo^+u6jNn7`7SpsJO+(p?c_&DMh8Z>te$j>9PguG{o*+Y=nguvnGm%Em7 z4H#l!8=;*U;f7<0L%z~)Lk%aQ=oT38w~dN869WzFPky~7PIKC4Zg6yPX_J8#CnGJT zJcp}I!?awZ4it_@^!fP80xG9*kv3fYc;avR0O=~;3snhc8!rMvx5e%yY;3BjgT+B6U`Z^`+PbKzMg5k1{>?bnNmlc=@hTXT_M*+Q-v+QfI@w5hf)ameQeSgX zyOOm``={D?SU*Ea)biqbWPeVfW(U=5V$C|5)nF;_#c&pk^7)K!{>t7d5?{qf7ds$) zZ(tUu$H9j4BYt{C{L08AgmPkzn7ZjY@#V6vaj=vd-;X^eVUM%)x~da8Y6}`%XZno5 zz?+LntB;w(8~>6H)42@|W2futFdpJ(Mg-o>wh~h@h`ux_sfu}DTREsB$U)xo`ghn* z)sd|9&UY;Tgp$)sqT*91ji+bCGlWy@M9B;?qPowOGUu~6W4LB!JD+%ndQ7VRyISVf z=AP|s+7nff^BTJujIW0t?%qtkh^K`e<&1mA>|4U5M6p(#;(Sb?xDqFseOdEo@gpMw z1jW=x1H;0)$UYeff`j0k_uH&_JSu_l&9^^x`yR)fY{;qqR*M$$)?bdpz}u(RZd|mk ze)TlaH)*%udfV$RSH*Su)r@QB_rO2xVcOi+k=X3t3_pbjGV~qo@m%#b=^5C07$^M& z2DiDrm8A1LMKrG@p>5ohA*p$ibY*{_Y!2W#??#71Y$MjPkP%^m%@$-#3=;a}a(n_! 
zrXed$r#{~g!wE2#-X8G~$liG{m0c?+$V~(hQ-0d@F`0fpsiua~_!s$`m6fw3$?DRq?#xzg1(&!;hlhPpXLB)Lp5UtwoETteY5f2>B0vMFY(#EoYl)lu=BQ8vsx_qw-wn}Cw%g+ z5~CJbtLSZ=VZiqEA0^0mB1`%Y;yr;7I9_6++U6nVr|G=;wgXGOrhv)e5ZA&;a(?se zy1?Rv-?Mq|M%6;)SGHh)>@M)N`R8&B$%^wnOfAcFJ_!`0Zi0OZ+454GPaN(cXsV=H zLV3p|R%OkX0=vA+s!p2t?d(LVo-3IbvVF(K7wn-Yv3mE1oxtbm5$ZWBfsd`nqGBBx zUmWsRYZtgbMDWKXGpe%QV*C8oajnbMcH92WBkayA>s_zf#Gt-}f?VL(P495SMfPYH zJwZ&FVQ=eVlV?Mqvs=fp*=5Sb7{Ov0@yPu;b%~3HDyk2Bv@1mdF5C`n@TH33P z;8v;D9*?|HPtMsn;8s_l_`RFx%xNnR>Sp-g{gw-}pQCEBG5ljsD{Oz0*P|JV&O0`U z+If*lwuAOqvvK&J8XKZJm8y4O zC1ji>2@UN0t}|ux&K~{+#B6Rxqpcqi?!^E;wlW8jMbFjFV-eoZMX~#Ll4V|sDH-e6 z@WLd&hjrocN^@eXaq4@0vEZ8Rp~R95>F71IA&KdC{WluPpE`eo&o2Zrbed-dcw47E zWwo4-nd5{`AVn}G8!LT^|<(HXNp%b4dK6MNR=XU{~`bMCgKfQ zj<$0e&4*1y*VhOTSqMItENWfuZxQ&dv3joTv_@_Lgv4&z;t{NAe(A#p`xn7fRbSV; z?9doZO1lC};Px*PmB?s8N+bkavV|Gs`CrL@+X!QDW!rPp{f9|2F=nZA~iUHxkI<4|z_0 z%>euSNlFIj3(~IX>_Y({%x8`%NhuIIAes%Z7o6EeVuN)z`=6Dusf5~xy#1yfCx&%Lx9q&gi@Lc5sN3Tzh!$;o1Fwf<5>InO2sjQkW2&$xEnt!?ksSI^F-w9g3q zed#~zEx`tcQy36O4;n~<46>iW@c*#)oncXITbqK2Ad-!^-1FUg=KJRUnjbSfMOW3{YsXsede_?3 zT}2c7Q!w#tDD`LBDN{HHFDH+>ubua zcvG2Gkr^yI&7_u9h?YP7eIJd$GVhTJdKm)XvMA9KM2@W3{MlHv z0@0*b8?Qm*@78_VwHMkm*4Z9bvJ-sIZ2O4PZss@sN}WmX8`{trWHF6>9#N^QCdGn^ z>$@Sfa~6b~2s(hd&WGPF6f5!CFZO8v`H`yamZXDUfRK1oVVb`e^D$-hAeyp^8V`@6Le51bVT3aPB z+*XC+glt9MK^kD^KIFzgID6H`Z&2C0n-ER@s_`8GdKz#HPdF9Fihz6ZP*FCm z7Js5T0%qtf-f73}{7ip`* z89uyErSwgo>s|fB#CEkW_tB-Ij*VSo06p--7ac>2in>e4M$|c2^+D%to|{uPnMft# z9aWeHp!+vIZj8bP@oY`5A^yxM3J;|Uyy<-8MfYHiY+PkNFr)4zzm@nEy(NCNe4Qoo z*U(h{>Tl#xcoFN;dWvzJ_miVb_Mv~yg`CMpuVcKkbF@X&nY9ToRREFv$i_QWU|5d6 zz9D$24h2=AZh0n&*`apbYOwUZJMGNrk4C&W(pMqoOxwxZ1V>TAHiGN4>kyb}(+zZq;!sK>g|( zTZUr?*OlHA4GeoU4Sy#Jpa<-au39^{{hg3m*dhCjppIIHEcPNB&2f|$YrT8C*B!_b z@N55x_TNYIZV=L$?7iWH=ka`EdL~B(qXR66z}dC3n(Pntv967FHu*8DQKD~Ze5ITm z#j@(_vMTKyS0aerZAYhOvvI`yS9bf#rr#z1NO+DcxuB^g&WZl~8&T2&*b%IVOVRL>pT#Emb!jMX4*Qk1ZOU-KJf(;g|#$*NCpE81OTzy`~k zgt*eFx*Y~RPtGBzRRp#4%8CR2*J_RqhQwv_iMWR4WV`=AC|oWEQbxB 
zQ{#6!5|lqLzIf&yOstGH=g!k4Pdydo%tViSvho2zisQwH#$GSr^Ue%^YSU!%FP zi!?$zG?wKn_(E-*eZg8Y;u;o_j<7bheo`Q58)sY1L6H-#p@M zJ|C4~rQ93}u&-_W_DY$9>@!ORlu~g{`ZK-$PRlG< zw(D(Wl?$G|-!opq2gB&z+6~YLMNwpKp}FOE2KJt6&%>72_?s|z$+vpcM2}iO*QAZ? znTTa=IXbz&x?p!;qwcmOQ!J6A$b9-;dY{*&`57B_i>;N!Jt~&(OW!P0jNS|1hb<(! zL@Fu{X2k{_UWc4qjk^^Y36b9d}Dnvokt{?d#EM0#HRV1dc-?=tgM`K z6%%4WRv)3l@{y%x>zS795#Whz$m;p;eSLa#kXzo`Iqz9sd0_nG?!ujITzBN%=IqnR zPVZwplq*;Jjvv={)y3J_-ilOJ;Mv|p+Xen#9w+SRG%ZMQ&JNeT&8Az+z!t4JPO{x} z1FNo3{?*2NIBTiU#I9u{_eH?qOlJ&hb-DS;=n%ffGs&V&ucq_}h@?rIBmCTI;-KG3 z$|)T?P)bP$Uh8z;@eM9j#r?`^rr+pD(5&)RW#BBA;8q%W&xo9Y={wq`wWbXpnkpfG zUs1Dtl`b>Ay+g-9jWz@R)Ax`;glS!0xd?V8S+V0`<>txJE{nm%jKBm0^|^$Ha+4sowN{fX6EpX_FN4=zaorqAf7MJLsVNScodyKBc>3%= zIe0)jx=h$1c^Ys(R^TaB`7Pij1+rFHld<%#InE|tx6tq8Qp&Tb%i%)o8zL!H$DDI18OmydnZ_##mRsMW0@dRO%#5kB zTF!SSCXcuky%g|iCH<@YleYB_ekBfeHD8|>aXwrqe<2=}EQi>;7!mVSeU|w)R>nNf zy+i4ltE5a4tykvs#Nu;4v=nRv9D}%4Oq+khnw#(4!P3_u{%GaF0(ffrCvW5GqJHSk z7ERb>%h)ojx$gWR)gZ@eT9}r8#05FG`gC+VMxu5KZRt{j!#AzasE7ged& z!l(Ook3ZeFw!`GPFMs@i3)z;? 
z!*1WCM);5{{SFtBlb$aP|84AL#M2x_DM`k-q`|mk9x84hY8=~ME0WO2JODgdSA#YF z9{4jCPiN8t8-yDm?iQ0L)8 z;XHm%qulw(Syon3R}CSTwEQoG6p%0m@2qhAjBj^zH02Am4U~CF?@Gw0YHP6R+(5g5 z_Vh-i6>a?Y_oyWrdtja5x|23tE@FLIcpF_EeXv^ox;lsbWF8u8Mi4tU$u=M2PFTZl z%$yW6{Ro;dFKhZ+E-rY|8YSQEk@$9Gzn-D#iq4p`XnHO>dS-wAK8{nO8md6f`&00v z@^OcYypG9&eU+<|IQrIuK8U8idl)8O-S z@|u3w{~k$wLUpKLS>Lbum8LJNwVrR5M#bg?%j&LH*Q5rxH5S0!N+Go`|CG}Ny)Y)}S`czJyPMFB0WHGTBF1v7`=?9t{fTC9f_k6(9QKDAe- z=MNX)t7>hxO%>&k(47O=vIOO!j4?flAJ#;oPKLE~25UDzj`HVrO~Xy*VU8xpFV5tW z74zSCCasgjhb@|yC8j2gY?4#s#otmj#m2n99gg3$Tb((z$U`%zeX=xF4Zo-Dt8GJ@ zp(AKeq<5M+%{Z@w-YKpa>1lJbk3CAxHHF`flTFS|fZq2=`U(-uw6?X%!@_kN5y^@R5t z3*!UA94vJVIyBX7`YHz9!;;8Ug0Sc)nPopx4Q!2)24mO*jt72`Q8L$Dr7+hPS5R}L zIB6MQj6*Ui2!O8~_1yZP%A+17bFVCcC`?Vzv+^pcQJJ~%xv2dT6g?%#Wp^s$E%|$1z&yV}>eQ+tW zo}6$OUt=;E>ns0d)nY%gB%vBOPcptx{PmRSD}~cjU(v6>syB~4TqmEW4Fxq!wdE_l z5bqLsy}7Pjckn{0OZqjw;~`nLnC}6=#K1%S|MjuIEurR&2|&&?@K1b=^_qo;o4b>v zzT-1)J9jI`%P0QQl`=DbuP0zw-?c46Fw z^WeAG^I4#q|2|Lyf_dRRAV&@D8t{DMe;ug0tCO?ae>7Ulgns)^_X$F`!djujGiiaA z5WG6syIS4vY7@#6Cf>G>P`;)zRGw?$l_-?ptobw`^vvz_zMK1XMM}rMY9=c}{V-_V zL|RK*ONTFMV!CGnpP_AryyrR%Ej$eYl~ZcN>*3L?AdZ~AO3`_S@z3ox0=*RNe8yoQBl>11&^i`*7Yu2$faqUrK5&{%V> z0V4lz|M?}UI8EQb9lmw_fEHth8hFO3AfrpLRUa3wE**v7deOs*{LZx7QLwc@DFfB- zmaLvkN4tba(J>L}O$?AXsuV2+Jsd?Cwf8kqu1bOH7s zu?CG?fH)D6sQI|N=$+2BhaYl6DEURxz7QRh$-jB$TSKp1ney&q>yB7fSBv!{9#Y7! 
z7_HP8{b9&66^9!M zqcb5Y)wv(uok-EW!9uZZ-*_6F|F$#S!Gme8ffKrvL?gL~~tpgx5SL z<$rYHtkTQxtoa+f!F;Wyz#Y=3L~?&@q(FI#^uy@E=7Lds=FKdbr~F(Y*PDJA`kl55 zjcePs$aIy2ddAQlw!$NFlSR^gu%wKq^u%(0NOpLU+r!JeGv3`KxADo2#3ZcYute)I zcUkU}A-znY^T3!Qg*v}YZ{HFu{q0v}_fjy_OrqZ^WCJ%!UiCDCoW5TT#__dfEJnvGw;Z+wYoeI7Vw+`}k*=&`FB?QFv z`xFXmv$|<^^x_6;Qu7u^cU^uR%>*@NXq5-@*JI*})uxbFd`r25gf=Mk6{C{}-6CSn6YEB{d$s@KN z9Z)~qddL=tah)7ZMVP~Y_m@362~#legK?!a|HC_}6!_CmUv(92?D@{tJGC6WEls^{ z-JI8P^B4pDMsn=WJ8b@M463wmvKkjKsW~XW!T0&{LEOu48$sd7Lwx6Fv>d@Ew1r^f z@u*i_mr5_h^;LIPNHxnH*B<3KQu);Rm)0iGs3C&Tx-<{tAqB@a=O15QQFk~ciu7ZO zwVE8h9>Z`VRurX%&rux+Uee_#O zcMW{xq7tUA^Y<|SqOg##$?q!#O9-yHWKL#GdJq1d!SC|V5g%qfFlf+-E6*q! zBH&wyz`rXnkN8<4)f^acL|KzCn&4!Hw@GMunrOZ#oVwHVp?Wl`_thR08D$)aOF!J1zZ%aL@j{b(jv zIbZ%8!}RE@jGLqS3~fKfcV|LJ_5Cl-UTnd542recsO0feVje}|V_pBW7{xW1^f8+J z`mA?~`qA*7-2-!a(b3(Xb&k0=cCkFf#XrR?yFRUqw5Uw$TQ=7D=!GbIO#TXmUwS`y zHssC9%1XJ-UbH;EjA!`yAa}M_OWzI8*oZdYhLpJ!$sFH&!*A7OZqMx9?eyXAGW!K= zHV629c|Hlc45JS|R0W>Ft>MTk+aXtHt$x=bEk+l<$Uz3*5bk~@R%bP0eXV*}Cx){t_%x&)`n^jYKG@JyAE~)k2@y`&2~^AuRdy*l}kV`xLv=j|tt) zzfG2q`C|KMbA?=ds2y7FT>qek_I6mso^O_Oojm?%P}}S&zmjTTA$?rJc9Bsa_ZPqB z5-G`G!86>>_jeVFo)TnUWVQNP1aud_4W!uT#7N}yDVP^Nmm1v;-rD@=dusr3TQ8kc zbe0bGVnX`<@AhlHkEZ!ZaUMtANbGxOU0#S5@QsfLL(^%b-{0dxp66y(SfD}5jTt*K zXElw`7jx12U*+SuLUgRpc2~mP5(atG>BK`%sr1ALo#`lw2Rpl-K9^)f62~0WkI5=s zqu;5=xFH$(iQ(4i)2DIkedJz}C$?hdSx~YFc9r~TH2j#P0OZ^23u1)n>BmAOF55&x z2{a0~GmQf2C^KF5iF_D(ais&`+X#Yh#O^~=_}CK9wQr74NMR-1eW0mhDccc`kLIJ4 z{KJ$)ESun#-3v5KE|>!St$}uF^GB`WA0A;El<;C)1nDxm$yq$adb|B2I>tPQK->C^ zagjeRrIhe%JKU4yOEt|<`8q#?9ewIo;nLcn*o4P82OAHIiE43r$Qdpq^6wkuklpt` zR+sgs?=tdPsw%*@E7IV_@fZ=YmZI?vyoxMSI;qcw%xu7rbqKS9Ap&=O0 zEL-)pJ2c+r@@^VG;eB0DmO`4+WZ|cDvxv}h6z$A&za&F2jn^x_77U8?#Iany% z&V`NMH#2l9QsH3shSB`AC znzva@a~rvzw3*c2Q5gpmlFX$t{8A^-6Mgw&DEQPr@#`p@wM0Ne!y&I=yiDL%o7Ds# z1c{>^5Wt)mzX)x&Y{ZoA=B*9ekf|C%4Dxq9;OjSmhi`DUq$)`pC+q~pOwMU>J+Wr* zdUKx#?Qf`d_u`+fwe=76q^9Q36{13rxYwjql4w22agiOutvTuBH^V<)D?pjt4bXAfb(G@^K{V<2`*1F#xscJ^P=}IJ 
zB~r82$?IW!Gbc)Ouoqjm^z;2t+T72|)bj6YS0#U{>FR#%60)kGda{1)o|dKjKp+YE zH8vrRhX>}{q2sR~Q2ge(eK(-KU!+bY-L}r^H9yWPIoY2dhr37IpZb0f81hT~S>~}a z%)~$Y)+R&OY0U2&Ba9-+MoR0&68Q;3AftbOKkUQHLq3c6o~Jo;NAk5>Wks3NFT@aN zn6r*qRaUl)BT=8-Weaxh*X%r54fW!9!StkbkuW-Y9HAulZguu^M(p+F6UKMJx^KgpsfT&^qOtG^w*F%uV?OI%xM(KdLykH_ETp3?XB z2#Lx_WkmIS4xVw>u~R#J?B-*CYgA36>h_(6Q&%^0f;%Fgs$7~obc%B&or#`lM|9b} zX`4Ks`kjZ>duJ<|v%1!7fEdvlMjSGs&ynyJDMx9s&yh*+(k7^~fV_jQ0r7aOcVRR2 zj__>6Bpn%aDUqb0QN^)yy<^9uREw~V&R!Z>Dxg{Ir;#Y4%DwS@McQp9e-`(l*aO#4 zcpaa8@iS&W?qlJ^KJ3vYb{>c10$)(|o{`V#(6hWnJh zq16^-TCK%bK{@i&T1yxe%-O&2-lj;Gmq^y_{^{C-4 z4Hs92B`q{9Xyj#bS*QHk>*7P{0S_C@CFQC{y<{s6Xq_qF;y6RQioUmv_rS_E8)6u+Retx7{9R5yYi{iMf!zzZ@^eum2NigIYgV#2o^FL^xJ5?^ed`fFfbA;7+Jut&>CW!shQ1*LmxbVj~ozAIdtlxES z$edH&4B;?B_k+wK63NeZOpBC@e_%qtw{>K0ZdLD_QHhZAld)lhNj6B^>+UAnD<_{Y zJf7fgHltGEx9YN^3dfs#Tu{hX7Hqp3P&Nj<_T*mbx)mOKXCnI-wXys}eHSOWPWnpj zPjVgH<=RHk7Ed}8obPeOzGwLq{l#y!@lDBIgxDJF)qvQCPcznAI%*2cn?9oVjSt+P zG;E;Soo7aa=Ucn37i%q+0(Y4r@F@p6OR#%nq}!RPx=VOx2bL!L$7T9Tn`IQ3@RaQ` zJ=>POmgTsZP#g;7J`>zjt>E3%zj0{W$O?rdfyj#yShM)wEN$}qCthtqqME}eI`Yq3 zQ2&S@GxkIm@Ax_GYGj-&p1mp88NH8$=4DPMEo^6IN^mkZ7 zogRpM%DHcP!}07b8uy?W>x0DVeM7ttz&nYqjhCOiFI2_hta&UVS2Ote&SDt#p#MY= zzUuGiT8SbY({<3$anA4VemLbfrG*PQm){=~lUUT!@|2<#XAa_oCW%r&MmaL$Xe0b1 zRex%HX1wL^l!^*z5?yqL353 zhLEft*D1WLMSWcicTL56b?HD8LO28Q!vCto$-N_O4<&cYX0Sjh}6e0nPhnkh>! z9QGJ%QZFQNYWvl@NQPM5vheV93?djiYuWYiSo6+(Y0a=-mI`e&&qt&rJ%8Q!yK8fu z+2E53a9vt&{#~%~pIw&J>F1gE3Bt`f7ZA&S-Oh^;_Q z9Tlz%;Rr`W>V$z92ef?%@5alpAKL8shVOHfG0Gf8I_dB}i4)ic2Z#MI=saO`bNZb; zdM*dDVzH zG8ZI&c4(}vG78D!zsDiaH*0V|cP10T)VaZ}S0+$spK=iT)k^oqpi?}K-g`7?(=9|8 zgy0s2h*p#IOgk$Jn>SB{>zLj1Zb%^~rRc)G!H7u8JB$xb!I?00{_M~WR7Gso%jZnA zqHjFm2@!4sF8$2ct6QNoEQCse<#d%s8P}8~Wmle$rr44$lkdZ**n_1Y*n8K~DQ`b~ zR2lq>PC?LQ-&WT~M0N4rY@*f>Y(nLN#cj2fBGE5!8EaXZU-6vkJDn^liCL^rLojmR zvnisF6(O&cq(yhPdGU=JjdA}Av&A&wLw)7hD)Dl~{qHZ= z?TnTjQ>;h~ddVF}wsRtrY8{E;OfDy^*(3ae=J4P8a;4d%PuJ63h>yKVM=}Kxh7%g? 
z0>TW%McRGWH#t9H(~!&v2Rh_$CI@C{ZI48)nfmX6m49&MQg1pG3~4m>#?tukwU&mQRGf4I7rz7=>jU(6kN zw)x!XRp5#9;p*B}cI)XjYQ?P0?|gGJP%^OPq%Zs8ms#uC`RL%>MOS=w!13-qsrkN% zt<8Ybv%|Kt6QMaj;01hxZGPZ;iZ2e19-R*co*z$hX9ocLg9)eB^Nsq!?110Liz|a| z7rT2xU)LtKT925eeryiT1zfDwZ*5izy{HN}-rSryd9Nq6qPf|6bn$DCb}g`iN`LZg z^;4_P-jGxZc4A$`+uhJq#R~B!%QWnax|kLF`lvS}=7k@W<5JgV-b)Gopshzdx|#0D z?LJNK6IU@x;AFL7%+2lx zkn77O;S9*C8T)`GGalij>jG6xHM%>amPR@Y4-Q;~>?>37y}i!n_}1eY$GQ#K9kMEZ zRSR}cu{s=9AJ93(S06Ar3|0&FOmR5GRJ^XP>zU$mh^R0T<|L!BA@f{`Za&)!Frj^` z$q>yQqCBtJ$?V>(^ZOfT^FRoWgvM-7u|SRbY}Br5+KcMunjCOTUe4m!vh=>$E2cgh zyo;CeBBvR;OwFxuv*EjfDfPL{am$VzP8QyG`=<40Kko{r)#o+eS$@sxB=61MYh*CnyQ`a4U)`L# z{F=kb${VNGNPRYBmo%k5r#Wnylf&t$H%_0C{_MwH(lnv`W{Ty0Rwo5-zTQ^`vtM?t zfhCUSjOBg~r?lN$Rkhoi?6%*Gr9b_=g@4reQ8u7bSWu_A=gyXE=d|(8D!b`foL=DK z*Ez3WLjQi)Hvjd%+m?Yk#9yPzSiP5^=Wmzi)%ATNKL@`OP*dhq1c|gIT^lUu*9{j;)MkiJE4cw8PL{g!(LT zudj@^8tYcnvc%hFNZMh?E<%5nxX;(zJDzoma9JX+Suy1>a+k(nma)&*(mS4GD{)z( zx>+&pFld)XefD~4LS0PQPx;b$9Qs7kORrxIIzQ zxd5LE^?&8?bS_=@A{Ohv_F_kZW9>JBJ7sn+_s|sK(|mmBx7o4+-MVhP{u_t{(LY}zw|Dy-Oas09(R&?q)lF+cci{pl6C8QX)_0Z# z`dF(9@pRNmKkbiVjFF^lx#bOMMxe^D%UK-=?KtyZ%XhqsY$8pZU^q6EdlJL?j4+Bb z@2$LCU1Tq5;v|Epk(_M|t0Q5lKl^L;T_d@`7%XSP8(a(@XH$zG1!|dr3MmW zbLY*=%QZ(vlO^sjh?>fE$FO=6vT^4vFSm$C%lF50dlO1Y@ymnu$cJZ#Z7mGIF_yd>HD-d%Q5&XjDM?ZxZE#_>v-<{(T2|QO~q#dRqJUGZaCzk?ggE^HE z{M8oFj6i1g2qp@PI|m4mnZ`a|#w*X_12>M~Yw?!h&HIIrHR5AI8-Rw8CHpd%=D!aW9iu6-%S&@uWDVBe@2VcP_@L!CD- zbHTUREf5n6mN%|pZ3L2g1!7(Tr(AcF7p%!O=4!-~?fpdl8j<_C^W#rAg_haI05oj>dJ~lbF`8URqg_9%maM2K51n z#UrrfBz~gXWhay74UmD?fUfP;fQ=s|5Q1YWtg?&-#wf$EB8v%B3ru6e&gED$`$9Q^ zA-GCfb_4mRj4QG~pIz0{mce~Fzq~;>XZYDktw|JM*MN#{U(Les^V|zG+Y!CI8DRd| z{h6o0dPekkldk3t35~nfb^P;qCaMLBihZ2D}EMD0_p*($NGZBZm#jks|qP&zY zeBp2eqNunKh0W?i2}cAJ6=$JP);{nIglSQ6Dhiv$hcW}P-&P!l!e;h?zeLa!K?0Dd zCq9%f5$n0d{wS2GPe=q}wy@X(r9|yRnT}{Jgt#J6hCc8##Cbun1WJk22cC?WEr94E zQICBnlM#<|i#bs!Wgqk~1fl>UibP5Jz~d3$bBccMV z64}0Kg z(h3@nO~ABl>y*kO>p)q=Wv&@EfVV?g!07Qi3$dv*SY;t7pa!OH 
z7UYY7sfNk0fdVk~k?2$sSd0yYR1%$vhi&GAsS=`w@nGr>5-A22tIW?wA;DrW80=C& zNOUR=6qrOJ1waAS{QO~LH?HVZEQ~9kkspcV5jBj3b>!rKKq9#T0ad^dKS{2}^i34# zb{&7hU9B)o0?gX2VgOUX4~Kk|sf)5%a*A?l$uw+x+rY#((bc!k;+Gy#GgN}Qe?otJ z53qODv(z|F?GxmjZg{p=jr&EAr>`5J+Zyrgw;=R>Uy|1(en#e%5eT;dc!EGP;>#e|ofTOH z+be!y18fIYR3<(}0VsDM``H0ZcjF?iyW%Z+BV^!qd?tQI%~d_;EfQA+(EzLRJ7quh z%MY+Ze`bp->(avnjPn|RpYSWTPVxriK)z!7C-dY&foTEh1t{ioHA}n*fZkdy|A~!D zQhr+n&IdT|FFLCPm)!L)7>W`5y0B8;@Q5?OGe&G|WV^OmiqlE$Q9W=&yS5ph(^2J| zvnPGOt+3P%WoKvzPYcQ`%(X+=7*1uRJufQEutQlH8fK(D$tz5>i()pMdYPu4R~Ti7 zdTO{3k%m`P7;M)=V>p$bwpqyRWs5Q~G)zw$%Pn-VLm3$|M5I*~7TVdN)C{MR(=2lf zMeI;2hUQ^u0|kXVc0DA9Q%Px+1X37xvgHT^Je0 zrs3r?pE;qp4MB%)-E^F;&j6~@OSvu&9_8Bt>Q5C0dUbN*IueC=qiV$JTIxqH07X!I zSBOWftD&2Fk?2<{+W|Osu2xcVX5f`w{fk3)Wimr`0XxUFL5}kHSinDQmV2?Is|kO2 z>B`yVeFUyv-^kJ-z;NQ358s~7UYwq6jo5o$$N@gx%1X~LSt7_?rLyjTetiMZ_#bdm zZ@&IMpfn1&i6n{cm&!(@11e9WwFaP58DUFs`EIbwl?Jt-ZaH#+2A8j5hXZtEd>{Vl z(ShfgWAv_ohG{_#Wr5L9f!<%ol^|$=6`mmM0ITluw?Jy%Pkr1ED(MM5wB`>}4-(NE z=>yp-I?4QlnE>jN`-73(Y5{&p0^H)MD<*0LnJC*>gf?#mK&5&-;LTnp{6RFJeE>7` z0U-Tt#y@BlwT_&|Nfwjq0%0?ksm8>*k)j}EQ#?+f5M$;#@DcB|wR z+dX8Z6orR}7v*N#+1gMxWrSN7<)+)&T2Y2Xg)0>0#@jt)rfhl{&Qe65WNZ7BQuJl` zep_y!ovj(=$VK?i!rT{j4=?VDriXtnq<6EmHKJ@v3vbWOl>$?nlEZ%%(4RTks!)n1 zgT=V*Y#)KeiVAWecD7QKP4Qsrp{=b1nEE+Ccgq$m1`99B2aAbNio!sFIa^yHP{2Ar zcLEd;jSE-Erx&ud<)dth4Ij$M?XtDyp(KKaW9H|!fdaV~e*qG-rTf1PjsQEXh@&oN z0KjUu5RdSWu*m-^N=gJ`f*qzez6OBtw!Xqw;hp0-XY_&iB|C->pn54P z{EdI7(0VoqAEPG%Jvq&Y5->ngre+wExv&UYCS)-LlXtNe51~=XtwgwF$FxFR{>;3f zDXpf>Te?zO^FK}jL(6C19S~V?kUUq&x00In{{LhgMS;Ma8@fnrzS0Xw&13}#Qcl6JvNQ`Jc1Z7bU;`MhR?c^k;v$tG#zVRx2j3rK;koL98{_j4MDd&nXnV-&Ryu zip^?I35N$16=jv8tnJ|$aMPlq)KY8~d&&&BWD(0*70TQm{t^zzhLxh8*pFPm&kKwE zOO-Ah;OX$$LQufio-!R2a4ba`UJ4Yj7?z+^?cvFA3K@n%E5{W%L z363ZzIx9g*g0i#uMZZdb$|&REt@&VOqV{kYSlMz3N*ELf$S;}!1>kXT(@OzZi6ex=J1Bh0Lo#5d%)m8q5`-s`Obg> zWkwd46^}hVwnMkSrR+->R&)wnHY(1bp^I*@XPV;$e~%qN>npCTE}7F1=H1pQeY(kbfBC;EP%mK?nN-}Kh*dHh=D--0fB@>BNV*KL{&{-EJb$SSn3kKbPw$ 
zmp0_j#RGh^RMF7qK*d~x;DXCPeLELnT0SFN>y-gZCB73+>*)daT)w;RMRS>x2)_4j zMU$D6ulS7IibgYUP+8$ZI2@2)DxNCVgb#e7^yL4`$&1=Id@COZzQD&m3_Q;K%LjcH z+Yeh(=M;fbs4Aa}=FKeYg#tX${thK-cX&-ueua|RupNu)aWs%QqKBc#*RQ2n_|;aD z81hMMLDwk0abm>HDx<17Q3=l2U-REI=gr?1yiTLA%DdrIg$NPz&Jt z{ka@$+&;|lgVjMZqPsCDA7q>rbXd~ms?rbJG&71Ufl|Ok2Uxkg7UBVca_VqTswfbY z>nRL^o%4wF#1U2oe7z}7px3~1TzybJ*iHc;i>7!fdez(psWX3HRqOzO(kae1UeQb0 z(_SRFb~m%jo^OMu2=eCpKc!OuM{@tqz9FyrmUr1Vk4Oa0)g%Cup-lD57#ML0kVDiZ zig7t-3KGD#RfJc8GQiRn1{E{R2be*Zp}pkhb0RVC-YI&A_Z5!Sb-hyz4#^b~eN(_k z?-aCRrq6H_?YZ41+Blc@?W}6gZr~o@EAVDt_Y`>Z54Zye+y7TuV_3$_eTZy+LjJ&GSklaWknF>R z{FdKvt4RTeH^%%|x$&I)22f2?es3~~S$T1{!~tV|FS5pO@(%vP24?)>WElhUMqa~r zOff{sBbcF((`bvyO^7$u8dJH&(9!t2XeDp?J@PjfdS*<(R#Jor zs-Ic?A`h(@dBNo^kt~3+KW^*L&|CWTc;UyZYRrpt0m+@KlgsQwHp*ug~pW>n!+~2b&Dbmi_2R!ML^_TwbZVii|aC0BuVexyro{kRNX|i7;Z4H^plTlld>e| zz+iIz<6Z!)vbQ6f>6?~D7b=vf&1Hc7Qg1+HR)Ub++vR=7`?)a9h}%DaoW`qsKfxZHmjF7K zZajX57l;r?EcZNjOQ0e@GG~=c!S`&$J5t?S$lpqtQ08ZXoOLS=Igi9;@-sqOx|P_I z$auJe50n^PMquZ`=0~-r_~f69Ohb}(5~`x{$!^C= zb1s_4s(4}Ef#F4cl&a6hb1)z`b_*mC7*mk1I|agseP&4U@8rrQpiF5gg!vb+XDfjy z7A8M9NjbS!ud{hCn-mgJnY`fBJFS7fk$lf*x6w^gR!tcRH1CQhRhkW1-dk$-zjaye z*FH&3762gFk0>a@8do$$0BJX#bJrlbe*83t-sP0wLC^u)12G5jEc9ByyLKj3rCQ4g zQ+t`B5T%lt!XnD}Kum=$okNo`@Eu*FtACy#dac?~`3-|)Qld`6oGidN%0&==?aAF> zN)lI6R8tLu+$>J!n^2O;SW6!#6(RBQztu7@2))w>-;e4p7+O1}a1E3v4KoE6MneO* zU0nUCy3}$f43Zh|iLvjCHtv=X&J+7&88;4kris9^WvXgeJRa&{x2RT*eQ*(Xsis{J z3^lz>UeTqB7+M1zh8F}r)c9P7%5qvr57%YWC=MJz{JWHfYVJhw&|1aLIZ&Lc5XfB6 ze>JoQQ13$b(pGH8o8B{GM&`B@ra-R2*r7Eo81Ql1!1YA#EzrC44amNzi=Q}9Rc4BH zO&)HHC}(x&@(T^ivJ}y0=Cz5#)(Uqit?WsBvRrfzWG#(>rVH_ayF?Q`sgrt^>PU~D zjstcwRRFot^8v$N>V3c(6*4%>a(pE0IkD?6hCx1Q9Um-qzF9kRd$a zcGDxUqE@2DlsWlC!0}3abYw#Efd^P?OyAYJl>{scxUvNn(g6|Iu5J397@;W;OnrI> zHX{(jfdvfTxaRT9?!?U`b_phE{m@$beUVXf#!z6^2Wn&IWU7+c4e3YghSr8efmOZ< z@IDMMMQa2;S;Bvw#~=kW*{`#k0cofeRqj z$A5Pu556V7DIpPRYNN86gJ4np#|KUAwo>W{>)R+GF0ctTEyi9Nj~Tn1`s|Xpp*2~g z$2gF(0H%!5=Y5J={n7ry87B6S4Ih0J3SE%i_j0~1CLC7Cg!0sQh&B~*ZR1qDp{7D< zEzW_Wkf&>*hb{ 
z55(NAOXOYK=y)rLHWjsaMx2u+d{A?3V?APwg-a#K)9>{L^I*ue4P)BHrEaXDf$yCM z;H-3Y1%qV-Fl-^JpSd-j9Z`uvb8CbDomHR(*ESwE0Fm}O*zyKPFBi~rK$oHDwR|Cc z0g?Q-hE#!2y1Ve&27nWi#+1Rgz|zE{CCvau)!!jt#wjclxRFT!z#%c&c!~&ZDwrBD z1qDlP>mX?w_pW>cZwp@)JfSCk?+2q!VmzU*srQ3r0q~({TLvWs`WiU1Ep7_*2=sLT z2f!*`Mi7@vctb&iB}w|=+fN^tCYc0fB)e2A#b0$ObaQKhmo7~@Akp;+H8_6IiL(V4 zw1!lv{ydMkf9W}%I4AY-aXt_OZdm@W_P#SJilu9J$T=s;g5>A{k(_f7L~>M;3`ov7 zNe~ePK~N+N0wSP-FiMaC1(BpM2uM&sk{~%FAbP6@&rvzP@4ffOUF-h%#&vq=>aN{Y zyPm!GvupZPK{|{8_vDxde>S>(ar!WzV2!NhGz9ywVk0RO_5w_w^rbFto{&{;(U+|1 zySBK=Df>_>V*HIR0@ZhAag#$fdRw2NsxNjCcSKgWU7w)J*LM7~V!+7tT-7i78;|=! zp$oZf`csd6^~R<7mw}~}@c>I%#eKt+Cnr1Gk-JxG#1=@NF5Buod#tH1bJ34mR^5M= zu-@ogpul{$h0E-Hq>+7KU4@U;%%gRe$G&qT{EuY){dm!1rFUiXWo0G&N@AB;UIr4+ z=^uO`LI#%2iYSGaAeM1Qp23zLXqy=s&=9b8GHsr^gf4iXY*77*HxFn?IUxXR1Q2LK zD3|~w>dzlXk7+mD5GeMR1D^CpJgKoQ(g4_=*;8}Jg|A>Et9fc{X*D6VlT)!`x98%F zcT0QB4n6V3hMwGgPPVNw7cIuEU6Z6jj2^>-&(6MZx_HJ?Gs7q<;2UY(%-swKSPxZ6 zZb{WC44=fpG_j+UjvK^2F#Ml+A*9Pl6+n;D@H`Gisfyj+2#n;k&11aC4#1wg4D5=>Y@J^klg^%#_^fo9Fz2G0S%@&9c@`VSg5 zOZCLp9c!eu$gjbcg7nAa>d3K1WZA=+%SYf^r}xs55q5>l!*Gq$A!*5`Tul!SxY1*9 zwbOg4$x5MxB*So()7VSN^p1r%!%`KVo9xU>ZLc`O3U`O*}Q4uxw&QujP_XeG<6 zzvW{6V;an}9m#vOhHR4L>CCO(Q^%TmGu`~SnbrNL2zUDcW^PMk>w{K>B*bIr?*;LY-%Xde z;{5KojK$@ki^3awS`Oqkcxig5EPXsH^@_ja-{grsHxBSXDfN2=B`3P zd@B)2h#G@Jjt8n8#8xOdJz12@%!^FM8F)49aiVNYirbx~^7Lf8brbR_JRdQC=B$4N z_&+$`6&a|};F-+!r0xqc@!glHd&_$&Ffn~$Y7s?L*3C3B_Cl~%0#9-Locl{;Adu> zT`^_pU=yGWqqF`z*!7Ca1BnjqF=aGu`@Hu7b7~|k>yFTJpKQW4X?r|kyRJu4)@{zU zqh4fw%+H6vwHZOvCeMJMD|P#pT40>Ab7s1X->3A0C#5~F6z=T1tyXvRXei!3h*fsx zn~}~M_s#{cxAZ#ivI175K*yQ^3amd%FyhSA#5&ez9;9lYjnLHsb4pqQ)V$%`GJK>m zg^imxk5Ss8p}4?Gix0VhUS-Vb@yq1Zsg2Z_!r*U-4oKvFv=cd2w1Yab% zOum(NDU-?qw0kCdCRntIimOfoF=sF%8H1|}-cZo*^2F7Cv>89wSUCgnuU8~igH3s8RMq6rygvQ3Tp1%OtCArGnb~QK#~ZKHg{qL7n_;8(3$GL7EEr|d1%S6yPE*_ zrmc=A?_y%(7o>CNK4n|#EI8vfV_frA>p@P5*~pcf0=4IG&AMX*xxI?9AF)`1XP7LP ze=w~p?{B&3Q+wk?1#QdC>lrs$f{Upi(Kg={U+YW@Di(W0`wA)&deod|CNQIu(m<>U 
zv8p&RZ^~N_l=-UhqdS;l#V&fW5zhYRv^*Vq%lHyQM6NUaO7NJAOBH&ilD**igq^ii>r4th8pC)hjF+2O&BYb`DL zkmb&~8-CCDiV!mFYSMVZz$&anbok-Yb#G-h1AtYelhGg>h%LLbb1V&2 zc8O&GDS2zKP6tgfrSz90W*+o1x0|8CtQF-Q&hyHL(E=m%kX9jcK>D*7iA%DKa6p@KM!7PvB)XfY!=H{IC_Qi=*h3j-!uhYBE4 zRe?y?wc^B;sRZ-QIT>Mikg3~ob$pAvdF#r*&(j$Zlv@b7R(%_M5)OM%lcyk#&(~Yg&+t0%p&X zY9)FOWa&SWbBsJI(W_9&xr8g^SkukXo)auJUW=AeSR%M1B+jLA4nr#N+c%2dt8?JN zMX`|^8`H*DGU*NVu|{^qr!$kzK^y@|E_`9K=!sJcE_6#ZPl;*9SwPU76pQj93NZgM zwh>Yh3Q7SwBCec)a*Sb$zm8)c_NY*ZM-9X09@AhW9lAhPo&rggD^)Lrn8tGcl~UN! zYqDc{Rj>AWA=c~+ShIsWW)9+tc6wycUu>q!`9Xra2@D&v>%&}1p=l>TmwdB6C{TF= zLgBOzcnu3X0aT%Q_zQfakUZ7R8{91p*I_-aHbU#-Q1m8EObet^u>h->jN{xPv8u|Q zNuPhYwkD(`>rmIvVFWQFFx#93kt=_QAdyR^wk3U`h1gVE(qU2ptmKeN%I;4V;lc?r zw0^AsVVVYTwp14BS+P)vImsg%a>3Q-=j5G|q0Ut5woW-AeGLSL zy#i_lZ*+nC?vDaZhkx0aUeiOMhFG`=0L7N$y<-6xNVDen>yj3|aY>r)H(}PV!z^FN z`ike%i3{et9CudWGBqHtZhGw@@@`RKmN=4lD&4%Yd)tFs5YsWgnj2 zDJ*dF%aTuO1Siu@==Fb3Tvw#x)T7d)lQ-~$aFm?UrMD_+yfbVnyTGOdgabnIcYl1oaV8O4PZ=kN$q!` zA{W;BftT8sy5fmK^J7t9)_`)DW;+j)hS;qD)vU5G(ijl{InrM4G3u@wSlywZMf__}pnf(s!(EfeGy~BcV zC6O0nW=RScdR~krxO;WmA)(U+Hd|&;Ip|{0rOF*|ZaMKqiJ^VhwbxFGT`d+-OZcJe z)6Eu9FF`}-#c?;tz++!in&MaP3~Yx+p{~E%^1u!~Z@Uizhb97`g+2M_V_69bonr~d zdI^w_WR$~;v8=%rpwk9d$)SDI{BLZJW~+AC*OjGCURZfAE&Do%ymE&fwdWyu<9*z8 z0DB!CSy+`YosivpXW~S}vT zkb1dILwS_VgxS@10*}GiqZwgKWLUQHMfgggPl6QglSOUgp>0Vk*skIrP+(YlOAG5I z!fF(j>EYwpOIC$J3&kGpL&8XF-CF^CT+q#9D-*^_x>(4a&|3k7+)>-Ey_yVlGZVYS z$d#Ti7hoe@<@d1Rq7;QV{J3aa;S`t#p3?rL;+QR|rc!luDK=DpyHxc&+un0*Y(zNd zh$_3e3JhtMv=Z%)trU7mx>4GX7HXW?Sy$N7z~q6l9u{(z*`~JkrZ(tzg`&&-ji8KQL6*m zahKwlF6OHpJiivJn_!z3YF(I;2o`Aj2CxUv+s1@$g=uP~Py}vx)I1DcK@WfrT~_!A z)(Ft_@#>yHL8l9B+ssf8FAllGmI`>}#91VP9@k#u`9Z*^AwaY3K)}ZV0>p6@L3=R3 z2anqhg~2I40^kEZ?8CsJi2$^7PacK@z(m4p|yE- zvD25mF2ImAz5%z^SYRVHX5)j&(+eu={_MNNOpVw}6;5#m^;g11RiQGg z_CfAxLG-u!n6Oc$#=WhI{Wdd(Z~psVh>=apZ0F6cS7;n8Os@H_e3_?hD*HfyK$&~w zwffjM?R8Y_eKBEc%I>I`{NgXVJ3rav!F^tRs~qn@p!7W5R=L?85TUbZ7I&~}xn>$_ z6((VG9<1b@5^=M)LTP^iwPB*#B(qjQyl0}+G_qQ;zH1_{2wSRP`&ynC0UJrOD 
zG058p$so-){T|P~vhVF{y{np}ZUFB39sdXQ%@wo{P3*H0-XX+cBh1(hAzA?Vu4`du znPE#5N}+!>gz%9=P$p0-NtrL7*q@(jJl9$Ae6!r}>wIzJNM!}uN7!zpAQd*k9m8gbM%(8{qrwA+O; z0MpRg@Od;CuF5DFJQDPyfI^4^fV6ezxeOKp^`s%RzXxpyLCZ$D6cWBe@E0CB&-2P( z77tcHQ-kHRfQ?=91P5R^Z^3Z3OdiKf7A zV&T^lWR99FN}(FnZG=G5oa*Uw3e*|^ujC9TKk(j70HOWKEkVdAT-W6NwmCrSaJc7ij0rH6z}=8nX(LC--?;2c zzCs30t#>NNp$?0;c;LV(BqnZ8)I$Aq7C~6Cbz|p90rO($#^z#!1ao}x2CA@+uM`8; z^mH6YDHK)_NCUbv@(=KVe+SmRiM51}W=mYO218I0DD<~gn1Rx<`M&X%Ez%QQ?6Ek& z$>mnJT$_cVzlCh&dT^DHbbMCuA!gE#-u^7+qr<3gmezM>+K)jV?)86;1ZX30FUEBOcX;O3?TBP?Oa``e9hWPssQXSbQoOqdl!D?qmBw;B$)@ZM-z zY~ZvsVTHi8W7?BVrbh=^OpO8S9&p(7l&~c*2FLcEQ)2@tgi$=80q&{mnI;%Eibx!t zJ@E`C=vjXR{Q?UN+!cO78wWi`o@CMDfrmgfy|1P~g#Vv`{si!(a+@5?{Om+00E!cm zyyGFX11CKU0QlY;ANWj3KG@Q*&nA}HA#fcIzkqXRlY9=?4b;0?K!HHpU(;c*|AkFv zKNUoVXzER@vcnjP2?cvm4#1ChypT@V0dj>Og${W_y1#8#gN01UUVZKL0b>IUXkiLx zEPY^#)XCOlGu_xX3 zA>mnj=ZB&jtdZF>)c|axW~bYVEPUbRxWJqhR`{is@y=PRtuQR)c*tr^$Q~dS@uebQ zh#+T=#yERs;OrTa$c5?U4|&9|;9nwcI)^k(v|+Qn+zo?!60Xj3NI)9jPb!AADwbBN*m5Rm)G z3!q59H^*5cCwD%2n*^X)gJ2wTcgI+@IDi}U#yu$j8-cVkr}}Tka{%>2p)wX?2je&k zxKZ2h)|U-|H*Xn_x&gs!Lnu7%7B;*`^5rcdK=gsN=K*-l_>)6HUi$eBz-3tJtK&zB zl|mzHoY|H3h5NJHAes+Bxq^ZdLtn7|SYXu9QXnJ%JU0}cz}SO@ zIM|*KtxuD)(aKvsVW8Y%ggEeH4Ax=Hd&FrVnO2h2-X}lJkB+F1le1CD!(J*8Z0{qR zEAJCTz9qWk#-6cZen>G8QTkHBWax+AH|pCmw$7iQGhz%UM&^&n z8c1xG(nOXa4DdEf$sz^v4F)!_&=K=5faiyN=Dm8*>%Tb;Lz0IO{SWf93B`qQV*@}c z%1Qt$80aez{HoJy$sG_3CzAnHIi8m%^h1E_A$S5L0>|7^o-ldHPyOca=P@;wC@k|A zhY{=LGqsl3&XbTn?TTXrH%e4&JRFJVyf>74g`cSfJ(s8{kqw zs5`*$2Nj?L#B>@WAUi0afP<7l%W)PcI2h#ssR(n?6_jGqT<2pPyT@6Mf%K?=^`acG zqRZu?s%vd(-)O#5ulH4a`}RIRfce{AVAJl5+4r6I`T9PMY95@5)VoHU-*2`@@~$f; zew9vZ;#wb6`(ltz*}FOUiekPnYqsW?jC$NTc?^}046Ljz8H%pu&^bq?bx*I)_~9r{?FFVw7f!rK zCf-BsD`;iL$7;c?k5{fqkMBm1S0~t5AS53ppY>Tzm0dh8Vsw*eS0*q*p<*=g@--(h zhqxPI%Zqj1Z1nkxZ-hemrDFQtzRrF4WT1aTuYQJGJg{t%8vHn|dvU^~DdgVU9H)z2 zb;2Z`v43sp@D%wf-OBt-nR?^%dHtzDCAT&t%dY0kJRAijQod6!q{imsz?36X)p!l$*G>sh@) zwAV*Xw0J#KE~9N8X-#SZ#6}xPD@rB*>U$v;}$IW zfBBsbbN!DNA{AoWrqIOAgK2dz60tw5^J! 
zcFle2F6m|nDmq zTyU8Xz8CJVd}{tg3r)f%tXBu12PKj%O{s?74dx zPKxmurPMFhUT0--M7;fIs#EuPH9_UNWwBhjzhsl0XBRR;))DFL^MYyMb|v3i(`lh6 z_X@q4p`Ip4;Fw~NbG^7yXPG(%5M>G4-)8h zif_)}nt3C2)hL=wIBQVc!(=q;iv0(KeI=|WMgL$$GAYsh9rNgP!|sLF%CU)I=YUVQ zEkwpVGZ}Z&GE6L|PsHVw5^Jy5-YVIxNn3aMwBr_M?4Qw7_@F&KZ9T)dbH8gm^4a~u z3JaBwgTWH#*cL+k$5zbN9ICFBRoma3_Hs7N=(-30lqJM!Oxuw9D0^{6~o`ZUpwO~ zR`d?x9IA?%-Hjjg8!@Wl(t8a}(l4OW^@ z4n1g;E35hEvA;69lHfKB5!nOU+O?YRMPoc&S_+(YPWh{ZKJvUJKUiSeQ&U=2$0Na- z{w=1I{>`Z=PAgGgY6iy8pm^Tgp7akkgZ@*UI_KqX+|_iQOH<;1TOZ9vlyohJhMrCO zhT&B!?p3^LEiaM9&ZZbHIbB)B{gtSo(d&RMNvY5U(RNcko1O(N+5;j38-ruJ`Fl$06A zQP3&y?MEq&z90KQRJ1n4`=Y4u;(gbX%FmgV-=9^ks%kEYE$XtOt6hF3l5cBplCP3hk;YbQ?fN&6H8V0QhR0EJ zB@S})g^+X5)FE`*v@_$jXpDBI+PJ>y58-*;k?NfEryuADTaZii}}*wm2WQ&-lhWaHU){bV>|`0Esz-h>5{YG+eUV9|B0 zX^oMN8O5ZAEt`_IY%dTQOFzOjrdJbUDWmU?FdMfXPq4Xn+$5*7-yHiMmdrWE({09- zV^nAQOtiQXL*6Df!(LB#GCZZuIZP7I&t7>YU`;!fUs4R0dqkX{T~`5rCq-4o zkm`aiTA)VkDlCkst(rkEcVEPT`ejEhsotDDRp*ii5lgJ393Rp8v@JFtlA$c@aln)x zUY4+O)>m!^hY3M9g{;x*m&dqB6JL<;kXPLnR*uwjYIpFfiJ@RLi#X=Tp?#LE;M$qE z_=Jd?0ZRDHG<1!b;s7FBVX=v8E)>4iRGDhsA7LXXD;snfgEt>5KQ4nK}P(C~ZuHm*MJ38~sEJq|wP zyLUO?MW)m*#vND%C`DWADugP#2#cL?8?~G(KJ|qRC5nxg$G12}zWOTY`_N4Ur(<*X z5)Ac%v@v6dE|Sxs41J>4QkCKKV{>JmlNX6p6Oyw=!sdn;v^g&|uf8BAb)%7T51aoqD&s!H6Ejc|NM}YNqLrEX_|*I;0s~;R9=t zvVk2Se(oi8-p9$!7qg=jCQyk$r~k7(5KtBP#P+Nt@WivkHb_Y?WeGamq zZ%C~D_{2|4yw$}hn{RKM-at@j@h_s?Z$+bu%@3Au4I7<88%ywAO9^4u#8I4G8K9?4 zN=D`K-;L%KTYNTiSAN2+SZHmUru?qj>63{?x$hQvNHYa>j&(UASRQ1EU6-*4d~#ym z-^SDLo4eAEU74!qarQm@{@vR;>)%h4T@L)BzD$3zlbvd0)SS<{IqY>tZTso#eE1C) zf@-qMK9JO3+G>j&{UcMc&gA860sZ=KD8LZ*|3Lv}{0|QR1zp66p>$r@A6^rQcWpz}>MI{nKZw-)%hhD`$Z9+y|SUA?!`+RqE z>oHENy@RLoRrtqf(u4q%YlPR+bD2Twi6(}e%(v9u+FlBv!SABu25HS%a#Nk#nz;|2 zjZkepeWd6gA%O@NHyLDZw`s!i4=K9wwdqXDM^?5DVXVThR0X5WDihS7R`e2++%~S* zKPQQIzGQVXRJkTOV!z_xj|<<1ZeSPw?_hx0aP5C!@JATfVPN0~!Jvx|z<}Txlcx7; z`!4f&^FtWOLonD%7_Tj37h>UKoXe)C<m)AJiVsLJ@=f(e z%h>pwiE!(aBS`R^?xsrrN>ea;J8sgS$)&KBDokqLwJgE1lLDU 
zcgn_4SM0_IcmD95PJJEiDm$wY+r+fn(&EkvyNh3wmKpM21UsF%48L&~@0eY&*n9lZ zQQJu-;joVy>tjrCunEXm7+XCSz(HlINGwPDj`GVXR;qWg ze1ZG^Ftu+M120;!Y|eh{C_)myC=DR}c->`jXWucuCqfN}udXTLyZ6(@rc*nvhCJpL zj+||04e1B(T&(RLq0Lek&>3D=DOw+xK6lUhQ^QMIooI_L11}phJduU$Knt5Hma-;x zO@$brH)P|@*YvLF%FVADU{h2T=s6Rx1<-KO)lG;T^IGBL?A~s&*@eBwVaT`75*_l5 ziY)MXoo?rMpchYzyBF+e09WbA=fd|IVSgj#cH^o+E8`f=`|kH(f8}Xf#a$<%pL04` z*uo%t#fK3B$aBD0Np3Q~1K6+voAJ>6Vg!eOTB&+^_&Is_oi`5la`Lr-mLWc?`?~-d z+eRmBAYdF!4S`tn%ZCEM?T~a}+{@95o{|ZIDxl&GkWn-JQVj-E0W(ZNZlZ^E13i5% z*?W3kf}Z_HIl>+$@`m71GoT01+U!3+FNrX6ewA>v5#0}hvj-ze%FB_Sc)19grkpLAXNG9KYr-~&^hMA0XtW5W>m@(27~_lT?ee# z*pL)=Cr1}MQ5SbRXQ#hJygZzb>OfRzqrDLb;{upC@k8w4SG+eyz(3761jdikpJeu^ zz$l3Y^9CS+`(Fa%d@uqbVEh={Ly?%1p8@fx!23B{us;io@%=9Xe-f>u0_iHsggY zO2PE-Xy-1xRIGYo27{TqVIPsg_z(vI#4qaqsraK(e%~ASS6EQu;r?l-+@k`1-*fg? z0lWVa@N);+qf&m~X!TbqIs~||e{H*ZwEFLRR{mODf%uo|KX$M@TKo51{eG=&N%l+a zpL_fr74Z9RYrhJ>p**U@KaS<^yIcG!pr7fe0E`mp#26-|6PBvb_9%l?C+<1C}3< W!vhf%20IS^-3Bh~Y9NT|u>S>Et&0Qz literal 0 HcmV?d00001 
diff --git a/tools/ccf/ccf-v5.xlsx b/tools/ccf/ccf-v5.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..4576a41679b83800827b880599c11297716e1f21 GIT binary patch literal 77500 zcmZ^~Q?M>Puq`@m+g#K5rfu7{ZQHhOuW8%1ZQJ%b|32sC?uYv@l1fz`IwR>GUFk$Y z8Wao-2nYxYs1%4tQ%q|BF6h5e!+${f4<`1;3QqP8&HzIP2YL@%8`(Hn*g*y)k$+Mb zJ9et~M2tks#rqT966|aVCcQ8&zo|J37-ff}I8FwbUx<6pOMo#Az}9#UOYwS{KnxTIS#Qog5K zKgETvbrZJQe;9)IC4Yh|{4aY=NL~o<{U8>J3<3K06x-{FntS=4LTvwWpA(L-W9PRG{eqN6Q>j&GDjsMW5TE( zQ~RcQ*>2`tLCeu$%FS6PqCY`IG zC?Vdx0L$lB<`;$yzg{dXkDb*Cyef-&WO%L30ZNW#==9MQU`9NRT_ zSP{OGL&ME-|N8vSRHv<(FXfV_6i^5N?0-sfqMyMNet*p}M90Y&_gYV-be z{5f<-dmYrE{S_Z8AEXQ0cU$xY^1s>1)X5=5f&c=_p#TCx{f`|F8-R<2sjcb%YZ?EC zpBpW0=S>bYzq`755A#=B*ip8?)@D>^OSi4&%#a&7!cb(5SQ}51#1Q{JaWH29k& z+0JYpFxrc+SyAz`a}Lj^TY97Ou!xjL4}%TB)@oN9V0T}g=?}6X19o}ceLqa8j9!bD zCD0Iu?*uB!&~{KXl(Yxh)T++DHV%Mv^|E_jsaJL$bZ(p{8&ya;y`6^xZld0 zU(I@KVNoI=Xu>xIyi@YEcnKYf37(rPS7X-A=XLldKW1{%g~b+U|LDPkqjhRA+5r!2 zU$HB1F!$M}uS5{Kx!7{vWc_usHnFTSR#|@O&3ErA+ad=hR$G3_+I?p!E^@SH-UGh( zK|Xw_HgdFT-sQ@YoZ_d}y5s`GLP+fB$_oX(Ldw8F6W=Fw{8eN^AJUa0ZC*oe0(`z&7d zLJi5ykar|8oWmUFQ|ASnFUV4{g;&+??c#I|bl`NXJ(fyV+L2X{)c%K>93FgBl$jJ* z2*I%QKjbKXIsIfMP=9GkH-B@M1nyG+e?FxW<1L#=%U#H4&Y5ur#OiQe!z~thynewy za#&&T5^?cC%yFBGIJIB|wmSX|G0;L8UGR`wY)1ap ztY%H-GZ?>~NpziEO+-LW(qsQ`?rd}davwn$hg8;0k)sCKPoCb8 z4Q3s{hc6wHdUpJ*yaXBpq#)nYP%~QMqH=k|=QwT4tb{ zS55AkHVmlZuZ*7sWRHlxeU{c6^X=ffe(VZfqD7^h&CNfkX|EBBt!NDixV^ocUJ zqNHPWADxal$|<*_xV0jJFm-fs{`E3tG%tJHql1H{)sE0aIh57CSvkwjsr4dp`%HHq zFnIiNm=H%i;Xc!U))lVxd)+zuv`glekje2JK?Zga1tCqvgTTOKI##$%N`OEGo=KSy zxd#a{DZ>lM_=N3wgzKO}pRM8J^cSTK4wKVcBtt=qs)qw7#&kNmyGyomk6HVq4YUnW zVKQ04oD_~6;AM6aURNP|s@)`q4c$6and!pmB{z^B^0LdNqxiR_x6Ip&$t(6$oVicX z6z-hu)jlX%{ZC_+;Dc$8(_xEi7gX;Ql~%aKZ@@PyDge34sJF9D{(~%syV?68kSP0m zb*tocXCKaIxk{_lga(;k8q$X_3Bou=`Q9?htxtf6LflM&7{K;sFn(2Qd*Tr>-Z zc_q4+S$U?)WsR_f4l#yA~R{S_FD{aVRv8XVe(srirZ{IP#W}-rj5M=un^Z~F={^SoXe!TO~tW*GD} zHDxiGHqd13q`HAc6rrO@+F6G|nJ|H8u@x!TK0LifWSG=4hh{g($r^PvXfOnf3|EcE 
z?{0`nYfTI=Z?N)44b66eWR4@4_i(S?FA*%pwkbL(1u^r~0+eP4x-7EAk*F-(eoz%N z0~`*e(=B=(6Kg&garnp*!&V*Ll1nP!pc18%x4fvbpBD> z^yUY$SjP(YEzRW#~kAK8;A^3P}?6F~r5!|9-r7h>HJ-GByp&qHi^t&joNNE|N5LaHlL(BnMO>s(GImlJL%l z5*zEb8tWh@XI);xZqaXPHYwyLpmM9OrC7uz?6i`yfs%c!#{JjituT(H&5a2e=Tks3^D7z1pIk~vw zeEhZ@-?s;8co*o4W~)i_&)m>J(+;BV^S#8DeE}r-H`;u6HOp;;2d;ET6}b&%;u*ie z_q@(;fssD?FoaF^{OV<8%C{pwG&5-__|GD>2VbL(#3|5!(9o=SI?FQJZwgyctE$Qj zbF8ghH{jBj-9b9xpS$NbZz*a+t+_Xj+5fjEwD4Cdlwtw{9fU#r|9Jw_|KwBGJ=V_K zVoCJhx_w1MxDCdl2`QdSu4W__dM0_Pw6&Dphu!*e0XsyI$T;V~os!P}KiZyuaT7G* z?@6|BosH&dN5s$-G&SW-O?fjv*0wr7HucUvoF2Ejt2g_6-FtNCcY8e+KQL zd-yheygNHvp&0Mub)tS-5dU}s8+4Xm)ZfQ0uI=}Jfbvt)KU|=FO-}!9ABTHt3aOt8 z|Bm$do$0~A5B+QH$=^Spv7m2c+~`=;-~SIzztcLgblD z+t~ZJx!jfvA@=#!CwIWVzjNAA1OlB4z=etzSGF`M|JJY|8POrf$lZZq$@QO*?-R`K7~Iuf<)jeMIh)%<968aVck3 zswobR&*rz0=Bi}nsIi+axH`3qg=&7y&#J1X{)Ieq1950&`PY|gvQpx}yOw@R7!q=? z;=M-yzDK2Xdo9J(gNQLd33vYXjH+m?50Bg?1L;^~xp>@GTFICpj$Ci}GJJ9oY!&6MCx zU1h<1@QnTRr%R7dZqm+T`KUUtRsi7{AgZMpy;U8$YjAEBg92x{^y2UT`yl{AeDiT6 zyL>-!TGC}lVa~BKcOHrV7NYF%Yr6LH$Vo74o{|7oR1R&*J-KyQDFol(1PX3v#T=YO zQlpEpJqka?1CE=sFu7&q3E!k83KKx>DmIA7bvK>RTrGf!5G&a@{qS_-j<6J61D0^d z*}a7u?CuTSy~H)xk#;XciaqG!M2;sMR_C345MtIuS zFlUg@rj7GzIroomJ$=3<+%Ug@&fo8R%YD9$AL8>Bb-vs+1eIDaf3;s&pXUqWmoHzo zmlCqVxTXv03ooK2nOc7^(20p=)6zFNd#z;&PT&DXjhZ-_vp!=D{j{0=h>Y+OLT0^B zP19IS&r_WF)lO+;rOda?VFt=DCJjrJ#UBj3qvlaeMAnuF*ve{e_qc|$2819Z_+_$t zfePlwE>7uVSi+z+iyj_Erc+@}v7B6g8UFGuI22uQ`H@RoOhKbQpwnAMyc3y4$oqno z$H|tUmYI1qnumR7&Wr<{`BU4B;NU{>?6ilC9Y@S+4t4ehJLfBt%=`F{x7{D>L^~p) z%Lr;gQ=x%XVKQq(qS7)nk|bMth6dkeOat=_|Z{qR==1Hm@Kaaw1BY+(i_(X zpq|;NMr&YEhp)wfn<++zFDBqNE%6Fdh{nSfdTue12;BGr{BV9} zdF>MiotM0N14g5-x-hms?U1H!sjdJwCTVm{6KI%ET2uv8*Zh_+P@s!rEp3)?S)%Io zBp_B?g~SD~-<_n6ha7Z)`a-JM{*8^-0g^a#hchfdI4OmhNG^b9A3`&=ZnI*1PG)qBFVg4XLK2FQb0$+4C-A6szy8|? 
zvlbr!s&#s^myKi$J3GrXD-ajytiNZqKOi&C$TQqtWcj1Fodt1+w~gHQ9@(tSf9ec& z^W>Dq7+&|dM2Oui4sa`^599e@5VpZ>#!%MIG6vQ3k3KsK!#dfVM8H}J7Dy`<9x-H< zKZ@#Ks}PJLZ`&i2Z<|T&j)^H_aXizyI_({ugsj&c>xHF48883xzc%|kj#FtZBq+M5 zCu;5HwHGCqM>6tteEO#QVXJwP=FTDKnh%Q4hoX)0n#fbv;8=$Dt|IV6F?2!g`a{d5eB2okm;Pc63mb@6ovBp=C5<~)LrbLps6ZRk`=q!g zLQzMH{M#(HA+XQ1H1tJ0JHBY;=76r4fLW(U$DMRN9qsFEu%JnHdNWNVu7(n~j0uNy zU<>x0+=J)4azCmI!_(@2fBlzmv>%e6?kIc{U1rBRk+`%q0qK~M=QsP%IE-`>|Sf6AP2jTbypk%pe?R>epxA54Vg9 zi{2n%kDrsMq$4Z8Rm!zl6~RBgXgJ+OK&W%IxRl9v7b zas0y~6t*uBq4kU8oml)rFixl^awwmv3H$+ct4ptd?r0S26-1(k6HG53q%QEY91+Uo zVO!oWeFal?6APuM6|JwO!)9LJDFC`KkMSUNbr7An73HP5u6Lct#1|N5jk+qKtdEHa zE;Ck1ZD>5@4?5JMk(L;Vy-~_^Z?WfwxbKKy?<(W*=p9oSlHsDEo<6ctS-7+2x5)B9 z#Uy2sq@XBd&45Oxmq}rC6FGJm=SX7lhdeIbu^yr)8fwjc4I*px>7#OR>0^2(;>CQN z1kLx>hIc_aKta*0p4i1~7)n?LaXSKx_5gO_UW6QP6r>xpmvi@6r&@~?zgYPnOSuuojQWqexrax6g|!$K8Cxr zB*_D#ObWJ7fM>Q-I8mD?2xp)ANwrW;B`zrOt?PXVq4p$(RK?)>?Ar20 z1n=`@fSgOW|7oP<>V6Gz4oLc%Y)@zBYmMEbl^VNkgjxWV0r`o?5wbOki+QH7*ua(s zEWHymOvwHptPiB%8%0Klt-nN|Ei^!+jFSSk4`kV(j-jJ|X*&nwh=w-=X3=C3=Mi@E zq5+Fuyp3(Q2ZDnd@XEK&1Awf-==%z}EfjiHwS;;5#%Fy=^BB(tOF49!rgvAS+E3Sm z7c&3z*oz%oq171ib4U9;y|bk{jiq`O!flY zVa32slPNoLW!WwrvRgL_R`cqsn(8vFHo|AkWuCo<7%=;tJtNRgY-QGltwjHk-I*NU zz~LOG`?Oa@%^^8`mANEpDodd;*SA>;uUeZvqkP0cKw=$i+qVv1#eoo7n=r z?$<7SBINf?QGd}8Yuz+BuMDHeY4*FO4CpRFbv{gcu7FMebcII|2K;k8CDLonJL%q` z(1)mEDPeUNE>@bdLRq6VC zP>4)g)qVzN(O(9c(x~y zB$tyi*rJf{{X6sT-re{(*ohA}f7jo-%bUtev#<^@#jiad^{e=}2H&Zrtqmk^KJaIv zn3@KH)_NP34q77hz!2tx3^B|g+r`-54w=u~d%TDO*wtqz)UQGJWCla_^FS?G<=JkS z!S&&dw*Oq_B99+r^2{3jy;L}s6wCK+ohtB*t2}HJ8!ji-)Dg zy)5mvSp;7p=O`gc`!RCUlc?EqoN1W<9?(!t8ut(kcLkMa*~K4b*_Dr%S*cgR9o81K zDuldX6e+=@VUZq{^U%!5^W&vkvn4`&CAEbEKhN=*>-<|b9RGF!^{PXV2*u7#@&tfkOSF}k+K2fiW{>En zz0frf26RQuUKV8}hU*RD-*=}qR1 zw(~}fwdayBRq75@kBiHv)%glq+>rHiN5L9AKFcy{6R#8tjT$T< zfwl_wr4f1XUZkvj0%@6CBj*mPcUi+Pl&y$&utr|@%-5!fLAa03jt=72Kk?5@$Uv=haVwkmNp-%hj>~Ux0Dh!6V^}xkqu#M7Nc4<{X zN64kN=@nT5PjBLZP@_OMV*H81?Y9d2%2$j`AnPU0+gH#pN!?=I#_)un*3&_b#MXE! 
zWf5)T>_+D$|I<`-0oVdtyz`j6n5CS&kc)DvbOZ0C4KuBx3sUqi{L+9PTRBZE9E{XY zY2vxfU9ELb`$CBX5~AgQcy!Q;Y?Siuy|}qK#?G_W?>$x#~G#P zCWDG#T;MgH^_Pu zS+ZoN>z5nNqn$vR+ZnG?0@$f+SZhaZ2DGN=dP;jPynzi=2eOu0j95z12yG{`3{H}* zGv5|t7ODYBD>Jch)lHsNEsC|lZ@`yz+YYW84}+9&hy+Yc8ENf*p8VC@SMwkuD8`gU zaO`IG$s}YJ<=Dc=>6%O()Hv;bgg2&}vTT7^c zAs!`9V0M!-UR7<%qECdLD^RM#5s$P~hmFx=RGUNLe7!|auZr6DovNGsJj`ct_l=?? zuaI;h5&8l$YB*P&6*AUs*GFVJv2aES?08imu`sG`PW0KwAMoLO^6sVA!p#X%TU*;-u!fk)-GXVh=> zCVzi;COSRc80sI~GghH@gvyzh1il>vTprv2rADY{dvC2aNy6~);(MB-;d@euimP>j zgd&qZtzd*_W{PJNCvT1uEy3Hrq*iUD%A#P^iFKzA^mZk=kXx9oK%V13NKPkG2QjH( zG;Y+z$izz8{`n_Q!qzg{%?cBoF8Chj$u_luCW851=;FW395wRHO5%f1AQF9l5dsXT zt9F#>?uSW*9kEYdHN+T3`000Z9U!5&YQbeP*ju_toP`k`=@r?ht|Nj<1&nXm?3Ok% zoyVS#SHVNg5y9+aX9wdowyvtH z@|9(Em=~q3@+gfJAw%#?m9{3|?H|YByN0KniQvYYTJkyMHq#P{y>}n@|@T?b1ck9tssY% z!U}M~oo3_q!NBkAb%|IAxU`#^x{kX}70oaks{nlsnYuU3>6(gJ>61hpL`x68O2Q3& zfQV)xV{O9bSi<(TdG3bh*P)xQ{erc1vt|2l$LAT~;w3+Q8`vGX7+tT(Lh`aX_}MQV zc0Ah=eY}oVPBHxDOO46DdBBMEXtXe+{ofJT7!^o)+KDDKrGenOt7SK0uhq&`f*yD1r>e zOuy0aX4|4+5ZcMQ!>%osaj4E% zqyeg$brHQNQJTAuEiZ?ldBST9q`X$s?R|nS1CQ?l&6jLr`-JEbGj>OcSUL@3)rNcZi7!?WVE(kB zF)?+|mxfo(h6Q)W{hNpsxaO6VidiKWRcp_Z@q;8asM%(>zb{vx?MFPA)Vq^+&FrSH zo=jOVp^qKfVH>;=^XXQuo_+?nP`d9v%2m8bbyxaGU8(h3e%!dCv#_B6+Y^HiIG{Aj zULBIOxRLqQ)K3U-Is9WIeG)4x)JS`pQ1B;lRn)i1q0g1d9}e8Ry)NSQ5sH62g7gqr z`_aNqh1ILHF>?S?qAd+u)`HlJYW>%!iNW$E6rpQfE2Y86hTgaZ7a}PFrM=3479WL}3 zXA_m)LqZVd!&F&63i_cEzI2}&?)>Lg*IJ^DZl9Q)_g(n~^1{E5lq98!uI`nxRl%2}a z9Ac5sLe+we>>v?8#rT`7Ep0~Z#2jQeA&1*lnMK;ZRy#{wkE@Am`=U%)(r3xnIa$AEvO1H6X8Nno zq}nlRXgMdkD+5E4!dG29HtB9WG;%D-U`_97K{qvlm8P3&+E!4b#8NxyZ9rHyRwcsE43Db!z;C{A2x2p#rcr!ue*a7hRWI5 z|8!QDvVz+XuR1nhMnqi4tj-+yJf5Licuw$q@ynF#17W7?8k+3c?G3 ziGsEuU=yX8!&Z-_8AG{C&z+T1pHh-fMQ&*Ji=wbeu~s=U7qYRQsP(Kd;KzF`1K)kT zS#{lmkP1iK8^t=K%Hsl(;_k(CH!q^LDPE)+r>gjVjD%bT$(Xg#gJguSjPy@7R%k+T zw~GAgx_`My@y;;ccOm&W!`>6S@uO%MM!qrPTIK)bcw~BzKipE1KiEY{R=bIoMYhW{ 
zlLrcV8<3vzB|!=nqF3pTB+i4h_4u)2p@0a-s}M;5jmd4araKOT6B`A#)U(-o0ET_T4rE@0K>CPr0uF_ptB{3@6{KGUhAD1QzQ45T4i!=cO+J_~OsPx&g*cxag}r`VoL_n<~t!p{L*BdO)TDqt1X zU*%%tzE)HIp@77aTjV=$SdIkIpA;+CWAq8Zc^uv#{#`xHr7MkW9cR%}8>i?90)PIR zqJr+uz%d+K!^wV{Kz&R!7 zAuTTFSPbeQ1W`pKbpeDYDOfur|7&r=nCcQ3oT_brMhiEUc-MC3|G2b(-rWCP+;WaW&gi4>M#((Ti_HAj=Q(O7f`QiWtcThMy~tJS8~7`|0&euL zDwnm-?fm$UGvdfz$gT(E<6Q;qA!By*#R7?xHDXsK;OS)f^bdBam{UW%+y!AH63~4 zUg-8U3+Qa2Z*6?`la``jHz3S^32Co7I8zSOabCEp6SJeX4gspb-ff;x{y)Fzfbcm} zT3Ll5enoOef0?J&fr|r7$h#YuXf{q9IF;}Ub!qFMu+=f>ETH$h+g$fCrhuum4o%z~ znu-&igm1|LcYc4)f8M!DhJ3`Pp{_$I$hiN|k zp`Qx7;J`!}k(YY0sHf+xW9T=PIpmSJX^>HpdDV?Ijr8>iH#!ga&&{tM)yaP>DE<^x zC(c`KfP!)C4I$AR(?aaN7Sxjr`5YMr`0OmL`W$S+ZxG$&4x5oV8IZ(nmSO- z&oEWsJBc{97k{LGY~;D!pKQ?fg1HBkI5BNmLMZbzlaVkXfMSKu-mSDSBTn;LC<^yH zc0)OhY}k@B?g(Ssk9CTo)%E3TD^M}S0@w^=M6-$`OUZr=y^wk3>mwNzK^a*IcVaRy zeg(3W`$+?%ATt(j#LPI0m)j4Ef*!>M0q?&SL@hLreG*mbwnl#gb%@`lv8vi8yYZ`X zzoSOV*ol{Dn5t;)tqr}4dw#g8YCDm67cv);D|L~j-MQkdHG`}~Wa&oWq-!4)F^ZM| z1IKReM*X>^!*u;V#8vjXwhO4P>y~MWw&(NB!P1GMscq+ zlYVoQ#qQeaG_qQEs+N`lC2Z}8xQBUT%gbo)$QOFbwwk{zu~=6EYmd&eA{25bLwdYE zB+5{y6Eoh$<1^k=PEDKWoWvqvOIaE)-+!@Vy);y`$JqM|h|nye)yUs1sv|9)WQvCZ zWiJaNqJ6d=}&*Lrm*P~_4T{b?uX$QWYF$qwdFCW&7RGt{kTqttcCBWwf#s8jF zhDrhT3aB=Sc+TGhYh1oQRIj`0^O(U99JPM$jv@trXoU4{?(-S^l7l=oTM&XDCmW*E zhpuOF?nVfCrj(*y6v<9U${4Asbt*VsAQA%Gfo={PAoU~799xLSAKe+&eZ7bGC_W&1 z|9yx2?}TVZZw0I#Zxf8l2M4#c!&~s?h|LB}oqO09d{zb$%{Gh9Q~lvtPp|M>YE9TN zG9mJ$&`F0&vu9i+vb4xYz-h>qW!JQ{A#alNGd`UZ=2u|L8w*pZfXCb2{C8H{?Cy7- z*fw+!*`JZ&tM~Pm>*Jn(IGAyijo2YJ-?o6L5_RADi+d#k=fD?ZY_Ebfrbitkd=q82 zC=#%g^_~A|P0X*{qfNio? znxGwQ{Po5cM^F+QZhpLrJeJADLhkO@&EQ#e-QY{dH2I>)?s>bs{!5vS5WWF?c}5Ja z#cuBIX5^ffHx`9_vzS%O-L)W`Bw!TPfLxN=bz>xdHF!CQM4VfulEb*Lrd9Av5!8yH z58vE+DH&WZfx9zZ4d1NsAe5-t97TE1GQYX6+Bo z6{`NeT|QIlJf;5;=M=w%T3&?#6NQ_qDsWY1bG19=1AkETgR^=s?6t>&h2@DeQ*b;q z6u@&$EZ2Xy;rB9&0g0jhx@EqxdaP*L^>S@w{rKdN_;*og^~xbKlp>yQx1%QmN93!) 
zj*x~LSxu6Xx;J4|LM2^o>K9Md9F2XU;Q`eOw8{2oICJyUdUmC--`wqo89Gl?YESH% z!M5&_AjN#|di4zc@)zO^I*Q9Rm#-UT0mroU>6GVHQE^1#g^eR=2Y?wz(QJMYdAxKm zmP-w+N*7E#%Vc!76$)|}oj{?*X|`9JExO|pm2%|t*X%%?3{jY`)5u=MWkip3|0kRx8{*utOy-bfKa9J|SZ!VEC(=pnbo^}E2} zK`$DP*MVhOi=g)1tI_HrX$DI+j%HGg4o!hPcfb>DYoFTPp#*(5A1dFrkCo=0=aS=0 z6n>+YG3X?u=uIq4)TT7J=wIChE_8TG)+{QF9pu3r3o$C*@rxV;NPu-YP$Vn}6<{@z zs|49iMs3E6QLN{Ohv~=?mm!` zw_^Q#Lsg`ypUVS{a97&XtRoMLR=svI3GmEi%W~;39KoH2A#CL+Wtk)XFwi)Q0&?6C z?9AY~uJ5p*ZvZq=22iijn!tRIQ^;>vxGQGFb$7Bt2dhrJRYTywSrN~brhIYp0u5x+ z(<1d&)+U)OYW@93@$b@}H8{kT6D$uNQXhXbQXl>iDD|#EZ1mhAFH}gL(Z-PPdaqRR zmiTrmC>kCxFYaR|VG46f9v1E(N}cSt;7W@@D(9wJkh3B>{Po zk`L-EGX?D42;tMru7dVHiD4T~8IfI0X*+=%Ui)~6C6FH5D!5B@$UMTj{2XYaam7b| zEw%dF(5=)0Z2ix!06J;!70V-3z;k7 zelm*uOuNX2l_ssGj|8m(tk5XfJUTk(J?rmpZG9e42(~h4G+zzTau;pwz0!Dx7ko4J z5?Juz;DAQ7woVZAZ&rf!`qN|u7iO6(iRMooimF8d_gT>w7|x8YIjx2_tT;*Vlm=Jn zror&4mFz{&IFkAwN~6VoyyF2|yM(xJ|6;3>{lz8ZH)WUMA2fW%l}Cy9M92CLZQ4Md zzV@^qG%E6>5>`1G>xv1@*g8b-voDcyuI z*JtKVD{iZ~?SQ$m7~ZeBEDw`T*W8?q^lX|C+jsYED(4XuM&--kd*&*MYBD|$FT`md0!P;0-=U8A< zi2E<=djN|`b?dk#_8#9JnLS8h=k< zRc&QYiT#jNLDOMbhM=ePBrf($+(qt2j^4DJ7PnD?dwBzos4uqN;wHS)K^Lrb73=<3 z{X&$)csK^P;omF{Z56;7GY{by(6>6r0_T(IFg~5Aw~X3K|3=(v$a8;?NTgHJUvVwX zNp)#Q2vGI>RCax=7@a84lJh-?wPyxfhb@6CS^dQL&d(r)6G%X}4rheu#IQnRWGI$> zTV7`ee^h5jevw_J?g9u}n|5j#nthwN1EYeD1>@tG6@NaL7zT#@fk>-hzDLX6UKa4< z6c2N9+CTEm9g53n?k{RMl4Ew}zj;ym%Wbytk!F1@_ncz{N5Oklgw;ZhK~xY=Fr)mM zB0U8($V8Az{Vs)>E$=KKQRxvBXV>v0XV>N9oL1`1XA#mOrS8Mh$2n|Jj;?U$gImt$ zg|wd8L}I%2m?yoFoW+2F9x6Z#Fj!8U=mTq>9d1f1@qqU|9>vO&cG1k%5Ef!KlEwn8 z7X-0?u!lDf2Euj5$!)&!lO7C6zfHV-zAX;2J;dBl+aQ&C?TnpI<1byi_KF`-kFN9rg#k%B$%IpMZ%DKd!6=fR`Eq8E&Eh=CsQ_@58Snh zm{f*+HF4KImoY|@8%YFJS71yNY%yN4r`_w7W`-b$@;+^Y-uj{&R2I4LlE!Ir?b=&# zSzrpes64N_w%V*e&FK&tGx%y=MGJpaMN2-3)nDC2r$~buwgK6*=nWSx9IC^X)u{{9 zlz_=|?Dg38LfgTx)x8HcQ{9}pn0o+i%&Z2x_EL-DU1cxb(*`>7_&n1I78~|CBtu&s z*!h^R_Y?t4_a0O(&~HM_B;;z+FYJ<(PVa=NTdSQ^4YzaMY0#kDN-VrUu)osN9zdE z&Q6h}+5Sxbs=#V^5K$8qQtbda&JAYWJ?zmzS6r*0afG1v0V8RUmj6KgYg$BYV7xG3 
zlW`ucS}S0;-jc5HGIDniv5)kR)gCBtn}-2bj34r%%tD%KIs1WUbKTIKX7PJg{@;%W zctWRIG>euE{UxYXMwxAe*ip)Uh8W==elg5}BY&5k|Wcxz94n(%wgkxjt ziFSq#JC#Mv(#ikW5}ejHuVb4gK0d-FGj*F=&sp++$~8sHT2Qfmj9JG}Y*h|}!bIl4 zhioG?`b;WWO*(?Xh~{B$mD3MwWX)XV{&-Z=6ih#imLTx#(5t4fYFxn?sY(Os#w|q_ zVeim=s4CZC9M8efgBHop8Axdxj^0BeogIpt`27 zjV7||qz1Ccu8s3;E*2^c9@sZ%J5X;;3_yOxuExkVL}D2KQP(40b+;u9evT8bJ`XSC z@IP7UM>I0kShY-8fmAqgCPMH#&Cu{e;C(8f;Md~40MG0<<~A%GeXF29bnenLD>jRDYEQ zzsgDy!v@GV;_y-u`>e&axUG6JIfyWSN%v*PCp`jUE8tPnLG-+!*^FIm#r2BtlxP+Q zPr4>Q7gr`5APMzRm z2{mZNUmId4DB7_m&w5KW&!#R`olkkzku~m8MbBY-jm{Kk9s@evI{d<~%m^MM0h6dqJh~_7$$m@?@1UN-0^npD>Df~!h>oIOl2)LBLV;>Kv{=Pin ziMI2|&JZ7ZLA`~NJEY(R}DSZE3PwdL(KHzq&B%Ur8beei7F6bX#(xA6uPWrpn{9>XYRGl zG@xD(rt}6U+XrHd0UWLk@1)Xhx{1kHZ>@p8k^c_>dq9N0mh$hr`D^9Wan8{?&DKry zz32A5I=AXppNLg^lC56cQwIjN(OLb^pn^SD$e#x!Vs!UGd@n}@@x4q1@u^*r4^TvR ztqI)yea;tkTVR4KJpfbt=W{ftagI%IMHf z{RK9LpqT%vS8XZhVpBg=@o2 ziK|a*asuYT5ts*o*^}6hw0`J>AsQP6mFL@lcx5azZu5n7h*3ep!V)#ASHd~Y5%A8D z^(?0rdxWb6$gS8(Ms720P}N-#0kp9hl{{nuQ;@Jw3(umwm|vO|Zf<8x+?{-^u`a{+ zU(P;~p*5&W7>wugElPCH0sE|ga0bqB(DS~^FrW=jg#o339L3Jq@CH-8(3*{lt$MR4C@lR4As}6nPVOSt$+~t4%$M(w~-kD8}{v&?$BODcqtZc(?`2O(Y;q#Ch2J*i(#{&xVo#dt2 zs?E8Dolkx+os0ZPm`i%i`9aCGqxCqDr8c>(&NqMw9EpY=Rcn0EF** z2P}K{69(aA;HjxGMhC$I77}bN<}cH0N_`p@SP^j|5tHQ@(;+xu?d$OH$7>fD2TOZP zVq1bd><J%iHUHip@X zv>!wKtt1++eIGCPa#XzB%T&Ca+7*$*#I>(A=~iyFwP4>yVDKwcUr6MFQ@a;gbRa#f z=TMNig(C0)|2wFR5q@efaXS;1<+Yp$VtT5z>=;m&MJYJfL|u#|qYk`3XvG2;8#<;o z7__X}Jx|pH&2Mp?>ytvMZJnB%d#!wJ20DoFq!SRMfDgoaIVuqAWhxL$?TV-lA_{0t z&WPIwCf8|o*<@zdHsdp*+N2^p>$5?sU7z+Aw^ZqyZuapeBB*RNZc~3}t2x*l13WjA z%d99@kSr?0!=9P)Y>jnmYMRzF z-wovIh3P?Gj}4@TA3IrM{DiqLxmXqDO!f(=L+e~A#OL}TH=nOw80K=}E7Gnk^h^By z=%n_}{A|q$6c!WMwwNkDV2rjo`pM(8HNQsR@770@Go_oPl>?mGM2xyBJ`E|<28aH+hR1)^2bRtSD^bjrR6$N=h z1xNvur?S856A%MD3YqKOEPAPyN5YSMLV$fY9r>N=_(b_J9-b$Wy&6R#dzB)Qsa+ju z6@B#<0tM#KY(C&q6(yo|)G2C>M$I(tcgp?RW!^92zTpqR7vT-whFmOE;3~WeV{@1h z5|)n5v$E0MNyai~Ge`8kyEWyWl$Fs=Xa>@ilvoK6aAd@hv&mcH$>?C*~1xZy5DGy$vI^ 
z-1S{V*f3z;f_AcMMB3wiVRv``=5Kjzug|H=pd8$wZ7-}&=FM%ZX5-Z=nJxR3Cy>1w zMId{XB9N(F9ck5e^%gL!)9MB*Zi!T2wP~Ckn=1eCVdZWEA_IBJvC!^Ft)i;ADMgc! zasZz!GKBfaJq$hjNv%QQ?3i3sL0k(Q(}xD#$JTSV6diQ15gve1P9^K6)h{22ph;<( zkkWfqN-BPhN;5wYzjSmO$Z{J#4IOhQdpl9TS3?QA@OvK`7Kj(lOrn-a){@vU523#ShAyC~7jctMv&9l! zlG!CtpQ(d(%T{a-Dqgx$54|zk4k7r(P1;3%S)F-8T?PAc%b< zW#EJgJgYr3hy&iO3N5p*xi_PF?-;rwlZfY;imyg76u0vkx|mj z+^lG)Wev06u6dXegnA+qMu8xs4Z)U@0}_9Y6clPcUN+fWt^}&eW*y>+Wg`5#5RUYq zyeve@OJPMLDyrzp^wY4WIfA5{3U(%llP0(?(Rr`+m6ktp4ME~1`Xwr*IFTxK6?e4; z$D3!LPk$w&4(jV=#yXCSITzCuFO*cV;gn9S!^4e0EgnS&;?UNi(_ajn{m@e6652-QN=>+*`JJR=~yj8)mXNt+F&hIy|z%*)uAL<4P<>j z9IOUSjsjO2NOh(qfT0vHc;e@)QN+(zDdMNv724<`FsNj`-^?KgMr)_})YgR(!9eTg zlnOwU#TYQKcZ~~r^=6Zo4EnA#6?U3Yjwv+xi*~VEDy(kx>z)b>&_N0+c8>w*9<1O@ z+vY?1qN~8!tN~<=_cAmzbI9KietpW^8A}7zHESJ)ya|5b(r!ug7+4=+9eO;~WOfXZ zZ#i`_$GO3RC8L1|H(D2;J6W;NaWl)N%aF0R z!YMEUt?FtspzGz;P0`d9UXY0}GO$3yqrnJ#IETYP)Dqp(1s^=){J+R84Zc1BA{+jr zs=Iz)%qx)l3=dgYo72#E0VTwUoMvk4p*NHNujHRHe4URW|{YXib&MAH?Nee-g z*$yIBoZ^Y_GO)(My^WKH&2p6JVRd;~Obd!ksY{{_ddnK?o!bl_xnp(DR`dB?Fqy%$ zO%|(WQMc(BmRFv^`f3z|^;L?&s&<7|rid#lfmJ%=kaJQtX0(nXBgH0~jEG3YVNtAcK8v8tVQiMtcr zMs%6{&sFRBx-F*;=0kW?C1CWZ@Ou`E+_Yi;Eqs|721IWuA19^()gBI4c5mmEp=~TZ zR&79Fwe1sH_^(@Z0(2SJn7Sa`I2NPwBiVe5hyLRlZa&=3C-=N1UnCw}fG2wFlCF;y#9w$^vu>G>k`ZJ;#_W4pQtQ`8Cs06^W>6gMVZwZvZAg{$Fsk2* zv%^asG(R#bj?HbXHW)_gQel&S2IdBg&koM&y=vd3bm(`0)^E5%hcQ;4MtNdj_R$Bg zM@1jJPDLN6UEx_m1ZJ&;cz8~7R@JT|IJTjbZM=L7+cT&T7Fs~IxOs3O9fr|y0I6Tb zlIk9x06K&J01nw$@{#5&2)-kcr;L$kEN5PAFc69M!!u^686QzzDg8K2%}pe&`%Xo4 zKx3l25}p#AAX}hkQK3-DZ;urj?ALVZ^!7kLFrVCOPfUM3ikSX7MNC(_LZ^VZ=+#`P z*I9K%QSs{vgQ$J<13%~a)bv}l^VWvSOd-;~f&Vl0ZzSDc=2s1u7PEXxf9R2B{#|?) 
zgV}5+yd6HW-L6z$ZO*I&cV?=Vc3KG@Jc#CqZ*ZrRE~L=TyWH;;HSg zM^W2fr>N~}S7?2T5Tdq#>1FCKfVG=V5k$0J&N<@?DuB&>PK9E9_z)Hb#f#K@ncJjr z5a|oq9+0!`>*_csjl9Cga@U1W3H&G@C*hPhC_#pw=u0CdsLO7Vhgs(^A`&T5HpZPw zGmw;4b96CYXYF;A*ChTNag~o{lB*3KdzBBQi4Q%ejGLlhorg=D^T{;%17;z)!abGy z^(ZR$>lBq+?FtW&;tJPV*sE4^rm9==aHI7nE^w`rIF1c_G&XeJWMnXOEWTL|7F^Ln zsW-eth;RF0(kQB;jk3PMITO;>VrqWVwRy=q?i@1JV#zxCbC`3~6=|o>nqhUjvOjAK z9rq<+_v+}(U{p1RT8$P!IuJsKFpBH!e26`w5zCk5hX-%i%5EszSs1O{V_}Euh5Zm* zh}`AT!4w8@pLjQS(uv*U<{Lfiji%YnZyaIcUc!@J!%aFr$Qy_1`W{R3RvQciMId|A zDe9QNFy+A+Nb~-NO4fDpJc?RrcGgIxvM}xw57;$LFLWscAa4x%_d~6*{2|tyt!Mi| zkBS<0gY!mfVZ0}JI{E8Sbn@3JI=R{vp7g~%LCq0tEo64wFX6U=g9t4nSll194&(c^ zRRd=|UEJiYkPN~Z>5fPa;GbV*C1=sPT9p}|;<@sUVhTPHft>5{4k0POpi$D+ zI*LkeW$+hAr$?a?K^bN7LXg8chBJT90ID-X=UCdg+Tdwu=cy@vD%!bK-8GZip`hPy zJ~tk3LSq#2-1XO^xa+S|+;z1pJSm7Mq_y~*&uf^*Br6mWY z0B?bj-gTap%j-zU_|D*Ag8YK++xZ`mPY|+A-(*E;qmImrHqCiLhNQ7H_K}x2UTAJ) zKheleA7^ARFeymeCr~8!Z55vGaS&CV7B}Daab^qp3J$BL*NXTwmeQ^^SZCUa=<@*D z`tLk{;pctxxr?F5bJ|~z;?syu1R zY-I}!f#ppc=&Y(%csqse4_nWzQvG0KneL-B)sl0E6v@I3b#dFH`apZTw59Y`7}51^kvK=|ELoT_GhvG>wQ$%nM$vi6kn*P|%quTzwA zwJV$^aaoU|l#e*>3}Tp5dM#T@7c4f#L`O)E$?3=pw0R|v!qB)3%f+AoT^Sh0veHLx zVW9x;7f6dHtQJ9Q6P5)cjcs53Zs5H-bQL&~lx_nY1{fG4-e}k9!Er`MhzGE=A88hP znM##&$3Xd$Lf1nTI)x-}Jb(JlDE{=D6n|Rn3MW%S61Bybe7>j~AUmCN%_%V81YMAD zWI(UJz<{0Rb}fg3JbW}e0$5}|9|@+nf%>12(`XEks9*jlKoTnLG8RRb!RV9C`z(iv z=DieAcp2x!QM5zhL=}JrCu)OXb_iBz@@jz<7yLjY8Au?Lny>qS%(@wh5T!c>fqJ@2 znqI1$^%D^Tg=a{=8O4x(lVV7#UEz#~K%uobhdPL*?#Iv@UT1jODYBuhQ~$;sy5>ei z*%i7`ZGC!-QEutYcrqhj*Mdqy+~yZ;u_SN35%G0#QD|A=)UR9bP8}PyO@SHqd$8`O zP1NtUpi9OyaTfS__NDXsLL3{>Y z*!ADIf%cS36X{Bx^KBtEXw4>dwGn5Gt88EHToyJDsHCK3n5>{bTx>MQT+V1UclyM% zcaWLRJkcno*uA;Z4+;D9Vu2MX3nq=UnlPl|&K+t(aMG}zQ}_@?#GzdMC+(%k4jk&q ziO$3D8c-rGd6F8ji1%Yz-fDw^c)#1Ln-PuxTv_zh|KP6{5q&7z`?*2{bSz zo#?%FN_fR1D^t9Ocq;mvQB?FdDJr_!6=;=6Mb}$^f_|vY_|MF|kYhsJJdz!h(80oW z0KCx5)@P-iI8IE@n@kX08=a3^&L2)pu?=Dk&WokfQ@g_`#&CkQEI70>&Wh8Kf-yzP zmDSn2f_oaw?e17pvNB%OCl1EpFX2|uz@7||~8))WUy 
zb$z1z7!S~saNmp~;l4?caMiAkwc^cS zFUCL;I%dBs>_iPXWPs@gl?sci>!mpuE#WU$W>ry04_d~=xUw14f+|1VMD<$}<)!mH z2lZV}${Zp(|Fz1RW!~^D)3sS3yXMGrv5AaDvn;@-e+G4Sc3!@l9IP-kh5gC>{g|o% z-oR;OzA#J9`O=S4+{!29jq!*DBfgt{L^d>_CCcFw~KJLZ`ib0=3c9bTF_Jal-C z<3~rMyPdE5bv7nf{#zO4gxGE2-5_sC+(9g?F#S9mkcGlF?aqrekKUT&76t~}Up8!2 z#v7tRM)Ohm`3M@oFTnuaFY-n-mcgqp&&^{tn}6&JZb~!rj2_yN9|Gx`v6%lTs+DFj zC$#5??O~j6VYPH?&!eQ~IYdvl-dD<>8g3cN$`dqUBXZ~35!nGD_ccR~EB-w+n+16c zQyF~YB~~2V_;%V8Zv>us`(_mL_Dza;t9Es))e=%$bg)jud#x=%Z>K$`^g|itRQ22< z&&C8JVP`o+P9T!^E}uUJMd7ekHx?bboYbpj3;5xu|NGNwwlW*Xoq^;9*eTC9SYrY7 zoyyVX(EUOLp9t_z3YbxF&z&y~JfVL6_bNkvw|&Og4S8d1qc)#>F50ib$J!@8dnP4u zbw40^_|T=XwGTq*5~j$dFFRRPWLNp$J&d1Q!g=p0muR=si@322ASGiFVBRG-zfVtc zml}Rp;fE_)ENdrqD=9{|Kp+$)OR0pgNnvKTc+q!XCFsl~^Y9T=RIt!D3A2hI@66+u z6+q{uvCBu0Qg|(R=~S_Gs`xKbMT1yg2OH4AP)JQz`-r;klPGUs_!w#o-bGsVp|8DU z^og$ukH;s#k4azSe*Y@g~2+qx?ku8y@rX=;nmzQFCBkGP_lGlJ{+i8f6et39a=fl2XsqpSm?$`HyYc z9WNGP(ism$LrS7jnY6zH{_s+wS|B-827nE`ACU?cl z$bKgxfeZ&@!wPg&fHjU~Ek4jtM$GhSN?^Q#RLPi8)6v5!0(uO4CJfsLDFG!DCh}RB z=@nIeOW}0dC{v4c`v)Hu0RKH=ncBzYb*guEtX1IBn<)N8X`$+!{I~bplV`BVFS$d1 z4Mu(fXX&W;G=*C$P?MF zE?Nk8M{1pUA0^rbO>0;4dDd7kC$3+B+np~GAwm~fV7YwsUP0v~E<`Dq$F7U3>k=-; zNC;MJt;^pHHyOBBV_g7RA7u^4cRLAK?a6%E)-&7=F*{b^g`i~vJ$O$*L4~E=j>xO9 z=f_-^P`OFXizM&v8zi99<*gxIVlg4qZF{IQ7Kt!NWcFY|jMKj0_}AV3uT5^OOo>o% znp7G_uFe_(qH$S5a&Mn9w12%SPgQ)?hFcEx>D8#KHXWrxu!N7X^p0N0RxZhg%xY`u z4$vp=E~z<)|Gm$LR9y@6sGq-kEa?uqZwKf;DwxAQuA#e1px26>=}r7))gcr6KBIof z@UHdZ=FS^YmM542!?{JxvD1>_6oGQ9g0+(@Zxl!`3$zwbo&?nk=$4uue|m9v@@caB z!_JGnANGRONE%t}L?56G#?o4`fE?iAXyE`;dW9ADh`GX|l7_8-+}N0mgiawm!3D_2 z{@qmP^fpQjWMEq#c@e6F7dycliE3hV_YRl3qJ;w_-dXcI!I~cx4PhVG*1Srh)(Vm7 zO_Ddl^1|1;674$I=O-uxXLj;YhMo9z*3b)VHJDAKk#IdRud8BNH&n+diefU&8<=Nz zUI@y-!tKmznCV6V8RBKN0wf8(dC&7BUe)j(l{NRF+6w z%u#$&^DU6t$KYo0BD#hKAz2~zWT#kffvN;elr=6d?RAERzOuXb%xCp&-kjA`CD(VM8+=M^ z9LkWM;NA<)yxe-Y@i6YcZKzO~6_b>T0*qrr9ukU#!1(gsz?d}k*2gkD1Xmo2NG4o> zT_M^GFc!v~9@pvgW8uqQfG?x6@Y}~Vd{Ltww8Cn76BxCb3O;1ElM_ge03;C^QnYT= 
z;yrQyzWd4dhleN6*&`OzmA(#wtumVe!X6Ojc}83eoLJ)N(7gfThrRTJ^t_BOk&Brx zmJE<=_^@qoRbMt{V`k3C1}BqYRSSX=)Uay{M2S4~{Rk^Js7oi3AaoC3YgbP=h`+Ql zW-glg%5)@`rm?SrYptjP4qcIjH~39n<~JEEwskj^`gnCb(<=fTb8hQT@mPZ|m%(aq z?*EPq>~(<|G7*{YCFzI~7rr4N*-(g9oNR#X|MimY0Lp#DQ{hE%VtGrTV7N&FtqgrNXffF@@300tdy_QaB#&wX78zb`=#wC&Y|7xDgS*oGg$T z&VMVDZrE={HRG^Wfizw*go92aRP|kkrbN(451PF6*N93_vF4@8$)p}hjygj_c%v-I zz6cd`8ygptSVf3#z{GF~(0j6!(QRP<{!rc5&RRhJdZam#5<>Rg>ZV0fd_PrP6ix%; z%K#Aj-0Kkk!Z@35h-tFzk@PE{qfiLEy1D*(I^s0>rW5Vg&Y)ifgC0f4wU2ANfY#aR zffjhGxA{3MkaE3oHN+@ZMlXRO4Hb`_uI5GHD9nS91?UYd$xEP* z)0nBNz={R47%1@9ld0MXA zdR>#?jloCeGWA5!u3&crYNu=?V_C;~i{njNh;XkhsoOJt04}t9Xk?zjdH)Bihkbb0 zKOC-6c!S~|NGy#bERhoXHRJMUoe!sLwDsyAr7z&7R#74K)|8TxSH%0{bEK;Kt{_O9 zx5Y=IXbp?jaSH?DJDc%NGt*nv>j1q+k(uq|8hUG;kxt0yt+k;FpRf>kqJFNu8&1aW zbXS}*9!}=8@a#%zimNL;4p+e&oLc~MQXp!&+B@rzdjR41;mCbo&~~QlWmvz;X7E8t zZP){AB#?C~4a6RnrT1(3#}sTD%QeCRTSmolfs#g>T1BaEMt+e0dY#%P5AieO$vAtuxw2WPH)ubmV-LZ!Xpv zi0k^Y0%qu_>IvMP`4W0=UqD_kdW0vmqJ#PrKA%{Z@ZAknZt|P@tCGP<|5ycu-0{96 zm;n{?*iU7K?U*IsV~cxcp#aFf zMr=i9B9}-BKB>PNmo<27`}SfeQw40tGP(5@PhtqZ@(-KkIM5bMsQIIUZAXg*b1+=V z53>kU=(-&c!?(u~!?%;faJ4hqHAQq)+oaL;?RsNQ?HTyoXL$`<^XI&+SIra{tb`86 zR-5&jWxQ2CcspF)^ufaPyXw4L=SXzT^D&hY&G1>ca=`YN z_F-dqua7|m2(`t1*8fZY@Rwj9>e^30JXyi*}eXT)NQ)at(ru`L=U2W6f;3$kYT@K zpV8<_wPHuJztt9h(5)e{exA(12w!QH%WC=r1D*XU7`}(}RQH=~90A*UdmP((JIS_I zJ0rJ-ym4r4pc;}9Q7}#DSCTgitrM}7Qfq+)jYN74rW%FIO|-q>mXxR4AO{mHU<*)x zLv`u*6*|KpfCes!b2FK5ewfU%JB1>oj;52T1hc_>5r8mV zLMVe8^1aPqeQ4Ht2NU@-+T3*IIN#JuSUAjXR||J(6yc=3n&)gjmS(8{=V*4g+F~GZ zVls&HaHKRw5TX5a83Gfk@;DIazQe0TxFovQE%%zPG+G7R?d@^g?d>FYTkVXtG8wIu zHk04x<=b|VP4mBfhmms4P5zw*VQ(kzaY22=yqXgk(X@{{GuzB9R_PszIJdy#%s7ju z<)&~$YEUwy)ITAV|2zgLI`*bt#WkGWjp+d z2?c3bNlf~BSm}I)j4N*H-L#8)4$rz=ywmCnzr$?PjLtC9mJwGQnxqSQ(GHk+N=?c=mJ%F1~-DHMHXsKYA z0sV|^eIMpg+5>d!Zcph78^pV+ihr&0?yadaq=e5qJtD^gUbW7)6l59AmR4IZeC!0d zpnu_+vd|Kc*37WXpO{Z5!^&_H^^jR2DRhxx$b8J|+{rPe21%F*7|+|IDh=4jHJDII z&If8xnc60DzxD15*Iz%TDiPfK`Z0{;!o7k2E?m-CglV!c-q>GP4)FWk>lSlB{{APr 
z#eCYKz1N4PO266}8OSo4X>EQX!~fJ~M`)B2o0{WXbm8)G zqVT=q1ow{@TwOIt&j9<6c}@YXku-h-S{*le+9BQh?pR5)s8S1R-5H-Rv&n5%eqCOh z1IN|14Ha@E8<(t{Z7GQ8hqZ?fiC@x{2c1??Sn%dupTxx7KDt}MsCy2O3a3JRp*d1U z0}l>&v^Xn+%(pf5sleLkzyY3#po9Xro_o6@@*EgHHYUbG zs;B(lHZo`iXVT(g#ZQ2HEW6CFR$S-YAc7N=!gA{xMQy&cSuy=*3!=oR@7Ct|Z1PQ` z_gr(GJiCsG6pt(XBq~A0Tx%*l3V;=*Xt~cUzSn0_$D=g2KIPYb9sb0oFq*9(p}JIj z+v^jk2hj|F=#>+r+D^cT-xW)D`@v>R9t_XQv-4soY2Xi^;nfit6aO*RD3~#7u z*y>-)V&f8MA?A!fwaBrIYOhrJ60;d)9m?&e3%sB-b_^LkSjk)(;lTMsUX^M9`qu|CiH2cC;>HZ4xLH(#zHTx|-2^R@ zu~O9>6)V*i42Zz1lGTbKa|eh9@L`86BJ=ry4DC~Jv^@`}632x?n4An;yQj&O;Zn=t z$4>p%s7j1m7LhAi^AMfk|AJR|)l~d@o6@BufCkYCJL94gc9PKvYG>rklmS$0(=m4r z{XO?bNcNUjT8)@=mtDHKuc4Crv=J^H!$ocsA}8189hG2Jc|TN8vuI4C>#V$#tv~hK zwxjY=zC4wS`ak_L`6(|Kv%LN4GrLM9hJ>Pbo?YiFT6uShTiv|^?zT#mysSr4^3@i+ z9Ct!mB~Uu}{qm|y5$2tvD6WMORsHglnj-q3dIShKtE)Uxiy;dxV6g9uW3cZe8SH9j zWKqfsPHS^c7(V$@%=3CBClk_NC>VxBUzWXL=6`b;E4EKKbas2+=b>(hd*ay9u64_y zEb5+fqJQWgGav}~@G!&$5h=R&C}qHdy3U zJ(^9ewixI?-hsRIbMZroB89S%F<^c2YzkxeqiAOb7XpIv&NzbdPLiOkc19j685dN7 zGEdEiVqPeyFeL4>F82~T#v47(x(m_NRUms#(&lCb<&9MxjO~+KcjByQ7iD&5DQm$b zU^Jn-`B4C402z7Qoz=9=R#1a3zO=%@V)52*G+dEL7~Ef#aWV@#O{u#p7fhJV6>706 zO&vwj)Z(2z#U~pA307Vwnc39scaw9oyPJ_**K)$c)V%jn4Bl6T`voMQMwdJA5-^H) z#xaU_l8j=tGxAo+@S?S`JM4#g`qd!++sUEXX1Rjz5qKt!)1HZAz3X3E>pU+_=Q&m# z$MkR#EFr+ZgtHaci^jx;3p=}&1MC;`6(;B2{lRVm8?XzQZ!b!;!b1v=Sv+7!w|;*( zJyL*YB=PvE{lWHLsigTZt;{*&(i{vRzaDC}6-_^Riwq^A$JYjeb>3yGRtC!pPe7kU zmu)lvScaw__V)ZG2t((o}rugl4M%>7TKA*wZIRvDX% zXsVL%*#aa3;<7GFVpNq`b+s~m`@5c%!wbJWGJ0k3sy=$S4jhvLanj4DXx!BG`Kj@~FBqTAE7DZrj3>edu48_mKu|At)M;W)c} zy6pCddz7~`EC7c@Fix{21J?lhbL2vdLL~SzaJv3I_kXUrf3MHIj?!s<_|7YzMKrz` zY~2x*ymeL`SZQRCPN-)0T>5Y2`_m|2XGaWJ={w_C={reQy4o3Cd&)ba*5)v{LpHmo1i^RgnM2rDTIEBflc(QZe}E$*bz1CG-ZQ34;ec#MBq52r;ue{?8pyrDu*q5Cu856Y6 zzu_d|-rGUWIDXOLVf39ekL@E(4u0yr=S1F!Ml<%+7EiJfB{ZhH5&bb0B>9zpT=nQ| z6#?acXB_2!CrSBNJEJRkd8^RcC|q9WoP0Y#<&O34qYXoHh}0MD6z2Le&u14IoLnz^ zET*8@Y}MGT44tPePvHA}>uPHw-27ckEu`BjYhxVbO;dMDH?N?^NIUuNFJL5X|HZoX 
zGs0Cgohoyh{_Z&{%yo8?cQzW)#p!pNz-hU?1B6(}ZEZBzJ>Y5|1yqrIvRW85-^9SY zGG8tsS6m6DCgVREhPUbVYUKyiBaXZ-82(a6>rP+ z8f82vi%TQ;1yzB*$d|WZrfvfSyreK0zxR59xsV2D_5m{N?Ae&Ehz?m-kZugb9_9n^ z!8)#AU%mx%$6;j{^I3B$gKYCSJU8NQu7+x*D787ihxlx*Be%T!rY5pPIW9o0&)R4S2)_=wg;I@W+2t6eafpa_%svRS97UGN-sn#CqJI z1U!|IY3MB$r#6Em0Z1@PUHb3wS=EcHYa8cIf^cbf8qT$jl~FE?6lTWw%4eI)8Um?^ zD@>J2eL9ZKi@QzA%RxWGT_BPOEC*S@e3}aOLz_#^le^9qH zQI7$A?{(=3_Zbtd>-5-L?QymPmxnOp;Jps-o)$jHL1o|&da$%xV z=F=v#;ia|+w#dHG4jCGO!}iKBblxneFORZy#^%s&5O=scF79wQ8F#35M#M+a98%l- ze|b|+zQAye0F60n)Two`Y@#`&cJ-;_&9k>X-n0kdUxAweTpPig=k+WvL6d7tL2$(s z4zDV8Ctooo){-q3_4_oJHRqMHW=nV;h&07fIqI03@;@*T)EG0~>2(32tws~&+T*Zk z$>aJ<>qmxygK(}a?0s&!kU2H)^--&!rM4K(pxp&3elU-xme^rqBh%3Xr^&gBsue!X z?8L7KpJd>S3^`*7Hs(Ootgr(FDa-URCp1o(${U)$;?$-%jU7SA-R`)MyWM2So!S`@ zqGjwDS`Y|w>YV{!lMwhIl%5PF>eo~ShVCtVZ#e4(I^)8yekyhB9)sV4(#&9pb~YZi zARAk2rf1l!Dc`Dob8s-yIUr=IbrS<|aHl<9K%s;1$gE}6I!XN-t3mTA&S4snf|$hJaWRRz$(Tg7GomZX zh@{3OQs&7+V^2)Z^XaNFwx5hVS`R*HE5&uAAF5Lku;}S<{&wPuz5UK!k!w%@7S^_{6@!-hlTp-#rcNKBpw(raJYm`yp#T0!H-1TnN8|l zmJ}K0f>Ar)f+@k6){jJWf3S6oiK3Z1^W;v=JC65*m+7}r8ebHQ>8lNXF)Mvl&cJuq zB6p8UIrR$^bkJ#QBdicfHdELwm_G1lxcMl+a)JweQ0@vDc)|23pfEZJQEkC19dFmV za^bjZiw19ei4%S3fgewSg@Iv-zn>m=@FR#d+#MHdxSNbMR6C>VP8mPcq9TWKnV;BLNV0MNE_oyENqk^z{g^q#Iod z+P#4E?V_l%rl9CG{uFrehD|Tv&Z-!=XjHHO=2LxJ@tMi=2rdotY4CeE%y*%h_%F59 zSM1J%x5)nBTvUNKa}%6G3Kk|J(HIMfJYv&4`D4F9v&>l4^FH2j25L(6fr)Z3XUsBo z|FM12A%$5FHcOe@0vv@)M(CubsNJiE^Tk-;t!m-IegFjc?#o z(Z1J3t7G7((m%s}OMBqtwmG$qc-Hv0$sU~MWFQHtyGGrb*FdM`_ z?v9Ip+)c(ms-4kwh77Y>n-9n{aCZeVx@wKV>$FL}5P#l{T!cAR3z$)<1(K+I9UWfv zdRJ`ZXTd!33v?n7JHmCOK-GXy$BtJds16mosPk-kjqWSVy=38@vw}6)6C4In=ceu; zI3VDf;tvovubJ0oJv7iEDWmm8pquq>K`V!xY2P2wArwn@p8w<6{IAc)&&8WcTe_iB ze7f`DL1rn!X*0YMY^c>_+&Fi9c~((~CXO|tQ4lPlBWR;_xeen)^H-!5gQnw4rz z&P+W`ro22y2ivJFhNghr+x00R1C{}0hS$@|rKU$(tl>iK<{=idKKAAyN)7{O{$4YG zeb^UpXW0e;WxL}7%65|hWol={O^}zZ)<#*jZ{3+}a&C;{<)))D$O~HS-b{MOP3r7~ z7CZLrl4-WcE{YQALdtp_71GuzT`PP_mq?9Y6!2X*RDk&sTas1$ULU)@p3*Tx_gyXP 
zgM-$LFR9Hz%**b$n3vsT%!}F?v1nv%*4iAP{$TQoBXX@-U}8S1;$9dOyv>Z&d8tgjEwFc7Z77|sAA8_Mp|vYRdh*>{(a z1j3up@inEqeg*|OxD<#9PFOKBCxdQA!vgaQ!61BcJ|Qg7G8cnbEF-A`>y3vmq*53V z(;MY`#y%uC$2%5|_W2&x59AN_CtzmOx6g?pXg?lb&3GU$1iQ{h2MDMwc%ARD3$rI` z*uX%--JFqjJH=XL-k~W;&p!GxNa*N?>L_6Al2D!|b*7h;Ej5_o>LT2=j8&FIuIHyx zlMY@6g#F!dg#FzlVPEZxNJBDSYHb)CgDlQ(d*Omf;M6+)HLqrM)43iA5|!JtXh6Wm zo5>&wFkl!Xq(SxpcVB{0Y_NCHEeJWwUBUwMb5YtG5(Nqq1j`t%ZaPCDwG6AkL}S{J zLI`8K^mRZoun5MV zSl%%N>;)v%y>TSfy(CFh?TiRFA_S;yBnaSYVQSiUI%1*E>~PgC>$#GiNquR*0JOcz z1BXa4bM>rx=Fybj2WUSpz{$*E!I++SwSeMpaNaxnbRO1+rk%-vI)-8)cgkJnXldjp z-`i~>b75UC7T1k2xSo3f*bkCnMwLJ}taQLYX$@e(FD^^vFC2sYal;pMUZR-M%6D~! z{f#8tEVI{2gbnrERoGBlFl@Z;ISRskJyokKCC3mv{zzi%pg}-8-5WMZX1zfmFLb3p`C!g3nfsTJAE(H!s=CF(kZ>6~V z_X|V>HB&a&FOT2hvpokPO5$PvL>F9Cqa2X0l zQ%2Pm53nFo!jBF9wX*+%iMaz60Uva493ONq$p=+CBbuEI6{fxUF>?k2aRgW7N8{l&5)E-oU2S`wu~ zOI3#)U`0G&eVD=RQozEn&x=S>RMT=b%Z(y`3|E7b3)s4XxSnmE^+g3o>fpUL>@xnw z$VuM+BDaM`S>log$Y>_1+JaFhxT)|bR7;n)>EZ-ck>N<6Uq&No4!ar@7#WW|XZ_?2 zsVM+zAAc_%j|xcfK)I08c1^%m-5bYN-Al4n)y|0MD}$9v8mwlUc!?Hdus3IpD;H2D zgO=7^|NP>4Lu7}pD!lE@=rod5an^LUBCl)Gx<#2SF`w3L0e4QO?W&sjI>n)pOmPS> z+aV7bkF`LkaprD7wNcP%K#>iFXx3#Broe`B+Udw6*e!G@^Jjp>o zoJIYFY8CR59>gRKiMYf*>+B4#kf{=_XvmfU;oN z^XI!5CBo?5Hh7GEBT{i{*uGra85i`6F4idO_w6LgsoG^hx*u`Nhg>5>Zl#muQ|6Nnrfzp5-x;Ks;x|d{!s-029gAAowo1d~~h81YP z)L(Pujz?|W-^#9ScT4EbGDmw}n9FPm*Yp@hjGGk@-fc{7MCDaXmjT4jkho{Mzr8M| z*F(S06Oxlh;r-P4xF*D?b*g+$bQ%!$4v(mOyQiwk@Zx~E<1C;{Ptl& zoS1vfK?eZ>+U8!L$rdj7kfpiZTkwgtN7Anh2h|io6o_04NR2Kp?nLJ&+OM5)20XXD zaXh!ZB+pIl?DX^I4>HY7Z_<^<O6UG4wHoU6%xI}Eb7MEfsV9U5v24-%Q{4dlzFgTnZERj)q#(C;jlYsh zf+W{i$?>(Cd&)gAthOqOA`= z*xNqFyqA)@o*Eg*oA7|__0XNX^6=B#PrW!Ly>OoQ*JJ#wbELg}mTl1<6e~NSxLqKh zU5Y#Yn!*xJU4t2IEk%@WXQOwckpG6oy=Yo!v+u4GocRm!tA?-SXH&6*^=o*hwFBeT zHgv~XM;_#eL8DgrmY<-ZEBkV5^7EstwJZGkvCHhb*UG%QT=}Qs@?qhEva|NAFnvI_ z!|)d?Y6sJl5OEIZ4dISid1q5N8vSbFQb?{Vx)HxmmfdhNv0tfbzfdgu1 zh)weGKyA_+*Oy%L?;q>kL??u0-eR)l-ja0}DU|M)%rZ*z3!6o|DwkZH1P>S3O$fUt%}*mmj0mcQ^m);*}hC&@SM?OTxww|bZeb% 
z1$WJP=>xc;Z?MF?CFd(z09H0rNUzy*8ABMCOIZ};JA&$@)r_NjZO_WyI-2^gwNNAX zhitfe;R9c+EItznfS=hHpZREH-N3b#y!j5K_)EY7>Z$Eb{IH>yUV6rw#Cudo->y#(71|Fh29T*Ja0rtkl1MDT^0o2aW`jTN#Z8FSfq%}Y6n+UNd zEhFze?7L2zOkej9=A6L+z5z2qc?AZaV@)V1nxLtN z=i2ClY(Bh%r70j}R~Q|qW9VHD1giOrt!F8gBdn14tr*5$-9f>{7SlOQ%d83KjFVTc zksgIBn0VE zrEkwg;trus_5aV_+cn2=BWNbxY>?^#}O@Ac4w6SMfu#&w68HcPutg05XwCB%UX8c;vI3Mxq>pnA}bLlLwLi zV3AKARpyh&6nYl33oj@%?0LO%3*EV!w1pcywKc>%_H29f5V1J* zndg^LP=*1j{+Hr@6UEhTLnOv|bw%DXs&MBEm-&#{oX^2O6D1R_q2ksC8 zDJg6YlzRlFjpi|p-riSheTKN`2DK5jFIjB&(q_%yV&m^z*lq&eZKkXbqnMeE7c8v3 zaV)I8A`8px475xqVVO+^#8%$I<0?b4f2ynb`g*&kW_`{+1<>z>99&p_mmuBMdK2E6 z=qi9|BnqRMJU#pA!?Oqvb)A8#EY@(F;D8^O_C+d4|5*8lkF6c~x=QYUUae~K>Yx7O z=;)bG`$i608X1r`ljbrec8#8=YlE4^#XH_RxcZcSAZLjC9!e&GFS2SOfx;|?pHhH9 zXf9|f*DWaTPah~)taZ|@>t(PEc!Keg%Z^0E>kGWgUNPiYLhGi39Q*gSy2w{jcH7t( zAX%Kv)C{U{byzQzHNvXxF00bXM~aTwa>U2H#=6)w*eTXJ{2Km~(An7_HA7@y)Q|q} z|JIdtE`2V@?h0bdf=WQHEn`%4z2Wup^9OT_Ha0BRBk1YzL+Gj2$v4*1Q(I4MkE6g~ z{PcVm2#iJHlk2d%E6UdEp@$5Oq&pRbZKk02-FklMm2+H3yen!`w{`cu%U*B)G`mg? 
zT)Y;gD{t>5)P6oEjA8$^-L&nN`B8!ayEl#jyH{kunw??PLieN0(kZLfo$@y#&Z|2{ zgQ%|fKIoP&vV}boJ;WT0d+zp1A;}d_@4hbO!NL8=12kTk%~9B9vcR1DM70dhw~g9} zsF#?JT3ogb-G=XsU6s7za#6VjCvmUOu9CVeDTqBrQmO5U_E%bkkL?9yWjv`d(c3oV zEqvp>_1A2=f`GL*E^q!`F>k)v*~gQQ7Bk6ildQ_S1(cGsS7l2tGwh|CJZ)ao_%5+r zw@Y_GbvM;&y}WK0Seg{>2y34U?;_SQif0p1TPu+x{fjVEp-;q*+R9j4$ z=PuOE=0>D(NX$+k`fRBp?SR@IWE1QW@`!Uux=@5nDKJQgZCK?9I&13IgcfI0EQikpOCTMuOJutl1{Bv!3Cv z+u1F>jI*<82HUvS$c(`Kw#77Zo@5-dh5j~&oEB~yV0ro|Sg*<=F9QCs3AwNt8!?xf z$%`bDmPuQdt2Ja55{6X&WS%lQX|7l^4zzh&W*D*2)G4#Y!x*90(FaXh%2Jh>kAGTq z{>mxMLr@iuckmz34cqp@5hxMG4#f}kYm~>6XTV`sv@e1|vNw)FvR7n~n4Qr{pxYO# zOq;URr3h<^t)>(Czbg_ zEnsRc>uQbMFtKY5^Hty=+`)Y1h07@OT@_$Jo_SZZFXVH}(gDbYTJOI?YNn8MAMJRn zS6sAwBRlUs!>ssbgCSGaWuP>?Ynpb1NHMOnArwijXL`=SSear!5$a#n&Fc z0RQGWLX0s6H_V2Qrs$Y09>#|6SvEYYs$yI8qC)7Fd?1lWvE+|rBBVpxpO3c}EMZ|u z2sv{R^=opw#%nEP*FmMloa4@oLvBr6z+C-|~?yt%`1;4ZG&r5dvNdU3xgY%Az!j^Q6Fz# zLujMy4iBtT@(4PUc0Y2Tj?*7EW)FseOxWTDN>iC8eOtPZ`lM!hUvPr<`+#&|mG>nD zs27qhwLQ`PN+R_IGk^6N33TgP>ixa-*KDE!FTFnwFTG#HOPihj@~ah#wwv&BaQO6H zgtWVVYAov0*6y5kTwY@8eexHu-u7a>+TbH5m)`6!Un4r1RKhhl>jGKt{>csF$BFap z>#rDY*v!3O&Qt>=3y2{c*VV{UWa2 z>ozR{i5A0$T9eJv!?&>+WH#_>h0v@+t6;Y=zJ6-b|< zxCMZII;q7{?LmUE}So=GX`G`Eb;h%&Idv}8v$!xG;}=1>E+z9P6` zn@7WZ%@$;LUklruEo2ZDn`jJC`=5NmpA4|p19ZAMr1&faUNUTSU3!uhgE&eC;TMVj6>dU{ZeEHSjK=wzEr$EBP^9vg zqu+*D#qC8;2KcbwM5vPyH*5hI-XB-QWWQL%#Ow@@CEdPQO-^nX)s4ILob8`l~)v%etBlTuJOP*!{ z_ZwGE#XQ76hpOBw!>-6Q$q~pPT`qH|f!0%inw;8VuuX|wBW0*5fyb>AYuwvQ-Dg*f%>v z(dhQZY7)Z8;4!;}Uh@g5+Z*%4EGTENS5>!OIWHIM7ek*E6GE6TbPNP8Br5MuZra8A z+VV|Id~$MQD||TY$t-}K;fNaIe$62hYZ#%3VBjB0V?DLUYHvZS1#Pbbu?0V*Goy7)s<;vz3B^7b@|_B?e-m@^@&Ye! zN&)ZQ9|!N=FT%Uc&d~MJH>F+Q#|SdLoxHD_IoU%!ovqcUPDuC-gC5bzBC|HR#KdTH zcbh9|#uhQ@eKp5lvqx7=@JWE5kk(W`*;6i_=o@`N<&~}Hzyo;=rHO`V@-Op6>+lC* z(H_Td$f`%CqfG{gkURbcmR?Oqr`xg7$Z@m9a983mVJLb7k-=W5q$90Ke-U;2HxLId zjSQ_(bt%#$_8%zy5N%CQ;4hSPo4rjINFSn@NN3=NE895%Gv6NvGv6=5%+1d5;L`1! 
z)r4ORC-3L&*S8E9oB=obca4(z&h9AV05j>7gK+*Ku~{_h1~It!mMG5nqN>O&G&Czm~rnZHJ$Kyi&m|s*A46q+z3iG`fSAc zID@;u&%CoRwg|8-h~v~2hi%bp9Q8nphN&s~7A;weF?MWpIRo2|>)OFfpVUq3W0|}{ zq}jgRKVo1R(mzS9MSPvSLZ#;>A9UiLb~)_9P@tms$DyM4i>PR`Gd!?#8)r2+X~9#S z{8HV(^@@Y;L3JRB)PfSHK0W#6-2MAA-SQ1WM90SgKt@x4SzRW`4MjdvMGS;47D`U( zzcqA_d+MCb%n1>|Xod|O09t-%8)(edV(Te0BdWJmjv!5lqOYtRuwjlyqm0cK!_5)= zCPn7+0-V!M)veA0!-h-p@s5&k#DYpDZ;nY`ow3T9nvORDsrzPJ_Wn1;?EPkEcrvJ_ z!))^I1}}Td>c;1bvEG)fF7#Vpk3}JbB^_VN)#iO$VJ4(N_!r2KN>X7jX8J7&4w??; z6gM0DFpx(HpA<=x8oCD|)tGDMK$MTMEnl%tTGg?K9@51b*GzMfv&;)U!&ED;!16kP zQ;Ewo)JyVZdv3__r!zBgj~46ZId)FxVoIRH@Q7F#kJxB2iZz9M1N4Z8H={RnlVq-o zX_9Pp9c+>Sze>uz{Vl2_xUrTfiZhcMxF$6WsOwkMmUap9FReUpJNPxY3+S>&0s|H2 z?($?<_=91JUQ+U+Z4==9H{-zhZ;If2vokzqblYY%IjI*=!OLw9c8Z+;^Xs|p{Ft4j zi3a@1g5H4My%agrKir8(dUS7VxA<6M%>5Y3VpY@6-A;_WT%oNhT>Sf}a_DGjW>+?6 z_UP9|b%omg3JtSoiRDUTH}1T?T67Vs(*JHe+X^X*&6Tq4)V*=`FA?>*ZM?a2wa9_s zx>?(f$scIZyy-!!V@Z{DxyQ>Y>T(*Ts$xoCk@AZUB;~tD_(ic;Wt%0??{CJT-`^C` z?`CIs4(T?_YVsRn&yS&O-qa>onH?NK!b9$48av5Lkc797FT^I6s0UxPFDZ~7y(oE8 z={=bQw+-uZA+VmysSDg#6*BhXmUXH%YgaLop~g0fmFekFqwD*kWBggOC5NrKTo%bS zq|_XE`3RH}W$jaT>!mbwnxy2D;Yf+;*=VJAp)Ng_r-Xiqoft0p`iu@yJH93Y*_!)^7Z0@_bWCLuJ)$11gWmtT2+0ItY4fxC-~DBC zbKy4X)3c*rp5-ylP&jk4tZu1X8q8qoyuQ?Z|1tgKyt#o0ozIKda!#J01VUBNG1N{s z-A)bwk>AUE^MiyrpB;ZlBos_L{6S11wTAwSkz#QrF4T}~+jaew?l)BV6`!iy?{1o` z(zjJm-~^K&I>(zMbN#(S*};8$2WWWhjQ1im`C9uBxS1T@LQ5ETVPm%I!L<4k4l#lOe zP=L-|gxi_>JUpVhoB0+?Es*hV#v$Y16p`^}XQ*1brM8+#u!wGrt(F8hgqw2~3Y0Je@gpAuoZmVr|30mke0glM&m=dDohU&mTVEpY28T&7 zXP*IZ(Yh0TafQY-Wcv^|bHidA>!d#xJ;EhiS?REN1wR(j{`A(`U&zyJog!AHN;oy- z`B&;FGGXIy$wuE@U~s~0m6(>T`P5cz+w|WX>0C$yZaekU)di6MVsum5bc`gGO`ohzi>DYe+cyn@eS>=`JG7e zUANKcv8T4+Y@=JIbqq1OhvGLMqa4n?9F8-y3(r&naLCKmQP$CrfOUYFbo;!WMDjR_ zn(;+6jcigJ3P0rDKDR^v@EWI^ zYpcl^18wy&FeA!#*~SP-l5|qfhG&@U0h|=YWDgjsA7hfQGPBHl9gKZp)vsnj*Nrfb zMIB;yF$*=iui)FLi=&&l(X0=%#qgJP_>HPHLl8kjnH>{+cbtz_pyX-K*UsgNeG<~f zNdo2C!+)p3CY#{89i)KS<`*Q6H{(bgZ;B)ivorMj_04ZJIdTgMrkCdPc9gd^kk8R^ 
zHv1U8i~$%%R71GhkSB*Td5ksXT~D*1{20CX(21zkAyTKT>KI&s8%FrKd}7p%$^dG} zo&7++Mvu2dYDD$1SMAhZHQPGfo5At&rL;~0?J>kSJs@4vO+R0)Fp=jmT=4YOFq{8Uf1O-6t2$E)PoAqL7qNf3Kw{Q@rzwp&($gXf>c~D5+(@ zw#~&b&7#@j-E-6$XYzj9+&CZBZwn6LJ)ysYNz7Gc@(yySLsDvdSfQoy>k`wdt9G&^ z%{$mh(5KB*TYRGIvaFQ6^gaD-s6PC>UT0E?G6~P{vE!1tI}m{EgK>cDgCZc?>5>c44GoRMk-$pxtwX)SIQSN`AMZb?t=CACeOjqn~~(nQUT zs5@lXK0q6uv2MN!@;_m5b3HM-=0CRj3&XZWR`?4X$R+FC^j2<%5M>lI$+yC8OK!vdx?%57uJ-4`Gt9CBaUveG$R!J%_b$&ElIQw`5w2ma$EBc|&gC<1MF*?Ng20+9TB zBJFW?V(vCpg!v*LOn6jrp90d}vxZ?UrAcRyc#jaICMxtMa5PHWY%$CP!h`KGt;`v% z%=w~PLVY3r0l+Hxp z;@?N!-stKgtj0(%?xL`DisnpU!4Jk^!4Ha9aI-T!y>xSCqGEq{hxP~Wiy2O$)p(ep z;y4Aee%8_Ni%D=ao1~j0V<1~me1AYYMX{S~NkC!aRT@FY{)H|5C9R!ex`JExC^jy> zGoxE4?sSx~Eghr*>@(HLHhDItdx*&cfVSr8?l=#Yjh;4q-RNzHW`9rR;UVNZjgfrN z3Y|Xy>{1nJNcJ1G!+rgyPqHZYIq|3nn8*9415C$tI}g|GX7Qz+1BAba9APE)Ivmv( zX*Uc7DB4hg(moi6(mp7nw9U@&jMQzYnZLa0rj2u*7eHt!-nLDEYPft6;|XF_cpBZn zwYz_b#S4|M)ZA?@{)0xY1@wm;3+tg_Oz#Sb9uVX6^-q<-4o_;{IbD(uiZoX@giH7VTC?ZhJ&hP-xO@r0sA0AxCbNs2rNTF^c20>8CMg-6v ztMWDVn;k(I0R9~djn6}28bt3vM3LIMzuY*pPLAh`$&tHTUsVws3>d|3-9$!qG8oL@ z4ToP!$)-b*(jH=BaO7>bb1wAkSAoajAsX<%>yR?;$lYN8b$Nr?T59!q$go%gP_pIA zruBA^KW%EJjOGCcp0d0;qP7xiepAirB%838tSSs;)#0)byb*c9%&sH-X6Be+?MTW9LJxDqTC?*&U_Nus;0OO;}wLgPn6rScDQpYtcnC#~243&>E`(C#w2MXq9(3 z{IB6b@Kd&w;WxThQZPRj5bTj{jC5Nb&5$HHjYl7*X$<}@N2@n0WqTsiamjHte{y5e zw<24Q+cdYhcJ>zSMbV)YbdG~@bvO=+bvVqf&lvWcT1PPIXW16n+O%5uzk)_U$ zA;11taA$;nJaf+a!X5Pf*ZiX$CL78^csn8CPm`8;&+}1obVxj(m7;C$?I{k7H{NN6 zB0Ra1B*EA^8~sY(#lTmmFI(1i2t^JH%bwcHWS@w3$qrE4HzFvRuOXj8@c6N9CH2E- zaMh0QDaGuy;}K<;nyEuU$2#oOPlQ!El>#WrFMEfh-EU0!p)eD=Ix_oc_HJhCv znH-KInH&~LCT3@6pFaG{qMO-`XcgdT*hu;I&TgFH`KYJx{tM@4vzRr`Uvmn9ln0N{ z2p2%oD9GuL9!PwL^Qdh;IuSX&0Fu^4*Q}u&mj401+k?X~ZCA^71=groCfl0K)~Ds( z{6f|xUjR~&$zozS++xS_XKo(r=7u25NvE>e4sS(XAi~GOuoi1EbLWKA00{HT#LHv6 z8k=%7ZKv4+3?pirGmSxoa1N>=H2aZ;Fe`Efr}-2sK+MobmkX8JEoIeH3x%Y0Vo(sw zqsl9R$Sx8!^bf|q(ueZWpn^}zmQOG=4#zPx4vP#8von&GPC>I9rM96|iQ4Sr*WQ_s zt82qhVF=cF89_`ul*k+=fX=nC%wsAyAnF>vDzznwwqNTz7-4-v}5!|umT 
zJ;S=0;kWH_4ZJNFF#OMUv+jLaltgitv(QpKvHDTSsCP61-r!WBLF+gFd}!hhKzHd| z-J;LdNvG{;{o?Ay&g9+6(b2QePj;#J4`wXkDo1mqOQRAIg~)@f@H*-QD4$glBj(0^ z(YjHgTE^bu>o)#@v0D16S)h(EzaYs8mRs|`b>0T}Md#Y!6M2uAiMK)R*KX`smkVCs zVa3~pl`sC(9xj)jK(X<#zJ%@t5w z`Tn#KIg$h^!{_9T5qUnZHjAmp4Z-C^&T#EB&7~I3=oOWiQzv$aSN8cv`RFrj+-QQ1 z*}~hnSBZ^FHExTw8(q1<1Yw!-k#?^j#9lOeiv~+m7;*(FsRDguTFTFz=$CNIU0iW3 zO?&V~V+g6C}n0dnK3J zt?Uwj7S4%rUN)r^q1*4uIXY8>Ww?LcVnKXaPdc5Pkaj|82Ke7m8+NEf)@8j~;eWwf z0cW_>ZViU*8Bluxv&zeob#(6}ual`QGAVkv_cV{OeC;1+`A+TSv&~tFe1qyuwPgXRm{$4@pZbN-N-A-2XQ<9CF(TG@$KY@u`ceXqEgIJFz32ivOXJX z!}xua1t=(*(24yQWKU<6<`Q8VHhettzrDt6^J_ZrphjfVZaQ~q^T7(kqFAH8mqqE5 z3fn)(j8E+u+eV;7ZMl;XC@i|%tyaiMED-Y8z!mOe7oEch+0L)1p1QiGl41fS?iN0b zgP8sS8(*+U4#%-b4vQ=jvol(7oug(pVwt!}sU`p@Z1WaYPT$y8w}6VnY#-Kr1NTWD zj$F0i|FQ zow_kFyD^l~S>V~6uiG&y-thJdtqVRMteaNFdv z_Ehbz-YS4oTL88(DbX(QRD;lnrHxPguMkh-7uFZwajnV~cT4&*pnz?zA!zIeDTLs& zd3ESezNQ*` zCiJ&F*H_ecvC-ew@>#OhNhvrA`&xpSS^lsKw<>_Oz#Gtv>ANM$w(Aat3@grEE0PJa4ucBJX*yX_sa zn;+j|y14PK>uSEfmitelv0|Qvm|SNkz6~e+huja{j?f7V_*Kr}cO6?SQW9|~-bdJS z7xPs4i!9XQK%5VbiX-fvf3pCqFo)MmU{E->tiHUg12VV%LRn%!#|=7?wQS~=3=WO( zuvU;R&=b}~jjjeN7ZEJLKeC2tLL9(c*SJ*SO+nVd945jSG9!~T$f?9AZ!M(N_SXkM z3p4;p3AO~Jm(9S!kd4OQnk~GMg|q;{IQ>M^Oz!{5bc*(OFy3}pxk6H4ykR9{(2i9@ zKB>7Aw_riB<6ROYP~0wlt4uK7MjHh725u7C9nF`F6Vm%EV|wVi4qD2O?;^RDzR}@V zKcsuTiU31f{BT5T#g#4cRBmb3b4ga8rX$Vi@Exi(NOc%}`;^<_-1wgqNGjm!!Hg)NcauC?~lOWDgM&)O!NVG_@2xd5T?{!S1Zqk zoVD({1+`z0CR9&u-0#~N)qMHVHnX%4UaTKO(c#zP``2#sgu6Kgk0b)k*CI>Fg`#vk zR+I7iq`JzseppuAZoyU@bGYOifZgUNPyFo|lN0czIGuwRa`@#-nG@!m*O}Io32s*W zzNr0$Jb2$u)uYGV)#-+RaHaP1UEKDyws`=h<^J0RwLhtXbzh)DCDJD7!E$)AAouMZ1``qA> z*iGIoW>jA9r1tNSOzuU{v%WTW>}>M%-N~nCN#)U5jqyTXduH7%HuTuYl}dNG;Hj_U z3?0#rZ!gfOgIC2qP_+g|Nk{d~!Gm`_xvThf^`$|e*UbAvI+M?y)^0!hY0Wd0Tzh}g zj9-Oj(XAmTiiZGyvvrU+5qVI$5vEtBLiE5msm8*13tBa(-W=+F={Ne3Q;_)y>gHH+ zep^M>fGCFWl8BF&WZ6=`5(aD((ANLlGGHcV_S_)5*iC-Jm7Dyufi=I~M$VONXylo+^Y-eN`slP*I)!%-)~-c*gFCUwGmgoV9F%%(dt5P*HgkDCYCs-5uMk;_Ol~dk_VfaY*G#^g9lIhTQnbN5} 
zC41`?AgSjBOFQ%1AhVl8wqOaLDo#4TwtuWe&GzQL*qeRuo!p8Nk=l>q6xyC>e`V|j zaDvL^Rf}D}xBi;V@{O3~D6F0Txn+T@&OUuKLpWBGbE-f-!8Q3r$?K0gzyjGzWA$~! zxsH11TGkh?85dnar#fFY^F_U?xH=+W8iDOAH3^8TOln=ACISr2S5BWGziWl#HcV3i zWYy13++*Zc;rf$~RHS(FynVHrmu!Wv!fSX}@X!|s;zzz;oGH(0@!6QxsXZ;*JlRk; z)Ej4>{*$HX8TZ>?NRtd|8vW1Tb-f$ z>So()lA3J>Bu#`4g%$v{d z#&_Mep!e1M)?KWupK@}I-p|6foR$+&6V_IlsesdV)n$FPsdNn8ds~{jFMJw^Oi5C_ z3<>ffceDAdp4#%Y4@eup2^MDGpMF9k$ZC8l`2E|FnvZNH`UfB7uM)Z? z1NV@)8yxo9Y1?0_wnf#_gKt-0KzGMsKzEB6P_r|1%G86;Y;qjl+9x0BrQLeNFuQ=- zbWU}EJ4Ko4YP!tD2cHFVZAH#f&Z@;JYvOZ%?JVDhuu)e)#wR~YazUWtj8n{G-^F{# z)`yUVEQ29D-(?<7LJSd36!?47hH-6G>c?-xoSN&>y8#V_Uvqv7FPEDj7h?^@LQQFL z!rw0a;)KWyA6Hk^vdgOt1HzP(F@>8tKY%OGft-<4HMZuOn8wy@LB^J{Rfi;6d>|*6 zjRWnnfe8b8N1;E}xO^CFso52~6VdsHD&S z=a#9nI>YOwZtAQi=k@&Zc|5GUx0AEu54x!{6F)08t^!Lj9jS zAc3ARRdQOKBDi_+fg#Dm%*K`~tVR-p`&ZB4Shw-mo>h$-^}N0ELk@p&pRT{c=vSM0 z{T#?W`7a_jKnxr)i zctK^zcvR}A!q`0Ac8kF=Dj-??R}klbe11jMlCO+WNy2+$`jDS0){t$Bod25m>LN0f z5JVMP@Y~6sTS1E_ivWS|jst=37D3=4*R@Y#6Fvy;Wa_uw^ox6 z=O51}>E=ZWq~B)xMmBp(_p98>>As^lJDe7L*_GMVgCoyS6B)q?n0$HOQQYw<%;lM^ zNi&6e5WMcbVq&wtU5(jn-L5pr9A--jJ136qW*ywzI4#J@ULyp6@(tk}-PkE#a9Xc9 zJf38x(ESUFE?$ThGxSsFMpT7@>XgS572UEOqfyId3$hEby6~BkG8>CmvE=Y|J^c*p z^MGb#U;^Tv8CkZ3BBXcaf;{Vm`;QeSYew`FR2H9NS&<-tj>0N*lv6JNii;X!$I;D1Z@|^*k1WaPAC>)M8QTwm(3PrEbzfyOgLJY0aqa`LHeF1IK-+9#5=Ds zjVz?GaTmh*{J9b3>d7fQKLEILHe103O7MMAhG~NFfD<uAS6N^g%wzN|1TsOA(JJ?WjZUP0oi7YEhd3Y2E1{e#7(RVT{j;Ca|uWDv9M%w zRWH!_n2BhL`*lG^R0@UD@Kto^Q%VAm7j%mGUPHwL_s= zpIa8e#BYDJa=n;M+-b0;ZR|Afh%X$71l8?<(T~2vbR*HpPge4i4FC17&g{7fX4y`Z zRXq!y9ns(}d|lB0Y`S#}qGM*6-?7Ko;)OgA-I0H_ARo3cw7`E87Z6dJsfWDO4b-UR z+f8piIq}XO>(ldJkDmF$SG4TSI-kL|37GCs;lo+pI#F8HFkNGl9NR6(G{K9YtUhfn(8?=`85$|axU$V zq+9e@CZ)C~+F#k^(6#P_zyT*)e9m{p&%C$(n$1{%#COMm#CMAzakI1YlM{<_Vz=Ri z*}fuH4=4FWi1B9^?FM{)|IqLml18Cn@v7FWCYPJVlpY^2PQT)6vp&6HT954!M~We_;z-ElbN-69Uz>IPv5=s4_WC;%J!^W1~9X7Ys7sCUy+ja)jJZ^C1lG-77HCySkeD1 zm!^DgkG<^v>2K?y=|Hv|ZMoy40m+&e)-&A);mr-k~qE9s0E>-4DeTDur_U ztAs>=Xx8QWu&g}}Ad~ivA#PWSO0v 
zpITm!*+dj<3cMV<#;4s+&bN?Ai-=w@b2#l7H<=xOuSyCE>n@RQ@T?JUy#!`^n-@y8 zd_8(nq?`EU`SM1BGlif@IyZJA3rojwT{HQz1{&=5q)s8EHkElOEm37wAM*<@pqEw2&|X+2Re*5N@CGS6)R#F5+mfNuzkcVir@Ns&Rz!nI-^IFUJ9-UKRmTW@o5Cx}`T^ zHNQg*N09rLoD*gbiP`ml+uC=Fh9#z*7t5X`_x@3~NDWSASUjF4gc>0+D+gX~@F$pq ze9=zk?cyq$VI#|uIW61fFT>&Z1JZkn7Bo2okh1^_6b`nXQ-`rv{%wFO}tUmGfRN8|fCnnga?!}c%?;6R*M1Uh?80oEpB8i9~c z)1mn@7zxs_iAL=O`YFsYhTAyay_4X;PH-^j$rkEQJDKD@6}n>X@5?ow?W!CHWI}!^ zFlH~uVa#3@F=l3Gc&h29&uS9to-iIyH+w@eZ2m1)GmtLblsU@G8o#f9s|8wql-~xwHb=nd^P;DuUqsM^K(%%&JN>L(u zd@&K2iSy205|V_$Nk$6!UL$)RBG)wienMwXWhd%Xtvxb^q|GHf?k(F>Teh}owvl*u zG|hYBy<7gw=K!!YpANlq2vYArV1xAg> zyP~tBmzR^9y7pM&8Of01MZa1rGo@>u|Za0^1 zbm13`p2@S9nN8E#ckyLcUqIt1@QVjEHD*;(o~XZ6+iaOvh_kqqKGQm_<6x)rdRoFP=fd56yP`_x=rJM&p8JN?e?DGM`RA;~2c4fe z`09$j8j3|5d;C72z#v%yI)*U;=N9~|;&9BM9d`ql?{hyX|GW1@G^35#aH@-MAeEP;+ zfJAZGSf~?=UD_qCvrR2vfiK6UWqw&q%WQUr!qqpmnaMdkMPUIDqzMpWEmoh`H@DT} zZ#ibIWH(U1l3)AENJpey;+OJmXFK1_0K`B$zZ(N%m}4J@w{8+^S5Wv5_=wuOv9;w# zCtWsMe1|Q+J?nD1+i`bm0mVD7`B+;3XL@K&Hej=y;c-PEQh1=UibkL%@ z9i%+EZs)W9B`-4#0zdn59Dep?5kG5o21=mQAI&DEc!+Ki24!5vNLyNXK3u`(bp>m8 z-7F{T+TE~X6>;$69J%8nvKtY*U7?psp}qnZk>pa5mQmXW7q$0fZ?<@-pkYCbXGD;7wi*ORJaD;Y0|aObk8jPX$g;$Ac`orpk|IH_Ey}*pM9V)y za;f!tC4l*_#-&PrRZNv^b_Q=sI)U13GBAnFIj|&Dqjuk(ImeTvSy42Q^0WAubA!cu zNCVthB$r;dIp(;mr-y!KO|Zllb-l0x-|#w&FZuS+3>I=DP)|@RN<_v4#)%mJbTQU# zggHsmMwl(=MG}(4k++Ss7(YnW9F$hr2Ob`JEz`FFxs1(_RU|j$vYvzRk(1*-C{!<0 zYT4$Fq3)JOJondJ0byRU_t^Wz3%IIWGVCf8mNG6z ztFhuxdr`!Z`c%LEnZgIh;fC{(Q3?+mP!g4=k%LP<*spr*Q%n$#S!eQx9#@FMV=M(FVtZcnV5 z-^m7rK+|pZx-!KYIY|yxU=SM5E`}`{%{Q@H6at%=L^Pi|QA-#-_cHzfC$5{WAvBW^ zXIy3FNolEf;#%_>KUJcO@aGN|)~VP|R-TUkTU5h?Y-xe3uypbwh%d|XnJ@4BaI(uR zg*!xE@`keTJJ@HrH9x zb+!A1pKG#6ABz(|wI^=do>9r5$+Q5;7v|>WuA7#E3{LROxy$m=##d5sWgb?RkxSl) zfK}m?PYAqh3j|x>)i}1mt0G&#>_>?*89@%-_t7tv-YWz{RSgi<7@DlUnf* zF;dN=L?Vu#MrJa?0A-joEyHT0EyQ&SNl<%K^oaQCMRk(#c(7u4#}}etR)27?Mb1@V z?EtCASdVJDYN2*pZk(fM$5c{$iK*td|1S?a5O;4j^K}Dg!^>*w&h1XNNEV`F_)5O~ zPGIdcBo`O6>ItVKZBV5IuNkyfF^3= 
zU6$vByo-FKI8pMYkwg%bB?kVHFeNYUfot1dFeVV}U%Qlxgdc^aJZJan*ml%7Yam@LS z-ta+klSOv%WW!t?9`%=S2VB34nRwz=mfQCj$|1_MPUzCqHy7}(tw9?5-BCB}NybQ@ z?<9np+sjLA`nS~XMMIK~%XjDm#D>-Tuu&tNuC37SVBGhq+wr7F-mQJMBg>{>P38wz zB3OHNqQio6-uMRHabNIaPzHH(^V-MtDAl|l(#;&*F4XeHO>B1Pr3(ifAE$JB4LekY z;PHI@BS;=LUPv>54j=A5A4}m)3frK3cnAvDt8o;rS49e!*%=%jI)%$@@(ybHEZw@* zlap#)O^)6FGjH{xHfASDc*Oe>1QCnf&!GD$bwArO;Q0BHf)ySq#b+?79OIih53_5~Gc@ks1xl5?xER7#f@%_~^am47TCU9J zugK)1A}f07-!3;Rh^+5ChEz^%sn|Au6i<;ZVUQEWkn6@W_hadh3fegaON?EzsTF+l z40v;M=52dV;9|3eB65>?YSA_rMLu^Dtey~>(U@~1=DbaBx;l5!6Imc zug1{`UlnPDW@n&iI*rh7(q68=!rk(p9TX(`RCnuDGc7!nS{)gOOXvHayS=&SxPW6d zvZs>S# z#~Ze>$`M%?kImi!B}0!966!6io{SENq57ak$gRrT?+32BnsIqW#Bc`2Z7~g?+9a;y zFI{DwQ`G9o-iyi4^kYvD3@x&7E+yXcmqb7sLfi<#^K;asx!p~OLpGP(4VD6fTj-{% zf0)%yb1Zn~XkMw+qI5`M(HOsYydIIr`$O_(ejtACbZ&FCTOp(`g|*Sa!HnJFEf0p?TPkR|9nrb-Or7) zUboY^@i<@T{Jr(pY@UK9^lBVU=v9#>WOjD`^Rbl}-fojG$K>Db>htBiHA0G3KOd|A zKrGg455$hDE@W822(LG@@{^Ne_~s7pA6C{5=@82`s@sLlY#f0Ui*#nen6p&9J0V(XI!!b!i#a!y7a4o%-cs;12emD`Vi-dzwfe+m^cumEMtrxek!cadR*gfE)|GQnzTMc~Rrkj13l`v5sk3 zlH=%8SRQZM;K|_p8q2Pe(oa6M?1TK=UUi0jD-o=~Yw=d3yKXmgu2vBQWgR_V(Imq2 zx*}>6r{9)71jk>I5)|YXU>tA+Z8Ak~i@p%$SKJCXeIKK73SQ>{!xYC{wt9l;^m-iA z>2;CmWOhd9mTvW|HvXRV4?c~4MA&k~b%hWn;z~aJ zmV?J5K>ps>C%y@u~bvXo#TY3=#`v!5n{tBn)a90RHM zl}5Hb1-t9%j=AwPD|COl;@X~RuBBV;{3?1xFoovlwy zbs7@mFmz%8h031~;jS$M(2d4u7LnQFdmD{{Tn8GBcC(&`$CPB?JGwmmzWJE-mLZ4} ziI&ZUU?9C7$3S{rWFVQHk*lVgi$N45g6IC~ZgcbxN1THk|4TO_=2+@QlS0lzLUWQy z8@|GznWj%*+KEv3nCntnZ7IbaGe(HetbX@lM4TD}y1R4+4>E%F_^9|A28xU@a46e@ zMrG1M!WAnjG=SukutS)L3kIS8u;MF52r^*`Y|=X#E@02e6Pf3`o)mlOB!d>Z^(#kAf=<|Pd2Q-Zv2K6L*cNH4CC`)VhB6s zPox1L4P={!(v`TABDX00RDveqv#(L%#|2~ z44*^jKG3tZO9^qojQr2$N9;F$9`lxG{yG0D<%vh+6_q#)wDN4M@=nNq^Bqp1I?vT+ z#gy^O>``tRc`QDGNbj~6%+}i{6+V7Us;jG2edWm$us6H#As(xEg?aJh;>G0OB30sr zGb&$66fnh$nk>^I!2RaRH{L#JUWCi+IktY%xPLnO_c@gyx|%#qCYxFZepzxZkZbVF zwRBC7=j~=T`E6A-^U2dA0FY0o?PdWlea`NM zSgHoG+E`{1Wy1oa<$d;K`T|qroICl$nd44bzuH4I9fSwkf-rKx6?M7PVU?*;4(Agj 
zBIJ67ES;yvko1QJi1kWvS#edLp@cpx@MRS~f@ASjch+tcONhjwF#g$*Qwp&47-udkql0sN6a;!f1rj1KRe38s^u*FrqE zK_?KzvTEBkl5u8kcQo!)u7J#t^o^SE0iPyhaF>=0wbuRpeBCZFCor7O6-2hK@*jbI zg24T>{lM^HlJ_{ODdj?d79gj2y<*ED$ru+<3BGYM2039g1syG?6KHB&xAiP;NO*5? zfBNbav7Y^KNi>j2y;`}^x?aV8631^v`*eCR-m*P)}W#GRf zxJR{w;I*Pn*3*-ePJx{Nwe2(r4_)dBu+{44pNlSL`5bu4zeh~Nj`GU(Ohfekbz1y& zTKsid{B>G9`e~8fPz3$w^|-2cuZvah%+B!m&~GR6qs@)B~s8F?A#*m%A9|A_mR%Rqf8!) zyoR`I)~x)JrnMoEpeJ$-#s1-xp-f<3>sb`;4*~uV2SEEcrdsy(e~6xHq7_G%gfm-g z_2V$-9L=8*B}vdqchQDaWvjMp)ZN{)2hf~%J^{ZdKcduv4Y7Q#NX)w8D@mma=0+7{ z5Beh)qg?>3HSCK_nK)r$NufZO%9dOZ9AA$kIKD0t9L>(q(bp}xSqDv;@VAp=CpF4h zPiZsWiQE!LENtD-52})e`!99fg9@R3#m{5b2$682i!o!!E9D$NAoGH_gbB{t$B1p} zlu**DG@wfzc+ICXRbTl3~&(=xh$S zApOS)=hD|Nu3qd+E}dEYO1B-zkFx&MJ}bDI5qJ$>;^_b>+VcF~Lle7B60HjC$kf$Iedx`aFsuHtlW zjmN?5vX(bkx_wnvwz9H=DUfgZVh6jf)IADM6{=atr|4q9; zy$tLLGWy;)GWuSTjBa*@w@LLfU^W?X8F&YaC=nv+t-$L zh9I*GqKG2-!M-!ZD+BK7G-4Y52DS^6m_oPVUuRU+(%t`>n>r#oaN6C5Z=EYNHW*1* z%<_KQRddxW5>QO~i7bK(+X7RD0a68X_~p9-ce4-Jt8SmU;E(C{Nl7(bdII1l60?xn zH#`+I={WnJ3dWiJR3^^U4-tnu08B}MX@6)ToZ3P#4}7!5;~n@VP00`Zzr;Ugg}Q7=1j!jhP^KC{OWzf)34fnII! zz+4YjORq`0nAWQWC5*BvcX|syI)8!L;t?%;DLsJ_ZRZ5!9cE6|9t;d!`(}Ek4Z7*q zfF7cHMBhm!`%vl^v@O&~xU;rp2aU*{us1Gy!d@|Zg4r3UpH8yDP2 z)@{ntYq8nuzbPjM>CgovM4Z)>mk9(W@HJ4qtqvy)JVoINg3rb)8USq@-Tsa*^NQU= zI!GBs$P62$0KMOM4LdYCje^141bT`#OGCZ59fwPKQXCW82MO05VyaY5DoMz?bHKY5oC0P+ClC6N?hky|<2f zn9biukbKzCau-G?E-+g>;!Z3qc-)EYpo3N}H(w?nXMwW~Dl!u6jmt=|SIkIYb_Oec zpl?vC30=iLVa#jto4etH1aFqcb<65S51>JB9ri{ya<1Xy!)wk+PAfpEO>W#-N_H_# z97a9ho!8iw1@d-(V_|Q%iz#^Cd=Eo@SGC^UB)FuVP^^&J_|UNX1%N|+?XNt|S~9_% zP&G*`gNl+WuhadO=+s^!d$$+3_#Y{a*)PAHMf6ev=G8az5RN^cnGY(Z;`S7L^}TU? 
z^}Qlr-Rulj?@-^KRucem!{%H-jTBtqx0BuBu#(d1&Y1?_!EO!!}6QsyG_ z;r}K%{N>cPqXX@S_KKzP%+8#`?EYOhj#iTpMxGp3%WCS= z6@7BsdtpBU4yuvo%jkB=X&j)VQ~y1{kWS%Gv360w0Pt@q{S^->0kQtbkaZF3@i`Wq zTz4r~CiZ#wcPFx2s?Y^iQzk!61HV{nyq~JYThak_=bWctj*2l zMl4f8!zGjB1JCgtQKrxCzaB*q=x}e+iI6DKjXz)m_9iX!04TSs{ z1(~}ctr~ZPu*~nTmD^Racs7Wv1$*PN7VH(X7MPvE*`Q}FFq^!KXY$bk#I)LU)SIc5PkJpGJK=k?dO2@zNrA5F1ti~)h%8@f{hL_+0qGNzgazs{cI|u<&}*q7 zjdRafqk*R8X%H_Ilby95XuQ)MfhCN(_ z;|AdfMjEYQ^2XB|wIv%_Bxd`9^vZg1f;dn5(t22J=Kf_kY5huxLgL4$0aMnuRe}&7 z(mjwYVnUrGciH}(E7C^r4 z{F9fdU5(4E8`XmLSw8AE_45Up@1S%hs}W)+5?LTJhx@V$?$=v&vurK}_i%3<_i(Ss zJv2K5dFk9kyUA8_$w_r}t2u~qNQ+ytnuyI$ih~-)&G?>KBK!|!@xFu2iW#kA=7oT* z>94wyojF=AEhXZqtpc{`Dl%)npXnN_TYoTnmd8zVRY{ZJ-~~G*%g)v0ewvY*!F|EH z*dNEb*e|j!%+5geI_tu0;_k@L;VrVp^*Zs~71ijOouq}ee5H3xqT@USc<}HaV5dJ^ zinaH95L&?2i7=5s;_61y9AC`J8*Ua7O5j9I1)P6K>bkLB`9P-EILM|#*#+>q5+_ia zP8F(|gYu;ykj|$DO7UCVI;`NsFJKa)&59@`xi0)MAk!X5%39wkl{z;vZRNlrV|nbxrN9KLqZ1 zx}55C4%2-dPs=ddERPVJEM4a>x)cQBRiBZ=n+5iLP7hD`>s@Xj0|Zv1&(B8hPB;0G zAiq<_Nd#1=PZ3|u^9eIMf+4X!E_2f3~ zgn4qCEgt&henl~Kv2mu?_4IQ$xkrYUl3C=a%R?RH((JMAxAkM=O@9bjU4|0H&5-L?QRvLWn42!--4t!pD)(O8 zx+^@M%vHQ$s~0VW`1Yq-rc-;FY)_y_rP_t_`D1Az^%J^8mZBG#dkITf+V0P(-kC8I zq@?|Eq@?{KDaq^%WUP~t>?T_Sjc+HXn;Mb>A1&I&?M=I(qyD%0X6cC(IzZd}<{jT| zLWbZCopDz*tjZ6IA-HZ_&XZV$9ISYBWeUoPb&ZSqc&gL430yw-{ClBLKfN^KX++s~ zbm&rikMX`I=AvmoGcaJr(-IDbbfX?v!dYrec(S5c8o8q$2r;8~+&X5HKL7QYDt7|a zVzWe~ra(994@Rcy*cQ7`yLZ6dO*hyj;+UQEvZ%xYp85w+Ts7yp{ZyIY^gZeQduXB@ zvIzb6ba64ehc0HPkYMKRk7MTT7nylxXP~z_GtX`^;1v2-`{8Wz&#p2`8k>FJ^|WEL zJzYnvG~ZGIN{{ak|`PbKZNNf5=nht}^?^=f!CD zquJs<=S7L$_&v^xhgZo*KP&E|Z{Ooo5OmP}adgoAA|2H1475|HgPKjwR_%3jfrUtX zf@Ps=A#DOhob^M&>iUyswsY7I)|*u!#yb7S%eBDFZ={9jle!`xE6mm;>u|IQ{F!aK4j<8PlO`7D9t7|XUU-2m%Gp9N8JZIjdHi8~=5^Of|O2h#c%P54^ z5EHL|cLz|xFBr|0G+WSy1g_*eu`zlm6q>U@ZezZaqkLxio-HhXVb6|VbdEMY@S11) zT96I*$B_;9i)2HyGq>0;b+Vz|WWast-wnV?y3W7Ip0&+lt#9fFe{Z1G^I0o_;>WcuBLQzMo2o7^at zEpq>$61B+MEefE0r<;Qy-0hDe-0c?$cV=f`A9cc=-DH4$d{3+TGv-3q?c$(P!XxdX 
zD$LPO6yxg;e>=lCc7}hHkkOD0_YFfsqxpMg3$oM)3GCW7R|<=7_plGyjwDhes5G!R z>NmCXcTr6b==pd^@@iCxI-oqas14sNvIUR-$_uCr((d19F#rHA( z11qk5Q{z8EF(2KwkI=gBV7lK3YU!JC)Y3OaYN^>7m~Nd~YBw2Rxl`(M~@i%=zy2S&PXi;=}BhYSpxutOwEtcRd4`y;S{y3_mj8=*PEV zscF#1C-1(o$u}iontZdxcQN@TP5N#o|Btcr?th}}Jd{3vkHbVz!rqLdguN+J!pzR# zFwrStb`w$*MH}^F!s-W(9+A{B$0aEVUYG9Q*?t9`h?!2j)KjynCyO`^MI_z6!R%L@ z+;>$?Kl{`aKBby*9E|66-Sftf=W=x;bX#@CELt@`S4j^Rl$*&gHs$bU(GC8a&Ra;mc6^J>Q%I+~T2K4eDOEU?liva8xI z>&e@tTh>!NQgKQhWUSJxEEa6^vO?A=}?IWF^Rtu;8~2`(obQAo>*W&4yPsnlx&*_&!(nfppW6ws6`~arN(R3bQ$^ zFo8g|c%bjo!Op3r6dT*~+oV2c*#kK>f>YZS{`N2H_Gs2ES8T2&i6<5rh|KWxGp~8e z5c7dOqOHliazP4yGmaGerbr4lI|Hv=Ck5M0Xq$+e*w6Kq)5%|#PJxX~J7#Bz;c3yi z=_YgRuciKIjVXVkNYI6$!I-H@3BibnS{j=miv`=ucwse1D?G@&sw57%pI;QSc!64r zVTU*n6t5HYqnz1YQqshb;R$-(q5N2GvYU!^@d|7(B@>fV(`$u7*pMEkV3o9SK%FQ* z1+1FYUZNRq;me)753foQ?$KOXvjrY?FaMq#b=jy|bq4zRSCC?;4ra*>4G1O6`sNb! z$i_#KTV`?u6OS#%b%+2n|- z+mM57!Yy?3I*4!V0Tq?}komOx-D<#?lQC>DTxE9O{Mb#b1sn;j8@4=lIv1n4{rY9K z=wmN%weL~BMOyptYQN=B@dfMpuYLM#hN*FWt5p&Y2k!E6vvT)pPj%1k{rWL7niy`j zAiEF67`CYw9}%w#Km8Q5M8AAp_}y=yE5}TcmoSSeA`XY1C9*d96pWqFtsnAQi44y%@$+) z?3a5>C=ePbT#&~Hk4A^Mix7lK}hqrGVu@8Q&extS0ZP-B0_aDn` zO9tlcBfL#s)b%0>yHbf{uNhtFowJ4XEMf#whMT00!%FPseHAIQqk^dYW*kxbO_8W= zb_RA-Cu*Bbl1zSYW3Dn_%^`nIH>Fm0KNr)!Awi}#v%XQKi?4P48Q$Ou4%Yy7buSm4 z`~Qa}_Y-x9%1P>m4foU@u5DL}gy6sLQjWhX#g0JgFczr~qr-gouK-Ut<0_x<@55^a zm6lw+eZguO?x`>fFRMEfi6LO1rwufE)jfnzLm z{oeX(I?DsW^*R{G^*ShWz0A(ee|5U2nisnXxXDhE@2e>qW_2;l)@RqZos7*A5Z*uJ zyFFTU{$b&gKR{Hb5_6$p~%iH=bGB_ z91%PM0KNcVB?@|WpAFMwO~tI4>0wm)%zycq4rO`ic>V*B7G5H?r$f*7?Yoz zD|7$R&;6r5cfIndDM!=LnJt{X`jrgbhnwoE?tTcWz-)lVSG|W-xO&jpsRnSgU`zO` zl5oGV=rWrkC_e||C_e{9%8%I@h*@`8%qBq<&bTNVBXQ0UDAf|m^>T7dML2bfWA&ZZ znrXjsnXPp_ucz(J&1T`DKXZEapqLFy3y(Ko1g|dL#l$%uJM>>H016wZ8 zj5ZR(X0)zCJv8S~*O(iW@K1B>HHp z{_OeR%G3W)5Oiu|{;X2Y%#1+K9*jfJ9u(2DW@n%gdVUMDiE~T7G#xu4L4^vn66~I` z`_EGL3^BGeeWDPWkJ5D#xlcI9YMzy(4Rvz8MRZaOSZ=DWG+Ey+>&esl#np?QfCt){ 
zz+l$x3fcEx>cy;GJ(DeI$PDV~CReKpJ{Nug2h9SC$6jnYP?gTV%7;c;P3n8rqsWfuvEi9>Qf&f3;eMY(iU{K=Q@hf3Mp1 z#(>JiQs^GlY+cqzgSyQYbZ%mBF|~H?N(Kz0C-eg#I30Oi^zm6$jrEgmd#xm3@#Jd^ z6_IlrIq@gkbp;hnw^+!i0sNW#6HQR>Np-m<4`1bpXmLNBFr9>rwdF0SGcHuJUC5qyJBi4)R#wpZ?#t=nTBNRQBk z_A@B{2f6Ea@{_?w`PZA(f-t90EU}${qXN_OcP_)j9tA%areEJ9`fhFzp-q&T40KDS z9rGEvUM@;=l2Jm*HV)4v5eDJ}p(r|ryu_fG@@MX_kmMnWV8s=@b7-r89pOSBhVAgaKRsdytzKSqB;ypzb zHYNWVA#86ZgEV=k$olnOGKD=>wqybqeJ~CeeNerYNHqPduV@Q#KlEY_=F^%663>@Ye7ajeiLNR%sc|*g%C6 zS4agRQ3NBe8^eN%Za0ROssSSx-Ri|uvw2atyh|gcFF;v*b3*xsV=UWG#aUk4-A_&*)41}(8e$6I5@q@iT14$E%;E3Tb)@Ase-Sr1xy#og`_9nRSyt!gt z)%Y{`Ti3PIrt*(reYv+DyB%1ZBS2s8?LqH;tGjx*Avkr7$hk$li(qEi{(N>~#=!pi zPLTUB3)g0RCr=hOfa5t`i&*G&-}A#|HmucX+^^Z<8(k!~<9+|c7fAu$Js1bxJt%^A z&CXC{x~;LA2&~~Cx6A71gOUdX793Op@?E;CS2Ld@Y&WfRm=Pak;B?;dj`>l;Es`&j z9{D5EG@3IhAVHE4ke2zxm@ykD{a!h?n{L1Y@)*g*OK;w}>lX08ZJ0E?6W|3Okz$DK z-E{0n(bd;4t%v;hP7Jd&8qI6AAgl8_LUfOhfBP4&l^aX)PRsA9<5t(%wGW@%iA}gZ zwABIid*iO>a7DM?mg^R{cAZ!oDA#4wd2wSr=JbrXz zXEu?`_r7-1{Zy|hACYeD26c2<`&$iO<4HqsArJrV{{7Z^7cSs9y#bONl{Db8ZP)H( z6WP7$NvP`!KxwB4H%n4}`Wxk3Zk={SZE8KrwqYbFkJR0V+_>p)9Fy_`Nt26({-@PV zy{hDS>x~`XvcCFw;yTOIgf8|T!wwVQL_h4MvnS)~48M8AC;^~{&YT_TIO5TdqHjjA2!tiSvx_%^P$icR1 zH&@q!)wL5&0Sfp583|nY&i#)y{+&V(aJQwbN%#TR!TNfB`(olp9WEZ&fq!-45Mjgj zsLzm+k4m$0VuosRTURT?pbRKg^NgcmIuNqdhp1kNym$B0fz;$4 z3JSsDI10gGkwRd0hQUVFv2+JrU=#cZtujSI;fM$)8<9}V#nFMTg;DobHQ;< zh&*vVn2PjaJ$>i(VJ#5Yutw3z%`z>2H)=efbdDu zd0QCpf_#V&gm(Tw1Aa0*tSz17tv4DhhjCdOrrKPbG}PtO4(GuM9-)j<$)Agvxq-Jn z2X_pfg#JQDuX>egjBhg0^D&m?)Ls_T9-1x4wC#z)?D?eG`T^aO)fv~%El*G&{s~+L z-wE6Q|J1jWPc1)%DnZVR-xW&KT}}^vED(d+(r2vvlnbBF zR|7FgBb6aDjDiPoIF1K#SmZ&No#ESxZWyg5fOP_rnNQC8)8?j`L1_9IQW3Uu-9irS z?b`P?cQ^KV=K~!aF-THsrF3~pz8P#}wN9d#)SF?T2GAb}bYKis)vHtU^bP~JVqS7$Vl3JHd zyO}*6wG4kh|B>>7WPFt#xV)pXxre0m)%QmNKK=1_e^4BeJ z1KimNdVJz_`zBOiIkCVLIavR zbA}1~2T{r_9L#OP1?d$4QPm;IUCfD)Bb`M3Qm-C?Z&!z$>+9>rEiN!$Z$(;gOCkM3 zQF+>UmG<+&p2R}_5PO|MqQLliuDzfPUs7vlxIcC23){NJw54N||I}7~``9&F=-}0X 
z&+_|&iBpfD&U}CakZHJ7^%HwLqpDyMBj*e1;#dYZnAj9WByLW_>}6CJreK(=k{x=2 zM|C)kM|D`_QJI}#%uhe`O!gDfT;EsC92O*!z4b$HQ27D66n2x%0@rD^S*{zb$BCbU zRYp4I(|61LF*A??fPMmSbcUIuowq}Oafwedcl z?#b&)e{N{<$Ld68u?0csa2!GCut*RxJHt?>Zm~_`L^$uxuicg6@=`a|R&&)<$1{|T zwCnjfRKb{5%PMk0jzXjnet=~%==TVZ7!Zxu?WalD2-YUWs5|rRA(X=g{^X_l>L;rI z>6MaNf*e-Hv<>?*nj>S2dXRm=%+)^^XM(PNGK=S77W&@bUfI9{#Z!1b@s4z%=t1jr zG(#fS#VstDF^A)rF^5HFjM*7JHRxN|Bn*TF`nkEfURw!t%=TOM@SHpS<9bXcDlul$&@VmtvT>(N&?lZ6ErDt+O-_1A2&0`q-14)c9j z#C)5b{dQz!0yLYPqBkU>ZDCm^ezo-Vu{z8-cYL6D(pF?@RN+Hw{?HEZ&rr~Yb7NCQ zM)#i=?PeXfHP*>&n2vf)T#r?auA@>LKC7C_^i@#h>gL7d6JxI+`s0;^hm4o~KD;~u zcOuqY7O*g^*j=+nAHz@@bi#uUGh7RUptkVFMnlD-o`dX^}9s6>5IuvgLFq6R*CWmaG3;N zFe5uMs`-fqgQ@P?^Fl2Nyrt0&S8Ak67$W>z5|j|BfEX(GW#2$@EO`&kZ+R%8tELMK zi!^VIaTJcm{hKY`Jx4o-_*`pSJc0j1KZJX2`0Gd34F20I`8T!!`ms3z&;Kxc%KIOW zWe>DUzGm4mr60eNpa@^<`P`3tN2mgU^s=($di7vd%^{m0d5*&VX@7HRZ29#1BCkwa zTKtAHIYIgxPs=vlt%oPNEeGPayGKwzyabt4OX|t@PKN&t}?4Gj!B$yS4 zJB7Vu{^7el&b!-s76;#KkbK^G z`S1{WSwjdLJ9C|L?ljmU)~u69&s@t&#~t(BWJq+utaN7%R&a5OnxxJgetwOK+i;8j z?hbjnHu_c=_KBzF_LWx3m!Ne)Wiigs(Hs}E#dkSF2U1raa!|XQ;^fF=sWQxN5_dP0ELy)yKBWa+Q4JF>lQ2 zm-y;K2P$~~-|U8L5=kQ3W#qjv++iMLRV31c1B{YYZr0_cB~QJ&+OF*45~5u^3g+$A-y^>V{`Uy; z=6|l6H@h>CvkLRDo19%Y-8GizE5%9e_D1e4pW$oiyN3+MRdc1634d?*@09LeuCvQq zqvrIGPvU#vmukN8r0M1cnPHslF6`33O?&|>RJUn+AGf5mrMp93^ z$qAsap)x=W!jxPLyQ9oM?b^%rS43PauG}v@@+~CwbTSCuM=*UCRYx%qD#!y4C$4op zygzh7Lo|a5$eG ze*oSREjgVw{guKaBoEn&{F-Ub&MxF-$X2a?pg2?3n-TsO-fm>b)d!h@N&0GkkLde( zR1Kn1sd($fs>PHb+&(PtJN{X+AQ<7QZr~!|{x&m0y0$EBBWBY|9?DB8YFK*9^eHBj z_<6x`ks1XY-udmrXjHEvwXQB-D-oX*!T9Kaq}f|dRry$b1|V+8{E``hD=35EGenG1 zmH?P7THlw#`i>%Y_@7(W*Xj(^M}=G1P0p%Yd`>?GlftAUXqE29O7U+4EpHC?JJ7FZ+RP$~KIDz##P+;s|*EuYj?Gg_t1ph=}MLhBtWn zZu_u^51N!fH+lzvg$jW;J_GBmtUVH<`|><|Yo%4WM#fRt7Q@ ziS$C|T+F`4Z+ABW2!yHhZiznHZZ77)D{9w~$?V5CYq25*XGYrbQ|Bc4kf%42R^6Jz zodl=FV3N>}T-9#VE#1|m-9Vz8>*`B`fWmeI7YWZ|r_}ts{vB-7&EoT-{kjNC;wG_K zEaw}Ph_e)7AhBYDf0op~w;-^bNG3?lQ%QH5i_Xb~vN#zKDL+{FGp9U3(FDWTUb^L| 
zSDIV+-q!Q`T-*QBvHx3jY+O`DhV{#V6TyPV=^9lC`T{~~pEdnZx z7g%j?7<*yI^)$T(uc^2d%C6Ka;Yy973;Ca0u9VdosI{8F*lq#|i=Wd4vUjO_JNfCu z*^##K-q{@*u2Y6sraw4+xUQ@D`Z|d^K0W*C!?WJC7qnrKde$^Ntd~7{wt!pB37)-uCDy@tE}!-nPXbIiAXF{4N2QH)zt1cxesBv;X{=@Y8KiM znw`z0&77PLssfYzQr@Zj3aI9 z?Og7IAZq)-0l~ygMSVz7wC+*JZB8>Zr(?~@l2iy|(+uhtD+Q zsuodGtyrfauX#o@$GztfI#Z?~X}cBcUoF70fmd&}@ENarwOMseA+A&Ps{xIB*7-dW z=Hs>C-~Zw(vCwqMn7X&)dvx)LFP0EQBYYzbi0krHM*+l}Drc;u{__q>U72bnC0o~b zNToA0zHBG2HlWBt_MLSPOCziAwL&uGf~*e&PnX*nh?IIms3QlpZOz$v;Rbg0`u2k%p ztuk0J%J6;FJsY5;zCDJP2+N#-^_XL8MAC8000X)q=MR^N5Ek?e^B+JR=V4LkEs-PN zI}-G8jm>VVIMi+cxy;U4Mwwcd2vTCK=<@X(LM$s#n277?BPGIeet(tUHT*06X}xIQ z=m4e|oZM6mf2>KKZ$2BQ3jgRNV3UU2~puCsLG= z<(}|dFf$f3+i*`U(UnMzHh*-MaTpO9`SQFnX~6rUQ;uNVrW9$}*;08Ea%I9{IxW>` zRlpyRPd+2kidu4qO3~F>??AV0AC8(=`ajBLt7DC0^HWI0&O@_U#~CRMG}!2Zp071` z@-si$^xMkd|V;-;u}4+r2RJfxEu5n=cHPFeq~MnbJO=XCiXfrwFfwG^rC zmR0#aj+r&q-ipWZ{xSmep7QSZ^%;O1yy4%q`l!j4GU8%Dy%~9w2_ZKSlx=@=U7f)}%FE0cv<2(ID#yEpG~eyc zldE9=tXt9BurG}wZ$Bi{N~cp7+V6LbsF40u(^X*|P24iKb4Oi#Yu+MN?`o1bb@58~ zGn|&YyuQVYI_1&PvY7RBL$QU4*RbaHECxUj$p|>Jc)LjXety?6*S6i2bmm56E4zyg4biRxC#D)6gd%9ycuGUOUEekq0|#DtvZipw_O69* zE7%_U{TnYIvK~n%JVYgYVOBHt#ZR@e<@QJ0$3;Xb#|{((-`72Pxj(y(s(b^He3kUR zVOu>JiC*Lre|03Wu7#TaD_xB=oOi!F=wN0CMk)2D}LD}|MR09R_1;PpU*>R&dk$9|D}8`SAUIuE@CWswv`iWK}OELbvRm&S^}|J zUr*g79H$1JoOA)Jg)KNy#U}E$Pm)YD7MOB+GGJ1%dT#uB+JoR>ftcl;bXSnY8Qsf~ zTT_{RnGe}i;)jtp1dX2`XBccU(y!LhatpWL<$!md(!_OMfuA{x`3}HJkzQcz`66_n zx(-4s8Z8un47=TYoG-uyGK7Zx;?_pwO1P;uIZO=L#JiMm;5?Xka`fl1h)Z5dG99LP4PGgNQ+DudV(u>oT&~&z#Rj_I2x{-Og=um1x z^uWd=W?i@&ENKF0fECIcy|4A%j5|Um64OK`_&7mP-}QIG1%8^1u0ErkS+GltIdqUG z^vfKYSxN)yH`pf`uR6UB*cFMiTGg3KgK%*;3tbD%qdT4=n zi|nu}1IZDXYoApcp>%1V%T!ppxdn_8IrF?21a}8*_^uM#IJSZDKFnI}E2n8@h=mrB zf#tXkTAj?OGx7|X88dnQt{4H=U{3M9pBtj;-(c@%1kXIWOFiTEu5O!%`0y~UTwTCk#6W4n;=p=*|{{Ux9GsS;cIzQp|FYY?TL<wzUh ztjfjYYN(!aaeXz?QC`D&^Jxo6xY<)?uhi;PtA%fC)kGtY$5XdP1aN5Euc8(-X`_w7 zkYiF|T$vr50R=7BAstBB%QQ7fS9`faTXeJPC_Gv)24V{2Q@llg=LR=*;`pKZ0is*B zD__+B!@C 
zTIX5T=C=d3+e&s=%`FfHgX66Kv5qIB)DF#E%8hF~+i^+KJWyJ1d~tPt8jm<$ZFP;$MjBe*blL9| zr459}FHTGAr6p%;mqeR0k6BFx;V}yPI95?NI}Ma{13e|V02f(R(tTHLJ<31bFh7Yy7@veM|b8h=nTvA$P<+gN6snpg&42%1o%W7+4klJbjo&sKTw~> zdbmA(X%I&~g=^B+=|$dYM!HmgeNs)a*- zCf*oadYc?VX-MOG#6u`-5uyTI;89S-%Xjey$I+B;cf)k7&|%$;vU{}9+&@BEg(+ji z%qOO8kouZ@_WP1n(?>1+@wUN0ErW5b$)4Z7w!Dw_w$zn5!JfF3J{zmiZ%4-lkg||a za{ld{P}W3{@PeM)WzLsVtRd?=nDXk=vYqdGf%56h@&xarXrz=rm(l^!7=AzSJHH{5 zU7hecSEhZJv7X2~j&DNw4 zqDvK6SOU4srb(R=Dn@gSni0Zcn%8*FF=7HxJA`=g+hQ(nnclGlxW7vxgpWac*e^vU z2(%2Gdf)@VrtM^k@0MR>T*QX8w6+npfFObI5`L)^ zSg@w~Y?La)g2ZpV3MH~Ai{=>x7|DPzgc2hl7sWc%mLzpOKD!7`hX4tomH6 zvVOUs-B-vT-VCr*f4{rJ6=}#1eV~33jjvz_`}%ynjiXNr0WE8XS{yMQoWG-T39_VQv%j5{(==s$K2xVlj=}OD91d{n9m86e5puIxGym zE?CiimeS?5qJxyh?&DqqjKX}4TXlm;79&|RUW&AAb9(XdGWjnoD67?LA`~;{VkQP0 zmpJm3`!j{8A5MdiQl{v{+)?>fkJPpu4J1GUq1NrP;<30WPW?7^q^7Y3)2OKAJjlk~ zwd`UkmFggXThl=+&|5?+db}O&-oNqR@TYQN)PPx|K~uJShDvXoaod&+!pLbYWsjD7 z@HvfFGYH;DOWJcWQQwSSUuzpjFJOJ~ObD8tCJX7mRfXGf)l4)ZRh0-An0{LJtmZgD-WQr!DP?4KkHBJAX zEZ+XL(SM$NM33oJtc@Z@Xr4nSNKHWVxI1UHUL^ zj%PLQnLQrR$q9;0*76gW?QIO{3t#VgEdFh@hS&DNJ&HwQJJMu3{-Rt@Sy~N!Y|Su^ zW|Sua&TW`bF-E(rZ+?7Q6{?v#wrM?C?bV|+KT zG(G(j38QH&JIf~oqep|ls1S1%Ii93)=8T4BzrB>0K9cWvOeMy7^2DCryDR+ICvTGml?L;E;Xb+^7X?SJ1Rd8v(o@7& zkZjW?;tQX%e9{%7lK}@2vxM)H&jgQl5&@3A$#d>LiNfpTaObR-z}A(R{_y-7>FgA3 zG!;DGvBic1dg|pE(c$9~j9Q@MF{Q&rP!Wm2xA)JXDtLBT8AR6?-B2@iaYZVR^DepU zT2)sPjYCDQWShz6Qvjtk9mL61&lNSNRjrs5SVnNfxedi4eoKiC8A;!Q^U-Tgp-tEUNpyv?*xjPY1=i zhYaE=s|h^YLcqLc=fqSK5OgH8<}tpu@9C%V0uhSNEbKwc=5O52ADmWkiwQsjJ3M>!QTAjD*G zPyvg|G|r2&F#SWtp0$1mLU(lpx4n{ZfOcJ)krkiEgavsLyXJh{?x3Av47!+*#CFq7 zuO&-JBVmc36zL*7k25ez#a4xa>(+vf$ZZiZ=FCiq{n5LtXuLbP`nrwXqKpM2pVek# z=Y*j%R|MWx)>SXF?G|<<&2S|0^L_WlPAKeb0%8Kbm$z{934VL}JIBi>XF%1|1XbGi zbLq*&Z%>tDYzk|9BhQKawG7oaAGWP}yxShkb5zWZ4&%mnnF|2PQIH%6A=@B|t-A@N zegf7?utMOxT9XPD)l>sqQ1;T{omO*N%dyd^oQTk;Nw+mMXSFmDnuj_PstUmkZ8T6| zKKP1WOn0T>oO)WlWE|pYk9RSYN_9poE4vxp2D*ThlWkTNA2kRNcgG}f$O9ev7kJc* 
z7s>X;xB~S2I>Uwmseutf|A5s>llQuuP}u@L<2rD~%LiF{hZ?#MX*1|r6^)4CeTgF+ z?Np`IYVsmmn%3kvX=p3+dZWhcY<4i|WZ~u%&}vp#&BJud@>Gc*F)#cIg@CW$o;DJ% zf#JagG(EI6=+aeP$i5ucss1ijDBj4W?cKl+Vs@hnMB80+{Xn9Fq9U{Q7d}mUr1=Cw#n@;yZ0$e$ zes(=~jRYQy|I`(rsxH=O((bWF8`L$Vo~&eBYU-K+<+qrlwNzz1PKd3}61VEJ$}eyo1N+HT5Ndd?VOTw&+L2YI zpGrf-7XgPZ%Sbge%GV@XwgW%Pr_95wma7sFHgROguXlAO8NvegMA z$v#7L@)s6VNSekhQ!~kr-C-kWG7=S0Yt*EW0q3kIhpGuNaY)+34d=pTDMahHE)3*H z5~AkF3Q)nhJ4YH!Anl}}7~9RbwdHAfpdf&Lo(H!hy#~(^t;PmFP2Mv1__JqUg0*l3 zf}poRGZ%qBkUSEvWD6M3?4}INiV4MqVTTwsFe%%aRB1wqsp`OpP zK*F2KN~8Ran7WuklZ(!vW>8ONReo+LeV2OvVBL%coakChbx(aeN3!Ysd;$RDO4QTR z-_5ALf`0=meM8SUGMUJDyDTfD<|UVo+8YMTSgbrN-wsTtL&tV=7&e1?o`V*DG%EO5 zX=|x%X^+hDM@_b;LNn=KnDp)!3OXpFVR>SJ>gZgz(zaotJZA6mVCcf?9OeD=SBG)= zE^i+N?8v`H{ zbeVs8Q%4MSx*m~Ir^z#l*VAR&X$w6f`n1M5(>mSsP=QJAXwE<+uhi7LQ>r4U@%Z{u zSQo!C^XDY**#l~HltE(I`o1L&_M5Z>@9#SQm%x|`TzNATOe1Fc}Pm}6+0K!w!)IB&rI-n-r<9N5e7}oNu?STd@r1*B8+9k1og+Io7=00wQld{ zipaYRG!c>>M1`lAmf(4N5-9FjI2jTp01`eHCY;3lerBGToIi=AG^)f0% zyCaoTzAc1ztfv}`&O_Jg-_S1OF5!|Ffi!Tw2d)aRTDw%5gS->0oh~h0Fd2Hqn+0hOf*_P~J z>Z#)dM&XgeF!daD&`LcM-|;=kEwu^Sm>Zpq3b-wCSK;QL;JWJ3gzw>p*ei`KIm+%O zc8$9|N5xjw5Ib>ib4GRE8{>Mte4%+(y@rmM6MY4Hf%4h&>6}A;3z`v)$e#5zQV4U$ zR5r*Ck}A#ePaji&Y#Iv#9tjndmeU*sk9QoCyO$GvXLFI|oagomckh>~xzF$vsjHQpv;kMp`jG@Ic>LL2*=$5t>^uxOY;s43Nb& zEk?__ThmwMDZIc7VJYO)Xrpc<+=Q=leb{e6_G>?5(Q(t(q#Ilv#{ z$e7@lJDNzY3)p_5AczIBEq64cT8Ja>qZ-$mQRFXVx9yHu`hjEpWXh0aj(obWZ8MRc zj>l7R|NZnlP+YHB3YZD@W>DY_kE+yk?j#bbMI9Q>xU?2Fb>4xvszl9|QYJN<2cFsC zAl{W0x;IF_u*dIQyF^C+&Y_p7unx%m%t@wRrvLP z5~mN6&o|Ts_Hd$hV9UIJN)7eA^|rIvjn03li^}u5aLortt(9|-dQ6YvF;)&MVyYZa zL@X(AGea>Y)L~g5f1d7r)EoLjB2-nbr%43A$hUeN)SnHps!Q1}VA*!q*q4L`6*?LG zU@APl4i0v5btRMG?ow=!rsEK0UOczaz2leWwA;-NcmrtgVr;96knaVENtDfP4=smO z{%gV8)c~2dPwJP}*`N>)`;)WPx5R2{Q0LdUNf?tuyFI$^HDnV39mb@QE^p#7^4$;u zlejTNS^PP#6)JoM&CN-nD_z7;doQzu0*x0*t!NbrvMQ8&TSC~vk$l;# zp=l1aH(v5kl!8V!y>qY>lKjho^A2Q#u{OWHJ}-Hg9m+`&CsgCa;fEQ#_MTCOt(K2(A$dKz;$E0 zxLuNk&^;!Um2&qs`{m5fKyaegFC83-o)9oZ0cs}FlFdgsUqWE%0v+&)T@T~$`x^OW 
z_=T-*Hki13CDRA`Ieh05v1$}Lp@k%4&*%vL6(KKnEy5~}*pO^JmTX=K;Z2la7p1gP zRa1toCh(9~Z8aR)dz)T2@owmLH^zY}YPeu0oKyk#IL3s$7N!JznDYf}FCA?!)g4QR z1sRsZhmk@L9Fh-OaOfRLo=$xaf%r0X8T>yA0Hr+weU!92)!nT+swre!u9kom}@WWvdv*`F-{} zU)c*!|M{B2pV6(V`iZ}BdF1?@X;PTsSd~zwt9}vWs2&v*#XiKs2ZBl739JrGc)C&*jmYln zE6IHFb)*HjG~P%WmPtF?etmSve++cp<}=b;3GNydvDE;1*`@KBIcpQwe?enu@8^vV zo_lfSFm!`=njQBGW?qw64#Lafjmt!?Az)C1Vk*CT_2ES7=bIfkj!=S0+VDg^ox6UV z+b1_cF^J!lOP4d-)5arFEn#`|U*fskX~BTmqL%SItdeH`nOyhW9U<(?J7*`b_QcgbO2q7~ zHkukX8}O!6sL;FrjPaf11^)k9%>!g_hM&>isJKMgn$kN3xKBQ%YlqHv-VFA`1KwPd*STPYr1=bqpHfd)aZWq2ia$@xmF!~$W&PK2BXgny zxRZ`hK;@FgqdWr43(F}$Tp7Cxj3u2)2Dy3hPiZN`%cY1zilzDxYw7kLoU+krXci{AXV-EQnf6(8pu7k0aBR$<;=dAcPn{R>;@Ew}X zW&och3}rUHK?8XKRLO^5MFI^M&FZOHFS3t?#&qZ9LE6MK7r5XkY>p_y_(1q!uCde# zDA7zBV?G@xRJ}-p#~Ly(AhKa7T&qFDCqRd3($ZywR^nKw8mhIDRm8hNFE428SHmS^ zFJvwu%?x)vHSf#xbO*yK`df-PNfXO$;rFM@uH;-Eks4aM=-5I&ZjmqU$YbonNsS>< zqlf14i@ljLRP?4HX{5bD<0tE{G5B*Ifd6}=y=t0ZI^VP?{Y{JT|8}y!Xwksd*77em zYl`2J8W2DT(j`3yPGwp8Rdf<1N*jts-IXNEWFCAepSi`-EPq8ph=CB!-nE{^JaEo# zYC5OJRk)1z%eE>~TI9r=6<#CAsk)XP(aq)qheOa<>WUfFeCeBOh^M zXx37AkE0fkDQ3BL6^c7>_~U4Ufg^ta1@%>lsJ#OS(Tt_^2F9I;2(fjZZ6^8JDk{Yy zBkm^^Vgg?s@NMcxTnp`Ch>UiLTUxg?nB*YMelTeKown$TF4F;GYio>!Exw|AZqohr zce>Kq^9?p0Q4XwvJADpMcUP}_QDs700Uj7u_ba5=zfLH@E^u012zBqjJ zAwaN)HJhV#(-Dc*6lO8gN6(Ko4l~e7)DOMu8SZsV_%8aZ2fzQpcO6!z=k4Dn!1^`? z*1t{hZ`l2BgZvAELkXO40SpMDHNU(7f=MM2zc<&eheE3{&=}PHPNT4UL!jvW5zZ1i z{%ZL0p&D60?h=p9s<36|Fx-tzfyUa<4XmJJNI&)yE99kExj2PKT**J#otiqZ_s&M| z5hhN=vp7K(>x;0w-pax2`<3-UFMsc~N^ucZTu_3f65$BYunjgcO~}=>(O#h_jf}=K z&@>tpP2R3o-YgOnJPJ`ZSK*Y&l*-5NUXSdZ{pIdKXEXY-hckd>RSCZT3%=raDNW*U z@a=$nd)oIMYYN-iI2qeG=_<$rig+C;G`CtTVqLc>u2z>tv-ThQWBWfDnW?DmA2!&G?UcT7D4+ZV)7bF zP9&}C&3C-Doa;M!bkiNO2u?abc_5=7TDS>3cY_ zr>*Jz?a+WgD8PS5I$|1qFu%S>v+nyq_&)yg@%tWW001LfLj?z0J4bqbJG;LI_@B~7 zL=X5^-@l{&W+zfVKZy+R)a)_`iv#X=Q%DS_c5gB>%Tb|D(YVaQgf5-$9p? znX$F;zt4>SO#y`#Bf{eMwU?m&9jE<|0)Kdj{~ERZS1nEaBt{?>x| zP3Qk5_G9{Qefek1__vmOBEbKqb1~#exg6#hTpdqvl literal 0 HcmV?d00001 
diff --git a/tools/ccf/convert_ccf.py b/tools/ccf/convert_ccf.py
new file mode 100644
index 000000000..c505a1ddd
--- /dev/null
+++ b/tools/ccf/convert_ccf.py
@@ -0,0 +1,143 @@
+"""
+Simple script to convert Adobe CCF Security Controls v5 Excel in a CISO Assistant Excel file
+Source: https://www.adobe.com/content/dam/cc/en/trust/pdfs/Open_Source_CCF.xls
+"""
+
+import openpyxl
+import sys
+import re
+import argparse
+from openpyxl.styles import numbers
+
+parser = argparse.ArgumentParser(
+ prog="convert_ccf",
+ description="convert Adobe CCF Security Controls v5 Excel file to CISO Assistant Excel file",
+)
+
+parser.add_argument("filename", help="name of Adobe CCF Excel file")
+args = parser.parse_args()
+input_file_name = args.filename
+output_file_name = "ccf-v5.xlsx"
+
+library_copyright = """Creative Commons"""
+packager = "intuitem"
+
+library_description = """Adobe Common Controls Framework (CCF) version 5
+https://www.adobe.com/trust/compliance/adobe-ccf.html
+"""
+
+print("parsing", input_file_name)
+
+# Define variable to load the dataframe
+dataframe = openpyxl.load_workbook(input_file_name)
+controls = {}
+evidences = {}
+output_table = []
+current_domain = ""
+
+for tab in dataframe:
+ print("parsing tab", tab.title)
+ title = tab.title
+ if title in ("CCF Control Guidance"):
+ first = True
+ for row in tab:
+ if not first:
+ (
+ id,
+ domain,
+ name,
+ description,
+ control_theme,
+ control_type,
+ policy,
+ implementation,
+ testing,
+ artifacts,
+ ) = (r.value for r in row[0:10])
+ artifacts = [v for v in artifacts.splitlines() if v != ""]
+ implementation = [v for v in implementation.splitlines() if v != ""]
+ testing = [v for v in testing.splitlines() if v != ""]
+ controls[id] = (
+ id,
+ domain,
+ name,
+ description,
+ control_theme,
+ control_type,
+ policy,
+ implementation,
+ testing,
+ artifacts,
+ )
+ first = False
+ if title in ("Evidence Request List (ERL)"):
+ for row in tab:
+ (evidence_id, domain, title) = (r.value for r in row[0:3])
+ evidences[evidence_id] = title
+
+print("generating", output_file_name)
+wb_output = openpyxl.Workbook()
+ws = wb_output.active
+ws.title = "library_content"
+ws.append(["library_urn", f"urn:{packager.lower()}:risk:library:adobe-ccf-v5"])
+ws.append(["library_version", 1])
+ws.append(["library_locale", "en"])
+ws.append(["library_ref_id", "adobe-ccf-v5"])
+ws.append(["library_name", "Adobe CCF v5"])
+ws.append(["library_description", library_description])
+ws.append(["library_copyright", library_copyright])
+ws.append(["library_provider", "Adobe"])
+ws.append(["library_packager", packager])
+ws.append(["framework_urn", f"urn:{packager.lower()}:risk:framework:adobe-ccf-v5"])
+ws.append(["framework_ref_id", "adobe-ccf-v5"])
+ws.append(["framework_name", "Adobe CCF v5"])
+ws.append(["framework_description", library_description])
+ws.append(["tab", "requirements", "requirements"])
+ws.append(["tab", "answers", "answers"])
+
+ws1 = wb_output.create_sheet("requirements")
+ws1.append(
+ [
+ "assessable",
+ "depth",
+ "ref_id",
+ "name",
+ "description",
+ "questions",
+ "answer",
+ "typical_evidence",
+ "annotation",
+ ]
+)
+for id in controls:
+ (
+ id,
+ domain,
+ name,
+ description,
+ control_theme,
+ control_type,
+ policy,
+ implementation,
+ testing,
+ artifacts,
+ ) = controls[id]
+ if domain != current_domain:
+ output_table.append(("", 1, "", domain, "", ""))
+ current_domain = domain
+ annotation = "\n".join(implementation)
+ typical_evidence = "\n".join([v + " - " + evidences.get(v, "") for v in artifacts])
+ questions = "\n".join(testing)
+ answer = "YNNA"
+ output_table.append(
+ ("x", 2, id, name, description, questions, answer, typical_evidence, annotation)
+ )
+for row in output_table:
+ ws1.append(row)
+
+ws2 = wb_output.create_sheet("answers")
+ws2.append(["id", "question_type", "question_choices"])
+ws2.append(["YNNA", "unique_choice", "Yes\nNo\nN/A"])
+
+print("generate ", output_file_name)
+wb_output.save(output_file_name)
From 40ca1976ffbc05701f40dc760317487fce245c3e Mon Sep 17 00:00:00 2001
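Review bot: The sheet-selection tests `if title in ("CCF Control Guidance"):` and `if title in ("Evidence Request List (ERL)"):` are substring checks rather than tuple membership, because parentheses without a trailing comma leave a plain string; a tab whose title is any fragment of those names would be parsed as that sheet. The input is a workbook fetched from an external URL and the result is meant to become a CISO Assistant library, so an exact comparison is safer: `if title == "CCF Control Guidance":` and `if title == "Evidence Request List (ERL)":`. In the same loop `.splitlines()` is called on `artifacts`, `implementation` and `testing` with no None guard, so a single empty cell aborts the conversion with an AttributeError; `(artifacts or "").splitlines()`, and likewise for the other two, would tolerate it. The ERL loop also rebinds `title` to the evidence title, which shadows the tab title it was just tested against; a separate name such as `evidence_title` would keep the two apart.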
From: Abderrahmane Smimite Date: Sat, 28 Sep 2024 12:57:18 +0200 Subject: [PATCH 6/7] update filename for consistency --- backend/library/libraries/{ccf-v5.yaml => adobe-ccf-v5.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename backend/library/libraries/{ccf-v5.yaml => adobe-ccf-v5.yaml} (100%)
diff --git a/backend/library/libraries/ccf-v5.yaml b/backend/library/libraries/adobe-ccf-v5.yaml
similarity index 100%
rename from backend/library/libraries/ccf-v5.yaml
rename to backend/library/libraries/adobe-ccf-v5.yaml
From f66089907099282dbcc605674ca0969d1bba2142 Mon Sep 17 00:00:00 2001 From: eric-intuitem <71850047+eric-intuitem@users.noreply.github.com> Date: Sat, 28 Sep 2024 13:31:40 +0200 Subject: [PATCH 7/7] rename source --- tools/ccf/{ccf-v5.xlsx => adobe-ccf-v5.xlsx} | Bin tools/ccf/convert_ccf.py | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename tools/ccf/{ccf-v5.xlsx => adobe-ccf-v5.xlsx} (100%)
diff --git a/tools/ccf/ccf-v5.xlsx b/tools/ccf/adobe-ccf-v5.xlsx
similarity index 100%
rename from tools/ccf/ccf-v5.xlsx
rename to tools/ccf/adobe-ccf-v5.xlsx
diff --git a/tools/ccf/convert_ccf.py b/tools/ccf/convert_ccf.py
index c505a1ddd..a4c08c1a7 100644
--- a/tools/ccf/convert_ccf.py
+++ b/tools/ccf/convert_ccf.py
@@ -17,7 +17,7 @@
 parser.add_argument("filename", help="name of Adobe CCF Excel file")
 args = parser.parse_args()
 input_file_name = args.filename
-output_file_name = "ccf-v5.xlsx"
+output_file_name = "adobe-ccf-v5.xlsx"

 library_copyright = """Creative Commons"""
 packager = "intuitem"