
Risky business: internal audit teams up with the audit committee to tackle IT security needs.


EXECUTIVE SUMMARY

* CPAs ACKNOWLEDGE THE IMPORTANCE of being proactive on IT security issues but often find it difficult getting corporate boards and audit committees to realize IT security protection requires ongoing, consistent investment in talent and technology.

* THOSE WHO PERFORM IT AUDITING must report their risk management concerns to boards in a framework they can understand--cost/benefit analyses, for instance, or concrete comparisons of IT risks with physical or market risks.

* COMPANIES HAVE CRITICAL INFORMATION assets consisting of customer files and transactions, strategic business plans and marketing strategies, budgets and other financial information. Internal auditors can help management determine how much information security is enough and who should manage it.

* INTERNAL AUDITORS CAN DESIGNATE someone to be responsible for managing information security within an organization, with audit committee oversight. For companies that do not have a chief information officer, avoid having IT security become everyone's concern, with no one in charge.

* AS WITH MANY AUDIT ISSUES, preventing security breaches is more important than fixing the problem after it's happened. One way to make risks real to boards is to conduct penetration tests of IT systems.

It's no secret why audit committees are examining their information technology systems and security risks for their companies: They have no choice. Amid more frequent virus and hacker attacks and concerns about cyberterrorism, boards are diligently gathering information on the subject.

"Audit committees are beginning to see IT security as a challenge they can't ignore," says Stephen Head, CPA, senior security consultant in the enterprise security practice group of Royal & Sun Alliance Inc., Charlotte, North Carolina. Now is a perfect time for internal auditors to identify information risks and get board approval to protect their company's financial viability by ensuring appropriate, cost-effective IT security controls are in place and working.

"Boards want CPAs to be able to advise them on real and potential cybersecurity risks and what the best practices are for handling them," says Head, who is also vice-president of the Information Systems Audit and Control Association (ISACA) in Rolling Meadows, Illinois, and serves on the AICPA information technology executive committee (see "Get Your Internal Controls Up and Running," page 68). Internal auditors can learn from the following "best practice" examples of how their counterparts addressed IT risk management at AT&T Corp., the Williams Cos., J.C. Penney Co. and Comdisco Inc.

TIP 1: CONVINCE THE BOARD TO SPEND WHERE IT COUNTS

CPAs in internal audit acknowledge the importance of "stepping up to the plate" on IT security issues to assure protection of information. But they often find it difficult getting corporate boards to realize IT security requires ongoing, consistent investment in talent and technology. Mark Eckman, CPA, financial director at AT&T in Morristown, New Jersey, observes companies reap many benefits from having e-commerce strategies and a workforce using efficient technologies, but their board members need to understand those benefits come at a price. "One of the unrecognized costs of technology is the one associated with maintaining adequate controls for IT systems. It's crucial to allocate costs to have employees with the necessary skill sets in both IT and internal audit departments to manage these controls effectively," says Eckman.

To obtain adequate resources for risk management, internal auditors must report their concerns to boards in a framework they can understand--cost/benefit analyses, for instance, or concrete comparisons of IT risks with physical or market risks. "Boards have got to understand that technology is a strategic initiative. The price includes controls and a commitment to continual employee training to keep the controls adequate and ahead of any potential threat," Eckman says. One way to get the audit committee's attention, he says, is to examine the significance of the issue and assign a dollar value to it. The danger in quantifying various risks, however, is that it may focus the audit committee's attention on the obvious costs while missing the bigger picture, where risks are less quantifiable. Eckman notes it is very difficult to do a cost/benefit analysis of unknown risks, even though it's a necessary component of efficient risk mitigation. "But in the end you're asking what's the exposure, who's affected by it, and at what cost," he says.

Eckman believes IT risks differ little from more conventional risks such as shoplifting losses at a retail store--although with IT the potential for extraordinary damage to the bottom line, customer loyalty and shareholder value is exponentially greater. "Retailers want to minimize shoplifting. They hire security guards and put electronic tags on items," he says. "But those same companies don't think about how to prevent someone from stealing their products or trade secrets or other online information." Eckman points out a key difference between these two types of "stealing": In the physical world, "shoplifting is just shoplifting," he says, with potential exposures easily estimated, understood and managed. "In the IT environment, there's a new security threat every day. We don't know what the next threat is going to be."

Bruce Adamec, CPA, president of creativeAssurance, an internal audit consulting firm in Chicago and former general auditor of Ameritech, agrees with Eckman: "One of the challenges of managing risks is convincing a company's decision makers to spend a lot of resources to protect their assets. Management doesn't necessarily understand the importance of this, but where there's poor IT security and no (or inadequate) auditing of it, someone can bring a company or an entire industry to its knees." Ironically, the demands of Y2K provided a wake-up call to companies regarding the importance of IT infrastructure. "Many people thought Y2K was a sham because so much money was spent on it and nothing happened," says Larry Baye, a principal for IT consulting at Grant Thornton in New York. "Perhaps nothing happened because businesses spent all that money."

Many CPA firms provide tools to help companies address their IT risk management issues. For example, PricewaterhouseCoopers (PWC), concerned that companies get preoccupied by single IT catastrophes and events instead of looking at a bigger picture, designed a program called ORCA (objectives, risks, controls, alignment) that examines technology and security from the top down. "The model helps companies determine what risks to focus on and what risks will impede or support meeting business objectives," says Sean Ballington, CA, of PWC in Washington, D.C.

TIP 2: PRACTICE PREVENTION

Security breaches to company systems can come from sources both internal, such as employees, and external, such as e-mail viruses. After the terrorist attacks of September 11, companies started paying more attention to all kinds of security issues, particularly the reliability and integrity of their information systems and internal controls.

Unfortunately, internal auditors and IT security specialists say, some senior executives and board members look at these issues reactively rather than proactively--which makes it harder for IT risk management to be an ongoing and effective corporate governance tool. Where audit committees are responsible for information security oversight, they assess the steps management and auditors have taken to address risks. For example, both internal auditors and the audit committee at Williams in Tulsa, Oklahoma, a large-volume transporter of natural gas, take a proactive approach: "As recently as last year we were providing risk management updates (to the audit committee) on an annual basis, whereas now they want it twice a year or more," says Kathryn Schooley, CPA, general auditor. "That's significant when you consider audit committees meet only four times a year."

As with many audit issues, preventing security breaches is more important than fixing the problem after it's happened. "Yet, it's much more difficult to value prevention costs and get management to allocate the expenditure for a potential problem," says Schooley. "The challenge is getting management and the board to recognize IT risks on a par with financial risks and business opportunities." Questions auditors should pose to the board include: What events will effective IT security prevent, and what would those events cost the company if unmitigated? And what is the likelihood of those events occurring?

"One way to make the risks more real is to conduct penetration tests of the IT systems," Schooley says. "Sharing confirmed vulnerabilities with the audit committee is the preferred way of making IT security risk more concrete." Due diligence is a concept that appeals to boards, of course. "Members of audit committees are very conscientious when it comes to fulfilling their responsibilities," notes Schooley. "The expectations and standards surrounding IT security are becoming better known since September 11. As they do, audit committees, particularly those at companies in critical infrastructure industries such as energy, will look to those standards to help them perform their fiduciary responsibilities."

As with most important business decisions, different people in a company may have alternative solutions for protecting the organization's information assets, making it more complicated to get everyone on the same security wavelength (see "CPAs and Online Confidence," page 70). "IT risk management is not a one-recipe, one-time thing. And it's not really a technology issue; it's a senior management issue. It's a continual cycle of events," says Carol Langelier, CPA, assistant director, information security issues, the General Accounting Office, Washington, D.C.

TIP 3: MAKE SURE ASSETS ARE SECURE

Companies' critical information assets consist of customer files and transactions, strategic business plans and marketing strategies, budgets and other financial information. Internal auditors can help management determine how to secure these critical assets. Before implementing an IT system, says Kenneth Askelson, CPA, IT audit manager for J.C. Penney, based in Plano, Texas, IT audit staff in conjunction with other key departments must perform the following tasks: Evaluate business risks and exposure and present them to management, ensure available vendor solutions are compatible with the company's existing software, determine costs involved to buy, implement and upgrade the software, identify training and staff commitments and assess existing controls including firewalls, routers, virus scanning, network logs and incident response plans.

While there is no magic solution for handling IT risks, Askelson recommends internal audit take these steps:

* Identify critical information assets of the business. In order to get the right input, create a cross-functional team including employees from areas such as risk management, systems, legal, finance, security and internal audit.

* Have insurance providers and external CPA valuators perform risk assessments to determine costs to protect those assets.

* Designate someone to be responsible and accountable for managing information security within the organization, with audit committee oversight. For companies that do not have a chief information officer, avoid a situation where IT security becomes the concern of everyone, with no one in charge.

* Assign IT audit staff to review the policies and procedures for information security that systems professionals develop prior to their implementation.

* Provide training and awareness programs for employees. This can be done through ongoing Web-based training and internal and external programs.

* Update the audit committee on initiatives dealing with security and privacy of critical business information. The heads of internal audit and of systems security must get the topic on the audit committee meeting agenda with time allotted for presentation and discussion.

* Provide for independent reviews and assessments by internal or external auditors. Internally, the audit department, particularly in larger companies, will do continuous security checks. Outside consultants can perform certain other tests, such as a network penetration study, to see how well the controls work.

TIP 4: EDUCATE EVERYONE

Audit committees need assurances that auditors have the resources to evaluate IT security and management's responses to risks. A board member and internal audit and IT staffs cooperated to address IT risks at Comdisco, an equipment-leasing company in Rosemont, Illinois.

The chairperson of Comdisco's audit committee, Carolyn Murphy, attended a seminar on information security held by the Critical Infrastructure Assurance Office (CIAO), a committee--established by former president Bill Clinton--whose co-sponsors included the AICPA, the Institute of Internal Auditors (IIA) and the National Association of Corporate Directors. After Murphy attended the seminar, and with the support of the company's audit committee, its internal audit and IT departments and the IIA, Comdisco held a corporate forum on IT security which featured a discussion of best practices. Here are some examples:

* Security awareness. Make sure IT security is on the radar screen for management and audit committees. Evaluate employee knowledge of policies and standards. Determine whether IT risks are assessed regularly and adequately.

* Security procedures. Implement a process to control and document who requests access to information technology, who can approve, revoke and change access and how any "incident" is handled.

* Security authentication. Tie rules to specific individuals and ensure privileges are not excessive. Control the number of people who can access systems.

* Security IDs. Assign them to individuals rather than to groups or departments. Have the ability to revoke IDs instantly. Install systems that allow encryption and transmission of files.

* Security passwords. Consider their length and complexity and the number of passwords needed to gain access. Evaluate how frequently passwords should be changed.

Executives from all of Comdisco's businesses (leasing, availability services, other technology services) served on the best practices panel and responded to a questionnaire on the adequacy of the company's information security, who specifically was responsible for it, and what concerns they might have. The upshot of that meeting was that Comdisco created an information protection group consisting of internal audit, IT and other executives which now issues a biweekly bulletin on IT security sent electronically to all employees. "The bulletin has been well received," says Myles Crane, Comdisco's director of internal audit and a certified internal auditor. "We have addressed securing laptops after business hours, password construction and usage, junk e-mail and virus hoaxes," says Crane, who also heads IT security audit, makes a presentation to the audit committee on the subject at every audit committee meeting and has a CPA on his staff specializing in this area. "I believe internal audit should be a catalyst in educating management about IT security risks."

Managing IT risks requires companies to conduct continuous reevaluation and review. The internal auditor's role is to help the company design a cost-effective solution for ensuring the security and privacy of critical assets. By using the CPA's usual control and auditing skills, organizations can strengthen their information security, reduce technology risks and set up an ongoing, company-wide dialogue to build and operate systems with effective controls.

Internal Audit and Organizational Risks

In a survey of CFOs, chief audit executives, corporate counsel and chief risk officers from different industries, 90% said the internal audit department conducted risk-based audits at the business unit level, and more than 30% said internal auditors performed companywide risk management assessments.

Source: "Enterprise Risk Management: Trends and Emerging Practices," 2001 study by the Institute of Internal Auditors Research Foundation and Tillinghast-Towers Perrin, www.theiia.org

Get Your Internal Controls Up and Running

Security consultants often come into a company after something bad happens: a hacker breaks in, an employee is suspected of stealing intellectual property, accounting systems fail to keep track of receivables. When these "security cops" analyze what led to the security breaches, they frequently find common threads: No one equipped a server with security patches after the manufacturer released them, no one checked the background of an employee who had a prior history of problems or installers did not configure a firewall properly. If the company's internal controls had been working, many of these situations would not have occurred.

Most companies already have staff who are experts in internal control design and monitoring--the internal auditors, who can play a vital role in helping to prevent high-tech disasters. Internal auditors will ultimately be involved when a crisis occurs and can use their financial control skills in the planning process to establish who is responsible for and what the responses are to IT security risks.

Here are some items for an internal audit checklist to help companies avoid IT system problems:

* Install and maintain security patches. Vendors such as Microsoft and others regularly issue patches to fix newly discovered security problems called "holes" in software already in use. Hackers distribute the code needed to attack the system by passing through the hole. The patch code closes the hole and protects the system from attack. An internal auditor should be responsible for ensuring that IT is aware of any new patches issued and installs them promptly.

* Do background checks. Are new employees trustworthy? Kroll Information Security Group investigated a technology employee who was stealing laptop computers, printers and thousands of dollars worth of other hardware from his employer. The investigators caught him red-handed and then learned worse news: His former employer had dismissed him for theft. Internal audit can design control and audit features for human resources personnel to assure procedures are followed--for example, something as simple as matching up new hires with credit histories from a background checking service.

* Use simple technology. If there is not enough staff to support a complex firewall, install a simple one. Vendors can implement effective firewalls either in hardware or in software that provide great protection with little maintenance. (See "Remote--But Connected," JofA, Mar. 02, page 63.) Early in the planning process, internal audit can insist on sticking with the simplest solutions.

* Monitor the Internet. Organizations should discover themselves that information on the Internet about them is either untrue, defamatory or represents an unauthorized release of confidential data, rather than learning about it from shareholders or journalists. Sometimes IT support finds simple search engines such as Northern Light, Altavista or Google are all it needs to review what's being said online about the company. Large organizations can engage a monitoring service to track a site; searches should include names of executives and brand names.

* Monitor your network. Network security has become a tremendous issue for most companies. Monitoring computer use logs, network logs, firewall logs, intrusion-detection-system logs and similar data sources requires a lot of work to identify significant events. If the network operates on a 24/7 basis, it may be necessary to oversee the security and interpret alerts continuously. If an employee cannot realistically do this job, internal audit can recommend the use of an outside monitoring service.

* Install appropriate user identification systems. Authenticate the people who have access to systems either on-site or remotely. At the very least employees should select passwords to computer systems that are hard to guess and change them regularly. If a password is not enough protection, IT staff should choose stronger techniques such as tokens (which range from devices plugged into the computer's USB port to credit-card-sized units that display passwords that change every minute) or biometrics. For companies requiring more sophisticated ID systems, fingerprint readers and iris scanners are becoming more practical and less expensive.

* Account for invisible people. Many companies require employees to sign a confidentiality/nondisclosure/computer-use agreement. But some with network access may not sign one, such as nonemployees with only occasional access to their system, temporary workers, vendors or contracted personnel. Companies should make sure they sign. Another "invisible person" is the ex-employee whose access was not terminated promptly. Strong controls must assure IT knows when someone is leaving, so it can cut off that person's access immediately and make sure he or she doesn't have additional ways of getting into the system (for example, through another account or by using someone else's password).

* Watch data backups. A backup tape represents potential danger; it can contain confidential files in a form easily reloaded onto another computer. Employees should be particularly wary of what happens to the backup tapes when new ones are created and not throw them into a box of tapes to reuse. Until tapes are erased, they contain sensitive data and should be protected and inventoried.

* Clear out long memories. Files deleted long ago can still linger on the hard drive. When computers that processed confidential company or customer information are going out for repair, being returned to the leasing company at the end of the lease or being given to charity, it is not hard to unerase files. Internal audit should assure every computer going out the door, for whatever reason, is cleared of confidential information.

--Alan E. Brill, senior managing director, Kroll Information Security Group, New York, www.krollworldwide.com.

CPAs and Online Confidence

CPAs offer IT security consulting to companies--especially to those that don't have the budgets to hire technology staff. To attest to the validity of financial data, CPAs must look at everything that supports this information, including the existing systems and networks and the design, construction and implementation of new systems.

In some cases auditors decide to pursue another professional designation--certified information technology professional (CITP). There are several ways to earn the CITP designation, involving a 100-point system (see "IT Credential to Help CPAs Make Business Sense Out of Technology," JofA, July00, page 95). Another way CPAs can offer independent verification of system integrity is through these AICPA services: a WebTrust review (see www.cpawebtrust.org), which identifies and helps reduce e-commerce business risks, and the SysTrust engagement, an evaluation of system reliability against specific criteria and principles (see www.aicpa.org/assurance/systrust).

In 2001 the AICPA updated Statement on Auditing Standards no. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls in a Financial Statement Audit, strengthening procedures for auditing internal controls.

Professional associations have jumped into the IT security auditing arena in a variety of ways. For more information see the Institute of Internal Auditors at www.theiia.org and the Information Systems Audit and Control Association at www.isaca.org.

LAWRENCE RICHTER QUINN is a financial writer who lives in Chicago. His e-mail address is larry_quinn1@hotmail.com
COPYRIGHT 2002 American Institute of CPA's
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.


Article Details
Title Annotation:information technology
Author:Quinn, Lawrence Richter
Publication:Journal of Accountancy
Geographic Code:1USA
Date:Jun 1, 2002
Words:3586