I. Overview of General Motors and compliance audits

An IT audit is the examination and evaluation of a company's IT infrastructure, policies, management and operations. Companies perform these audits to determine whether their IT controls protect the company's assets, uphold the integrity of its data, and are in line with the objectives that have been set. General Motors (GM) is an American corporation that designs, manufactures, markets and distributes vehicles and vehicle parts in the United States and around the world. The company was founded in 1908 and has its headquarters in Detroit, Michigan (GM website). Hit hard by the 2008 global financial crisis, GM filed for a government-backed Chapter 11 reorganization in June 2009.
After reorganization the company emerged as a new entity, General Motors Company (the "new GM"), and followed this with a highly successful IPO in 2010. Since then GM has enjoyed a good financial run as it continues operations in 37 countries with brands such as Buick, Vauxhall and Ravon. GM is keen on delivering quality vehicles and vehicle parts to its customers, and achieves this through extensive testing and research so that only vehicles of the highest quality are cleared for release onto the general market.
To demonstrate its commitment to quality, GM hired Jeffery Taylor as its Chief Compliance Officer, with the role of strengthening its legal arm. The CCO also spearheads a compliance program to ascertain total commitment to integrity and to company policies, including the IT pillar that streamlines the flow of operations within the company (Stoll, 2015). Just as a financial audit is mandatory, so is an IT infrastructure audit. GM employees are well aware of the importance of upholding the integrity of company information and of keeping it from falling into the hands of competitors through espionage, blackmail or outright bribery.
The IT infrastructure audit would cover all branches, as each branch contributes to the overall success of the company. The objectives of the audit are to check compliance with ISO/TS 16949:2009, the automotive quality management standard that guides operations. The audit would also look into electronic communication channels such as Electronic Data Interchange (EDI) to ensure the accuracy of company records. The information life cycle is another area that needs attention, as failure to comply can expose GM to lawsuits (GM, 2016). For instance, if an employee had unauthorized access to sensitive data pertaining to a lawsuit, they could destroy, conceal, falsify or alter those records and the company would find itself in legal jeopardy. This audit would be done twice a year by an external audit firm; the results would be presented to top-tier management and later disseminated to all employees through the company's intranet.

II. Critical requirements of the audit

IT auditing evaluates the controls around information with respect to availability, integrity and confidentiality. Given the magnitude and implications of an IT audit for a multinational like GM, it is imperative that the company makes available the resources needed for a successful IT infrastructure audit. IT audits are knowledge intensive, as the auditor must be trained on the particular processes that the company uses. For example, GM has used business software such as Oracle and SAP to help manage the Shop-Click-Drive platform that enables customers to buy vehicles online (Bennett, 2015). By 2015 the company had also ended its outsourcing contracts with Hewlett-Packard and set up an in-house IT department of around 8,000 employees focused on developing custom, internally built software; this move transformed operations and opened up new sources of sales revenue such as online shoppers. For a successful IT audit, the company would have to give the auditors unrestricted access to its growing staff of engineers so that checks can be performed on a sample selected by random sampling. The audit process would also require detailed records of the current IT policy for benchmarking against what is actually being done.

III. Privacy laws that apply to the organization

GM's privacy obligations extend to a wide network of stakeholders consisting of its employees, shareholders, suppliers, GM-affiliated companies and, most importantly, its customers. Integrity in handling clients' information is paramount to the success of the company. Before investing in a robust CRM system, GM faced a myriad of challenges with its paper-based certification program, which was riddled with corruption and inefficiency: clients' information would be recorded inaccurately or get lost in piles of paperwork (Hines, 2002). Holden, a GM subsidiary based in Australia, has published the circumstances under which the company may use consumers' personal data, subject to the applicable laws and regulations.
For example, the company may use contact information to reach a customer in the event of a safety-related product recall, or for any other purpose to which the customer has consented (GM Holden, 2016). GM employees who interact with customer records need to adhere to these privacy rules, since infringing them would alienate customers; one such infringement would be upselling company products by email or phone to people who have previously opted out. Social media is another murky area to which companies with a wide geographical reach must pay attention.
In November 2013, GM released a Global Social Media Policy to prevent accidental or deliberate disclosure of the company's confidential and proprietary information through social media platforms. The policy also establishes the parameters for official or personal social media communications made by GM staff or representatives, so that such communications are not misconstrued as the company's position (GM website). The Chief Compliance Officer, working in tandem with the HR department, is responsible for ensuring that employees uphold these privacy rules and for taking disciplinary action against employees who repeatedly fail to do so.
IV. Plan for assessing IT security

To remain competitive in the cutthroat business environment of the 21st century, companies must invest resources in support departments like IT instead of diverting all effort to boosting the bottom line. Neglecting this has proven costly to corporations like Apple, which have suffered cyber attacks instigated by competitors or by other entities. The plan for assessing IT security entails risk management with a special focus on cyber security. The first step is to identify all information assets that the company handles.
These could be human resource data, customers' credit card numbers, design sketches, and so on. The next step is to locate where these assets are stored: on the intranet, on workstations, on removable media, or in CRM databases (News Report, 2010). Classify each information asset on a 1-5 scale depending on its sensitivity and use, then rate the potential threats that could harm each asset. Microsoft's STRIDE model (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) gives a convenient set of threat categories for this rating. The final step is to compute the threat level by multiplying each threat rating in the worksheet by the classification rating recorded for the corresponding asset. The result of this exercise is a ranked list of the threats facing the company together with a list of possible contingencies, and management can start tackling the threats that registered the highest scores.
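The worksheet procedure above (classify each asset 1-5, rate each STRIDE category 1-5, multiply, rank) carried through in code, as an added example that is not part of the original text and not GM material. The assets, storage locations, classifications and ratings are constructed sample values; the countermeasure per STRIDE category is the standard pairing of each threat with the security property it attacks.

```python
"""STRIDE risk worksheet: asset classification x threat rating, ranked.

Added illustration of the worksheet procedure described above; not code
or data from the original text and not GM material. The assets, storage
locations, classifications and threat ratings are constructed samples.
"""
from dataclasses import dataclass

STRIDE = (
    "Spoofing", "Tampering", "Repudiation",
    "Information disclosure", "Denial of service", "Elevation of privilege",
)

# Security property each STRIDE category attacks, which is also the kind of
# control that counters it (the standard STRIDE pairing).
COUNTERMEASURE = {
    "Spoofing": "authentication",
    "Tampering": "integrity protection",
    "Repudiation": "non-repudiation (audit logging)",
    "Information disclosure": "confidentiality (encryption, access control)",
    "Denial of service": "availability (redundancy, rate limiting)",
    "Elevation of privilege": "authorization",
}


@dataclass
class Asset:
    name: str
    location: str          # where it is stored: CRM database, workstation, removable media ...
    classification: int    # 1 (public) .. 5 (most sensitive)
    threats: dict          # STRIDE category -> rating 1..5 as judged in the worksheet

    def __post_init__(self):
        # Reject out-of-range cells up front; a typo such as 50 instead of 5
        # would otherwise dominate the ranking unnoticed.
        if not 1 <= self.classification <= 5:
            raise ValueError(f"{self.name}: classification must be 1..5")
        unknown = set(self.threats) - set(STRIDE)
        if unknown:
            raise ValueError(f"{self.name}: unknown threat categories {sorted(unknown)}")
        for cat, rating in self.threats.items():
            if not 1 <= rating <= 5:
                raise ValueError(f"{self.name}/{cat}: rating must be 1..5")


def score_cells(assets):
    """(score, asset name, category) for every worksheet cell, highest first.
    Score = classification x threat rating. Categories left blank count as 0
    so they sort to the bottom instead of silently disappearing."""
    rows = []
    for a in assets:
        for cat in STRIDE:
            rows.append((a.classification * a.threats.get(cat, 0), a.name, cat))
    rows.sort(key=lambda r: (-r[0], r[1], r[2]))
    return rows


def asset_totals(assets):
    """Aggregate risk per asset: the sum of its scored cells."""
    return {a.name: sum(a.classification * r for r in a.threats.values())
            for a in assets}


def contingencies(assets, threshold):
    """(asset, category, countermeasure) for every cell scoring >= threshold:
    the list of contingencies management works through first."""
    return [(name, cat, COUNTERMEASURE[cat])
            for score, name, cat in score_cells(assets) if score >= threshold]


# Constructed sample worksheet (not real GM assets or ratings).
SAMPLE_ASSETS = [
    Asset("Customer card numbers", "CRM database", 5,
          {"Spoofing": 4, "Tampering": 3, "Repudiation": 2,
           "Information disclosure": 5, "Denial of service": 2,
           "Elevation of privilege": 4}),
    Asset("Vehicle design sketches", "engineering workstations", 4,
          {"Spoofing": 2, "Tampering": 2, "Repudiation": 1,
           "Information disclosure": 4, "Denial of service": 1,
           "Elevation of privilege": 2}),
    Asset("HR records", "HR system", 4,
          {"Spoofing": 3, "Tampering": 3, "Repudiation": 2,
           "Information disclosure": 4, "Denial of service": 1,
           "Elevation of privilege": 3}),
    Asset("Marketing brochures", "public web server", 1,
          {"Spoofing": 1, "Tampering": 3, "Repudiation": 1,
           "Information disclosure": 1, "Denial of service": 2,
           "Elevation of privilege": 1}),
]

if __name__ == "__main__":
    for score, name, cat in score_cells(SAMPLE_ASSETS)[:6]:
        print(f"{score:3d}  {name:26s}  {cat}")
    for name, total in sorted(asset_totals(SAMPLE_ASSETS).items(), key=lambda kv: -kv[1]):
        print(f"{total:4d}  {name}")
```

With these sample ratings the top cell is the card numbers under Information disclosure (5 x 5 = 25), so the first contingency management would fund is confidentiality protection for the CRM database. The per-asset totals give a second, coarser view: the card data outranks the HR records even though both are rated 4 or 5 for disclosure, because the classification multiplies every cell in the row.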
Threat analysis helps a company like GM decide how best to allocate resources to protecting its IT infrastructure. The first step is to identify the problems that may arise. In this case, GM stands a chance of being hit with credit card fraud if identity thieves penetrate its CRM database and gain access to the credit card information of clients who use the Shop-Click-Drive platform.
The next step is to characterize the threat and develop threat profiles. The company would draw on past experience of payment fraud to anticipate who, and what type of culprit, would be expected to commit this crime. Next, the company would identify a generic attack path that the adversary would use to commit the crime. The risk auditor would then identify activities leading up to the threat, to give early warning of a pending attack (Duggan and Michalski, 2007). For instance, the auditor may find files missing from the CRM, or signs of unauthorized access by staff or by an external entity. The final step in creating a threat analysis framework is finding the best strategies for mitigating the identified threat, and ways to reduce the overall impact should the culprit find other loopholes through which to carry out the crime. The goal of vulnerability analysis is to analyse how seriously and how extensively a specific incident would affect the organization. Vulnerability analysis differs from risk analysis in that the former compares several scenarios to identify vulnerabilities in more detail, whereas risk analysis is narrower in scope (Swedish Civil Contingencies Agency, 2012).
Risk assessment involves refining the descriptions of the risk scenarios GM would face and assessing how probable it is that each would occur. For instance, cyber crimes such as phishing, identity theft, electronic payment fraud and financial scams are some of the threats to which GM could be prone. Risk analysis aims to answer three questions: what could happen? How likely is it? What are the consequences? (Swedish Civil Contingencies Agency, 2012).

V. Obtaining information, documentation and resources

The external audit firm would obtain information from the relevant leaders in the company. The head of IT would provide the bulk of the information, given the nature of the audit. The Chief Compliance Officer would also provide the policy documents to be used as the benchmark for the infrastructure audit. Interviewing a select group of employees would also help in measuring their awareness and comprehension of the IT policies used by GM.
When it comes to identifying threats to the integrity of data, the legal department can share discovery documents from past cases the company has litigated. The audit firm can also draw on its experience with similar clients, as long as it does not disclose information covered by non-disclosure agreements (NDAs) with previous or current clients.

VI. How the 7 domains align with the organization

a. User domain
This domain defines the set of people who have access to GM's information system. Note that being an employee, whether full time or part time, does not automatically qualify one for access to the company's IS. Conversely, the company is free to grant access to non-employees, for instance people from key accounts who need constant access to particular data on GM's intranet.

b. Workstation domain
This refers to the devices used to connect to the company's IT infrastructure. According to Glassdoor.com, one of the many perks accorded to GM employees is a mobile phone discount, and these phones can be used to access the company's IT system (Glassdoor). Other devices include laptops, desktop computers and tablets.

c. LAN domain
A Local Area Network (LAN) is a collection of computers connected to one another within a single site such as a workplace. The connections run over media such as copper cabling, radio (Wi-Fi) or fiber optic cable routed along the walls or beneath workstations (Duc, 2012).

d. WAN domain
A Wide Area Network (WAN) connects remote locations, such as off-site offices, to the main branch in the city. The WAN domain includes dedicated internet access and managed services delivered through routers or Wi-Fi hotspots. The latter are popular in technology hubs in the Global South, where internet access is primarily through data bundles on mobile phones; these hubs provide open spaces where people can access the internet on their laptops and other devices either for free or for a small fee (iHub Nairobi, 2016).
e. LAN-to-WAN domain
The organization's IT infrastructure connects to the wide area network and the internet at the company's main offices. For instance, the main branch located in the capital can connect to smaller branches spread across other towns in the region.

f. Remote access domain
This domain connects remote users to the company's IT system (Duc, 2012).
For instance, an employee who has traveled for work can access documents on GM's servers and carry on with a given task. Remote access saves time, as employees can still reach important documents while attending conferences or other business-related activities.

g. System/application domain
This layer holds all the critical systems, applications and data. It is important for GM to emphasize the security of this domain, as it holds all of the company's own information along with staff, vendor and customer information. The common vulnerabilities associated with this domain are unauthorized physical and logical access, and data loss (When et al., 2013).

VII. Examining existing security policies

Before embarking on a security audit, the external firm needs to find out whether the company has an existing security policy and what directives are stipulated in it. As discussed earlier, GM is very strict about how information is handled, particularly data pertaining to its customers. The auditor needs to speak with the policy compliance team and learn how the policy was disseminated to employees. Failing to inform and train employees on new procedures, or as part of general capacity building, is a common pitfall for many corporations, and it becomes costly for the business (Rizkalla, 2014).
Training is an opportunity for staff to seek clarification on areas they find vague or difficult to comprehend, and the auditor can enquire about the effectiveness of existing procedures and the problem areas staff are grappling with. The auditor also needs to examine the existing controls for the policies, which comprise the control environment, risk assessment, control activities, information and communication, and finally monitoring. Factors in the control environment include integrity and ethical values as defined by the HR department; commitment to competence, seen in GM's quality commitment through continuous research and innovation; and leadership philosophy and operating style across all GM branches and affiliated companies. Lastly, the environment also consists of the various policies and procedures that guide employees and other stakeholders such as vendors (Controller's Office, USU, 2010).
Control activities help to ensure that management directives are adhered to by all employees; examples are authorizations, approvals, reconciliations and performance reviews. Information and communication is also pertinent to the process and should flow in both directions, top down and bottom up. Personnel must understand their role in the internal control system and how individual activities are interlinked. Monitoring is a process that assesses the quality of the system's performance over time without disrupting the normal course of operations.
This can be achieved through regular management and supervisory duties, in which those in charge make observations and document them.

VIII. Critical security control points

Security controls are technical safeguards and operational procedures that strengthen existing defenses against threats in the internal or external environment of an organization. These controls involve the key elements of a company: its people, processes and products. Most companies use security controls developed by an international consortium of government agencies and security experts (the Critical Security Controls, now maintained by the Center for Internet Security).
The list is based on actual incidents that occurred in companies in the US and other parts of the globe, and it is designed to give the maximum improvement in risk posture against the threats in today's business environment (Tripwire, 2016).

a. Inventory of authorized and unauthorized devices
This is a must-have item in infrastructure audits. The head of IT should be in a position to share updated records tallying company devices against their corresponding authorized users.
For instance, the scanner in the executive boardroom may be restricted to top-tier staff, while the photocopier on the main floor could be open to all, including interns.

b. Inventory of authorized and unauthorized software
As with devices, the IT department must maintain updated records of the software in use and of the employees who have access to each package. Furthermore, the record should be specific about which functions each authorized employee can execute, such as read, edit or delete. With these stringent procedures the compliance team can keep watch on everyone's activities and apply corrective action where necessary.

c. Secure configurations for hardware and software on mobile devices, laptops, etc.
Passwords and authentication processes such as biometrics are prerequisites for maintaining the security of a system.
Access to the server room should be controlled through biometrics such as fingerprint or iris scanning. Company phones must have location tracking enabled so that a device can be traced if it is stolen or goes missing (and, ideally, wiped remotely). In this way GM reduces the risk of information theft once employees leave the office.

d. Continuous vulnerability assessment and remediation
A twice-yearly security audit is not enough to cover everything.
As competition in the global market continues to heat up, it is safe to assume that GM will always have a target on its back. Therefore the company needs to be mindful of its actions and perform routine, and sometimes random, vulnerability assessments as outlined in the previous section.
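The reconciliation that controls (a) and (b) above call for, as an added example that is not part of the original text and not GM code: an authorized device inventory is compared with what a network scan actually found, an approved-software list (with the users allowed each package) is compared with what endpoint agents report installed, and the per-function grants (read, edit, delete) are checked against an activity log so the compliance team has concrete items to act on. All inventories, scan results, hostnames, MAC addresses, users, product names and log entries are constructed sample data.

```python
"""Reconcile observed devices, software installs and user actions against
the authorized inventories that controls (a) and (b) require.

Added example; not code or data from the original text and not GM
material. Inventories, scan output and the activity log are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    owner: str
    kind: str


@dataclass(frozen=True)
class SeenDevice:
    mac: str
    ip: str
    hostname: str


# --- Control (a): authorized vs. observed devices ---------------------------
# Keyed by MAC for simplicity. A MAC can be spoofed, so treat this as a first
# pass that an agent-based or 802.1X-backed inventory should confirm.
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": Device("00:11:22:33:44:01", "alice", "laptop"),
    "00:11:22:33:44:02": Device("00:11:22:33:44:02", "bob", "desktop"),
    "00:11:22:33:44:03": Device("00:11:22:33:44:03", "carol", "phone"),
}

# What a scan of the office LAN reported (constructed sample).
OBSERVED_DEVICES = [
    SeenDevice("00:11:22:33:44:01", "10.0.5.21", "ws-alice"),
    SeenDevice("00:11:22:33:44:02", "10.0.5.22", "ws-bob"),
    SeenDevice("00:11:22:33:44:99", "10.0.5.77", "unknown-host"),  # not in inventory
]


def unauthorized_devices(authorized, observed):
    """Devices on the wire that nobody approved."""
    return [d for d in observed if d.mac not in authorized]


def unseen_devices(authorized, observed):
    """Inventoried devices the scan did not find: lost, stolen, or stale records."""
    seen = {d.mac for d in observed}
    return [dev for mac, dev in authorized.items() if mac not in seen]


# --- Control (b): authorized vs. observed software --------------------------
AUTHORIZED_SOFTWARE = {          # product -> users allowed to have it
    "SAP GUI": {"alice", "bob"},
    "Oracle SQL Developer": {"bob"},
}

OBSERVED_INSTALLS = [            # (host, logged-in user, product) from endpoint agents
    ("ws-alice", "alice", "SAP GUI"),
    ("ws-bob", "bob", "Oracle SQL Developer"),
    ("ws-carol", "carol", "SAP GUI"),      # approved product, user not on its list
    ("ws-alice", "alice", "uTorrent"),     # product not approved at all
]


def unauthorized_software(authorized, installs):
    """(host, user, product, reason) for each install the inventory does not permit."""
    findings = []
    for host, user, product in installs:
        if product not in authorized:
            findings.append((host, user, product, "software not approved"))
        elif user not in authorized[product]:
            findings.append((host, user, product, "user not authorized"))
    return findings


# --- Per-function grants (read / edit / delete) checked against activity ----
PERMISSIONS = {                  # resource -> user -> allowed actions
    "crm_customer_records": {"alice": {"read"}, "bob": {"read", "edit", "delete"}},
    "design_sketches": {"carol": {"read", "edit"}},
}

ACTIVITY_LOG = [                 # (user, resource, action), constructed audit trail
    ("alice", "crm_customer_records", "read"),
    ("alice", "crm_customer_records", "delete"),   # exceeds her read-only grant
    ("dave", "design_sketches", "read"),           # no grant at all
    ("bob", "crm_customer_records", "edit"),
]


def is_permitted(perms, user, resource, action):
    """Deny by default: an unknown resource or unknown user means no access."""
    return action in perms.get(resource, {}).get(user, set())


def permission_violations(perms, log):
    """Log entries that should trigger corrective action."""
    return [entry for entry in log if not is_permitted(perms, *entry)]


if __name__ == "__main__":
    for d in unauthorized_devices(AUTHORIZED_DEVICES, OBSERVED_DEVICES):
        print("unauthorized device:", d)
    for d in unseen_devices(AUTHORIZED_DEVICES, OBSERVED_DEVICES):
        print("inventoried but not seen:", d)
    for f in unauthorized_software(AUTHORIZED_SOFTWARE, OBSERVED_INSTALLS):
        print("software finding:", f)
    for v in permission_violations(PERMISSIONS, ACTIVITY_LOG):
        print("permission violation:", v)
```

Two design points worth noting. The software check distinguishes "product not approved at all" from "approved product, wrong user", because the corrective action differs (remove the package versus fix the grant or the record). The permission check denies by default, so a user or resource that is simply missing from the matrix produces a violation rather than silent access; that is the behaviour an auditor wants when the inventory is incomplete.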