January IIA Meeting Topic: Cybersecurity - Securing Your 2016 Audit Plan January 5, 2016


  • Slide 1

    January IIA Meeting

    Topic: Cybersecurity - Securing Your 2016 Audit Plan

    January 5, 2016

  • Slide 2

    Agenda

    - 2015 Major Published Cybersecurity Incidents
    - 2015 Global Threat Index
    - 2016 Threat Predictions
    - Facts & Figures
    - Potential Risks of Cyber-Attacks
    - 10 Cybersecurity Areas to Consider Auditing
    - Questions

  • Slide 3 (CrossCountry Confidential, 1/6/2016)

    What is Cybersecurity?

    Cybersecurity is the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access. - TechTarget.com

    Confidentiality: Protecting information from unauthorized disclosure

    Integrity: Protecting information from being modified by an unauthorized party

    Availability: Ensuring information is available to authorized parties when needed

  • Slide 4

    2015 Major Published Cybersecurity Incidents

    Q1
    - February: Anthem healthcare insurance firm databases hacked, containing 80 million customers' personal data
    - March: State Dept. is breached by Russian hackers and shuts down to remove malware

    Q2
    - June: Office of Personnel Management hearings occur as a result of 21.5 million names, addresses and social security numbers being hacked; some entire background checks were stolen.

    Q3
    - July: Fiat Chrysler remote hack vulnerability affecting transmission and steering (recalled 1.4 million vehicles)
    - July: The UCLA Health System discovered that hackers had access to 4.5 million patients' health records

    Q4
    - November: Hilton acknowledges that customers' credit card information was breached via malware on the point of sale system
    - November: Pearson VUE credential system was successfully targeted; law enforcement and forensics are still analyzing

  • Slide 5

    World Economic Forum 2015 Global Threat Index

    Technological (Purple):
    - Critical Information Infrastructure Breakdown
    - Cyber Attacks
    - Misuse of Technologies
    - Data Fraud or Theft

    Other:
    - Failure of critical infrastructure
    - Failure of Financial Institutions
    - Terrorist Attack

  • Slide 6

    Top Cybersecurity Risk Predictions for 2016

    - Internet of Things (IoT): Gartner predicts 21 billion online by 2020 (FitBits to Refrigerators, Cars to Thermostats)
    - Operational Technology (OT): systems that operationalize utilities, power systems, water, etc. are increasingly networked
    - Artificial Intelligence (AI): IT cognitive functions advancing in 2016; difficult to know human from computer communications
    - Insider Threat: Roughly 75% of IT professionals are most concerned about malicious or negligent employees, and the FBI and DHS agree
    - Cloud Provider Target: Increasing hacker targets beyond businesses and web servers
    - Mobile Malware: Malvertising, injecting malicious adverts into legitimate online advertising networks
    - eCommerce Banking: Google Wallet, ApplePay present new targets for hackers
    - Healthcare Provider Data: Children in particular are lucrative targets, given the long-range benefit to hackers of a lifetime of identity theft

  • Slide 7

    Facts & Figures

    - 73%: Americans who have fallen victim to cybercrime (GadgetsAndGizmos.org)
    - $3 trillion: the total global impact of cybercrime (ISACA)
    - 556 million: people who fall prey to cybercrime annually, resulting in more than 232 million identities exposed (FBI Cyber Crime)
    - 15 million: mobile devices (mostly Android) that are infected with malware (Alcatel-Lucent's Kindsight Security Labs)
    - 37.9%: US Web pages infected with malware (Inspired eLearning)
    - 600,000: Facebook accounts that are compromised each day (FBI Cyber Crime)
    - 38%: smartphone users who have been a victim of cybercrime (2013 Norton Report)
    - 1 in 5: mature organizations that do not have a cybersecurity framework (FINRA Cybersecurity Report, 2015)

  • Slide 8

    Potential Risks of Cyber-Attacks

    Major Risks include:
    - Loss of intellectual property
    - Breach of customer data privacy
    - Service and business interruptions
    - Damage to Information Technology infrastructure
    - Loss of brand value
    - Recovery and response costs
    - Loss of stock market value
    - Regulatory inquiries and litigation
    - Management distraction

  • Slide 9

    Top 10 Cybersecurity Audit Considerations for 2016

    1. Cybersecurity Framework
    2. Vulnerability Assessments
    3. Insider Threats
    4. 3rd Party Management
    5. Business Continuity & Disaster Recovery
    6. Data Governance
    7. Network Monitoring
    8. Cloud Security
    9. Mobile Security
    10. Security Awareness & Training

  • Slide 10

    The stories you are about to hear are mostly true

    Names have been changed to protect the innocent.

  • Slide 11

    1. Cybersecurity Framework

    What is it: A supportive cybersecurity structure that leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like National Institute of Standards and Technology (NIST) and the International Standardization Organization (ISO).

    Why you should care: Cybersecurity frameworks provide an assessment mechanism that enables organizations to determine their current cybersecurity capabilities, set individual goals for a target state, and establish a plan for improving and maintaining cybersecurity programs.

  • Slide 12

    Case Study: Cybersecurity Framework

    I thought having a cybersecurity framework would be a costly and time consuming process to adopt and implement. Things move so fast that we often don't have time to consider yet another set of processes. Instead, we sustained a major data breach in a business area that we didn't even realize was vulnerable, and the costs were exponentially higher than any framework would have been.

    Wellina Intentioned (CISO, Investment Group)

  • Slide 13

    Cybersecurity Framework Audit Considerations

    Stakeholder / Cybersecurity Framework Questions to Consider

    Board/Audit Committee:
    - What is the communication plan for cybersecurity issues and tone at the top?
    - What cybersecurity or risk framework governs the organization?

    Information Technology (IT):
    - What cybersecurity or risk framework governs IT activities related to IT assets and staff, policies and procedures?
    - How often are IT assets and documentation reviewed to ensure holistic risk assessment occurs related to a framework?

    CISO:
    - What cybersecurity or risk framework governs CISO activities related to IT assets and staff, policies and procedures?
    - How often are IT assets and documentation reviewed to ensure holistic risk assessment occurs related to a framework?

    Business Units:
    - When selecting new systems or tools, do you engage with a change control board?
    - What sort of approval is required to stand up new systems, tools or data types?

  • Slide 14

    Cybersecurity Framework Benefits & Considerations

    Benefits:
    - Reduces risk by identifying areas for improvement
    - Increases efficiencies and reduces the possibility of miscommunication within your information security program and with other organizations such as partners, suppliers, regulators, and auditors
    - Aids in a holistic view of organizational cybersecurity risk

    Considerations:
    - It's a framework, not a prescription
    - It provides a common language and systematic methodology for managing cyber risk
    - It does not tell a company how much cyber risk is tolerable
    - Having a common lexicon enables action across a diverse set of stakeholders

  • Slide 15

    2. Vulnerability Assessments

    What are they: A process that defines, identifies, and classifies the security vulnerabilities in a computer, network, or communications infrastructure. In addition, vulnerability assessments can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use. (http://searchmidmarketsecurity.techtarget.com/definition/vulnerability-analysis)

    Why you should care: Hackers can exploit vulnerabilities in your network and gain access to data. Common vulnerabilities are often widely known and easily exploited. Data breaches and other incidents are often crimes of opportunity, meaning hackers look for targets with specific vulnerabilities.

  • Slide 16

    Case Study: Vulnerability Assessments

    We didn't think we needed to perform monthly vulnerability assessments on all of our end user equipment; we have anti-virus and that should have caught all issues. We didn't realize that there were vulnerabilities that our anti-virus software couldn't detect, or that specialized tools existed to perform more in-depth security inspections.

    Ineda Clue (VP of IT, Non-Profit)

  • Slide 17

    Vulnerability Assessments Audit Considerations

    Stakeholders / Vulnerability Assessments Questions to Consider

    Board/Audit Committee:
    - Does your organization perform periodic vulnerability assessments?
    - Are you aware of any instances where vulnerabilities were exploited and adversely affected your organization?

    Information Technology (IT):
    - How often do you perform periodic vulnerability assessments?
    - Are assessments performed internally or by external vendors?
    - Is there separation of duties between system owners and assessment teams?
    - What mechanism are you using to keep track of open vulnerabilities?
    - Do the assessments consist only of vulnerability scanning or do they include detailed penetration testing?

    CISO:
    - Do you regularly review the results of vulnerability assessments?
    - Do the results of vulnerability assessments drive changes in security measures?
    - Is there separation of duties between the system owners and assessment teams?
    - How are tools selected, relative to IT environment and CISO objectives?

    Business Units:
    - Are you aware of any open vulnerabilities in any of the systems that you utilize?
    - Are you aware of any instances where vulnerabilities were exploited and adversely affected your group?

  • Slide 18

    Vulnerability Assessments Tools & Techniques

    - Network Security (Routers, Firewalls, OS and Patch). Tools: Tenable Nessus, Retina Security Scanner, Nmap, Wireshark; NIST & DoD Guides and Controls
    - Operating System (Windows, Unix, Linux, Mac OS). Tools: NIST & DoD Guides and Controls; various automated scripts; password crackers (John the Ripper, Brutus, Medusa)
    - Web Server (IIS, Apache, WebLogic, Web apps). Tools: WebInspect, AppScan; NIST & DoD Guides and Controls
    - Database (Oracle, MySQL, SQL). Tools: AppSentry, AppDetective; NIST & DoD Guides and Controls

  • Slide 19

    3. Insider Threats

    What is it: The risk that an internal user, maliciously or accidentally, performs an action that compromises the confidentiality, availability, and/or integrity of an organization's data.

    Why you should care: Since insiders inherently have easier access to data, losses resulting from insider threats are often more damaging than those posed by external parties.

  • Slide 20

    Case Study: Insider Threat

    A vengeful employee recently reset a large number of our servers to factory settings after he found out he was losing his job. We could not conduct normal business operations for about 30 days, resulting in lost revenue totaling more than $500,000.

    Losta Lottawork (CISO, Oil and Gas Industry)

  • Slide 21

    Insider Threats Audit Considerations

    Stakeholders / Insider Threats Questions to Consider

    Board/Audit Committee:
    - Have you been informed of the risks posed by Insider Threats?
    - Does your organization perform periodic security risk assessments with consideration of Insider Threats?

    Information Technology (IT):
    - Do you utilize data loss prevention tools?
    - Is logging and monitoring performed on accounts with elevated access?
    - Do you have a process for controlling access to removable media?
    - Do you limit administrative access based on job responsibilities?
    - Is data appropriately encrypted?

    CISO:
    - Have you established a mechanism for reporting security issues?
    - Have there been any security issues related to Insider Threats?
    - Are you aware of common threat actors for your industry?

    Business Units:
    - Is separation of duties enforced for key activities?
    - Do you perform background checks on new hires?
    - Are you aware of warning signs for disgruntled employees?
    - Do you have a mechanism to report concerns of insider threat warning signs?

  • Slide 22

    Insider Threat: Data Loss Prevention Tools

    - Data Loss Prevention (DLP) tools use automated means to detect and prevent data loss (offerings from Symantec, Intel, Websense, etc.)
    - They can assist in identifying where sensitive data is stored and/or prevent sensitive data from being transmitted via unauthorized means (e.g., email, thumb drive)
    - These tools are often used to comply with standards such as HIPAA, PCI-DSS, and HITECH
    - Tools can be perimeter-based or client-based
    - Installing these tools requires a balance of cost, system performance, and effectiveness

  • Slide 23

    4. 3rd Party Risk

    What is it: The potential risk that arises from institutions relying upon outside parties to perform services or activities on their behalf

    Why you should care: May reduce management's direct control and can present risks if not properly managed

    3rd Party Relationships (risk categories shown in the slide diagram): Reputation, Operational, Transaction, Credit, Compliance, Strategic, Other

  • Slide 24

    Case Study: 3rd Party Risk

    One of our outside service provider's employees had some of our client data on an iPad that was stolen, and now it looks like we're going to have to report this event to regulators in 40 countries. I hate to think what the impact of this is going to be.

    Ima Needajob (CISO, Media Company)

  • Slide 25

    3rd Party Risk Audit Considerations

    Stakeholders / 3rd Party Risk Questions to Consider

    Board:
    - How are vendors selected?
    - Who manages contracts, and how are cybersecurity considerations included in contract language in the event of data breach or loss?

    Information Technology (IT):
    - How often do you engage vendors?
    - How proactively are vendor system updates made?
    - How do vendors gain access to internal systems?
    - Who within IT reviews vendor systems for vulnerabilities?

    CISO:
    - Who are your vendors?
    - How well do you know and understand products and contracts?
    - What top risks are inherent to each vendor technology?
    - Who monitors these risks?

    Business Units:
    - Who are your vendors?
    - How well do you know and understand products and contracts?
    - Do you engage Board, IT and CISO when making vendor buying decisions?
    - What criteria are used in selecting vendors?
    - Are criteria set across business functions to ensure all requirements are met?

  • Slide 26

    Managing 3rd Party Risk: Best Practices

    - Develop an inventory of 3rd parties and classify them by potential risk
    - Define governance and ownership
    - Build Service Level Agreements (SLAs) to hold vendors accountable
    - Clearly define what data 3rd parties can and cannot access
    - Include audit rights clauses in contracts
    - Obtain and review independent service auditors' reports if applicable

  • Slide 27

    5. Business Continuity & Disaster Recovery

    What is it: The processes and procedures an organization puts in place to ensure that essential functions can continue during and after a disaster. The term Disaster Recovery is often associated with the recovery of IT Infrastructure.

    Why you should care: Without Business Continuity and Disaster Recovery plans, there is a risk that data could be unavailable and potentially irretrievable in the event of a disaster, disrupting or permanently damaging business operations.

  • Slide 28

    Case Study: Business Continuity Plan

    Our employees are competent, and I thought they would know what to do in an emergency. We did not have a Business Continuity Plan and the data center was flooded during Hurricane Sandy. It took us weeks to resume normal operations and a large amount of company data was unrecoverable.

    T Confident (CIO, Software Vendor)

  • Slide 29

    Business Continuity Audit Considerations

    Stakeholder / Business Continuity Questions to Consider

    Board/Audit Committee:
    - Is there an organization-wide Business Continuity program that involves the key business areas?
    - Have Business Continuity Plans been reviewed by management?

    Information Technology (IT):
    - Do you regularly test and update Business Continuity or Disaster Recovery plans?
    - Do you back up data to an offsite location, and have you tested the ability to restore from those backups?
    - Do you have an off-site location that could be used to host your organization's IT infrastructure?

    CISO:
    - How are security considerations integrated into the Business Continuity strategy?
    - Would the integrity and/or availability of your data be compromised in the event of a disaster?
    - What is the physical distance between primary and failover/backup location?

    Business Units:
    - Are you involved in the Business Continuity planning process?
    - Have you performed a business impact analysis (prioritization of business functions)?
    - Do you have a plan for resuming business in the event of a disaster?
    - Could your business functions resume without access to IT Infrastructure?
    - Do you have a chain of command or call list for use in a disaster?

  • Slide 30

    Creating a Business Continuity Plan

    1. Define the Scope
    2. Identify Critical Business Functions, Key Processes, and Dependencies
    3. Determine Acceptable Downtime for Business Functions
    4. Develop a Recovery Plan (or Plans)
    5. Periodically Test and Update the Plan(s)

  • Slide 31

    6. Data Governance

    What is it: Data governance is a framework of roles and responsibilities, decision-making models, and standards/processes governing the management and use of data. Data governance addresses:
    - Who can take what actions
    - With what types of data
    - At what times
    - Under what circumstances (e.g., processes, requirements)
    - For what intended purposes

    Why you should care: Data is everywhere and it is important to consistently prioritize, assess, and manage risk associated with data across an enterprise. Consistent definitions of data and how data can be used will help to ensure good data quality and a balance between securing data and using data as a valuable asset.

  • Slide 32

    Case Study: Lack of Data Governance

    We had inconsistent systems of record (SORs) and too many sources of data. We did not know where all of our data was located, and who had access to what, why or when. Additionally, historical data was determined to have been lost or disorganized during post merger or acquisition activities.

    Sam Dataman (CISO, Exploration & Production Company)

  • Slide 33

    Data Governance Audit Considerations

    Stakeholder / Data Governance Questions to Consider

    Board/Audit Committee:
    - Is there a clearly defined and communicated vision and objective for the Data Governance program?
    - How are the organization's strategic mission and business objectives aligned with Data Governance objectives?
    - Are there metrics to measure the success of Data Governance?
    - Has Data Ownership been clearly defined?

    Information Technology (IT):
    - Do automated tools facilitate Data Governance?
    - How do you ensure that Data Governance requirements and initiatives are supported by technology?
    - How do you assist business units with ensuring that third parties meet Data Governance requirements?

    CISO:
    - How do you collaborate with the Chief Privacy Officer?
    - Is security integrated into the Data Governance program?
    - Is Data Governance a driver for security?
    - Have Data Governance Roles and Responsibilities been clearly defined?

    Business Units:
    - Is it clear to your group what data you own?
    - Do you have retention policies for data in your group?
    - How do you communicate Data Governance requirements to third parties?

  • Slide 34

    Data Governance Best Practices

    Understand your data:
    - Who utilizes it (need to know, confidentiality, separation of duties)
    - What the data is (definition, integrity)
    - When it is required (availability)
    - Where it is located (System of Record (SOR))
    - Why it is needed (need to know, role based access, value of data and loss)

    Understand your risk:
    - Value of Data (Trade Secret, Loss, Corruption)
    - Sensitivity (Top Secret, Confidential, Public)

  • Slide 35

    7. Network Monitoring

    What is it: The use of a system that continuously monitors a computer network for slow or failing components and that notifies the network administrator (usually via alert, email or other notification mechanism) in case of outages. Commonly measured metrics are response time, availability and uptime. Network monitoring tools can also be used to identify and/or prevent network security issues.

    Why you should care: Network Monitoring can save money in network performance, employee productivity, and infrastructure cost overruns. 24x7 monitoring and knowledge of network health and status information is critical to many businesses. Additionally, information gleaned from this capability area provides valuable insights into attack vectors, threats and trends for further investigation.

  • Slide 36

    Case Study: Network Monitoring

    We didn't think our network was big enough to justify using Network Monitoring tools and staff. Our system administrators were not able to respond rapidly enough to proactively respond to system failures in real time. We lost two weeks of work. We are still working on establishing lost revenue and work productivity.

    Nat Werk (CISO, Financial Services)

  • Slide 37

    Network Monitoring Audit Considerations

    Stakeholder / Network Monitoring Questions to Consider

    Board/Audit Committee:
    - Are you aware of any network monitoring of IT assets?
    - Do you know how many times systems have failed or breaches have succeeded?
    - Are these activities outsourced to a 3rd party?

    Information Technology (IT):
    - What network monitoring tools do you use?
    - Do you utilize Intrusion Detection Systems and/or Intrusion Prevention Systems?
    - Have you established who will receive network alerts and defined an escalation protocol?
    - Is network monitoring holistic to the entire IT enterprise, or are aspects of systems segmented?

    CISO:
    - Are you made aware of issues identified through network monitoring?
    - How often do security and IT teams meet to discuss threats, trends and failures related to infrastructure and network monitoring?

    Business Units:
    - To what extent do you rely on the network to function?
    - Are you aware of any of your critical IT assets requiring 24x7 access?
    - What impact would result from system failure?
    - Are you aware of network monitoring occurring on any of your critical systems?

  • Slide 38

    Network Monitoring Best Practices

    - Baseline Network Behavior: Understand the normal network to tune alerts to anomalies
    - Escalation Matrix: Policies and procedures to escalate up the management chain
    - Report at Every Layer: Monitoring should occur at all layers of the OSI Model
    - Implement High Availability with Failover Options: Remove single points of failure, replicate to failover site
    - Configuration Management: Proactive planning and prevention of common network issues
    - Capacity Planning for Growth: Ensure network monitoring scales with IT as it expands
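    As an added illustration of the first two practices (baseline normal behavior, then route each alert through an escalation matrix), the Python script below is example code written for this page, not a tool from the presentation or from CrossCountry; the hosts, daily traffic volumes, sigma thresholds and escalation roles are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample input (not from the presentation): daily outbound traffic
# in megabytes per internal host over a one-week baseline window.
BASELINE_LOG = """\
2016-01-04 10.0.0.5 120
2016-01-04 10.0.0.9 40
2016-01-05 10.0.0.5 110
2016-01-05 10.0.0.9 42
2016-01-06 10.0.0.5 130
2016-01-06 10.0.0.9 39
2016-01-07 10.0.0.5 125
2016-01-07 10.0.0.9 41
2016-01-08 10.0.0.5 115
2016-01-08 10.0.0.9 40
"""

# Constructed observations for the day under review: one host is normal,
# one sends many times its usual volume, one has never been seen before.
TODAY_LOG = """\
2016-01-11 10.0.0.5 118
2016-01-11 10.0.0.9 900
2016-01-11 10.0.0.77 5
"""

# Hypothetical escalation matrix: severity -> who is notified. An organization
# would fill this in from its own escalation policy.
ESCALATION = {
    "high": "CISO and IT Director",
    "medium": "Network Operations Manager",
    "low": "NOC on-call analyst",
}


def parse_log(text):
    """Return (date, host, megabytes) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            records.append((parts[0], parts[1], float(parts[2])))
        except ValueError:
            continue
    return records


def build_baseline(records):
    """Per-host (mean, sigma) of daily volume: the 'normal' that alerts are tuned against."""
    per_host = {}
    for _, host, mb in records:
        per_host.setdefault(host, []).append(mb)
    baseline = {}
    for host, values in per_host.items():
        mu = mean(values)
        # Floor sigma at 10% of the mean (and at 1 MB) so a perfectly flat
        # history does not turn every small fluctuation into an alert.
        sigma = max(pstdev(values), 0.1 * mu, 1.0)
        baseline[host] = (mu, sigma)
    return baseline


def classify(host, mb, baseline):
    """Return (severity, reason) for one observation, or None if within normal range."""
    if host not in baseline:
        # A host with no history is itself an anomaly worth a look.
        return ("medium", "no baseline for host")
    mu, sigma = baseline[host]
    z = (mb - mu) / sigma
    reason = f"{mb:.0f} MB is {z:.1f} sigma above baseline mean {mu:.0f} MB"
    if z >= 5:
        return ("high", reason)
    if z >= 3:
        return ("medium", reason)
    if z >= 2:
        return ("low", reason)
    return None


def review_day(today, baseline):
    """Evaluate every observation and attach the contact from the escalation matrix."""
    alerts = []
    for _, host, mb in today:
        result = classify(host, mb, baseline)
        if result is None:
            continue
        severity, reason = result
        alerts.append({
            "host": host,
            "severity": severity,
            "reason": reason,
            "escalate_to": ESCALATION[severity],
        })
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse_log(BASELINE_LOG))
    for alert in review_day(parse_log(TODAY_LOG), base):
        print(alert)
```

    For an audit, the evidence of interest is the baseline window, the thresholds, and the escalation table itself, since those are what make "anomaly" and "who gets called" defined rather than left to an administrator's judgment.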

  • Slide 39

    8. Cloud Security

    What is it: A broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing.

    Why you should care: Cloud computing typically means that data will be hosted on external servers and databases, possibly in many physical locations and by multiple vendors. If any one of those servers or databases is not adequately protected, your data could be in jeopardy.

  • Slide 40

    Case Study: Cloud Security

    We consider ourselves a technically progressive company utilizing the latest Software as a Service (SaaS) applications. Unfortunately, an HR employee was able to transfer confidential employee files from our trusted, sanctioned cloud environment (Amazon Web Services) to her own unsanctioned cloud storage tool to work at home. We had to self-report to Legal Counsel that employee information had left the company's control, as we had no idea where else that confidential information could have been seen.

    Ava Pennysava (CISO, Software Vendor)

  • Slide 41

    Cloud Security Audit Considerations

    Stakeholder / Cloud Security Questions to Consider

    Board/Audit Committee:
    - Does your company have a policy governing usage of the cloud?
    - Does the company utilize private, public or a hybrid cloud environment?

    Information Technology (IT):
    - How prevalent is usage of cloud computing in your organization?
    - Are there plans to move assets or systems to the cloud?
    - Are any 3rd Party vendors cloud-based, or have backend systems supporting your organization that utilize the cloud?

    CISO:
    - How do you verify the security of data that is hosted in the cloud?
    - Do you obtain and review external audit reports, such as Service Organization Controls (SOC) Reports, for your cloud vendors?
    - Do you utilize a framework for managing risk related to cloud providers?

    Business Units:
    - Does your business use any software that is externally hosted?
    - Are you looking at any new systems or technologies that are cloud-based?
    - If you did decide to procure or contract cloud-based solutions, how would you request permission to implement the services?

  • Slide 42

    Cloud Security Best Practices

    - Learn what cloud applications are being used in the organization, including sanctioned (approved by business) and unsanctioned (personal or not approved)
    - Understand work and data flows and information being passed
    - Monitor cloud applications using commercial or custom tools
    - Understand security mechanisms available, including Identity Management, Role Based Access and Single Sign On
    - Ensure that policies and procedures are understood by the organization, and extend through the cloud environment

  • Slide 43

    9. Mobile Security

    What is it: A comprehensive set of policies, procedures, and infrastructure that manages the usage of mobile devices in a business setting. These devices include cell phones, tablets, and PDAs.

    Why you should care: Mobile devices are becoming increasingly prevalent, and bring your own device (BYOD) is becoming increasingly common as well. Mobile devices provide additional means of data loss, including additional attack points. Mobile security is a means to harness the increased productivity that comes with mobile devices, while minimizing the risk of their usage.

  • Slide 44

    Case Study: Mobile Security

    We implemented BYOD at the corporate offices at our firm. We then realized that while iPhones and other Apple devices are widely used throughout the organization, an iOS 9 password hack had been released. We no longer have confidence that our information or devices are secure. I worry at night that we have external threat actors alive and well in our internal infrastructure.

    Ivanna Fon (CISO, Health Care Provider)

  • Slide 45

    Mobile Security Audit Considerations

    Stakeholder / Mobile Security Questions to Consider

    Board/Audit Committee:
    - Does your organization have a policy for mobile device usage?
    - Do you use your mobile device to download work files?

    Information Technology (IT):
    - Are mobile devices controlled by enterprise-wide settings?
    - Have you implemented remote management software, including the ability to remotely wipe data and locate devices?
    - Is data on mobile devices encrypted?

    CISO:
    - Have you performed a mobile security review?
    - Do mobile devices require strong authentication mechanisms?
    - Do you allow employees to bring their own devices and if so, how are you managing the associated risk?

    Business Units:
    - Do your employees use mobile devices?
    - Is mobile device use in line with company policies?

  • Slide 46

    Mobile Security: Managing BYOD

    - Develop a BYOD policy with input across the business
    - Be sure to clearly define what the organization has control over and what it doesn't
    - Define what devices can be used by employees
    - Require employees to sign an acceptable use policy
    - Consider using tools that help to manage the risk of BYOD; these can enable remote-wipe and device tracking
    - Put extra focus on upper-management and executives' devices, as they have more access to sensitive data

  • Slide 47

    10. Security Awareness & Training

    What is it: Security Awareness & Training is a formal process for educating employees about various important security risks.

    Why you should care: Employee and contractor behavior is a major source of costly data breaches. An effective security awareness training program decreases the likelihood of a number of common vulnerabilities.

  • Slide 48

    Case Study: Security Awareness & Training

    Russian hackers gained access to the White House by way of a phishing email. White House staff declined an optional 90-minute training session on online security offered in advance of the attack.

    Skip DTraining (CISO, Federal Government)

  • Slide 49

    Security Awareness & Training Audit Considerations

    Internal Audit Interest Area / Security Awareness & Training Questions to Consider

    Board/Audit Committee:
    - Have you received Security Training?
    - Is there an organization-wide approach to Security Awareness & Training?

    Information Technology (IT):
    - Are employees required to periodically participate in Security Training?
    - Are you involved in developing the content of Security Training?

    CISO:
    - Have you established a Security Awareness & Training program?
    - Are roles and responsibilities defined for Security Awareness & Training?
    - Do you raise security awareness through periodic reminders to employees?
    - Is there a mechanism for reporting security issues?
    - Is Security Training content periodically reviewed and refreshed to confirm that it is relevant?

    Business Units:
    - Are employees required to periodically participate in Security Training?
    - Do your employees know what to do in the event of a security incident?

  • Slide 50

    Security Awareness & Training: Phishing

    Security Awareness & Training is a preventative measure for Phishing, Spear Phishing, and Whaling.

    - Phishing is a type of fraud where the attacker masquerades as a reputable entity via email or other communication method in order to gain sensitive information such as login credentials
    - Spear-Phishing targets a specific individual
    - Whaling targets a high profile target such as a CEO or high-ranking politician
    - Vishing, also called Voice Phishing, refers to Phishing performed over a phone

  • Slide 51

    Questions

  • Slide 52

    Contact Information

    Cameron Over, CISSP, Director, CrossCountry, [email protected], 703-899-6486

    Zach Walker, CISSP, CISA, CPA, Managing Consultant, CrossCountry, [email protected], 410-610-8194