From a7fe1e7e8cb6958c528b4c46bf80af74803d3a98 Mon Sep 17 00:00:00 2001 From: Abderrahmane Smimite Date: Sun, 30 Jun 2024 20:28:24 +0200 Subject: [PATCH 1/2] Add NCSC CAF --- backend/library/libraries/ncsc-caf-3.2.yaml | 1083 +++++++++++++++++++ tools/ncsc/ncsc-caf-3.2.xlsx | Bin 0 -> 28898 bytes 2 files changed, 1083 insertions(+) create mode 100644 backend/library/libraries/ncsc-caf-3.2.yaml create mode 100644 tools/ncsc/ncsc-caf-3.2.xlsx diff --git a/backend/library/libraries/ncsc-caf-3.2.yaml b/backend/library/libraries/ncsc-caf-3.2.yaml new file mode 100644 index 000000000..1355a89fa --- /dev/null +++ b/backend/library/libraries/ncsc-caf-3.2.yaml 
@@ -0,0 +1,1083 @@ +urn: urn:intuitem:risk:library:ncsc-caf-3.2 +locale: en +ref_id: ncsc-caf-3.2 +name: Cyber Assessment Framework +description: 'National Cyber Security Centre - Cyber Assessment Framework + + https://www.ncsc.gov.uk/collection/cyber-assessment-framework' +copyright: NCSC https://www.ncsc.gov.uk/collection/cyber-assessment-framework +version: 1 +provider: NCSC +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:ncsc-caf-3.2 + ref_id: ncsc-caf-3.2 + name: Cyber Assessment Framework + description: 'National Cyber Security Centre - Cyber Assessment Framework + + https://www.ncsc.gov.uk/collection/cyber-assessment-framework' + requirement_nodes: + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a + assessable: false + depth: 1 + ref_id: A + name: Managing security risk + description: Appropriate organisational structures, policies, processes and + procedures in place to understand, assess and systematically manage security + risks to the network and information systems supporting essential functions. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a + ref_id: A1 + name: Governance + description: The organisation has appropriate management policies, processes + and procedures in place to govern its approach to the security of network + and information systems. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1 + ref_id: A1.a + name: Board Direction + description: You have effective organisational security management led at board + level and articulated clearly in corresponding policies. + annotation: 'Your organisation''s approach and policy relating to the security + of network and information systems supporting the operation of your essential + function(s) are owned and managed at board-level. 
These are communicated, + in a meaningful way, to risk management decision-makers across the organisation. + + Regular board-level discussions on the security of network and information + systems supporting the operation of your essential function(s) take place, + based on timely and accurate information and informed by expert guidance. + + There is a board-level individual who has overall accountability for the security + of network and information systems and drives regular discussion at board-level. + + Direction set at board-level is translated into effective organisational practices + that direct and control the security of the network and information systems + supporting your essential function(s).' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1 + ref_id: A1.b + name: Roles and Responsibilities + description: Your organisation has established roles and responsibilities for + the security of network and information systems at all levels, with clear + and well-understood channels for communicating and escalating risks. + annotation: 'Key roles and responsibilities for the security of network and + information systems supporting your essential function(s) have been identified. + These are reviewed regularly to ensure they remain fit for purpose. + + Appropriately capable and knowledgeable staff fill those roles and are given + the time, authority, and resources to carry out their duties. + + There is clarity on who in your organisation has overall accountability for + the security of the network and information systems supporting your essential + function(s).' 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1 + ref_id: A1.c + name: Decision-making + description: You have senior-level accountability for the security of network + and information systems, and delegate decision-making authority appropriately + and effectively. Risks to network and information systems related to the operation + of your essential function(s) are considered in the context of other organisational + risks. + annotation: 'Senior management have visibility of key risk decisions made throughout + the organisation. + + Risk management decision-makers understand their responsibilities for making + effective and timely decisions in the context of the risk appetite regarding + the essential function(s), as set by senior management. + + Risk management decision-making is delegated and escalated where necessary, + across the organisation, to people who have the skills, knowledge, tools and + authority they need. + + Risk management decisions are regularly reviewed to ensure their continued + relevance and validity.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a + ref_id: A2 + name: Risk Management + description: The organisation takes appropriate steps to identify, assess and + understand security risks to the network and information systems supporting + the operation of essential functions. This includes an overall organisational + approach to risk management. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2 + ref_id: A2.a + name: Risk Management Process + description: Your organisation has effective internal processes for managing + risks to the security of network and information systems related to the operation + of your essential function(s) and communicating associated activities. + annotation: 'Your organisational process ensures that security risks to network + and information systems relevant to essential function(s) are identified, + analysed, prioritised, and managed. + + Your approach to risk is focused on the possibility of adverse impact to your + essential function(s), leading to a detailed understanding of how such impact + might arise as a consequence of possible attacker actions and the security + properties of your network and information systems. + + Your risk assessments are based on a clearly understood set of threat assumptions, + informed by an up-to-date understanding of security threats to your essential + function(s) and your sector. + + Your risk assessments are informed by an understanding of the vulnerabilities + in the network and information systems supporting your essential function(s). + + The output from your risk management process is a clear set of security requirements + that will address the risks in line with your organisational approach to security. + + Significant conclusions reached in the course of your risk management process + are communicated to key security decision-makers and accountable individuals. + + Your risk assessments are dynamic and updated in the light of relevant changes + which may include technical changes to network and information systems, change + of use and new threat information. + + The effectiveness of your risk management process is reviewed regularly, and + improvements made as required. 
+ + You perform detailed threat analysis and understand how this applies to your + organisation in the context of the threat to your sector and the wider CNI.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2 + ref_id: A2.b + name: Assurance + description: You have gained confidence in the effectiveness of the security + of your technology, people, and processes relevant to your essential function(s). + annotation: "You validate that the security measures in place to protect the\ + \ network and information systems\Lare effective and remain effective for\ + \ the lifetime over which they are needed.\nYou understand the assurance methods\ + \ available to you and choose appropriate methods to gain confidence in the\ + \ security of essential function(s).\nYour confidence in the security as it\ + \ relates to your technology, people, and processes can be\Ljustified to,\ + \ and verified by, a third party.\nSecurity deficiencies uncovered by assurance\ + \ activities are assessed, prioritised and remedied when necessary in a timely\ + \ and effective way.\nThe methods used for assurance are reviewed to ensure\ + \ they are working as intended and remain the most appropriate method to use." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a + ref_id: A3 + name: Asset Management + description: Everything required to deliver, maintain or support network and + information systems necessary for the operation of essential functions is + determined and understood. This includes data, people and systems, as well + as any supporting infrastructure (such as power or cooling). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3 + ref_id: A3.a + name: Asset Management + annotation: 'All assets relevant to the secure operation of essential function(s) + are identified and inventoried (at a suitable level of detail). The inventory + is kept up-to-date. + + Dependencies on supporting infrastructure (e.g. power, cooling etc) are recognised + and recorded. + + You have prioritised your assets according to their importance to the operation + of the essential function(s). + + You have assigned responsibility for managing all assets, including physical + assets, relevant to the operation of the essential function(s). + + Assets relevant to the essential function(s) are managed with cyber security + in mind throughout their lifecycle, from creation through to eventual decommissioning + or disposal.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a + ref_id: A4 + name: Supply Chain + description: The organisation understands and manages security risks to network + and information systems supporting the operation of essential functions that + arise as a result of dependencies on external suppliers. This includes ensuring + that appropriate measures are employed where third party services are used. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4 + ref_id: A4.a + name: Supply Chain + annotation: "You have a deep understanding of your supply chain, including sub-\ + \ contractors and the wider risks it faces. You consider factors such as supplier\u2019\ + s partnerships, competitors, nationality and other organisations with which\ + \ they sub- contract. 
This informs your risk assessment and procurement processes.\n\ + Your approach to supply chain risk management considers the risks to your\ + \ essential function(s) arising from supply chain subversion by capable and\ + \ well-resourced attackers.\nYou have confidence that information shared with\ + \ suppliers that is essential to the operation of your function(s) is appropriately\ + \ protected from sophisticated attacks.\nYou understand which contracts are\ + \ relevant and you include appropriate security obligations in relevant contracts.\ + \ You have a proactive approach to contract management which may include a\ + \ contract management plan for relevant contracts.\nCustomer / supplier ownership\ + \ of responsibilities is laid out in contracts.\nAll network connections and\ + \ data sharing with third parties are managed effectively and proportionately.\n\ + When appropriate, your incident management process and that of your suppliers\ + \ provide mutual support in the resolution of incidents." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b + assessable: false + depth: 1 + ref_id: B + name: Protecting against cyber attack + description: Proportionate security measures are in place to protect the network + and information systems supporting essential functions from cyber attack. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b + ref_id: B1 + name: Service Protection Policies, Processes and Procedures + description: The organisation defines, implements, communicates and enforces + appropriate policies, processes and procedures that direct its overall approach + to securing systems and data that support operation of essential functions. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1 + ref_id: B1.a + name: Policy, Process and Procedure Development + description: You have developed and continue to improve a set of cyber security + and resilience policies, processes and procedures that manage and mitigate + the risk of adverse impact on your essential function(s). + annotation: "You fully document your overarching security governance and risk\ + \ management approach, technical security practice and specific regulatory\ + \ compliance. Cyber security is integrated and embedded throughout policies,\ + \ processes and procedures and key performance indicators are reported to\ + \ your executive management.\nYour organisation\u2019s policies, processes\ + \ and procedures are developed to be practical, usable and appropriate for\ + \ your essential function(s) and your technologies.\nPolicies, processes and\ + \ procedures that rely on user behaviour are practical, appropriate and achievable.\n\ + You review and update policies, processes and procedures at suitably regular\ + \ intervals to ensure they remain relevant. This is in addition to reviews\ + \ following a major cyber security incident.\nAny changes to the essential\ + \ function(s) or the threat it faces triggers a review of policies, processes\ + \ and procedures.\nYour systems are designed so that they remain secure even\ + \ when user security policies, processes and procedures are not always followed." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1 + ref_id: B1.b + name: Policy, Process and Procedure Implementation + description: You have successfully implemented your security policies, processes + and procedures and can demonstrate the security benefits achieved. 
+ annotation: 'All your policies, processes and procedures are followed, their + correct application and security effectiveness is evaluated. + + Your policies, processes and procedures are integrated with other organisational + policies, processes and procedures, including HR assessments of individuals'' + trustworthiness. + + Your policies, processes and procedures are effectively and appropriately + communicated across all levels of the organisation resulting in good staff + awareness of their responsibilities. + + Appropriate action is taken to address all breaches of policies, processes + and procedures with potential to adversely impact the essential function(s) + including aggregated breaches.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b + ref_id: B2 + name: Identity and Access Control + description: The organisation understands, documents and manages access to network + and information systems supporting the operation of essential functions. Users + (or automated functions) that can access data or systems are appropriately + verified, authenticated and authorised. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2 + ref_id: B2.a + name: Identity Verification, Authentication and Authorisation + description: You robustly verify, authenticate and authorise access to the network + and information systems supporting your essential function(s). 
+ annotation: "Your process of initial identity verification is robust enough\ + \ to provide a high level of confidence of a user\u2019s identity profile\ + \ before allowing an authorised user access to network and information systems\ + \ that support your essential function(s).\nOnly authorised and individually\ + \ authenticated users can physically access and logically connect to your\ + \ network or information systems on which your essential function(s) depends.\n\ + The number of authorised users and systems that have access to all your network\ + \ and information systems supporting the essential function(s) is limited\ + \ to the minimum necessary.\nYou use additional authentication mechanisms,\ + \ such as multi-factor\L(MFA), for all user access, including remote access,\ + \ to all network and information systems that operate or support your essential\ + \ function(s).\nThe list of users and systems with access to network and information\ + \ systems supporting and delivering the essential function(s) is reviewed\ + \ on a regular basis, at least every six months.\nYour approach to authenticating\ + \ users, devices and systems follows up to date best practice." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2 + ref_id: B2.b + name: Device Management + description: You fully know and have trust in the devices that are used to access + your networks, information systems and data that support your essential function(s). + annotation: 'All privileged operations performed on your network and information + systems supporting your essential function(s) are conducted from highly trusted + devices, such as Privileged Access Workstations, dedicated solely to those + operations. 
+ + You either obtain independent and professional assurance of the security of + third-party devices or networks before they connect to your network and information + systems, or you only allow third-party devices or networks that are dedicated + to supporting your network and information systems to connect. + + You perform certificate-based device identity management and only allow known + devices to access systems necessary for the operation of your essential function(s). + + You perform regular scans to detect unknown devices and investigate any findings.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2 + ref_id: B2.c + name: Privileged User Management + description: You closely manage privileged user access to network and information + systems supporting your essential function(s). + annotation: 'Privileged user access to network and information systems supporting + your essential function(s) is carried out from dedicated separate accounts + that are closely monitored and managed. + + The issuing of temporary, time- bound rights for privileged user access and + / or external third- party support access is in place. + + Privileged user access rights are regularly reviewed and always updated as + part of your joiners, movers and leavers process. + + All privileged user activity is routinely reviewed, validated and recorded + for offline analysis and investigation.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2 + ref_id: B2.d + name: Identity and Access Management (IdAM) + description: You closely manage and maintain identity and access control for + users, devices and systems accessing the network and information systems supporting + your essential function(s). 
+ annotation: 'You follow a robust procedure to verify each user and issue the + minimum required access rights, and the application of the procedure is regularly + audited. + + User access rights are reviewed both when people change roles via your joiners, + leavers and movers process and at regular intervals - at least annually. + + All user, device and systems access to the systems supporting the essential + function(s) is logged and monitored. + + You regularly review access logs and correlate this data with other access + records and expected activity. + + Attempts by unauthorised users, devices or systems to connect to the systems + supporting the essential function(s) are alerted, promptly assessed and investigated.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b + ref_id: B3 + name: Data Security + description: Data stored or transmitted electronically is protected from actions + such as unauthorised access, modification, or deletion that may cause an adverse + impact on essential functions. Such protection extends to the means by which + authorised users, devices and systems access critical data necessary for the + operation of essential functions. It also covers information that would assist + an attacker, such as design details of network and information systems. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 + ref_id: B3.a + name: Understanding Data + description: You have a good understanding of data important to the operation + of your essential function(s), where it is stored, where it travels and how + unavailability or unauthorised access, modification or deletion would adversely + impact the essential function(s). This also applies to third parties storing + or accessing data important to the operation of your essential function(s). 
+ annotation: 'You have identified and catalogued all the data important to the + operation of the essential function(s), or that would assist an attacker. + + You have identified and catalogued who has access to the data important to + the operation of the essential function(s). + + You maintain a current understanding of the location, quantity and quality + of data important to the operation of the essential function(s). + + You take steps to remove or minimise unnecessary copies or unneeded historic + data. + + You have identified all mobile devices and media that may hold data important + to the operation of the essential function(s). + + You maintain a current understanding of the data links used to transmit data + that is important to your essential function(s). + + You understand the context, limitations and dependencies of your important + data. + + You understand and document the impact on your essential function(s) of all + relevant scenarios, including unauthorised data access, modification or deletion, + or when authorised users are unable to appropriately access this data. + + You validate these documented impact statements regularly, at least annually.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 + ref_id: B3.b + name: Data in Transit + description: You have protected the transit of data important to the operation + of your essential function(s). This includes the transfer of data to third + parties. + annotation: 'You have identified and protected (effectively and proportionately) + all the data links that carry data important to the operation of your essential + function(s). + + You apply appropriate physical and / or technical means to protect data that + travels over non-trusted or openly accessible carriers, with justified confidence + in the robustness of the protection applied. 
+ + Suitable alternative transmission paths are available where there is a significant + risk of impact on the operation of the essential function(s) due to resource + limitation (e.g. transmission equipment or function failure, or important + data being blocked or jammed).' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 + ref_id: B3.c + name: Stored Data + description: You have protected stored soft and hard copy data important to + the operation of your essential function(s). + annotation: 'All copies of data important to the operation of your essential + function(s) are necessary. Where this important data is transferred to less + secure systems, the data is provided with limited detail and / or as a read-only + copy. + + You have applied suitable physical and / or technical means to protect this + important stored data from unauthorised access, modification or deletion. + + If cryptographic protections are used you apply suitable technical and procedural + means, and you have justified confidence in the robustness of the protection + applied. + + You have suitable, secured backups of data to allow the operation of the essential + function(s) to continue should the original data not be available. This may + include off- line or segregated backups, or appropriate alternative forms + such as paper copies. + + Necessary historic or archive data is suitably secured in storage.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 + ref_id: B3.d + name: Mobile Data + description: You have protected data important to the operation of your essential + function(s) on mobile devices. 
+ annotation: 'Mobile devices that hold data that is important to the operation + of the essential function(s) are catalogued, are under your organisation''s + control and configured according to best practice for the platform, with appropriate + technical and procedural policies in place. + + Your organisation can remotely wipe all mobile devices holding data important + to the operation of the essential function(s). + + You have minimised this data on these mobile devices. Some data may be automatically + deleted off mobile devices after a certain period.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 + ref_id: B3.e + name: Media / Equipment Sanitisation + description: Before reuse and / or disposal you appropriately sanitise devices, + equipment and removable media holding data important to the operation of your + essential function(s). + annotation: 'You catalogue and track all devices that contain data important + to the operation of the essential function(s) (whether a specific storage + device or one with integral storage). + + Data important to the operation of the essential function(s) is removed from + all devices, equipment and removable media before reuse and / or disposal + using an assured product or service.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b + ref_id: B4 + name: System Security + description: Network and information systems and technology critical for the + operation of essential functions are protected from cyber attack. An organisational + understanding of risk to essential functions informs the use of robust and + reliable protective security measures to effectively limit opportunities for + attackers to compromise networks and systems. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4 + ref_id: B4.a + name: Secure by Design + description: You design security into the network and information systems that + support the operation of your essential function(s). You minimise their attack + surface and ensure that the operation of your essential function(s) should + not be impacted by the exploitation of any single vulnerability. + annotation: 'You employ appropriate expertise to design network and information + systems. + + Your network and information systems are segregated into appropriate security + zones (e.g. systems supporting the essential function(s) are segregated in + a highly trusted, more secure zone). + + The network and information systems supporting your essential function(s) + are designed to have simple data flows between components to support effective + security monitoring. + + The network and information systems supporting your essential function(s) + are designed to be easy to recover. + + Content-based attacks are mitigated for all inputs to network and information + systems that affect the essential function(s) (e.g. via transformation and + inspection).' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4 + ref_id: B4.b + name: Secure Configuration + description: You securely configure the network and information systems that + support the operation of your essential function(s). + annotation: 'You have identified, documented and actively manage (e.g. maintain + security configurations, patching, updating according to good practice) the + assets that need to be carefully configured to maintain the security of the + essential function(s). + + All platforms conform to your secure, defined baseline build, or the latest + known good configuration version for that environment. 
+ + You closely and effectively manage changes in your environment, ensuring that + network and system configurations are secure and documented. + + You regularly review and validate that your network and information systems + have the expected, secure settings and configuration. + + Only permitted software can be installed. + + Standard users are not able to change settings that would impact security + or the business operation. + + If automated decision-making technologies are in use, their operation is well + understood, and decisions can be replicated. + + Generic, shared, default name and built-in accounts have been removed or disabled. + Where this is not possible, credentials to these accounts have been changed.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4 + ref_id: B4.c + name: Secure Management + description: You manage your organisation's network and information systems + that support the operation of your essential function(s) to enable and maintain + security. + annotation: 'Your systems and devices supporting the operation of the essential + function(s) are only administered or maintained by authorised privileged users + from highly trusted devices, such as Privileged Access Workstations, dedicated + solely to those operations. + + You regularly review and update technical knowledge about network and information + systems, such as documentation and network diagrams, and ensure they are securely + stored. + + You prevent, detect and remove malware, and unauthorised software. You use + technical, procedural and physical measures as necessary.' 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4 + ref_id: B4.d + name: Vulnerability Management + description: You manage known vulnerabilities in your network and information + systems to prevent adverse impact on your essential function(s). + annotation: 'You maintain a current understanding of the exposure of your essential + function(s) to publicly-known vulnerabilities. + + Announced vulnerabilities for all software packages, network and information + systems used to support your essential function(s) are tracked, prioritised + and mitigated (e.g. by patching) promptly. + + You regularly test to fully understand the vulnerabilities of the network + and information systems that support the operation of your essential function(s) + and verify this understanding with third-party testing. + + You maximise the use of supported software, firmware and hardware in your + network and information systems supporting your essential function(s).' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b + ref_id: B5 + name: Resilient Networks and Systems + description: The organisation builds resilience against cyber attack and system + failure into the design, implementation, operation and management of systems + that support the operation of essential functions. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5 + ref_id: B5.a + name: Resilience Preparation + description: You are prepared to restore the operation of your essential function(s) + following adverse impact. + annotation: "You have business continuity and disaster recovery plans that have\ + \ been tested for practicality, effectiveness and completeness. Appropriate\ + \ use is made\Lof different test methods (e.g. 
manual fail-over, table-top\ + \ exercises, or red-teaming).\nYou use your security awareness and threat\ + \ intelligence sources to identify new or heightened levels of risk, which\ + \ result in immediate and potentially temporary security measures to enhance\ + \ the security of your network and information systems (e.g. in response to\ + \ a widespread outbreak of very damaging malware)." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5 + ref_id: B5.b + name: Design for Resilience + description: You design the network and information systems supporting your + essential function(s) to be resilient to cyber security incidents. Systems + are appropriately segregated and resource limitations are mitigated. + annotation: "Network and information systems supporting the operation of your\ + \ essential function(s) are segregated from other business and external systems\ + \ by appropriate technical and physical means (e.g. separate network and system\ + \ infrastructure with independent user administration). Internet services\ + \ are not accessible from network and information systems supporting the essential\ + \ function(s).\nYou have identified and mitigated all resource limitations\ + \ (e.g. bandwidth limitations and single network paths).\nYou have identified\ + \ and mitigated any geographical constraints or weaknesses. (e.g. systems\ + \ that your essential function(s) depends upon\Lare replicated in another\ + \ location, important network connectivity has alternative physical paths\ + \ and service providers).\nYou review and update assessments of dependencies,\ + \ resource and geographical limitations and mitigations when necessary." 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5 + ref_id: B5.c + name: Backups + description: You hold accessible and secured current backups of data and information + needed to recover operation of your essential function(s). + annotation: 'Your comprehensive, automatic and tested technical and procedural + backups are secured at centrally accessible or secondary sites to recover + from an extreme event. + + Backups of all important data and information needed to recover the essential + function(s) are made, tested, documented and routinely reviewed.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b + ref_id: B6 + name: Staff Awareness and Training + description: Staff have appropriate awareness, knowledge and skills to carry + out their organisational roles effectively in relation to the security of + network and information systems supporting the operation of essential functions. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6 + ref_id: B6.a + name: Cyber Security Culture + description: You develop and maintain a positive cyber security culture. + annotation: 'Your executive management clearly and effectively communicates + the organisation''s cyber security priorities and objectives to all staff. + Your organisation displays positive cyber security attitudes, behaviours and + expectations. + + People in your organisation raising potential cyber security incidents and + issues are treated positively. + + Individuals at all levels in your organisation routinely report concerns or + issues about cyber security and are recognised for their contribution to keeping + the organisation secure. + + Your management is seen to be committed to and actively involved in cyber + security. 
+ + Your organisation communicates openly about cyber security, with any concern + being taken seriously. + + People across your organisation participate in cyber security activities and + improvements, building joint ownership and bringing knowledge of their area + of expertise.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6 + ref_id: B6.b + name: Cyber Security Training + description: The people who support the operation of your essential function(s) + are appropriately trained in cyber security. A range of approaches to cyber + security training, awareness and communications are employed. + annotation: 'All people in your organisation, from the most senior to the most + junior, follow appropriate cyber security training paths. + + Each individuals cyber security training is tracked and refreshed at suitable + intervals. + + You routinely evaluate your cyber security training and awareness activities + to ensure they reach the widest audience and are effective. + + You make cyber security information and good practice guidance easily accessible, + widely available and you know it is referenced and used within your organisation.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c + assessable: false + depth: 1 + ref_id: C + name: Detecting cyber security events + description: Capabilities exist to ensure security defences remain effective + and to detect cyber security events affecting, or with the potential to affect, + essential function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c + ref_id: C1 + name: Security Monitoring + description: The organisation monitors the security status of the network and + information systems supporting the operation of essential functions in order + to detect potential security problems and to track the ongoing effectiveness + of protective security measures. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 + ref_id: C1.a + name: Monitoring Coverage + description: The data sources that you include in your monitoring allow for + timely identification of security events which might affect the operation + of your essential function(s). + annotation: 'Monitoring is based on an understanding of your networks, common + cyber attack methods and what you need awareness of in order to detect potential + security incidents that could affect the operation of your essential function(s) + (e.g. presence of malware, malicious emails, user policy violations). + + Your monitoring data provides enough detail to reliably detect security incidents + that could affect the operation of your essential function(s). + + You easily detect the presence or absence of IoCs on your essential function(s), + such as known malicious command and control signatures. + + Extensive monitoring of user activity in relation to the operation of your + essential function(s) enables you to detect policy violations and an agreed + list of suspicious or undesirable behaviour. + + You have extensive monitoring coverage that includes host-based monitoring + and network gateways. + + All new systems are considered as potential monitoring data sources to maintain + a comprehensive monitoring capability.' 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 + ref_id: C1.b + name: Securing Logs + description: You hold log data securely and grant appropriate access only to + accounts with business a need. No system or user should ever need to modify + or delete master copies of log data within an agreed retention period, after + which it should be deleted. + annotation: 'The integrity of log data is protected, or any modification is + detected and attributed. + + The logging architecture has mechanisms, policies, processes and procedures + to ensure that it can protect itself from threats comparable to those it is + trying to identify. This includes protecting the essential function(s) itself, + and the data within it. + + Log data analysis and normalisation is only performed on copies of the data + keeping the master copy unaltered. + + Log data is synchronised, using an accurate common time source, so that separate + datasets can be correlated in different ways. + + Access to log data is limited to those with business need and no others. + + All actions involving all log data (e.g. copying, deleting, modifying or viewing) + can be traced back to a unique user. + + Legitimate reasons for accessing log data are given in use policies.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 + ref_id: C1.c + name: Generating Alerts + description: Evidence of potential security incidents contained in your monitoring + data is reliably identified and triggers alerts. + annotation: 'Log data is enriched with other network knowledge and data when + investigating certain suspicious activity or alerts. + + A wide range of signatures and indicators of compromise is used for investigations + of suspicious activity and alerts. 
+ + Alerts can be easily resolved to network assets using knowledge of networks + and systems. The resolution of these alerts is performed in almost real time. + + Security alerts relating to all essential function(s) are prioritised and + this information is used to support incident management. + + Logs are reviewed almost continuously, in real time. + + Alerts are tested to ensure that they are generated reliably and that it is + possible to distinguish genuine security incidents from false alarms.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 + ref_id: C1.d + name: Identifying Security Incidents + description: You contextualise alerts with knowledge of the threat and your + systems, to identify those security incidents that require some form of response. + annotation: "You have selected threat intelligence sources or services using\ + \ risk-based and threat- informed decisions based\Lon your business needs\ + \ and sector (e.g. vendor reporting and patching, strong anti-virus providers,\ + \ sector and community-based infoshare, special interest groups).\nYou apply\ + \ all new signatures and IoCs within a reasonable (risk-based) time of receiving\ + \ them.\nYou receive signature updates for all your protective technologies\ + \ (e.g. AV, IDS).\nYou track the effectiveness of your intelligence feeds\ + \ and actively share feedback on the usefulness of IoCs and any other indicators\ + \ with the threat community (e.g. sector partners, threat intelligence providers,\ + \ government agencies)." 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 + ref_id: C1.e + name: Monitoring Tools and Skills + description: Monitoring staff skills, tools and roles, including any that are + outsourced, should reflect governance and reporting requirements, expected + threats and the complexities of the network or system data they need to use. + Monitoring staff have knowledge of the essential function(s) they need to + protect. + annotation: 'You have monitoring staff, who are responsible for the analysis, + investigation and reporting of monitoring alerts covering both security and + performance. + + Monitoring staff have defined roles and skills that cover all parts of the + monitoring and investigation process. + + Monitoring staff follow policies, processes and procedures that address all + governance reporting requirements, internal and external. + + Monitoring staff are empowered to look beyond the fixed process to investigate + and understand non-standard threats, by developing their own investigative + techniques and making new use of data. + + Your monitoring tools make use of all log data collected to pinpoint activity + within an incident. + + Monitoring staff and tools drive and shape new log data collection and can + make wide use of it. + + Monitoring staff are aware of the operation of essential function(s) and related + assets and can identify and prioritise alerts or investigations that relate + to them.' 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c + ref_id: C2 + name: Proactive Security Event Discovery + description: The organisation detects, within network and information systems, + malicious activity affecting, or with the potential to affect, the operation + of essential functions even when the activity evades standard signature based + security prevent/detect solutions (or when standard solutions are not deployable). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2 + ref_id: C2.a + name: System Abnormalities for Attack Detection + description: You define examples of abnormalities in system behaviour that provide + practical ways of detecting malicious activity that is otherwise hard to identify. + annotation: 'Normal system behaviour is fully understood to such an extent that + searching for system abnormalities is a potentially effective way of detecting + malicious activity (e.g. You fully understand which systems should and should + not communicate and when). + + System abnormality descriptions from past attacks and threat intelligence, + on yours and other networks, are used to signify malicious activity. + + The system abnormalities you search for consider the nature of attacks likely + to impact on the network and information systems supporting the operation + of your essential function(s). + + The system abnormality descriptions you use are updated to reflect changes + in your network and information systems and current threat intelligence.' 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2 + ref_id: C2.b + name: Proactive Attack Discovery + description: You use an informed understanding of more sophisticated attack + methods and of normal system behaviour to monitor proactively for malicious + activity. + annotation: 'You routinely search for system abnormalities indicative of malicious + activity on the network and information systems supporting the operation of + your essential function(s), generating alerts based on the results of such + searches. + + You have justified confidence in the effectiveness of your searches for system + abnormalities indicative of malicious activity.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d + assessable: false + depth: 1 + ref_id: D + name: Minimising the impact of cyber security incidents + description: Capabilities exist to minimise the adverse impact of a cyber security + incident on the operation of essential functions, including the restoration + of those function(s) where necessary. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d + ref_id: D1 + name: Response and Recovery Planning + description: There are well-defined and tested incident management processes + in place, that aim to ensure continuity of essential function(s) in the event + of system or service failure. Mitigation activities designed to contain or + limit the impact of compromise are also in place. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1 + ref_id: D1.a + name: Response Plan + description: You have an up-to-date incident response plan that is grounded + in a thorough risk assessment that takes account of your essential function(s) + and covers a range of incident scenarios. 
+ annotation: 'Your incident response plan is based on a clear understanding of + the security risks to the network and information systems supporting your + essential function(s). + + Your incident response plan is comprehensive (i.e. covers the complete lifecycle + of an incident, roles and responsibilities, and reporting) and covers likely + impacts of both known attack patterns and of possible attacks, previously + unseen. + + Your incident response plan is documented and integrated with wider organisational + business plans and supply chain response plans, as well as dependencies on + supporting infrastructure (e.g. power, cooling etc). + + Your incident response plan is communicated and understood by the business + areas involved with the operation of your essential function(s).' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1 + ref_id: D1.b + name: Response and Recovery Capability + description: You have the capability to enact your incident response plan, including + effective limitation of impact on the operation of your essential function(s). + During an incident, you have access to timely information on which to base + your response decisions. 
+ annotation: "You understand the resources that will likely be needed to carry\ + \ out any required response activities, and arrangements are in place to make\ + \ these resources available.\nYou understand the types of information that\ + \ will likely be needed to inform response decisions and arrangements are\ + \ in place to make this information available.\nYour response team members\ + \ have the skills and knowledge required to decide on the response actions\ + \ necessary to limit harm, and the authority to carry them out.\nKey roles\ + \ are duplicated, and operational delivery knowledge is shared with all individuals\ + \ involved in the operations and recovery of the essential function(s).\n\ + Back-up mechanisms are available that can be readily activated to allow continued\ + \ operation of your essential function(s), although possibly at a reduced\ + \ level, if primary network and information systems fail or are unavailable.\n\ + Arrangements exist to augment your organisation\u2019s incident response capabilities\ + \ with external support if necessary (e.g. specialist cyber incident responders)." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1 + ref_id: D1.c + name: Testing and Exercising + description: Your organisation carries out exercises to test response plans, + using past incidents that affected your (and other) organisation, and scenarios + that draw on threat intelligence and your risk assessment. + annotation: 'Exercise scenarios are based on incidents experienced by your and + other organisations or are composed using experience or threat intelligence. + + Exercise scenarios are documented, regularly reviewed, and validated. + + Exercises are routinely run, with the findings documented and used to refine + incident response plans and protective security, in line with the lessons + learned. 
+ + Exercises test all parts of your response cycle relating to your essential + function(s) (e.g. restoration of normal function(s) levels).' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2 + assessable: false + depth: 2 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d + ref_id: D2 + name: Lessons Learned + description: When an incident occurs, steps are taken to understand its root + causes and to ensure appropriate remediating action is taken to protect against + future incidents. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.a + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2 + ref_id: D2.a + name: Incident Root Cause Analysis + description: When an incident occurs, steps must be taken to understand its + root causes and ensure appropriate remediating action is taken. + annotation: 'Root cause analysis is conducted routinely as a key part of your + lessons learned activities following an incident. + + Your root cause analysis is comprehensive, covering organisational process + issues, as well as vulnerabilities in your networks, systems or software. + + All relevant incident data is made available to the analysis team to perform + root cause analysis.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b + assessable: true + depth: 3 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2 + ref_id: D2.b + name: Using Incidents to Drive Improvements + description: Your organisation uses lessons learned from incidents to improve + your security measures. 
+ annotation: "You have a documented incident review process/policy which ensures\ + \ that lessons learned from each incident are identified, captured,\Land acted\ + \ upon.\nLessons learned cover issues with reporting, roles, governance, skills\ + \ and organisational processes as well as technical aspects of network and\ + \ information systems.\nYou use lessons learned to improve security measures,\ + \ including updating and retesting response plans when necessary.\nSecurity\ + \ improvements identified as a result of lessons learned are prioritised,\ + \ with the highest priority improvements completed quickly.\nAnalysis is fed\ + \ to senior management and incorporated into risk management and continuous\ + \ improvement." 
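Review bot: The double-quoted annotation values for B5.a, B5.b, C1.d and D2.b contain "\L" escapes ("use is made\Lof", "depends upon\Lare", "based\Lon", "captured,\Land"). In a YAML double-quoted scalar "\L" is the U+2028 line separator, so each of these loads as an invisible separator character in the middle of a sentence instead of a space, probably carried over from the spreadsheet cells. Suggest normalising U+2028 to a plain space in the conversion step and regenerating the file. Smaller text points in the same hunk: the C1.b description reads "accounts with business a need" (word order), the B6.b annotation has "Each individuals" without the apostrophe, C1.d has "threat- informed" with a stray space, and B5.b has "weaknesses. (e.g." with a full stop before the parenthesis. Each is worth checking against the published CAF text before merging.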
diff --git a/tools/ncsc/ncsc-caf-3.2.xlsx b/tools/ncsc/ncsc-caf-3.2.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..0093d4d7aa9e7af6e214d3dea040a9fc467d6e05 GIT binary patch literal 28898
zU!>I+nTOO?QV0vZ5>kdl8fUG(J612k86^g3oHQ>YMz-w;dFb7XO~E>+IF^`c@3DkD#gB5C)t-t5 zh5l0}T@;~23aln8U2Ll_m=tpJD;CK*vTGa`7g{E`mPr{J_M(~gxF#0hS#D9b`lDmM zGzq-8hQRjFrOA#JCme~bT-2y|5%@*bw{^@8VmGwH%6rYu5%M9sxUL7l9AulPZO4vmm}CA&@g^%2$QC4fe^Q_yQJN$t96<>f8N5O!R=3xN4{sIXcc7Zor;bAq>1v$`nf2MIhxS9qEi(I?eaM>BK!@Y5CO-%J#Mg7 zsqsBAbd1;%MiXXI0ZLlRXhzsUSEx{94j@`y;TcVsTV<+JyqSAo9mPo&Lf>;jp(=BjVn7e)E3RzKvM?9~ca8cIfDODK(ZV3Rq_riI!$3%G}2lCK|HBWfhtO$Fnn#HQcZ7SySd|*#y7vPq3g&?%8kUX|vo` zg4k#6FjJo^$T!9YL~RNk!DDN4@sz!>X{3^^ue-OMm`k*Q)l!^?DJn~6*Z`_!?VdToVigQ1Q<#DKDpB^u& z$sz+C6{N{L?-<0ST;uR4D~uKl96gBGw2)Rw5UBOPKsm;*Qm%uEq7{cul{DrZr;sIW zV%Zj!+Jwv!ubatf@Tv`5*>c%#&wd0bdJr$`aE<8qQYvO5JOojFXOa>#KNEpNi5W8x zGW*@9vk;o50}P-4G@mnmr*`l&xc6{}1x8`-Q78}q4^TPAdRl8{$zChwl}|C(0G#g^V2Q_CX0@~@5Ns)&%R4(x18KE$9z4L5IEc7cC5M}q zF`Q<9K!3Ec;vC9YoBW{D?XzP1{5GHw%r#!U{6u>BV`fzNirN@_iryQZpSV@RF@fQH zq_-kt)E;B*2B>i{L;@RwupD@LpqEx}KI!O&d{fxDk5w+jg8LoX>v$1a`geXpuOC1F zuB7S~^|7|?Op|r3Do{61>C{qkLW|j@}^+{|@K4*B-nii?i_DBfy z%6Iv}h!HRcl@@fKYaUb0Osb`in8k+0_o5R9#7LPfltki&a0)VtYw`RNr@C}Tj zrZsZ=k`rOVzh`HTvl`v`D>RRf{<0q$ZW==XbMkhuMp8ZL%ThOeRpuFGGwBeYOr>Tl5epqgio(m_ z_=plRCm>9AAKAJHiRo5IO14^$Hf!<}7T*JxYuD7Cb5A~Xdjp5<2d4Ddp+H-cC|d9N zf(r79bSc^C{K?Th{8D+Cd4?mKuAh1t1T1N~3I&a`k@YZl90cVc#|sDN@O`ne8pbTb zgs`a==*?pEdhOjyI}L{x&1;`j2|FR@5L9qB46CfhXT4I5+%2@HnD!62TsVMj`)h&r zPlxNmV67!rtPN3g8O*x$%~-s64Ud8p&fVM$>h3cN&b<^o3PxcxNSP)5_qW`rZmIV1 z2x6|hMW=nZO38yw4c}-PMyvCGZf?UZvV}C76GnqDf6zZg#_b*HQAYo$#hp#0Nb~D#HIcadzxcREnkB{-_urR6dPMCC(PA?Ll@#y(%aZ1%T#m> ze-SOyHqH+I2>$EJTGQkr`7T%tCvGJF#91o{S7JXvy}Se*6I2`T+Z&FExGe-vQU_eb z0?=A4#6cwNilhhfPjvdccv8IJJ7~5pR}w^(tk6zT8w?o|wnQvx;lJfUO;}ZsKS^-< z;Th8Q)p4LX%QcKAByQ*16+t&+x(1MvDLO5)!-A_g$Y0?Pq=%0)TtXsx_RI01mNBc* z-K56w0BCN3E~Pmb%BV(<-M%jC9|T-&%U2Q+Qtt zl0WaD{Pgc!G6uXaUA~Pe%~?%$gGRH|E4_dPTIuBB_i6E)gIZEa4o{FaxN%->xSQGe zo_pXMOF_xfE)V?c@FGLHDdrVE1Seh4dU-Okv;|z)Nefb&a`h5xT-4?H$?Loxj7;3e zyAF#BAT7<%gZWC6sMEzCLpz%Sq|1i_?JkUPVySbpJy|HRWIKX7sHhXDj!iOohpEG@ z@+|f3pTQuwb=a)rNz`dJwsx=iLU_#R$K2n}m!G2m3yWhB-AmNVezew}E4?T2U78K5 
z0K4}E-zNg~2{x?8>7*Ort1(!@Ra0|jIWBD{)DP!{U?!Ic zaKm{FrJdlVogQ7_J|B3F2?CK)3>ZSs+%bZcBA9`t_-EX51!Xyu8oHL)Gc2b_A)XjT zxso?=)_VF7$cGOimk2L(iMKs>fmqZoj-I|0*O~ccf)~hAqx5F+CN(11o}G00qEo8M z2{V%>m2Wcxo$B6L&I((1?5lhs506DXIu6ioDQ+;%zzb7vVO3p;M2VRJgo6#VC`}@I zI7OfG)enr|G%(rP-&ZK_E`NT^+r+s2Jd7Rl{6s#pQYcen9<4{&xK-Ef4^fj%)p1a_ zJTnHD1#hV3H*FPMugx4*D+V4sW10rGbRHSFy(p%r{~-}LgP6RCcGQ$&T0o3*yOHvf z9TO(K?=_y0mEP_L>IHZFS4z&&Ek9)@J)7JZ4`sz2thNN$@!_j*`ruJdM|c_=6}J#% zAv1-SSlit`LWseoL^?`xLvKbss&Wg$oir8XIXIaWB0IRw4;|Ef>`SUWHv9f2pHM0j zsJ;AnAs0UYr~5ZKxa((#iX-d&wq$WLxT%@VA?RCVx2Oh3hD&;GDv))hS-!M_n~s$7 zg~hlepo8v!8Cgw;jK_}nlPkQc*UE*{qG$x(pQcg64+Nwu(gh#iXTEIydfpp-heT{X z-?Bq#0=dXEIw^I(EH`ngzYf*6o}b%f9n{_{d{zz$Zc+PDn)fB{Q_J+f2B_s_I-v3JPP#K>zq2+HgV7i^+h>_RQ7PsifM`}o`!~v>W!>=%1NuqKE}Hw zUyaA|yrmugG;OxdU}9y%Ow1XI7PM)itk^OwFc?YtCSCCw9TZAW$?2b+80FSYtzeDM zPq6a?AHu*EDP~$6^Hj!Qg=DYf6mOvAs6NVkH}7@l=u42ZBEG_-@v^0jtG^V`a}D*7 zg}W)q4oj&Ng)r1BW{Y;5g-!b-WXI&RhM*!J%#R{ub1K%N8LV{587k@^8?Shsq*P8a z&H`w&`f0_mz(RCsae>c-pNEq>a)j<9C1SdW1#0gupl6tR6M5MR7OIF@OM)3x<8F@F z7vJ}`nvd(WsW6Q!oqGBFR9LlGa2||6S0}8L$|=N0IpI3kB&OHT&j(RLkNfk*H-y>IHtd zxZaCU0Y&EJ%Y!L!Cs#MmEr;YSeax566C zXYTy^(&?vye51HAadGc(MaDe8k78*exkMz% z16Y{kc1#~deHZC1LWwBOVa4^GBe2`_+p!5}-5qmFN1fqT8m`9)1m)bpund%B zm@Jw^$L6=>TdqBRtmP}Er!Kt`Zc!mdC)~2i`L$zOO_FE9$e@e<6kDEr++l~W0p>-A zM`;_B`zY1X%qR|UzrRlv_fZ;9teZ9N_Rw0_28CWyUK3|IP+7!_rzBBWEA~d4N{BI zf-{75wvKym=RBvGQFn#m(}2-1Fwz6TR8hyO!kIWG&wA1iC)YLtGrP>uW_<$gE@`tT zV?#O_y4~KFcwN_Rmw3icSiSACl7xM(w&Gj<5qGo_O$>Jv87+PvvM7ruoP}g4c&phh zDs^PaXy2;emPa)qfaF`kK!GvkxJD>vOJ`P%Ybx0CNpbH)9+!A=*>>hG|8R;O95Our ziP3v;^(0=lm#%|N8X;219{UY~R^ z$t=VyXIXDuor%8v4-y4_EF~UUl*xEh0aIE2q3!z+rhR`oR94NpJTiXR;j$W0%JX7= zIBN}pDp5_cn4s1**#@%K8gP5xjSy`CCN_$AAnTK<_V38Jm*wWn#Qm|bf<3{#lxiM2 zM|l*j;WhGK)W%#}qaB7oxt76VB^bp9xNePKU;U5M${Nt1w!L|e3T6=*Ov?&Fn8?uB z6suYwn~3rFMwqt>{bX=1KP{DZm0^tszk!FrbL}2rOSDGtsnv^2S({U(p-peDCH&fw z+)trpp&+;wUMMeJXQ}$dV{=H~2Munv`19X%~`9$`!aYD3QQHfSupXTm|&Zf>+{Iu1zgV5yh 
zj7|Yl1|6&?#@%W5Q^}V(<8|M{W|9}lP7*n<-h#_rC;+4?KRQqGr=_3i(=L0pPcnSaf3N!Nlzzok13o%};pkNRo#+nzIL}qY9P|7;TJ(M>17TH`1 zANR>PKPUZFjPCg-=ZEp}HAT_3mtTaR@iq+fE!J<_l10JX9WF{WV+UzOr88f@Dzx2K zHbx5?woHL6b&X~L;jg~hRnO`|eYrXySZLGrT)ww|>m=wFVqCy9o7r?&7z3R$u*3 z8kf7)+_v!^7rTn;TdLohbOTlc;gw(OoV{|VGKH^iU+snLEO8(D2TGMi_pb_PR=pcb`*3BUv+`OMh}o<8EOR4K#ry5sFiY)=@$H!LihWboUY*s1qmxtamFt(S zcE48N`|{I9Z<_40g5oNJ{wzX+k?&1agGOTkzl`yDa>rg#jROSzc5Q^OmbxujL<0B; z+np{ZSw-+481ZijX`m4E2rq@HOYBQ}Tq) z!~Ekj2AYR4I@#SAG>%*0H6ncNEv4+bI9y;ABz_o52Zj0ZH70c7KhCbl{62D$3b<_o zm0m0-a=o1nv;Own!42SfXk3r=TRsn8=U%X_f*HK9?Z>-VGU>To+DP1L=%F0213?FJ zu@z}khQI$<*HdfYeibawh0hMm#nQ!hDaVc5jb5X813V)_zvX!%-hQ;kKJ8=UQ&KZa zcJB~um@=y>a&roq?{E7~l&Hu0;&-EL9wyafWqTYe&DG;SdT=*`M%`-&l-xEZ7PDG= zS3)c|tl63o`@h zQ)LAm&YuDbUb#wj?lyQH;T7=j@1qZK)^j=f%R9m11&~!at4HT=we8d(|Bd$|xgrBkeDyN%g1kgGW>Et; z`7IQIeIB^KFwk^9{>6{0>-SS(uxbG~WigL9fHltv1RwdSPT$Gnvdq;U%Y|&74_ZMRlHsL( zhAecH{7GmJUMI#+BC1GG1N} z+j!fURkt>SZ*Kcm&##3dCL+YSSOqxqF6hR%ep|eCyadfiDUrOR4q1JPvk;|ezsCqu zF*~HR9duFKI0Z-=qd25oIt62bbhf+Kf9IbLvGG-1A_p?ZZsVl|V#AoOxbdw^wxl+N zls`FzY1fr}Zbq$RowRQq_&kj_VeU*RRo-<{?_ImTr}kn{?S9|(9LUh_wyx}lOsKOs zJWO)gDPYVXR!=#|n8VuA?Sx4Cqg{9Jn0@=I4l_KChv;6j#%{av?e(0fn4)~+wi(?Q zGnPGo0DscK6IXjxSlpun=imx2GX>bGSLc@wymJ( zz5oJC!$a+sO3{_GXp0s)+*za=ZScYB3Uh=>drgZSFCNVHrs5SaH?oAlToQ+g5jP(% z zM=78&T(Fzaqh{G=eo8s7`yV4UDc;;&~B0G{#G!r$e4b?+$0hh{j=Et`T z>)V)N)UFGf)tYIMu(kG2r&QwNqT^oY>!TX?$5@ZW$GWA~>npr)BAskVaunHzGW#iY zaOw7>ey`}?=qXxc@@ZRpjZF1m=_$thSoCZ&H?eU&#OV3c+(3$nbW%5`#GYAC|GrYtwpbK2-x&qM4W)Bnu zQa5#CgK*iz@;Hsm5}K8lxnaEuHr*j{Y4=r3KG8u?ZDgu)Z`L7dBFv}Y{VYEx*JZ$h$!-3l-T~>**aK`v^mpCMjtvK8 zS3Unuk870wRLvs--hTK1l9uE8ab+qOH(EYY;woyq6nE`lOY`vyX-jOZifyHKy<5C599^p!K` ztyu^e-AnkHIzTQ{xV{y}So_hnVN?}mB$Jg~${YOSAY!Ck=x_)V>0{p$p-lKS5CVho zsrl)8@6h62NoM+#O^bgzTa1P-LW2{&g@M}Mn?;_YY$y9)vt{k}+``$G}{kF%%U#ja+ zA94|%gr)XJm#LLZYIz^#2+os1U5Z2tJG}Khf`)`+qhfO8Y)l&YZT(9?*{)KF!gtX()XLg z-{PkJ6#f~r^Otn#J$UDj(49ZU|DIg(mlO=F|NVybzvr0z>GNlf#a~XZ?@ibLmTK{* 
z%b(=?zg#fT{-eu3Irx9N{0X!C%O#BHpDur*E&nw56UOzI0n9s|>-}W@LUa8o{gdAE zmlTcRU(!EWE`K`wdpr7<9t>M`5D dse%7*JXev2elIdGFr@c4?0cOKIQ-+={{hAb1lIrn literal 0 HcmV?d00001 From daf0a6696539d3d98827219b0385b11a93cb7c80 Mon Sep 17 00:00:00 2001 From: Abderrahmane Smimite Date: Mon, 1 Jul 2024 00:00:30 +0200 Subject: [PATCH 2/2] Explicitly use the list items as requirements --- backend/library/libraries/ncsc-caf-3.2.yaml | 1895 ++++++++++++++----- tools/ncsc/ncsc-caf-3.2.xlsx | Bin 28898 -> 30486 bytes 2 files changed, 1372 insertions(+), 523 deletions(-) diff --git a/backend/library/libraries/ncsc-caf-3.2.yaml b/backend/library/libraries/ncsc-caf-3.2.yaml index 1355a89fa..b30970be3 100644 --- a/backend/library/libraries/ncsc-caf-3.2.yaml +++ b/backend/library/libraries/ncsc-caf-3.2.yaml 
@@ -36,30 +36,49 @@ objects: and procedures in place to govern its approach to the security of network and information systems. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1 ref_id: A1.a name: Board Direction description: You have effective organisational security management led at board level and articulated clearly in corresponding policies. - annotation: 'Your organisation''s approach and policy relating to the security + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a + ref_id: A1.a.1 + description: Your organisation's approach and policy relating to the security of network and information systems supporting the operation of your essential function(s) are owned and managed at board-level. These are communicated, in a meaningful way, to risk management decision-makers across the organisation. - - Regular board-level discussions on the security of network and information - systems supporting the operation of your essential function(s) take place, - based on timely and accurate information and informed by expert guidance. - - There is a board-level individual who has overall accountability for the security - of network and information systems and drives regular discussion at board-level. - - Direction set at board-level is translated into effective organisational practices - that direct and control the security of the network and information systems - supporting your essential function(s).' 
- - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a + ref_id: A1.a.2 + description: Regular board-level discussions on the security of network and + information systems supporting the operation of your essential function(s) + take place, based on timely and accurate information and informed by expert + guidance. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a + ref_id: A1.a.3 + description: There is a board-level individual who has overall accountability + for the security of network and information systems and drives regular discussion + at board-level. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a.4 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.a + ref_id: A1.a.4 + description: Direction set at board-level is translated into effective organisational + practices that direct and control the security of the network and information + systems supporting your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1 ref_id: A1.b 
@@ -67,18 +86,31 @@ objects: description: Your organisation has established roles and responsibilities for the security of network and information systems at all levels, with clear and well-understood channels for communicating and escalating risks. - annotation: 'Key roles and responsibilities for the security of network and + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b + ref_id: A1.b.1 + description: Key roles and responsibilities for the security of network and information systems supporting your essential function(s) have been identified. These are reviewed regularly to ensure they remain fit for purpose. - - Appropriately capable and knowledgeable staff fill those roles and are given - the time, authority, and resources to carry out their duties. - - There is clarity on who in your organisation has overall accountability for - the security of the network and information systems supporting your essential - function(s).' - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b + ref_id: A1.b.2 + description: Appropriately capable and knowledgeable staff fill those roles + and are given the time, authority, and resources to carry out their duties. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b.3 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.b + ref_id: A1.b.3 + description: There is clarity on who in your organisation has overall accountability + for the security of the network and information systems supporting your essential + function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1 ref_id: A1.c 
@@ -88,19 +120,36 @@ objects: and effectively. Risks to network and information systems related to the operation of your essential function(s) are considered in the context of other organisational risks. - annotation: 'Senior management have visibility of key risk decisions made throughout + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c + ref_id: A1.c.1 + description: Senior management have visibility of key risk decisions made throughout the organisation. - - Risk management decision-makers understand their responsibilities for making - effective and timely decisions in the context of the risk appetite regarding - the essential function(s), as set by senior management. - - Risk management decision-making is delegated and escalated where necessary, - across the organisation, to people who have the skills, knowledge, tools and - authority they need. - - Risk management decisions are regularly reviewed to ensure their continued - relevance and validity.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c + ref_id: A1.c.2 + description: Risk management decision-makers understand their responsibilities + for making effective and timely decisions in the context of the risk appetite + regarding the essential function(s), as set by senior management. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c + ref_id: A1.c.3 + description: Risk management decision-making is delegated and escalated where + necessary, across the organisation, to people who have the skills, knowledge, + tools and authority they need. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a1.c + ref_id: A1.c.4 + description: Risk management decisions are regularly reviewed to ensure their + continued relevance and validity. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2 assessable: false depth: 2 @@ -112,7 +161,7 @@ objects: the operation of essential functions. This includes an overall organisational approach to risk management. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2 ref_id: A2.a 
@@ -120,55 +169,120 @@ objects: description: Your organisation has effective internal processes for managing risks to the security of network and information systems related to the operation of your essential function(s) and communicating associated activities. - annotation: 'Your organisational process ensures that security risks to network + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.1 + description: Your organisational process ensures that security risks to network and information systems relevant to essential function(s) are identified, analysed, prioritised, and managed. - - Your approach to risk is focused on the possibility of adverse impact to your - essential function(s), leading to a detailed understanding of how such impact - might arise as a consequence of possible attacker actions and the security - properties of your network and information systems. - - Your risk assessments are based on a clearly understood set of threat assumptions, - informed by an up-to-date understanding of security threats to your essential - function(s) and your sector. - - Your risk assessments are informed by an understanding of the vulnerabilities + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.2 + description: Your approach to risk is focused on the possibility of adverse + impact to your essential function(s), leading to a detailed understanding + of how such impact might arise as a consequence of possible attacker actions + and the security properties of your network and information systems. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.3 + description: Your risk assessments are based on a clearly understood set of + threat assumptions, informed by an up-to-date understanding of security threats + to your essential function(s) and your sector. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.4 + description: Your risk assessments are informed by an understanding of the vulnerabilities in the network and information systems supporting your essential function(s). - - The output from your risk management process is a clear set of security requirements - that will address the risks in line with your organisational approach to security. - - Significant conclusions reached in the course of your risk management process - are communicated to key security decision-makers and accountable individuals. - - Your risk assessments are dynamic and updated in the light of relevant changes - which may include technical changes to network and information systems, change - of use and new threat information. - - The effectiveness of your risk management process is reviewed regularly, and - improvements made as required. - - You perform detailed threat analysis and understand how this applies to your - organisation in the context of the threat to your sector and the wider CNI.' - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.5 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.5 + description: The output from your risk management process is a clear set of + security requirements that will address the risks in line with your organisational + approach to security. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.6 + description: Significant conclusions reached in the course of your risk management + process are communicated to key security decision-makers and accountable individuals. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.7 + description: Your risk assessments are dynamic and updated in the light of relevant + changes which may include technical changes to network and information systems, + change of use and new threat information. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.8 + description: The effectiveness of your risk management process is reviewed regularly, + and improvements made as required. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a.9 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.a + ref_id: A2.a.9 + description: You perform detailed threat analysis and understand how this applies + to your organisation in the context of the threat to your sector and the wider + CNI. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2 ref_id: A2.b name: Assurance description: You have gained confidence in the effectiveness of the security of your technology, people, and processes relevant to your essential function(s). 
- annotation: "You validate that the security measures in place to protect the\ + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b + ref_id: A2.b.1 + description: "You validate that the security measures in place to protect the\ \ network and information systems\Lare effective and remain effective for\ - \ the lifetime over which they are needed.\nYou understand the assurance methods\ - \ available to you and choose appropriate methods to gain confidence in the\ - \ security of essential function(s).\nYour confidence in the security as it\ - \ relates to your technology, people, and processes can be\Ljustified to,\ - \ and verified by, a third party.\nSecurity deficiencies uncovered by assurance\ - \ activities are assessed, prioritised and remedied when necessary in a timely\ - \ and effective way.\nThe methods used for assurance are reviewed to ensure\ - \ they are working as intended and remain the most appropriate method to use." + \ the lifetime over which they are needed." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b + ref_id: A2.b.2 + description: You understand the assurance methods available to you and choose + appropriate methods to gain confidence in the security of essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b + ref_id: A2.b.3 + description: "Your confidence in the security as it relates to your technology,\ + \ people, and processes can be\Ljustified to, and verified by, a third party." 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b + ref_id: A2.b.4 + description: Security deficiencies uncovered by assurance activities are assessed, + prioritised and remedied when necessary in a timely and effective way. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a2.b + ref_id: A2.b.5 + description: The methods used for assurance are reviewed to ensure they are + working as intended and remain the most appropriate method to use. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3 assessable: false depth: 2 
@@ -180,27 +294,48 @@ objects: determined and understood. This includes data, people and systems, as well as any supporting infrastructure (such as power or cooling). - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3 ref_id: A3.a name: Asset Management - annotation: 'All assets relevant to the secure operation of essential function(s) + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a + ref_id: A3.a.1 + description: All assets relevant to the secure operation of essential function(s) are identified and inventoried (at a suitable level of detail). The inventory is kept up-to-date. - - Dependencies on supporting infrastructure (e.g. power, cooling etc) are recognised - and recorded. - - You have prioritised your assets according to their importance to the operation - of the essential function(s). - - You have assigned responsibility for managing all assets, including physical - assets, relevant to the operation of the essential function(s). - - Assets relevant to the essential function(s) are managed with cyber security - in mind throughout their lifecycle, from creation through to eventual decommissioning - or disposal.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a + ref_id: A3.a.2 + description: Dependencies on supporting infrastructure (e.g. power, cooling + etc) are recognised and recorded. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a + ref_id: A3.a.3 + description: You have prioritised your assets according to their importance + to the operation of the essential function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a + ref_id: A3.a.4 + description: You have assigned responsibility for managing all assets, including + physical assets, relevant to the operation of the essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a3.a + ref_id: A3.a.5 + description: Assets relevant to the essential function(s) are managed with cyber + security in mind throughout their lifecycle, from creation through to eventual + decommissioning or disposal. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4 assessable: false depth: 2 
@@ -212,27 +347,67 @@ objects: arise as a result of dependencies on external suppliers. This includes ensuring that appropriate measures are employed where third party services are used. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4 ref_id: A4.a name: Supply Chain - annotation: "You have a deep understanding of your supply chain, including sub-\ - \ contractors and the wider risks it faces. You consider factors such as supplier\u2019\ - s partnerships, competitors, nationality and other organisations with which\ - \ they sub- contract. This informs your risk assessment and procurement processes.\n\ - Your approach to supply chain risk management considers the risks to your\ - \ essential function(s) arising from supply chain subversion by capable and\ - \ well-resourced attackers.\nYou have confidence that information shared with\ - \ suppliers that is essential to the operation of your function(s) is appropriately\ - \ protected from sophisticated attacks.\nYou understand which contracts are\ - \ relevant and you include appropriate security obligations in relevant contracts.\ - \ You have a proactive approach to contract management which may include a\ - \ contract management plan for relevant contracts.\nCustomer / supplier ownership\ - \ of responsibilities is laid out in contracts.\nAll network connections and\ - \ data sharing with third parties are managed effectively and proportionately.\n\ - When appropriate, your incident management process and that of your suppliers\ - \ provide mutual support in the resolution of incidents." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + ref_id: A4.a.1 + description: "You have a deep understanding of your supply chain, including\ + \ sub- contractors and the wider risks it faces. 
You consider factors such\ + \ as supplier\u2019s partnerships, competitors, nationality and other organisations\ + \ with which they sub- contract. This informs your risk assessment and procurement\ + \ processes." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + ref_id: A4.a.2 + description: Your approach to supply chain risk management considers the risks + to your essential function(s) arising from supply chain subversion by capable + and well-resourced attackers. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + ref_id: A4.a.3 + description: You have confidence that information shared with suppliers that + is essential to the operation of your function(s) is appropriately protected + from sophisticated attacks. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + ref_id: A4.a.4 + description: You understand which contracts are relevant and you include appropriate + security obligations in relevant contracts. You have a proactive approach + to contract management which may include a contract management plan for relevant + contracts. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + ref_id: A4.a.5 + description: Customer / supplier ownership of responsibilities is laid out in + contracts. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + ref_id: A4.a.6 + description: All network connections and data sharing with third parties are + managed effectively and proportionately. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:a4.a + ref_id: A4.a.7 + description: When appropriate, your incident management process and that of + your suppliers provide mutual support in the resolution of incidents. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b assessable: false depth: 1 @@ -250,7 +425,7 @@ objects: appropriate policies, processes and procedures that direct its overall approach to securing systems and data that support operation of essential functions. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1 ref_id: B1.a 
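Review bot: The A4.a.1 description in the A4.a hunk carries over line-wrap residue from the removed annotation: "sub- contractors" and "sub- contract" each have a space after the hyphen. These strings are now the text of an assessable requirement in their own right, so normalise them to "sub-contractors" and "sub-contract" as part of the split instead of copying the artefact forward.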
@@ -258,42 +433,91 @@ objects: description: You have developed and continue to improve a set of cyber security and resilience policies, processes and procedures that manage and mitigate the risk of adverse impact on your essential function(s). - annotation: "You fully document your overarching security governance and risk\ - \ management approach, technical security practice and specific regulatory\ - \ compliance. Cyber security is integrated and embedded throughout policies,\ - \ processes and procedures and key performance indicators are reported to\ - \ your executive management.\nYour organisation\u2019s policies, processes\ - \ and procedures are developed to be practical, usable and appropriate for\ - \ your essential function(s) and your technologies.\nPolicies, processes and\ - \ procedures that rely on user behaviour are practical, appropriate and achievable.\n\ - You review and update policies, processes and procedures at suitably regular\ - \ intervals to ensure they remain relevant. This is in addition to reviews\ - \ following a major cyber security incident.\nAny changes to the essential\ - \ function(s) or the threat it faces triggers a review of policies, processes\ - \ and procedures.\nYour systems are designed so that they remain secure even\ - \ when user security policies, processes and procedures are not always followed." - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a + ref_id: B1.a.1 + description: You fully document your overarching security governance and risk + management approach, technical security practice and specific regulatory compliance. + Cyber security is integrated and embedded throughout policies, processes and + procedures and key performance indicators are reported to your executive management. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a.2 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a + ref_id: B1.a.2 + description: "Your organisation\u2019s policies, processes and procedures are\ + \ developed to be practical, usable and appropriate for your essential function(s)\ + \ and your technologies." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a + ref_id: B1.a.3 + description: Policies, processes and procedures that rely on user behaviour + are practical, appropriate and achievable. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a + ref_id: B1.a.4 + description: You review and update policies, processes and procedures at suitably + regular intervals to ensure they remain relevant. This is in addition to reviews + following a major cyber security incident. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a + ref_id: B1.a.5 + description: Any changes to the essential function(s) or the threat it faces + triggers a review of policies, processes and procedures. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.a + ref_id: B1.a.6 + description: Your systems are designed so that they remain secure even when + user security policies, processes and procedures are not always followed. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1 ref_id: B1.b name: Policy, Process and Procedure Implementation description: You have successfully implemented your security policies, processes and procedures and can demonstrate the security benefits achieved. 
- annotation: 'All your policies, processes and procedures are followed, their + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b + ref_id: B1.b.1 + description: All your policies, processes and procedures are followed, their correct application and security effectiveness is evaluated. - - Your policies, processes and procedures are integrated with other organisational - policies, processes and procedures, including HR assessments of individuals'' - trustworthiness. - - Your policies, processes and procedures are effectively and appropriately + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b + ref_id: B1.b.2 + description: Your policies, processes and procedures are integrated with other + organisational policies, processes and procedures, including HR assessments + of individuals' trustworthiness. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b + ref_id: B1.b.3 + description: Your policies, processes and procedures are effectively and appropriately communicated across all levels of the organisation resulting in good staff awareness of their responsibilities. - - Appropriate action is taken to address all breaches of policies, processes - and procedures with potential to adversely impact the essential function(s) - including aggregated breaches.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b1.b + ref_id: B1.b.4 + description: Appropriate action is taken to address all breaches of policies, + processes and procedures with potential to adversely impact the essential + function(s) including aggregated breaches. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2 assessable: false depth: 2 
@@ -305,72 +529,141 @@ objects: (or automated functions) that can access data or systems are appropriately verified, authenticated and authorised. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2 ref_id: B2.a name: Identity Verification, Authentication and Authorisation description: You robustly verify, authenticate and authorise access to the network and information systems supporting your essential function(s). - annotation: "Your process of initial identity verification is robust enough\ + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a + ref_id: B2.a.1 + description: "Your process of initial identity verification is robust enough\ \ to provide a high level of confidence of a user\u2019s identity profile\ \ before allowing an authorised user access to network and information systems\ - \ that support your essential function(s).\nOnly authorised and individually\ - \ authenticated users can physically access and logically connect to your\ - \ network or information systems on which your essential function(s) depends.\n\ - The number of authorised users and systems that have access to all your network\ - \ and information systems supporting the essential function(s) is limited\ - \ to the minimum necessary.\nYou use additional authentication mechanisms,\ - \ such as multi-factor\L(MFA), for all user access, including remote access,\ - \ to all network and information systems that operate or support your essential\ - \ function(s).\nThe list of users and systems with access to network and information\ - \ systems supporting and delivering the essential function(s) is reviewed\ - \ on a regular basis, at least every six months.\nYour approach to authenticating\ - \ users, devices and systems follows up to date best practice." 
- - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b + \ that support your essential function(s)." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a + ref_id: B2.a.2 + description: Only authorised and individually authenticated users can physically + access and logically connect to your network or information systems on which + your essential function(s) depends. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a.3 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a + ref_id: B2.a.3 + description: The number of authorised users and systems that have access to + all your network and information systems supporting the essential function(s) + is limited to the minimum necessary. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a + ref_id: B2.a.4 + description: "You use additional authentication mechanisms, such as multi-factor\L\ + (MFA), for all user access, including remote access, to all network and information\ + \ systems that operate or support your essential function(s)." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a + ref_id: B2.a.5 + description: The list of users and systems with access to network and information + systems supporting and delivering the essential function(s) is reviewed on + a regular basis, at least every six months. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.a + ref_id: B2.a.6 + description: Your approach to authenticating users, devices and systems follows + up to date best practice. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2 ref_id: B2.b name: Device Management description: You fully know and have trust in the devices that are used to access your networks, information systems and data that support your essential function(s). - annotation: 'All privileged operations performed on your network and information + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b + ref_id: B2.b.1 + description: All privileged operations performed on your network and information systems supporting your essential function(s) are conducted from highly trusted devices, such as Privileged Access Workstations, dedicated solely to those operations. - - You either obtain independent and professional assurance of the security of - third-party devices or networks before they connect to your network and information - systems, or you only allow third-party devices or networks that are dedicated - to supporting your network and information systems to connect. - - You perform certificate-based device identity management and only allow known - devices to access systems necessary for the operation of your essential function(s). - - You perform regular scans to detect unknown devices and investigate any findings.' - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b + ref_id: B2.b.2 + description: You either obtain independent and professional assurance of the + security of third-party devices or networks before they connect to your network + and information systems, or you only allow third-party devices or networks + that are dedicated to supporting your network and information systems to connect. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b + ref_id: B2.b.3 + description: You perform certificate-based device identity management and only + allow known devices to access systems necessary for the operation of your + essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b.4 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.b + ref_id: B2.b.4 + description: You perform regular scans to detect unknown devices and investigate + any findings. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2 ref_id: B2.c name: Privileged User Management description: You closely manage privileged user access to network and information systems supporting your essential function(s). - annotation: 'Privileged user access to network and information systems supporting + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c + ref_id: B2.c.1 + description: Privileged user access to network and information systems supporting your essential function(s) is carried out from dedicated separate accounts that are closely monitored and managed. - - The issuing of temporary, time- bound rights for privileged user access and - / or external third- party support access is in place. - - Privileged user access rights are regularly reviewed and always updated as - part of your joiners, movers and leavers process. - - All privileged user activity is routinely reviewed, validated and recorded - for offline analysis and investigation.' 
- - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c + ref_id: B2.c.2 + description: The issuing of temporary, time- bound rights for privileged user + access and / or external third- party support access is in place. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c.3 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c + ref_id: B2.c.3 + description: Privileged user access rights are regularly reviewed and always + updated as part of your joiners, movers and leavers process. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.c + ref_id: B2.c.4 + description: All privileged user activity is routinely reviewed, validated and + recorded for offline analysis and investigation. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2 ref_id: B2.d 
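Review bot: B2.a.4 still contains the YAML escape `\L` between "multi-factor" and "(MFA)", copied from the removed annotation. Inside a double-quoted scalar `\L` decodes to U+2028 (line separator), so the requirement text ends up with an invisible separator character in the middle of a sentence; replace it with a plain space. B2.c.2 in the same hunk has wrap residue of the same origin in "time- bound" and "third- party".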
@@ -378,21 +671,44 @@ objects: description: You closely manage and maintain identity and access control for users, devices and systems accessing the network and information systems supporting your essential function(s). - annotation: 'You follow a robust procedure to verify each user and issue the + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d + ref_id: B2.d.1 + description: You follow a robust procedure to verify each user and issue the minimum required access rights, and the application of the procedure is regularly audited. - - User access rights are reviewed both when people change roles via your joiners, - leavers and movers process and at regular intervals - at least annually. - - All user, device and systems access to the systems supporting the essential - function(s) is logged and monitored. - - You regularly review access logs and correlate this data with other access - records and expected activity. - - Attempts by unauthorised users, devices or systems to connect to the systems - supporting the essential function(s) are alerted, promptly assessed and investigated.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d + ref_id: B2.d.2 + description: User access rights are reviewed both when people change roles via + your joiners, leavers and movers process and at regular intervals - at least + annually. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d + ref_id: B2.d.3 + description: All user, device and systems access to the systems supporting the + essential function(s) is logged and monitored. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d + ref_id: B2.d.4 + description: You regularly review access logs and correlate this data with other + access records and expected activity. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b2.d + ref_id: B2.d.5 + description: Attempts by unauthorised users, devices or systems to connect to + the systems supporting the essential function(s) are alerted, promptly assessed + and investigated. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 assessable: false depth: 2 @@ -406,7 +722,7 @@ objects: operation of essential functions. It also covers information that would assist an attacker, such as design details of network and information systems. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 ref_id: B3.a 
@@ -416,34 +732,73 @@ objects: unavailability or unauthorised access, modification or deletion would adversely impact the essential function(s). This also applies to third parties storing or accessing data important to the operation of your essential function(s). - annotation: 'You have identified and catalogued all the data important to the + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.1 + description: You have identified and catalogued all the data important to the operation of the essential function(s), or that would assist an attacker. - - You have identified and catalogued who has access to the data important to - the operation of the essential function(s). - - You maintain a current understanding of the location, quantity and quality - of data important to the operation of the essential function(s). - - You take steps to remove or minimise unnecessary copies or unneeded historic - data. - - You have identified all mobile devices and media that may hold data important + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.2 + description: You have identified and catalogued who has access to the data important to the operation of the essential function(s). - - You maintain a current understanding of the data links used to transmit data - that is important to your essential function(s). - - You understand the context, limitations and dependencies of your important + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.3 + description: You maintain a current understanding of the location, quantity + and quality of data important to the operation of the essential function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.4 + description: You take steps to remove or minimise unnecessary copies or unneeded + historic data. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.5 + description: You have identified all mobile devices and media that may hold + data important to the operation of the essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.6 + description: You maintain a current understanding of the data links used to + transmit data that is important to your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.7 + description: You understand the context, limitations and dependencies of your + important data. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.8 + description: You understand and document the impact on your essential function(s) + of all relevant scenarios, including unauthorised data access, modification + or deletion, or when authorised users are unable to appropriately access this data. - - You understand and document the impact on your essential function(s) of all - relevant scenarios, including unauthorised data access, modification or deletion, - or when authorised users are unable to appropriately access this data. - - You validate these documented impact statements regularly, at least annually.' 
- - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a.9 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.a + ref_id: B3.a.9 + description: You validate these documented impact statements regularly, at least + annually. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 ref_id: B3.b 
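Review bot: B3.a.9 ("You validate these documented impact statements regularly, at least annually.") is not self-contained once it is its own assessable node, because "these documented impact statements" are only defined in B3.a.8. An assessor scoring B3.a.9 in isolation has nothing to tie the wording to. Either keep B3.a.8 and B3.a.9 as a single node, or reword B3.a.9 so it names what is validated (the documented impact of unauthorised access, modification, deletion or unavailability of the data).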
@@ -451,64 +806,112 @@ objects: description: You have protected the transit of data important to the operation of your essential function(s). This includes the transfer of data to third parties. - annotation: 'You have identified and protected (effectively and proportionately) + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b + ref_id: B3.b.1 + description: You have identified and protected (effectively and proportionately) all the data links that carry data important to the operation of your essential function(s). - - You apply appropriate physical and / or technical means to protect data that - travels over non-trusted or openly accessible carriers, with justified confidence - in the robustness of the protection applied. - - Suitable alternative transmission paths are available where there is a significant - risk of impact on the operation of the essential function(s) due to resource - limitation (e.g. transmission equipment or function failure, or important - data being blocked or jammed).' - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b + ref_id: B3.b.2 + description: You apply appropriate physical and / or technical means to protect + data that travels over non-trusted or openly accessible carriers, with justified + confidence in the robustness of the protection applied. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b.3 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.b + ref_id: B3.b.3 + description: Suitable alternative transmission paths are available where there + is a significant risk of impact on the operation of the essential function(s) + due to resource limitation (e.g. transmission equipment or function failure, + or important data being blocked or jammed). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 ref_id: B3.c name: Stored Data description: You have protected stored soft and hard copy data important to the operation of your essential function(s). - annotation: 'All copies of data important to the operation of your essential + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c + ref_id: B3.c.1 + description: All copies of data important to the operation of your essential function(s) are necessary. Where this important data is transferred to less secure systems, the data is provided with limited detail and / or as a read-only copy. - - You have applied suitable physical and / or technical means to protect this - important stored data from unauthorised access, modification or deletion. - - If cryptographic protections are used you apply suitable technical and procedural - means, and you have justified confidence in the robustness of the protection - applied. - - You have suitable, secured backups of data to allow the operation of the essential - function(s) to continue should the original data not be available. This may - include off- line or segregated backups, or appropriate alternative forms - such as paper copies. - - Necessary historic or archive data is suitably secured in storage.' - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c + ref_id: B3.c.2 + description: You have applied suitable physical and / or technical means to + protect this important stored data from unauthorised access, modification + or deletion. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c.3 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c + ref_id: B3.c.3 + description: If cryptographic protections are used you apply suitable technical + and procedural means, and you have justified confidence in the robustness + of the protection applied. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c + ref_id: B3.c.4 + description: You have suitable, secured backups of data to allow the operation + of the essential function(s) to continue should the original data not be available. + This may include off- line or segregated backups, or appropriate alternative + forms such as paper copies. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.c + ref_id: B3.c.5 + description: Necessary historic or archive data is suitably secured in storage. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 ref_id: B3.d name: Mobile Data description: You have protected data important to the operation of your essential function(s) on mobile devices. - annotation: 'Mobile devices that hold data that is important to the operation - of the essential function(s) are catalogued, are under your organisation''s + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d + ref_id: B3.d.1 + description: Mobile devices that hold data that is important to the operation + of the essential function(s) are catalogued, are under your organisation's control and configured according to best practice for the platform, with appropriate technical and procedural policies in place. 
- - Your organisation can remotely wipe all mobile devices holding data important - to the operation of the essential function(s). - - You have minimised this data on these mobile devices. Some data may be automatically - deleted off mobile devices after a certain period.' - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.e + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d.2 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d + ref_id: B3.d.2 + description: Your organisation can remotely wipe all mobile devices holding + data important to the operation of the essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.d + ref_id: B3.d.3 + description: You have minimised this data on these mobile devices. Some data + may be automatically deleted off mobile devices after a certain period. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.e + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3 ref_id: B3.e 
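Review bot: B3.d.3 ("You have minimised this data on these mobile devices.") loses its antecedents in the split; "this data" and "these mobile devices" pointed back to the sentence that is now B3.d.1. Spell the subject out in B3.d.3, for example "data important to the operation of the essential function(s)" held on mobile devices, so the node can be assessed on its own. In the same hunk, B3.c.4 keeps the wrap residue "off- line", which should read "off-line".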
@@ -516,13 +919,22 @@ objects: description: Before reuse and / or disposal you appropriately sanitise devices, equipment and removable media holding data important to the operation of your essential function(s). - annotation: 'You catalogue and track all devices that contain data important + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.e.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.e + ref_id: B3.e.1 + description: You catalogue and track all devices that contain data important to the operation of the essential function(s) (whether a specific storage device or one with integral storage). - - Data important to the operation of the essential function(s) is removed from - all devices, equipment and removable media before reuse and / or disposal - using an assured product or service.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.e.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b3.e + ref_id: B3.e.2 + description: Data important to the operation of the essential function(s) is + removed from all devices, equipment and removable media before reuse and / + or disposal using an assured product or service. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4 assessable: false depth: 2 @@ -535,7 +947,7 @@ objects: reliable protective security measures to effectively limit opportunities for attackers to compromise networks and systems. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4 ref_id: B4.a 
@@ -544,57 +956,112 @@ objects: support the operation of your essential function(s). You minimise their attack surface and ensure that the operation of your essential function(s) should not be impacted by the exploitation of any single vulnerability. - annotation: 'You employ appropriate expertise to design network and information + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a + ref_id: B4.a.1 + description: You employ appropriate expertise to design network and information systems. - - Your network and information systems are segregated into appropriate security - zones (e.g. systems supporting the essential function(s) are segregated in - a highly trusted, more secure zone). - - The network and information systems supporting your essential function(s) + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a + ref_id: B4.a.2 + description: Your network and information systems are segregated into appropriate + security zones (e.g. systems supporting the essential function(s) are segregated + in a highly trusted, more secure zone). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a + ref_id: B4.a.3 + description: The network and information systems supporting your essential function(s) are designed to have simple data flows between components to support effective security monitoring. - - The network and information systems supporting your essential function(s) + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a + ref_id: B4.a.4 + description: The network and information systems supporting your essential function(s) are designed to be easy to recover. 
- - Content-based attacks are mitigated for all inputs to network and information - systems that affect the essential function(s) (e.g. via transformation and - inspection).' - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a.5 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.a + ref_id: B4.a.5 + description: Content-based attacks are mitigated for all inputs to network and + information systems that affect the essential function(s) (e.g. via transformation + and inspection). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4 ref_id: B4.b name: Secure Configuration description: You securely configure the network and information systems that support the operation of your essential function(s). - annotation: 'You have identified, documented and actively manage (e.g. maintain + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.1 + description: You have identified, documented and actively manage (e.g. maintain security configurations, patching, updating according to good practice) the assets that need to be carefully configured to maintain the security of the essential function(s). - - All platforms conform to your secure, defined baseline build, or the latest - known good configuration version for that environment. - - You closely and effectively manage changes in your environment, ensuring that - network and system configurations are secure and documented. - - You regularly review and validate that your network and information systems - have the expected, secure settings and configuration. - - Only permitted software can be installed. - - Standard users are not able to change settings that would impact security - or the business operation. 
- - If automated decision-making technologies are in use, their operation is well - understood, and decisions can be replicated. - - Generic, shared, default name and built-in accounts have been removed or disabled. - Where this is not possible, credentials to these accounts have been changed.' - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.2 + description: All platforms conform to your secure, defined baseline build, or + the latest known good configuration version for that environment. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.3 + description: You closely and effectively manage changes in your environment, + ensuring that network and system configurations are secure and documented. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.4 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.4 + description: You regularly review and validate that your network and information + systems have the expected, secure settings and configuration. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.5 + description: Only permitted software can be installed. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.6 + description: Standard users are not able to change settings that would impact + security or the business operation. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.7 + description: If automated decision-making technologies are in use, their operation + is well understood, and decisions can be replicated. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b.8 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.b + ref_id: B4.b.8 + description: Generic, shared, default name and built-in accounts have been removed + or disabled. Where this is not possible, credentials to these accounts have + been changed. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4 ref_id: B4.c 
@@ -602,38 +1069,68 @@ objects: description: You manage your organisation's network and information systems that support the operation of your essential function(s) to enable and maintain security. - annotation: 'Your systems and devices supporting the operation of the essential + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c + ref_id: B4.c.1 + description: Your systems and devices supporting the operation of the essential function(s) are only administered or maintained by authorised privileged users from highly trusted devices, such as Privileged Access Workstations, dedicated solely to those operations. - - You regularly review and update technical knowledge about network and information - systems, such as documentation and network diagrams, and ensure they are securely - stored. - - You prevent, detect and remove malware, and unauthorised software. You use - technical, procedural and physical measures as necessary.' - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c + ref_id: B4.c.2 + description: You regularly review and update technical knowledge about network + and information systems, such as documentation and network diagrams, and ensure + they are securely stored. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c.3 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.c + ref_id: B4.c.3 + description: You prevent, detect and remove malware, and unauthorised software. + You use technical, procedural and physical measures as necessary. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4 ref_id: B4.d name: Vulnerability Management description: You manage known vulnerabilities in your network and information systems to prevent adverse impact on your essential function(s). - annotation: 'You maintain a current understanding of the exposure of your essential + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d + ref_id: B4.d.1 + description: You maintain a current understanding of the exposure of your essential function(s) to publicly-known vulnerabilities. - - Announced vulnerabilities for all software packages, network and information - systems used to support your essential function(s) are tracked, prioritised - and mitigated (e.g. by patching) promptly. - - You regularly test to fully understand the vulnerabilities of the network - and information systems that support the operation of your essential function(s) - and verify this understanding with third-party testing. - - You maximise the use of supported software, firmware and hardware in your - network and information systems supporting your essential function(s).' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d + ref_id: B4.d.2 + description: Announced vulnerabilities for all software packages, network and + information systems used to support your essential function(s) are tracked, + prioritised and mitigated (e.g. by patching) promptly. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d + ref_id: B4.d.3 + description: You regularly test to fully understand the vulnerabilities of the + network and information systems that support the operation of your essential + function(s) and verify this understanding with third-party testing. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b4.d + ref_id: B4.d.4 + description: You maximise the use of supported software, firmware and hardware + in your network and information systems supporting your essential function(s). - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5 assessable: false depth: 2 
@@ -644,23 +1141,34 @@ objects: failure into the design, implementation, operation and management of systems that support the operation of essential functions. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.a - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5 ref_id: B5.a name: Resilience Preparation description: You are prepared to restore the operation of your essential function(s) following adverse impact. - annotation: "You have business continuity and disaster recovery plans that have\ - \ been tested for practicality, effectiveness and completeness. Appropriate\ + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.a + ref_id: B5.a.1 + description: "You have business continuity and disaster recovery plans that\ + \ have been tested for practicality, effectiveness and completeness. Appropriate\ \ use is made\Lof different test methods (e.g. manual fail-over, table-top\ - \ exercises, or red-teaming).\nYou use your security awareness and threat\ - \ intelligence sources to identify new or heightened levels of risk, which\ - \ result in immediate and potentially temporary security measures to enhance\ - \ the security of your network and information systems (e.g. in response to\ - \ a widespread outbreak of very damaging malware)." - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b + \ exercises, or red-teaming)." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.a.2 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.a + ref_id: B5.a.2 + description: You use your security awareness and threat intelligence sources + to identify new or heightened levels of risk, which result in immediate and + potentially temporary security measures to enhance the security of your network + and information systems (e.g. in response to a widespread outbreak of very + damaging malware). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5 ref_id: B5.b 
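Review bot: the new B5.a.1 description keeps the `\L` escape that was in the old annotation ("use is made\Lof different test methods"). Inside a double-quoted YAML scalar `\L` decodes to U+2028 (line separator), so the loaded string has no space between "made" and "of" and carries a character that front ends and exports handle inconsistently. Replace it with a plain space; with no escapes left, the value can be an ordinary folded scalar like the B5.a.2 description next to it.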
@@ -668,32 +1176,63 @@ objects: description: You design the network and information systems supporting your essential function(s) to be resilient to cyber security incidents. Systems are appropriately segregated and resource limitations are mitigated. - annotation: "Network and information systems supporting the operation of your\ - \ essential function(s) are segregated from other business and external systems\ - \ by appropriate technical and physical means (e.g. separate network and system\ - \ infrastructure with independent user administration). Internet services\ - \ are not accessible from network and information systems supporting the essential\ - \ function(s).\nYou have identified and mitigated all resource limitations\ - \ (e.g. bandwidth limitations and single network paths).\nYou have identified\ - \ and mitigated any geographical constraints or weaknesses. (e.g. systems\ - \ that your essential function(s) depends upon\Lare replicated in another\ - \ location, important network connectivity has alternative physical paths\ - \ and service providers).\nYou review and update assessments of dependencies,\ - \ resource and geographical limitations and mitigations when necessary." - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.c + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b + ref_id: B5.b.1 + description: Network and information systems supporting the operation of your + essential function(s) are segregated from other business and external systems + by appropriate technical and physical means (e.g. separate network and system + infrastructure with independent user administration). Internet services are + not accessible from network and information systems supporting the essential + function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b + ref_id: B5.b.2 + description: You have identified and mitigated all resource limitations (e.g. + bandwidth limitations and single network paths). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b.3 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b + ref_id: B5.b.3 + description: "You have identified and mitigated any geographical constraints\ + \ or weaknesses. (e.g. systems that your essential function(s) depends upon\L\ + are replicated in another location, important network connectivity has alternative\ + \ physical paths and service providers)." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.b + ref_id: B5.b.4 + description: You review and update assessments of dependencies, resource and + geographical limitations and mitigations when necessary. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.c + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5 ref_id: B5.c name: Backups description: You hold accessible and secured current backups of data and information needed to recover operation of your essential function(s). - annotation: 'Your comprehensive, automatic and tested technical and procedural + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.c.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.c + ref_id: B5.c.1 + description: Your comprehensive, automatic and tested technical and procedural backups are secured at centrally accessible or secondary sites to recover from an extreme event. - - Backups of all important data and information needed to recover the essential - function(s) are made, tested, documented and routinely reviewed.' 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.c.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b5.c + ref_id: B5.c.2 + description: Backups of all important data and information needed to recover + the essential function(s) are made, tested, documented and routinely reviewed. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6 assessable: false depth: 2 
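Review bot: B5.b.3 has the same U+2028 problem as a `\L` escape at "depends upon\L\ are replicated", which joins "upon" and "are" with a line separator instead of a space. Since this text is being rewritten into its own node anyway, swap the escape for a space and drop the stray full stop in "weaknesses. (e.g. systems ...", so the description reads as one sentence. It is also the only one of the four B5.b children that still needs double quotes, which goes away once the escape does.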
@@ -704,35 +1243,60 @@ objects: out their organisational roles effectively in relation to the security of network and information systems supporting the operation of essential functions. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6 ref_id: B6.a name: Cyber Security Culture description: You develop and maintain a positive cyber security culture. - annotation: 'Your executive management clearly and effectively communicates - the organisation''s cyber security priorities and objectives to all staff. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a + ref_id: B6.a.1 + description: Your executive management clearly and effectively communicates + the organisation's cyber security priorities and objectives to all staff. Your organisation displays positive cyber security attitudes, behaviours and expectations. - - People in your organisation raising potential cyber security incidents and - issues are treated positively. - - Individuals at all levels in your organisation routinely report concerns or - issues about cyber security and are recognised for their contribution to keeping - the organisation secure. - - Your management is seen to be committed to and actively involved in cyber - security. - - Your organisation communicates openly about cyber security, with any concern - being taken seriously. - - People across your organisation participate in cyber security activities and - improvements, building joint ownership and bringing knowledge of their area - of expertise.' 
- - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a + ref_id: B6.a.2 + description: People in your organisation raising potential cyber security incidents + and issues are treated positively. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a + ref_id: B6.a.3 + description: Individuals at all levels in your organisation routinely report + concerns or issues about cyber security and are recognised for their contribution + to keeping the organisation secure. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a.4 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a + ref_id: B6.a.4 + description: Your management is seen to be committed to and actively involved + in cyber security. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a + ref_id: B6.a.5 + description: Your organisation communicates openly about cyber security, with + any concern being taken seriously. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.a + ref_id: B6.a.6 + description: People across your organisation participate in cyber security activities + and improvements, building joint ownership and bringing knowledge of their + area of expertise. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6 ref_id: B6.b 
@@ -740,17 +1304,35 @@ objects: description: The people who support the operation of your essential function(s) are appropriately trained in cyber security. A range of approaches to cyber security training, awareness and communications are employed. - annotation: 'All people in your organisation, from the most senior to the most + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b + ref_id: B6.b.1 + description: All people in your organisation, from the most senior to the most junior, follow appropriate cyber security training paths. - - Each individuals cyber security training is tracked and refreshed at suitable - intervals. - - You routinely evaluate your cyber security training and awareness activities - to ensure they reach the widest audience and are effective. - - You make cyber security information and good practice guidance easily accessible, - widely available and you know it is referenced and used within your organisation.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b + ref_id: B6.b.2 + description: Each individuals cyber security training is tracked and refreshed + at suitable intervals. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b + ref_id: B6.b.3 + description: You routinely evaluate your cyber security training and awareness + activities to ensure they reach the widest audience and are effective. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:b6.b + ref_id: B6.b.4 + description: You make cyber security information and good practice guidance + easily accessible, widely available and you know it is referenced and used + within your organisation. 
- urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c assessable: false depth: 1 @@ -770,7 +1352,7 @@ objects: to detect potential security problems and to track the ongoing effectiveness of protective security measures. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 ref_id: C1.a 
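Review bot: in the B6.b.2 node added by the preceding hunk, "Each individuals cyber security training is tracked" is missing the possessive apostrophe ("individual's"). The text was copied unchanged from the removed annotation, so this is a good moment to check it against the source spreadsheet and correct it; B6.a.1 in the same patch shows that a plain scalar holds an apostrophe without quoting ("the organisation's cyber security priorities").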
@@ -778,28 +1360,53 @@ objects: description: The data sources that you include in your monitoring allow for timely identification of security events which might affect the operation of your essential function(s). - annotation: 'Monitoring is based on an understanding of your networks, common + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a + ref_id: C1.a.1 + description: Monitoring is based on an understanding of your networks, common cyber attack methods and what you need awareness of in order to detect potential security incidents that could affect the operation of your essential function(s) (e.g. presence of malware, malicious emails, user policy violations). - - Your monitoring data provides enough detail to reliably detect security incidents - that could affect the operation of your essential function(s). - - You easily detect the presence or absence of IoCs on your essential function(s), - such as known malicious command and control signatures. - - Extensive monitoring of user activity in relation to the operation of your - essential function(s) enables you to detect policy violations and an agreed - list of suspicious or undesirable behaviour. - - You have extensive monitoring coverage that includes host-based monitoring - and network gateways. - - All new systems are considered as potential monitoring data sources to maintain - a comprehensive monitoring capability.' - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a + ref_id: C1.a.2 + description: Your monitoring data provides enough detail to reliably detect + security incidents that could affect the operation of your essential function(s). 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a + ref_id: C1.a.3 + description: You easily detect the presence or absence of IoCs on your essential + function(s), such as known malicious command and control signatures. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a + ref_id: C1.a.4 + description: Extensive monitoring of user activity in relation to the operation + of your essential function(s) enables you to detect policy violations and + an agreed list of suspicious or undesirable behaviour. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a + ref_id: C1.a.5 + description: You have extensive monitoring coverage that includes host-based + monitoring and network gateways. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a.6 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.a + ref_id: C1.a.6 + description: All new systems are considered as potential monitoring data sources + to maintain a comprehensive monitoring capability. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 ref_id: C1.b 
@@ -808,70 +1415,148 @@ objects: accounts with business a need. No system or user should ever need to modify or delete master copies of log data within an agreed retention period, after which it should be deleted. - annotation: 'The integrity of log data is protected, or any modification is + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + ref_id: C1.b.1 + description: The integrity of log data is protected, or any modification is detected and attributed. - - The logging architecture has mechanisms, policies, processes and procedures - to ensure that it can protect itself from threats comparable to those it is - trying to identify. This includes protecting the essential function(s) itself, - and the data within it. - - Log data analysis and normalisation is only performed on copies of the data - keeping the master copy unaltered. - - Log data is synchronised, using an accurate common time source, so that separate - datasets can be correlated in different ways. - - Access to log data is limited to those with business need and no others. - - All actions involving all log data (e.g. copying, deleting, modifying or viewing) - can be traced back to a unique user. - - Legitimate reasons for accessing log data are given in use policies.' - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + ref_id: C1.b.2 + description: The logging architecture has mechanisms, policies, processes and + procedures to ensure that it can protect itself from threats comparable to + those it is trying to identify. This includes protecting the essential function(s) + itself, and the data within it. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + ref_id: C1.b.3 + description: Log data analysis and normalisation is only performed on copies + of the data keeping the master copy unaltered. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b.4 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + ref_id: C1.b.4 + description: Log data is synchronised, using an accurate common time source, + so that separate datasets can be correlated in different ways. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + ref_id: C1.b.5 + description: Access to log data is limited to those with business need and no + others. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + ref_id: C1.b.6 + description: All actions involving all log data (e.g. copying, deleting, modifying + or viewing) can be traced back to a unique user. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.b + ref_id: C1.b.7 + description: Legitimate reasons for accessing log data are given in use policies. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 ref_id: C1.c name: Generating Alerts description: Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts. 
- annotation: 'Log data is enriched with other network knowledge and data when + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + ref_id: C1.c.1 + description: Log data is enriched with other network knowledge and data when investigating certain suspicious activity or alerts. - - A wide range of signatures and indicators of compromise is used for investigations - of suspicious activity and alerts. - - Alerts can be easily resolved to network assets using knowledge of networks - and systems. The resolution of these alerts is performed in almost real time. - - Security alerts relating to all essential function(s) are prioritised and - this information is used to support incident management. - - Logs are reviewed almost continuously, in real time. - - Alerts are tested to ensure that they are generated reliably and that it is - possible to distinguish genuine security incidents from false alarms.' - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c.2 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + ref_id: C1.c.2 + description: A wide range of signatures and indicators of compromise is used + for investigations of suspicious activity and alerts. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + ref_id: C1.c.3 + description: Alerts can be easily resolved to network assets using knowledge + of networks and systems. The resolution of these alerts is performed in almost + real time. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + ref_id: C1.c.4 + description: Security alerts relating to all essential function(s) are prioritised + and this information is used to support incident management. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + ref_id: C1.c.5 + description: Logs are reviewed almost continuously, in real time. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.c + ref_id: C1.c.6 + description: Alerts are tested to ensure that they are generated reliably and + that it is possible to distinguish genuine security incidents from false alarms. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 ref_id: C1.d name: Identifying Security Incidents description: You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response. - annotation: "You have selected threat intelligence sources or services using\ + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d + ref_id: C1.d.1 + description: "You have selected threat intelligence sources or services using\ \ risk-based and threat- informed decisions based\Lon your business needs\ \ and sector (e.g. vendor reporting and patching, strong anti-virus providers,\ - \ sector and community-based infoshare, special interest groups).\nYou apply\ - \ all new signatures and IoCs within a reasonable (risk-based) time of receiving\ - \ them.\nYou receive signature updates for all your protective technologies\ - \ (e.g. AV, IDS).\nYou track the effectiveness of your intelligence feeds\ - \ and actively share feedback on the usefulness of IoCs and any other indicators\ - \ with the threat community (e.g. sector partners, threat intelligence providers,\ - \ government agencies)." 
- - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + \ sector and community-based infoshare, special interest groups)." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d + ref_id: C1.d.2 + description: You apply all new signatures and IoCs within a reasonable (risk-based) + time of receiving them. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d.3 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d + ref_id: C1.d.3 + description: You receive signature updates for all your protective technologies + (e.g. AV, IDS). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.d + ref_id: C1.d.4 + description: You track the effectiveness of your intelligence feeds and actively + share feedback on the usefulness of IoCs and any other indicators with the + threat community (e.g. sector partners, threat intelligence providers, government + agencies). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1 ref_id: C1.e 
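Review bot: the C1.d.1 description carries two conversion artefacts from the old annotation: a stray space in "threat- informed" and a `\L` escape in "decisions based\Lon your business needs", which YAML decodes to U+2028 rather than a space. Both should be cleaned up now that the sentence has its own node ("threat-informed decisions based on your business needs"). Separately, the unchanged context at the top of this hunk reads "accounts with business a need" in the C1.b description; the words look transposed and could be fixed in the same pass.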
@@ -881,29 +1566,58 @@ objects: threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential function(s) they need to protect. - annotation: 'You have monitoring staff, who are responsible for the analysis, + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + ref_id: C1.e.1 + description: You have monitoring staff, who are responsible for the analysis, investigation and reporting of monitoring alerts covering both security and performance. - - Monitoring staff have defined roles and skills that cover all parts of the - monitoring and investigation process. - - Monitoring staff follow policies, processes and procedures that address all - governance reporting requirements, internal and external. - - Monitoring staff are empowered to look beyond the fixed process to investigate - and understand non-standard threats, by developing their own investigative - techniques and making new use of data. - - Your monitoring tools make use of all log data collected to pinpoint activity - within an incident. - - Monitoring staff and tools drive and shape new log data collection and can - make wide use of it. - - Monitoring staff are aware of the operation of essential function(s) and related - assets and can identify and prioritise alerts or investigations that relate - to them.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + ref_id: C1.e.2 + description: Monitoring staff have defined roles and skills that cover all parts + of the monitoring and investigation process. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + ref_id: C1.e.3 + description: Monitoring staff follow policies, processes and procedures that + address all governance reporting requirements, internal and external. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + ref_id: C1.e.4 + description: Monitoring staff are empowered to look beyond the fixed process + to investigate and understand non-standard threats, by developing their own + investigative techniques and making new use of data. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + ref_id: C1.e.5 + description: Your monitoring tools make use of all log data collected to pinpoint + activity within an incident. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + ref_id: C1.e.6 + description: Monitoring staff and tools drive and shape new log data collection + and can make wide use of it. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e.7 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c1.e + ref_id: C1.e.7 + description: Monitoring staff are aware of the operation of essential function(s) + and related assets and can identify and prioritise alerts or investigations + that relate to them. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2 assessable: false depth: 2 
@@ -915,29 +1629,46 @@ objects: of essential functions even when the activity evades standard signature based security prevent/detect solutions (or when standard solutions are not deployable). - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2 ref_id: C2.a name: System Abnormalities for Attack Detection description: You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify. - annotation: 'Normal system behaviour is fully understood to such an extent that + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a + ref_id: C2.a.1 + description: Normal system behaviour is fully understood to such an extent that searching for system abnormalities is a potentially effective way of detecting malicious activity (e.g. You fully understand which systems should and should not communicate and when). - - System abnormality descriptions from past attacks and threat intelligence, + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a + ref_id: C2.a.2 + description: System abnormality descriptions from past attacks and threat intelligence, on yours and other networks, are used to signify malicious activity. - - The system abnormalities you search for consider the nature of attacks likely - to impact on the network and information systems supporting the operation - of your essential function(s). - - The system abnormality descriptions you use are updated to reflect changes - in your network and information systems and current threat intelligence.' 
- - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.b + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a + ref_id: C2.a.3 + description: The system abnormalities you search for consider the nature of + attacks likely to impact on the network and information systems supporting + the operation of your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a.4 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.a + ref_id: C2.a.4 + description: The system abnormality descriptions you use are updated to reflect + changes in your network and information systems and current threat intelligence. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.b + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2 ref_id: C2.b 
@@ -945,13 +1676,22 @@ objects: description: You use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity. - annotation: 'You routinely search for system abnormalities indicative of malicious + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.b + ref_id: C2.b.1 + description: You routinely search for system abnormalities indicative of malicious activity on the network and information systems supporting the operation of your essential function(s), generating alerts based on the results of such searches. - - You have justified confidence in the effectiveness of your searches for system - abnormalities indicative of malicious activity.' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:c2.b + ref_id: C2.b.2 + description: You have justified confidence in the effectiveness of your searches + for system abnormalities indicative of malicious activity. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d assessable: false depth: 1 @@ -971,7 +1711,7 @@ objects: of system or service failure. Mitigation activities designed to contain or limit the impact of compromise are also in place. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1 ref_id: D1.a 
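Review bot: D1.a goes from `assessable: true` to `assessable: false` in this hunk, as C1.e, C2.a and C2.b do in the hunks above, and the assessable statements move to new depth-4 URNs. An assessment already recorded against one of the old depth-3 URNs has no assessable node to attach to after this change, so the patch should say how already-loaded copies of the library are handled, for example by bumping the library `version` in the same commit.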
@@ -979,23 +1719,40 @@ objects: description: You have an up-to-date incident response plan that is grounded in a thorough risk assessment that takes account of your essential function(s) and covers a range of incident scenarios. - annotation: 'Your incident response plan is based on a clear understanding of + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a + ref_id: D1.a.1 + description: Your incident response plan is based on a clear understanding of the security risks to the network and information systems supporting your essential function(s). - - Your incident response plan is comprehensive (i.e. covers the complete lifecycle - of an incident, roles and responsibilities, and reporting) and covers likely - impacts of both known attack patterns and of possible attacks, previously + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a + ref_id: D1.a.2 + description: Your incident response plan is comprehensive (i.e. covers the complete + lifecycle of an incident, roles and responsibilities, and reporting) and covers + likely impacts of both known attack patterns and of possible attacks, previously unseen. - - Your incident response plan is documented and integrated with wider organisational - business plans and supply chain response plans, as well as dependencies on - supporting infrastructure (e.g. power, cooling etc). - - Your incident response plan is communicated and understood by the business - areas involved with the operation of your essential function(s).' 
- - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a + ref_id: D1.a.3 + description: Your incident response plan is documented and integrated with wider + organisational business plans and supply chain response plans, as well as + dependencies on supporting infrastructure (e.g. power, cooling etc). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a.4 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.a + ref_id: D1.a.4 + description: Your incident response plan is communicated and understood by the + business areas involved with the operation of your essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1 ref_id: D1.b 
@@ -1004,22 +1761,57 @@ objects: effective limitation of impact on the operation of your essential function(s). During an incident, you have access to timely information on which to base your response decisions. - annotation: "You understand the resources that will likely be needed to carry\ - \ out any required response activities, and arrangements are in place to make\ - \ these resources available.\nYou understand the types of information that\ - \ will likely be needed to inform response decisions and arrangements are\ - \ in place to make this information available.\nYour response team members\ - \ have the skills and knowledge required to decide on the response actions\ - \ necessary to limit harm, and the authority to carry them out.\nKey roles\ - \ are duplicated, and operational delivery knowledge is shared with all individuals\ - \ involved in the operations and recovery of the essential function(s).\n\ - Back-up mechanisms are available that can be readily activated to allow continued\ - \ operation of your essential function(s), although possibly at a reduced\ - \ level, if primary network and information systems fail or are unavailable.\n\ - Arrangements exist to augment your organisation\u2019s incident response capabilities\ - \ with external support if necessary (e.g. specialist cyber incident responders)." - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + ref_id: D1.b.1 + description: You understand the resources that will likely be needed to carry + out any required response activities, and arrangements are in place to make + these resources available. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b.2 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + ref_id: D1.b.2 + description: You understand the types of information that will likely be needed + to inform response decisions and arrangements are in place to make this information + available. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + ref_id: D1.b.3 + description: Your response team members have the skills and knowledge required + to decide on the response actions necessary to limit harm, and the authority + to carry them out. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + ref_id: D1.b.4 + description: Key roles are duplicated, and operational delivery knowledge is + shared with all individuals involved in the operations and recovery of the + essential function(s). + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + ref_id: D1.b.5 + description: Back-up mechanisms are available that can be readily activated + to allow continued operation of your essential function(s), although possibly + at a reduced level, if primary network and information systems fail or are + unavailable. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b.6 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.b + ref_id: D1.b.6 + description: "Arrangements exist to augment your organisation\u2019s incident\ + \ response capabilities with external support if necessary (e.g. specialist\ + \ cyber incident responders)." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1 ref_id: D1.c 
@@ -1027,17 +1819,34 @@ objects: description: Your organisation carries out exercises to test response plans, using past incidents that affected your (and other) organisation, and scenarios that draw on threat intelligence and your risk assessment. - annotation: 'Exercise scenarios are based on incidents experienced by your and + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c + ref_id: D1.c.1 + description: Exercise scenarios are based on incidents experienced by your and other organisations or are composed using experience or threat intelligence. - - Exercise scenarios are documented, regularly reviewed, and validated. - - Exercises are routinely run, with the findings documented and used to refine - incident response plans and protective security, in line with the lessons - learned. - - Exercises test all parts of your response cycle relating to your essential - function(s) (e.g. restoration of normal function(s) levels).' + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c + ref_id: D1.c.2 + description: Exercise scenarios are documented, regularly reviewed, and validated. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c + ref_id: D1.c.3 + description: Exercises are routinely run, with the findings documented and used + to refine incident response plans and protective security, in line with the + lessons learned. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d1.c + ref_id: D1.c.4 + description: Exercises test all parts of your response cycle relating to your + essential function(s) (e.g. restoration of normal function(s) levels). 
- urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2 assessable: false depth: 2 
@@ -1048,36 +1857,76 @@ objects: causes and to ensure appropriate remediating action is taken to protect against future incidents. - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.a - assessable: true + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2 ref_id: D2.a name: Incident Root Cause Analysis description: When an incident occurs, steps must be taken to understand its root causes and ensure appropriate remediating action is taken. - annotation: 'Root cause analysis is conducted routinely as a key part of your + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.a.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.a + ref_id: D2.a.1 + description: Root cause analysis is conducted routinely as a key part of your lessons learned activities following an incident. - - Your root cause analysis is comprehensive, covering organisational process - issues, as well as vulnerabilities in your networks, systems or software. - - All relevant incident data is made available to the analysis team to perform - root cause analysis.' - - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.a.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.a + ref_id: D2.a.2 + description: Your root cause analysis is comprehensive, covering organisational + process issues, as well as vulnerabilities in your networks, systems or software. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.a.3 assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.a + ref_id: D2.a.3 + description: All relevant incident data is made available to the analysis team + to perform root cause analysis. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b + assessable: false depth: 3 parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2 ref_id: D2.b name: Using Incidents to Drive Improvements description: Your organisation uses lessons learned from incidents to improve your security measures. - annotation: "You have a documented incident review process/policy which ensures\ + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b.1 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b + ref_id: D2.b.1 + description: "You have a documented incident review process/policy which ensures\ \ that lessons learned from each incident are identified, captured,\Land acted\ - \ upon.\nLessons learned cover issues with reporting, roles, governance, skills\ - \ and organisational processes as well as technical aspects of network and\ - \ information systems.\nYou use lessons learned to improve security measures,\ - \ including updating and retesting response plans when necessary.\nSecurity\ - \ improvements identified as a result of lessons learned are prioritised,\ - \ with the highest priority improvements completed quickly.\nAnalysis is fed\ - \ to senior management and incorporated into risk management and continuous\ - \ improvement." + \ upon." + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b.2 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b + ref_id: D2.b.2 + description: Lessons learned cover issues with reporting, roles, governance, + skills and organisational processes as well as technical aspects of network + and information systems. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b.3 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b + ref_id: D2.b.3 + description: You use lessons learned to improve security measures, including + updating and retesting response plans when necessary. 
+ - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b.4 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b + ref_id: D2.b.4 + description: Security improvements identified as a result of lessons learned + are prioritised, with the highest priority improvements completed quickly. + - urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b.5 + assessable: true + depth: 4 + parent_urn: urn:intuitem:risk:req_node:ncsc-caf-3.2:d2.b + ref_id: D2.b.5 + description: Analysis is fed to senior management and incorporated into risk + management and continuous improvement. 
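Review bot: D2.b.1 has the same `\L` line-separator escape as C1.d.1, in "identified, captured,\Land acted upon", so the rendered requirement has U+2028 between "captured," and "and" instead of a space. tools/ncsc/ncsc-caf-3.2.xlsx changes in the same patch; if the YAML is generated from that spreadsheet, fix the character in the source cell, otherwise it will return on the next regeneration.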
diff --git a/tools/ncsc/ncsc-caf-3.2.xlsx b/tools/ncsc/ncsc-caf-3.2.xlsx index 0093d4d7aa9e7af6e214d3dea040a9fc467d6e05..520853ff64fad2bb03644fcf932320625899f652 100644 GIT binary patch delta 26173
z7I7i-GUvB{-a=qG9N6>{=JlYVRM{4c4PkGyBu4)YJOTd!1A_`03CT!BW5NDWpkucd zydf@MILvK$2NB6@#lGbh8A(p*8Sd8kSj1HbPR3EJI*%ol5@2L?=Ju^3i+XKS5bb+e zhp}V2{lRAMm60d|VYe;0`8C6R7EUG^c{S86+!1F;X`%H^)0-vY{R8rQ589z|pOQOv z(Z#_FUYeDA(i$zO*~||OGCzBlI@1NQx_MW|*3L>D9sflqDx@mp zYv_pyBDAW!GuUGp(wGdyvyr5aLNRUZk4-96%;>$s`Dy)A3?x@Qwnx<*Sk%0~5v%#D z@U-F_y$MQram3P{qS^q#e@!!T+XoMc9viUt>Cz+acbs8_agr#nlRVHUDah- zI{L#E2+au+_jPhSz`NU3)C7-&W4_)N$27qwL$i49(1b*Hp;QhCswsH!<=HK7kcW>^Cg|Nk_UEz^e}6p$U9935N>1503nJv`d3P4+ z7URc9!Eu(n({)iQPc6rLiuiw;`oK1%c#tylZ?jb38cZ~KByg ztVq_U2<~4bGSFVF@kN#^X~^^uIF+vAuH$6oF_prpomXg^5mDc3J+G zS~}JK^uv{H^uymewAkIm%laG_heSzsjTa|fe05Bx!~elD%s||4a25;WV{!}9^Jjdm zu!P-h4u1Xoix^KH)>UPaE>HQ zQ5nKEiLwj9b2vNexL|K5LX~y2J1IU!xMdjbi~cZJ?);Hj%#z<&W1xPNPR(6UVPnR#+PR&*~0;>!Cu z!~(S}0NRlvrG~W`9G>g;7}!Z50j27&Ci+u!4Wi&^WZn=S@9MWFg_|F*Vi7W)-I)73 zZ()3jtTD8GzVlk|Z*#aa=UNU`5kpWQj(womu~C6E>bi5gQ?hB5O!xc^Y6-Y!JWLkG zJP5L(jIw2&NF-RBa>F1Iea1C2)`y5kHi_E8yQbPhp^dGvv76&^)-DP3pW; zoD507yjx_;(N$mVbdaOJr;x-6PI=u@+~Rz)vRj@baG9U7j*gxYmt(GA#uF&5SsAw95e`yJQ1vT@wGmot1P3bwT{8pm$Rs2D41q`!X-qC0u%ZLi&D> zI*MwiBIEt;jHrFbOdx!DDA}QNE%2(jUu`X;GV;~dG!=U<}P-K&HdihfbUjP z)JuCXeHMrKr<_QD9P`09+#&(b6YjH@R`&`*66eqM2f%BOl!j)A@Q;NL-UvK-#rky; z(hyyz1Y^|f5mybkjiDPK`Ch(!(KlL{zz1Z3fkp@@G&T^b3Qk@UfS+zE?J7Mr4|$&Z zZVs$;LcD1xWgA=Wuh}b?d68krMTn82Lpwv1d1fB^-%&B8D(3M@%T*DkYG5aw2POV} zcjr&10y<8cPR(W(aQC`?T`x|>A5h>f2Wj+~{^jEGW2vL%_XH95i zWeIdX*t($P2~2O}n8LPrbrWzQdgtjC0?avr~PidUH&c;1#+i+m#XBZI%k>cVQ6ly5*r%OJWBuEeE|Fo#N zo{6ehEbG%Rx>nqHoEo;M0B3J@kgo%yb2)$y#hxItlt{4oHqSBJfX)W+=$l=~UG&YY zoV&K-1frZCrh}v3b`dLn#!2gKasm3|#nKwOIP%+CGW<*|zULls$a*zj7!W7yClxKA z96ghx$UR&a0y~6q8B=KkG{zT|uBDzsr{XZR`$V1_n9J1uLe87J#q)~8V8P7AODq@U zJVOvvuvZ6-1mm{u)q~|4{QA&!IEMf>LK(NECHj&D_R-Kq!eaUZ2uL%E>6^E%&|;yu zJT5xX-JWQ5?`@fJ?aVK}16SnD%70A9m_y52we$E$Ok) z$m6W3$uA1`Q?)ErViJ|6`TWe;T#kgiI(v|Ya)xqlm@^J7Dq#VMDERMZnt+Z(tr3D zrleua=D|Yc(Qb8e#&&1B&fUn_^!AxMdN@p&)vmaBlr9k1qswSlDTRCi77v>Gs3_)I z+LX>r#^D=w7j8JREH4u}HjBmuz`dVMBj&6oI5&aUkuat8a0gWY3+>8Iv$#)v%hZV4 
z4{vpi^<15I46Z>G>GG^S1wJx3vK@q`ej=bk%Epokem#Kze)b$7K9KPAPt1D$%lr?t6f?q_gUZqxD71eW%j**2 zE#rWFGv63D8U!~VqKaL#(>x%_57lxw66r)kd?g%oxm*ku3k@S$YYwsvUO}ITRCkhF zEqgBCJ%?uNogeq)oH#bbI5Jz zf(8W2`Vdfqwa<5wz(qTi2@dlzG{U-uY)_MV#0`a|7hJPV6oH0o3QLS(+V}n#e=2&R zKafdKm`D@ZkLacKz}AXqKF&!9t#VDHc*r)&>>Od+gZ^%TZV6);tbhMlY?+W8mJ206 z0!Me~+3By|VCa-$zcTlKl_zOy66K=dkz1LfT18OjUo`@KG#?wB|Fmv9VK_)Bu_W z0OV6Ar;+64o$lInerLXv0h1xwofJnb8H&lujoH@0%cVNkG0Aw-BB3cUEX$SY4H=0@ ziW3oJH&r#oEc{;6YK1n#|%w{-Y3EqCB34jnDt3)ZokDLS*st5)4$QDme zL%Ns7c8gxrVGI%%RG&HJT{L8shUZoKmS4yWQ^XkJ^!(c`<5?EK*B94UM?5GI~ zSimG0ZbUKj1Q(HJ&{KE;DDo{JB(na&MwPGfG}?X}r=y>^7#yx(8ype55KCMU)y-p_ zQ8XkMbcGS4db#CmHNm=F%@?0W8KmtvNM#+WZ^k%V8dZa}?-?q(HD5)yV)8ky@Y1q$ z(g6|OprdTtItrLNi;t(G_y*z{mYRQ~;rmAXq8?t&yV3DYog-2b2|mlN0s#ltwgi$b z7%f5*RoTq%A~|agyF1d%QWEe;(uf(Z0~RQig;p~2<~L5P6`JAAG=QW-jqB!wd*(bC zSu{w2GItjY)5gJX*moW46E4lnbSM;{@VL%cgQNlx% z6R9XiRMBE?X?KKYF26esZmehE9sH#wezoyEa(ts`KtbfbJ#`fp-@(hNCmXt|MsFOG zt%Ct^$Avvh52f>>z2LVeIFta2am=9u<&%S84^S_CX9kC5#0X{U@x}MBcy8afXa!{4 z{gzYzvfcOb>isj@X!b{YdLP|R>y0p3WGa&H3)_}F1EQ><9uk=^iEU?}EA+;5PGEzK zdm_5Z@$anI7Iy?2|M;i=OR+vbzAp<;P?|I`=!ox#9c?d;V6A~vbxZ&4q_zF?pT__7 zbN0>&lOaDpzrGWv7Wau(csmou^RZzlS>Y5^g3)dsKK+!m*3sC&s_5A%VY6f7O^gFeyp07wy#;Z<6Lf43GXHh1?)R{pl6JJ4K3Nuw6zPA_wsF^NSKo5(VnMI4BEsT1CC z@KZAfgy*9UOAr4EfbB25o@0R(!()N+5Y~zlca>!2B|9pw@&+r$qum3hJ!r+R}29TeysZn8c7YtqRD{ zH8%ilkxeA0hR9i|lfH4NKYDfxlM3MB zH0EFKq^VyRGHsO9ISpr9%kNG!3K1b>IAHcXFVf$+hCqe%M|p5K*r9(Kg1?0rf7@Qm zr+EMGCvHZxoP~hGDt#(w-m&Hchi;;uN^4BUvn2wJOif`+{SqKlbo*O+U6f30V55Ni zPuHHzu0*5Ot9BrKhn!ycH$PXD$LcA5PV2wnvfZI7eF4S$q1Ig`fw>L__Bxz3E|>o_ zue-Z}(`0GA@kB7@(8e~qEY;iYsBvv{4389ls`$Pwe29eSMy;OzwK8dP5;6C^=a43|$OJ}H$`Kki+&-nDKvVb(7aDT<7@m08^Zvuh z<F$Ch*iZ{5z5rFk44{AH}tR4&x^3R*?2@DVmEA~ z6WXttr~H&Z>XWrkHdl|xl#&_3;wDk<+~1o)EflZiIu#S@XFo1cpH??7<5S|SaprAl zPv6mU2^_R!po)(cS|#~#iFWv%3X%`!y+2)T=oy?zxs{9=U7#b&uyE27=h=_w<1_|F}A z#^hcH62kwVm;IjtD%Ru|2P(q<>1qftF!cXq|3#%X$-IsN5G?k|UXEn{{VS969dRK3 QIwrR}Qo_8t{8#b+0R(pIo&W#< delta 24537 
zcmYIuV{{-*&~9wowv&x*+qP{d6WiVx8#~$9++^d8wXtm{ci->cd%iz?>hyW0r>4+T zPgiGLg6{5sHXK7iTKtsl?Mc0WA^_GMcUe#ZjBLJ0Z~aawgyB@gG-RtK*6L;*nG@4p z5E@Tcbk=u@tG;^o!klTDH#xzmr?d9lET^+#Cp<{IDd!{TzZYLK2ot5MTj(>X-a7+l zPsvsc$+)PpO&AVYBAG*1TTGg=eUoXvHz2~<7zaxku%i)&H6(}f>GGoHb%47FgZu+n zj_S9R@42jcFa(eyaqxqbwkT*Hs0bVdZofxkG$B)4LFeRA;O`Zt<>req@5!AZ=a@B4 z)HKpSSocEK6%b>(L#R^2)w3rd#tb6`oN9N_hqw@oqt^0B+?zB8Dm5jiE^vkSBJQI< zS^7=9(?T9>kOU(ZMzR?@s)3z^^aP=Cy1ynPehnn^dg*QV2u ze)ctI$xZJPa9Xs%{33BZI_D*AFt-MWrYU+PGCTu_%3r?O5o19Er*{J?0jS2*^6e6eUjIuLv z;_8_)IY9n~LonzFVj4-qKR`EYw^KXo)>r@YvO-6Rkg=fbzpdfAhV!+fDQeKfLQ#P_ z$KR)fWj!ZzHdeVv#IH0eR73}iq1i$xjF5Z9XseJX3X^{sLU65w?Wm640xpE$$p%2;E~kmCsUV33b|%S)}RmFKoJ@)+fB4 zyu|SR+(I@*p2k*xpU3Z({e6v|kgv6s$a#F>hYG0Xy&nFSQ(iHDak2Gb?4Jz2PILTd zLRyr;yejZrgoxl{%td|jWOTt3X}#*I*G#o3Syf|B zwjTis_<0Pbn>DGNEJuDN-fZB1F( zpOiH;Il(u1!Ntm$0H!^g=#HPOQI|*%%&LaGH!0cV=m! zd2zRsVV#C#*teSF#$(;}2KUNwx5wtbvq=J|{O1}eY_g(2UHobUae*?I&o2L-21zN?$wdHNJha%pf2j zUtj+-!~tmr385?qVf7)dpr(aDHHOW)A%sTy>(4H_ik{E40hDu`XfAg7TgvH`B0!L6 zs20DIvpY~|x>E1ynB7t`{M z^@n9v-e7}_sj38|B{RzidO_!-8^p0w#5z4ePExk3YAGE2#y~e_CGKG%i@oR?SSlR@ zixj$;ZG?5 z7S1l0_5);G=In0bnmKhMELPye;+@)Lg{H9~qbLY^;W_|dYP`wk;O}qp8l>{mmd?zp zGf$r1vU%bg$`7X!VE+ofxMvA1wx z=Ge9wb~}IBg|$T?QqE98Q#>EcIx_Z+RHKby*9Tt}Ezjg%>k*!na!*BjpNOjcscasnu$=U@5CooBFZu_B((KfBs4t#tq>8d9APTdmc zEd?)?=y@g#3Yj?$;*5_Ae*3j2D0kHFX8P0KNH+~Y(EuSa_ZiIRhcgqe zr-u(4?8m+^AFrpEt+pp8;N$aPMyNG%=`GN>6lN+Fgfe@LSBf%j9gggS3TXGl^n1 z;;cRv-7g|)lf=zWhD=v7MITGd6;Vj{+K#uHfVIVKeQCr^+}4hlOlAeO1jjidijb84 zEJd6^DP-xUB&EfowCFb!ClXbS|SI$tmAfltZ^f zp`9YocGH|@ft7qK7JSs{3ggIR-^0vptnbDmQnzD^cJ{p@UX1>PvOm=XrObF{3I+15 zBzW%8#W3fJ$f~PCVgFhUHxD??S9zjq!8*a6irF$CLe4Z6!Py;CN6=M^Nkp7xAjY>8 zA_~Iii7n59v9q^g{|vWICBu_MyGvg!BD?cAYGt2Z0t9ffI43W9_#R!*d7LXfLIyx` z$EXk5YIeozu8}Zb#JHU0_Aa)e7C69*C_3p-RLyW!R>6*IN z25tn&ce$$O@Ft7Y!el7YS{vz_%SSy)DB|V2UDrpsT3%!?mD3N;DyP&54##t+i(AF@+PJNsrD21-g~v!k3NX=Bbj|Su__E2^Gz%o z`-&W}PM`RrKacb_L^3pwCq~2?rfGv5FHsB(qYIwO{|-`CDMs*MLWpqDyT8w7H 
zLBJte<1;_sql&<{^~VvWG8|{A_TH`Dbubvl_bBL>E{%l~+=*_J4d`j|s9tJI|L6)f z)_9|Wl#ZjA5CKJ_Ytm2>&lu$)hlr(lx`=0gbXop|$RUK#e`cmxJV|FrESsjBEOZa- z8{2ftA;!}1m2N9*epQM4fUB5-{QF1?%|@X#nj$hleVNc>)7ce<4@Z1;olDnZklWB{ zs{t;&*_28$#aU%CEM}u9$iar79|_8hvqY>D||rd${n^ZtL|^Y>I*$j<`nt^I5ds&E)&7a8(*jp;v_sKlpoe=9qZaUzuR zBOPjE;u&(-cf4FILPm%1N{Xn!07mZ05291O^E^pgRp2fU0EN${A!|* zu9o+dTJj}el-d%CwpH3#mc)9Cv!sz7V?+D1bEi-~D$uloja1#dqAbuF0WGU${ZP?{ z_R&S_84)H5)I6LX%o4Nqx)25i^LxD%#J^-hZI!9(OTF;d*ESTfqoqVzS$+NITlFmf z8;=+#qR=?1ag5kkyn%fh)uc(fQ7tAuVB^6Boc6y^Ofl8Gc~w^Z&;NWOr8k}su^4=r zZE9z1`0*En1D%sg_MW5CDNI$!%4ajMiHixw*4=~yBqOtTQt+7N__B$!*RR}kbe5R) z$PyA2zaLzx9-}+&y?iwkh7e!yVjR#g(?g<@D$Yp=jQul$1dX6FPa!qeH2jnR>y z_gDXCm&xVq2|T(Gx`NZ0g1AH#n`$Cae3@$wFlqOdUf?pnFC-7z*4o0mcm;bZ$ivL9?YHi0z#jO`ZQLCdivu z=l{9h5*&2dsWe;S=gO~maAEB;O-OKOf?N!Q=9rHnz!(PerDTozj}uuu5$a|ASNN;Y z{}xZ~iVE-{!YCi~6GXfc*(gx8h9NM;QLm7x31=z16TC}XO3Mtq?2+G}4)=Ogu-J(P zZ03I!4~C%QGHI%EmrTHZTP?zWy1-{u6KF&umEvlkxiljTBugnK*#(A3G(xX1JCvG> zrwRwfM?VmGLJ`67ZP9GT8^MQ~wutgP4cRo(j-0qd*Bn~~Cj>N+%~ON9O(O5$PwT*_ zKb&!2Tyco+pKC(u6W{^~L#R9a^vGOa!T#g$aJ6q*`pVECAmEy*Q`C5XzJt>`C(5Uw z@t4T#a#8$2+ptI;nS-sn@EW8`L_itknx>dawsg5nV8B&E8iPdBUbnlQ8gGzT@~^f% zH?MB;11_g}^c{m6{gFz7w}G>SE0=#fi~-y1>ne7<8hlGFdps&y{k9PpO8a%g+MkgKLeNxbYMFf@>j2lt_q!@5doO&~16xoN&^52z&UTgo9ijTG;IJA*(#>J1M(Xclot z`z|li_owebJ@<4lp{pmdNJT4J|B7t@Rpa{=bi*ZjMDroi4c+Q+l@G(P`W8%JRg@kb zrVD$pyskvbA62wwN{Wl(YjzgK zucb0wErQZs5s^*KG33}ALBp2?Vl&q4Nqr0=G3iQD2Wuk404S$yYUV`OX^P6Btg_I` zU^-6NRuire)|&Vu5SOD-xFG}+0=aWaE6;?d{SCMDGJzddC!LYBr``-;KSuIrHeX#S z2z3NP%u@!6X*;e3sIZKi#q#hM{?f;WwLZj2T~xsFekkbIN4sRu2MjL!sUgM0JXA`d zD!uW74uDv{lkW$4KrJ~Y1QGviQ|VV-&diuO;$K)CsoPHqCk2}gvmC80RsYb5Hp!hz zp2Diw0@O>9w{10E*Ez`PB+U%uKL{6{`^W$mOjbMr2beAz=9bHZ1+V!@59pEYOAR&L zc{$`hVXt8y8tzJDbxG_Kp6x%O4nKDa%71-UgPSqkvbjNV4w>V*o2p6D>J5DoGD@#9 z<8=SRd4Xoj;Y4Pf{M%bzf%i9(b-k%)^o%Y|Pa83B6H|qqaRe&?D}ukJN-2H1w_g+} z=qK``jLR%#^CsgNn|6IQ`bLd!P?OEZNkxA=cvw+o-^la57>{(KU^x3IKPt6RX;*7S zQp9q|nxy2_IJw!-yrq|LnIYbB+I53(_wTHl4tMkbS{_^Jj5boB^>&F+^;bxJhx9;L 
z8RvoD1bd&ugp{wdanZt4@1eEbVjn$_;kJbi$gYGU@doj2%`ZlFzp_*dj%nNqLgI!5 z_aD>PTqxB+3W(~-N6Z?H_*(sY^B}ExB!@ z>e@ql9rPYDRo2E594dH>xD^VDf_nLsX!F!xsFg+KD^PxG5GXSuw?Y?E64(l)kaE~g zzOch13J-o$M%#C&_i`K^O~<%`V+ps?)tTvD8MD~=_eXSmkE%(Z&Y0G0xan)Bx}MaW zUuTO})O)$c-9;A%n-_#;GN?=8mgyUYqUsL|(gs0vJh1-7?QA{AY$PNKqEjSfPm}H(+30A4gJS_#@xnf z{lfoX2m~wyEV9NVcnmBNNH|D1l>dW&`(F|Ie?{_ttHhzpI_t_#QNgh-|hO5>1~+)%`N0(!rp>cB=@_ITOqU;+2aiO zH|_rKv=y7Pze1E(GgDgi$J^@l+Pj{0o+q!8+qZk+FWY*J_b+$(jJ4kB`ke;?j*L3C zKVS1S+kO>hIxSySaViGrJ8#(_U~hQg4H+sh2JV`~j{d`yv;H?7x5@EOtBp3+fE5o8 zU?bA#EO)@EB8#}60nm&K#5z94|DWS>pzxE)atjg!1eyW_1o2}Gx@IxDupy^)ijrUMD@E-Wz3ZD7yfB1@P{iYqq8bmnNWKofWk)- z>NF$mG;`;w??J9pVQeS`r3xgvhM+=DR!hKud5BUb^p?sf89}nRTN)g0%Cso6It1bl zjk+}25jUc`TqL(LSCkoX9YrQ|ck4kG{>~k9)*FkOb(2lEDkY+)K9+$wLyO?nZ&Fg3#Z5hip8 zEt3xuKP22iZ5Lw3t9tM=@&nhsJ6<2-hfCAJWDWT%-`eAZGVxwo+HWHt0MFc&H*Ulx zS#J(?hgIju(5n{ayWap!4TiJ&lG|@EDLON|8a8db&|eb=PFdaBlTcMx_~$9wgk5^N z72)4nRL67_X@|ygTOe?EDOPJC;I+Wq5#CVPXlU7p@nj#~T)M#U%~3Yn(N^7<`Fm(W zYHfJpVR_A9&d8Y$Q54QN02unZOZ-Q4G!IAw1GYu>>wM5Wk9J|>0R)UDGh0eqVoCz&G_LC;{ zl=#r=YmQp!@!$Hglmh9xT*^CEeBa~+#~Tf8dJI;mnd#R}9<4D$0Ory|Es>W8-AYvo z^VcMbaqzNHpg1(FFFMUW@0IogPJ+qauHhfe5KX8Lyp`AE2w9|C{aZheOY7h2V1lm0 ztcmcplx6V}@HRtMPVvJYIUH9=dRHPNC2n^KF4iUsK0-PDE5`Uino~K?O=v@Ws28CE zJZnU_QQSIaDt$H$*n&c_qA^ByQFteVRX#)0SkA==o}S{eY1q4PaF7KN{;~lf$UtTa z&8X6yggn)}0CNIgzm~(*JVQ5WDKP8lhRQk2c+u0tG+gShox9P#yG($(Ih<#JdottI z{Wtq-E@9SSaBeMZi~Nl6aKoTKVCLG-vyN9D347*a5zhiR7&@bm+_X>dRbQsfI>?^Q z^g#unAIx?_-nbsi_PR|E>@(`=GWtsuGx28f;A|_vA2>c9HATKAni#+Ok^obSp%#o)Yl_y8}orZQ-id2XDeXzXXi_ zfbi@6f{h2h^->R}rutU5$o?gFE38-w+@(H6roP zv>IsDaBUUHhrv*>^>i>15Xn`H?+@Uz38HV`^BPQaXRhm7cBloCEFIe*C$Fk^H_f`4 zro#E}(Ej31$_)G)dRXlm)-nD= zmgQPh*A`MLlnXr3As(W{j{)EH`p6pw! 
zwUz6*TRgq<{g=5f4v|GUR9~_X1AGE-#QYR4n#>W^N4CSB~Anah~N z^DV>oTkHa^Db69Q<*B>ooD0vp)n==y^D^y&sd-zqnw!kCD#HW4_hv(WJ5G<}nVg*B zmAZ@>!Iy`6;K@Ec^Q_rk^I~cJ$g1G|bFbOHjp?hK-tdLK;Pdl*85kEX2jYQCsr%D%H#W1P^b{Hm(PWva4fW6+L3o{8bvN=-krZ=ST0Xsvb5 zabw`hyytJuneEEyvWz`g&uI4V=$_Dg;Wfh0QJeJi=;)a^ZSnz@ulLq-$n>z+*Q)}{ zXVUHTtT%Klx8}^J9Gfdo8S_m>Cv=?T^lu*=1@;U$mEP#D347Uk`p&6-5mInDVK)zA z3*1{`W7^y0rR#kS`g@`~lKs{72sn;_(t0lf;J-93oENWRYubC6oO7P*Khfdozi&)7 zWm&y&c2(W_<}(7ZPa~>w*=8q}U6e#`{5g!V-J^H?=(!pk`3GgXZf?Wj#|C;IyLYdM zpXD!dkAg;~QUSh?|18>UtF!o=;B!-yB_#AFU{u{#(~$2w?{xqtdFv1^w`Y`pg5S#Q ztmbjV8JJ#E%n+9Wy-wp?+fBul2wh`uOZSuEd{dV*e+Q`CxOs|%y8rP)Ghx^L>a zTDqRnYUfkb;-5XxkS%(Zr%{dh_!MX7J3TVltPzaZVyJ(WvFZ@$H62@?{FXVsayU}+ z!>m*L;Htr@$zM|o(Nko`@B`KPcx-LZfJ-+t}L>e^62rH^^~_<28aH1JG{ z|HLU4@*Jq;l>50jacJ>voum7MYUuBw!WROvXKXsBkw?D40U{9#fd3dR&@YuYvz>H| zqSiMgw909h4DxNwGS+}+X1RIyz5p2k7s_Z5j4u%ezti7n+UvTmjVpbF>VuGg zdpR0fCs2dwq<5!;_#L97>JG22W&nxn&Dw$Nl@Zvodz-oyZ|y&8D%(4x)wK8X`jx)5 z^wP;%pkKE`|H%8QkhkaOjAS;jvvKrlxO$0z)K-@f3VqX0?$M`bk0=1E4rQqCsY(LY zuA2c9eTZ8(E(XPCl&z{6nzVb>jL$&Kpe%^9Gw#sQ(`Y6i>#WC+iA@x$j)~Ns(K#Pk}Lo4c)GawEO2oSNUoiDF<&F7Omna=OfDtX(LlY0@QTTX!%Wl`(J+f7-T?i zbR6?@6LA3*g}=4UzdABma>CW@3YEogGML^^YHPTVm%%XPjlt45D;0`7 z@fg_}#D>A-ab;|p*o)gF^+_c^ildgBHNsCsMjo_dQ@z0k7h94(^}vX}_(L^uFpMV> z?^c5h{uLV`)H?XVu5BoWqWcQ)t_wgj`KgnnE@hdYWz=+x2Aa_k$uRa!mI+{kPZ&l%NhuLI%c*$qvFqm{>#+jq-=4GO6NiLsG+Dpx-m z6LjOdr8B0wGtJ3_&|4Q!)RPKwRoes$fuK3x>ZHTwk~V6D-*$y*W4WeN#wtV}e7nfb z3bk*0K`1P=Peb{haD+il?um>MqvPJshP*N%PE;#F>{=tPGIb%vfDFi;CV7H^p|}o^ zkuorVeD9~d(yU6~-jH_@Xdl}=G}SYh#BD$(vfLN~WR(ncY9|)kD z!H%_o&Qw2j9pJ5)gaz{d^cSu@!ZAKoM|BOy?z(_#@AojMopgSE025L}tVsV(UlC!^ zW(A!Kiz2d)0|w(1tqbhm@ic+ZGp?Y<9T;WUL8OMwK;iOES1g1^)C&dR2kJ2`f%IGQ zbL{w`;_E6Fu){uY=s*4f6oZ?M)^h^pJ=AM(})%-a^!r+I4B4TBMp63 z;g!EtWNk3bfb@5^Yc$>PRD4*JyuaBvBI*LHeCZOC5cPN= zs(Av1cD=khXdXVPm(#{>+hLIY&7a!8z1BI9{q~UrN=}DY+y|vkYFe4hl0}VL6%tg+ z`NS5?kb>zktVDtR^F|K_1%tAgAmSo>-y!a>RlaH)KNF$bI8e;ljo{l&JyJnK7Kx-s z8^l(V)|P)u{V-q(a{xxeAN#oYnyn&WD*4q2gA-Bym%03utp!l7G9vlL!7xDNkyAaQ 
zfK%tjUh6$f21^`!>nv%^+sEq_Qp{V8W-toNMC?T+{E@`>Z$sSz$hDa($J&U4da5Ve&AV z6VsA}lsdYV=ryM)#lSK3a`mka-IDK^fZ%e@`{=ra<_B)!+-uTM4!Ve(r$&Dmu)?7^ z5(?f#i14PagM1FrEldqLIs+wM05QqCIQ#5i%sB-Q;YhhbWWc;)xREY7W-Mt1wJypl z3XTYz?Er*^X?mD$7^2brb&cN%gE%e~MPY1uz_j`2VNeIluy90;G8qa`)S025V*1^E ze;ibLOCWbMCLQ4xUO<|@o@ziI?$1(3;bkqwp~DSednb7{=aaw5glANM!JHF(EF zP`aBX>1JIqQSFv|%rz~QAP@#{?W^<_m$w;3y!Ds`eTVNJRJEY^!y0p;H)w0?q>}ld zG!`y0?b7;#U7e)_NJm5PnPos}bG@Ua7mS+{#RY<1R-jQfxyHV8u0#0pd^kLIg2-f{ zW&_(i&Vi45A~)_g3-Tb9F}T8-_Ew`J5LOkUgR%>M$S{-GsnIbUM z@oI$>BtHL20CKNQ4YPwEHn#$`u#fvj*@3REkmiI&0whWT?22439B3BJL!@TDAonAv z<0%+{)X$?U^{EJ^q;uJRaT1hF(;+xENal)RaL3yNmyt2fptc{2Oy4=41p7Wgz0X)R zBq!!lLZDKbH&w0q*6?@*QS8y^5&z(l1=Qty7Sa9wjtc7?_550})&mm*cfC0#- z9$>m`3uJbr*!uN+n5?GJ!GaYOGu2>dye;H}wb6t>%zWZ$@2Q1dC7wF1ll;y|Pevj~ z(=Vc1IACmTR+Lo=nSx|AFC_|sigo|*Y74PAdekfEPcE(lr~|~6bZfll@H_j93&I~( zH%Ae}M1_vSp@_a}RqGwo&;2kt?682egG;OQ#k(mOob-Hc2^o95d_z-3_){dG@l)il z^y15>LAomVKkpi#$NpUTAzZAx%?c zWC3gq-VA1Y*UmB-MFH;#)*9#?ey&uD=XQ{Nasb-GOWxtkhL34-dJA95zIfX88|}Q6 zHmWkH!PfU)jT(LfRb@xV#EUaVIEy!ze z^Nilzi{OGNqe#W9helgv<(#U?f%Pc|e;rWI;(d(hLDfcJpPds=Pb4r~QA*5!Ea8;~ z_o2Wd=8aqJ;Fq$l?gy6Wfb+;|t3jr{7b}B-WUVzTWC%;htj@+lLLvOME(G%siVNkRt`x(Ocbl==D9oATN}=m8d_S`TKUd~&Y%TFJ^B z<5^dPQUyJ*2s6MyP0h_h{Hr#B#09Zk4H}3d?E~-sg%eav%~)g9LdE z$<8(jsEqwQmqGkpFE#6$`VJWD8leO>Pw;bYW3L(>(5VQH+1yyKtBc&yrWdX{n^jC< zQ(xfr?OvQ=B*6APaX+OjZ*bv0&jGjdG2)!!oADk+aBczf?le(pGN6|k8~y_>1UKfV zzch(C*^w|p=l(ijw3Bvz|0A02p@(wbVTEJ^qxyq|Pt9YT(B*TGBRp@OiYF2uLurmX zUqer@3zr%0`feId$!;7c1)K4J6cor0{K;6%DgwP1rf*;NM+CnpndsOdvIBTB(psjBSJ=t-U+6+ z32tX~44mNUTu2Z`p4p2$fZOTMIH8hJP70q#3re#Gr}EHZqbdzkmDfOZ-eXilK=Ef@ z|6ci9{EMiO<0m%fHcs{|MnZs+Y-P^=rs$jPj0`BJ5yJ}IL@up5)OHO!hJ7-)y?bAYsA}=8~DKo@1#ey*6;kfna0OgNtxnl z@xL25u8It;st?PtZPs<++)#?4sOq((q1z>Qq`4U${Xl(>7(O~;*~_#iiIV^ z?*Vige}uyu<-NPvqZA2&pM`|{rzGZXgZ49DZDrPCU5arGYpqCMdUgl;pHP_mLD`C9 z+j{nIw=`m1NRpUnqVsG(;d@J|%2-vfJYJngs9zabZejUF4qv^l%b60#Fy@x*@x&i6& z*arBOjw@6=Cg-0c*<>`9OI*LOdjNu`)Uf5cAD#JPzTC==I1{Rg3EZHDcbJaISzH&8 
zhHE#U1=cFUYxHCwh{785{umNA8OUkK4Gxt(1vUiJkTl8&k#!5SB8-M5Mqp2Dl7Bgh zvDxrevQgG7C}L(Y4Kd|*MSH|t-nO|Ps5inGM4XR$Q5H?NMdEy?-M*g}$pWn3?hx!W zI**Qa4Q&f3h)j&0uZ^8Sb_Dh!<@Zb?rx$TCg;%C~8JXn4hCHQnxTsubi~U>am82xY zmif)kN<-**XGOjpw8z-5Hw=?f1S!*)Yd6SSn~`RB>v>_%+7sEfDw>X|(1IC+ZM?Z$ z!UN{5Ve}zdu2|x`j;SlpQ2^7^K*V#$naf?ETCfJWQ@&I(<%`TDRtAO#U%4THV+}X8~Sa_dZpYyA$$Dgp66?OHcvSz#% zb^ZOCB6n3VMv|m=s9JQQI>-3&%H=mAVd=5P2rc#@s88nbmN%sEf}l9769vM)gk%}D zE{f3q%F^j?Rh!)JqCh(u((nQWxHIOubHLELWrLwx)7>A{s$WSLGcXt^BjU%@&tz&e zKbnxx&^i*Ft{qS4)#YkeuGsP<(FfEDUtiwXxQ1DM!?)qgD-KD)KAGuDMTHB>-R8*9 zlsTl1RxsMfC%<)oinZpqsy$V4lY<*Sa?-JxgJexFEM~0Cd;yh7{ew{7`tY#eyzHst z%Q~F%gJ_p37&0*)hI%FUOcVl;y+IXQly@)i;Lr?GEwjIcGv&)OUmQR%hAVP9A7u_T30 zE^(UC525Dd9UTTH*%ORKxI@*EN#~|dIrp!tdR{sZI|CQ0+N*(@KoEgxO#`hQd}#!# zaYh=ZDWDjWcn7tu;R$8_vU^#w+$EP#`!`EK1*7H1N_gIAlY|Muy~w4oYgolWf4y^Q zMmnn0bhFS^p+D|x-wm>YQ!yv}OzvCHj3Ig6sID!WcAB#lqORB@%~jB@ARH9mBlhk! zcxOneIk^QkuOfN~_?aYr$Z> zLl`-(PkhV*11<5{9<%m{&?I(Zi(r z4g=fE6~6cl$sp?fx1wlI8<#3S?fKRU+SX(YM|KH4W^t&rGBrY)1yKy-j8Y!$KVHg+ z2Z*8JQkpM`+&4{_AO^#5?39_AMPJ(ngEPB#4$^jnH`ZOo^t(*U4yNFms+t+lIgHA# zYk0;!R_vK3`Nbp%1ou8~E{~$7vC`us{>gGU+n@PP^3&^UKj;($WBU)nU;+#w6sOo_ zxpcguo`nVr`)qpH3$b*I?5O&ztzQjd7{F5XQ?}g_-S+P-gpO#Ro%}vx7`iv~^jiYK zW=c$iX0*ADRFp3LFJ6oQ4g^6B3q@fxxp3-P^LtKffkQbP|4PIS7y4vHWn6H(X$qZ^ zv<49@^V;Wg9a9F8TqA`$ib1{5@UVH`-L$u&EuIP7bETGnSeb<+f#koYM{6`Zoq&p* zP`;D0B@?3f@0GV1bwMr=8;VNKkR?U6na!sx+rgHTwrM;{88XtD4qlVVwO+E|lP)B+H_)!ae6 z?lPj~=Q$UM zB9IB7yNtt#HVs8IiTAS%>EJyGg;NINJyt`i%@0NOb80@o2Ca24xS?bM6#ub5G>X#x=QQTgh)gQ5w+`Xd$2 zngoUqg z2|N5qQK*rAg4W%PusqPS6NkxjMhYs29q+(v?Z!i=D+LY8td5xn;GvMrIUXY^l~E*Q zdlHI!4ebt{Og`&}By;UfJ5!w9Ho`)of30FL)A>?iUlO_8x?mEg*WRV-qGVLwA_b8# z=vUHD+3t~TDR~!EG?OccclYe*W6}03q0zKvYU%dx4r+tUFcUAJ+wi~jTj9h&4G_(7 zk)kPj1Qu1;>H+a|VBVKd2h*LyxY(_c_#}|;e)=^aA^|tdS&bsUffafSIW9^;+189h z;%@HaPC?`XBP&*SI+Ah6zlV@MOuj#wT}nxu)uP4ul|Gowf>~>Fl8GnPVxZ0_6N`AM z0CJxsh%m36j4A=vd>&f4XUQGWo=fZ~$y+aI5@k|+DxU@w_+5{*SMGvCa|CTE5*6I7(f# 
zZVI2sUt5-+b@RByo=qdV$k{4E_3FLeNsX4zi8DRw4=LcP{_O=MIe@vP(sNjclSPd` z!9B%Jn1~1-5QPpv*8L)k%H)@D7uZ>?#FZMZ*;~;r7gRe>Ds}0i()riHaGio6NNjz> z=Jv7fgn1n)!=a%ba%(nNMwP1OhdKN1O9LCAer+E96;!XD6y@Wdxw~O ztcCiA#9stI@6T6bXU>>io||oUUsk=2Pi&f;iUym3L!LSME zI^413b#uUY;Piz9XgtNMI6ouOLc}Tr<&NjO&Y4ebDqQcj3I)_x^n5yb!LL9!pEyYT zuNJY07w(7^rwM^+mSh8AbCKHBT(5Af^e?-Jhqt}Q7y2gSCB3Wr7Ull%a|2%dBHCnP z@v;K|uX#8TH_1L&tPbV3V&J3{TWPa9X9OXZy_w2I4I(Gwv$?1U)XOJcR*_=VEEzAhbar`@fE+=!|RAhI+kYu(8wZ43e|-!g=bZyUJ02NmkVilXk^-6QJXr ztLjOie)?z*{v4C|@iv+vn%v1U5(D8jSg^|hTsL2gC7gZCeBOgn$mnoqQ1K@m;)l0P zvaKSD`T%5)$K#`bg;tjklQM z)b;P?z_RX;*yWtKHG`4blO_$ni!Au2)G^f1uyg;k?#4Wqq|GHM{Cyn_8ZC_roiFxIlRZQ-y~ zDhG}&GOTiqKZtv^5AZZ{6J(W(pe|v7Slr>FbrstFVUG4?J{pn&JB!Qf@Uk_SyDE5u z?Ig>S6Xs3gLU{emZ{CQAs`I2-Zb5szQlLTknUUL%V6j*&9Q$r{S>JRs!)TO+FQOMs zlwDJPBOJ#7PDwq$=ZgQU>t!WB_jYNIoj0Z|B(P*|Oq zs0R;upCfU0GohQ%bh218G0BKTpO&ZZL|FDGbTU$c&#x-Voc|jXm zRT^Q*u6xfYxNCfINx6(yOp=*)V6Z26ott*r8s%ANb{hRortXY{|KBD}nw-~+T5u3 zF8}OC1^oG=i9{opGMBCfy+9KEcJoR8S2=-RD51w)^D)eVZqAwnHZF%h&Ofg;WhSAd zmeDO?piOh_Q||abTcPR6zTb8SSx%Bj7$}w~wIIYpWOBG!&4Xiy3P)j#h$CU!M9s2Y z0XM|t`4B38m6SeRs74fy3*A}pu40sJo6>bZcze~%?@lu5$q&FFf zmnceIXGA7fLn9e&r&o;-1s3t3UxX}`Cy#)G?Xm1Zogr7mJ-*jP&5Gwx0%MbgS9G(* zs34sT29e5@HD~s z8a%KbW>ao*a)|xh&xa^c`h;@;Yp&&yJsRU|rxOlI^A$(?PNyn%?b}=dKXE+m%7ggh7p#;@5Qyqa0D|oGNx3m|w|iX<_+!5^xLawo99{f5{f-pei)%z3 zw4z#R?5xykaW{X@MJgE3z1#cUKG0$+X56D{=0-LcX)uP`QuhCy>Drb_6>9q}Ys z8G6FT&x7{a!hK8nPfZ1?u`=0`Q z$~gyw^}DviW|K>ehL4>STPLKQXXJS|-KzoxFC1|+-o*2WsCrIzcE}`h&*{u2vP_S= zF(OEvB22>R+z$&xRes;$2@1rw5=ye&*GU#{@$mHHTAMCF%igiaJ+#!w&_t1g9WID% zi(O``46Mm>pU!6=i}69EKr5;s7oKkL`4ZU-a$2=%W3HdYuvc3=Ch5p(pRyTKUyzEI zEe&U07@BpGtf!*Z)0CPySBSg?cG#9@4JH|=r0;_+TSbaR3YJuSJpHnzbvBaoXsQke zib7bT$7xgprtp;z<7SOOX`<{|x~2!*4u>3X2=MGw&H3hA>OX&;U&nNRb@dasm-@xi?sx|GN7AiZKl!Et7`f#%?(sSV2UA?;z zn45&QVfId}uC?CK3HYUyksXXb&=uUE_YSByk;rD{--5v9j3&J?IO{4_#E@?@W@FW@ znp4^@D0TEykx)qh^qn01to3lh5Fxv|gY6ZZCFixJLH6^^CI}K`^kT6Tzx^eYWCuUCX$Em8hEsXLn@IQnC*@dxH3r41J%hnB!CDn#2 
zRXcSgR-dSA#0zOh^*>ojPE>Uv+RMxx7x71)D4!{RN8N+Ak6ZSd{VJ;oVI9&~P9rV! zO-dUQYy4yT)1?}MWRe`Lb=(X=jc(f(@iw@Vm_~F7HImGPX&Ql}gSD6C-|S zo)$u$*TFLl=&ny-$qqftW2{$B5!=L+?Y>lu?N3K7JTb+$n9g#`eK#X&{GlcY1y3s7 z!tiZ8BdA+iH~15}%^8$j!0ED9hRPZc*kg}>qGXI!(`v5m_nYM2Sz8&xi!{}3>7qB+ zAA?|zd)qLVXP{yk4I-iI3;ztm*H8#dsVp_g2zoC9=+lB27uoHfvEZ=B=?o*YcDO`g z_?uEd-PeI=8Q51le2zzT8jogSVrf!K?v&{OHP$x7N9W>mM0~AZT02f`V|km_nob_2 z8WXUJq(gY(#5Up|VMmDB)-okdSZR?B;gjsGKjFnTI84rCmJ{+T6L!E*PZT|6eGX_j z(h&(iJV^Y*`UCs7(kKs){*u(tyc{}p3Z_OJfIdoWDeKPECxu86cY*Mi+JM+;fGbn1 zJW9)ll5^)pkQdiOasf#a0|!Btj|uAPE3D656{~97PZH!NLPelo=v7~Mlo$3Tw7f;Dik*{E-C?wvk38T$Qt)I!^W8^jn zfHuOE5}d4z$*icezDS|g99X=(!Y7vWTa~$5k^gIcv>i)l(a8(_2c{YR+P}*eJOzdh z<7gXC_yuxx%~d~i&x`WeZGR~?IcXFwHmhsgN4JbY!Z99o~L*4Dh*j;*BHplWH(B9v8Szu1GT2%{riL$bcUz|@2# zJ7w_G=d7qOWcLI(lrV;v-y#&&S*%;*?kbJW79%K>@f3f{jL73s$3HoOXvm{m0xn9j zR6e&%5;7hMM4$?j1tS-4G7cTI6$%tu!>@2Ii7TKrC~>Uf@adAqyrVR#lnp$G!czOt zKjdo`3R?Uc1D6gw4qJadfR(+;m-Ki>40}P!St$3x?|!n#NLZbUAz{Rg8Hrf@?bBNb zPuH`Ioc}bRJ8`SAKOWM1u+4^`1nfSD0AOUW+7aI4YBO8TYN=m_MCA5m>Pj!y-yddx z8l<|4dU!=Z`I`~6z;Ey(pPk%FX%7Ik7|G+8lc0sR(m4+uWKJGT-m8|&OV1ohw>Mxo z+E{T0XR1rR-|3mDoH)M)ZiMnk)GR-iUHXs}6S=H0hMZ>bN)#w*n{-417|%!hDKp3H zGJjhSYlMVK;p32&Tb}G2q}N+bxp<;q7k2L9m5Z6E+)(*&kl)yOnh-JEv!Li;bbGrlCT`J$U*r2C^4p(JG@~>kJjjLC=&MQyWFz^ zJM>!u0acrhX-cXfoCEqdfTEB_LBg?D<0(3s3c)!+BvTo6ia)FEikm1g0#|ubF58|A3;YX^q~x z;6|DJ*t0#yU5)Mb9iGT&b^4H8!u2V$c1l9^Qve9jecy7F6*0~eIJK+Z9KsTnU(u?O zS>njQu_|*yYD<-oIc67H8a`D(_+Y6X2DVFC4>YK^2n}7z(#{qnMTXY) zPb-KHqIpydN51HXN1DMA!kxMqtdZ7C`MTK6Se11OYNi|#kgL>=Cu3v4NmF_roET9- z=LSc}@1ffjp|RWmA~N#T2K3oeCy2z}ggiUuPTaeSpSRWtIDX;Eo*oFbHHl;Oo-L@M zAIp|foy;E}-XSlRM_7Gv;m{A%EQ3L$%uu7Db2G6U=1qVB4RSqmabN6$)N!W9rHAdf zd_3(*!|C&U6^r2|wOFCV3=9Pxy%!oItwWsEd;a)&BCM7H=lF2ca8b~E5@j{a*`!Gk z(=G5D#n|<_I~R^x&Mn$k{-32BMchI$p*e7Dvm2ibO0~XiVm-#SzbE7&0B<>63AKMZ zSQCY6ExBZGh++7`s?XSr$4}JoAWY-d&C8_eHLK*-OT(vR5oSqNF8iy_(9J!TAe?>v4sTT2yL_?jSa*7#rPPVuzP3#iv3kfIIC1xNqqnO zc{ZVG2mZQ7?dhBeYR~?GkoJB2NvZ)1}@OVJVX 
zd8}O91Sj+Z^zTbMZL{;#+YkwYgpvGXH=STYsl6agpu7YcH>@@>pf?f~bxQ=9qRtY6 z2d1}PNPtP&5z7DsCp-P0eQ2JEowZw+DoJ8Wmg%QyjfRX#TcQ?qh+p&ICT%OIAEmeh ziHzy{>bS7n6dERylDG05i{P7aJ%T8ylwFrN5uw$b6)%YgG9o9KE?`l8`V|B)%UCrS zu0O{Cd|?oN^@6IJ>juz3`)-tEp7Gki2HN|t-@M9Qyd(lt@9GR*z-1X z3Ow~7H8Dv$_>&xW!5icOa`N;AJoqUKG8+o@QmZ_)<@u>={NBtg zyhl6EkcBWE?eP8iO0$>~$giR84I#><1EF?zW+aKvbANiWG2*GVh4nBoCox@`Oh-39Icp6~4A3{}JX&`bp8%Sxto$A4M2^Xb=|;6n3|k- z9s6}lvtvlv$i_N>Gqxf1x~vhk63`*D=IKz2XVJhGL_*o{eX`{&YAOWluqn;FfSllF zJ#Cy57a^nXC6Sq((eW4NId9^35clY2pel=j{kJ%8Rpo8Gwj{)f;mb(IkWn8OWIB5_ z&roy`3#I3Hhn+rBn8C$l1`t4P?8j{IuH2e*J6#QZ4oPmA%n_;ceFtqH=c0O#{oY5j zPZ*U+w7!A-u#oqbGyNM}y!EqW#nJVFoAQKTcxhR!U>IBEH{T78443p=SD@?5vVCoZ zHXkV!h=_Af!VbH&{F2>-%6#NPJhjZPex+JCBaTJl_h|+*a$iWcB10H>cngdVxn(2dUBE1q_VK4QhS7v)Uq<&wbfVLaz+M=Zf44$T_q~`EmS6o?m{>rTgTGG= ziB14ppb&Dh;*rP`P;>&^E5rfI9i$RNM1K}Ba^#lhAUv;E)UD=W{1&eS{I(*pFp>RF z6@hp{!uKL{W4kv_P8MysjBcZr-n*UC`&(wtdf@>WC$OsCUfFR?F~u|Rh%vpcs@7u6Q5=*)|kv}?ODmW!?A)l%v6`<{ojDGpyZ}rjLsIn9>&J`+{)n{GwznU3 zh$bQimrejDlAWce9IX`UfW+pW{a=qC)m)dvB~O_)Jhp}hQjU|I9Rk9R_$_`oqt&u` zN+s(!Qu;z4K-PLuD&VMm1Nd--ZWZe0c@@z7WRIA?#4J1zLe`7KgU(bRWQ-k_9-6C6}r-MUzIoBud6qP#s^+DXX{N6PZ&yq3 z4mJWXZm7@{EkV-4ZSUblQuo6VQUM}f!z5S;;LPtPe8qd_T*Mv~$@=ZK!C9C*lRlpz zN=4sIe1ev=7Ibjgw8@UFZm2gsdIH(YmrGCFd!;;MLQRf&k5s$*F(oRR+ioGu3XKt?oc7L7YS^metu;TNDQ@@(gK)`^m7 zDKvH}J%u80-#D+dj^IKzZo-Woto;+DbF%}RlKQ`5m1&ur{*!R{xE!=gxJ5VtQTM|m zB4sruM>6ZCfbkw5E;%0Lt4LlY1Tnn*WN5-He(vZC`9)c(;+S&*?kax3de(zPw*pLf z;cM4WJt#mm_R1r!pf3LRH_8tkCq1^Nv*PBScS0sI9A_k)a8P1rO~#9u1;=%SYU}Xg zm{ksrdGGBYtpq(ZQ$%O$gx^-~Q@RChR|GK~6de;Yqa~C&=2%rE3)j?XPsYL2>N=3s zWrg*}Kj`*?K4&UEw3DgZ^DSNM3aHyE@kyMtecfTFh{&wA6xj&vOzD|r_R zktY((Ml%+^(e4(PIW%W>YBg-jdp9YB7Er=OgEQ^2N~++%U{OtIF5L1-dG}b6kQ}n) zFngPSFwF@K8=3!A!U4%rX5>JYwr6xbez@~Y4SgI45AQe2tsk%hTDqTEfp#+#>;Q4P zfoSK!F@8#-KG|Z5KQMo|%X;hT%nY4=Q78%Gsqo2TOeJCpnac|fZQX^k?0rMZDzpq1s~{*hAa!f~{{HbOy{rKXZp)AV zu;33WlX+P|C<_%9hjLX5Y!f+=zzFMRVW1qr#izy6t}?udkXPskWS*UUe5uwb0gZaG 
zX*;WT=~y!xt4Y5%rT5b4*=R^^L>J0S*Vw9l^V#3j)8^-XLB=~hK?jCV!el6k)3~l# zL@-j{xH3>Z?O$8KxzzT%9>QGY9Rt1Bh9VS%7&|c$Y0Y3g6-oiIy&Qs29S=;hWsk?X zyP?zRv*kctP2FHDMIw_E@U&3}`>|CuZ}{GJuqI693P_5GBrzADu#O za9vo&F4rrZKI8`7N`{#5(KJ6d<3)nuX`K80#Kfwyc-!-D(oCXtBSY)8o3>POC@<&p zQtkLbI&s;om+wk#ca@E?!p1GrVK(|Ef54G10lHOBnj(GQ^nfr#c=NSy0bGO*?=P+OmS3s>++OV`xofE^{vSVv*=nCnZ^lfQ zotmue`oTwT9idVJk%4{Qy%D?e%UqsuuhD6TT<&n7h*`Po!8XfhV`+mx8^+t>@H zX^?Q>j=kvRVz&*OSdbuTyX*NByBP69qv}_Tu9KM_U*MzQ<;WV^>P_}Wo5}6kwTD|O zyBNj8!cgCszd&<-28b_w9^s!l7B-Jya=f!XXqvFhZ$kRgTMFtrKUiQFCchub2#W|5 zXiVxNe)zK%_xI3MCg`Rqtn_>-ndkLnnEkKMHenFoedAhu;L=&-8t;Nb6~f@TLqE~^ zqFE1cvACYR+0X+Ta14V7csPo5L6L8xbv?EMdsT>h=l`1`RM`*e>?Pbe*HIQ>HL5z1_0Zk9yURsCceVLb6+XmqTsV?KqlI`+-Qv`pD%uWcBLVH9qS)X13@hW3wrIC*`Lw zS69dDZ4)m~Mn+j;e$gdD|GVtqgZUG1!3$5R-t9Wy1F{nF-CgVf!CG!dqmSNPGsSIB z)dJN(;z7;{aLc^2DoXkMdzh=RVa&P)eEe4=3jYk)TNr3MoA?^Y)AjeUFhsq8o*z|R<~4E6cNeXF z&`?$kWA~SDwLlylnI6o#gVFs0eOG0*YRrWgw)DhTYf~!J#j>~u0`RKOB#OV{bZ5ZS zQCZeXkIh03-+P_lb?L~`Kx4MI_pe|I*1hks>7$rB8eBoMmD%b_(YY8}X&A)2&u1Id(k9oPHSuI*|( z8&!MVwLJk$?Vf9@f#{@qkl|s9i%ua^CW(5`AagEzOSda3{jYZY-6PJe%R1c11U|Am z?Hb3e%GZ}OvSOO@^_%85of*dc7G=dXzu$5QDBoe6d9Je-%I13Qsl#D^ngA)bOXp5V zB|Dn3fzp5O{Sx6T>OUf0WGMxeA!%qRD7CtFM;d6r*s+%bFY*lW36uKH`Ef%^!q7ZB zw7R!DVdS)SyUbddB*p2^oBp}MlajCv?JS#qQs7 z<2z5_#g12s`(=<9oWekYi=2SGOC$gVD}r@_%y=I>dscD)9g1rQ4)sXyH&^Ox#fYm1 zO!iY_OUhSFo-$QhGn{%7H>Or0{tQ0Ggg*9F8_$-tOqA)*W#SbWZJWWdeL*BP#s|7B zmEy~%vDPgNgn!U#bfE{UE38naoV2aCefh+2+nb7)p**RQfNvDelOvw~zNX{u$x z(Szb7+85z6Ai>rTBg2VL15j!7`2cR}my%S}O=7j{)wNgf1@b>jS|{c*0RuN8^nRexdxa58ItJp>IUZ(} zXxr?}=JW9u!BMCG2*a$5>Z24m*Q^qZ{GPJ-ojdonSp*&1R}^@n4N}Mwt#3sz)qU`2 z7*)p@$zrFL@q_*_h#IXBJ{-zI`Ox=BDi?WW34_D@*!+04dtiO1A~$owp(8kxBSFUy zrNxch!bI!j$EHYAww-f4r!)K}f_>%GS~-VAxl;^=Wfo_ANPn?;QXO?-+8GT0jI$5h4$(_(W^74)GN=V z|0UQ*duhP+BSS%@ZXlDS-g{w@{)+Okvhwv`-!kd!pKlJrbc>h}8T3Ae}EIxE(|95s_prEk- t%OS)%)x}2y=Giv2!iR?JpS{@gcE%Uqm@WT3oiT^hBOh9X0q1{u{|{K5$CUs8