Information Technology (IT) Regulatory Compliance Planning John R. Robles President, John R. Robles...
-
Upload
betty-andrews -
Category
Documents
-
view
217 -
download
0
Transcript of Information Technology (IT) Regulatory Compliance Planning John R. Robles President, John R. Robles...
Information Technology (IT) Information Technology (IT) Regulatory Compliance Regulatory Compliance
PlanningPlanningJohn R. RoblesJohn R. RoblesPresident, John R. Robles & AssociatesPresident, John R. Robles & [email protected]@coqui.netwww.johnrrobles.comwww.johnrrobles.com
IT Security Summit – 2005Centro de Convenciones, August 22-23, 2006
What Is Compliance?What Is Compliance?
The act of complying with a wish, request, or demandThe act of complying with a wish, request, or demand
A disposition or tendency to yield to the will of othersA disposition or tendency to yield to the will of others
The act of submitting; usually surrendering power to The act of submitting; usually surrendering power to anotheranother
Acting according to certain accepted standardsActing according to certain accepted standards
A disposition or tendency to yield to the will of othersA disposition or tendency to yield to the will of others
Happy friendly agreement Happy friendly agreement
2 / 35John R. Robles & Associates
What Is IT Compliance?What Is IT Compliance?
Perform Perform IT functionsIT functions according to a wish, request, or according to a wish, request, or demanddemand
Disposition or tendency to yield to the Disposition or tendency to yield to the ITIT will of others will of others
The act of submitting; usually surrendering The act of submitting; usually surrendering ITIT power to power to another another
Acting according to certain accepted Acting according to certain accepted ITIT standards standards
A disposition or tendency to yield to the A disposition or tendency to yield to the ITIT will of others will of others
Happy friendly Happy friendly ITIT agreement between IT and others agreement between IT and others
3 / 35John R. Robles & Associates
What is IT Regulatory Compliance?What is IT Regulatory Compliance?
Perform Perform IT FunctionsIT Functions according to a wish, request, or according to a wish, request, or demand demand of the government or regulatory agencyof the government or regulatory agency
Disposition or tendency to yield to the Disposition or tendency to yield to the ITIT will of others will of others (government or regulatory agency)(government or regulatory agency)
The act of submitting; usually surrendering The act of submitting; usually surrendering ITIT power to power to another (government or regulatory agency)another (government or regulatory agency)
Acting according to certain accepted Acting according to certain accepted ITIT standards standards (of government or regulatory agency)(of government or regulatory agency)
A disposition or tendency to yield to the A disposition or tendency to yield to the ITIT will of others will of others (government or regulatory agency)(government or regulatory agency)
Happy friendly Happy friendly ITIT agreement with (government or agreement with (government or regulatory agency)regulatory agency)
4 / 35John R. Robles & Associates
How do I Comply with Government How do I Comply with Government or Regulatory Agency?or Regulatory Agency?
Know the IT regulations pertinent to your company or Know the IT regulations pertinent to your company or industryindustry
Discuss with: Discuss with:
Compliance OfficerCompliance OfficerLegal CounselLegal CounselInternal or External AuditorsInternal or External AuditorsExecutive ManagementExecutive Management
Determine methodology to ensure complianceDetermine methodology to ensure compliance
Perform Self AssessmentPerform Self Assessment
Improve ComplianceImprove Compliance
Maintain Compliance Officer, Legal Counsel, Internal Maintain Compliance Officer, Legal Counsel, Internal /External Auditors, and Executive Management informed /External Auditors, and Executive Management informed of self assessment and progress of improvement effortsof self assessment and progress of improvement efforts5 / 35John R. Robles & Associates
Sample of some IT regulations Sample of some IT regulations Financial Services:Financial Services:
Financial Institution LettersFinancial Institution Letters
The IT Compliance Institute has a DataBase of The IT Compliance Institute has a DataBase of Regulations by Industry and by CountryRegulations by Industry and by Country
Some known regulations include:Some known regulations include:
Sarbanes-Oxley ActSarbanes-Oxley Act
Gramm-Leach Bliley ActGramm-Leach Bliley Act
HIPAAHIPAA
Base IIBase II
USA Patriot ActUSA Patriot Act
Email/records retentionEmail/records retention
6 / 35John R. Robles & Associates
If you do not comply with Best Practices and General If you do not comply with Best Practices and General Internal Controls you may get an Audit Comment.Internal Controls you may get an Audit Comment.
If you do not comply with Regulatory Compliance you, If you do not comply with Regulatory Compliance you, your company, your company officers, or the Board of your company, your company officers, or the Board of Directors may get a Fine or Jail Time.Directors may get a Fine or Jail Time.
However, Regulatory Compliance is a subset of Best However, Regulatory Compliance is a subset of Best Practices and General Internal Controls.Practices and General Internal Controls.
That is, If you run a clean IT shop, most likely you are in That is, If you run a clean IT shop, most likely you are in compliance. compliance.
7 / 35
Regulatory Compliance is Above and Regulatory Compliance is Above and Beyond Best Practices and General Beyond Best Practices and General Internal ControlsInternal Controls
John R. Robles & Associates
How do you set up a compliant IT department?How do you set up a compliant IT department?
Establish an Internal Controls methodology with includes Establish an Internal Controls methodology with includes addressing pertinent IT regulations.addressing pertinent IT regulations.
Some of the more well-know methodologies include:Some of the more well-know methodologies include:
COSO (Committee of Sponsoring Organizations of the COSO (Committee of Sponsoring Organizations of the Threadway CommissionThreadway Commission
Cobit (Control Objectives for Information and Related Cobit (Control Objectives for Information and Related Technologies)Technologies)
ISO-17799ISO-17799
8 / 35
IT Compliance is all about IT Internal IT Compliance is all about IT Internal Controls.Controls.
John R. Robles & Associates
The GAO “Standard for Internal Control in the Federal The GAO “Standard for Internal Control in the Federal Government” and COSO define Internal Controls as:Government” and COSO define Internal Controls as:
““An integral part of an organization’s management that An integral part of an organization’s management that provides reasonable assurance that the following provides reasonable assurance that the following objectives are being achieved:objectives are being achieved:
effectiveness and efficiency of operationseffectiveness and efficiency of operations
reliability of financial reporting reliability of financial reporting
compliance with applicable laws and regulations”compliance with applicable laws and regulations”
9 / 35
An Internal Controls MethodologyAn Internal Controls Methodology
John R. Robles & Associates
Internal Controls address the following:Internal Controls address the following:
It is a processIt is a process
It is performed by peopleIt is performed by people
It provides only reasonable assurance, not absolute It provides only reasonable assurance, not absolute assuranceassurance
Internal Controls consists of:Internal Controls consists of:
Control EnvironmentControl Environment
Risk AssessmentRisk Assessment
Control ActivitiesControl Activities
Information and CommunicationsInformation and Communications
MonitoringMonitoring
10 / 35
An Internal Controls MethodologyAn Internal Controls Methodology
John R. Robles & Associates
Sarbanes-Oxley - Section 404: Sarbanes-Oxley - Section 404:
““It will beIt will be
(1) the responsibility of management for establishing and (1) the responsibility of management for establishing and maintaining an adequate internal control structure and maintaining an adequate internal control structure and procedures for financial reporting, andprocedures for financial reporting, and
(2) contain an assessment, as of the end of the most (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuers internal control structure and procedures of the issuers for financial reporting.”for financial reporting.”
11 / 35
Regulation with the greatest impact on Regulation with the greatest impact on internal controls and ITinternal controls and IT
John R. Robles & Associates
Some IT internal control frameworks:Some IT internal control frameworks:
Cobit and IT Control Objectives for Sarbanes-OxleyCobit and IT Control Objectives for Sarbanes-Oxley
ISO 17799ISO 17799
IT Infrastructure Library (ITIL)IT Infrastructure Library (ITIL)
Capability Maturity Model Integration (CMMI)Capability Maturity Model Integration (CMMI)
Naional Institute of of Standards and Technology (NIST)Naional Institute of of Standards and Technology (NIST)
12 / 35
IT Internal Controls FrameworksIT Internal Controls Frameworks
John R. Robles & Associates
The IT Compliance Institute (The IT Compliance Institute (www.itcinstitute.comwww.itcinstitute.com) has ) has the Unified Compliance Project, it addresses the the Unified Compliance Project, it addresses the following:following:
Leadership and High-Level ObjectivesLeadership and High-Level ObjectivesAudit and Risk ManagementAudit and Risk ManagementDesign and ImplementationDesign and ImplementationTechnology AcquisitionTechnology AcquisitionOperational ManagementOperational ManagementIT Staff Management and OutsourcingIT Staff Management and OutsourcingRecords ManagementRecords ManagementTechnical SecurityTechnical SecurityPhysical SecurityPhysical SecuritySystems ContinuitySystems ContinuityMonitoring, Measurement, and ReportingMonitoring, Measurement, and ReportingPrivacyPrivacy
John R. Robles & Associates 13 / 35
Unified Compliance ProjectUnified Compliance Project
BUSINESSBUSINESSREQUIREMENTSREQUIREMENTS
BUSINESSBUSINESSREQUIREMENTSREQUIREMENTS
IT PROCESSESIT PROCESSESIT PROCESSESIT PROCESSES
IT RESOURCESIT RESOURCESIT RESOURCESIT RESOURCES
Fra
mew
ork
COBIT: An IT Control Framework
John R. Robles & Associates 14 / 35
IT Processes
IT Processes
IT Resources
IT Resources
Business Requirements
Business Requirements
Data Information
Systems Technology Facilities Human
Resources
Plan and Organise Acquire and
Implement Deliver and Support Monitor and
Evaluate
Effectiveness Efficiency Confidentiality Integrity Availability Compliance Information
Reliability
COBIT Framework H
ow
do t
hey
rela
te?
John R. Robles & Associates 15 / 35
IT Processes
IT Processes
IT Resources
IT Resources
Business Requirements
Business Requirements
Data Information
Systems Technology Facilities Human
Resources
Planning and organisation
Acquisition and implementation
Delivery and Support
Monitoring
Effectiveness Efficiency Confidentiality Integrity Availability Compliance Information
Reliability
COBIT Framework H
ow
do t
hey
rela
te?
How IT is How IT is organised to organised to
respond to the respond to the requirementsrequirements
How IT is How IT is organised to organised to
respond to the respond to the requirementsrequirements
What the What the stakeholders stakeholders
expect from ITexpect from IT
What the What the stakeholders stakeholders
expect from ITexpect from IT
The resources The resources made available tomade available to— and built up by— and built up by
—IT—IT
The resources The resources made available tomade available to— and built up by— and built up by
—IT—IT
John R. Robles & Associates 16 / 35
Processes
A series of joined activities with natural control breaks
Activities or tasks
Actions needed to achieve a measurable result. Activities have a life cycle whereas tasks are discrete.
Domains
Natural grouping of processes, often matching an organisational domain of responsibility
COBIT Framework I
T P
rocesses
IT IT ProcessesProcesses
BusinessRequirements
IT IT ResourcesResources
IT IT ProcessesProcesses
BusinessRequirements
IT IT ResourcesResources
John R. Robles & Associates 17 / 35
Data: Data objects in their widest sense, i.e., external and internal, structured and unstructured, graphics, sound, etc.
Application Systems: Understood to be the sum of manual and programmed procedures
Technology: Covers hardware, operating systems, database management systems, networking, multimedia, etc.
Facilities: Resources to house and support information systems
People: Staff skills, awareness and productivity to plan, organise, acquire, deliver, support and monitor information systems and services
COBIT Framework IT
Resou
rces
IT IT ProcessesProcesses
BusinessRequirements
IT IT ResourcesResources
IT IT ProcessesProcesses
BusinessRequirements
IT IT ResourcesResources
John R. Robles & Associates 18 / 35
IT Domains• Plan and
Organise• Acquire and
Implement• Deliver and
Support• Monitor and
Evaluate
IT Processes• IT Strategy• Policy and Procedures• Feasibility Study• Acceptance Testing• Change Management• Contingency Planning• Problem Management
Activities• Record New Problem• Analyse• Propose Solution• Monitor Solution• Record Known Problem• Etc.
Natural grouping of processes, often matching an organisational domain of responsibility
A series of joined activities with natural (control) breaks
Actions needed to achieve a measurable result. Activities have a life cycle whereas tasks are discrete.
COBIT Framework IT IT ProcessesProcesses
BusinessRequirements
IT IT ResourcesResources
IT IT ProcessesProcesses
BusinessRequirements
IT IT ResourcesResources
John R. Robles & Associates 19 / 35
PO 1PO 1 Define a Strategic Information Technology Plan Define a Strategic Information Technology PlanPO 2PO 2 Define the Information Architecture Define the Information ArchitecturePO 3PO 3 Determine the Technological Direction Determine the Technological DirectionPO 4PO 4 Define the IT Organisation and Relationships Define the IT Organisation and Relationships PO 5PO 5 Manage the Investment in Information TechnologyManage the Investment in Information TechnologyPO 6 PO 6 Communicate Management Aims and Direction Communicate Management Aims and Direction PO 7PO 7 Manage Human ResourcesManage Human ResourcesPO 8PO 8 Ensure Compliance with External Requirements Ensure Compliance with External RequirementsPO 9PO 9 Assess Risks Assess Risks PO 10PO 10 Manage Projects Manage Projects PO 11PO 11 Manage QualityManage Quality
Plan and Organise
John R. Robles & Associates 20 / 35
AI 1AI 1 Identify Automated Solutions Identify Automated Solutions
AI 2AI 2 Acquire and Maintain Application SoftwareAcquire and Maintain Application Software
AI 3AI 3 Acquire and Maintain Technology InfrastructureAcquire and Maintain Technology Infrastructure
AI 4AI 4 Develop and Maintain IT ProceduresDevelop and Maintain IT Procedures
AI 5AI 5 Install and Accredit Systems Install and Accredit Systems
AI 6AI 6 Manage Changes Manage Changes
Acquire and Implement
John R. Robles & Associates 21 / 35
TopicsTopics
Delivery of required services Delivery of required services Setup of support processesSetup of support processesProcessing by application Processing by application systemssystems
QuestionsQuestionsAre IT services being Are IT services being delivered in line with delivered in line with business priorities?business priorities?Are IT costs optimised?Are IT costs optimised?Is the workforce able to use Is the workforce able to use the IT systems productively the IT systems productively and safely?and safely?Are adequate security, Are adequate security, integrity and availability in integrity and availability in place?place?
Deliver and SupportDeliver and Support
TopicsTopics
Assessment over time, Assessment over time, delivering assurancedelivering assuranceManagement’s oversight of Management’s oversight of the control systemthe control systemPerformance measurementPerformance measurement
QuestionsQuestionsCan IT’s performance be Can IT’s performance be measured and can measured and can problems be detected problems be detected before it is too late?before it is too late?Is independent assurance Is independent assurance needed to ensure that needed to ensure that critical areas are operating critical areas are operating as intended?as intended?
Monitor and EvaluateMonitor and Evaluate
COBIT Domains D
om
ain
s
John R. Robles & Associates 22 / 35
DS 1DS 1 Define and Manage Service LevelsDefine and Manage Service LevelsDS 2DS 2 Manage Third-party Services Manage Third-party Services DS 3DS 3 Manage Performance and Capacity Manage Performance and Capacity DS 4DS 4 Ensure Continuous Service Ensure Continuous Service DS 5DS 5 Ensure Systems Security Ensure Systems Security DS 6DS 6 Identify and Allocate CostsIdentify and Allocate CostsDS 7DS 7 Educate and Train Users Educate and Train Users DS 8DS 8 Assist and Advise CustomersAssist and Advise CustomersDS 9DS 9 Manage the Configuration Manage the Configuration DS 10DS 10 Manage Problems and Incidents Manage Problems and Incidents DS 11DS 11 Manage Data Manage Data DS 12DS 12 Manage Facilities Manage Facilities DS 13DS 13 Manage OperationsManage Operations
Deliver and Support
John R. Robles & Associates 23 / 35
M1 Monitor the ProcessM2 Assess Internal Control AdequacyM3 Obtain Independent AssuranceM4 Provide for Independent Audit
Monitor and Evaluate
John R. Robles & Associates 24 / 35
The control of
IT Processes which satisfy
is enabled byControl
Statements consideringControl
Practices
COBIT Framework W
ate
rfall
Mod
el
4 Domains - 34 Processes - 318 Control Objectives4 Domains - 34 Processes - 318 Control Objectives
BusinessRequirements
John R. Robles & Associates 25 / 35
PO1 Define a strategic IT planPO2 Define the information architecturePO3 Determine the technological directionPO4 Define the IT organisation and relationshipsPO5 Manage the IT investmentPO6 Communicate management aims and directionPO7 Manage human resourcesPO8 Ensure compliance with external requirementsPO9 Assess risksPO10 Manage projectsPO11 Manage quality
AI1 Identify automated solutionsAI2 Acquire and maintain application softwareAI3 Acquire and maintain technology infrastructure AI4 Develop and maintain IT proceduresAI5 Install and accredit systemsAI6 Manage changes
M1 Monitor the processM2 Assess internal control adequacyM3 Obtain independent assuranceM4 Provide for independent audit
DS1 Define service levelsDS2 Manage third-party servicesDS3 Manage performance and capacityDS4 Ensure continuous serviceDS5 Ensure systems securityDS6 Identify and attribute costsDS7 Educate and train usersDS8 Assist and advise IT customersDS9 Manage the configurationDS10 Manage problems and incidentsDS11 Manage dataDS12 Manage facilitiesDS13 Manage operations
IT RESOURCES
IT RESOURCES
• Data• Application systems• Technology• Facilities• People
• Data• Application systems• Technology• Facilities• People PLAN AND
ORGANISEPLAN AND ORGANISE
ACQUIRE ANDIMPLEMENT
ACQUIRE ANDIMPLEMENT
DELIVER AND SUPPORT
DELIVER AND SUPPORT
MONITOR AND EVALUATE
MONITOR AND EVALUATE
• Effectiveness• Efficiency• Confidentiality• Integrity• Availability• Compliance• Reliability
• Effectiveness• Efficiency• Confidentiality• Integrity• Availability• Compliance• Reliability
Criteria
Business ObjectivesCOBITFramework
John R. Robles & Associates 26 / 35
PO1 PO1 Define a strategic IT planDefine a strategic IT planPO3 Determine the technological directionPO5 Manage the IT investmentPO9 PO9 Assess risksAssess risksPO10 PO10 Manage projectsManage projectsAI1 Identify solutionsAI2 Acquire and maintain applications s/wAI5 Install and accredit systemsAI6 AI6 Manage changesManage changesDS1 Define service levelsDS4 Ensure continuous serviceDS5 DS5 Ensure system securityEnsure system securityDS10 Manage problems and incidentsDS11 DS11 Manage dataManage dataM1 M1 Monitor the processesMonitor the processes
The Most Important IT Processes
3434
1515
77
SurveySurvey
John R. Robles & Associates 27 / 35
High-level Control ObjectiveOne per process
Detailed Control ObjectivesThree to 30 per process
Control PracticesFive to seven per control objective
COBIT—Content
John R. Robles & Associates 28 / 35
Based on the 41 primary references
Developed following a rigorous research process
Three to 30 detailed control objectives for each of the 34 processes
Directed to IT management, IT staff, control and audit functions and business process owners
For each process, detailed control objectives are identified as « good practice » that need to be in place, and that will be assessed for sufficiency by the controls professional.
Control objectives provide a working document, a place to start, from which selections need to be made based on the enterprise value and risk drivers.
COBIT Control Objectives
John R. Robles & Associates 29 / 35
To improve audit approach/programs To support audit work with detailed audit
guidelines To provide guidance for IT governance As a valuable benchmark for IS/IT control To improve IS/IT controls To standardise audit approach/programs
How Is CHow Is COBIOBIT Used?T Used? ( (Results from Surveys)Results from Surveys)
The COBIT Framework
John R. Robles & Associates 30 / 35
COBIT—Benefits
WhatWhatComfort about:Comfort about:• Dependence on ITDependence on IT• IT risks are mitigatedIT risks are mitigated• IT delivers valueIT delivers valueAssurance of: Assurance of: • Cost down and revenue upCost down and revenue up• Business operations improvedBusiness operations improved• Service levels maintainedService levels maintained
WhoWho• ExecutiveExecutive• Business managerBusiness manager• IT managerIT manager• Project managerProject manager• DeveloperDeveloper• Operations staffOperations staff• UserUser• Security officerSecurity officer• AuditorAuditor
John R. Robles & Associates 31 / 35
COBIT Products
Management GuidelinesManagement Guidelines Provide management direction for:Provide management direction for:
• Getting the enterprise's information and related processes under control Getting the enterprise's information and related processes under control
• Monitoring achievement of organisational goals Monitoring achievement of organisational goals
• Monitoring and improving performance within each IT processMonitoring and improving performance within each IT process
• Benchmarking organisational achievementBenchmarking organisational achievement Action-oriented and genericAction-oriented and generic Provide answers to typical management questions:Provide answers to typical management questions:
• How far should we go in controlling IT, and is the cost justified by the benefit?How far should we go in controlling IT, and is the cost justified by the benefit?
• What are the indicators of good performance?What are the indicators of good performance?
• What are the critical success factors?What are the critical success factors?
• What are the risks of not achieving our objectives?What are the risks of not achieving our objectives?
• What do others do? How do we measure and compare?What do others do? How do we measure and compare?
PracticesResponsibilities
Executives & BoardsExecutives & Boards
Business and Technology ManagementBusiness and Technology Management
Performance measuresPerformance measures
Critical success factorsCritical success factors
Maturity modelsMaturity models
Audit, control and security professional Audit, control and security professional
What is the ITWhat is the ITControl Framework ?Control Framework ?
How to assess the ITHow to assess the ITControl Framework ?Control Framework ?
How to introduce itHow to introduce itin the enterprise ?in the enterprise ?
PracticesResponsibilities
Executives & BoardsExecutives & Boards
Business and Technology ManagementBusiness and Technology Management
Performance measuresPerformance measures
Critical success factorsCritical success factors
Maturity modelsMaturity models
Audit, control and security professional Audit, control and security professional
What is the ITWhat is the ITControl Framework ?Control Framework ?
How to assess the ITHow to assess the ITControl Framework ?Control Framework ?
How to introduce itHow to introduce itin the enterprise ?in the enterprise ?
PracticesResponsibilities
Executives & BoardsExecutives & Boards
Business and Technology ManagementBusiness and Technology Management
Performance measuresPerformance measures
Critical success factorsCritical success factors
Maturity modelsMaturity models
Audit, control and security professional Audit, control and security professional
What is the ITWhat is the ITControl Framework ?Control Framework ?
How to assess the ITHow to assess the ITControl Framework ?Control Framework ?
How to introduce itHow to introduce itin the enterprise ?in the enterprise ?
PracticesResponsibilities
Executives & BoardsExecutives & Boards
Business and Technology ManagementBusiness and Technology Management
Performance measuresPerformance measures
Critical success factorsCritical success factors
Maturity modelsMaturity models
Audit, control and security professional Audit, control and security professional
What is the ITWhat is the ITControl Framework ?Control Framework ?
How to assess the ITHow to assess the ITControl Framework ?Control Framework ?
How to introduce itHow to introduce itin the enterprise ?in the enterprise ?
John R. Robles & Associates 32 / 35
Raise awareness
& make decision
Analyse values
and risks
Select processes
Identify needsIdentify needs
Define projects
Develop & implement
change plan
Plan the solutionPlan the solution
Integrate into day-to-
day practices
Integrate measures into ITBSC
Implement the solutionImplement the solution
Define where you
are
Define where you want to be
Analyse gaps
Envision the solutionEnvision the solution
ImplementationRoad Map
Post- implement.
review
FeedbackFeedback
IT Governance Implementation Guide
John R. Robles & Associates 33 / 35
Conclusion—COBIT Values
Sharing knowledge and leveraging expert volunteersInternationally accepted good practicesContinually evolvesMaintained by reputable not-for-profit organisationMaps strongly onto all major related standardsIs management-orientedIs supported by tools and trainingMaps completely to ISO17799 and COSO
Provide action-oriented solutionsFUTUREFUTURE
PRESENTPRESENT
John R. Robles & Associates 34 / 35
IT Governance InstituteIT Governance Institute3701 Algonquin Road, Suite 10103701 Algonquin Road, Suite 1010Rolling Meadows, IL 60008 USARolling Meadows, IL 60008 [email protected]@[email protected]@isaca.orgwww.isaca.orgwww.isaca.orgwww.itgi.org
John R. Robles and AssociatesJohn R. Robles and Associates787-647-3961787-647-3961jrobles@coqui.netwww.johnrrobles.com
The COBIT Framework
John R. Robles & Associates 35 / 35
Thank You!Thank You!
Questions and Answers.Questions and Answers.
John R. Robles & Associates 35 / 35