From b857ded488da1cb835a833c042401245151b3156 Mon Sep 17 00:00:00 2001
From: Abderrahmane Smimite
Date: Sun, 26 May 2024 18:43:53 +0200
Subject: [PATCH] Add ASF baseline v2
---
.../library/libraries/asf-baseline-v2.yaml | 257 ++++++++++++++++++
tools/intuitem/asf-baseline-v2.xlsx | Bin 0 -> 14847 bytes
2 files changed, 257 insertions(+)
create mode 100644 backend/library/libraries/asf-baseline-v2.yaml
create mode 100644 tools/intuitem/asf-baseline-v2.xlsx
diff --git a/backend/library/libraries/asf-baseline-v2.yaml b/backend/library/libraries/asf-baseline-v2.yaml
new file mode 100644
index 0000000000..e62faa352a
--- /dev/null
+++ b/backend/library/libraries/asf-baseline-v2.yaml
@@ -0,0 +1,257 @@
+urn: urn:intuitem:risk:library:asf-baseline-v2
+locale: en
+ref_id: ASF-Baseline
+name: Agile Security Framework - Baseline
+description: Quick overview of essential security domains - holistic baseline for
+ custom framework
+copyright: "\xA9 intuitem"
+version: 1
+provider: intuitem
+packager: intuitem
+objects:
+ reference_controls:
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-01
+ ref_id: ASF-REC-01
+ category: process
+ description: Risk assessment framework
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-02
+ ref_id: ASF-REC-02
+ category: technical
+ description: EDR deployment
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-03
+ ref_id: ASF-REC-03
+ category: physical
+ description: Facility surveillance
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-04
+ ref_id: ASF-REC-04
+ category: policy
+ description: IAM/PAM Policy
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-05
+ ref_id: ASF-REC-05
+ category: technical
+ description: Immutable backups
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-06
+ ref_id: ASF-REC-06
+ category: technical
+ description: SAST
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-07
+ ref_id: ASF-REC-07
+ category: technical
+ description: SCA
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-08
+ ref_id: ASF-REC-08
+ category: technical
+ description: DAST/IAST
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-09
+ ref_id: ASF-REC-09
+ category: process
+ description: TPRM Framework
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-10
+ ref_id: ASF-REC-10
+ category: technical
+ description: CMDB
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-11
+ ref_id: ASF-REC-11
+ category: technical
+ description: Network Segmentation and Isolation
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-12
+ ref_id: ASF-REC-12
+ category: policy
+ description: Data Retention and Destruction Policy
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-13
+ ref_id: ASF-REC-13
+ category: technical
+ description: Multi-factor Authentication (MFA) Implementation
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-14
+ ref_id: ASF-REC-14
+ category: process
+ description: Incident Response Plan
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-15
+ ref_id: ASF-REC-15
+ category: technical
+ description: Application Whitelisting
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-16
+ ref_id: ASF-REC-16
+ category: physical
+ description: Biometric Access Controls
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-17
+ ref_id: ASF-REC-17
+ category: process
+ description: Regular Security Awareness Training
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-18
+ ref_id: ASF-REC-18
+ category: technical
+ description: Email Security Gateway
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-19
+ ref_id: ASF-REC-19
+ category: policy
+ description: BYOD (Bring Your Own Device) Policy
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-20
+ ref_id: ASF-REC-20
+ category: technical
+ description: Cloud Access Security Broker (CASB)
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-21
+ ref_id: ASF-REC-21
+ category: technical
+ description: Compute Vulnerability scanner
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-22
+ ref_id: ASF-REC-22
+ category: process
+ description: Vulnerabilities triage and review
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-23
+ ref_id: ASF-REC-23
+ category: technical
+ description: Web Application Firewall (WAF)
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-24
+ ref_id: ASF-REC-24
+ category: technical
+ description: Secure Coding Training - Tooling and practices
+ - urn: urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-25
+ ref_id: ASF-REC-25
+ category: process
+ description: Third parties compliance questionnaire
+ framework:
+ urn: urn:intuitem:risk:framework:asf-baseline-v2
+ ref_id: ASF-Baseline
+ name: Agile Security Framework - Baseline
+ description: Quick overview of essential security domains - holistic baseline
+ for custom framework
+ requirement_nodes:
+ - urn: urn:intuitem:risk:req_node:asf-baseline-v2:01
+ assessable: true
+ depth: 1
+ ref_id: '01'
+ name: Risk, Governance and Regulation
+ description: Risk analysis, assigned personnel, management involvement, regulatory
+ framework identification, independent audit
+ reference_controls:
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-01
+ - urn: urn:intuitem:risk:req_node:asf-baseline-v2:02
+ assessable: true
+ depth: 1
+ ref_id: '02'
+ name: Inventory
+ description: Hardware and software components listed, regular controls and audits,
+ lifecycle management, categorization, visibility, and continuous improvement
+ reference_controls:
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-10
+ - urn: urn:intuitem:risk:req_node:asf-baseline-v2:03
+ assessable: true
+ depth: 1
+ ref_id: '03'
+ name: IAM/PAM
+ description: Identity federation, SSO and MFA, group-based access management,
+ secrets management, AD hardening, IAM aligned with onboarding and offboarding
+ processes
+ reference_controls:
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-04
+ - urn: urn:intuitem:risk:req_node:asf-baseline-v2:04
+ assessable: true
+ depth: 1
+ ref_id: '04'
+ name: Data Protection and Privacy
+ description: Encryption (in transit and at rest), audit trails, privacy by design
+ (data minimization at least), GDPR compliance
+ reference_controls:
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-12
+ - urn: urn:intuitem:risk:req_node:asf-baseline-v2:05
+ assessable: true
+ depth: 1
+ ref_id: '05'
+ name: Endpoint Protection
+ description: Antivirus/Antimalware, EDR, MDM, Application Control, quarantaine
+ management, email and browsing security
+ reference_controls:
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-02
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-18
+ - urn: urn:intuitem:risk:req_node:asf-baseline-v2:06
+ assessable: true
+ depth: 1
+ ref_id: '06'
+ name: Network Protection
+ description: Network segmentation, Firewall, IDS, Remote Access Control (VPN
+ and/or ZTNA), WAF, NAC, and Wireless Security
+ reference_controls:
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-11
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-23
+ - urn: urn:intuitem:risk:req_node:asf-baseline-v2:07
+ assessable: true
+ depth: 1
+ ref_id: '07'
+ name: Vulnerability Management
+ description: Identification on all workloads and assets, monitoring and communication,
+ triage and prioritization processes, continuous patching, periodic checkpoints
+ reference_controls:
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-21
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-22
+ - urn: urn:intuitem:risk:req_node:asf-baseline-v2:08
+ assessable: true
+ depth: 1
+ ref_id: 08
+ name: Training
+ description: General cybersecurity awareness, specialized training, campaigns
+ to check for efficiency
+ reference_controls:
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-17
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-24
+ - urn: urn:intuitem:risk:req_node:asf-baseline-v2:09
+ assessable: true
+ depth: 1
+ ref_id: 09
+ name: Third-Party Risk Management
+ description: Vendor management, exit strategy, privileged communication channels,
+ decoupling, incident management, contract management
+ reference_controls:
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-09
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-25
+ - urn: urn:intuitem:risk:req_node:asf-baseline-v2:10
+ assessable: true
+ depth: 1
+ ref_id: '10'
+ name: Physical Security
+ description: Facility access control, surveillance, security personnel, visitor
+ management, locks and safes, emergency response, secure disposal
+ reference_controls:
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-03
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-16
+ - urn: urn:intuitem:risk:req_node:asf-baseline-v2:11
+ assessable: true
+ depth: 1
+ ref_id: '11'
+ name: Cloud Security
+ description: Understanding of the shared responsibility model, applying the
+ same principles of IAM, network, and data protection, threat detection, and
+ response
+ reference_controls:
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-20
+ - urn: urn:intuitem:risk:req_node:asf-baseline-v2:12
+ assessable: true
+ depth: 1
+ ref_id: '12'
+ name: Software Security
+ description: Application security and DevSecOps principles, threat modelling,
+ use standard libraries, software factory security through gates (SAST, SCA,
+ secret leaks, DAST)
+ reference_controls:
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-06
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-07
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-08
+ - urn: urn:intuitem:risk:req_node:asf-baseline-v2:13
+ assessable: true
+ depth: 1
+ ref_id: '13'
+ name: Security Detection and Response
+ description: Aggregation of events for inspection and correlation, logs protection,
+ tooling and processes for timely incident response involving relevant stakeholders
+ reference_controls:
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-13
+ - urn: urn:intuitem:risk:req_node:asf-baseline-v2:14
+ assessable: true
+ depth: 1
+ ref_id: '14'
+ name: Disaster Recovery & Backup
+ description: Offline or immutable backups, performed and tested, protocols and
+ playbooks for disaster recovery documented and tested, cyber resiliency strategy
+ documented and known
+ reference_controls:
+ - urn:intuitem:risk:reference_control:asf-baseline-v2:ASF-REC-14
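Review bot: Every `reference_controls` entry under `requirement_nodes` uses an upper-case suffix (`...:asf-baseline-v2:ASF-REC-01`), while the controls are declared with lower-case URNs (`...:asf-baseline-v2:asf-rec-01`); unless the library loader normalises case, none of these references will resolve to a declared control. Two mappings also look shifted onto the node number: node 13 (Security Detection and Response) points at ASF-REC-13, which is declared as MFA Implementation, and node 14 (Disaster Recovery & Backup) points at ASF-REC-14, the Incident Response Plan, while ASF-REC-05 (Immutable backups) is referenced by no node. I would expect node 14 to carry `- urn:intuitem:risk:reference_control:asf-baseline-v2:asf-rec-05`, node 13 the `asf-rec-14` URN, and `asf-rec-13` to sit under node 03 (IAM/PAM), to be confirmed against the source spreadsheet. ASF-REC-15 and ASF-REC-19 are likewise declared but never referenced, so an assessment built on this baseline would not suggest application allow-listing or the BYOD policy for any requirement.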
diff --git a/tools/intuitem/asf-baseline-v2.xlsx b/tools/intuitem/asf-baseline-v2.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..a2d62b14ddc7ee600aff4bc800a93728e62dd217 GIT binary patch literal 14847 zcmeHu1$P`tvUQ7@nOPR2Ew-4MnVFdxEM{iOVp+`0XfauAF@wcq;n(Bc@6D`d-Y(?SlVD$OvxrlrP3^j>R(6c=4aJqeKip7xF%j zHbCO-T}CirpF5kI`LZu9bjn)=CdA1IhfVb%L+V+)ZuLE{wR+U*6$Z`DH>U0Jw zO{|?58UA?uuaEv8cFe#0^@;=;DKKW_kn_MdlJQRNRT|P+Yetbn8RHia=JXeR_Vl>I zwwHTR0q49XLeH#fw;Yf3ThqD%_X1=uSJV^{n7}O4xpvh)sh5@(D3nA;(dbk0z5r6| zvXk;#)@Yi&yro;-h>Gp}PYe`q{@5;Js)K|kS;skRvNv>PcRqm3&To{ZCYh+7sszW$J}npZ^LTjM)=6gK)q zY6M33PV*)A@Z4%fQBjm4I0Gzu|K}+OL_;cm_7X6I;SXlG~j$JAD+Y-5+ng#5~D z@domfdyo<)ue4AyMK!WPHhH0uh<2ExmuBhI9yP!0&Bsjfs?Pfh7r1YG`#}yjk(EY@=ph$H zYoiJ(c;i=-krOy2iRgsjfCR1YeJrK4aXjTt)HWL6Bt;7HjzuGgBmuGdX@i0=oF5ET zByHS?iQ#PHeY4BU&ZZ?VQCbrE$I7mPscAo@l?yK0z)5x}lGhip^&CKitknc80=iIq zqqdPK||ru(>4!oN|ILTvcXF#H6 z-b9VmHEk-%(>mnx5$?VVvb1TI3i6&wF7Bw@CZ?Vh!){}AG_j}Gu}F;|H=B|nL4j@e zmSt2Z2Pld{(UJF>>rLKol2jzyBUw%iVya}d1Qd>4bV494)*m6=Tt!yTyc137Ox+z1 zxXWqu|MamN(aw&NJ=NhfwqRr_cANKhM}p(F|FW5*4SzT)y2LIGGYr+>VRZj|i{miq zCjKe?For$*(~NOZ9ayy5pp%0(XP>~tBtnI!h2^}#(v4txzq6m>z`=34)a3whmwB-0|0OV&>%os z{!7gNO3wc;>>$A43pn=w_R*0zW!cXJKXe|{88qYLkYH<)#MK!kP_1l6n_XY3 z&mSn{;MeTeFYELyTzpHOA3*^TvV2}xIICYx?LcUg^^M^s!w3iW$i-s;VU$OvndN!j z->{fECOOc)f{j=IZ|bhyL^2p=p9`6_yLSfgYL|A)yQ*zOeAow+Syh8F%<{FpOtL z)WdEop;>E&mvH~YAm}KsMrL4?Acz0}VE-v>PUa>i&Q6TKo|ykoxU58}*i0t$;QQo9 zBD!;!C1gqYucbn`F0LxMR>Nuf5Jr~V)vDJUUI>ZCg-4_j;7c7{PO;~g&s(LM4Ol~x zYZz(Lq*21dE)?xD0e;?k5ICX>wN-|dXTkw;ecPdfPj1&iY+9?(Tgb>B(PVLc3<+Z&>L5+HllhaDwSgB+16EDtsV8CVX)r@e*M*j%tMA(?-Ib^k z@HYEi)*RieH&mkzew2!&w?cYbKfN+#Z>NN%;PM8CaX zA|eO2o;`UCr3QSY+!?4K*6`yjhg8+{8_NqR;@vAyG~V8T+<1FSN?ElHVuI)QgV+NT z)v>jK5VtCSfie{LvET+dY3j~JBMY1m8PO6!HKhl{$&$uyNuW8RVTB`me429)y_+0zfpAKgI1|9#6w4aNi~b?)rHEw!AD{#&i~xo8E@xkOEB0HM|+lVH*#5|hVxJ;OfG4m7z^8wqL;)Lb*+sh64w3EQbtxvn(9 zELj9CK4&1+2v4Ha=h;`|b38;bfkk%g3FBa=LV_`mXK{^pkQ>JJo9JhG!Vl<|celTK 
zyty~sOR{&sN-J}GXzHeE8G8^IG2XElZh?*OgjFiSYRX#P-xAqog)(^bk=lheE>BOB zOKnskjK+>x4XtOwFk?pP9~EW7N;^+nIi&8Ie&v3E`ky<*6D0uK#}6-3jp_)X4GWt- z8m%nP(f{U5sh$~E4EwQD$>96TJ#UAqQNC5fz#Kdo0-=33Hwku$c5~$GDasb**;QE* zHSbq8E@F66-Mpif%GE?hSlr}_gJjSglz}wL*hv-$W#;CuF>#T4Mff`+t>`H0#*_Da zsm9kRUX$rx+Zlfm<@Y6rVUh|~H&A96(f(JNVfmNLtj4S`0pm{ETLQX`Q2YQ2(h7Ni z%Xt}LHG!ER-6==o#21wfpJ9O-T8ALjh@IL*@3*Lfspp@CWWw^g6tdD2O&h zOf|(@SqGGd#wNihQe}LK2#?W)ZuR(-mnmwmZqcPS-3mA0Z;W`|TzU8-x%h#MV{qJd z14_G`5G6UTFB^)ABI1B?RTfWGqT&hNEGjXvm$o-v*CgbHn}VWcMwQ+6)9yvWwa?Fb zdrTHzvbDuGWXefFFsLoOhY(5L6h)q{+5~p>M}ehX$m?N~tIkrmN5;s76Gz;VUb@Ml zUXF>B-Z^U}$hk}M<-(I&8ZFbeBST%d)0*lCY;)MQsB4z=X?tcO_#3I7nXbqYy~=sF zN$=`yc%9Q14U5ie#;(t{pTyx%Tijp`I0!z2Q^RReD&0Kf3JeZYp{&1OA6Dy}*gUEZ zQ63lkvS+8zj%lLM7!vZM=&3kXkKbA=wB4v;E%ROV6m1Q@PUJ`wDr0}6Fy(qU>cjmO zHMJ}5{tiUCNWpuV{P(hPiUBToTk%O3oi3U>!J$b|OSHc@@h=5QRj}=2LKdzLboAeL z0hN#s`_?0ZEOLxhi7ULix>!|qI$0If=GSxDqmMLYnx@B?x_ar%9o;{?dT?x{r_h+O zA-Bl+abYU6b>ql|W+lG@n zxkXCiVUG9=dAyhWm%xfh$f2d9AwvHiY}L$aaU4k3A1F&P()iiLC^EkI8(m#+AVu=*>q3aLJwcc{Q1`!F$)}TRQ_1&{W1|31c)riasWGb>bt(CNur-0Zy)$kdDrR*HLZ>Cdc< za&Jw4Ntb}onf?Qw@e?I0!a(auMH7aLcb*S_Sge`F$>b)tej`H4B_nPEexdh533o>3 ztgpude!x^TFC%}`Q?Tj8!H2i4=Rap2p4h+WT4|Vm`%E;Pz#)uirYqzLd7(mW344S~ z>OI!^n>B?arBrI7;Mg*vOt=)d7ff=R$M8=9F7iorWi1#2f*@CFq-iB9ib*poa2cH} zTce-Fw4YcrFKzP0^GIH%K|8~30&|-w+u_8KXSt$vy9D%QlIYVGQ>iM7NpJ*jyl*P= zHl!TM0_|?FUQb82M?48g<5lebQS@L4cZb-43&tt*|5fx@f2|%9waRyhk%u?1?zqFw zCmIoKEIidG^G-dq?jEhj3*#-v%Q|aM-8Psd80D#o@K8S#yuPwdwzzXrNx14)Ov}jb z0MjWsNG)s&yh3C^LOTTY;H$FiIucH#!pSiCE5q&}eN$zymT`6KE z_kNJ5m)ewV)pelJ5=8-;`g?7VV*bOk&zgBZY`6o_HuKJ|{)NnilpIU;i>L$)FtSR9 zi^IR;-3Z}>Gb7nCo3(jHGT3%7*MH{?%2>L~nYulao~*5Zlvr~L57fMUErtCXx%WI| zr$!sXsr&EmQyH*|df=Z*!vbhZa<_ldN}$_;+^Vq76sb5eIPd$ETs{a<`rdcW}5d8!Dv zl1~vfMeW!ny}yKu@?fOe^9^U9&9w!hQU_vUYzI$0h9Wu#GWy12;HNeT@GLzqqL! zN8qFz_9>KfR?Hh&jrFDh-^J`M4a9xyyVJ>MqQAx*T!0}7*(Adifrq`AYqQ}P;-H_PaZa1RpXiL|f>XWBK zUoTF!cD}Oib=|JF`TI*(KfeyPP(~Xk99zPd%GN9e8VP2E4H`n=WS+iD9FK5r`Rhi^$InbS-+@Y+tIfC(n4w?)! 
zTBrc<3t~RG2xk%7Xk)leuZgdAY~|3qLkV9MYaVB330_ft^5{Qg<;>S?VO(Gi_ux?( ze^xdC0(tP0JC!jzaTI1CnODVR=pe{x(VYC-gE)@I#jx~-Ys+b!& zPS7MZ1)mrSV-5~^7IZ6~Pn6r&q@x1S!t=od#nkdJRs35Cq%YIJ|-Lvi|n`Sq3wPPA#Y~N z_s!Y6XqT8mSUNLX{wU{U&sSlW_{WIH4<52M(9UpV#|QCMgW~M$`j2Tx;Gza$_tM+l zs5>e$6`7l}r%!q{nRqpGu_LyoX?&vG0Sefb9}^#T+}3$t$)12|t$#=P#xeiaT9#da zs%0ZO*V^GwFtK~!OmTLvD@&om%pBfe)%U%Zp0{e*98$>^{AFi!lMPL(p0BKV!QxsG zZoAa-pDMm2o?LFWAUUvrxf&X@QuW#&zIekG*|kABQKI0QT^(xfB31IIikm*%=E&QQ zAVWoM3q#S98yaANM=d@Vx!NujeGc?cQO;zkb{4t)_WG9BxE%Dr!uad)*BbUzL&^@19k~nZ(2w{oN4<_>n2i)Fg^t2zd!Qy6 zol~*>8-vlAqkv+Q3vGf?0I0}Zeky3^t$YJQ9H6tXd&nk&4dM!mi(IX|NaSZSxQ_^w z7tsd%!356Pyj3W*(37zEXuYa@w>BK|h#=t%oh^jhQ>PRyNCK=GiYX6SrM|SWz0J$Z zebx4dpP(^0`5ZWZT$l4uPMI3gAIgvq1m=w9-6+KUzN#O^kZ;841 z!a9M1F_d~ zT5t8Y6g<30#C3nVF3upk26nD&6DT`=%x<2ba~%yG+ZJ~)N$iO`)9IDGPTk(lPw<@W zTfx-;?;_Qn5~{EembM#Ip`0%swJFGHnz#ipt}SMzyajZNh~1;hy`h3k6%+-)|K)AhbRI^Xzs*TW7@ zsJ!Kqff{a`2-eWAG(CYml$-@W@RRBhrWg@I*1tK_MU4XS;trdYs7gkAXAMoB$GhjG z04k=UJsg|*SmUQ@0#^_Hq(&xOHHhtTBMs(RY~50K3$}^_H}?6{!rA7ygN<8~(0mqn zk0%GO1~E9*JMn#AVoiujDl9Lw)G2sL+=fXjw%Zf~ zN{sqAjzxtfi6#g@9#yk^(S$m$+I%9Tm9VJM*RC%+f;p>6*?;Q3>$NybPB)dncnbI) zggj`TNlWA%*^ZNc-iySMd2;5J#Bs*kiTu5&mTdMt|4nB6#lscXmMw40GBTQy$>&1u zWUiuR36o5P($(|PJ7c0%f0^-A9`+cF6OR@@gYfl%0_#kE)p1*ebDEoWSc2yR+M5n- z-)k2S&4@fnIWL7H3Yl|y1F#6si)nZWQx-a?TAqNh{0TSv+MWzTR9t1rG(kvaDnX$|AM)x2rjY`Y zQw>fR>-sx_aKanbe$eqcMCv}$x0X(?&?Ibzsbg`*(pHt@ZO90kqv{YYW>00z^K-!$su#Bi(HQ#6Ddex z{VgXWl5(XOxB9W53^5doE#5SLRANV4yfNIw(8pXCqslNneJuJpav}t=iM_xd;TxQI zZ38IDRkH+$tFw+&h!AR7Sv{@Xcx^BUdU9MWI!e2Qvp=LYxhqo(k#*T^cb z$(Gn}Q_3@|AX&t8A}e4d_-C+D&RtEQ49b0ZuzN5FUZ9hm(m(vo1JE?x5r#s^Ot1Cg zd|o#8v-S*TaUlg7g^b9ltl!a~e6kkOV3~1)t@o_GRZpqVHzqA3ts1Xf0;`i#*IVo{ z(Fp=e;xEm#R7?U1;wJPv^NAM-QopBq`!+O4dF|om*4es>I5L}Cn{2Ke;cG&xe%s9Y zjvZSGWwH)r?8vdnaKgM}DXabZP_=SpYS$j|(+$zmTPbw4pBd+RbDU$p^$oJGVPD~4DU{o#PJzOhL@UW!B#^%pPh6=7J(Xxw&t1U>72JvN$UTS-AE?f$> zo+artVF|zVCw9+$t)TJ8mGop6R|t%<^vC++R8=E(l?~aKar%w_P^Wyg30^|L8yY$e62cX3H#vnW6B;QXpUpAi`5uvC 
zd4X-Yzg-~r(J+y0a-1ECPxh*62YwB0UY=TUtlfcLSeQhL=I+bwqK+*i-8XYO$?-zs zFD~TKw+v4&&4n{!qP9q%%)u#z6E&eKPl|Tl4+hwO|Nb=t`aw}*ur{P}gl;U?M4& z%f)e4%I~7zBF~tN)(6a$KtrX0n6EE7d#QJD5LMkbn}X3%`%U09+q0->T46UQ<4QwA zQ6djd`K#*Tw+KL~MDJB(oSuj+uR!pylE$pJ(0y9KKz$Y+HF+Ye1r>pDRVwuOh`nJn z&Kk94j7pl4EB-(i%FR6Clml!lyWsF9_O$f#&B5EfkxqJZ@W|n6i@# zEkGcpM`uCcsp7!s5{$*#w3x zIRqPHjcB|(<-_w?;etIzePN+HBZO&jwJh!qXdgASQFBNHuNqSRF%7w9j?+t?G(GW$ zx%d(aa25tAuYSl=zG8I$*8<5&^ge)jAVmmA^>AR@v4%WlX>Jgg6`A(p=|j#;=jMQX z;0TxYzCk3S;*4D!RzGMlq|bcYv5bGUi^V#j3>;V1BNw)ui!soi$+RyT5 zOlgPTt#n_t_*Xcz3wQPydC$kLuGFcO?lzm}1FqX7ifd7w^m?pY`X#@|vJMQuW0}2= zSQ}v{3CM`i$qwD>WINVW$Uj;mayT(KE8&&tl4SbGYK%wRfTTC!iLiySMEjPyy#4(aKYqdCa#m6m6zCt2oD=;lc+HQ^x=mk zpV*jtU#xb)Fm)>kQl5w9fX+lCy!w5 z!S0baT{qVwlS`>)=EDcY|4Eq-A`M&xo>gn9b^DC5Hen1&R<7qp`Eu|X2vTq*Ti(9z z-XA>GyS*Fds#46cpjgj6{q*tYkH_4%mbwMzES0;Lk(JhMM~;RO&E4;>pW*U|H7paI zLUT<&Gz6pYG+L2p=O8dnPHiAMG0ekAIe)?LdP2;lPJY&mSoPd1$(5_BuIT7;Tx7Li zkD|@_QPBW4RGCamp{UAlQTmxSN)0mE%N~Ek+5< zT9sL<=kxm0H(zf;N1P#Tu1FKLDM-I<7TB-1s8)PMxV1VfLSf_y3MHhx2FVQ9=I$Mm zAgwTIPEKArDmfBUbSXu6+PEHOR(|2>BC3hqSsjJUb&wK$w@*rqAdTkxywy_xuiC?o zbChVYSydO**tfOTs*36l=&^d*=Zss_@5O;3_JD!^WK+cqVJ)W#r#*8i(W_H8q*GJU z^QueN*G?X4y#|JL%~WlB&mG8H1L5m`}?`n?;AdnCr!2&9J(yJH_F;*{Mw1ILsRPsL1UzepBbG&LRu%WdOk)NNUXtytt zbalqG8%^U=1ym4v54p|-lP^A#%2qdM1rj-6D7;XT*)|&dP=D4nSg?MEQ`sR3X(8-; zW(cD604B+W@=^>WSm_?){fg=t4SmjTeUn7I8)gWe#J;7|BC2gc;Sw&P+o5BlDeY!| z-P}+2S04TA)!O@L6kY^t`+o31_V})H4Ae>_kGjyM$3k)Bdd|G1;FhF5#%#U+emI2PY~c^0jH64ilE^Vp!h4Hp=13h3N{ zGv0xaV>1!JQNX6r>;XA~<$lPL#XT;R*cTacgR2Y>^dw{o*`413dl@JOnc>+u)eG+!zT|u&5ezM!lX!X|UA&+LbGoc7qENQk_{NzSoWVki_64X_3{_buqQ@J_# zs8!300Ll`IWW4?}M^+3`{~k>8k_DWn-%~@`z}5nH@*~acGNG+S#Mx_~{V=c+nxMoC zd$%-OXusj4W1WB7`2J`)39s2GC-hd2Stlr$qSV$$<&ka9WQ8`Hy`${hy*`Fc-E3xs zU1d9#Zf#({B7DLxFX}aO?ZF<&O-;h_zUX~?B%Z=V!jo)1+akDw zK`@!o1_K1PBWc(B=y^9cZxTI1Av0z6V@Nv5&BoL|Mv~i#FFIlFCJH6p7yKZKXspgx zTc>AtbXA>|(9O-e=Y$4KCLmKIj9TubISzfPp|xw#&d4|KY6Lmo}A 
zwdXffo5*P!7*cii{Rk@2r;aeohJ-Lj;OPlG1K%g4MIfso-a}Xq~Ua;$fz?oD$x&py*U3y4CdgW_7DjJulX&+8qY1FXXeI?GZF} zfTXHMAi4|4*JZVbf>$;d+#{y?W+LPcP=1V%~P zb^6eTYS3+wW#-~HT72k17V3)IHD#r&jZ2m1{OQTIa1ufkU4lt4oJLnfeWD9FDia6n z#K_Yv?dy+LyeEIri(oO0%l+6A81Bx?okTuoi>0~9{3d0}Z5cU#wT9}PpAF<^Lx%{s zC3CBn&y+aG_^S!XiL3*2l>SsI(y3^2^9-iV4UymaSpxhxQx?M?TT7AR( z%(UNti;2I-E#nU%wvNEs%>r;Of&y$yGPX04ceJy2Vl=XIH2Gu20jyX2w;Kr<&_yLE z$N{UN!y7Wsh*BG3&CFpML*m~q$iu_2qwN|$iketu-q~OLpvQwZ^}eWddu!J__p{;M zSX8+{SdgeRB_|Xi2MjjGm1V^*&XabK1qc;`mp26BaQc&7Z{JZKQ0}bs)z1SZ!#?00 zb*cj^8J=*W!tn#7<-TZ_poc@H&BSzQQ(?#@J#7G`!uz5R#Axt1A3=rY&_-aW-DBT# zYc&FTsg>n}1jTj~q!}Bbn_T_a8b(!2=r8po^dLFt~@H(o#8kay}-m`uKtjGps@BZen6vuEO|iE_MV96;#^m;s|$% z`R}OW-o!56BA|A)0gLdj9~MyuUh>GECt=nZitzx#o0X<(hLfYK4_gk6#3HB^7T7X< zkUB|oKt!Hau?4^U7y%~|4a!x2243yI z6V-;y=&%V$R9|5Djr>=l8ra+am#4r>_U|JrQO0hS2|nZ;?2ZV24X=Gd9zLKVUtH~` zMjs^Mj;n@+04|v#Rx!%G+qWUQO}1Ufb!V9N3Wa(kQ^_U~lN$Tn(V_LLaG>l{UyBd} z;r%_9o(L*w3uuK~S|nmni$X5n2>nk;YFv1jRC^LEm8c0CnV_ngkebbg9qFSlAzv8? z6!lU>cd{3Uado7t>rS}_m4wyw9cH8<2Gt$rhu-Kl-Pf*zOMDiYY7&}djG{xnHY?*5 zj6mrP8H25~9110Sb6Yg9WRH}z@Mp67tbMS_+h z{@h_NAK$!1RHsLD#u*hCzQJtU(+d)gme_db0#>y%ZS2E-M#018m))D8;` zr+d{fLrqNNu3`K{dII|$BvNf+Som!=XXw0;p&DzMWv7HSa^&X6PAMPouKk_sx_xq> zy+E$704vhK9XfvzWfv!BJDdN~{r{640BA^>h*~u)=Fmy&f<^02mm3OXBIpU8?jGa!;=A$*APopye3h3hxq zY8y2;&1~+6gJt4}4xN-}8ENFqHzLD~8y6GLMD=>(!$>LhT0}sXn=yaPY#Ru=$(wxD z3~~$?!StmmRu&|M2-O~ehh=z=LA|Ycp|Jpsz*Wh=u<$UQSUwa>;YyEi!#Mt+IXZU! zKgY@qqw@b`@af0}Lpi