[From the desk of Paul G Davis – his opinion and no-one else’s, apart from those of the authors of the articles.]
And so, now the news
* QinetiQ : Lack of process and security culture are chief factors leaving firms open to cyber attack
* Smartworld to launch ME’s first of its kind Cyber Security Centre
* Auto Dealers Under Imminent Threat of Security Breaches, Helion Technologies Announces
* Cybercrime damages expected to cost the world $6 trillion by 2021
* OT, Compliant with Discover’s Latest Specifications on Dual Payment Cards
* Reserve Bank takes action to fend off sustained cyberattacks[South Africa]
* Rio Olympics sees more IT security events than London games
* Third-party vendors — your weakest link?
* How to get your network and security teams working together
* Data security and breach notification in Belgium
* Feds plan to investigate more healthcare breaches
* Data security and breach notification in Singapore
* Risk Management: Time for Introspection for Asia-Pacific Security Leaders
* Week in Review: Proposed Rule Changes and Another Data-Breach Decision
* California to mull biometric standards in data breach law
* Proof Of Concept: Tips For Successful Testing
* Infrastructure Pros Look To Add Skills
* To really improve corporate culture, it must be measurable
QinetiQ : Lack of process and security culture are chief factors leaving firms open to cyber attack
A lack of understanding of how to mitigate employee negligence is leaving firms wide open to cyber-attacks, a whitepaper published by defence and security consultancy QinetiQ has warned.
In an analysis of government data and work with its own clients, QinetiQ has identified a clear gap between employee knowledge and their actions, concluding that security training alone will not change employee behaviours, with QinetiQ advocating a more holistic approach to security, designed with the integration of people, process and technology in mind.
Recent government data has shown that 81% of large organisations that were victims of hacking in 2015 stated that the actions of their employees aided the attacker, with 90% of large organisations suffering some sort of overall breach.
Despite widespread awareness of this threat, the security consultancy found that most organisations lack a clear understanding of the complex interaction between human behaviour, technology and organisational process.
This often leaves cyber security processes below par, and creates an ideal route for attackers to cause serious damage and disruption to major companies and organisations.
Ensuring company best practice is written in plain English is of utmost importance.
Policy should provide context and relevance to employee’s day to day lives, and be drafted and considered in line with the wider goals of the business.
Analysis has shown that employees will often sign/agree to policy documents without reading the contents because of too much jargon, leading to situations where employees are unaware of protocol when they are most needed.
Human behaviour analysis should form the bedrock of any security strategy and should actively steer policy direction.
A clear assessment process can give a 360-degree view, often yielding invaluable knowledge of where security is optimal or needs improvement.
With this knowledge, businesses can save significant investment and maintain a clear view of the performance of security policies, such as monitoring recent training and how this has impacted employees across different sectors of the business.
Training must be designed to be regular, relevant, short, engaging and empowering to bolster its effectiveness and prevent employees from unwittingly (or deliberately) causing a security breach.
The common pitfalls of training practices are often that it is long and laborious, but infrequent.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=06386539b1&e=20056c7556
Smartworld to launch ME’s first of its kind Cyber Security Centre
Smartworld, a joint venture between Etisalat and Dubai South, has signed an agreement to launch the Middle East’s first of its kind ‘Cyber Security Centre.’ The UAE is among the top three targeted countries in the world in terms of cyber attacks, according to the data shown at the new Cyber Security Centre at Smartworld Headquarters in Dubai.
In its 2015 Internet Security Threat Report, Symantec noted that the UAE has jumped dramatically in the world ranking from 49 in 2014 to 41 in 2015.
The initiative is in line with the vision and development strategies of the UAE and Dubai especially toward technological advancements in all areas and supports the most critical component of security for organisations.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c4d6448180&e=20056c7556
Auto Dealers Under Imminent Threat of Security Breaches, Helion Technologies Announces
TIMONIUM, MD, UNITED STATES, August 22, 2016 /EINPresswire.com/ — Helion Technologies announced today that 75 percent of small businesses have experienced security breaches in the last 12 months, according to a recent survey conducted by Osterman Research.
The findings were published in a July 2016 report titled IT Security at Small to Mid-Size Businesses (SMBs): 2016 Benchmark Survey.
The results were obtained from organizations ranging in size from 100 to 3,000 employees.
Small businesses, defined as having fewer than 500 employees, were most vulnerable to security attacks as they are less likely to have full-time security experts on staff.
Nearly one-third of the survey respondents have two or fewer IT personnel focused solely on security, indicating that smaller companies do not have the expertise necessary to deal with attacks, infections and other problems quickly and efficiently.
The survey also found that for SMBs, overall security-related costs have increased an average of 23 percent in the last 12 months.
The increase is likely correlated to the growing number of security threats; for example, in 2015 the number of phishing URLs increased by 55 percent and the total volume of new malware increased by 14 percent.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=994867da8d&e=20056c7556
Cybercrime damages expected to cost the world $6 trillion by 2021
Cybercrime will continue its stratospheric growth over the next five years, according to a recent report published by Cybersecurity Ventures. (Disclaimer: Steve Morgan is the Founder and CEO at Cybersecurity Ventures.)
While there are numerous contributors to the rise in cybercrime — which is expected to cost the world more than $6 trillion by 2021, up from $3 trillion in 2015 — the most obvious predictor is a massive expansion of the global attack surface which hackers target.
Data remains the primary hacker target.
Microsoft predicts by 2020 data volumes online will be 50 times greater than today.
There are 111 billion lines of new software code being produced each year — which will include billions of vulnerabilities that can be exploited, according to research conducted by Secure Decisions.
The $6 trillion estimate of costs related to cybercrime damages by 2021 is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation state sponsored and organized crime gang hacking activities, a cyber attack surface which will be an order of magnitude greater than it is today, and the cyber defenses expected to be pitted against hackers and cybercriminals over that time.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8e796e0f01&e=20056c7556
OT, Compliant with Discover’s Latest Specifications on Dual Payment Cards
COLOMBES, France–(BUSINESS WIRE)–OT (Oberthur Technologies), a leading global provider of embedded security software products and services, today announced that its dual EMV payment cards are certified by Discover with its latest specifications, D-Payment Application Specification (D-PAS) version 1.1.
These cards can be used worldwide across the Discover Global Network, which includes Discover Network, Diners Club International, PULSE and affiliated networks.
OT’s Discover-certified EMV dual interface payment cards can be used to make payments simply by tapping them in front of a contactless terminal.
It further strengthens OT’s wide EMV certified cards portfolio.
Other functionalities, such as transport, micropayment or access control, can accompany Discover’s payment functionalities.
These cutting-edge payments cards meet international security standards in order help decrease fraud and improve cardholders’ protection.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c6f9ec7682&e=20056c7556
Reserve Bank takes action to fend off sustained cyberattacks[South Africa]
The Reserve Bank has established a special forum of all SA’s major financial institutions to put together contingency measures to protect SA’s critical financial infrastructure from a prolonged cyberattack.
This was revealed on Tuesday by Governor Lesetja Kganyago in Johannesburg at the first ever cybersecurity conference organised and hosted by the Bank.
Noting that the Financial Sector Regulation Bill currently before Parliament will make the Bank responsible for ensuring the safety and soundness of financial institutions, not just overseeing their regulation, Kganyago said the Bank was serious about deepening cyber resilience in the sector.
To this end, the Bank had established the Financial Sector Contingency Forum (FSCF), representing all major financial sector stakeholders.
One of the responsibilities of the forum will be to put contingency plans in place for such an attack.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=cba5a0aa70&e=20056c7556
Rio Olympics sees more IT security events than London games
Olympic IT partner Atos has published a report on its performance and the main highlights of the 2016 Rio Summer Olympic Games.
Atos installed and managed a complete IT infrastructure at 37 competition venues, while the number of IT security events per second amounted to 400, compared to 200 per second in London.
A total of 300,000 accreditations were processed and activated using the Atos IT system (up 20 percent since London 2012), while over 100 million messages were sent to media customers to share the real time results and data from all 42 Olympic sports and 306 events (up from 58.8 million at London 2012).
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7b27b30476&e=20056c7556
Third-party vendors — your weakest link?
In my experience, too many organizations still don’t pay close attention to their third parties.
According to an article by Evantix, of 450 breaches investigated in 2013, a staggering 63% involved a third party.
Experian, in their 2015 Data Breach Industry Forecast, made the case well, saying “As more companies adopt interconnected systems and products, cyber attacks will likely increase via data accessed from third-party vendors.” The same report expresses concern about the growth of a different sort of third party exposure — Internet of Things devices, a risk that the business world is just now beginning to face.
While the lack of appropriate security precautions and risk management processes are very common among small vendors, the big guys have lapses too.
In late 2015, Hartford Hospital shared a $90K HIPAA-related fine with tech giant EMC, because of their failure to safeguard customer data on laptops.
Corporate leadership must make third-party risk management a priority for it to be successful.
Such a program requires resources, and often involves delays in the purchase of products and services while the related risk is assessed.
Without strong support from the C-Suite, managers will simply ignore third-party risk, and just buy whatever they want whenever they get in a hurry.
Third-party oversight should begin with a structured program, with proper documentation and procedures.
The program must be an ongoing effort, rather than a one-time review.
This should include complete analysis of each vendor BEFORE a contract is signed.
For ideas on how to structure such a system, I would suggest that you review “Third-party risk management — not just papering the file.”
Bottom line — unmanaged third parties can pose a risk to your company that is even greater than that posed by your own internal security issues.
Bad actors know this as well, and they will exploit this opening unless you step up and manage the risk.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=7a5a89c9d1&e=20056c7556
How to get your network and security teams working together
Your network and security teams may have different goals and objectives, but as networks grow more complex, it’s time to get these two teams on the same page to help avoid miscommunication around security threats.
One of the biggest reasons these two teams aren’t known for strong communication and teamwork, according to Vigna, is their “conflicting goals.” Network teams are focused on network availability and usability, while security teams are focused on potential risks and vulnerabilities.
And security measures can often slow things down — adding things like two step authentication, firewalls or other precautions that might hinder how fast networks can get up and running.
So, for a team focused on speed and availability, security can often be seen as a roadblock in reaching those goals — and vice versa.
“This becomes a problem when network professionals feel that security measures are red tape getting in the way of their processes, and security professionals feel that network team’s expansion and development of complex architectures are opening up the system to potential attacks,” says Vigna.
The best solution to this problem.
Start communicating, says Vigna.
The time to communicate isn’t after something bad has happened; it’s before. “Both network and security teams should proactively reach out to one another and discuss trends and issues on a day-to-day basis in order to be prepared for the worst,” he says.
Hiring the right tech workers might seem obvious, but if you want your network and security teams to get along, include it in your hiring process.
While network and security professionals have different skillsets, you can still emphasize during the interview process that you encourage collaboration between the two teams, so they come in knowing what to expect.
Schwartz also points to the CIO as a guidepost for the rest of the department.
As the CIO, he says, you need to encourage both teams to understand one another’s priorities and goals.
You can’t expect your teams to understand how they can help one another if they don’t even know how the other operates on a day-to-day basis.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c7548e4929&e=20056c7556
Data security and breach notification in Belgium
Article 16(4) of the Act of December 8 1992 on the Protection of Privacy with respect to the Processing of Personal Data (the ‘Data Protection Act’) provides that data controllers and data processors must implement sufficient technical and organisational security measures with respect to the protection of personal data against destruction, accidental loss and any non-authorised processing of data.
Although the Data Protection Act imposes no specific security measures, the notification form used by the Belgian Data Protection Authority for the notification of data processing activities lists a wide range of possible security measures, including physical access control, encryption, appropriate clauses in contracts with personnel and processors, access logging and prevention plans.
Data owners or controllers must inform the individuals of a data breach without undue delay if there is a high risk that their data could be used by third parties.
Notification is not required if the data is encrypted or if measures have been taken to ensure that the data subject cannot be identified.
However, the Belgian Data Protection Authority can always order the data controller to inform the individual of the data breach.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3c84eb844c&e=20056c7556
Feds plan to investigate more healthcare breaches
The HHS Office for Civil Rights, which enforces rules surrounding HIPAA, has announced it will investigate breaches of protected health information affecting fewer than 500 individuals.
In the announcement, OCR cited five recent settlements with covered entities that had smaller breaches; the settlements included financial fines and imposition of corrective action plans.
But some of these smaller breaches are not recent, highlighting settlements reached one or more years ago.
The settlements included Catholic Healthcare Services of the Archdiocese of Philadelphia ($650,000 on June 29, 2016), Triple-S Management Corp. ($3.5 million on Nov. 30, 2015), St.
Elizabeth’s Medical Center in Brighton, Mass. ($218,400 on July 10, 2015), QCA Health Plan ($250,000 on April 22, 2014), and Hospice of North Idaho ($50,000 on Jan. 3, 2013).
It’s not surprising that OCR now has formally announced more aggressive reviews of smaller breaches, says Thad Phillips, a principal consultant at tw-Security, a consultancy.
In 2013, Leon Rodriguez, then director at OCR, warned covered entities that regardless of size, providers needed to better protect patient information and said OCR would expand investigations of smaller breaches, Phillips says.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=bd9d26d169&e=20056c7556
Data security and breach notification in Singapore
Section 24 of the Personal Data Protection Act obliges an organisation to protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.
Under the Personal Data Protection Act, no explicit requirement exists for organisations to notify individuals in the event of a breach.
However, the Personal Data Protection Commission (PDPC) Guide to Managing Data Breaches provides that it is good practice to notify individuals affected by a data breach.
No general requirements for organisations to notify the regulator in the event of a breach exist.
However, there are industry specific requirements.
On July 1 2014 the Monetary Authority of Singapore instructed financial institutions to report all security breaches within one hours of their discovery.
For further information see the Technology Risk Management Notice and Guidelines.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=05906f5147&e=20056c7556
Risk Management: Time for Introspection for Asia-Pacific Security Leaders
Cyberattacks are increasing at an alarming pace.
With that, the cost of a data breach is also increasing.
In India, for example, the average total cost of data breach increased from 88.5 million Indian rupees in 2015 to 97.3 million Indian rupees in 2016 — an increase of 10 percent.
Because of the nature of data, certain industries have a higher average breach cost compared to others.
As a result of all this, CISOs are faced with big, tough challenges.
Security leaders should ask the following questions about their risk management posture:
-Are you protected from the latest threats?
-Have you protected your most critical data?
-Do you have access to the right skill set?
-Are you adapting to changing platforms?
-Are you operating at an appropriate maturity level for your industry?
You need to find out where you are in your risk management journey.
Are you just starting out or are you well on your way.
Whatever the answer, it is imperative to plan accordingly.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c619f771ec&e=20056c7556
Week in Review: Proposed Rule Changes and Another Data-Breach Decision
Today’s round-up takes a look at the potential impact on class-action litigation of some recently proposed amendments to the Federal Rules of Civil Procedure, and continues our exploration of what type of injury it takes to sustain a data-breach class action.
For Data-Breach Class Actions, the Spoils of the Heist Matter: A case could be made that 2016 is the year of the data-breach class action—we’ve certainly devoted substantial attention to the subject here.
This month’s ruling in Attias v.
Carefirst, Inc. adds another weapon to defense practitioners’ arsenal on the issue of whether a data breach alone is a sufficient injury to support a claim.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c74c017cc0&e=20056c7556
California to mull biometric standards in data breach law
A California lawmaker has proposed that a standard be established for businesses to protect personal consumer information including location and biometric data.
The newspaper notes that the new bill would expand the definition of personal information in California law beyond social security numbers, driver’s license numbers and medical information to include geolocation and biometric data, tax identification numbers, passport numbers, military identification numbers, and employment identification numbers.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=8a41b0d215&e=20056c7556
Proof Of Concept: Tips For Successful Testing
The most important part of the POC is to know what you’re looking for from the outset.
With this in mind, it’s very important to work with all stakeholders to first identify what it is you’re trying to accomplish or what problems you need to solve with the software.
Additionally, POCs are a great way to compare and contrast multiple vendors at the same time.
In doing so, you can often quickly figure out if what their salespeople say is really true, or, if they’re just providing a “marketing checkbox” of hyped features that serve no real purpose or merely meet obligatory criteria.
The first test in any POC is the vendor’s reaction.
If the vendor tries to talk you out of conducting it or uses delay tactics, that generally means the reps know their product won’t do well.
On the other hand, if the vendor is actually pushing for a POC, that could mean the reps are confident in their technology’s ability to perform and have a high rate of success in these situations.
Also be wary if the vendor asks you to pay for a POC.
Having to pay can depend on the complexity of the software being evaluated.
However, if you’re looking at other products that offer a true “try before you buy” approach, a vendor requiring money could indicate issues ranging from possible financial strains and an inability to compete to a lack of ongoing support..
POC criteria should always be developed by a team of business stakeholders, not the vendors.
Vendor-supplied criteria for a POC is designed to make the vendor look good, but may not meet your business requirements.
That doesn’t mean you can’t change criteria if one vendor has a feature you find useful; it just means you shouldn’t let any one vendor determine the boundaries of the POC-playing field.
Next, be prepared.
Most vendors will give you a list of criteria (requirements) for a lab environment to ensure proper testing.
If the vendor has agreed to come onsite and help set up the POC, it can be a long day if the lab is not arranged properly.
For this reason, ask each vendor for its prerequisites and get things set beforehand.
While not always possible, it’s also a good idea to have a separate lab environment for each vendor if you’re doing multiple POCs.
For cloud-based applications, this step is actually easier whereas most vendors will provide you with a “sandbox” area to test the software.
Still, be ready to provide any data or testing criteria that you specifically want to evaluate.
During the POC, stick to timeframes.
Ask each vendor how long the POC should take and then make sure that everyone sticks to the allotted time.
Endless POCs don’t really do anyone any good, and if the vendor can’t get things working in the environment you provided – especially with agreed-upon criteria – only allow so many chances to make it work.
After all, if it doesn’t function properly in the lab, do you think it will work in production.
Moreover, how long installation and configuration takes in the lab also is a good indication of how long it will take in production.
Finally, make sure that you allot enough time for the POC.
Vendors understand you have a job to do, but if there’s not sufficient POC time scheduled on your calendar, you’ll never get it done or you may cut corners.
Remember, timeframes are also important in keeping salespeople off your back: If you tell them it will take a week, they will call you in a week, and will continue to do so until you answer.
The better everyone does in setting proper expectations, the happier all involved will be, and the more likely it is that you’ll get the proof-positive results you’re seeking.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=5e293a6b39&e=20056c7556
Infrastructure Pros Look To Add Skills
As data center and networking jobs change with the rise of cloud and software-defined infrastructure, those working in the infrastructure field are actively looking to expand their skillsets.
When asked what specific skills they planned to learn in 2016, survey respondents chose security as their number one priority, at 50%.
Staff-level employees also cited network engineering and operations (36%), cloud integration (28%), wireless (20%), and data storage (19%).
Those at the management level chose leadership skills (37%), project management (31%), cloud integration (30%), and business skills (21%).
In follow-up interviews, respondents also specified they’d like more training in Amazon Web Services, Microsoft Azure, and agile project management.
When it comes to the type of training respondents would like, the more technical the better.
Seventy-seven percent of staff and 63% of managers chose technology-specific training as most desirable, followed by certification courses at 61% for staff and 34% for managers.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d29ae0081b&e=20056c7556
To really improve corporate culture, it must be measurable
Douglas W.
Hubbard, who developed Applied Information Economics as a practical application of scientific and mathematical methods to complex decision making, goes out further on a limb when it comes to measurement.
According to Mr.Hubbard:
“Anything can be measured. If something can be observed in any way at all it lends itself to some type of measurement method. No matter how ‘fuzzy’ the measurement is, it’s still a measurement if it tells you more than you knew before.”
For the auditor, compliance professional, and others charged with evaluating (i.e., measuring) the effectiveness and value of compliance program activities, Hubbard’s treatise, How to Measure Anything: Finding the Value of Intangibles in Business,3rd Edition, is a worthy read.
Undertaking this methodology forces clarity in considering the objectives you are trying to achieve.
When computing the value of information, you may learn that you have been measuring all the wrong things.
If your “program” is providing a service the value of which cannot easily be measured, maybe you need to reconsider what you are trying to achieve.
Some kind of observable consequence must be present if it really matters (even if dictated by laws and regulations).
Measuring things just because they are easy to measure is ultimately useless.
A thought experiment to try, which Hubbard calls a “clarification chain” is to imagine “if we didn’t do this, would there be an impact, and how would we notice the difference?” For example, a safe work environment has been shown to relate directly to safe employee behavior; similarly, a climate for customer service is known to predict customer satisfaction.
For compliance programs, if we care about an “intangible” that we call culture or ethical climate, because it impacts certain things—such as perceptions that your supervisor and company sets a good example of ethical behavior, or that employees do not fear retaliation for reporting misconduct—we should be able to measure such outcomes.
As described in its February 2016 Targeted Exam Letter, FINRA requested firms submit eight categories of information related to the organization’s cultural values, stating “We will formalize our assessment of firm culture to better understand how culture affects a firm’s compliance and risk management practices.” Significantly, FINRA is, “particularly interested in how your firm measures compliance with its cultural values, what metrics, if any, are used, and how you monitor for implementation and consistent application of those values throughout your organization.”
The evaluation of culture and compliance effectiveness are in fact empirical issues.
The elements of a compliance program and vague indicators should not be taken on faith.
Whenever practical, tactics based on studies by social scientists should be field-tested using randomized controlled trials to estimate their economic benefits.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d6559256c1&e=20056c7556
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com (mailto:dailynews@paulgdavis.com)
If you know someone else who would be interested in this Newsalert, please forwarded this email.
If you want to be added to the distribution list, please click this: Subscribe to this list (http://paulgdavis.us3.list-manage.com/subscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a)
Unsubscribe from this list (http://paulgdavis.us3.list-manage.com/unsubscribe?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556&c=2e11572e9e)
Update subscription preferences (http://paulgdavis.us3.list-manage1.com/profile?u=45bf3caf699abf9904ddc00e3&id=e09452545a&e=20056c7556)
============================================================
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()
()