From fb2fcd52b52726f4e56546d16871f5bf350a8524 Mon Sep 17 00:00:00 2001 From: Abderrahmane Smimite Date: Sun, 29 Sep 2024 12:04:52 +0200 Subject: [PATCH 1/2] 358: Add support for BSI C5 framework --- backend/library/libraries/bsi-c5-2020.yaml | 2856 ++++++++++++++++++++ tools/bsi/bsi-c5-2020.xlsx | Bin 0 -> 59450 bytes 2 files changed, 2856 insertions(+) create mode 100644 backend/library/libraries/bsi-c5-2020.yaml create mode 100644 tools/bsi/bsi-c5-2020.xlsx diff --git a/backend/library/libraries/bsi-c5-2020.yaml b/backend/library/libraries/bsi-c5-2020.yaml new file mode 100644 index 000000000..f61608f83 --- /dev/null +++ b/backend/library/libraries/bsi-c5-2020.yaml 
@@ -0,0 +1,2856 @@ +urn: urn:intuitem:risk:library:bsi-c5-2020 +locale: en +ref_id: BSI-C5-2020 +name: BSI C5 Library +description: Criteria Catalogue C5 +copyright: BSI +version: 1 +provider: BSI +packager: intuitem +objects: + framework: + urn: urn:intuitem:risk:framework:bsi-c5-2020 + ref_id: BSI-C5-2020 + name: BSI C5 Library + description: Criteria Catalogue C5 + min_score: 0 + max_score: 100 + requirement_nodes: + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2 + assessable: false + depth: 1 + name: Organisation of Information Security (OIS) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ois-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2 + ref_id: OIS-01 + name: Information Security Management System (ISMS) + description: "The Cloud Service Provider operates an information security management\ + \ system (ISMS) in accordance with ISO/IEC 27001. The scope of the ISMS covers\ + \ the Cloud Service Provider's organisational units, locations and procedures\ + \ for providing the cloud service.\nThe measures for setting up, implementing,\ + \ maintaining and continuously improving the ISMS are documented. \nThe documentation\ + \ includes:\n\n\u2022 Scope of the ISMS (Section 4.3 of ISO/IEC 27001);\n\n\ + \u2022 Declaration of applicability (Section 6.1.3), and\n\n\u2022 Results\ + \ of the last management review (Section 9.3)." + annotation: 'The Information Security Management System (ISMS) has a valid certification + according to ISO/IEC 27001 or ISO 27001 based on IT-Grundschutz. + + The basic criterion can also be fulfilled without valid certification of the + ISMS according to ISO/IEC 27001 or ISO 27001 based on IT-Grundschutz, if the + submitted documentation meets the requirements of ISO/IEC 27001.' 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ois-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2 + ref_id: OIS-02 + name: Information Security Policy + description: "The top management of the Cloud Service Provider has adopted an\ + \ information security policy and communicated it to internal and external\ + \ employees as well as cloud customers.\nThe policy describes:\n\n\u2022 the\ + \ importance of information security, based on the requirements of cloud customers\ + \ in relation to information security;\n\n\u2022 the security objectives and\ + \ the desired security level, based on the business goals and tasks of the\ + \ Cloud Service Provider;\n\n\u2022 the most important aspects of the security\ + \ strategy to achieve the security objectives set; and\n\n\u2022 the organisational\ + \ structure for information security in the ISMS application area." + annotation: The top management is a natural person or group of persons who make + the final decision for the institution and is responsible for that decision. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ois-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2 + ref_id: OIS-03 + name: Interfaces and Dependencies + description: "Interfaces and dependencies between cloud service delivery activities\ + \ performed by the Cloud Service Provider and activities performed by third\ + \ parties are documented and communicated. This includes dealing with the\ + \ following events:\n\n\u2022 Vulnerabilities;\n\n\u2022 Security incidents;\ + \ and\n\n\u2022 Malfunctions.\n\nThe type and scope of the documentation is\ + \ geared towards the information requirements of the subject matter experts\ + \ of the affected organisations in order to carry out the activities appropriately\ + \ (e.g. 
definition of roles and responsibilities in guidelines, description\ + \ of cooperation obligations in service descriptions and contracts).\n\nThe\ + \ communication of changes to the interfaces and dependencies takes place\ + \ in a timely manner so that the affected organisations and third parties\ + \ can react appropriately with organisational and technical measures before\ + \ the changes take effect." + annotation: 'The Cloud Service Provider can define and document the interfaces + and dependencies described in the basic criterion in guidelines and instructions. + For example, Cloud customers'' obligations to cooperate should be described + in service descriptions and contracts. + + + Third parties in the sense of this basic criterion are, e.g. cloud customers + and sub-service providers.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ois-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2 + ref_id: OIS-04 + name: Segregation of Duties + description: "Conflicting tasks and responsibilities are separated based on\ + \ an OIS-06 risk assessment to reduce the risk of unauthorised or unintended\ + \ changes or misuse of cloud customer data processed, stored or transmitted\ + \ in the cloud service.\n\nThe risk assessment covers the following areas,\ + \ insofar as these are applicable to the provision of the Cloud Service and\ + \ are in the area of responsibility of the Cloud Service Provider:\n\n\u2022\ + \ Administration of rights profiles, approval and assignment of access and\ + \ access authorisations (cf. IDM-01);\n\n\u2022 Development, testing and release\ + \ of changes (cf. DEV-01); and\n\n\u2022 Operation of the system components.\n\ + \nIf separation cannot be established for organisational or technical reasons,\ + \ measures are in place to monitor the activities in order to detect unauthorised\ + \ or unintended changes as well as misuse and to take appropriate actions." 
+ annotation: Identified events that may constitute unauthorised or unintentional + changes to or misuse of cloud customer data may, for example, be treated as + a security incident, cf. SIM-01. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ois-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2 + ref_id: OIS-05 + name: Contact with Relevant Government Agencies and Interest Groups + description: The Cloud Service Provider leverages relevant authorities and interest + groups in order to stay informed about current threats and vulnerabilities. + The information flows into the procedures for handling risks (cf. OIS-06) + and vulnerabilities (cf. OPS-19). + annotation: "If the cloud service is used by public sector organisations in\ + \ Germany, the Cloud Service Provider leverages contacts with the National\ + \ IT Situation Centre and the CERT Association of the BSI.\nRelevant contacts\ + \ are for example:\n\n\u2022 Federal Office for Information Security (BSI);\n\ + \n\u2022 OWASP Foundation; and\n\n\u2022 CERT networks DFN-CERT, TF-CSIRT\ + \ etc.\n\nPublic sector organisations in Germany are e.g. authorities and\ + \ ministries." 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ois-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2 + ref_id: OIS-06 + name: Risk Management Policy + description: "Policies and instructions for risk management procedures are documented,\ + \ communicated and provided in accordance with SP-01 for the following aspects:\n\ + \n\u2022 Identification of risks associated with the loss of confidentiality,\ + \ integrity, availability and authenticity of information within the scope\ + \ of the ISMS and assigning risk owners;\n\n\u2022 Analysis of the probability\ + \ and impact of occurrence and determination of the level of risk;\n\n\u2022\ + \ Evaluation of the risk analysis based on defined criteria for risk acceptance\ + \ and prioritisation of handling;\n\n\u2022 Handling of risks through measures,\ + \ including approval of authorisation and acceptance of residual risks by\ + \ risk owners; and\n\n\u2022 Documentation of the activities implemented to\ + \ enable consistent, valid and comparable results." + annotation: The risk level can be determined by qualitative, semi-quantitative + and quantitative methods (cf. ISO 31010) based on the likelihood and impacts. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ois-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node2 + ref_id: OIS-07 + name: Application of the Risk Management Policy + description: "The Cloud Service Provider executes the process for handling risks\ + \ as needed or at least once a year. 
The following aspects are taken into\ + \ account when identifying risks, insofar as they are applicable to the cloud\ + \ service provided and are within the area of responsibility of the Cloud\ + \ Service Provider:\n\n\u2022 Processing, storage or transmission of data\ + \ of cloud customers with different protection needs;\n\n\u2022 Occurrence\ + \ of vulnerabilities and malfunctions in technical protective measures for\ + \ separating shared resources;\n\n\u2022 Attacks via access points, including\ + \ interfaces accessible from public networks;\n\n\u2022 Conflicting tasks\ + \ and areas of responsibility that cannot be separated for organisational\ + \ or technical reasons; and\n\n\u2022 Dependencies on subservice organisations.\n\ + \nThe analysis, evaluation and treatment of risks, including the approval\ + \ of actions and acceptance of residual risks, is reviewed for adequacy at\ + \ least annually by the risk owners." + annotation: "This criterion applies only to risks that reside within the area\ + \ of responsibility of the cloud service provider. Risks that arise for the\ + \ cloud customer when using the cloud service are not covered by this criterion.\ + \ When outsourcing activities for the provision of cloud services to subservice\ + \ organisations, the responsibility for these risks remains with the Cloud\ + \ Service Provider. Requirements for measures to manage these risks can be\ + \ found in the criteria area \u201CControl and Monitoring of Service Providers\ + \ and Suppliers (SSO)\u201D.\n\nShared resources are e.g. networks, RAM or\ + \ storage." 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node10 + assessable: false + depth: 1 + name: Security Policies and Instructions (SP) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:sp-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node10 + ref_id: SP-01 + name: Documentation, communication and provision of policies and instructions + description: "Policies and instructions (incl. concepts and guidelines) are\ + \ derived from the information security policy and are documented according\ + \ to a uniform structure. They are communicated and made available to all\ + \ internal and external employees of the Cloud Service Provider in an appropriate\ + \ manner.\n\nThe policies and instructions are version controlled and approved\ + \ by the top management of the Cloud Service Provider or an authorised body.\n\ + \nThe policies and instructions describe at least the following aspects:\n\ + \n\u2022 Objectives;\n\n\u2022 Scope;\n\n\u2022 Roles and responsibilities,\ + \ including staff qualification requirements and the establishment of substitution\ + \ rules;\n\n\u2022 Roles and dependencies on other organisations (especially\ + \ cloud customers and subservice organisations);\n\n\u2022 Steps for the execution\ + \ of the security strategy; and\n\n\u2022 Applicable legal and regulatory\ + \ requirements." + annotation: "The appropriateness of the demand-oriented communication and provision\ + \ must be assessed against the size and complexity of the Cloud Service Provider's\ + \ organisation and the type of cloud service offered. 
Possible criteria are:\n\ + \n\u2022 Integration of guidelines and instructions in the onboarding of new\ + \ employees\n\n\u2022 Training and information campaigns when adopting new\ + \ or revising existing policies and instructions\n\n\u2022 Form of provision\n\ + \nPolicies and instructions are required for the following basic criteria\ + \ in which the content is specified in more detail:\n\n\u2022 Risk management\ + \ policy (OIS-06)\n\n\u2022 Acceptable use and handling of assets policy (AM-02)\n\ + \n\u2022 Security requirements for premises and buildings (PS-01)\n\n\u2022\ + \ Physical site access control (PS-04)\n\n\u2022 Concept for protection against\ + \ malware (OPS-04)\n\n\u2022 Concept for data protection and recovery (OPS-06)\n\ + \n\u2022 Concept for logging and monitoring (OPS-10)\n\n\u2022 Concept for\ + \ meta data handling (OPS-11)\n\n\u2022 Concept for handling of vulnerabilities,\ + \ malfunctions and errors (OPS-18)\n\n\u2022 Policy for system and data access\ + \ authorisations (IDM-01)\n\n\u2022 Policy for the use of encryption procedures\ + \ and key management (CRY-01)\n\n\u2022 Policies for data transmission (COS-08)\n\ + \n\u2022 Policies for the development/procurement of information systems (DEV-01)\n\ + \n\u2022 Policies for changes to information systems (DEV-03)\n\n\u2022 Policies\ + \ and instructions for controlling and monitoring third parties (SSO-01)\n\ + \n\u2022 Policy for security incident management (SIM-01)\n\n\u2022 Business\ + \ impact analysis policies and procedures (BCM-02)\n\n\u2022 Policy for planning\ + \ and conducting audits (COM-02)" + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:sp-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node10 + ref_id: SP-02 + name: Review and Approval of Policies and Instructions + description: "Information security policies and instructions are reviewed at\ + \ least annually for adequacy by the Cloud Service Provider's subject matter\ + \ 
experts.\n\nThe review shall consider at least the following aspects:\n\n\ + \u2022 Organisational and technical changes in the procedures for providing\ + \ the cloud service; and\n\n\u2022 Legal and regulatory changes in the Cloud\ + \ Service Provider's environment.\n\nRevised policies and instructions are\ + \ approved before they become effective." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:sp-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node10 + ref_id: SP-03 + name: Exceptions from Existing Policies and Instructions + description: Exceptions to the policies and instructions for information security + as well as respective controls go through the OIS-06 risk management process, + including approval of these exceptions and acceptance of the associated risks + by the risk owners. The approvals of exceptions are documented, limited in + time and are reviewed for appropriateness at least annually by the risk owners. + annotation: "About the Criterion\nExceptions in the sense of the basic criterion\ + \ can have organisational or technical causes, such as\n\n\u2022 An organisational\ + \ unit should deviate from the intended processes and procedures in order\ + \ to meet the requirements of a cloud customer; and\n\n\u2022 A system component\ + \ lacks technical properties to configure it according to the applicable requirements.\n\ + \nCloud customers can use appropriate controls to ensure that they obtain\ + \ information from the Cloud Service Provider about deviations from information\ + \ security policies and instructions in order to assess and appropriately\ + \ manage the associated risks to their own information security." 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node14 + assessable: false + depth: 1 + name: Personnel (HR) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:hr-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node14 + ref_id: HR-01 + name: Verification of qualification and trustworthiness + description: "The competency and integrity of all internal and external employees\ + \ of the Cloud Service Provider with access to cloud customer data or system\ + \ components under the Cloud Service Provider's responsibility who are responsible\ + \ to provide the cloud service in the production environment shall be verified\ + \ prior to commencement of employment in accordance with local legislation\ + \ and regulation by the Cloud Service Provider.\n\nTo the extent permitted\ + \ by law, the review will cover the following areas:\n\n\u2022 Verification\ + \ of the person through identity card;\n\n\u2022 Verification of the CV;\n\ + \n\u2022 Verification of academic titles and degrees;\n\n\u2022 Request of\ + \ a police clearance certificate for applicants;\n\n\u2022 Certificate of\ + \ good conduct or national equivalent; and\n\n\u2022 Evaluation of the risk\ + \ to be blackmailed." + annotation: 'External employees in the sense of the criteria are those who perform + activities in accordance with the processes and procedures of the Cloud Service + Provider. Employees of sub-service providers who perform activities according + to the sub-service own processes and procedures are not covered by this criterion. + + + The verification of qualification and trustworthiness can be supported by + a specialised service provider. Depending on national legislation, national + equivalents of the German certificate of good conduct may also be permitted. + The assessment of the extent to which a potential employee can be blackmailed + can be carried out, for example, by checking his creditworthiness.' 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:hr-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node14 + ref_id: HR-02 + name: Employment terms and conditions + description: 'The Cloud Service Provider''s internal and external employees + are required by the employment terms and conditions to comply with applicable + policies and instructions relating to information security. + + + The information security policy, and the policies and instructions based on + it, are to be acknowledged by the internal and external personnel in a documented + form before access is granted to any cloud customer data or system components + under the responsibility of the Cloud Service Provider used to provide the + cloud service in the production environment.' + annotation: The Cloud Service Provider ensures that the policies and instructions + reflect applicable legal and regulatory requirements in accordance with SP-01. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:hr-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node14 + ref_id: HR-03 + name: Security training and awareness programme + description: "The Cloud Service Provider operates a target group-oriented security\ + \ awareness and training program, which is completed by all internal and external\ + \ employees of the Cloud Service Provider on a regular basis. 
The program\ + \ is regularly updated based on changes to policies and instructions and the\ + \ current threat situation and includes the following aspects:\n\n\u2022 Handling\ + \ system components used to provide the cloud service in the production environment\ + \ in accordance with applicable policies and procedures;\n\n\u2022 Handling\ + \ cloud customer data in accordance with applicable policies and instructions\ + \ and applicable legal and regulatory requirements;\n\n\u2022 Information\ + \ about the current threat situation; and\n\n\u2022 Correct behaviour in the\ + \ event of security incidents." + annotation: The learning outcomes achieved through the awareness and training + programme are measured and evaluated in a target group-oriented manner. The + measurements cover quantitative and qualitative aspects. The results are used + to improve the awareness and training programme. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:hr-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node14 + ref_id: HR-04 + name: Disciplinary measures + description: "In the event of violations of policies and instructions or applicable\ + \ legal and regulatory requirements, actions are taken in accordance with\ + \ a defined policy that includes the following aspects:\n\n\u2022 Verifying\ + \ whether a violation has occurred; and\n\n\u2022 Consideration of the nature\ + \ and severity of the violation and its impact.\n\nThe internal and external\ + \ employees of the Cloud Service Provider are informed about possible disciplinary\ + \ measures.\n\nThe use of disciplinary measures is appropriately documented." + annotation: The Cloud Service Provider ensures that the policies and instructions + reflect applicable legal and regulatory requirements in accordance with SP-01. 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:hr-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node14 + ref_id: HR-05 + name: Responsibilities in the event of termination or change of employment + description: Internal and external employees have been informed about which + responsibilities, arising from employment terms and conditions relating to + information security, will remain in place when their employment is terminated + or changed and for how long. + annotation: The Cloud Service Provider ensures that the policies and instructions + reflect applicable legal and regulatory requirements in accordance with SP-01. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:hr-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node14 + ref_id: HR-06 + name: Confidentiality agreements + description: "The non-disclosure or confidentiality agreements to be agreed\ + \ with internal employees, external service providers and suppliers of the\ + \ Cloud Service Provider are based on the requirements identified by the Cloud\ + \ Service Provider for the protection of confidential information and operational\ + \ details. \n\nThe agreements are to be accepted by external service providers\ + \ and suppliers when the contract is agreed. The agreements must be accepted\ + \ by internal employees of the Cloud Service Provider before authorisation\ + \ to access data of cloud customers is granted.\n\nThe requirements must be\ + \ documented and reviewed at regular intervals (at least annually). If the\ + \ review shows that the requirements need to be adapted, the non-disclosure\ + \ or confidentiality agreements are updated.\n\nThe Cloud Service Provider\ + \ must inform the internal employees, external service providers and suppliers\ + \ and obtain confirmation of the updated confidentiality or non-disclosure\ + \ agreement." 
+ annotation: "In a confidentiality agreement it should be described:\n\n\u2022\ + \ Which information must be kept confidential;\n\n\u2022 The period for which\ + \ this confidentiality agreement applies;\n\n\u2022 What actions must be taken\ + \ upon termination of this agreement, e.g. destruction or return of data medium;\n\ + \n\u2022 How the ownership of information is regulated;\n\n\u2022 What rules\ + \ apply to the use and disclosure of confidential information to other partners,\ + \ if necessary; and\n\n\u2022 The consequences of a breach of the agreement.\n\ + \nConfidentiality or non-disclosure agreements can be signed by means of an\ + \ electronic signature, insofar as this is legally binding." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node21 + assessable: false + depth: 1 + name: Asset Management (AM) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:am-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node21 + ref_id: AM-01 + name: Asset Inventory + description: 'The Cloud Service Provider has established procedures for inventorying + assets. + + + The inventory is performed automatically and/or by the people or teams responsible + for the assets to ensure complete, accurate, valid and consistent inventory + throughout the asset lifecycle. + + + Assets are recorded with the information needed to apply the Risk Management + Procedure (Cf. OIS-07), including the measures taken to manage these risks + throughout the asset lifecycle. Changes to this information are logged.' 
+ annotation: "Logging and monitoring applications take into account the information\ + \ collected on the assets in order to identify the impact on cloud services\ + \ and functions in case of events that could lead to a breach of protection\ + \ objectives, and to support information provided to affected cloud customers\ + \ in accordance with contractual agreements.\nAssets within the meaning of\ + \ this criteria area are the objects required for the information security\ + \ of the cloud service during the creation, processing, storage, transmission,\ + \ deletion or destruction of information in the Cloud Service Provider's area\ + \ of responsibility, e.g. firewalls, load balancers, web servers, application\ + \ servers and database servers.\n\nThese objects consist of hardware and software\ + \ objects:\nHardware objects are\n\n\u2022 Physical and virtual infrastructure\ + \ resources (e.g. servers, storage systems, network components); and\n\n\u2022\ + \ As well as end devices if the Cloud Service Provider has determined in a\ + \ risk assessment that these could endanger the information security of the\ + \ cloud service in the event of loss or unauthorised access (e.g. mobile devices\ + \ used as security tokens for authentication).\n\nSoftware objects are e.g.\ + \ hypervisors, containers, operating systems, databases, microservices and\ + \ programming interfaces (APIs).\n\nThe lifecycle of an asset includes:\n\n\ + \u2022 Acquisition;\n\n\u2022 Commissioning;\n\n\u2022 Maintenance;\n\n\u2022\ + \ Decommissioning; and\n\n\u2022 Disposal." 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:am-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node21 + ref_id: AM-02 + name: Acceptable Use and Safe Handling of Assets Policy + description: "Policies and instructions for acceptable use and safe handling\ + \ of assets are documented, communicated and provided in accordance with SP-01\ + \ and address the following aspects of the asset lifecycle as applicable to\ + \ the asset:\n\n\u2022 Approval procedures for acquisition, commissioning,\ + \ maintenance, decommissioning, and disposal by authorised personnel or system\ + \ components;\n\n\u2022 Inventory;\n\n\u2022 Classification and labelling\ + \ based on the need for protection of the information and measures for the\ + \ level of protection identified;\n\n\u2022 Secure configuration of mechanisms\ + \ for error handling, logging, encryption, authentication and authorisation;\n\ + \n\u2022 Requirements for versions of software and images as well as application\ + \ of patches;\n\n\u2022 Handling of software for which support and security\ + \ patches are not available anymore;\n\n\u2022 Restriction of software installations\ + \ or use of services;\n\n\u2022 Protection against malware;\n\n\u2022 Remote\ + \ deactivation, deletion or blocking;\n\n\u2022 Physical delivery and transport;\n\ + \n\u2022 dealing with incidents and vulnerabilities; and\n\n\u2022 Complete\ + \ and irrevocable deletion of the data upon decommissioning." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:am-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node21 + ref_id: AM-03 + name: Commissioning of Hardware + description: The Cloud Service Provider has an approval process for the use + of hardware to be commissioned, which is used to provide the cloud service + in the production environment, in which the risks arising from the commissioning + are identified, analysed and mitigated. 
Approval is granted after verification + of the secure configuration of the mechanisms for error handling, logging, + encryption, authentication and authorisation according to the intended use + and based on the applicable policies. + annotation: 'The basic criterion applies only to physical hardware objects, + such as servers, storage systems, and network components. + + + Virtual hardware and software objects are considered in the criteria areas + (OPS) and (DEV). + + + The approval process typically considers both the basic approval to use the + hardware and the final approval of the configured assets.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:am-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node21 + ref_id: AM-04 + name: Decommissioning of Hardware + description: 'The decommissioning of hardware used to operate system components + supporting the cloud service production environment under the responsibility + of the Cloud Service Provider requires approval based on the applicable policies. + + + The decommissioning includes the complete and permanent deletion of the data + or proper destruction of the media.' + annotation: The deletion of data or physical destruction of data mediums can + take place, for example, according to DIN 66399 or BSI IT-Grundschutz module + CON.6. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:am-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node21 + ref_id: AM-05 + name: Commitment to Permissible Use, Safe Handling and Return of Assets + description: 'The Cloud Service Provider''s internal and external employees + are provably committed to the policies and instructions for acceptable use + and safe handling of assets before they can be used if the Cloud Service Provider + has determined in a risk assessment that loss or unauthorised access could + compromise the information security of the Cloud Service. 
+ + + Any assets handed over are provably returned upon termination of employment.' + annotation: 'Physical assets of internal and external employees are managed + centrally. + + + Central management enables software, data, and policy distribution, as well + as remote deactivation, deletion, or locking. + + The basic criterion essentially concerns mobile devices (e.g. notebooks, tablets, + smartphones, etc.), where confidential information is stored on them which + can be used in the event of unauthorised access to obtain privileged access + to the cloud service (e.g. if these are used as security tokens for authentication).' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:am-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node21 + ref_id: AM-06 + name: Asset Classification and Labelling + description: 'Assets are classified and, if possible, labelled. Classification + and labelling of an asset reflect the protection needs of the information + it processes, stores, or transmits. + + + The need for protection is determined by the individuals or groups responsible + for the assets of the Cloud Service Provider according to a uniform schema. + The schema provides levels of protection for the confidentiality, integrity, + availability, and authenticity protection objectives.' + annotation: 'Logging and monitoring applications take the asset protection needs + into account in order to inform the responsible stakeholder of events that + could lead to a violation of the protection goals, so that the necessary measures + are taken with an appropriate priority. Actions for events on assets with + a higher level of protection take precedence over events on assets with a + lower need for protection. + + If the Cloud Service Provider does not make a differentiated classification + of the assets, all assets are to be assigned to the highest defined protection + requirement.' 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28 + assessable: false + depth: 1 + name: Physical Security (PS) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ps-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28 + ref_id: PS-01 + name: Physical Security and Environmental Control Requirements + description: "Security requirements for premises and buildings related to the\ + \ cloud service provided, are based on the security objectives of the information\ + \ security policy, identified protection requirements for the cloud service\ + \ and the assessment of risks to physical and environmental security. The\ + \ security requirements are documented, communicated and provided in a policy\ + \ or concept according to SP-01.\n\nThe security requirements for data centres\ + \ are based on criteria which comply with established rules of technology.\ + \ They are suitable for addressing the following risks in accordance with\ + \ the applicable legal and contractual requirements:\n\n\u2022 Faults in planning;\n\ + \n\u2022 Unauthorised access;\n\n\u2022 Insufficient surveillance;\n\n\u2022\ + \ Insufficient air-conditioning;\n\n\u2022 Fire and smoke; \n\n\u2022 Water;\n\ + \n\u2022 Power failure; and\n\n\u2022 Air ventilation and filtration.\n\n\ + If the Cloud Service Provider uses premises or buildings operated by third\ + \ parties to provide the Cloud Service, the document describes which security\ + \ requirements the Cloud Service Provider places on these third parties. \n\ + \nThe appropriate and effective verification of implementation is carried\ + \ out in accordance with the criteria for controlling and monitoring subcontractors\ + \ (cf. SSO-01, SSO-02)." + annotation: 'The security requirements include time constraints for self-sufficient + operation in the event of exceptional events (e.g. prolonged power outage, + heat waves, low water in cold river water supply) and maximum tolerable utility + downtime. 
+ + + The time limits for self-sufficient operation provide for at least 48 hours + in the event of a failure of the external power supply. + + + For a self-sufficient operation during a heat period, the highest outside + temperatures measured to date within a radius of at least 50 km around the + locations of the premises and buildings have been determined with a safety + margin of 3 K. The security requirements stipulate that the permissible operating + and environmental parameters of the cooling supply must also be observed on + at least five consecutive days with these outside temperatures including the + safety margin (cf. PS-06 Protection against failure of the supply facilities). + + + If water is taken from a river for air conditioning, it is determined at which + water levels and water temperatures the air conditioning can be maintained + for how long. + + + The maximum tolerable downtimes of utility facilities are suitable for meeting + the availability requirements contained in the service level agreement. + + Premises and buildings related to the cloud service provided include data + centres and server rooms housing system components used to process cloud customer + data and the technical utilities required to operate these system components + (e.g. power supply, refrigeration, fire-fighting, telecommunications, security, + etc.). Backup or redundancy computer centres. + + + Premises and buildings operated by third parties are e.g. server housing, + colocation, IaaS. + + + Premises and buildings in which no data from cloud customers is processed + or stored (e.g. offices of the Cloud Service Provider, server rooms with system + components for internal development and test systems) are not subject to this + criteria area. + + + The recognised rules of technology are defined in relevant standards, e.g. + EN 50600 (facilities and infrastructures of data centres). 
+ + + Incorrect planning can endanger the operational safety and availability of + the premises or buildings. This can result from an incorrect assessment of + elementary hazards at the site (e.g. air traffic, earthquakes, floods, hazardous + substances) as well as an incorrect conception of the bandwidth or energy + supply. + + + Time specifications for self-sustaining operation as well as maximum tolerable + downtimes of utility facilities are typically collected during the business + impact analysis (cf. BCM-02, BCM-03).' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ps-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28 + ref_id: PS-02 + name: Redundancy model + description: 'The cloud service is provided from two locations that are redundant + to each other. The locations meet the security requirements of the Cloud Service + Provider (cf. PS-01 Security Concept) and are located in an adequate distance + to each other to achieve operational redundancy. Operational redundancy is + designed in a way that ensures that the availability requirements specified + in the service level agreement are met. The functionality of the redundancy + is checked at least annually by suitable tests and exercises (cf. BCM-04 - + Verification, updating and testing of business continuity). ' + annotation: "The cloud service is provided from more than two locations that\ + \ provide each other with redundancy. The locations are sufficiently far apart\ + \ to achieve georedundancy. If two locations fail at the same time, at least\ + \ one third location is still available to prevent a total service failure.\ + \ The georedundancy is designed in a way that ensures that the availability\ + \ requirements specified in the service level agreement are met.. The functionality\ + \ of the redundancy is checked at least annually by suitable tests and exercises\ + \ (cf. 
BCM-04 - Verification, updating and testing of business continuity).\n\ + Operational redundancy of the sites to each other in the sense of the basic\ + \ requirement is given, if based on the assessment of elementary risks at\ + \ the site corresponding distances of the premises and buildings to these\ + \ risks are maintained. Very extensive events which, due to their extent,\ + \ could affect several sites of the same redundancy group simultaneously or\ + \ in a timely manner (e.g. floods, earthquakes) are not considered.\n\nA georedundancy\ + \ of the sites to each other in the sense of the optional, more far-reaching\ + \ requirement is given if a very extensive event at a site under no circumstances\ + \ affects several sites of the same redundancy group simultaneously or promptly.\ + \ The BSI publication \"Kriterien f\xFCr die Standortwahl h\xF6chstverf\xFC\ + gbarer und georedundanter Rechenzentren\" provides assistance in this regard.\ + \ \n\nThere are cloud providers who no longer address the issue of reliability\ + \ of the cloud service on a physical level through redundancy from two independent\ + \ locations, but through resilience. The cloud service is provided simultaneously\ + \ from more than two locations. The underlying distributed data centre architecture\ + \ ensures that the failure of a location or components of a location does\ + \ not violate the defined availability criteria of the cloud service. Such\ + \ an architecture can represent an alternative fulfilment (cf. Chapter 4.4.7)\ + \ of the criterion. The tests and exercises on functionality required in the\ + \ criterion also apply analogously to resilient architectures." 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ps-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28 + ref_id: PS-03 + name: Perimeter Protection + description: "The structural shell of premises and buildings related to the\ + \ cloud service provided are physically solid and protected by adequate security\ + \ measures that meet the security requirements of the Cloud Service Provider\ + \ (cf. PS-01 Security Concept).\n\nThe security measures are designed to detect\ + \ and prevent unauthorised access so that the information security of the\ + \ cloud service is not compromised.\n\nThe outer doors, windows and other\ + \ construction elements exhibit an appropriate security level and withstand\ + \ a burglary attempt for at least 10 minutes. \n\nThe surrounding wall constructions\ + \ as well as the locking mechanisms meet the associated requirements." + annotation: 'The security measures installed at the site include permanently + present security personnel (at least 2 individuals), video surveillance and + anti-burglary systems. + + Security measures for detecting unauthorised access can be security personnel, + video surveillance or burglar alarm systems. + + + The resistance class RC4 according to DIN EN 1627 stipulates that doors, windows + and other components must withstand a break-in attempt for at least 10 minutes. + The US standard SD-STD-01.01 Rev.G. is an international equivalent to this + standard.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ps-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28 + ref_id: PS-04 + name: Physical site access control + description: "At access points to premises and buildings related to the cloud\ + \ service provided, physical access controls are set up in accordance with\ + \ the Cloud Service Provider's security requirements (cf. 
PS-01 Security Concept)\ + \ to prevent unauthorised access.\n\nAccess controls are supported by an access\ + \ control system.\n\nThe requirements for the access control system are documented,\ + \ communicated and provided in a policy or concept in accordance with SP-01\ + \ and include the following aspects:\n\n\u2022 Specified procedure for the\ + \ granting and revoking of access authorisations (cf. IDM-02) based on the\ + \ principle of least authorisation (\"least-privilege-principle\") and as\ + \ necessary for the performance of tasks (\"need-to-know-principle\");\n\n\ + \u2022 Automatic revocation of access authorisations if they have not been\ + \ used for a period of 2 month;\n\n\u2022 Automatic withdrawal of access authorisations\ + \ if they have not been used for a period of 6 months;\n\n\u2022 Two-factor\ + \ authentication for access to areas hosting system components that process\ + \ cloud customer information;\n\n\u2022 Visitors and external personnel are\ + \ tracked individually by the access control during their work in the premises\ + \ and buildings, identified as such (e.g. by visible wearing of a visitor\ + \ pass) and supervised during their stay; and\n\n\u2022 Existence and nature\ + \ of access logging that enables the Cloud Service Provider, in the sense\ + \ of an effectiveness audit, to check whether only defined personnel have\ + \ entered the premises and buildings related to the cloud service provided." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ps-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28 + ref_id: PS-05 + name: Protection from fire and smoke + description: "Premises and buildings related to the cloud service provided are\ + \ protected from fire and smoke by structural, technical and organisational\ + \ measures that meet the security requirements of the Cloud Service Provider\ + \ (cf. 
PS-01 Security Concept) and include the following aspects: \n\na) Structural\ + \ Measures:\n\nEstablishment of fire sections with a fire resistance duration\ + \ of at least 90 minutes for all structural parts.\n\nb) Technical Measures:\n\ + \n\u2022 Early fire detection with automatic voltage release. The monitored\ + \ areas are sufficiently fragmented to ensure that the prevention of the spread\ + \ of incipient fires is proportionate to the maintenance of the availability\ + \ of the cloud service provided;\n\n\u2022 Extinguishing system or oxygen\ + \ reduction; and\n\n\u2022 Fire alarm system with reporting to the local fire\ + \ department.\n\nc) Organisational Measures\n\n\u2022 Regular fire protection\ + \ inspections to check compliance with fire protection requirements; and\n\ + \n\u2022 Regular fire protection exercises." + annotation: "The environmental parameters are monitored. When the permitted\ + \ control range is exceeded, alarm messages are generated and forwarded to\ + \ the Cloud Service Provider\u2019s subject matter experts\nThe monitoring\ + \ of the environmental parameters is addressed in PS-01. When exceeding the\ + \ allowed control range, alarm messages are generated and forwarded to the\ + \ responsible Cloud Service Provider.\nStructural parts are walls, ceilings,\ + \ floors, doors, ventilation flaps, etc." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ps-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28 + ref_id: PS-06 + name: Protection against interruptions caused by power failures and other such + risks + description: "Measures to prevent the failure of the technical supply facilities\ + \ required for the operation of system components with which information from\ + \ cloud customers is processed, are documented and set up in accordance with\ + \ the security requirements of the Cloud Service Provider (cf. 
PS-01 Security\ + \ Concept) with respect to the following aspects:\n\na) Operational redundancy\ + \ (N+1) in power and cooling supply\n\nb) Use of appropriately sized uninterruptible\ + \ power supplies (UPS) and emergency power systems (NEA), designed to ensure\ + \ that all data remains undamaged in the event of a power failure. The functionality\ + \ of UPS and NEA is checked at least annually by suitable tests and exercises\ + \ (cf. BCM-04 - Verification, updating and testing of business continuity).\n\ + \nc) Maintenance (servicing, inspection, repair) of the utilities in accordance\ + \ with the manufacturer's recommendations. \n\nd) Protection of power supply\ + \ and telecommunications lines against interruption, interference, damage\ + \ and eavesdropping. The protection is checked regularly, but at least every\ + \ two years, as well as in case of suspected manipulation by qualified personnel\ + \ regarding the following aspects:\n\n\u2022 Traces of violent attempts to\ + \ open closed distributors;\n\n\u2022 Up-to-datedness of the documentation\ + \ in the distribution list;\n\n\u2022 Conformity of the actual wiring and\ + \ patching with the documentation;\n\n\u2022 The short-circuits and earthing\ + \ of unneeded cables are intact; and\n\n\u2022 Impermissible installations\ + \ and modifications." + annotation: 'Uninterruptible Power Supplies (UPS) and Emergency Power Supplies + (NPS) are designed to meet the availability requirements defined in the Service + Level Agreement. + + + The cooling supply is designed in such a way that the permissible operating + and environmental parameters are also ensured on at least five consecutive + days with the highest outside temperatures measured to date within a radius + of at least 50 km around the locations of the premises and buildings, with + a safety margin of 3 K (in relation to the outside temperature). 
The Cloud + Service Provider has previously determined the highest outdoor temperatures + measured to date (cf. PS-01 Security Concept). + + + The connection to the telecommunications network is designed with sufficient + redundancy so that the failure of a telecommunications network does not impair + the security or performance of the Cloud Service Provider. + + Measures to prevent the failure of the technical supply facilities are e.g. + power supply, cooling, fire-fighting technology, telecommunications, security + technology, etc. + + + Cloud Service Providers can ensure that all data remains undamaged in the + event of a power failure by shutting down servers following a defined procedure. + + + Power supply and telecommunications lines can be protected against interruption, + interference, damage and eavesdropping by e.g. underground supply via different + supply routes.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ps-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node28 + ref_id: PS-07 + name: Surveillance of operational and environmental parameters + description: The operating parameters of the technical utilities (cf. PS-06) + and the environmental parameters of the premises and buildings related to + the cloud service provided are monitored and controlled in accordance with + the security requirements of the Cloud Service Provider (cf. PS-01 Security + Concept). When the permitted control range is exceeded, the responsible departments + of the Cloud-Provider are automatically informed in order to promptly initiate + the necessary measures for return to the control range. + annotation: Operating parameters and environmental parameters of the premises + and buildings are, e.g. air temperature and humidity, leakage. 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + assessable: false + depth: 1 + name: Operations (OPS) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-01 + name: Capacity Management - Planning + description: "The planning of capacities and resources (personnel and IT resources)\ + \ follows an established procedure in order to avoid possible capacity bottlenecks.\ + \ The procedures include forecasting future capacity requirements in order\ + \ to identify usage trends and manage system overload. \n\nCloud Service Providers\ + \ take appropriate measures to ensure that they continue to meet the requirements\ + \ agreed with cloud customers for the provision of the cloud service in the\ + \ event of capacity bottlenecks or outages regarding personnel and IT resources,\ + \ in particular those relating to the dedicated use of system components,\ + \ in accordance with the respective agreements." + annotation: 'The forecasts are considered in accordance with the service level + agreement for planning and preparing the provisioning. + + For economic reasons, Cloud Service Providers typically strive for a high + utilisation of IT resources (CPU, RAM, storage space, network). In multi-tenant + environments, existing resources must still be shared between cloud users + (clients) in such a way that service level agreements are adhered to. In this + respect, proper planning and monitoring of IT resources is critical to the + availability and competitiveness of the cloud service. If the procedures are + not documented or are subject to a higher degree of confidentiality as a trade + secret of the Cloud Service Provider, the Cloud Service Provider must be able + to explain the procedures at least orally within the scope of this audit. 
+ + + Cloud customers must use appropriate controls to ensure that the capacity + and resource requirements to be covered by the Cloud Service Provider are + planned and reflected in the SLA with the Cloud Service Provider. The requirements + can also be reviewed regularly through appropriate controls and the SLA can + be adjusted accordingly.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-02 + name: Capacity Management - Monitoring + description: Technical and organisational safeguards for the monitoring and + provisioning and de-provisioning of cloud services are defined. Thus, the + Cloud Service Provider ensures that resources are provided and/or services + are rendered according to the contractual agreements and that compliance with + the service level agreements is ensured. + annotation: "To monitor capacity and availability, the relevant information\ + \ is available to the cloud customer in a self-service portal.\nTechnical\ + \ and organisational measures typically include:\n\n\u2022 Use of monitoring\ + \ tools with alarm function when defined threshold values are exceeded;\n\n\ + \u2022 Process for correlating events and interface to incident management;\n\ + \n\u2022 Continuous monitoring of the systems by qualified personnel; and\n\ + \n\u2022 Redundancies in the IT systems." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-03 + name: Capacity Management - Controlling of Resources + description: Depending on the capabilities of the respective service model, + the cloud customer can control and monitor the allocation of the system resources + assigned to the customer for administration/use in order to avoid overcrowding + of resources and to achieve sufficient performance. 
+ annotation: "Resources according to the possibilities of the service model are\ + \ for example\n\n\u2022 Computing capacity;\n\n\u2022 Storage capacity;\n\n\ + \u2022 Configuration of network properties;\n\n\u2022 Application Programming\ + \ Interfaces (APIs); and\n\n\u2022 Databases." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-04 + name: Protection Against Malware - Concept + description: "Policies and instructions with specifications for protection against\ + \ malware are documented, communicated, and provided in accordance with SP-01\ + \ with respect to the following aspects:\n\n\u2022 Use of system-specific\ + \ protection mechanisms;\n\n\u2022 Operating protection programs on system\ + \ components under the responsibility of the Cloud Service Provider that are\ + \ used to provide the cloud service in the production environment; and\n\n\ + \u2022 Operation of protection programs for employees' terminal equipment." + annotation: 'The Cloud Service Provider creates regular reports on the checks + performed, which are reviewed and analysed by authorised bodies or committees. + Policies and instructions describe the technical measures taken to securely + configure and monitor the management console (both the customer''s self-service + and the service provider''s cloud administration) to protect it from malware. + Updates are applied at the highest frequency that the vendor(s) contractually + offer(s). + + Protection programs for employee devices can be, for example, server-based + protection programs that scan files in attachments on the server or filter + network traffic.' 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-05 + name: Protection Against Malware - Implementation + description: System components under the Cloud Service Provider's responsibility + that are used to deploy the cloud service in the production environment are + configured with malware protection according to the policies and instructions. + If protection programs are set up with signature and behaviour-based malware + detection and removal, these protection programs are updated at least daily. + annotation: 'The configuration of the protection mechanisms is monitored automatically. + Deviations from the specifications are automatically reported to the responsible + authorities so that they can be immediately assessed and the necessary measures + taken. + + Protection against malicious programs can be implemented by operating system-specific + protection mechanisms or explicit protection programs (e.g. for signature- + and behaviour-based detection and removal of malicious programs).' 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-06 + name: Data Protection and Recovery - Concept + description: "Policies and instructions for data backup and recovery are documented,\ + \ communicated and provided in accordance with SP-01 regarding the following\ + \ aspects.\n\n\u2022 The extent and frequency of data backups and the duration\ + \ of data retention are consistent with the contractual agreements with the\ + \ cloud customers and the Cloud Service Provider's operational continuity\ + \ requirements for Recovery Time Objective (RTO) and Recovery Point Objective\ + \ (RPO);\n\n\u2022 Data is backed up in encrypted, state-of-the-art form;\ + \ \n\n\u2022 Access to the backed-up data and the execution of restores is\ + \ performed only by authorised persons; and\n\n\u2022 Tests of recovery procedures\ + \ (cf. OPS-08)." + annotation: The data backup concept specifies which type of data backup is to + be carried out (e.g. type, manner, duration) and specifies which data must + also be backed up in special cases (e.g. pure use of compute nodes without + data storage). When backing up data, a distinction must be made between backups + and snapshots of virtual machines. Snapshots do not replace backups, but can + be part of the backup strategy to achieve Recovery Point Objectives (RPO) + if they are additionally stored outside the original data location. The business + requirements of the Cloud Service Provider for the scope, frequency and duration + of the data backup result from the business impact analysis (cf. BCM-03) for + development and operational processes of the cloud service. If different data + backup and recovery procedures exist for data under the responsibility of + the cloud customer and the Cloud Service Provider, both variants must be included + in a test according to this criteria catalogue. 
For procedures to secure the + data of the Cloud Service Provider, only the adequacy and implementation of + the controls must be proven, but not their effectiveness. For procedures to + secure the data of cloud customers, proof of effectiveness must also be provided. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-07 + name: Data Backup and Recovery - Monitoring + description: The execution of data backups is monitored by technical and organisational + measures. Malfunctions are investigated by qualified staff and rectified promptly + to ensure compliance with contractual obligations to cloud customers or the + Cloud Service Provider's business requirements regarding the scope and frequency + of data backup and the duration of storage. + annotation: 'The relevant logs or summarised results are available to the cloud + customer in a self-service portal for monitoring the data backup. + + If the data backup is not part of the contract concluded between the Cloud + Service Provider and the cloud customer, this criterion is not applicable. + The Cloud Service Provider must present this situation transparently in the + system description.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-08 + name: Data Backup and Recovery - Regular Testing + description: 'Restore procedures are tested regularly, at least annually. The + tests allow an assessment to be made as to whether the contractual agreements + as well as the specifications for the maximum tolerable downtime (Recovery + Time Objective, RTO) and the maximum permissible data loss (Recovery Point + Objective, RPO) are adhered to (cf. BCM-02). 
+ + + Deviations from the specifications are reported to the responsible personnel + or system components so that these can promptly assess the deviations and + initiate the necessary actions.' + annotation: 'At the customer''s request, the Cloud Service Provider inform the + cloud customer of the results of the recovery tests. Recovery tests are embedded + in the Cloud Service Provider''s emergency management. + + If the data backup is not part of the contract concluded between the Cloud + Service Provider and the cloud customer, this criterion is not applicable. + The Cloud Service Provider must present this situation transparently in the + system description.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-09 + name: Data Backup and Recovery - Storage + description: The Cloud Service Provider transfers data to be backed up to a + remote location or transports these on backup media to a remote location. + If the data backup is transmitted to the remote location via a network, the + data backup or the transmission of the data takes place in an encrypted form + that corresponds to the state-of-the-art. The distance to the main site is + chosen after sufficient consideration of the factors recovery times and impact + of disasters on both sites. The physical and environmental security measures + at the remote site are at the same level as at the main site. + annotation: 'If the data backup is not part of the contract concluded between + the Cloud Service Provider and the cloud customer, this criterion is not applicable. + The Cloud Service Provider must present this situation transparently in the + system description. + + + A remote location can be e.g. another data centre of the Cloud Service Provider.' 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-10 + name: Logging and Monitoring - Concept + description: "The Cloud Service Provider has established policies and instructions\ + \ that govern the logging and monitoring of events on system components within\ + \ its area of responsibility. These policies and instructions are documented,\ + \ communicated and provided according to SP-01 with respect to the following\ + \ aspects:\n\n\u2022 Definition of events that could lead to a violation of\ + \ the protection goals;\n\n\u2022 Specifications for activating, stopping\ + \ and pausing the various logs;\n\n\u2022 Information regarding the purpose\ + \ and retention period of the logs.\n\n\u2022 Define roles and responsibilities\ + \ for setting up and monitoring logging;\n\n\u2022 Time synchronisation of\ + \ system components; and\n\n\u2022 Compliance with legal and regulatory frameworks." + annotation: Legal and regulatory frameworks can define e.g. legal requirements + for retention and deletion of data. 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-11 + name: Logging and Monitoring - Metadata Management Concept + description: "Policies and instructions for the secure handling of metadata\ + \ (usage data) are documented, communicated and provided according to SP-01\ + \ with regard to the following aspects:\n\n\u2022 Metadata is collected and\ + \ used solely for billing, incident management and security incident management\ + \ purposes;\n\n\u2022 Exclusively anonymous metadata to deploy and enhance\ + \ the cloud service so that no conclusions can be drawn about the cloud customer\ + \ or user;\n\n\u2022 No commercial use; \n\n\u2022 Storage for a fixed period\ + \ reasonably related to the purposes of the collection;\n\n\u2022 Immediate\ + \ deletion if the purposes of the collection are fulfilled and further storage\ + \ is no longer necessary.\n\n\u2022 Provision to cloud customers according\ + \ to contractual agreements." + annotation: 'Personal data is automatically removed from the log data before + the Cloud Service Provider processes it as far as technically possible. The + removal is done in a way that allows the Cloud Service Provider to continue + to use the log data for the purpose for which it was collected. + + Metadata is all data that is generated by the Cloud Service Provider through + the use of its service by the cloud customer and is not content-related data. + This includes login/logout times, IP addresses, customer''s GPS location, + which resources (network, storage, computer) were used, which data was accessed + when, with whom data was shared, with whom it was communicated, etc. This + data is partly used for billing purposes and for (security) incident management. 
+ However, it can also be used to analyse customer behaviour (depending on the + cloud service) and to make the decision making and work processes visible + to the Cloud Service Provider. The criteria aim to provide a transparent and + clear definition of the collection and use of metadata. In addition, metadata + refers to data that is generated when the Cloud Service Provider accesses + customer data (e.g. for indexing).' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-12 + name: Logging and Monitoring - Access, Storage and Deletion + description: "The requirements for the logging and monitoring of events and\ + \ for the secure handling of metadata are implemented by technically supported\ + \ procedures with regard to the following restrictions:\n\n\u2022 Access only\ + \ for authorised users and systems;\n\n\u2022 Retention for the specified\ + \ period; and\n\n\u2022 Deletion when further retention is no longer necessary\ + \ for the purpose of collection." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-13 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-13 + name: Logging and Monitoring - Identification of Events + description: "The logging data is automatically monitored for events that may\ + \ violate the protection goals in accordance with the logging and monitoring\ + \ requirements. This also includes the detection of relationships between\ + \ events (event correlation). \n\nIdentified events are automatically reported\ + \ to the appropriate departments for prompt evaluation and action." 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-14 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-14 + name: Logging and Monitoring - Storage of the Logging Data + description: "The Cloud Service Provider retains the generated log data and\ + \ keeps these in an appropriate, unchangeable and aggregated form, regardless\ + \ of the source of such data, so that a central, authorised evaluation of\ + \ the data is possible. Log data is deleted if it is no longer required for\ + \ the purpose for which they were collected. \n\nBetween logging servers and\ + \ the assets to be logged, authentication takes place to protect the integrity\ + \ and authenticity of the information transmitted and stored. The transfer\ + \ takes place using state-of-the-art encryption or a dedicated administration\ + \ network (out-of-band management)." + annotation: The Cloud Service Provider provides a customer-specific logging + (in terms of scope and duration of retention period) upon request of the Cloud + Customer. Depending on the protection requirements of the Cloud Service Provider + and the technical feasibility, a logical or physical separation of log and + customer data is carried out. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-15 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-15 + name: Logging and Monitoring - Accountability + description: "The log data generated allows an unambiguous identification of\ + \ user accesses at tenant level to support (forensic) analysis in the event\ + \ of a security incident. \n\nInterfaces are available to conduct forensic\ + \ analyses and perform backups of infrastructure components and their network\ + \ communication." 
+ annotation: 'On request of the Cloud customer, the Cloud Service Provider provides + the logs relating to the cloud customer in an appropriate form and in a timely + manner so that the cloud customer can investigate any incidents relating to + them. + + Infrastructure components in the sense of this criterion are e.g. fabric controllers, + network components and virtualisation servers.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-16 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-16 + name: Logging and Monitoring - Configuration + description: "Access to system components for logging and monitoring in the\ + \ Cloud Service Provider\u2019s area of responsibility is restricted to authorised\ + \ users. Changes to the configuration are made in accordance with the applicable\ + \ policies (cf. DEV-03)." + annotation: Access to system components for logging and monitoring in the Cloud + Service Provider's area of responsibility requires two-factor authentication. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-17 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-17 + name: Logging and Monitoring - Availability of the Monitoring Software + description: "The Cloud Service Provider monitors the system components for\ + \ logging and monitoring in its area of responsibility. Failures are automatically\ + \ and promptly reported to the Cloud Service Provider\u2019s responsible departments\ + \ so that these can assess the failures and take required action." + annotation: The system components for logging and monitoring are designed in + such a way that the overall functionality is not restricted if individual + components fail. 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-18 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-18 + name: Managing Vulnerabilities, Malfunctions and Errors - Concept + description: "Guidelines and instructions with technical and organisational\ + \ measures are documented, communicated and provided in accordance with SP-01\ + \ to ensure the timely identification and addressing of vulnerabilities in\ + \ the system components used to provide the cloud service. These guidelines\ + \ and instructions contain specifications regarding the following aspects:\n\ + \n\u2022 Regular identification of vulnerabilities;\n\n\u2022 Assessment of\ + \ the severity of identified vulnerabilities;\n\n\u2022 Prioritisation and\ + \ implementation of actions to promptly remediate or mitigate identified vulnerabilities\ + \ based on severity and according to defined timelines; and\n\n\u2022 Handling\ + \ of system components for which no measures are initiated for the timely\ + \ remediation or mitigation of vulnerabilities." + annotation: Identified vulnerabilities can be classified according to established + metrics such as CVSS or OWASP. The decision not to remediate or mitigate identified + vulnerabilities must be made by the Cloud Service Provider based on a risk + assessment. If necessary, risk-compensating measures must be taken. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-19 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-19 + name: Managing Vulnerabilities, Malfunctions and Errors - Penetration Tests + description: "The Cloud Service Provider has penetration tests carried out by\ + \ qualified internal personnel or external service providers at least once\ + \ a year. 
The penetration tests are carried out according to a documented\ + \ test methodology and include the system components relevant to the provision\ + \ of the cloud service in the area of responsibility of the Cloud Service\ + \ Provider, which have been identified as such in a risk analysis. \n\nThe\ + \ Cloud Service Provider assess the severity of the findings made in penetration\ + \ tests according to defined criteria.\n\nFor findings with medium or high\ + \ criticality regarding the confidentiality, integrity or availability of\ + \ the cloud service, actions must be taken within defined time windows for\ + \ prompt remediation or mitigation." + annotation: "The tests are carried out every six months. They must always be\ + \ performed by independent external auditors. Internal personnel for penetration\ + \ tests may support the external service providers.\nVulnerabilities should\ + \ be classified according to damage potential and a period of time should\ + \ be specified for the required response. The following classification according\ + \ to the BSI publication \"Ein Praxis-Leitfaden f\xFCr IS-\nPenetrationstests\"\ + \ can serve as an orientation:\n\n\u2022 High: Immediate reaction;\n\n\u2022\ + \ Medium: Short-term response;\n\n\u2022 Low: Medium-term response; and\n\n\ + \u2022 Information: Long-term response." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-20 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-20 + name: Managing Vulnerabilities, Malfunctions and Errors - Measurements, Analyses + and Assessments of Procedures + description: 'The Cloud Service Provider regularly measures, analyses and assesses + the procedures with which vulnerabilities and incidents are handled to verify + their continued suitability, appropriateness and effectiveness. 
+ + + Results are evaluated at least quarterly by accountable departments at the + Cloud Service Provider to initiate continuous improvement actions and to verify + their effectiveness.' + annotation: Common Vulnerabilities and Exposures (CVE) or similar methods are + a suitable way of documenting vulnerabilities and incidents. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-21 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-21 + name: Involvement of Cloud customers in the event of incidents + description: 'The Cloud Service Provider periodically informs the cloud customer + on the status of incidents affecting the cloud customer, or, where appropriate + and necessary, involve the customer in the resolution, in a manner consistent + with the contractual agreements. + + + As soon as an incident has been resolved from the Cloud Service Provider''s + perspective, the cloud customer is informed according to the contractual agreements, + about the actions taken.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-22 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-22 + name: Testing and Documentation of known Vulnerabilities + description: System components in the area of responsibility of the Cloud Service + Provider for the provision of the cloud service are automatically checked + for known vulnerabilities at least once a month in accordance with the policies + for handling vulnerabilities (cf. OPS-18), the severity is assessed in accordance + with defined criteria and measures for timely remediation or mitigation are + initiated within defined time windows. 
+ annotation: "Available security patches are applied depending on the severity\ + \ of the vulnerabilities, as determined based on the latest version of the\ + \ Common Vulnerability Scoring System (CVSS):\n\n\u2022 Critical (CVSS = 9.0\ + \ - 10.0): 3 hours;\n\n\u2022 High (CVSS = 7.0 - 8.9): 3 days;\n\n\u2022 Average\ + \ (CVSS = 4.0 - 6.9): 1 month;\n\n\u2022 Low (CVSS = 0.1 - 3.9): 3 months.\n\ + In contrast to penetration tests (Cf. OPS-20), which are carried out manually\ + \ and according to an individual scheme, the check for open vulnerabilities\ + \ is performed automatically, using so-called vulnerability scanners." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-23 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-23 + name: Managing Vulnerabilities, Malfunctions and Errors - System Hardening + description: 'System components in the production environment used to provide + the cloud service under the Cloud Service Provider''s responsibility are hardened + according to generally accepted industry standards. The hardening requirements + for each system component are documented. + + + If non-modifiable ("immutable") images are used, compliance with the hardening + specifications as defined in the hardening requirements is checked upon creation + of the images. Configuration and log files regarding the continuous availability + of the images are retained.' 
+ annotation: "System components in the Cloud Service Provider's area of responsibility\ + \ are automatically monitored for compliance with hardening specifications.\ + \ Deviations from the specifications are automatically reported to the appropriate\ + \ departments of the Cloud Service Provider for immediate assessment and action.\n\ + System components in the sense of the basic criterion are the objects required\ + \ for the information security of the cloud service during the creation, processing,\ + \ storage, transmission, deletion or destruction of information in the Cloud\ + \ Service Provider's area of responsibility, e.g. firewalls, load balancers,\ + \ web servers, application servers and database servers. These system components\ + \ in turn consist of hardware and software objects. This criterion is limited\ + \ to software objects such as hypervisors, operating systems, databases, programming\ + \ interfaces (APIs), images (e.g. for virtual machines and containers) and\ + \ applications for logging and monitoring security events.\n\nThe configuration\ + \ and log files for non-modifiable mages include e.g.:\n\n\u2022 Configuration\ + \ of the images used with regards to implemented hardening; and specifications\ + \ including version history\n\n\u2022 Logs for file integrity monitoring of\ + \ images in productive use.\n\nGenerally accepted industry standards are,\ + \ for example, the Security Configuration Benchmark of the \u201CCentre for\ + \ Internet Security\u201D (CIS) or the corresponding modules in the BSI IT-Grundschutz-Kompendium.\n\ + \nCompliance with hardening specifications can be monitored with e.g. 
file\ + \ integrity monitoring" + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:ops-24 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node36 + ref_id: OPS-24 + name: Separation of Datasets in the Cloud Infrastructure + description: Cloud customer data stored and processed on shared virtual and + physical resources is securely and strictly separated according to a documented + approach based on OIS-07 risk analysis to ensure the confidentiality and integrity + of this data. + annotation: 'Resources in the storage network are segmented by secure zoning + (LUN binding and LUN masking). + + Shared resources include memory, cores and storage networks. Technical segregation + (separation) of the stored and processed data of cloud customers into shared + resources can be achieved through firewalls, access lists, tagging, VLANs, + virtualisation and measures in the storage network (e.g. LUN binding and LUN + masking). Where the adequacy and effectiveness of segregation cannot be assessed + with reasonable assurance (e.g. due to complex implementation), evidence may + also be provided through expert third party review results (e.g. penetration + tests to validate the concept). The segregation of transmitted data is subject + to control COS-06.' 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node61 + assessable: false + depth: 1 + name: Identity and Access Management (IDM) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:idm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node61 + ref_id: IDM-01 + name: Policy for user accounts and access rights + description: "A role and rights concept based on the business and security requirements\ + \ of the Cloud Service Provider as well as a policy for managing user accounts\ + \ and access rights for internal and external employees of the Cloud Service\ + \ Provider and system components that have a role in automated authorisation\ + \ processes of the Cloud Service Provider are documented, communicated and\ + \ made available according to SP-01:\n\n\u2022 Assignment of unique usernames;\ + \ \n\n\u2022 Granting and modifying user accounts and access rights based\ + \ on the \u201Cleast-privilege- principle\u201D and the \u201Cneed-to-know\u201D\ + \ principle;\n\n\u2022 Segregation of duties between operational and monitoring\ + \ functions (\u201CSegregation of Duties\u201D); \n\n\u2022 Segregation of\ + \ duties between managing, approving and assigning user accounts and access\ + \ rights; \n\n\u2022 Approval by authorised individual(s) or system(s) for\ + \ granting or modifying user accounts and access rights before data of the\ + \ cloud customer or system components used to provision the cloud service\ + \ can be accessed; \n\n\u2022 Regular review of assigned user accounts and\ + \ access rights; \n\n\u2022 Blocking and removing access accounts in the event\ + \ of inactivity; \n\n\u2022 Time-based or event-driven removal or adjustment\ + \ of access rights in the event of changes to job responsibility; \n\n\u2022\ + \ Two-factor or multi-factor authentication for users with privileged access;\n\ + \n\u2022 Requirements for the approval and documentation of the management\ + \ of user accounts and access rights." 
+ annotation: System components in the sense of the basic criterion cf. definition + in OPS-23. Automated authorisation processes in the sense of this basic criterion + concern procedures for automated software provisioning (continuous delivery) + as well as for automated provisioning and deprovisioning of user accounts + and access rights based on approved requests. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:idm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node61 + ref_id: IDM-02 + name: Granting and change of user accounts and access rights + description: Specified procedures for granting and modifying user accounts and + access rights for internal and external employees of the Cloud Service Provider + as well as for system components involved in automated authorisation processes + of the Cloud Service Provider ensure compliance with the role and rights concept + as well as the policy for managing user accounts and access rights. + annotation: The Cloud Service Provider offers cloud customers a self-service + with which they can independently assign and change user accounts and access + rights. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:idm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node61 + ref_id: IDM-03 + name: Locking and withdrawal of user accounts in the event of inactivity or + multiple failed logins + description: 'User accounts of internal and external employees of the Cloud + Service Provider as well as for system components involved in automated authorisation + processes of the Cloud Service Provider are automatically locked if they have + not been used for a period of two months. Approval from authorised personnel + or system components are required to unlock these accounts. + + + Locked user accounts are automatically revoked after six months. After revocation, + the procedure for granting user accounts and access rights (cf. IDM-02) must + be repeated.' 
+ annotation: Locking can result from a longer absence of the employee, for example, + due to illness, parental leave, or sabbatical. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:idm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node61 + ref_id: IDM-04 + name: Withdraw or adjust access rights as the task area changes + description: Access rights are promptly revoked if the job responsibilities + of the Cloud Service Provider's internal or external staff or the tasks of + system components involved in the Cloud Service Provider's automated authorisation + processes change. Privileged access rights are adjusted or revoked within + 48 hours after the change taking effect. All other access rights are adjusted + or revoked within 14 days. After revocation, the procedure for granting user + accounts and access rights (cf. IDM-02) must be repeated. + annotation: Changes in the task area of internal and external employees can + be triggered by changes in the employment relationship (e.g. termination, + transfer) or in contracts and agreements. For privileged access rights the + definition in IDM-06 applies. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:idm-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node61 + ref_id: IDM-05 + name: Regular review of access rights + description: Access rights of internal and external employees of the Cloud Service + Provider as well as of system components that play a role in automated authorisation + processes of the Cloud Service Provider are reviewed at least once a year + to ensure that they still correspond to the actual area of use. The review + is carried out by authorised persons from the Cloud Service Provider's organisational + units, who can assess the appropriateness of the assigned access rights based + on their knowledge of the task areas of the employees or system components. 
+ Identified deviations will be dealt with promptly, but no later than 7 days + after their detection, by appropriate modification or withdrawal of the access + rights. + annotation: 'Privileged access rights are reviewed at least every six months. ' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:idm-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node61 + ref_id: IDM-06 + name: Privileged access rights + description: 'Privileged access rights for internal and external employees as + well as technical users of the Cloud Service Provider are assigned and changed + in accordance to the policy for managing user accounts and access rights (cf. + IDM-01) or a separate specific policy. + + + Privileged access rights are personalised, limited in time according to a + risk assessment and assigned as necessary for the execution of tasks ("need-to-know + principle"). Technical users are assigned to internal or external employees + of the Cloud Service Provider. + + + Activities of users with privileged access rights are logged in order to detect + any misuse of privileged access in suspicious cases. The logged information + is automatically monitored for defined events that may indicate misuse. When + such an event is identified, the responsible personnel are automatically informed + so that they can promptly assess whether misuse has occurred and take corresponding + action. In the event of proven misuse of privileged access rights, disciplinary + measures are taken in accordance with HR-04.' 
+ annotation: "Privileged access rights in the sense of the Basic Criterion are\ + \ those that enable employees of the Cloud Service Provider to perform any\ + \ of the following activities: \n\n\u2022 Read or write access to the cloud\ + \ customers' data processed, stored or transmitted in the cloud service, unless\ + \ such data is encrypted or the encryption can be deactivated for access by\ + \ the Cloud Service Provider; and\n\n\u2022 Changes to the operational and/or\ + \ security configuration of the system components in the production environment,\ + \ in particular the starting, stopping, deleting or deactivating of system\ + \ components, if this can affect the confidentiality, integrity or availability\ + \ of the data of the cloud customers (also indirectly, e.g. by deactivating\ + \ the logging and monitoring of security-relevant events). Misused privileged\ + \ access rights can be treated e.g. as a security incident, cf. SIM-01." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:idm-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node61 + ref_id: IDM-07 + name: Access to cloud customer data + description: The cloud customer is informed by the Cloud Service Provider whenever + internal or external employees of the Cloud Service Provider read or write + to the cloud customer's data processed, stored or transmitted in the cloud + service or have accessed it without the prior consent of the cloud customer. + The Information is provided whenever data of the cloud customer is/was not + encrypted, the encryption is/was disabled for access or the contractual agreements + do not explicitly exclude such information. The information contains the cause, + time, duration, type and scope of the access. The information is sufficiently + detailed to enable subject matter experts of the cloud customer to assess + the risks of the access. 
The information is provided in accordance with the + contractual agreements, or within 72 hours after the access. + annotation: 'Access to the data processed, stored or transmitted in the cloud + service by internal or external employees of the Cloud Service Provider requires + the prior consent of an authorised department of the cloud customer, provided + that the cloud customer''s data is not encrypted, encryption is disabled for + access, or contractual agreements do not explicitly exclude such consent. + For the consent, the cloud customer''s department is provided with meaningful + information about the cause, time, duration, type and scope of the access + supporting assessing the risks associated with the access. + + Subject matter experts in the sense of this basic criterion is personnel from + e.g. IT, Compliance or Internal Audit. ' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:idm-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node61 + ref_id: IDM-08 + name: Confidentiality of authentication information + description: "The allocation of authentication information to access system\ + \ components used to provide the cloud service to internal and external users\ + \ of the cloud provider and system components that are involved in automated\ + \ authorisation processes of the cloud provider is done in an orderly manner\ + \ that ensures the confidentiality of the information. If passwords are used\ + \ as authentication information, their confidentiality is ensured by the following\ + \ procedures, as far as technically possible: \n\n\u2022 Users can initially\ + \ create the password themselves or must change an initial password when logging\ + \ on to the system component for the first time. An initial password loses\ + \ its validity after a maximum of 14 days.\n\n\u2022 When creating passwords,\ + \ compliance with the password specifications (cf. 
IDM-09) is enforced as\ + \ far as technically possible.\n\n\u2022 The user is informed about changing\ + \ or resetting the password.\n\n\u2022 The server-side storage takes place\ + \ using cryptographically strong hash functions.\n\nDeviations are evaluated\ + \ by means of a risk analysis and mitigating measures derived from this are\ + \ implemented." + annotation: 'The users sign a declaration in which they assure that they treat + personal (or shared) authentication information confidentially and keep it + exclusively for themselves (within the members of the group). + + Argon2i, for example, is suitable for using a password hash function. + + + Insofar as this is legally binding, declarations can be signed using an electronic + signature.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:idm-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node61 + ref_id: IDM-09 + name: Authentication mechanisms + description: System components in the Cloud Service Provider's area of responsibility + that are used to provide the cloud service, authenticate users of the Cloud + Service Provider's internal and external employees as well as system components + that are involved in the Cloud Service Provider's automated authorisation + processes. Access to the production environment requires two-factor or multi-factor + authentication. Within the production environment, user authentication takes + place through passwords, digitally signed certificates or procedures that + achieve at least an equivalent level of security. If digitally signed certificates + are used, administration is carried out in accordance with the Guideline for + Key Management (cf. CRY-01). The password requirements are derived from a + risk assessment and documented, communicated and provided in a password policy + according to SP-01. Compliance with the requirements is enforced by the configuration + of the system components, as far as technically possible. 
+ annotation: Access to the non-production environment requires two-factor or + multi-factor authentication. Within the non-production environment, users + are authenticated using passwords, digitally signed certificates, or procedures + that provide at least an equivalent level of security. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node71 + assessable: false + depth: 1 + name: Cryptography and Key Management (CRY) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:cry-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node71 + ref_id: CRY-01 + name: Policy for the use of encryption procedures and key management + description: "Policies and instructions with technical and organisational safeguards\ + \ for encryption procedures and key management are documented, communicated\ + \ and provided according to SP-01, in which the following aspects are described:\n\ + \n\u2022 Usage of strong encryption procedures and secure network protocols\ + \ that correspond to the state-of-the-art;\n\n\u2022 Risk-based provisions\ + \ for the use of encryption which are aligned with the information classification\ + \ schemes (cf. AM-06) and consider the communication channel, type, strength\ + \ and quality of the encryption;\n\n\u2022 Requirements for the secure generation,\ + \ storage, archiving, retrieval, distribution, withdrawal and deletion of\ + \ the keys; and \n\n\u2022 Consideration of relevant legal and regulatory\ + \ obligations and requirements." 
+ annotation: "The state-of-the-art of strong encryption procedures and secure\ + \ network protocols is specified in the following BSI Technical Guidelines\ + \ valid at the given time: \n\n\u2022 BSI TR-02102-1 Cryptographic Mechanisms:\ + \ Recommendations and Key Lengths;\n\n\u2022 BSI TR-02102-2 Cryptographic\ + \ Mechanisms: Use of Transport Layer Security (TLS);\n\n\u2022 BSI TR-02102-3\ + \ Cryptographic Mechanisms: Use of Internet Protocol Security (IPSec) and\ + \ Internet Key Exchange (IKEv2); and\n\n\u2022 BSI TR-02102-4 Cryptographic\ + \ Mechanisms: Use of Secure Shell (SSH)." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:cry-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node71 + ref_id: CRY-02 + name: Encryption of data for transmission (transport encryption) + description: The Cloud Service Provider has established procedures and technical + measures for strong encryption and authentication for the transmission of + data of cloud customers over public networks. + annotation: "The Cloud Service Provider has established procedures and technical\ + \ measures for strong encryption and authentication for the transmission of\ + \ all data.\nWhen transmitting data with normal protection requirements within\ + \ the Cloud Service Provider\u2019s infrastructure, encryption is not mandatory\ + \ provided that the data is not transmitted via public networks. In this case,\ + \ the non-public environment of the Cloud Service Provider can generally be\ + \ deemed trusted. The protocols TLS 1.2 and TLS 1.3 are currently regarded\ + \ as strong, state-of-the-art transport encryptions, in each case in combination\ + \ with Perfect Forward Secrecy. The specific configuration should comply with\ + \ the recommendations of the (current) version of the BSI Technical Guideline\ + \ TR-02102-2 \"Cryptographic Procedures: Recommendations and key lengths.\ + \ Part 2 - Use of Transport Layer Security (TLS)\". 
Generally, the use of\ + \ wildcard certificates is not considered a secure procedure.\n\nThe basic\ + \ criterion for the transmission cloud customers' data, relates to e.g. the\ + \ sending of electronic messages via public networks." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:cry-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node71 + ref_id: CRY-03 + name: Encryption of sensitive data for storage + description: The Cloud Service Provider has established procedures and technical + safeguards to encrypt cloud customers' data during storage. The private keys + used for encryption are known only to the cloud customer in accordance with + applicable legal and regulatory obligations and requirements. Exceptions follow + a specified procedure. The procedures for the use of private keys, including + any exceptions, must be contractually agreed with the cloud customer. + annotation: 'The private keys used for encryption are known to the customer + exclusively and without exception in accordance with applicable legal and + regulatory obligations and requirements. + + An exception to the requirement that keys are known only to the cloud customers + may be the use of a master key by the Cloud Service Provider. If the Cloud + Service Provider established a procedure to use a master key, the Cloud Service + Provider must perform sample-based checks regarding the suitability and effectiveness + of the procedure, on a regular basis. This criterion does not apply to data + that cannot be encrypted for the provision of the cloud service for functional + reasons.' 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:cry-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node71 + ref_id: CRY-04 + name: Secure key management + description: "Procedures and technical safeguards for secure key management\ + \ in the area of responsibility of the Cloud Service Provider include at least\ + \ the following aspects: \n\n\u2022 Generation of keys for different cryptographic\ + \ systems and applications;\n\n\u2022 Issuing and obtaining public-key certificates;\n\ + \n\u2022 Provisioning and activation of the keys;\n\n\u2022 Secure storage\ + \ of keys (separation of key management system from application and middleware\ + \ level) including description of how authorised users get access;\n\n\u2022\ + \ Changing or updating cryptographic keys including policies defining under\ + \ which conditions and in which manner the changes and/or updates are to be\ + \ realised;\n\n\u2022 Handling of compromised keys; \n\n\u2022 Withdrawal\ + \ and deletion of keys; and \n\n\u2022 If pre-shared keys are used, the specific\ + \ provisions relating to the safe use of this procedure are specified separately." + annotation: Keys should be withdrawn or deleted e.g. in the event of compromise + or employee changes. The Cloud Service Provider protects the keys which are + created and inserted into the cloud service by the cloud customers according + to the same criteria as the keys created by the Cloud Service Provider. 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node76 + assessable: false + depth: 1 + name: Communication Security (COS) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:cos-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node76 + ref_id: COS-01 + name: Technical safeguards + description: Based on the results of a risk analysis carried out according to + OIS-06, the Cloud Service Provider has implemented technical safeguards which + are suitable to promptly detect and respond to network-based attacks on the + basis of irregular incoming or outgoing traffic patterns and/or Distributed + Denial- of-Service (DDoS) attacks. Data from corresponding technical protection + measures implemented is fed into a comprehensive SIEM (Security Information + and Event Management) system, so that (counter) measures regarding correlating + events can be initiated. The safeguards are documented, communicated and provided + in accordance with SP-01. + annotation: "Technical measures ensure that no unknown (physical or virtual)\ + \ devices join the Cloud Service Provider's (physical or virtual) network\ + \ (e.g. MACSec according to IEEE 802.1X:2010). \nNetwork-based attacks can\ + \ be conducted e.g. with MAC spoofing and ARP poisoning attacks. Technical\ + \ measures to prevent unknown physical or virtual devices from joining a physical\ + \ or virtual network can be based on e.g. MACSec according to IEEE 802.1X:2010. 
" + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:cos-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node76 + ref_id: COS-02 + name: Security requirements for connections in the Cloud Service Provider's + network + description: "Specific security requirements are designed, published and provided\ + \ for establishing connections within the Cloud Service Provider's network.\ + \ The security requirements define for the Cloud Service Provider's area of\ + \ responsibility: \n\n\u2022 in which cases the security zones are to be separated\ + \ and in which cases cloud customers are to be logically or physically segregated;\n\ + \n\u2022 which communication relationships and which network and application\ + \ protocols are permitted in each case;\n\n\u2022 how the data traffic for\ + \ administration and monitoring is segregated from each on network level;\n\ + \n\u2022 which internal, cross-location communication is permitted and;\n\n\ + \u2022 which cross-network communication is allowed" + annotation: 'Cross-location communication can be realised for e.g. individual + regions or data centres via e.g. WAN, LAN, VPN, RAS. ' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:cos-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node76 + ref_id: COS-03 + name: Monitoring of connections in the Cloud Service Provider's network + description: 'A distinction is made between trusted and untrusted networks. + Based on a risk assessment, these are separated into different security zones + for internal and external network areas (and DMZ, if applicable). Physical + and virtualised network environments are designed and configured to restrict + and monitor the established connection to trusted or untrusted networks according + to the defined security requirements. 
+ + + The entirety of the conception and configuration undertaken to monitor the + connections mentioned is assessed in a risk-oriented manner, at least annually, + with regard to the resulting security requirements. + + + Identified vulnerabilities and deviations are subject to risk assessment in + accordance with the risk management procedure (cf. OIS-06) and follow-up measures + are defined and tracked (cf. OPS-18). + + + At specified intervals, the business justification for using all services, + protocols, and ports is reviewed. The review also includes the justifications + for compensatory measures for the use of protocols that are considered insecure.' + annotation: The review of the security requirements depends on the measures + implemented to design the networks. For example, monitoring and reviewing + firewall rules or log files for abnormalities, as well as visual inspections + of physical network components for changes. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:cos-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node76 + ref_id: COS-04 + name: Cross-network access + description: Each network perimeter is controlled by security gateways. The + system access authorisation for cross-network access is based on a security + assessment based on the requirements of the cloud customers. + annotation: 'Each network perimeter is controlled by redundant and highly-available + security gateways. + + Cross-network access is access from one network to another network via a defined + network perimeter.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:cos-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node76 + ref_id: COS-05 + name: Networks for administration + description: There are separate networks for the administrative management of + the infrastructure and for the operation of management consoles. 
These networks + are logically or physically separated from the cloud customer's network and + protected from unauthorised access by multi-factor authentication (cf. IDM-09). + Networks used by the Cloud Service Provider to migrate or create virtual machines + are also physically or logically separated from other networks + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:cos-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node76 + ref_id: COS-06 + name: Segregation of data traffic in jointly used network environments + description: Data traffic of cloud customers in jointly used network environments + is segregated on network level according to a documented concept to ensure + the confidentiality and integrity of the data transmitted. + annotation: "In the case of IaaS/PaaS, the secure segregation is ensured by\ + \ physically separated networks or by means of strongly encrypted VLANs. For\ + \ the definition of strong encryption, the BSI Technical Guideline TR-02102\ + \ must be considered.\nIf the suitability and effectiveness of the logical\ + \ segmentation cannot be assessed with sufficient certainty (e.g. due to a\ + \ complex implementation), evidence can also be provided based on audit results\ + \ of expert third parties (e.g. security audits to validate the concept).\ + \ The segregation of stored and processed data is subject of the criterion\ + \ OPS-24. After successful authentication via an insecure communication channel\ + \ (HTTP), a secure communication channel (HTTPS) is to be used. \n\nWith IaaS/PaaS,\ + \ secure segregation is ensured by physically separated networks or strong\ + \ encryption of the networks. For the definition of strong encryption, the\ + \ BSI Technical Guideline TR-02102 must be considered (cf. CRY-01). \n\nIf\ + \ the Cloud Service Provider does not use shared network environments for\ + \ cloud customers and instead uses a physical segregation, the basic criterion\ + \ is not applicable." 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:cos-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node76 + ref_id: COS-07 + name: Documentation of the network topology + description: The documentation of the logical structure of the network used + to provision or operate the Cloud Service, is traceable and up-to-date, in + order to avoid administrative errors during live operation and to ensure timely + recovery in the event of malfunctions in accordance with contractual obligations. + The documentation shows how the subnets are allocated and how the network + is zoned and segmented. In addition, the geographical locations in which the + cloud customers' data is stored are indicated. + annotation: Zoning is a segmentation of the subnets with a firewall implemented + at the network perimeters. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:cos-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node76 + ref_id: COS-08 + name: Policies for data transmission + description: Policies and instructions with technical and organisational safeguards + in order to protect the transmission of data against unauthorised interception, + manipulation, copying, modification, redirection or destruction are documented, + communicated and provided according to SP-01. The policies and instructions + establish a reference to the classification of information (cf. AM-06). + annotation: A safeguard against unauthorised interception, manipulation, copying, + modification, redirection or destruction of data during transmission is e.g. + the use of transport encryption according to CRY-02. 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node85 + assessable: false + depth: 1 + name: Portability and Interoperability (PI) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:pi-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node85 + ref_id: PI-01 + name: Documentation and safety of input and output interfaces + description: 'The cloud service can be accessed by other cloud services or IT + systems of cloud customers through documented inbound and outbound interfaces. + Further, the interfaces are clearly documented for subject matter experts + on how they can be used to retrieve the data. + + + Communication takes place through standardised communication protocols that + ensure the confidentiality and integrity of the transmitted information according + to its protection requirements. Communication over untrusted networks is encrypted + according to CRY-02. + + + The type and scope of the documentation on the interfaces is geared to the + needs of the cloud customers'' subject matter experts in order to enable the + use of these interfaces. The information is maintained in such a way that + it is applicable for the cloud service''s version which is intended for productive + use.' 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:pi-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node85 + ref_id: PI-02 + name: Contractual agreements for the provision of data + description: "In contractual agreements, the following aspects are defined with\ + \ regard to the termination of the contractual relationship, insofar as these\ + \ are applicable to the cloud service:\n\n\u2022 Type, scope and format of\ + \ the data the Cloud Service Provider provides to the cloud customer;\n\n\u2022\ + \ Definition of the timeframe, within which the Cloud Service Provider makes\ + \ the data available to the cloud customer \n\n\u2022 Definition of the point\ + \ in time as of which the Cloud Service Provider makes the data inaccessible\ + \ to the cloud customer and deletes these; and\n\n\u2022 The cloud customers'\ + \ responsibilities and obligations to cooperate for the provision of the data.\n\ + \nThe definitions are based on the needs of subject matter experts of potential\ + \ customers who assess the suitability of the cloud service with regard to\ + \ a dependency on the Cloud Service Provider as well as legal and regulatory\ + \ requirements." + annotation: "The design of the aspects is based on legal and regulatory requirements\ + \ in the environment of the Cloud Service Provider. The Cloud Service Provider\ + \ identifies the requirements regularly, at least once a year, and checks\ + \ these for actuality and adjusts the contractual agreements accordingly.\n\ + The type and scope of the data and the responsibilities for its provision\ + \ depend on the service model of the cloud service or the services and functions\ + \ provided:\n\nIn the case of IaaS and PaaS, the cloud customer is generally\ + \ responsible for extracting and backing up the data which is stored in the\ + \ cloud service before termination of the contractual relationship (cf. 
complementary\ + \ requirement).\n\nThe Cloud Service Provider's responsibility is typically\ + \ limited to the provision of data for the configuration of the infrastructure\ + \ or platform that the cloud customer has set up within its environment (e.g.\ + \ configuration of networks, images of virtual machines and containers).\n\ + \nWith SaaS, the cloud customer typically relies on export functions provided\ + \ by the Cloud Service Provider. Data created by the cloud customer should\ + \ be available in the same format as stored in the cloud service. Other data,\ + \ including relevant log files and metadata, should be available in an applicable\ + \ standard format, such as CSV, JSON or XML.\n\nIn Germany, legal requirements\ + \ for retention can be found, for example, in the German Tax Code (\xA7147\ + \ AO) and the German Commercial Code (\xA7257 HGB). These provide for a retention\ + \ obligation of six or ten years." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:pi-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node85 + ref_id: PI-03 + name: Secure deletion of data + description: 'The Cloud Service Provider''s procedures for deleting the cloud + customers'' data upon termination of the contractual relationship ensure compliance + with the contractual agreements (cf. PI-02). + + + The deletion includes data in the cloud customer''s environment, metadata + and data stored in the data backups. + + + The deletion procedures prevent recovery by forensic means.' + annotation: Suitable methods for data deletion are e.g. multiple overwriting + or deletion of the encryption key. 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node89 + assessable: false + depth: 1 + name: Procurement, Development and Modification of Information Systems (DEV) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:dev-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node89 + ref_id: DEV-01 + name: Policies for the development/procurement of information systems + description: "Policies and instructions with technical and organisational measures\ + \ for the secure development of the cloud service are documented, communicated\ + \ and provided in accordance with SP-01.\n\nThe policies and instructions\ + \ contain guidelines for the entire life cycle of the cloud service and are\ + \ based on recognised standards and methods with regard to the following aspects:\n\ + \n\u2022 Security in Software Development (Requirements, Design, Implementation,\ + \ Testing and Verification); \n\n\u2022 Security in software deployment (including\ + \ continuous delivery); and\n\n\u2022 Security in operation (reaction to identified\ + \ faults and vulnerabilities)." + annotation: "In procurement, products are preferred which have been certified\ + \ according to the \"Common Criteria for Information Technology Security Evaluation\"\ + \ (short: Common Criteria - CC) according Evaluation Assurance Level EAL 4.\ + \ If non-certified products are to be procured for available certified products,\ + \ a risk assessment is carried out in accordance with OIS-07.\nThe software\ + \ provision can be carried out e.g. with Continuous Delivery methods.\n\n\ + Accepted standards and methods are, for example:\n\n\u2022 ISO/IEC 27034;\ + \ and\n\n\u2022 OWASP Secure Software Development Lifecycle (S-SDLC)." 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:dev-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node89 + ref_id: DEV-02 + name: Outsourcing of the development + description: "In the case of outsourced development of the cloud service (or\ + \ individual system components), specifications regarding the following aspects\ + \ are contractually agreed between the Cloud Service Provider and the outsourced\ + \ development contractor:\n\n\u2022 Security in software development (requirements,\ + \ design, implementation, tests and verifications) in accordance with recognised\ + \ standards and methods;\n\n\u2022 Acceptance testing of the quality of the\ + \ services provided in accordance with the agreed functional and non-functional\ + \ requirements; and\n\n\u2022 Providing evidence that sufficient verifications\ + \ have been carried out to rule out the existence of known vulnerabilities." + annotation: 'Outsourced development in the sense of the basic criterion refers + to the development of system components used specifically for the cloud service + by a contractor of the Cloud Service Provider. The development takes place + according to the processes of the contractor. + + + The purchase of software available on the market as well as the integration + of external employees into the processes of the Cloud Service Provider do + not constitute outsourcing in the sense of this basic criterion.' 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:dev-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node89 + ref_id: DEV-03 + name: Policies for changes to information systems + description: "Policies and instructions with technical and organisational safeguards\ + \ for change management of system components of the cloud service within the\ + \ scope of software deployment are documented, communicated and provided according\ + \ to SP-01 with regard to the following aspects:\n\n\u2022 Criteria for risk\ + \ assessment, categorisation and prioritisation of changes and related requirements\ + \ for the type and scope of testing to be performed, and necessary approvals\ + \ for the development/implementation of the change and releases for deployment\ + \ in the production environment by authorised personnel or system components;\n\ + \n\u2022 Requirements for the performance and documentation of tests;\n\n\u2022\ + \ Requirements for segregation of duties during development, testing and release\ + \ of changes;\n\n\u2022 Requirements for the proper information of cloud customers\ + \ about the type and scope of the change as well as the resulting obligations\ + \ to cooperate in accordance with the contractual agreements;\n\n\u2022 Requirements\ + \ for the documentation of changes in system, operational and user documentation;\ + \ and\n\n\u2022 Requirements for the implementation and documentation of emergency\ + \ changes that must comply with the same level of security as normal changes." + annotation: 'Changes in the sense of the basic criterion are those that can + lead to changes in the configuration, functionality or security of system + components of the cloud service in the production environment. This includes + changes to the infrastructure as well as to the source code. 
+ + + If individual changes are combined in a new release, update, patch or comparable + software object for the purpose of software provisioning, this software object + is deemed to be a change within the meaning of the basic criterion, but not + the individual changes contained therein. + + + Changes to the existing network configuration must also undergo a specified + procedure, as they are necessary for effective segregation of cloud customers. + + + Personnel and system components receive authorisation to approve changes in + accordance with the requirements for access and access authorisations (cf. + IDM-01) via a specified procedure (cf. IDM-02).Relevant information includes + descriptions of e.g. new functions. + + + The cloud customer''s obligations to cooperate can define that, e.g. the cloud + customer must carry out certain tests.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:dev-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node89 + ref_id: DEV-04 + name: Safety training and awareness programme regarding continuous software + delivery and associated systems, components or tools. + description: The Cloud Service Provider provides a training program for regular, + target group-oriented security training and awareness for internal and external + employees on standards and methods of secure software development and provision + as well as on how to use the tools used for this purpose. The program is regularly + reviewed and updated with regard to the applicable policies and instructions, + the assigned roles and responsibilities and the tools used. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:dev-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node89 + ref_id: DEV-05 + name: Risk assessment, categorisation and prioritisation of changes + description: In accordance with the applicable policies (cf. 
DEV-03), changes + are subjected to a risk assessment with regard to potential effects on the + system components concerned and are categorised and prioritised accordingly. + annotation: In accordance with the contractual agreements, meaningful information + about the occasion, time, duration, type and scope of the change is submitted + to authorised bodies of the cloud customer so that they can carry out their + own risk assessment before the change is made available in the production + environment. Regardless of the contractual agreements, this is done for changes + that have the highest risk category based on their risk assessment. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:dev-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node89 + ref_id: DEV-06 + name: Testing changes + description: 'Changes to the cloud service are subject to appropriate testing + during software development and deployment. + + + The type and scope of the tests correspond to the risk assessment. The tests + are carried out by appropriately qualified personnel of the Cloud Service + Provider or by automated test procedures that comply with the state-of-the-art. + Cloud customers are involved into the tests in accordance with the contractual + requirements. + + + The severity of the errors and vulnerabilities identified in the tests, which + are relevant for the deployment decision, is determined according to defined + criteria and actions for timely remediation or mitigation are initiated.' + annotation: The errors and vulnerabilities identified in tests can be assessed, + for example, according to the Common Vulnerability Scoring System (CVSS). 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:dev-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node89 + ref_id: DEV-07 + name: Logging of changes + description: System components and tools for source code management and software + deployment that are used to make changes to system components of the cloud + service in the production environment are subject to a role and rights concept + according to IDM-01 and authorisation mechanisms. They must be configured + in such a way that all changes are logged and can therefore be traced back + to the individuals or system components executing them. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:dev-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node89 + ref_id: DEV-08 + name: Version Control + description: Version control procedures are set up to track dependencies of + individual changes and to restore affected system components back to their + previous state as a result of errors or identified vulnerabilities. + annotation: Version control procedures provide appropriate safeguards to ensure + that the integrity and availability of cloud customer data is not compromised + when system components are restored back to their previous state. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:dev-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node89 + ref_id: DEV-09 + name: Approvals for provision in the production environment + description: 'Authorised personnel or system components of the Cloud Service + Provider approve changes to the cloud service based on defined criteria (e.g. + test results and required approvals) before these are made available to the + cloud customers in the production environment. + + + Cloud customers are involved in the release according to contractual requirements.' + annotation: The definitions for criterion DEV-03 apply. 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:dev-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node89 + ref_id: DEV-10 + name: Separation of environments + description: Production environments are physically or logically separated from + test or development environments to prevent unauthorised access to cloud customer + data, the spread of malware, or changes to system components. Data contained + in the production environments is not used in test or development environments + in order not to compromise their confidentiality. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node100 + assessable: false + depth: 1 + name: Control and Monitoring of Service Providers and Suppliers (SSO) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:sso-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node100 + ref_id: SSO-01 + name: Policies and instructions for controlling and monitoring third parties + description: "Policies and instructions for controlling and monitoring third\ + \ parties (e.g. 
service providers or suppliers) whose services contribute\ + \ to the provision of the cloud service are documented, communicated and provided\ + \ in accordance with SP-01 with respect to the following aspects:\n\n\u2022\ + \ Requirements for the assessment of risks resulting from the procurement\ + \ of third-party services;\n\n\u2022 Requirements for the classification of\ + \ third parties based on the risk assessment by the Cloud Service Provider\ + \ and the determination of whether the third party is a subcontractor (cf.\ + \ Supplementary Information);\n\n\u2022 Information security requirements\ + \ for the processing, storage or transmission of information by third parties\ + \ based on recognised industry standards;\n\n\u2022 Information security awareness\ + \ and training requirements for staff;\n\n\u2022 applicable legal and regulatory\ + \ requirements;\n\n\u2022 Requirements for dealing with vulnerabilities, security\ + \ incidents and malfunctions;\n\n\u2022 Specifications for the contractual\ + \ agreement of these requirements;\n\n\u2022 Specifications for the monitoring\ + \ of these requirements; and\n\n\u2022 Specifications for applying these requirements\ + \ also to service providers used by the third parties, insofar as the services\ + \ provided by these service providers also contribute to the provision of\ + \ the cloud service." 
+ annotation: "Subservice organisations of the Cloud Service Provider are contractually\ + \ obliged to provide regular reports by independent auditors on the suitability\ + \ of the design and operating effectiveness of their service-related internal\ + \ control system.\n\nThe reports include the complementary subservice organisations\ + \ that are required, together with the controls of the Cloud Service Provider,\ + \ to meet the applicable basic criteria of BSI C5 with reasonable assurance.\n\ + \nIn case no reports can be provided, the Cloud Service Provider agrees appropriate\ + \ information and audit rights to assess the suitability and effectiveness\ + \ of the service-related internal control system, including the complementary\ + \ controls, by qualified personnel.\nReports by independent auditors on the\ + \ suitability of the design and operating effectiveness of their service-related\ + \ internal control system are, for example, attestation reports in accordance\ + \ with ISAE 3402, IDW PS 951, SOC 2 or BSI C5.\n\nQualified personnel works,\ + \ for example, in the Cloud Service Provider's internal audit department or\ + \ is commissioned by the Cloud Service Provider in form of expert third parties,\ + \ such as audit firms, and may hold relevant certifications such as \"Certified\ + \ Internal Auditor (CIA)\". \n\nThe complementary controls at the sub-service\ + \ provider are necessary in order to, together with the controls of the Cloud\ + \ Service Provider, fulfil the applicable C5 criteria with reasonable assurance.\n\ + \nApplicable legal and regulatory requirements may exist, for example, in\ + \ the areas of data protection, intellectual property rights or copyright.\n\ + \nIf legal or regulatory requirements provide for a regulation deviating from\ + \ these criteria for the control of subcontractors, these regulations remain\ + \ unaffected by the C5 criteria." 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:sso-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node100 + ref_id: SSO-02 + name: Risk assessment of service providers and suppliers + description: "Service providers and suppliers of the Cloud Service Provider\ + \ undergo a risk assessment in accordance with the policies and instructions\ + \ for the control and monitoring of third parties prior to contributing to\ + \ the delivery of the cloud service. The adequacy of the risk assessment is\ + \ reviewed regularly, at least annually, by qualified personnel of the Cloud\ + \ Service Provider during service usage.\n \nThe risk assessment includes\ + \ the identification, analysis, evaluation, handling and documentation of\ + \ risks with regard to the following aspects:\n\n\u2022 Protection needs regarding\ + \ the confidentiality, integrity, availability and authenticity of information\ + \ processed, stored or transmitted by the third party; \n\n\u2022 Impact of\ + \ a protection breach on the provision of the cloud service;\n\n\u2022 The\ + \ Cloud Service Provider's dependence on the service provider or supplier\ + \ for the scope, complexity and uniqueness of the service purchased, including\ + \ the consideration of possible alternatives." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:sso-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node100 + ref_id: SSO-03 + name: Directory of service providers and suppliers + description: "The Cloud Service Provider maintains a directory for controlling\ + \ and monitoring the service providers and suppliers who contribute services\ + \ to the delivery of the cloud service. 
The following information is maintained\ + \ in the directory:\n\n\u2022 Company name;\n\n\u2022 Address;\n\n\u2022 Locations\ + \ of data processing and storage;\n\n\u2022 Responsible contact person at\ + \ the service provider/supplier;\n\n\u2022 Responsible contact person at the\ + \ cloud service provider;\n\n\u2022 Description of the service;\n\n\u2022\ + \ Classification based on the risk assessment;\n\n\u2022 Beginning of service\ + \ usage; and\n\n\u2022 Proof of compliance with contractually agreed requirements.\n\ + \nThe information in the list is checked at least annually for completeness,\ + \ accuracy and validity." + annotation: It is not necessary to maintain a single central register in order + to fulfil the basic criterion. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:sso-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node100 + ref_id: SSO-04 + name: Monitoring of compliance with requirements + description: "The Cloud Service Provider monitors compliance with information\ + \ security requirements and applicable legal and regulatory requirements in\ + \ accordance with policies and instructions concerning controlling and monitoring\ + \ of third-parties.\n\nMonitoring includes a regular review of the following\ + \ evidence to the extent that such evidence is to be provided by third parties\ + \ in accordance with the contractual agreements:\n\n\u2022 reports on the\ + \ quality of the service provided;\n\n\u2022 certificates of the management\ + \ systems' compliance with international standards;\n\n\u2022 independent\ + \ third-party reports on the suitability and operating effectiveness of their\ + \ service-related internal control systems; and\n\n\u2022 Records of the third\ + \ parties on the handling of vulnerabilities, security incidents and malfunctions.\n\ + \nThe frequency of the monitoring corresponds to the classification of the\ + \ third party based on the risk assessment conducted by the 
Cloud Service\ + \ Provider (cf. SSO-02). The results of the monitoring are included in the\ + \ review of the third party's risk assessment.\n\nIdentified violations and\ + \ deviations are subjected to analysis, evaluation and treatment in accordance\ + \ with the risk management procedure (cf. OIS-07)." + annotation: "The procedures for monitoring compliance with the requirements\ + \ are supplemented by automatic procedures relating to the following aspects:\n\ + \n\u2022 Configuration of system components;\n\n\u2022 Performance and availability\ + \ of system components;\n\n\u2022 Response time to malfunctions and security\ + \ incidents; and\n\n\u2022 Recovery time (time until completion of error handling).\n\ + \nIdentified violations and discrepancies are automatically reported to the\ + \ responsible personnel or system components of the Cloud Service Provider\ + \ for prompt assessment and action.\nEvidence for the review of the suitability\ + \ and operating effectiveness of the service-related internal control system\ + \ include reports in accordance with ISAE 3402, IDW PS 951, SOC 2 or BSI C5.\n\ + \nIn the evidence provided by the third parties, the Cloud Service Provider\ + \ reviews, for example, the following aspects and, if necessary, incorporates\ + \ the findings into the risk assessment in order to derive and initiate mitigating\ + \ actions:\n\n\u2022 The scope and the validity respectively the period covered\ + \ by the evidence;\n\n\u2022 For attestation reports: Qualifications of the\ + \ opinion, included deviations/other observations including management's response\ + \ and corresponding controls to be implemented and executed by the Cloud Service\ + \ Provider;\n\n\u2022 Disclosed subcontractors incl. any changes among those\ + \ (e.g. additional subcontractor); and\n\n\u2022 Stated security incidents." 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:sso-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node100 + ref_id: SSO-05 + name: Exit strategy for the receipt of benefits + description: "The Cloud Service Provider has defined and documented exit strategies\ + \ for the purchase of services where the risk assessment of the service providers\ + \ and suppliers regarding the scope, complexity and uniqueness of the purchased\ + \ service resulted in a very high dependency (cf. Supplementary Information).\n\ + \nExit strategies are aligned with operational continuity plans and include\ + \ the following aspects:\n\n\u2022 Analysis of the potential costs, impacts,\ + \ resources and timing of the transition of a purchased service to an alternative\ + \ service provider or supplier;\n\n\u2022 Definition and allocation of roles,\ + \ responsibilities and sufficient resources to perform the activities for\ + \ a transition;\n\n\u2022 Definition of success criteria for the transition;\ + \ and\n\n\u2022 Definition of indicators for monitoring the performance of\ + \ services, which should initiate the withdrawal from the service if the results\ + \ are unacceptable." 
+ annotation: "A very high dependency can be assumed in the following situations\ + \ in particular:\n\n\u2022 The purchased service is absolutely required for\ + \ the provision of the cloud service \u2013 this situation is given when the\ + \ Cloud Service Provider:\n\n - provides the cloud service from data centres\ + \ operated by third parties; and\n\n - provides a SaaS service and uses\ + \ the IaaS or PaaS of another Cloud Service Provider.\n\n\u2022 The service\ + \ cannot be obtained within one month from an alternative service provider\ + \ or supplier, as: \n\n - It is unique on the market and no other supplier\ + \ can deliver it;\n\n - It is strongly individualised by the service provider\ + \ or supplier and/or the Cloud Service Provider;\n\n - It cannot be supplied\ + \ by any other provider in the required quality of service; and\n\n - It\ + \ requires specific knowledge that is only/mainly available to the current\ + \ service provider or supplier and not to the Cloud Service Provider." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node106 + assessable: false + depth: 1 + name: Security Incident Management (SIM) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:sim-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node106 + ref_id: SIM-01 + name: Policy for security incident management + description: 'Policies and instructions with technical and organisational safeguards + are documented, communicated and provided in accordance with SP-01 to ensure + a fast, effective and proper response to all known security incidents. + + + The Cloud Service Provider defines guidelines for the classification, prioritisation + and escalation of security incidents and creates interfaces to the incident + management and business continuity management. 
+ + + In addition, the Cloud Service Provider has set up a "Computer Emergency Response + Team" (CERT), which contributes to the coordinated resolution of occurring + security incidents. + + + Customers affected by security incidents are informed in a timely and appropriate + manner.' + annotation: There are instructions as to how the data of a suspicious system + can be collected in a conclusive manner in the event of a security incident. + In addition, there are analysis plans for typical security incidents and an + evaluation methodology so that the collected information does not lose its + evidential value in any subsequent legal assessment. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:sim-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node106 + ref_id: SIM-02 + name: Processing of security incidents + description: Subject matter experts of the Cloud Service Provider, together + with external security providers where appropriate, classify, prioritise and + perform root-cause analyses for events that could constitute a security incident. + annotation: The Cloud Service Provider simulates the identification, analysis + and defence of security incidents and attacks at least once a year through + appropriate tests and exercises (e.g. Red Team training). + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:sim-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node106 + ref_id: SIM-03 + name: Documentation and reporting of security incidents + description: After a security incident has been processed, the solution is documented + in accordance with the contractual agreements and the report is sent to the + affected customers for final acknowledgement or, if applicable, as confirmation. + annotation: 'The customer can either actively approve solutions or the solution + is automatically approved after a certain period. 
+ + + Information on security incidents or confirmed security breaches is made available + to all affected customers. + + + The contract between the Cloud Service Provider and the cloud customer regulates + which data is made available to the cloud customer for his own analysis in + the event of security incidents.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:sim-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node106 + ref_id: SIM-04 + name: Duty of the users to report security incidents to a central body + description: 'The Cloud Service Provider informs employees and external business + partners of their obligations. If necessary, they agree to or are contractually + obliged to report all security events that become known to them and are directly + related to the cloud service provided by the Cloud Service Provider to a previously + designated central office of the Cloud Service Provider promptly. + + + In addition, the Cloud Service Provider communicates that "false reports" + of events that do not subsequently turn out to be incidents do not have any + negative consequences.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:sim-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node106 + ref_id: SIM-05 + name: Evaluation and learning process + description: Mechanisms are in place to measure and monitor the type and scope + of security incidents and to report them to support agencies. The information + obtained from the evaluation is used to identify recurrent or significant + incidents and to identify the need for further protection. + annotation: Supporting bodies may be external service providers or government + agencies such as the BSI. 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node112 + assessable: false + depth: 1 + name: Business Continuity Management (BCM) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:bcm-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node112 + ref_id: BCM-01 + name: Top management responsibility + description: 'The top management (or a member of the top management) of the + Cloud Service Provider is named as the process owner of business continuity + and emergency management and is responsible for establishing the process within + the company as well as ensuring compliance with the guidelines. They must + ensure that sufficient resources are made available for an effective process. + + + People in management and other relevant leadership positions demonstrate leadership + and commitment to this issue by encouraging employees to actively contribute + to the effectiveness of continuity and emergency management.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:bcm-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node112 + ref_id: BCM-02 + name: Business impact analysis policies and instructions + description: "Policies and instructions to determine the impact of any malfunction\ + \ to the cloud service or enterprise are documented, communicated and made\ + \ available in accordance with SP-01. 
The following aspects are considered\ + \ as minimum:\n\n\u2022 Possible scenarios based on a risk analysis;\n\n\u2022\ + \ Identification of critical products and services\n\n\u2022 Identify dependencies,\ + \ including processes (including resources required), applications, business\ + \ partners and third parties;\n\n\u2022 Capture threats to critical products\ + \ and services;\n\n\u2022 Identification of effects resulting from planned\ + \ and unplanned malfunctions and changes over time;\n\n\u2022 Determination\ + \ of the maximum acceptable duration of malfunctions;\n\n\u2022 Identification\ + \ of restoration priorities;\n\n\u2022 Determination of time targets for the\ + \ resumption of critical products and services within the maximum acceptable\ + \ time period (RTO);\n\n\u2022 Determination of time targets for the maximum\ + \ reasonable period during which data can be lost and not recovered (RPO);\ + \ and\n\n\u2022 Estimation of the resources needed for resumption." + annotation: Scenarios to be considered according to the basic criterion are, + for example, the loss of personnel, buildings, infrastructure and service + providers. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:bcm-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node112 + ref_id: BCM-03 + name: Planning business continuity + description: "Based on the business impact analysis, a single framework for\ + \ operational continuity and business plan planning will be implemented, documented\ + \ and enforced to ensure that all plans are consistent. 
Planning is based\ + \ on established standards, which are documented in a \"Statement of Applicability\"\ + .\n\nBusiness continuity plans and contingency plans take the following aspects\ + \ into account:\n\n\u2022 Defined purpose and scope with consideration of\ + \ the relevant dependencies;\n\n\u2022 Accessibility and comprehensibility\ + \ of the plans for persons who are to act accordingly;\n\n\u2022 Ownership\ + \ by at least one designated person responsible for review, updating and approval;\n\ + \n\u2022 Defined communication channels, roles and responsibilities including\ + \ notification of the customer;\n\n\u2022 Recovery procedures, manual interim\ + \ solutions and reference information (taking into account prioritisation\ + \ in the recovery of cloud infrastructure components and services and alignment\ + \ with customers);\n\n\u2022 Methods for putting the plans into effect;\n\n\ + \u2022 Continuous process improvement; and\n\n\u2022 Interfaces to Security\ + \ Incident Management." + annotation: The consistency of plans according to the basic criterion must also + be maintained when different locations are used. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:bcm-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node112 + ref_id: BCM-04 + name: Verification, updating and testing of the business continuity + description: The business impact analysis, business continuity plans and contingency + plans are reviewed, updated and tested on a regular basis (at least annually) + or after significant organisational or environmental changes. Tests involve + affected customers (tenants) and relevant third parties. The tests are documented + and results are taken into account for future operational continuity measures. 
+ annotation: "In addition to the tests, exercises are also carried out which,\ + \ among other things, have resulted in scenarios from security incidents that\ + \ have already occurred in the past.\nTests are primarily conducted at the\ + \ operational level and are aimed at operational target groups. Tests include\ + \ e.g.:\n\n\u2022 Test of technical precautionary measures;\n\n\u2022 Functional\ + \ tests; and\n\n\u2022 Plan review.\nExercises also take place on a tactical\ + \ and strategic level. These include e.g.:\n\n\u2022 Plan meeting;\n\n\u2022\ + \ Staff exercise;\n\n\u2022 Command post exercise;\n\n\u2022 Communication\ + \ and alerting exercise;\n\n\u2022 Simulation of scenarios; and\n\n\u2022\ + \ Emergency or full exercise.\n\nAfter a completed exercise:\n\n\u2022 Review\ + \ and possible adaptation of the existing alarm plan.\nRelevant third parties\ + \ are in particular service providers and suppliers of the Cloud Service Provider\ + \ who contribute to the provision of the cloud service (cf. basic criteria\ + \ SSO-02 and SSO-05)." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node117 + assessable: false + depth: 1 + name: Compliance (COM) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:com-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node117 + ref_id: COM-01 + name: Identification of applicable legal, regulatory, self-imposed or contractual + requirements + description: The legal, regulatory, self-imposed and contractual requirements + relevant to the information security of the cloud service as well as the Cloud + Service Provider's procedures for complying with these requirements are explicitly + defined and documented. + annotation: "The Cloud Service Provider's documentation may refer to the following\ + \ requirements, among others:\n\n\u2022 Requirements for the protection of\ + \ personal data (e.g. 
EU General Data Protection Regulation);\n\n\u2022 Compliance\ + \ requirements based on contractual obligations with cloud customers (e.g.\ + \ ISO/IEC 27001, SOC 2, PCI-DSS);\n\n\u2022 generally accepted accounting\ + \ principles (e.g. in accordance with HGB or IFRS);\n\n\u2022 Requirements\ + \ regarding access to data and auditability of digital documents (e.g. according\ + \ to GDPdU); and\n\n\u2022 Other laws (e.g. according to BSIG or AktG)." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:com-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node117 + ref_id: COM-02 + name: Policy for planning and conducting audits + description: "Policies and instructions for planning and conducting audits are\ + \ documented, communicated and made available in accordance with SP-01 and\ + \ address the following aspects:\n\n\u2022 Restriction to read-only access\ + \ to system components in accordance with the agreed audit plan and as necessary\ + \ to perform the activities;\n\n\u2022 Activities that may result in malfunctions\ + \ to the cloud service or breaches of contractual requirements are performed\ + \ during scheduled maintenance windows or outside peak periods; and\n\n\u2022\ + \ Logging and monitoring of activities." + annotation: The Cloud Service Provider grants its cloud customers contractually + guaranteed information and audit rights. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:com-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node117 + ref_id: COM-03 + name: Internal audits of the information security management system + description: "Subject matter experts check the compliance of the information\ + \ security management system at regular intervals, at least annually, with\ + \ the relevant and applicable legal, regulatory, self-imposed or contractual\ + \ requirements (cf. COM-01) as well as compliance with the policies and instructions\ + \ (cf. 
SP-01) within their scope of responsibility (cf. OIS-01) through internal\ + \ audits (cf. \xA7 9.2 of ISO/IEC 27001).\n\nIdentified vulnerabilities and\ + \ deviations are subject to risk assessment in accordance with the risk management\ + \ procedure (cf. OIS-06) and follow-up measures are defined and tracked (cf.\ + \ OPS-18)." + annotation: "Internal audits are supplemented by procedures to automatically\ + \ monitor applicable requirements of policies and instructions with regard\ + \ to the following aspects:\n\n\u2022 Configuration of system components to\ + \ provide the cloud service within the Cloud Service Provider's area of responsibility;\n\ + \n\u2022 Performance and availability of these system components;\n\n\u2022\ + \ Response time to malfunctions and security incidents;\n\n\u2022 Recovery\ + \ time (time to completion of error handling);\n\nIdentified vulnerabilities\ + \ and deviations are automatically reported to the appropriate Cloud Service\ + \ Provider\u2019s subject matter experts for immediate assessment and action.\n\ + \ \nCloud customers can view compliance with selected contractual requirements\ + \ in real time.\nSubject matter experts operate, e.g., in the Cloud Service\ + \ Provider's internal revision department or expert third parties commissioned\ + \ by the Cloud Service Provider, such as auditing companies, and may hold\ + \ relevant certifications such as \"Certified Internal Auditor (CIA)\". \n\ + \nWith regard to ISMS compliance, see Section 9.2 of ISO/IEC 27001." 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:com-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node117 + ref_id: COM-04 + name: Information on information security performance and management assessment + of the ISMS + description: The top management of the Cloud Service Provider is regularly informed + about the information security performance within the scope of the ISMS in + order to ensure its continued suitability, adequacy and effectiveness. The + information is included in the management review of the ISMS at is performed + at least once a year. + annotation: 'The top management is a natural person or group of people who make + final decisions for the institution and are responsible for these. + + + The aspects to be dealt with in the management review of the ISMS are listed + in Section 9.3 of ISO / IEC 27001.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node122 + assessable: false + depth: 1 + name: Dealing with investigation requests from government agencies (INQ) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:inq-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node122 + ref_id: INQ-01 + name: Legal Assessment of Investigative Inquiries + description: Investigation requests from government agencies are subjected to + a legal assessment by subject matter experts of the Cloud Service Provider. + The assessment determines whether the government agency has an applicable + and legally valid legal basis and what further steps need to be taken. 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:inq-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node122 + ref_id: INQ-02 + name: Informing Cloud Customers about Investigation Requests + description: The Cloud Service Provider informs the affected Cloud Customer(s) + without undue delay, unless the applicable legal basis on which the government + agency is based prohibits this or there are clear indications of illegal actions + in connection with the use of the Cloud Service. + annotation: This does not affect other legal or regulatory requirements that + requires earlier information for cloud customers. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:inq-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node122 + ref_id: INQ-03 + name: Conditions for Access to or Disclosure of Data in Investigation Requests + description: Access to or disclosure of cloud customer data in connection with + government investigation requests is subject to the proviso that the Cloud + Service Provider's legal assessment has shown that an applicable and valid + legal basis exists and that the investigation request must be granted on that + basis. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:inq-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node122 + ref_id: INQ-04 + name: Limiting Access to or Disclosure of Data in Investigation Requests + description: 'The Cloud Service Provider''s procedures establishing access to + or disclosing data of cloud customers in the context of investigation requests + from governmental agencies ensure that the agencies only gain access to or + insight into the data that is the subject of the investigation request. 
+ + + If no clear limitation of the data is possible, the Cloud Service Provider + anonymises or pseudonymises the data so that government agencies can only + assign it to those cloud customers who are subject of the investigation request.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:node127 + assessable: false + depth: 1 + name: Product Safety and Security (PSS) + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:pss-01 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node127 + ref_id: PSS-01 + name: Guidelines and Recommendations for Cloud Customers + description: "The Cloud Service Provider provides cloud customers with guidelines\ + \ and recommendations for the secure use of the cloud service provided. The\ + \ information contained therein is intended to assist the cloud customer in\ + \ the secure configuration, installation and use of the cloud service, to\ + \ the extent applicable to the cloud service and the responsibility of the\ + \ cloud user.\n\nThe type and scope of the information provided will be based\ + \ on the needs of subject matter experts of the cloud customers who set information\ + \ security requirements, implement them or verify the implementation (e.g.\ + \ IT, Compliance, Internal Audit). The information in the guidelines and recommendations\ + \ for the secure use of the cloud service address the following aspects, where\ + \ applicable to the cloud service:\n\n\u2022 Instructions for secure configuration;\n\ + \n\u2022 Information sources on known vulnerabilities and update mechanisms;\n\ + \n\u2022 Error handling and logging mechanisms;\n\n\u2022 Authentication mechanisms;\n\ + \n\u2022 Roles and rights concept including combinations that result in an\ + \ \nelevated risk; and\n\n\u2022 Services and functions for administration\ + \ of the cloud service by privileged users. 
\n\nThe information is maintained\ + \ so that it is applicable to the cloud service provided in the version intended\ + \ for productive use." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:pss-02 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node127 + ref_id: PSS-02 + name: Identification of Vulnerabilities of the Cloud Service + description: "The Cloud Service Provider applies appropriate measures to check\ + \ the cloud service for vulnerabilities which might have been integrated into\ + \ the cloud service during the software development process.\n\nThe procedures\ + \ for identifying such vulnerabilities are part of the software development\ + \ process and, depending on a risk assessment, include the following activities:\n\ + \n\u2022 Static Application Security Testing;\n\n\u2022 Dynamic Application\ + \ Security Testing;\n\n\u2022 Code reviews by the Cloud Service Provider's\ + \ subject matter experts; and\n\n\u2022 Obtaining information about confirmed\ + \ vulnerabilities in software libraries provided by third parties and used\ + \ in their own cloud service.\n\nThe severity of identified vulnerabilities\ + \ is assessed according to defined criteria and measures are taken to immediately\ + \ eliminate or mitigate them." + annotation: 'The procedures for identifying such vulnerabilities also include + annual code reviews or security penetration tests by qualified external third + parties. + + Known vulnerabilities in externally related system components (e.g. operating + systems) used for the development and provision of the cloud service but not + going through the Cloud Service Provider''s software development process are + the subject of criteria OPS-23 (Management of vulnerabilities, malfunctions + and errors - open vulnerability assessment).' 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:pss-03 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node127 + ref_id: PSS-03 + name: Online Register of Known Vulnerabilities + description: "The Cloud Service Provider operates or refers to a daily updated\ + \ online register of known vulnerabilities that affect the Cloud Service Provider\ + \ and assets provided by the Cloud Service Provider that the cloud customers\ + \ have to install, provide or operate themselves under the customers responsibility.\n\ + \nThe presentation of the vulnerabilities follows the Common Vulnerability\ + \ Scoring System (CVSS).\n\nThe online register is easily accessible to any\ + \ cloud customer. The information contained therein forms a suitable basis\ + \ for risk assessment and possible follow-up measures on the part of cloud\ + \ users. \n\nFor each vulnerability, it is indicated whether software updates\ + \ (e.g. patch, update) are available, when they will be rolled out and whether\ + \ they will be deployed by the Cloud Service Provider, the cloud customer\ + \ or both of them together." + annotation: 'Assets provided by the Cloud Service Provider, which must be installed, + provided or operated by cloud users within their area of responsibility, are + equipped with automatic update mechanisms. After approval by the respective + cloud user, software updates can be rolled out in such a way that they can + be distributed to all affected users without human interaction. + + Assets provided by the Cloud Service Provider that cloud customers have to + install, deploy or operate themselves in their area of responsibility are + for example local software clients and apps as well as tools for integrating + the cloud service. + + + If the cloud service relies on other cloud services, this registry has to + incorporate or refer to the vulnerabilities of those other cloud services + in order for this criterion to be met.' 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:pss-04 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node127 + ref_id: PSS-04 + name: Error handling and Logging Mechanisms + description: "The cloud service provided is equipped with error handling and\ + \ logging mechanisms. These enable cloud users to obtain security-related\ + \ information about the security status of the cloud service as well as the\ + \ data, services or functions it provides.\n\nThe information is detailed\ + \ enough to allow cloud users to check the following aspects, insofar as they\ + \ are applicable to the cloud service:\n\n\u2022 Which data, services or functions\ + \ available to the cloud user within the cloud service, have been accessed\ + \ by whom and when (Audit Logs);\n\n\u2022 Malfunctions during processing\ + \ of automatic or manual actions; and\n\n\u2022 Changes to security-relevant\ + \ configuration parameters, error handling and logging mechanisms, user authentication,\ + \ action authorisation, cryptography, and communication security.\n\nThe logged\ + \ information is protected from unauthorised access and modification and can\ + \ be deleted by the Cloud Customer.\n\nIf the cloud customer is responsible\ + \ for the activation or type and scope of logging, the Cloud Service Provider\ + \ must provide appropriate logging capabilities." + annotation: 'Cloud users can retrieve security-related information via documented + interfaces which are suitable for further processing this information as part + of their Security Information and Event Management (SIEM). + + In the case of a SaaS service for secure data exchange, the terms data, services + or functions would mean, for example, the logging of all read or write accesses + to the stored files and their metadata.' 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:pss-05 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node127 + ref_id: PSS-05 + name: Authentication Mechanisms + description: "The Cloud Service Provider provides authentication mechanisms\ + \ that can force strong authentication (e.g. two or more factors) for users,\ + \ IT components or applications within the cloud users' area of responsibility.\n\ + These authentication mechanisms are set up at all access points that allow\ + \ users, IT components or applications to interact with the cloud service.\ + \ \n\nFor privileged users, IT components or applications, these authentication\ + \ mechanisms are enforced." + annotation: 'The cloud service offers out-of-band authentication (OOB), in which + the factors are transmitted via different channels (e.g. Internet and mobile + network). + + IT components in the sense of this criterion are independently usable objects + with external interfaces that can be connected with other IT components. + + + Access points in the sense of this criterion are those that can be accessed + by users, IT components or applications via networks (for users, for example, + the login screen on the publicly accessible website of the Cloud Service Provider). + + + Multi-factor authentication can be performed with cryptographic certificates, + smart cards or tokens, for example.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:pss-06 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node127 + ref_id: PSS-06 + name: Session Management + description: To protect confidentiality, availability, integrity and authenticity + during interactions with the cloud service, a suitable session management + system is used that at least corresponds to the state-of-the-art and is protected + against known attacks. Mechanisms are implemented that invalidate a session + after it has been detected as inactive. 
The inactivity can be detected by + time measurement. In this case, the time interval can be configured by the + Cloud Service Provider or - if technically possible - by the cloud customer. + annotation: Known attacks include manipulation, forgery, session takeover, denial + of service attacks, enveloping, replay and null cipher attacks. + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:pss-07 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node127 + ref_id: PSS-07 + name: Confidentiality of Authentication Information + description: "If passwords are used as authentication information for the cloud\ + \ service, their confidentiality is ensured by the following procedures:\n\ + \n\u2022 Users can initially create the password themselves or must change\ + \ an initial password when logging in to the cloud service for the first time.\ + \ An initial password loses its validity after a maximum of 14 days.\n\n\u2022\ + \ When creating passwords, compliance with the length and complexity requirements\ + \ of the Cloud Service Provider (cf. IDM-09) or the cloud customer is technically\ + \ enforced.\n\n\u2022 The user is informed about changing or resetting the\ + \ password.\n\n\u2022 The server-side storage takes place using state-of-the-art\ + \ cryptographically strong hash functions in combination with at least 32-bit\ + \ long salt values." + annotation: "The state-of-the-art regarding cryptographically strong hash functions\ + \ is described in the current version of the BSI Technical Guideline TR-02102-1\ + \ \"Cryptographic mechanisms: Recommendations and key lengths\". In version\ + \ 2019-01 of this guideline these were:\n\n\u2022 SHA-256, SHA-512/256, SHA-384,\ + \ SHA-512; and\n\n\u2022 SHA3-256, SHA3-384, SHA3-512." 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:pss-08 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node127 + ref_id: PSS-08 + name: Roles and Rights Concept + description: 'The Cloud Service Provider provides cloud users with a roles and + rights concept for managing access rights. It describes rights profiles for + the functions provided by the cloud service. + + + The rights profiles are suitable for enabling cloud users to manage access + authorisations and permissions in accordance with the principle of least-privilege + and how it is necessary for the performance of tasks ("need-to-know principle") + and to implement the principle of functional separation between operational + and controlling functions ("separation of duties").' + annotation: "In IaaS, a role and rights concept would describe, among other\ + \ things, the rights profiles for the following functions of the cloud service:\n\ + \n\u2022 Administration of the states of virtual machines (start, \npause,\ + \ stop) as well as for their migration or monitoring;\n\n\u2022 Management\ + \ of available images that can be used to create virtual machines; and\n\n\ + \u2022 Management of virtual networks (e.g. configuration of virtual routers\ + \ and switches)." + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:pss-09 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node127 + ref_id: PSS-09 + name: Authorisation Mechanisms + description: 'Access to the functions provided by the cloud service is restricted + by access controls (authorisation mechanisms) that verify whether users, IT + components, or applications are authorised to perform certain actions. + + + The Cloud Service Provider validates the functionality of the authorisation + mechanisms before new functions are made available to cloud users and in the + event of changes to the authorisation mechanisms of existing functions (cf. + DEV-06). 
The severity of identified vulnerabilities is assessed according + to defined criteria based on industry standard metrics (e.g. Common Vulnerability + Scoring System) and measures for timely resolution or mitigation are initiated. + Vulnerabilities that have not been fixed are listed in the online register + of known vulnerabilities (cf. PSS-02).' + annotation: Access controls are attribute-based to enable granular and contextual + checks against multiple attributes of a user, IT component, or application + (e.g., role, location, authentication method). + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:pss-10 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node127 + ref_id: PSS-10 + name: Software Defined Networking + description: 'If the Cloud Service offers functions for software-defined networking + (SDN), the confidentiality of the data of the cloud user is ensured by suitable + SDN procedures. + + + The Cloud Service Provider validates the functionality of the SDN functions + before providing new SDN features to cloud users or modifying existing SDN + features. Identified defects are assessed and corrected in a risk-oriented + manner.' + annotation: 'This criterion is typically not applicable to the SaaS service + model. + + + Suitable SDN methods for increasing confidentiality are, for example, L2 overlay + networking (tagging) or tunnelling/encapsulation.' 
+ - urn: urn:intuitem:risk:req_node:bsi-c5-2020:pss-11 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node127 + ref_id: PSS-11 + name: Images for Virtual Machines and Containers + description: "If cloud customers operate virtual machines or containers with\ + \ the cloud service, the Cloud Service Provider must ensure the following\ + \ aspects:\n\n\u2022 The cloud customer can restrict the selection of images\ + \ of virtual machines or containers according to his specifications, so that\ + \ users of this cloud customer can only launch the images or containers released\ + \ according to these restrictions.\n\n\u2022 If the Cloud Service Provider\ + \ provides images of virtual machines or containers to the Cloud Customer,\ + \ the Cloud Service Provider appropriately inform the Cloud Customer of the\ + \ changes made to the previous version.\n\n\u2022 In addition, these images\ + \ provided by the Cloud Service Provider are hardened according to generally\ + \ accepted industry standards." + annotation: 'At startup and runtime of virtual machine or container images, + an integrity check is performed that detects image manipulations and reports + them to the cloud customer. + + This criterion is typically not applicable to the SaaS service model. + + + Generally accepted industry standards are, for example, the Security Configuration + Benchmark of the Centre for Internet Security (CIS) or the corresponding modules + in the BSI IT-Grundschutz-Kompendium.' + - urn: urn:intuitem:risk:req_node:bsi-c5-2020:pss-12 + assessable: true + depth: 2 + parent_urn: urn:intuitem:risk:req_node:bsi-c5-2020:node127 + ref_id: PSS-12 + name: Locations of Data Processing and Storage + description: 'The cloud customer is able to specify the locations (location/country) + of the data processing and storage including data backups according to the + contractually available options. + + + This must be ensured by the cloud architecture.' 
+ annotation: 'This criterion supplements the General Condition BC-01. + + + The cloud architecture must exist in such a way that it enables the technical + design of the IT infrastructure to provide the cloud service in accordance + with the data location specifications agreed with the customer.' 
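Review bot: In the PSS-05 and PSS-11 entries the `annotation` field opens with a sentence that reads as a further requirement ("The cloud service offers out-of-band authentication (OOB) ...", "At startup and runtime of virtual machine or container images, an integrity check is performed ...") and then continues with definitions and applicability notes with no separator, so an assessor cannot tell what is to be assessed from what is guidance; the PSS-09 annotation ("Access controls are attribute-based ...") is the same kind of statement. Suggest separating requirement-like text from explanatory notes with a label or a dedicated field. Smaller points in the same entries: the PSS-08 annotation carries a stray line break inside "(start, \npause, stop)", the PSS-05 description has a trailing space before "\n\n", and the PSS-11 description reads "the Cloud Service Provider appropriately inform the Cloud Customer" (should be "informs", and the capitalisation of "Cloud Customer" differs from "cloud customer" in the surrounding entries). If these come from the spreadsheet under tools/bsi/, fix them there so a regenerated YAML keeps the corrections.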
diff --git a/tools/bsi/bsi-c5-2020.xlsx b/tools/bsi/bsi-c5-2020.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..cadad42a2b2091471f26556b399d34ce3ddc01dd GIT binary patch literal 59450
zU2Ygm@_jv`u6-`JU&|T1#>MP(4GVn&z_LzcakpVAHz$Mi9jw!bU=F|5}iq?>>yP5emIR4XMe6jS}oL5-)%u^Yc z&7BwNF1q&;>KOv&AhbZFixGAsPAJ~SJ}#`0Nl~<_Ma?w$wGvmuvTXN{R`X;_ydSCK z%2;fOR@3b=_8lFb21Ve1axz&KFhd+^eHI7#q1^zdHF*kZvJ#?DKEj1UqcLQL^Dqp9TEN)gnwDePAh`y4uB^FF_+bELSj=h*rJnW z5XAt)Obf1KW6>;HFyf;dbdJ4n_UU1Q3c1?LVu`TPDA(!?bX+E*z$HFs3%Wi57E6A= zjx(BRwDwq#ZLoyQ`kXaa4_7~`A*s7pDoaV2G~(D-yaok&WY18TSR~5Wd|FprN_R^y z3IB}S1EwKlYG$`Z)*RV=IMiAg*J$4|z;kCrL%C94HuaP-Xc75H!??Y+(J4zv4iJBNhOlk@$h(y)VnpBxlVy`@=Wa{3q_J}}R&(8A07bfi z#9*>Rj0QyWk+rh>IyFZduvjsoOWzX?m=l?j2+~F9>ER|AhCa`VQILLQv^l2< z1@Q;g!0WG3#Kya~eiloP^F(KKeF;fV>y_&L|L}37$5q--PC%SLjxhKj@n|bMqO@5M zUO5lF)~McgQeOjuGI{ZrnNsT}gMM(qPb9p)&7n)OgG5JLzjFq)55Ug4d0?_^j` zdWV_#C=*vJgNW8_TFi&KdJEX}bZZ3}W1|TqK=aQhTk+*#ouMzmQZF(R5h^l^?3+g{ zAiuAC>Sd)iAYm195OV5d^%G=;2e*2j)xoR1moJ_pY*fJI{Yy`bQ|ryM$SP{sBlbO- z1%ud(nbh1wa@(@1$!)nu*RiMkI21IT92r zcTYhl%XE@bUCCaGO&bVPhhwM4=edNg3hd=p>eIJ*9RpQ1uBQ2$9D9Lmfmr&;@p)P%7XGbgimScZd0_RF`q zy14)lZp>8eM8EPYSFX8)w}yw>AvLnY9G2~c``=NK!E|z-suc+LfqsOlSEwO={eEM8 zsTY8+45#~fBmB`e3T_7c2Y;{0QrWRza5KHhtdTbKBv6!G)LJ$87`LT~gUV*)Zu18v zA~soy$Chv|o}BE(72qmP_QFUkgfAX?E{AVtvn6@vQvy&l5$cNixpvwJu8qwFG~t;? 
z^s&$XGCW9d1U$pleAEBGnpbE4`roeq^*`m7CamxneyOU0lWgl3y2+j6kdYW%30u39 zKV$Is9hh;ZSnFyrTU`Fxpu>_D-VH&&2$?PMPNlwK4nOZ@0HnP65xW#z|}`n3JQ+E-KeV1A&1)n9}+)oxRLp|7~p#hEoEVpnY&(VF*zrZ z&$5QXAa|_abPWZQU!w?pB+xgVkgwc4>NZKwfnavJT+-!MFRh z_-rt=;K#z5~2ue!CBg4#y2s={w%qLJiaR4R0r`h4OS$#Nm z2^FY3^Q`9e`3Xye)Ia5nM{jpRQ_M43O-0N+uSx6^6(@1|Ak?8^IbTBa&iRME-~}uAtIH9<55wYNMAZdom$&1T=_7AcTfridbv4cT#2UCXkVlBCz+eRZ2EV!M`x- zphGB4m3AViPV6~|${#plvJp}eYZZnnsR*0k z8)D$uDosxF*$Dj@CLK)^n%rOESXulSm*|T#Cnl&Vp@0j9m}DOv0@vsRStgw6acrF z`-*+iFM1IU5|rE_1*5u0L>n<%gEG;A6Gv3V*r0RC$}&sJM0V<3TdxIIlH)a_d}+7a z>5DgvWSaC}c)^&-oi1|Dyq^rB!=C?fg3J(^@9sNHe>WQC!euMU8WJBlq;>ZPCb6fC$5wE#hhYW>pMmR9CJr_H;+5k`zL61CKV;wut>FBq9RlcAP2wPOR8P*-)GmYVEU3LXSi zbZ7#Z{v=x^yJ+<4$xnxeJaOt^WVd17tpXd!-KT63OY!kJBreWg^MCK?>D*&|*5Y%) zvSsO&_0%n5Wx|xwmZEqWBFFn8O1vf81b2RBLOKb`*(GiPYDH7&t$+)4_JQC!80dQa zlm`I25sFe$%j6L@9J*Gpq>6(m3ZTZ5EaK`)jnK`#^bWqPXGsJ*0g?iBGNcD-TJl+A zvW4=2Ki!i6h1t`pGqR?jn*?~4kpeuk6^+0H@EDK{Am_uN! ztn6jvmDm5DzytkybpVB2+oG%$;|H3+nxsU(ULBqynFo>)jB&hDe&)OF`>$8e^ugg1 zG>xytEw<{&A(tM z0J7qkMGG8x;z)nO>!`c>9&IxuxBap%1nh$4*lK}^w?wfjL#oQZY;9L)g}QAgLIV&s0w9ASqu6Dd0R+; z3Rxh*~Tn;bNiU?PN3gDouTiMZ9m} z%ARH>Tb`4qNbPoj;v>SVJ1N6DTGBe0;W$Yn z%97`!kZg40SargryTwR7_YE?|jPxkr6w{x1B>oU z1xTf8aVInS0=)r4;p3=M4SpCXQ(}7B7^B#Y;Y2guBk7C#*3l^6q zbeVh@_RiUX5n9s3U2R?)m5!t-BQ&l4CbIf!@4Fwr2PkQ;%6-WHzChDP!CJ7ZV+Xm| zgcrcNFTuXYWYNhXIimk%I{e8!#R!Ny3DyVF$pQiX@2r$|jUYZIFh;K(C#<7vc;}={_e+P^nB2Jp<%C5g#Q5$d55=31kxR2T)UZb=x3Zyuv%^4cTuvMBp)*)MD3> z#Iw&S5McF&Ou?dPlQ;B7XW!AS2lF9WEED$&KAAdEDl?VGxJ7D6wR1oH+Zq6 zdCEV`AIwYsBcGBlnW|cseL1_ksW<^94}nFpPw%rYYp+XHt)H-jB`rYWIIClxqx_)G z!9ocJSg{<=4u`I7o1Fs<7b@tda{>grLYEs5i9jnyefC`~hM$OTT zHYnYd;wK0N8q!1n-%w!!DN|G>*tD5paq*_vYd&RC8XQ{`#^lZP%@>ZEza74w}qWoo^e*ffOAxV%Gv!w zijrSRKH=|w`Cp(o(0Tzo=Piq1(f@Fm+`j%dt5fCu=bFv>cx^EKMeSDfj22?eOZblD zj{`IvCe>ReVrek~CBjM%Mc;F&5RN~Rp|PB@7k0-1XWM_>_r1SU4Qs=0zt2PCGKYzv zZU9-+)V04~IEyWUouo!xOy@5JBj;PePegA!Z_+JFV`!aI>(bgk_NH!p(AmJ15=YhrNYn5S 
z?PR*BX)iI!19Q3ll$JV$ifQM{bD(JuW(ptV`j#4I$wIWq%Tm4a5*4L-U3a8iRe-JH zw9#YB6Nj}eXN`CeI2EXu*N03uN`<_yy4oNUDbO3~eMDK~nuKZtdXH0;4+os#HD1Up zxRO-%1J77B{xV0H$reIW@|AQqd#@Y_8e!Tq1?%0w^yp)3Dm)lD?E;6!zlo}r+y4@0 zKBmtd4NtxcJ3w5k@?dW#Nhli{Y$jG8R?e+9v?(Mvjl3|pkhSous$9dx|5o~Z4Qi`g(|^D{Y6vxOZrE>; zgdccsQpiS?%7@KM;SFd!V9%>uN94adttu$%qvfv!XoylL$t-3Z`-RiRD_7$DirH^n5@L?AF7F^XsQ%v%AHyWQXKCxVzo82v0)e%s5;xyh zz@Smkpv&|xhmddD$)`%-LJr`U04QGn}VNJ%Rx;bO$E*+ z{YKMHs0Wj;!lyW?h)roSq^@Bvl+A zRqM%D)dh*IReHe5cH!WWeukG&dcexHO}P}u1R-1k4*8cYQfF8~wX<%45X?2of8K~5 z2e^u!6!bG?ZFdohzucovV@0I0MR!XX8$^(+4VJi3-V@P_AwQpnRB<&{N8dMl?Cn&XNohXoWxG`=mk&_rsm4ImEe^dPjwyJcq zE&Vyd3!GwX*OPk-=7@))qnJ~_=j>KW(cDjW?&2;e$O;ay4qv)4O>tc0Uj+$yZ0ZQj znyzY^g8}-gqPnwQ$pC?!9>GCh*>T=;s1?8ZW&!Y-Ypa#~aaw%T)lat8mTW@->iojST1Ge?CR=S>r1ldK97XdKqsPKFtWKz5t5H zQq*SMYxLb1+SIM;uiH8_k_nS^gHfCsmK{nu{o7l-mq`K169`R2sV>WbD6Wk@d9?jt z=i!5$?T1K)ykFkL#Rymi7yA7A&GlDERggMOfqCP*a;d*Z&-SNU`BK<#9=NmSfpDrg zB`=ulU9t`6)8qHpY+1J1dhvArQSO=Mv5z)CHtRTt;3)I-RS!Nm#Fy9}&p+ds>R38I;BcWrJ(dNVtDCsnxQ_G|( zcze}H@w)Cgs@T_A0JvaH;V`oBbYKkXPR+GT;&7nPSE%0&4z=do%*62mFYhRbW*S|)+^`%C{B$V{1(UgWi5WtB5>!f!hzkxzzkpr z+=^zKRraok!>mw zy)W81B%amh-p%@!zsW~E!f1sln!N}kvopKbS{cl-D-(^a3`{q?5Z*7;Y+#dt9YBEY zWIpbFGRqROWk3AVM2GQLfc~)0VsVdxOc)m*7bgm$c>uFW-)9$w=c-HcSrV7sU`Ti| z`Fxb?t$N5Jv85oZcG4*vI@;W$yadyG3`}|96=F%{B+zyG`I6dmk!TJ?ckSKNaBwR@ z%uQmZ;yx;2Agp5v3k&noTySmqisH5Q-b6@%tsKqBVnCHav0z5;QpO!ERppm-)nC>x zQ5fZ~e5o1z0@ZlM8DaX6zZ#pSl=)g=lxu?wOB36c!{&F@U$j}K%VA+C8j*?YUY`0s zgo->jgFGYQ5Up>TN<=mLILua#hJx0iO*x02O?iE}8!M=8(pXJ|02ITy$gk3Sy~j$sU* z?e5{8X=(ij`}_N|FCOfC^6*bz?L2t+0CkAp{^kek!R>nR;w&^f_#fw8=($e={^Jjo%Vqh>VSZ-FgtuqCas`Xa>_1kzF zS^Ff!UjNtcVaw0$9sMWzBf78#l$Ntrq&T{OCFn)G9*_ zCrO1)r>RreOkPu;NzrW^GHXq*50!GgTcK3MtnG%fohX#EKN4?1BD<}&%uvw)A)?{Z zKeiS_cL5)+meW29qHrTJsHCdt-d^BH_n#N7PMZkrRXYZl1fS=<0do+p( zay1dtfD9F9Q#ZDUuK=ply2sX~WDE?k6T`%&+)eLpAIiA&##q)a(WiNvjC8GZaP`YM z#%_|i4PGI_Hmg;JGKppIBT_Ax7u9+WrXG=Iqj*KFtyDk548h7 z)W?xqT2)e}ykD^)43$wb8yR=H9t~U0c&0C2lwPN;jOCT+;0pZ7dX9M>(UrB@1EuxV 
zO5RvU@#aOFLeLcrhl6br1A41S8K|0k<~oV7o7?=as**Sk!cMM0Qn50R<-4JFqUV^o zC8~SO-Ji+##SNWg9?aV&7LSsA@*?Kx3wNttrh={di1=V8OS#(V#@dv3dZPGDh>}bU zbl+Eq$0ddcP%Co{2F@bjV$C)J1rn=e@gUR41dVZP)>3jFQVGG}aw5n~CtbPucH-qs zDw=99+0V(wf={V)-t}y6{>P7Jzn?$?LtdZ6%%Yy{}Xb9*)A0he*ERmr=QQh`}S+=2m@p1 z9=P{fDAFAznW<_X*y}Vb;C<3)4yc;JAP!MGgH0^^F37L8^oB=@ExbXwVw=#dHs6Y!_gi-iQeXHU;jReBE{ zrrFkfd;a9<-n6Fq96h1bfdmAt>XTuqiVVt>Zd(+YbTw9=Cg@@UXJoinIEk#v<(1Pk z!$t;z0k~a~*p7Z}t||d=t?H52;IXNKzx5}mq*?QOvQ7joFQk%OK|W@+SW)+3$VkNP z)-_CIya1G%h;fSgUE-o}62x}%8<b6M(z@{GT>J$BkFLukN_?GnFfcDe%8k@)X=(*iP?~n5kf0F)~B1%&_?LLl$jT*MnCpaV;W4Kq`R1W`+ zGt@AF<@IxNVXX&dDxo$EP)wOBdh@xQl1qOrYd_`jl~qB zTOF_@Q#LG0Ojnom(CAP)cZ4|IhN;;>J^Ykyn1Ux@hm#<0qsv9!cvLI3=%xcdd2&}s z4a@U3k9J&^z_kxiZC8G`K!HjXvS4s`KKkS+=pRk17?a=Sx?kfotE4NCrs81k!}MI! zdbLx8N>E+T#ap8fn;Jz>D;;%3buQD6|fzgG3g zD(ESkHOl(|uXK5~ny;{UiBz`{;qF9P@H1iAPw)20#V#z7=q+LF!QN}9Z3s9nXQ;e4 zUIWl|*5P~4;-qMgmamt1`^5EMWy+4!hg_VmL6}(2m}~=W0SgON-NVK$ua6TRjUqHw zVo%SQyvWpsy-fEa!!!weO2{?IC-3cj1yfziw)Mt6uyJ>HX9L0Ao#5{79^8VvLvVKq z?h-aGL4zl_Yw&#Bb6?dxx$pdg@2yqUOULNh-J@sEs#U97!i`>=LB|FWNad*e9vEe% zqkKAC2o5{(|3P$PPaX19#IWmyRW<^a1S!jz{v67s^+AejpD?rEJq)_8FI9^#G(R}4iWDp#|L|=xzJfc z!|=Uxs^K@!D09)=E(ZH+v9XqN)g#W{ND#8fT}nSC52K!CO8-*#g8%I?-8~zQ-5!q+ zvB6!@D;YIK-A#?XVdt;YhpQn?knte%;6<-eot1627V3gLw;Rn7DNhEiWL6tsU%30# zpFl`^HUEQ%rz=gg(!}HPM%nC+6+HslY^#lbAN&xKPYlsQSqmDrHd>C!hPN;w(COR7 zU_BbW5S2bIwVKrZS!5c2ty=C#2D5@ZvtFvPCCkKcVk`b*K*O<@kq-eJ5i}&!VQpGB z2!R`Quk)!%DxTy-nD_x4&jC*s@NhU7Z+X2Be|sRkT067)8?JJDbmIpacEx+ddr0kN zttEy01W|c4@5WL&9|6Mdv=qD6C{VhkMlHUJ+qWb2gh2qOU_xDrID$V>f}H}k*(OYgQARn*H9HzLbP9||;s|vj-?pqp zN>zWcv9bIWA1oW3NsELJEzgNaKuuGCYw=+4n|=IxH7NLAAq>NA4CCXg!U8%mKzz@x zO&m130O>PJukh1Mo!1hQEv2YafUZI4OU%cC-VaZMS@)21<`ZW&RcY3F9VI*v*i5#H zP?JYO{0`)j{iKPszysKMQPw!+NOxd^&IWTczQOw8@%Kr6GV^9b{#pZ$f*ZVVpFdOx z`hGnz*XZQy9y&WJ^^#U@d4Z;BP__P{)e@tbGyfn~CFD(6LS=zOn^l3=Lwo2hVO2nq za22iJI&zTQ4`+ACh9=lw(8!Tjfz?q`QDQ%wsB?SkCvs>!=XhU|p9kPOv+d* zWy|<(eeJ?{aGiwhA>Pm~Zz4aZbNoVg=42PbBUc(FoolhDDaL-NkW>GXaP?_^roWYs 
z^Ux=Nj@}}>i>i(ajbQ{mGF0)g?G(y^wywW~Uge%rMe2|_f(s|Q+b^K$5-K@&(mG{P zti&%`p+%Snrg$rIaj#4sIhy6*Q-O>@nlQMt&b)Vj0fu6BaOdWZvA93L$ew zUbjZT?un~5pEcBAe>Ea0Wo+7>fOOoN`#pAph0T|0K0pz%Vpb7dXKHd!-7yYog`>Lv zbeA_Eew%v~-?C?ot8G{52T7y<2%N&HmhDN17(m)1Jc z8Ca4h&w5KD6H?TW2)$#T9&Y-VqOLk}J;D;F6OsaKHH$O}$rLZVXCz)Om9euV#DIiw z-vv`c_5<+I)o9sCnH@%HcI=#IDeJe4vqKNko>OQhL*vCgurGh0Ra?<%x@;oU0Jn#@_wjK8ZChc~2S_g?uJ6y9CnN9E{sbX38h8;(x0GcU~bnN(8fB(V#1&4wZj za!Kl51DYIoYsv@HUMP#4m9DBPsgy6uyK#L4w?Pe0$mo7^#P1bIDX8y8gQ&Y#;k&qy zuL5~p2z4=3)||uwY0K3;y7{@j1@b%0mTspgn!r2ORu1n(o$Qj({fA!xUB?zbtyuw3 zP%u!weAs#0wXh=}r*&gWYS*w{+B-sg1tOM0m)|0(rL~-s_KqO9vg;V&T*)xl$ce!u zK8I8)dg!2eHK-YduYx&PN4Oc&#i-#AhB;Cnr8X1k+MN%GNfTYgDAS^%x_FdZjGFZ5y{Uf8Tz9%pKwwEk4ueH6xe~+&umd&o zqc%Vzk)-)7pR%Up>7^(Oju^siPM%Zsx+w|sjeen9grbUiVOF=JchejUj}<7`9HX(J zDekfCmpNwM(OplrQ`>>5>W1K8zs_}dSvh()Kg@mm7)rjMYkUt#gqm+yXzk(^*lizo zCZqOOKu=y{DZsnDV~G?Xfra`#L#4IL^kOF#Ff$H1`+K zu5^jPPgBNUL>5|W3_#fz-K+IDPH&xctA$U|&t8WM*zs5x`7X%oH9UN#^aSmF7Rk{r z>BWnr>zIjkO7{h`#X(C`v%xxe%2WZgat&D#HKUyj$W!~%1y_Zh3jzL*WImMYpKfBp zunMib!$C030)|xu{Lp1fl@SE%1nrM9GRl` z^J>FChdq-nSrv;bi+>UtE|ntG-*k=b;`UN#l3UJJb<~P*opU zBs$|l1s-R2i|~;Koe7+W_rFYAjR#mzK z$SEdtS)|(({0s_nRz(9C%t(t-?RTel?XCi7WftFr%Fz?lcuxl_gA)x36Ea-_D`9jb zl!YZleKb>`ZYN2;*e>BfA4_|@O*^ir>DGNPflE<2sZbYaQ7@H#hlK2Y$f9%EM2|ao zp(R<+gW+pKzCbM>;8F6fX&)8knXaI6L5AognUl!Pba%R$G>L37*X^RSUzTqf{@h@@ zf(3@IprU}}T1g^4l2bEor~i4SE6YyD%bj{okN|Jg7;?`7;yQHZK|Tz#gxG?XB~Tr% zD~yl|rb9Z35ep`dS(>u&xV&_|oM{WSsKx5CErX8&CeXk`93&8+BE_bL&~MYSO5}FP zGNYYm=8L*tCGthXauUj(yz^KqnCO}0bC{IB!o=BhPUh9tHUNI&__LfCV zatU67P!~`Vq3swjBm4w=g0`TFG48KNo$eG#}z!3Lg8kBbF5;h?q2UeklyHT=_@G{rOFh<#dvb_`h zIwh`0n`sD{UdtU|co*A|7nBQ-yPm~iu!?e(7BjVHN1b$1m}~PamE8r*EWB5R+JfRO z`wPG?{aJo2`jZHCVPk-iHB7`ni6&sn#MEiA;h~hoh#HTkM2tqG`$uLpYq1ADOSBe> zXE43BZTFQKaPhrXJ2hy!YqMkg{blPSyW^MJ>if!izvSA58B_HRoLHwI^PyZ|5RqLzW4Xs`WKYUGkBY|L4TOrc4y zF-!DoTc90{B=t>WwG;f(I0Pij(f&JFC35nJEyvZ6B>ded*P9?V!797S<;E_myn?yp z;6s1gC3CUdJ9WR8L+rdR3Cm9mFZtjvEa&I^rpcGMM?04B;k(14b{j^(E01ezdIAgG 
zWChdhxggpGnI@*vL#nmw6Q?#kM8b=^l=F#7;@x{JNw`6s2ns#EU!Ml>a{1&W-j?N# z7)c-}pIMsm{T3Tv#@E5IxVJC*J`rjtXnXldEEZ(DHinvfr7XzjdzR& zBu-hH?9?9aws;A?_($*gu2Up$744LohyGWNJ)ny3w*gRVj~KazK`WxxbCnfThuW@vGrCz4h zXf_HwUk8QryED2ospCMM;yGG(oz7fe@`QflCwVX9XqX}q>Z>qWH&mrn>dd%?_NbG` zYrad|?t^^unK+0gm~4?QXnw7W<%QPO zF$S?OQ@&xG=?wH+%RJ4lS49PV1g{uE&uPk(v%)7>;ih~4y^y1l65wt;-1U>i02d+r@@7Hg|=kBFP8B2*9wD9qeJ`mVg7c5XGyb$E(@rtR{@B?v)3;wV9Ho zog42P#;}3-)vn87m2`{8)Gxo2?sY|ik&m|GP51%Uaec)f^||=^pU`paFuUMrP%M~xfQVy; zs-sey^0ZdsubiQ63>!PrmJ^)69Xx&a=ck1sh64N^o%a1-f6U^&! z-ginp-;6h~oFA@MYg|;z>!hWO)jp&nmyGR*P z@H@RSf5Xqu?KdnnkyNd5K}zxVsj;%hPh77YTRIa>}>-f zKfaz_zF=SJ@@)ClnwR*!l!~own9Pqj2jPi1;I|TXREW9|XoXN--KxoD0VVP~Vq!*@}9Bz3n*g(+n z1xsF^Jkl4im$n33YRD;=n_!lmCLjTs5T*&?Zf7{2|Cl*{gNHAh%->K4Us z!Lb@0@{~W`zswoCB;SF{9T3R#FyB#ilvdb{1(QM*GolW`)-s0vp7>;&zEHuzv5P5a zoutXVXY9l90NFWm3c0T$G$>jjaZ9dl*MrLk#QGIB`U&51*Zt~3i%|vpaXa={$^pa> z{PvxAc>YkAV0X!%pgCZxO!zmMWSFC~3ZXc~4xZ7IfnVGS!9NLcY()R0^i5?7Pyhhh z--T%GJ@N$z*}&Wap<4t4h~{493ejy7CaldYJ^N2>uK<4dHK85cH|L^CVd zRYqc8R69=$dm?#NHmX!iS*O&Zz=u5Rl^#8=L5=RViZepwdg;~Hc~6}ry@go6Va)6k zv!nCzmD01H2Y1v+zAZGmy*x5YAxl!<7{z(G(X`~I0M>+uP|Yw+@<;5FeQeyEdzyZU z7r7e@HqNA;vOE?K(Tn5kz;O_ZAkkxZQ0nsr=b{y9Pl*pJ-~EA{EU_?wl%OW~RHi8P zkX?a&pV*xM`IbKUa4yvs1-o@kG}VY=?1qW-92kCi+80`GCYAk;>mfn>Is&c@8_Xe2 z*yl1U!nzd+5z!3Bv;QuRc=S%!lu4?7|Bko@jDBuD=K&$3E2@`Q*``_kk8f4PAQTEAXCFp?~GQo}G(#f5FpD z!S4IaR31zy&ny#LI%8GmZ*BN*KiB# z763r~1GxHj$IFhz)6vD&#L?0ApK_J0C^de314+H*f&T}18{seTzccB6G=ZU=gtuS?O?SS$Jfj#421g>u0cIK}C zl=lZOsA!&Q0N^tS@=Y9n-!xeN4Ye|MF*j3lbFp@?{6~gABh|k%^sE5@|0{0&Z#DcG xU;G^|wfQ&r|3n-AjsDYv{~b-S^EdQ={JF9m%v((Z0LX7U+*_3q?f&cP{{f7HnKA$X literal 0 HcmV?d00001 From 12d48a6954d8f5db88cfc04d6f318f7bb347b650 Mon Sep 17 00:00:00 2001 From: Abderrahmane Smimite Date: Sun, 29 Sep 2024 20:51:11 +0200 Subject: [PATCH 2/2] Update description --- backend/library/libraries/bsi-c5-2020.yaml | 4 ++-- tools/bsi/bsi-c5-2020.xlsx | Bin 59450 -> 59424 bytes 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/backend/library/libraries/bsi-c5-2020.yaml b/backend/library/libraries/bsi-c5-2020.yaml index f61608f83..7510c4aa3 100644 --- a/backend/library/libraries/bsi-c5-2020.yaml +++ b/backend/library/libraries/bsi-c5-2020.yaml @@ -2,7 +2,7 @@ urn: urn:intuitem:risk:library:bsi-c5-2020 locale: en ref_id: BSI-C5-2020 name: BSI C5 Library -description: Criteria Catalogue C5 +description: Cloud Computing Compliance Criteria Catalogue (C5) copyright: BSI version: 1 provider: BSI @@ -12,7 +12,7 @@ objects: urn: urn:intuitem:risk:framework:bsi-c5-2020 ref_id: BSI-C5-2020 name: BSI C5 Library - description: Criteria Catalogue C5 + description: Cloud Computing Compliance Criteria Catalogue (C5) min_score: 0 max_score: 100 requirement_nodes: 
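Review bot: In the second hunk, under `objects: framework:`, `name: BSI C5 Library` is left unchanged beside the new description, so the framework object is still labelled as a library and carries no edition year even though its `ref_id` is `BSI-C5-2020`. Consider giving the framework a name that identifies the catalogue and its edition, and keeping "Library" only on the top-level `name:` in the first hunk. The description string is now duplicated in both hunks, and `tools/bsi/bsi-c5-2020.xlsx` changes in the same commit as an opaque binary delta (59450 -> 59424 bytes), so please confirm that the spreadsheet carries the same "Cloud Computing Compliance Criteria Catalogue (C5)" text; if the YAML is produced from that spreadsheet, a mismatch would be silently reverted on the next regeneration.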
diff --git a/tools/bsi/bsi-c5-2020.xlsx b/tools/bsi/bsi-c5-2020.xlsx index cadad42a2b2091471f26556b399d34ce3ddc01dd..f3b7aa838222ed451f3d4582c8ffcb03406eae1e 100644 GIT binary patch delta 28074 delta 28085
zcmZ5{Q*1-x%sV&DIv)p4Qdw6O3CF`lZc(zz&ooB-8;MH**G|ewMwe4E(JDT`dxB1 zo4PY>QrH4T%iNNz9qqKWh0Bb+_AWDwiJl6Ha!lgsqfy1M2(zGiHDgCJL*y}Ji}222 z5i5bt_%^tv%DWnhrl6`hB(keAOqacIl4j$fPs%*B8XyU;eEqu8Nmx^9*z887PFz)8kt!B_pA{UQcRkeoMqskC(p4t;|8(@-WOita@W`hJIt63HI{{j zel=MqptJ;%=+e!9#q|Ki$nXdb|MLA9ur1^v$9#fs7LnE#IXMpB*sO9-BK5Nr<}bU8 zwbgTA1AYyNY~Y$@V5@k*(!^#lPn3_qWDKt0^i-F!b*NV|dpSS|-m(bDXMZ}enmdr) z7>K@pc+?3;EAX~$YhCoe-v5KnT_frYz5~xN>-zW01A56fRgUWLrUUC9I;8)3D#0RS zD1mBzDSt?LSFvocV24PdE_|^cK62i90KLZk7tj!;aE)43LdcFx%E+rN5jM7sKq^P7l;4I-)(dPt@H>cimnH9qf({M&akPDPXo*N}~0 zS9|Dx_UFGi| zl6YD?!tr+W7p5OX8_6A5{PR%CAH1?11kM~x+C3j#eI#86Mo_o1V=)m>r_>R>u45Y0p(!gb5s#Q|&C9dhS zhVf3h*$5<$cDJfu*(&S%i#`QI7{`p7pa?4-`%c^E&<|`ZvOm8*BbdiywYkUYgSgaQ zSft1O%u2b|{)N=rg@)~z-zlU+zT+9z!j6z5+}H!{#~<^{jj8Q}g>)u`w5J*5hEzD_ zRpyQbhN$tETe%QI4sq)dLv$-qD0{*|Ff+vXgPxvjFK!bDEM41hU z@79ZvSKwd1fq;B|g8cVLO*3`~VMYk63w8+%3QAW2UFbA`U@7@HD+}JZcxW252$7_H zt4myc9QL@a2$$VSIPtK{IeWN?bZ7y`0ub{r-1`hir^F2t+qQ1rUpK$$0|d4i-6gd@ zd6Rz?VeTM2`8g)j{^C;Ke6P(L8|`W!r3>Ow2p7c?6ACdud2M`e8 zZ=X5LBTX^9IBuGWwj-|rU|V?ZnQL`(8h^93JT`0s7l zfiyYcS4t2YL{yNpNq9Oh%$T$)_#lMp%hUn%$I+||NEjo67HZ@W>UZ9d?&VflaN1bT zE!>xsId^*R$v7-%`f)Ln{)vCAWv)jxAIX|f4KNh-C8$x5<*wtp&T~{G1#qP&hK=61 zLGff0tn2Z-yN-p+Ki{+j8-!9azZJq+iyTH6Vt{~f1f|d;-~geuvLHaw48Na?UIwLFyhugtQj4@e%{2E&q8ab z5Ll6^r7RdRmq6gw!p&E!z8v@-3n-h=+rnv7L88 z?7xO<5@+F5U;?;$G->Hm`&9<7Wy^hVSmd@s_(*7mtn+hd#zjQN6^-cl8qtmv><?>*NN)m1z24fonxGg`PK_@y zv*3M`vjKoM)Y69+D6gud?6-prHjK{yAwK7KQZFVJj6&bi9>z3>=DJk$F_m#)=0qci zME%8~F&>k_wuc@w?B2lr!&H*1l`zyunE+xGhzYtOK1=aU42I>CSx_CAufZ`*(1$(v zJUZ^W@P__>t(vQU5s%M>*jbwcKZpvRj1$m|DoONTWiad~->ury`gBtv2C z8L+OEjGHDXTQcegeQm6!2;M z*#LZ|+-B4Xectu1I_~raybgYNJz0A{zx}Doc^kA3@Lo3%T-)jWZTR`ojW6i`_Ig*I zU`RyU3zrs3+Y6h9p4;5?d;;_(Ne;k zqI<6Vt&whBw_!Q~>Sj26)XAp5 z#AGN(?0+~{Nd(B`dM^wd7LN6rWo;(QxHSvokSBIsIioYy{bDiT|3kG*{D;Ddd-^w3 z!CCwvCMZ2LPkz+H>N%uD3>%}FgrZutsgviorstrn&eW^%fYVzxs0jGA=x8hum8 zz6Q8l_C}!cMr4-W_wMB8B_CEw;0Ln^4Ux}5=ION8$Yz%8V8p?ijv@hJ8bpm&>mNUy 
zTR6I=WG~9oK6=iw1cMa+a5n$y`$NjI26r@>=Q(i3wPELxtaoZQY@KX_FUy&t!Cn;B z&NNqod)P``=Q&Cf5lC@zip~gaxFD^+KZrN!}EZnw05`_MCjj z+A2TU7O;v4evvVHdq}udeMoWrJab}}ku1v~o|$5@73dgzMkYyhIdeJ-)0$hmaH8Uh z+aXELxnHt1`ObTODntS_O(wc!s&P8A%SawKDOp&E{9UlXI8u#Kn)o>=huJT;4dOQ@ zS1kvN-_0mlmSvE#dXt@HvEp;Pc7`vAwWrFXSUx#dZXzxtwX4p<8uTyvJTX&v#Rj#6 zjm@$!b#a^fv;+;EdRFR~)l8T&tvv{|;q@<^xdmkw;}MHrSx^9gCd1<%Z$8O}Fct?j zS!^L}lo~(vCOqXZtWq`pK7FV|eYE5{0SCo?bwvWI!w%Xg6!CsNHuY`jT$i5l=$)Ab zG+BmV-jS)lH$u zm(BHWn%{Y1k){CtoBv?6yC14`V+%<UI%fW%!g1id4z`Qo1+OYqIK!I z_gH8tGP}DTJgnoPtm`fR!O&9VO3_JG>b1gwN?aedG=BQUr2K zS5kbt5B#+-I(Xy`qz?jBsER_*!?g2O%|?f+Ygd32mK$kl>Z8&@2#x;06?X~CEgR-& z4oI+KbbKREEdI##7OgKo-1*p{Dh9l2eJm~&!;({84@fkL7&Oo?{3d;3a5jCmz}ab z**08y%4~=rWnPY;XD!NCBH0?M`=_v33=tY80@OpsbV>(4f-{F@Xa^OJrG9EiqDL}* zqDiw))1UX`jP=(xq-nga{P3vk`r=!FRiLgbF|$lR-(4TU^V;-cfOxh@QZQ2!*r3*r~hEmb#c=*drALT>aHTv`w{b6C%Scyx)pm{FaohWq* zLBw#Wd;}X4ri}MRVg|j|Z@j>7+Bs=7LEyH0Y_@mV-SMOk_+JC)^2UM=t(sv7uVEC! zHs@+jbj3oD6Bb|VcNW>zWft%|$W?2t^t>3RP;7`CW_{@@Bf@X01QnILbY^O_K<)t! 
zGlMgveUO{;drMj3W<@V?mfCl)VmAxTFQ&q4+Hg2~)$WO`2}Cla-flQ^*`NKGoie|Y z0N>2E{wfdGDv4>{=c5Kei7NrRiZa7gdRXJM^?ZG&xc8+?KVdOpDN`Y>Ad?r10`@Qgkk|6s8W^A`iX)fR~i?-y8er<_dv~;ZqcW z0M*IkL5f&$9t)JC&B4}_-&3C{jwt-=sZ4t{kQe7+H41XC+RN z+3W)X2Y%;5Us790s@)jcIkDY+%|kI8lt;E&%13d;vQ)~ifj9u42YsnU$yXGO$JL(o z4EvSdmdMwv$W7-lK#ukmFZM~xBaC$&MO|-W*J7V4)x|3@xIKSQXq4oWea!CaF%rAKMF6!G%7FyBccEQ35!R~)*0mM1|p-b@7+KNjiSD1>!gQ(bQY zi8DTLyF`VG-Uk)m8kf(h_#@asB@8caKs9HSZuBdZW|rldNAk45%B*(6#qLPPiY@@ceD2{RQ%AM=BK!U zD9`+$JoOQPye7ICOg4SBofl3%UV_SOtahU+7fPp7ElmRGxC^-0xijISKi) zvUd*(^7!}9)i1C=67SQ4C2(B0VXHWvo5U8H20xcerpfery7(|dRgjz|hTf-2OYfLd zEmWfLVh8@lei6!HVf2ZK^L?u@(^5RJtlzc`_g^Wcu+`8kTP?8#lm5^9!(WG@VM@RR zNnf=8b8N~fKl#^!_J@^-8thl1?3(!s=9k%jWP+*xYWBdgt|f1&FJ?Q3D0@NOVh<`$ z)i&+-j)i8JmUES&gT+PWz|18==Uz>P&!Rt^c$J-omd*??u=&p&NQB^&Zn0XSZ|Csq zaHo$ebpF@Zm99G6@HTAUSb)xDkd$LitJF+^VD1L!+NEezY6TTnG?|VJjRX3z>29`& z&5`KTMabC9bHg6ey11-0NX`Ei;+@4;XJ=xbz$fM0_;oa;Tl^B!X@rtQd0P=IR4$L) zuKywWA!lC#NDk~EwRyB(`I+bEMPod!cWwC6rA`)K;_%Ucp{we8i%OX5OFZI3#|`jh zLp!x+4Q>ys{2lM(!=hk{KAakmabWK&;X%T^;mf9rMDs=Z+Qp_O`4wNsd-TY#-2eIv zQv3CpLGDsG7wH_m=AL{vm*ki-)#WODNSqsRDzhZ{vVTR64MAp6qDjrxAX@izfNO*+oztzs#L;ZzCw3jR;yEGxF?i^gjp9vJey6MXc>*I{>04 zMRg8f5I(31*RnHFEclKVk2(YIs;bj*GOH*UpCj+!6I7WUhbzp6$7&jH?T`1YVvKeQ;`TN&qyw8)j6569DcH?J#gX@wzkHXyXU z(4dQW1!vz>Bes_4izSM?@mxSE!YNl{f7^95zAD|rnkSzDad;Z$$UxqtdJB%1Q$&+U z8F}LS13gdAPx$g_7c)%xz6vtVeBfm&hd8ZmfvEp?E$q>Kf%_ ztif%vMgvJPu);EmB97;0jkgOynBIh~C+<(VF-L3(QLGr0_!(v}Hia^)I79=?2W}lx z_>G0GE9;zJ#N@6L#}*+31Hh1rkOZ4ThSgkPV!iBq0j$WtA8$K+SP@i*usLqjP_sND zE@J)0Oeq49V2dCsp>(N4st0-<@W?LuT+mHiVdP{d>kwSwC;jd8X8%)P>GT7Q1W;yE zL3>k>O{R0xX3FcAg{T;`a9y-!9Ui@%0!rd+c5T_qe-UJ8uxPZ8Z9qx+W$T&;&ktt; zgioe-r)Yctn)m8U2~mqsFr{SN&WhS2O)r<;NPH4G{uzo85E3n7r+M zJVh?ay7v0N5i^&n{vUv;NgPoJyinW$yM9VD){=h^3(jklT(3)%?UhujWr>)6^2>+{asm#|Xyg05$Fy17uU z68RGNcX(%n-7fhJ9~)?Ix2_G>HoIKeinr_B}>}sr{ubJHBXh@r@v?c5>+7ieBD61k;+K6<5K0OvJtL?8J;I~Twk`m+`20TIO z9Kw?vtxj>lxWYqGWmop7hcuYr1!$C{Y`>hNhsz#ZSxEuV+YP_K#&i+OuA0{*$}Fn& 
z4YTg{?+T_ty^sF1|BjqUNp)xTS%UrZIYA*B_T=7HK5JH1-h-26GIEa%mvByG6)0EG zK&(|oi&=_YUcGUWzIh)V>aKv){I&QSAR}EWU)wci1`%s2oi{ZO>q5qqyR{&w4E1Q9 zJv*hw^U45lt7mWs|Lt7w%vZbJ9L1Nk}48(QKjBc;6rec$(qZ4Y z-KCEP+LWk%6Atq1f@lDl>FMN=%$%V&LXL^8T}T)dP$Y|bcQsYHsOrwiA#?ovT@`0& zm$`aOCE*2g^_y~+v02c-EwQm5qhE(KOKTbB#>L5W0azmvgLj{f|u7k_Ze{F$H zTVkhPlGsOs*?oiM#b-BlHbM3LFKXG6fBSP>`|@e=t;n2qmm#2&mOc2F|<5~lesK)(+1zn)x@T(ZL!BxmF) zE}wx)o2s`A)o&bO7~N?XEMRVRC;PpCt5;wtpuJGN>cg9-|J|EY95(wCbXkeNX|_fy zhbYUl|9Ur_Jm4c^G=izV-1zg~U;ph4(aG@UosYd&e;J{I(mA4se0;)P$DF^WRdPLx z{BX*1@oupafXL5@X0UvtwWh%FN~nd-S|3pDq(dZk{%sM!9ItzNcwLa)U&+Phv*cju z9b746kwMG>fp|3Tde|~S&=(?amzKyi-~r07e37AY-wZ;{%!jF;4J`_DXdybQgK>O_ zIgOuOr#n3kXI8^>>1nWtW_C4wCRLhxUO5YR$;uxF9IX5}W+bT8N zv!~j&NbPZnXRHPx*qbG8f505xBzYKB?IiCqt zlTta9V|-c~gTh2_AWpi&To9coQmx6L`96DJQ#sgk;HX7jL;sa*!9i}`|h$q9Q z3|pyDh6|iA`N4}o;VG2@CslGmxx|I>D%Zv}BhKu$S%J8rr>4dr=Mc6A;4y1jUy-;LU*) z8Lh?<;@;_4n=t5vU@JGzwPshfr_T{c-vLly@Z6-dLx0rDmop>-$)+0rDnK&ijr|=WHs61^Yh?L?C}xeCTqi_I-nzk6 zXxO)7J|G&6)7}=h9+-O{>^g~MzbWJpj^SANVG9;tbECBs69OI0(5JKz@ZD<{wJ&!R zb9x__SnqO9^rn$l%Wa+HL(td{Lvtsf$VX;UXH|S@UkYPEWCdTrBsBzJ56hdxw$#oO zC`i9AnZRBDwxcp6%b&87n~0sjagIq1MJoM07ikxNBhrx$4@yiQ^S z3*i6BVDKG2Rzat}?CCGiH-tWsT-~R~zBWfMl~?8rm*GdMX(y;u#ahTj=Bi&gn~WW7 zSb3|$J(1YK933FJ06$z`I+UfcX`vxoJ)T!Lt)Kc?-E@vPd{o)yOlH2E%h5?Qz>Ce5 zHAqKFxO}g4&Hi|RHu~oewDj2zu6*Lna0gcnO$ggr4Z75~$d^k%<7&!Lce@^oQ*Tq7 zPoN@VZpP2^*L!=zCY#<7%~C6SA`96RHC^xYvo=1efBaSe(5zgw<@jgG%N2Arxe)}B zkwVO=BC-trcjQ&A`iUNeY-q4xRrqQMHV-#Pi^80hH}^a>q(B#|z>*>?n=X@F=X2x( zIrzS+?b`3kNJdwnq7HU+7oA#J1e=xF`)09L+=;|*r}G37ABA^O_pznGJJJIjB#OD> znm)wecZe+>ISjcs0=<;&I#LM?USJEqx6oAb4CFLV3Ck+QlSt|JOmjqFcYa1#mokrJ z*`N>uqQkzqD=d!ElN>gF66r9tvnr`SLVL=lHT$_)5@I>v^NS1NfyUP`_>*2EBW)Tt z_1G%#xdquF?*bGqBxtFJrIG(kwb(Vrw!@MNgy{5q0Hoo?ss`+^8_n^UIo6(Wqd+HN z%lu7MDQi9KbT_-GP#(Vy<2;jr%#DH1Rv`cj@4x_Blh8t`gk8thH(t%LLfGOG*0cNX zlk~JMGb}uStUHBP%2c6kTACfU)@(~@fD>j{-*|*ouP=IxP)wdC*^Q`6Ns?Azm(0n> z1}la3r;%=m?*4-F&!6sA+W|6gtg5ui!Ef6Gc()dRUD2NR8%Ai#WpE@hQP31O`#x<3 
zou(-BZ?G_Mxyy+I7Lb?l#=e?>9AVZDn?v+T<%c}*9gM~cHn(9iZal$96B=`JTkr7O z2kc$B6{mTL(NOpV$7=C9d#N{K%JitZuR@q=ai!!x&eW%j)vF(Ij#;eaw$wDHrTiu? zj(n04O_Qk#6-97fy5hQM#Y9JPFrUJ9i%pk|&hOn@Os12wco{@|LDAYCzPnOn{8XLL zEwZ=(D>V`e8rdK1c13U<`Il#P8`;3)X(QK08mtm|-iIpkNnUl5T1EY2)1f~jnRlpa z-x90xQ*^3c8viOHEpK?Z$)b=ojUDqSV&u_`Tbs|>&&VQl3%qbGY$z$%nLCz{6n?@w zoI0E$QEa4$d@~K5vGgN&PLp7=dCkj`Y_LKADqOGf;ZF);ml!J(D5gdqx<+KVH3-%( z#^TZP)QbX+9>-La1?!`uE_Bs(612gI<1^M|XB5f>`=3XgC|mjIE#0}jpxCDQM*8}W zQ}7(Xl?WQWzvnx(0apHRrR@H#8UB*3yl zy733RKeVha&qC2RAsN(W|!cKsP93)==1w8bu0296}E7J(9m z4CWM%5%UzC)p6!WiiJ3F=i?YQ#OrnAw11v^d)R~4DMAG5%l&(I>y-N2#fT5o7my$( z7x#bC}4S;-Z)1Sbh{I?F7n{l)L6tA+SUm?}gmb(_~N9vO{>_~8ZfVM&`su{I}i1r!$C zPR^#@-8`b2-<~hYD8Ff(%(MHQpu#I4E}>w+)|&T|rX3~W1-Zf9XS+4J1u2`4Wdj?M zIWQEEnIFMmy7<#s=8k<`;Wcl84xp|QpjnRVWdW9nKeK7KR@;~Q&>2g%y*l+%eEZa z1`rw;QJS-y1hRWwAETUt#_74sqVNMxE=CvQGq-AxLI;y>T7hn_XmoBs&sHqH9%kSh z`ar9$F4a`2 z1EH~AB`PEtbU)D~NM!RT=}2HSgBUh3$cAA+&EO zK|l8*xdhgXg{YoNE+7Q~N*z#^)*@<@0J3H=CyKfR&XSV`8vj-1^zgoqQ$hr3|9x0V z_L@xJbJ0^S>62F3#Nb+(jPFgdlX*4TDXoxlP^`nzTG4#ahOL(MnYM0V&jQCy?i5kZ zT#}h=Zs0gMdBkep1Z!bSS+zpPxH|W6oOPauyun(fbl5>0+zhbKNFUR0N<4Rhq_o`|myg+ts%qILQxeewW0P{3 z-V!VDq0HQ+bWu3~lK?c1G{1#K!hqLBEicddKoi+6H72z#Z)2!zdK^N^vxWWx>KgNs zj@2m6%HZuPCQ&ELJl_Ch{8`;?JfuK=&(4AX9`C{U?}kP{gVRX-debT26!i0D#C2E8 zvpkgQ&%pFW>rF8k2+!!*DqGkf4Uqa!8d!O{K(_YTM5ph-@XDEhn;tq-_vmLy5k@PO zh+nG8?I#@qb^{*YiaO^~$gI8>tk4)~jhwGVOU0&)TOYR%O?N)due zqsgzgEjS*`>x)s{!1tD!8GV_=F5W#x-|u*};Xw!;>NQWRV>)B@Rhrm+>ssTx%Z`zpHg(&MsFP58 zp>5KO0ja=gg`PSo;ceaKKG2`rhxw*(21zxP#3$H57v$%w*?R+uJ+@(|pdHtw|KHV* zxSn*hsJrDD4>k#vfHfjP1*eU6)gT8Q5HQ(&U&6p*x4bkf6CTn>LBy>MGcttZA-ae} zO>JaC(kS}%rnlC8_6;Gox)NCvFN?tE`KT2piheJ*)PJ3inR?w~m2UUJ^PX}V zt$Wm#IX5Z8S;>>fLF%& zMwrgkAqtxDokSk%gCS(2pxhl4%^4JfyZ3ci4w#=Bsk`F;ddSzxZ_?es59H zqqo1cH@JM9DSq+~>VT#M9>eo?FIn}UzKx&%aHI(`7!*BxCwEJS~L7M^P7YAc}6sdgr!x*$WW*`X=)<2Ict9{ozGX6Y%5K= zj-rE+>U{9{R!dFdnRkQ6P=x<4l^LGsr{n4V025z0^Wt=f24ze*OR2e+1FKija53ZW 
zk-RG$AN3oYr+~WkGwn=C&H6?w`R<95wPebMkqqJm3N{oO{^sA9R0i%f%Tny`$E+YI|A=R`klUIxnDqQGwKX6+JCo}2oYh|=+$)Sx z?*#i6N(1Rc(i7vc&OMOhIPipZfEH7Ay|z01&qTApa7S-QWIeZ`@JxusnpuCPL6sj? zq*=q=g!~K|;N0g&pEP(M{Vc5I7gJ&WLnX!g%P=2|?K9!i-_OTA4s`dbE}@=4>%~)r zD#@6UH(K=m+>zGD_q8BMUhMeXo&J1iM1m53^~d<@03+K0MYW?ZaNy?I$G*}6i&i9+ z!$C+jW~hBr<<2m)613xlIegXRP3%4;-S@lug19C1!a`4UZEK@gfPtrL`$h=|D_orT zL>MW)5WDSF1*i3@mT!cxRNje^B2%o?m@CFKB+6z1Ndb|by$H3m<_-*Pr?|y%fIqF5 zqSLfKqm;ODP|iIVUyK|an!}6$TjN* zZ3ovqfgl*)!!3RS3+gW2jl(e|F8CRn7-53mG!1=!H`mH={@YJBVFs4JpefP>EjO@0LaVK+oUmr%ytN`R7n; zceIqA{c~&0>Jk;J(UP^48x|B7xo1HCHN7VNVC+~e6F*Q)>sDQ;ydzc(YC(1Bg3=Ju z2%}q(#STLTbZ~Q4`p%94lTlWovq<*0aPH3z{{#AI;7`2;pzoZG2@efSmqb!*$fjm{ zrZ}B1Pf{5^z+zZ%p@arJET8m>zl@>?wYBqk=yGBHad-LsnkBF%9E+o4==_fbIdN$Pv92qde{<)DTsIMrd7aQOL z`fCs$&~-x@PtCEy;E)@a22=loMk|xtKz9oce=B?dx(+c&+BdWPV+zg5yHB7;B}yRQ zJXzt5kP9UcPRUdYau;Tezwm?z_8UAc-kBX?-wV0Z}OW`RpXWxc2~s)*;oh|eyy94I{AL(<@Pd7 ze?Y21Wi)svM!v39%&i~HN5EuvYFWAps1>mLZ6~@~2fmWO7ClJ^T2HUCTx;l93opPU zcj2jB31Z_C-|_V$&*@Z&2}vf&ss*7@7Au)jerKJZz(p)8KL~@}5iXV>b-|!FV_)hyM8h8AV9`5D(ujulIZrWDsakUq!Y9~@v*ebO`h_@nzt z`RFwaLYASaq;KGjpgU}1pT|$@udl9aN4L1BO}l`aAW^QkE&1UB35k?FcJrT@O9C`0 zBdV<|I$LAhi%!FQWX?jiB^|^$Z{cd{TlOhMq1B!p@Vp{Uz1h9QD(o3RJ>uBqmE};R zD8<=Vo#_rq<=00|GXD z%RNWjJ}yIW>PpI5tRve%Q~*84j|Kj}Lmg-r=WP~2-+F!hy11dYjs9`g34g40 z_CYCW{HCeAHiDngHcNP(B%G>I{6JKX#5bupA%Wz86(|5V=@%E0_E$w?G(JX+xXlTx zm6Lx?YaCDCipG_cvHf9c4vdi+ApsTo4%l+H{sKj{{*3L0lQ`YL$nd!vBD_CXU!#JV zbDJ?O7j+Dj_ZTnEn!uH^YGcFq)x=FO`ya>vuX}1w!J?z;4?kxIuZhQ|>?&mQlb13@ zQHpQ*-s|2BG#U&^LA5id=7-Hv@YjQoRcN43?cGd^q>6B+aaVuXQ-;p`ql6hH+=P8e zQS+orIZ&W2-g(e~^XMVhv^sAX0&Wd{xet&rS@$g(W7JR=Y!0SRhYiKjGjQ9)LqF;I z?9G&$^ALC%S zj*Ur^sQP*8)iVS)J<8%f3PDTwPC-yi*?``7wruO>2dzZ=`p~JDTn^1|nnIN%Kf5$( zWu-IO_t!MLp&)(CW|cCv$S2nPbTsv3JY|_+KVyFb;AJFcHWqE-EBNdF+)Fyxt5!R# zeXf>bq8%!RocF0LRw&O>gY7-7^E9$rx>6gc81P-k^Z^Cf3kv=B=3#eWp2H7?__0@Gg@c77vXRn2LorP25MwjNjZ*fHo{A|V6b;q~_K zV_j(gt%=w!Y>Ih`?TLeIYe|DEyN2tQ35a-S&_Ps0)sRu6Xe^Z2T~bTqD=&v6UcDAe 
zk?al{QYKnfGR%Vb>7PAH>~O)^XywEJvu2)hSjZdbmA=1q%0nYvZ2_3F@podDZvL>+ zihtA2-aoIMOGec<6cvPXh2oi?h;OXu_==hVZDa!;OnxMK!Eo_S>PR^)6})%V?WCXh zw~Z1P;GzV_)M458N=(S2FjUOh3F-!Wd7f8hS_(c9Sx?kxnsgzND|R|l5uHBpYyaGA zA#qHLVabK>W~p>-^5lOF4;+FISd-3;&mp2Nj*pQ}H|1q+7Cz{S402qq749*i-ifunwX8)tl^Xo)gXi>J1vG z8&_FxFmz(;8Lv*_{70^os<))W@r2!08Wl2Oap-UdO+m`39X*=v#P}okd>CVwR^eel ziawNy(1$U?(Xxrc`&boBi5=w(h<@qt*np{xn}%fH%aZ)pF#E~MFXaTmKe+6-_}QDS zY5DoGQ~P-@bd*k6eT^OPvobiv?k`s7c-}!`61EGdN)rgNFrUmF%(y^r;R z!DP&B#P7W@SqwJ{rN4}kgs#j%N~Rt=6}d5k6oa5!0GL(bL<{HL`-y5HKt^0JQ>D!r zj}qD=Z`XrCmFimsB+s0Td9O-?F4C z99(?gRz>A3NyKk3B2*!}_N3=_>|I|326N-otS$pv79Ogv-vYx2h&?M$QeB%oup4NL zjuhzrK9XAH*>BMeUTWmj0U^s~R36qouEGZH$c;$5Fa2$=El+mL&AX!mTl`*0Z;)@A z4c&mBbLL@RAB>F55ZT~VBn+R*^AwemfHMfiuk!W1W^I3N4_J%}{=4eq`)63$&?TXx zSV>1u5!ER+9eMF7{yOP%Gz==|XX2$o6COj6yP4;Ro?S?mLe_q6fT*@$L5#3QX2zyC zgW8vs#1(=)Qi3=%+%Q_pw#8G${E{*;DT%cHu~A)yQ@X#G`K&;cT0YH#v_j#WC-Ugx zfP4|XO|Z)eU34uinbdJUAOfo~0DOXo+oTai1=SWKoc1S7&MsckMr&(+;t|+yal`M2 z$Dgsqbsll#4-FdDK;!o#o1xqaNJK;4D8!qY z>rhA&wPi2gB6(4K!R`2pLFAFuj}3XKhW3?Ulej+qFfr%orJ_VF$s`>VUZ!ul*5fNF z%L{?g(Q#Sn?WdE?yU(QInb`YC?#+a1NG#+vqg8lI@D2ay03uRVRJF6L+HMB~79NL> zYpABnf5FS{^jX@STBlHfLq18)COV!^1e1kv4JLRE>PP?>I!IgQYqb9YlMf0KYU(Bl zWO1jY7#@pm2nxxwBT7m2M1gq?Xn8%sEZXKj%@&QM&pLN^sKQUafX4(G?z4|l9 z^B7%by7Li=fWaT1&cRd2S+^n=7_jw&O7b;Dozm{&M2Bp}#Qk3=P z+%JzRGF3+qXP>zCBg?oq!bmM)2cpz<=tdxfIZALdU$woCAvfSD*HLoJ0*86%vkTPp2=Y<+DlHt6VPq9z zUpFhKyLwS1Vp&jImV)=`Py?B;vv^Yq(>YsA!PAvA-Sg73&(+}wA=KThz_LEbbt$^6 z{+*30Mnv#CpBb688E@Bs;f-yT+o8zb-0+Yy&KTSQSEqkAP5oE)UHco&|D@e7F_@SS zq%Ncv0bV$yqpzeg-4wqeJOeC5cwr~jDI7p;#8v;)1j4&N1nu%-pZdI~LW6XnM60Mw z9-?sKcWTs^M2Aqr6^x|N@1M!U%}w|GL;6*1DGk8~nhfU7S^{mYbE|FI7`}=Hyt;xi}Hnld>=gUkcm!F0dfK7%$Q{3Z5m3*4Mk^j{$yp4{3Qh4{E2>t+8=QW$pZ=B7y7bSent(aD&`(O*M<>Y`+N&Nb^Ca zBs_udfec{ivhw%);RVVHT%X2MMXBLCg?1J|?%hnqwA-ZN+w%D%GEqhEeX}GoQRod% zjcm!#)~#s+z2^1E`FZlM;AgLp3}NCJOJN?ABB{`Onb3Qh(0kTqShwVZdm>R_1o6)h z@p*eFcB3`z{ggtu64KW$`qPH_zqol~Sto|(@l`5N#88hkxJo!nX&ihmO 
zR#f`=z;c;uub>0+#gc`AcXjuYr_slL6};AzY8NyVT>otEiYF@QY}v)?4%!-e_mPm? z=p5GP>GC`h9#Mlsls<*u1QG8y&xSvMs!|hO0Y3V;AzA5ZW1>}l+F?GuCBDpk9$E6K zl+%(V2aiJ?&!N)aqcVd35ZOlKo@n+kmb%G#r!9$FO0dw&UaE>H^9&x5BDtKwWB(gQ zmnpMzrDlHz>jf3xKde+k48);PH}l)VDcOkMmtfx|Kac&`G?v>?fqhSVsxK4;5cxnJ zl~_or8^rKKW#M*y5g*P)q_-hvfMfsp+I+RCHJ#%P2sUJ zs64U)a9-v%gHiRCMhqQ|@Y51XX~{Y2zNwnu?QVY)_e0azHcb7R_~{c_mKxM+tTBh~ z+6coQ=w=@58@E`TB;_ssvE=)l6dZ+#;)h*>UYZ00{l2YD^@=AEqGFK(G!RnPmN@ua z@{xm%Hq}_Nxs87#OG5wg6hW<3EyL*c2FWj)eOmTT>>mdpt8$O4RV&xYS!Ei8f_W>E zzTpQ>dz_yOQ7foaDWD319|@omQ$kK8vf9I1pxr^MsQY;SAu;F~;y**&bmo!RW6fGI zTTdQonWsfDd5%yREVcmxxSyo0|1Q=+Ka%P)p#Osx%HoU5smy)asr}Xy1AjioA<4q) zrlSX^W!_TAFO9rm@-N!i5#HK)hP^QjPIompVh99flqYx2`iT&sa>+>fVO6vA6}qXC z{qWSvJ-ne0su3@zNZmj8&4K;*;D$;AqB|8Sz-aNChD+LYv^;zTAYA%UPcotSPdU?& ztmVLH8zOv*TS$lFC!@>$PyA(f$}Q*vGGZ?RVrII;q_zpz0)``dIs=k^H2b5J9L8*> z8MjYUsqd8V4DpQoH+ew{b5^xp#xLIAzpHpasgQ#uo0V@{nC%&!EaORLA>m76Qz!8tN!rwebRYm#PK{7pGHh_OynE>~b(Wc-P_m$l# zN1U$U=yG?}Y_?TuW6yXV=JyEbOSjf2Ni7C49x?7MMw}9`2Zztfr}Dy|izJd$?tBI` zzs`h)$HDVVwYoWaV07Sh?r28!^kV5K`{aFw+fOAO--XyI#!`Pc{r{aD&}+CG<$r(l zQr1Fx65oE^pv0B$9|C-tF-@HBG|Od6zK8VR29o=KIMw!;tv6|vY|Jj3j^$L?%E}n$ zwn93>^R)9_wT6P+HG-!$zrp!}zdu_lW@E}7eX-`q9o$6u$} zv+q8REMJn>T2FCUX0!6I2}g`c!7NtYDNwa>$Z@-2qi73BoBwO}Wk3UgMzF ze*ioGdi&K8?T4NE=fw}%BBKkPKy;T^+WL)oVi`m7N~H`HPMIOePxS|tC7k)4ml);D zZSvF);~_^?L{Ix&mtUHSJ*pABMjk>Mjj=u&R)8n&_~lv7d3X(LAB_57zZTcQ)}S>_ zt+~zWb5QG<(E(!)&7}!cnw7bFHlU?vEsyrTpX$f%!b`T+h0n3iT-(r>MqLug`ys}W zmrGm1FXc`F3!4LJXwqwtGRt?!*B0HCw#=-P;O<@Dsp)*-F}9~u?uE7}R&c~e@9B6} zlVYtC(`vmBXqaVwhTf%ynn863t&8T<=#g!V*6}_lJOIqfjP*zbZn^NDhVCsAblL^{ z^IsCWhuL9v;C_kfX~@vI`JMoi-2M#&FnFe0?2wl` z15an>4s-%Iyw_lnWBt+9>3@FEtcA+w2@#e1;Q2)iY934iGN*geZesAj0p4WpzKGv(3>PfElmd$?#;I8^M9oOHM2A^1VvrBtYsKS;`4nh(L;mh%R|J-Y@kWgts z7urjCS|2l9b6}8;wl|5V&DWR9QdUs*2$IOs-~;d+sI-W+=IXdwX(_nldssS?+U{zq z4TeX5wB7>{?P?5`0Rw_|Fq|$<8_vmL#6Hey6H;kYk+bsqh&BQy^EC$2NB#VDbTpSG z#|@A+QEJqa3|0gm;mf1++6SL8n~v4x^Ilm=H~EoDA{G=w;o6my&DZv5W(iG9w6d~s*zoeFxDxrZ5Llrz#QHr)~$0BG52st$H=^ok* 
zHf;Clg~_~iAlH8uz8_xSD{2YYE$gO z7>6J=07H7qU{tf#5o>F43PzdXoC54d5kYsxoixUjXR#YL6DiFWw>eTr-Dtpg;UcRAg~Urh5PBm6qJ% zwzBul0Tayx98x2aaW|{tf7QSk64uw@0%kV5-Yz>7^u4;cyTxb{Bsh;~P}F$Sb=SQT zv;W-+^e)T3ChgNzFJNU=xdXeQqp80gwHBk2z!iHkk)jeU!C)5}$)k2m6(G|@GEt>$ z$)}>|Kha*1l*XR?yF|S|w(p`q7gJmluRV^9bR)PMvm7^jv1nXQ(`O3jABQJBKotQRhcF4Iad7*>)1SWYyoSE@fiuZB z9^v#5AS8LOdq_{ra+pVf!dj6$C?@evPnW(enB-o{zhmtw-%CH&nZ29ot2EakLebevW<6HG6 z>!c}>OPK4DCvuPG@ktX|h-V~YgJ@p(u;!}Y-P!SS@8iqZYilfN7KF%|C}l1s`P#L4R7_vx-LkkiQ+y>^PPtY z!iCaooBV-G;k=C>!S58b zny|P>E?OL0yZD>gPVrADMb2i15_=Q&!fzg*cYTl=C3t&#A&tsgDzUej){y9>svtTWu4yySyLHFjn@(_0pHek zNe{%bKZ1hqKBk%MF~x%C`&-JEd$J9Zg!lE%vWpA7=!~LS`GF9fDM_t4EIj<P#wYSgqcX1Xp@Q5t=bqNqvmmj$ExufGe8yRxFMhl_X}**XB5};J*gir zr#$sd&otFO6hR*SPx|nQ_o{KLZuzvSDGgq7^p#QmyHHq+0C%VW`94aWbGDoW=LgS> zRzgIWHNvQ5jYb4UXFAnFCD-dOJArHyAMp^{)nhf1s9r{WgG1OHworj(u%0oTQb+Fl z1ef(S5x~~ncBYhBJo*aKypXh~{EncBPmBQ94+k83zBwz*JzaakUu~(zh zcxiN+U#v(+Vl|!o9uaRbLDwV2Of9F;8=J(Ii_v3w8nHU{ zXe{uK46l`rl-1y9cbZ{o+W7}-8vQ;UcM2jI#VCBB~QJ7EE6BDL8k&C&h4hb*s8YwmsB=C5tYDuA|>GgVeu-e0w_m zZ2&31dJQ)^J^dSlTK2*~>kmA^5eq}Ah9GE+j;hE;8N18xsTTi!cYX|yvlr?Ix$=(u z5MIwwi+>OjLeY;zlug>H9R9=g;)TqC!!?>fsEl7VqMpuTmzKvu!328O^hv;$CS>(zQ;q&+lsUl^**9~ zjQCxP2hnhYb{UAoA9@x2g46(~+p9g?%ZJ4^B4<{!IY0RFO1_x3r6>svfabw!KZ>4h z&c<~QdokY1wLq#ELgf?UVdW1T8D)fP&I*Y#Rmx)Yx;vH~8fqT@^CkXSU}%y*SqZr3 zb#&@=x;E)#?CAm2r0jX7tZW--)i8L52xE3uV^r(8ol@jBi8?;8D2jngx4gPa?hLTS z<1?wdB}_)RTjcVt)u?D|HmL9c9me1LBn|h^ntD9moe*!TsjjU?)C+lP#VIG?E;&Ta zl6Oq3c(~ImSsz$$k$UywTh-Io>;TTHsB+$7Dplh$L{-~CcofrywYXloR*p(qOaaE2 z$9;5F9Dm+#Mq|ZImX`h*Jz57@nwhXL=s0P0)UiVXtDm*Lpa1ya>3&d*82zl@noiGO z6Mj*@Q=H-Ty8D~+RUkzngsN11>xwl=lP|n9S3!Z&y$YCuV6t-TXM2%BhXdA>Qp*xG zzNej>w%T7(-&(>05vgUvl`5*#Hx!K2 z3uG4^@!9MZ8<5l7di9GmMryAkn)7H)SUsGiO?Ez$xxSgY+r(>I!nyXY~)CfGZrjv~Z{x@x%_G!!`j+2E& zeukaCG_;|}D`TXBNtX?Q;-2i;V*vc{`1Fc+GxBx}04Mfm1mzc~>y*vT)OH_(npSY; zG}3?&D03ZuZ%wT`h;iZ6EyfDqFiy=LQ|y-<2v4-WEou%bIQaDEhylR5aiT58vp=R`}+`dDMBhJWunEIi++V8j%ih 
z)o4brMO)sHt1)I`ulgaC6D3=f_(;~(X$TJ=(XN;!RNM3pmxnB$2g{eOj3?{sX{wd? z7&nn3q^Yvu<9c@!A)4yX`IIvor5aV##T}=e?ZJIc`X%@hEvB_?ftNk6%I)e%-=9e4 zh%I0uMus|~f&10S;8tb_obW|A<^1_)=>{F58ZIbAECxM7hd+_u0Yudpyy)zd-mWnEtE6 zTDdnOahu`8tx9$ns)>4>s?X|QG?9?W>1sZwzw0NG2~&_TdHeUvdSs$-!L^vY8Ya4f z+7G&0=q3{;QsC$DTt&fr-^YtRFm_l3;B+=k{Q(GD<_T^ZTw-;EVdA(B#emK7W6cE> z+3I|@O=M7ovelyCr`bBCb+;P7tVy=o%YUpVRFB8n^VyI2?IEst~Wuv`Fk6k}Y zhJ!}Gt5}W=hv>Cdo>$fMLnbT-Y_0|Pe;=LiwwAvU2o|jbLqODB08Oi65T;U{^f9tL zIJF9>&dk89EjqP%qHCv))0R1grJzDUI}KAd5&|9T=|ElTE|S;xnyNzjpQ$TLbsznk zl^__IOH&L)g{<0iRR5Vy$c$XCaVl8!fTU(exyHO39u&Kvjd(rcXR3MwaHrrJ7Mg}< z;tMZf^`2$qGUTN~*$t`PO=uO-_rIy!ruFjET&ro7D`NA#2qEx}q4<^L-IL9k|7K^i zqUA$mXp98!-{ANKe|tH>;y`G8i!%#g58r22xa(eoKg9L73wmwQAJz|ntirJ?h3$O| zQ;T=43G|v&A~_l;{&SQmAt=$SG)NJT085@Og&;cy=PHHbn(LQynuy zs7)e)B+ez%lDj?{^lfM5;KIIc+A@gKk6ejf2I&KB$f}OofgK{ja+u8~F5W`#M>J=| ziZwXEzsKFiha5Gf^hxChCO5-R2FreJ>S1y!hV!HPCCE8=k}C9so|2wS%Zpy`a?uuQ zRLb;I^2p&aq?Uzml>aenub2h>)K1mWV%iqg<00E=OH(4_OG<;xwyyklsBe1#>VIz0B zs`{m3=BRq9uy!2+^#*V>W$-iKWZ!(~RBN+yEVjek5SET(*`pLlA(SoZ0glDT=8@m;Y2R3xDD2p9-fdeoj@P2WGs}*f1Sh^^=X1l&31gI`6cf*Y+ zbXLNYhB#E}(yupB>HPKTd1IMOiV92yX{Of9Go#5Jc<+FwOCJ+Id}u-lF!1yG^j;oV zF65KnA1%^}#8)CjZdx>ivn`Llmqk0k~H%-3^^} z;Piwz;NJ_vMPyU!r;q{?gprppm=4R~UAQoVtV)V|PAqcR+$1isGx(K4=Y|dmW#irM?#4LYq+CcA z4Llx%0tXyE6?GAg)tk`|+w|jBaLB7-IJ(0W0R7ju;wl;uh{TCQrv%T$Dwy9Qo#K&& z2Cp?3Yih}FLE0wa_PAd|{n{VH*{@)=mct$(tmw#prNiAEA`Rk3?i=J>-3bd<){Ku~>HGlK1Y#-ei&K^^+ zyd;{s6wDNs^e(?>Z(JNgx#i1aWb&*|09xW~=Zd+FUr7(q%L{`Yd>rR~09rb$oF2*s zN)-Arw5Twp_s(l@Cz^)AGCI{)3RUTIrbtfg*xmp@%RM+SZ`L+-O}s21Rr^`~40D8W@NDxvAk&7NpDCxCCV*A8AE^X7=EH4Ycx zneTJx)a^j@lSR_9T9?DnP=OMG$7l=;$Wk0(F-0-unM=rN(oQH`1^#;gn02mgkLs~T z=tJ))^C-Lowrkf6H?L-_I-#^2hVS+6nd-b{z)$v?5)Xw8DeaB+gm%x7qz1DDd*S;w4G;3jyRC;_9>ae}(PQurw=Q#oYDe`$QzKXQTvK>(;1~faG7iH^e?})$xnOL?B5K{;TH3Y-f`f z4-*wv6%Od-Iq^&0y7Co(*AL_GNK+KL_svp- z9~P|Bh#LyLb%dWk33}~^9@$HoRxN`O{%q@_Fq#nQN}B%`4slV@x~46Kbixk0Q59wu zfD^c^2!u5~#ZOwXq9YGj3)crD@~{ctCf#Ze^H{I}16AZ)+c1qUOwbR^n<<18^o;>&ig2plID0j| 
z*GX$L<~i9}7bf^x_SU*?gh77W-fOW}<{{#Tnq0m3ofDb^h7Y-3q}oT+x*{yiusdOB zb3~3HA#DpIM%TbKBT0M0kr`J-uG&*jIYCwja#*N|FefF%eY*ZGpec5sxgkg-SGhY) zo)-&K^yKn}b|1g0T=GQp76ni``&?X9(d$Q`5g#mza2AkA3121mAaC1|hl8z4zpCN} zfGGKdXGG8ex*u{OQ|T~Lr#(2xupaGP;ZKW|xc&5D-EmcWm;^l%O$Ll}iOBg~!sDYa z{bzdS{4gAav&mR!Yid%;`C@#VcgAp<)NzGPUjL2-e4|nb8G2B|>7P{judNoUf;|?4 z-;GqXrZ9uqbM{XBEof{5`vbYB|62@25Q(LO-8WeekW&_R`t}ddb7^&C%K`!p4hinh zhn2ry4>k5{UO%p^ejD?vt2@+RFmgR?#w6FJffx!?MUXP<-^U3S(f4AGLL{l2padSL5$~+@S6GgYXqKTC#?Zb+<%!NX_Iekdn+{Zk)OxazcR+B- z103*P4dU73m?YU&8xkYw=XrqzxfUcuw8X;)Gz zK%gR83Zv_H=Bl<3F{0K49`PrZQF`o&ZtifZK%2*Vf8L)RGXBW~yFh}Re}Ct>+Ify; z%8ZW88U7Jk>1@-Z%6;iS>?Cmb>h0L9M#p~ooUdXfVxkwiA?(y~^O@7(cMVtpW8E@J z*GP6Sk{gs?ixx|R*XI^P^l()u0W|VWfb7V+iQn`HbEoq~55?ZAfWUWBKMIZLr?_y; zVjJJ^^;mUdu`<5fZGyWc?z^aWwFtht2SQ2Ju=HBnZM(PZFX6E4VTGXc;Ro0~!n0VD zevC<+D=CRhIF1|xpAf8KmVstTM0-`mvSBFSsY)?rp{R?k@s{D<&}-_mEFg3dfF@jr z=Hed|`uxT7`evNSJBy(u2F+o3JAc*#92f^{pJon$gq#i_;c)JAYAZhA76-GD*_AIg2 zW%bdcQSX#{7Nyc^1@g|J0@?WsfQ8tojjDr+rotx(QchQDtySrT=_hzY;XAc}y%w2x zFiOChv)72z(gb>G|lTV`*{fqQ-IUiI+yC6m`HY??`tLY)xZS ziP(Z0<>WM*N2H$&>J4bZNXkNHW&&6-GR#_B17brDBRId&wKG7nfCeL9N|cr<$Q%tD z_qf5fqT;9$^G(A+b!W<^V&iY9!3PXsxo}N76TEdga0R||B5SkGu~9CiS?RWLZZ*a5 zk)5lsS3plj@Y4)9xx@vqDH%d%f?td2dbxh-au-CYuv!tWL`zcVy&kR(Nj54@%5n>; zhSZZ(5s?z}(@F(@o+WO#U&n^Hl<~?%0xD^F^q$S&kXO$tHUwEUN@u*lBY2)O>)p4| z;SAsDNEP*=``eMNQYiqu%8*)4kr6*>i>g;;39o=0gdXO{^Q{1q6w=u|kGtQ4a(o*w zw?_L_%#gH2RYk;)%94pu99jtngP)r{*$#R>o>WUh__!0MU?*0fk6{aM3gH-KL{>D+ zK^o9K;RKYB-7+Z*n2`BQG8Dy^mE}8?jC;r>Z8rCvnSA7sK}KE@Jc0mKX;yXELA$ms zLXUIi1>JlLe`LUEjcB{3^(?p}+3!o85W-L5f^g|T#hIJ=+^mPaeGr(L%K~|u96mn^ z_F*NQ`$0;Jj8)>a265$R*9{F)c@=FRBeKez^#1UIbU1x*In|^rSyhxiogrHjXMqgC z@_^DsPN91qGUR-J@08LIE-Kh40;@$ zN+QNY;U$*i#TqjCbMfSW%I<(ZRQ21E5QO{x)VudXLtOL%`0{paT*1a~>Q?Vj-n2@s zp)6ZNxD|r}w=uH$F|98h8X8K!xva|8QANpA3IPN@i)TXju}r9iG`$@MLobBFTg*os z$l{4y2}-#T#t1yJl|G`&r)`s)$IREcI<4F7oFH@@@8mUA!K#Ki&M$56)Q;3a^e!1Z zHc*hUqx!gPKuMD}ZOxQtcwL!T&*Vsazt*B9!CKe~)tT`;6FHlbx!$pEF$fg5jX*il?B3 
zmG72tXK4biz)JNT$TNU;nQO+9_z0%T<^tH}y=kWJld2>9Kpp z@F`bmQpFa7=4`R?&L9VBDXORDS{Io0X;3i8i&G>hWiqnJJ?E{^6ujdY_orZ1p&EzT zjpiQ8{Gugb$a$dsx}|vDi$=iLIRGoaN76c){;P1Zo%!~b-yC?4b8%pu7;!u*=CEsm z`r!45MTc*t4^%YYUkaval5JruKd0P&ymIL@fFrnjNxhw^COUq_l!6}CizGMT`xiZg zo5v?F`8XUBIhI65OtX<-+NZis`i`6+2T64dxqCG4pF^4$EOc`AW?-XU3}8D=P=k;? zY~DbKK}Sbko(r$z*wI^GqL!Mqd%&FP@BvulVx`gk!LYGPZZmQBS@Z}YuuM38zQ&}Q z!B>=Ur}mB01jDXKmzz7m*_SB8llbMk+;a`@tE!t?_cr*=euAp%zcR$r(I-x(X%qqm zRfzx(W48#VPp0S06meAD3b=rx@jAagcoAbXVutPwZ?Q)npxjVp;B}L{m z_*MI><#)M{c`b^aBKP>PNMUbgZx&So&u@ubotNLPobCC-KX@s=8`zrW@C1gcjJ8cR z>D77*?qPizWQkfx$$z<-ljR_05*U;=Y&W7evmdditUvOB<@c2-sf zd6|x|J>Awmz zHWJ?)VV(552Qt<(96wIp{-?|HBA_FHfOnVE!0*FF?8L_k$IrW+o089&lIz#s(x0y+ zq|`wbrLHJ|)wmG6mLk?<^VY}%kCK={M0&xSw?{P%Ca*5ovK^08{#&FHf@|pTQ}mq% zMo;K39M#n&Jlqhi-rOhcF&&%6dG(kwDNgI!4ZmJY%^yTHYlJXW3J-bmYdkE%+Gqpe zS}RpP>-W!#i02D4FN$3d^39Z{gJhR~uIs$;AW*3Qn&x0~$FUX^!f4Mf(F(#4B!de4 zVMw@8shCy$Htl1=eO{@A$!9R}H#W?=2U)#PbKJ?b)@oKwOTD_SgyF>a=OzMvJOhV9 zp@H&^#ma|mABk6KReSqz*~0`Uk(njbl`=MD(1thkr(S4R|6q>9u6P5!V-wEjT_#0@ z7}!w2KiZ2zo*@qNJ_m%+_MYJ$Jl4P4%>`(FFS$F?@6SHbLB_%F82w81FbbS(Uve*~ zY9MC#!wi3Mor5sKy5q=U(>l%DqWqKMba`E@#Z2@#30l-|U>%pVQCiCpGKEHl#PK|o z4SB}pvnr`TvD2u?>Q+1`dzSzKh|R%~H?p!CMxZ+J`Ir{F*w;0awaY=J+Fk3pi4Cmd z!l(y?ogado>>CdTn;t8mAu!QrLcXT{HO<&iTrFILNmoF#% z9sSTS;qih_K+6QA; z5@l zv-4e2X?!xADmzeGz7VO$t9QC0w(_a}&K+{u9&_1B| YsSv0%u>DjJlpOeUN(DuD{6Dw;KP>_n8vp