81
FIRMA – 2006 National Training Conference Searching the Clues for IT Risks….

FIRMA – 2006 National Training Conference

  • Upload
    others

  • View
    0

  • Download
    0

Embed Size (px)

Citation preview

Page 1: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Searching the Clues for IT Risks….

Page 2: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Introduction – Paul Rozek

• 17+ years with M&I Corporation • 9+ years with Jefferson Wells

Director – Tech. Risk Management Services• Member of IIA, ISACA, ISSA, HIPAA-

COW, Infragard, BRPA-SW• Masters Degree in Project Management

Page 3: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Jefferson Wells

• Headquartered in Milwaukee, WI• 10 year anniversary in 2006• 45 offices & over 2,500 employees• Subsidiary of Manpower International• Provide services in the areas of:

• Internal Controls• Technology Risk Management• Financial & Operational Management• Tax

Page 4: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Disclaimers / Ground Rules

The views and opinions expressed today do not necessarily reflect the position of Jefferson Wells International, Inc.

Any copyrights/trademarks belong to owners...

No recommendations of vendor products or services are intended. Such discussion is for illustrative purposes only. Each firm must assess its business, IT audit, and IT risk & control needs.

Page 5: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

OR, Please Do Not Use These Tactics!!!

Page 6: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Session Overview

• What’s Happening With IT?• Why Worry About IT?• What Is IT Risk?• IT Risk Assessment Process - Examples• Future Trends and Considerations• Q&A

Page 7: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Appreciate The Past…

Herman Hollerith – 1890’sComputer Tabulating Recording Co.

Page 8: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Page 9: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Appreciate The Past…

Rear Adm. Grace M. HopperENIAC Team / COBOL – 1940/50

Page 10: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Appreciate The Past…

09/09/45 – Computer Debugging Is Born…

Page 11: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Appreciate The Past…

Thomas Watson Jr. - IBM

Page 12: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Appreciate The Past…

“Apple-A-Day”

Page 13: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Appreciate The Past…

Bill Gates – MS V.1.0 - 1985

Page 14: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Appreciate The Past…

Clifford Stoll

Page 15: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Appreciate The Past…

MOVIES:

“War Games”

“The ‘Net”

“Sneakers”

“Firewall”

Page 16: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Can You Guess the Hacker?

Page 17: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Contestant #1 – Hacker?

Page 18: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Contestant #2 – Hacker?

Page 19: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Contestant #3 – Hacker?

Page 20: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Contestant #4 – Hacker?

Page 21: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Contestant #5 – Hacker?

Page 22: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

And the Answer Is….

Page 23: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

What’s Happening With IT?

Technological and sourcing revolutions are changing how firms conduct business:

AlliancesInter-networkingOutsourcing“Menu Of Options”RegulationsAttacks

Page 24: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Financial Industry IT Challenges

1. Data Integrity & Quality

2. Data Security

3. Continuous Availability

4. Maximizing Performance

Page 25: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Why Worry About IT?

• Firms with 200,000+ attacks daily

• 2,500+ software security flaws yearly

• Numerous software patches

• Close to 100,000 known viruses (& hoaxes)

• 1,600+ default passwords

Page 26: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Why Worry About IT?

CSI/FBI Computer Crime & Security Highlights

• 85% Detected computer security breaches

• 70% Stated Internet is a frequent attack point

• 64% Acknowledged financial losses

• 36% Reported intrusions to law enforcement

• 35% Could quantify their financial losses

Page 27: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Justify Solutions Using F.U.D.?

Types of Costs Associated With A Breach:1. Hardware / Software replacement2. System / people downtime3. Consulting fees / Legal fees4. Information recovery5. Lost business / Reputation6. Incidentals (food, lodging, transportation)

Page 28: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Phishing – Any Bites???

Page 29: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Keystroke Logging Anyone?Check out: www.winwhatwhere.com or

www.keyghost.com

“before” “after”

Page 30: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Keystroke Logging Anyone?

or via keyboard…

Page 31: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Seen This Before?

Slide 31

Page 32: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

1. Leave computers unattended

2. Use Post-it Notes or poor passwords

3. Open email attachments

4. Download software from the web

5. No change control for spreadsheets

6. Fail to take controls training seriously

End-User Errors Continue:

Page 33: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

“Mini-Case Study”

“What’s

Wrong

With

This

Picture?”www.csoonline.com (March 2004)

Page 34: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Senate Bill 1386Where’s The Data???

Data is being disclosed way too easily!!!Tapes falling out of vehicles…Laptops stolen in airports…Laptops / PDAs left in taxicabs…Laptops with unencrypted hard drives…CD-ROMs left on airplanes…Email attachments / “Phishing”…

Page 35: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Risk/Compliance Challenge…

Page 36: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

FERPA

HIPAA

GLBA

UETAE-SIGN

SOX

U.S.A.PATRIOT Act

DMCA

CAN-SPAM

CDC Select Agent

Program Bio-terrorism

Protection Act

TEACH

Copyright

BusinessProcesses

Anti-Terrorism

Research

Instruction

ElectronicRecords

HealthHuman

Subjects

Law EnforcementCopyright © 2004, University of Wisconsin Board of Regents

ECPACFAA

IT Security-Related Laws for Higher Ed.

Page 37: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Senate Bill #1386

(a.k.a. – The “You’ve Been Hacked” Act)California State Payroll system hacked in April 2002 – 250,000 SSN disclosed

Challenges:1. What is “personal information?”2. What constitutes a breach?3. How must individuals be notified?4. What new laws will appear? (NCSL)

Page 38: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Lots of Helpful Resources…

Page 39: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

How Do You Define IT Risk?

Standards for the Professional Practice of Internal Auditing says risk is “the uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood.”Remember – IT makes risk decisions everyday to support business success“IT risk” will become part of “ERM”

Page 40: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Financial Industry – “IT-RMP”

FIL-81-2005 released on August 18, 2005

“Information Technology Risk Management Program” (IT-RMP)

Rescinded IT-MERIT procedures & its work programs

Page 41: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT-RMPFocuses on financial institution’s information security program and risk management practices for securing information assets. Such practices include:• Risk Assessments• Operations security and risk management• Audit and independent review• Disaster recovery and business continuity• Compliance with FDIC Rule Part 364,

Appendix B

Page 42: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Risk Assessment – Example

Step #1 – Identify information assetsStep #2 – Aggregate and prioritize assetsStep #3 – Identify risksStep #4 – Prioritize risksStep #5 – List and define risksStep #6 – Reference risksStep #7 – Recommend risk mitigation

Page 43: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Risk Assessment – Steps #1 & #2

Step #1 – Identify information assets

Step #2 – Aggregate and prioritize assets

1. Create IT asset lists – services, hardware,operating systems, applications, etc.

2. Assign relativity ratings – e.g., Critical, Essential, or Normal

Page 44: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Risk Assessment – Steps #3

1. Projects – “Failure to Deliver”2. Service Continuity – “Going Off-The-Air”3. Information Assets – “Protect & Preserve”4. Service Providers – “Breaks in Value Chain”5. Applications – “Flaky Systems”6. Infrastructure – “Shaky Foundations”7. Strategic – “Disabled by IT”

“Beating IT Risks” – Jordan & Silcock, 2005

Page 45: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Risk Class #1 – Project Risks

• Planned system enhancements may not occur

• Failures due to timing, quality, and/or scope

• Skill and experience of development team

• Number and types of technologies used

• Stability of requirements

• Poor / limited management oversight

• Defects found after placed into production

Page 46: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Risk Class #2 – BCP/DRP Risks

• Focus on systems versus services

• Business processes may grind to a halt

• Poor performance and response time degradation can impact user productivity

• Backup data integrity not tested

• Limited off-site recovery capabilities and/or untested recovery capabilities

Page 47: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Risk Class #3 – Information Assets

• Firm not aware of its information asset value

• Unknown risks of disclosure, change, or loss

• Business reliance on data integrity degraded

• Repair costs of “bad” data may be significant

• Data access is excessive, not reviewed or inconsistent with job roles and responsibilities

• Systems installed without control in mind

Page 48: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Risk Class #4 – Service Providers

• Failure to deliver impacts systems & services

• Products may be faulty

• Inadequate contract / relationship mgmt

• Failure to check results to scope of work

• Failure to identify and measure service levels

• Vendors provide inadequate professionals

• Lack of formal audit clause in contracts

Page 49: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Risk Class #5 – Application Risks

• Applications do not perform as expected

• Systems are not easy to maintain

• Documentation is non-existent or poor

• Output is costly or not useful

• System is difficult to use or understand

• Users not involved with design / final testing

• Application ownership not defined

Page 50: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Application Risks Are Increasing…

Infrastructure & Information Must Be Assessed!!!

GeneralLedgerSystem

Application 2 Application 3

Application 5A

Application 7

Application 8

Application 9

Appllication10A

Application 1

Application 9A

Application 10

Application 4

Application 6

Application 5

Page 51: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Risk Class #6 – Infrastructure

• Lack of environmental controls

• Incompatible or obsolete systems used

• Loss of network connectivity

• Data networks lack bandwidth / redundancy

• Departmental systems outside of central IT

• Costs difficult to measure or control

Page 52: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Risk Class #6 – Infrastructure

Network devices

Access points – Wired & Wireless

Remote access / Dial-up modems

Business partner connections

Open/required ports & services

Traffic/data flow requirements

Page 53: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

InternalLAN

InternalLAN

HEWLETTPACKARD

HEWLETTPACKARD

HEWLETTPACKARD

1 2 3 4 5 6

7 8 9 101112

AB

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

Eth

erne

t

A

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

C

1 2 3 4 5 6

7 8 9 101112

AB

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

Eth

erne

t

A

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

C

Internal Router

Novell or Unix Server

Windows NT Workstation

Windows 98 Station

Windows NT 4.0 orWindows 2000 Server

Remote Access Server

Dialup

Internet DMZ/Gateway Servers

Mobile Home UserBranch Office(s)

Perimeter Router

Windows NT 4.0 orWindows 2000 Server

Frame Relay Circuit

Internet

HEWLETTPACKARD

Database Server(s)

Draw The Network

IT Risk Class #6 – Infrastructure

Page 54: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

InternalLAN

InternalLAN

HEWLETTPACKARD

HEWLETTPACKARD

HEWLETTPACKARD

1 2 3 4 5 6

7 8 9101 112

AB

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

Eth

erne

t

A

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

C

1 2 3 4 5 6

7 8 9 101112

AB

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

Eth

erne

t

A

12x

6x

8x

2x

9x

3x

10x

4x

11x

5x

7x

1x

C

Internal Router

Novell/UNIX/AS400/OS390/...

Windows NTWorkstations

W2K/XP Workstations

Windows NT 4.0 orWindows 2000/.NET Server

Remote Access Server

DialupConnection

Internet DMZ/Gateway Servers

Mobile/Home User

Branch Office(s)

Perimeter Router

Information"leakage"

Inadequate loggingand detection

Unnecessaryports or services

Misconfiguredweb services

Inadequatepassword controls

Excessive file anddirectory access

Improperlyfiltered networks

Windows NT 4.0 orWindows 2000/.NET Server

DedicatedCircuits

Excessiveuser rights

Misconfiguredoperating systems

Excessive trustrelationships

Improperlyconfigured routingUnsecured Remote

Access Services (RAS)

Unauthorized serverson the network

Ineffective enterprisepolicies and standards

Misconfigured firewallsand/or TCP/IP

ports or services

InternetConnection

Inadequate databackup and retention

HEWLETTPACKARD

Database Server(s)ORACLESYBASEDB2/UDBMS-SQLACCESS

Inappropriate administrativerights and table attributes

Inadequate application anddata integrity controls

Inadequate controls overphysical access to devices

"xSP" and"BusinessPartner"Access

SLAs, "Confidentiality,Integrity, and Availability ",and encryption concerns

"Wireless"Networking

Remote ControlSoftware/Modems

InternetFirewall

InternalFirewall

"Hackers "and

"Script Kiddies"

Viruses, Worms, andTrojan Horse Programs

Page 55: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Weaker Wireless Architecture

Page 56: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Stronger Wireless Architecture

Page 57: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Risk Class #7 – Strategic/Emergent

• Too many tactical / ad hoc approaches

• Mgmt rebukes importance of IT systems

• Policies are informal or not deployed

• IT control frameworks not deployed

• Regulatory or audit issues not taken seriously

Page 58: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Risk Class** – Compliance Risks

• Regulations are misunderstood

• Regulations are not fully implemented

• Financial impact is not measured

• Poor communication with employees

• Lack of monitoring & metrics programs

Page 59: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Ranks: 25-30 Critical, 16-24 Essential, 15 or less Lower Priority

12RANK:

1=1X1What Data Can Be Replicated Manually? (1=all, 2=some, 3=none)

2=2X1Who Is Impacted By Disaster? (1=internal, 2=customer, 3=both)

2=2X1Time Before Disaster Impact Occurs? (1=days, 2=hours, 3=minutes)

4=2X2% of Processes With Dependencies?(1=0-33%, 2=34-66%, 3=66-100%)

3=3X1System Integral to Cash Flow? (1=no, 2=somewhat, 3=entirely)

Total=WeightXScoreSystem: Wireless LAN

IT Risk Assessment – Step #4 - BIA

Page 60: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Risk Assessment – Steps #5 & #6

Create a comprehensive list of IT risks

Reference the risks back to your assets

Create the IT Risk Management Report

(similar to a Business Impact Analysis)

Page 61: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Risk Assessment – Step #7

Risk AssumptionAccept potential IT risk

Risk AvoidanceChange how the IT system is used or,remove IT vulnerability/ability-to-exercise

Risk LimitationArchitect IT system boundaries (VLAN/IDS)

Risk TransferSomeone else “pays” (e.g., insurance)

Page 62: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

DecisionSupportAnalysis

“Safeguard”Assessments

ThreatAssessment

VulnerabilityAssessment

RiskDetermination

ProcessCapture

IT Risk Assessment – Simpler???

Page 63: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Risk Assessments Must:

• Be Effective & Repeatable

• Identify & Prioritize Risks

• Support Mitigation & Reporting Decisions

• Be Monitored & Measured

Page 64: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

“Future Trends & Observations…”

Management’s expectations of IT

Management’s responsibility for IT

“Both reasons” support IT Governance

• quality up• time-to-market down• service levels increased• costs contained

• re-engineered processes• right-sized operations• distributed processing• flattened organizations• empowerment• outsourcing

• safeguard assets

• information has become a valuable asset

• leverage IT

Page 65: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Future Item – IT Governance

• Structure of processes to direct & control the IT enterprise

• Designed to create / add business value

• Balances business risks with IT controls

Page 66: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

IT Governance Options Include:

• FFIEC

• CobiT

• IT Infrastructure Library (ITIL)

• Microsoft Operations Framework

• ISO-17799

• NIST (SP800-30)

Page 67: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Future – IT Thinks Like Management

1. Maintain credibility by citing business benefits

2. Rely more on ROI than FUD

3. Consider use of an IT control framework

4. Use metrics to support benefits of controls and to quickly detect anomalies / defects

5. Help keep the firm out of regulatory reports

Page 68: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Future – Authentication Technologies

1. Authentication has major implications with virtually every type of business:

Function Application Data

2. “Multi-factor Authentication” risks must be analyzed and addressed

Page 69: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

The 2nd of Security’s “5 A’s”

1. Access

2. Authentication

3. Authorization

4. Accountability

5. Awareness

Page 70: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Why Use Authentication?

Network AccessServer AccessDatabase AccessInternal Application AccessWeb Application AccessATM Cash MachinesEmail Message Validity and Integrity

Page 71: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Common Solutions Include:

User ID and Password CombinationsSecurity TokensBiometrics

FingerprintHandprintRetina ScansVoiceprint

Digital Certificates / LDAP / PKI / PGP

Page 72: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

“New Solutions” – Passfaces

www.

passfaces.

com

Page 73: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Trends and Observations – “I think…”What’s Next – IT Perspective

Self-Assessments & ERM practicesVendors - risk assessments & SAS/70Regulations - lower risks / better controls IT policies and procedures deploymentEmphasis on SOD controlsIT governance / framework deploymentIT hiring & retention will be critical!!!

Page 74: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

What’s Next – IT Audit Perspective

Increased demand for IT auditorsSoftware will “commoditize” reviewsFollowing standards will be standardIT auditors will bear ‘good news’ tooFrameworks/metrics will become a way for

IT auditors to add value with IT controlsIntegrated audits and application auditsIT auditor hiring & retention will be critical

Page 75: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

What’s Next – IT Audit Perspective

Three Goals of Better IT Risk Management:

1. Improved Inputs to Audit Planning

2. Audit Plans Align with Strategic Plans

3. Audit Plans Reflect Changing IT Risks

Page 76: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Embrace The Future…

Who Knows The IT Risks & Opportunities…

Page 77: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Information Please…

Peers & Co-workersBooks and Manuals (hard & soft copy)Magazines (hard & soft copy)Email SubscriptionsSeminars / Conferences / WorkshopsVendor Demo SoftwareInternet Web Sites

Page 78: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Web Sites…

www.cfo.comwww.cio.comwww.csoonline.comwww.drj.comwww.baselinemag.cominfotech.aicpa.orgwww.dogpile.com

Page 79: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Watch For Warning Signs!

Major changes in systems or technology?Significantly changing business?Right-sizing or reengineering?Open access to systems & data?Excessive systems errors or crashes?General complaints by end-users?Ad hoc reporting for critical data?

Page 80: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

Key Take-Away!!!

Manage and monitor IT risks 24X7

No “silver bullets” with IT controls

Obtain and use the best people, processes, technology, and business partners available

Make your IT control processes and current status visible in your firms!

Page 81: FIRMA – 2006 National Training Conference

FIRMA – 2006 National Training Conference

“Searching The Clues For IT Risks”

Further Questions?Jefferson Wells888-444-5415

or414-347-2345paul.rozek@jeffersonwells.comwww.jeffersonwells.com