I. then, then General Motors has enjoyed a

Overview of General Motors and Compliance audits

The basic definition of an I.T. audit is the
examination and evaluation of a company’s
I.T. infrastructure, policies, management
and operations. Companies do these audits to determine whether their I.T
controls protect its assets, uphold the integrity data, and if they are in line
with the set objectives. General Motors (GM) is an American corporation
that designs, manufactures, markets and distributes vehicles and vehicle parts
in the country and around the world. The company was founded in 1908 and has
its headquarters in Detroit, Michigan (GM website). At the height of the 2008
global economic meltdown, GM took a hit and filed for a government-backed
Chapter 11. After reorganization, the company changed its name to General
Motors Company LLC,   the “new GM”
which was followed by an immensely successful IPO in 2010. Since then, then
General Motors has enjoyed a good financial run as it continues operations in
37 countries with flagship brands like Buick, Vauxhall, and Ravon. 

We Will Write a Custom Essay Specifically
For You For Only $13.90/page!

order now

GM is keen on delivering quality vehicles and
vehicle parts to its customers. They achieve this through extensive testing and
research so that only the highest quality vehicles are cleared for the release
in the general market. To demonstrate its commitment to quality, GM hired
Jeffery Taylor as its Chief Compliance Officer whose role would be to strengthen
its legal arm. The CCO will also spearhead a compliance program to ascertain
total commitment to integrity company policies that include the IT pillar that
streamlines the flow of operations within the company (Stoll, 2015). Just as a financial
audit is mandatory, so is an IT infrastructure audit. GM employees are well
aware of the importance of upholding the integrity of company information, to
keep it from falling into the hands of competitors through espionage, blackmail
or downright bribery. The IT infrastructure audit would focus on all branches
as each branch contributes to the overall success of the company. The
objectives of the audit are to check compliance to ISO/TS 16949:2009, the
quality management standard that guides operations. The audit would also look
into the electronic communication channels such as the Electronic Data
Exchange, to ensure accuracy of company records. Information life cycle is
another area that needs attention as failure to comply can expose GM to
lawsuits (GM, 2016).  For instance, if an
employee had unauthorized access to sensitive data pertaining to a lawsuit,
they may destroy, conceal, falsify or alter these records and the company would
find itself in legal jeopardy. This audit will be done bi-annually by an
external audit firm and the results will be presented to the top-tier
management then later disseminated to all employees through the company’s intranet network.

Critical requirements of the audit

IT auditing evaluates the controls around the
information with respect to availability, integrity and confidentiality. Given
the magnitude and implications of an IT audit for a multinational like GM, it
is imperative that the company avails the resources needed for a successful IT infrastructure
audit. IT audits are knowledge intensive as the auditor must be trained on the
particular processes that the company uses. For example, GM has used business
softwares like Oracle and SAP to help manage the Shop-Click-Drive platform that
enables customers to buy vehicles online (Bennett, 2015). In 2015, the company
opted to end its outsourcing contracts with Hewlett Packard and set up an
in-house IT department of 8,000 employees that would focus on developing
custom, internally-built software and this move has radicalized operations and
opened up new sources of sales revenues like online shoppers. 

For a successful IT audit, the company would have to
give un-prohibited access to their burgeoning staff of engineers so that the
auditors can perform checks on a specific sample obtained through random
sampling technique. The audit process would also require detailed records of
the current IT policy for benchmarking against what is actually being done.

Privacy laws that apply to organization

GM’s privacy laws
extend to wide network of stakeholders who consist of its employees,
shareholders, suppliers, GM affiliated companies, and most importantly the
customers. Integrity of handling client’s
information is paramount to the success of this company. Prior to investing in
a robust CRM system, GM faced a myriad of challenges with its paper-based certification
program that was riddled with corruption and inefficiency where clients’ information would be recorded inaccurately or get
lost in the piles of paperwork (Hines, 2002). 

Holden, a subsidiary of GM based in Australia has
shared instances where the company may use consumers’ personal data as long as the laws and regulations
apply. For example, the company may use contact information to reach a customer
in the event of a safety-related product recall, or for any other purposes that
the customer has consented to (GM Holden, 2016). GM employees who interact with
customer records need to adhere to this privacy law as infringing this would
put off customers. For instance, up selling company products through email or phone
calls to people who have previously declined to participate.

Social media is another murky area where companies
with wide geographical reach must pay attention to. In November 2013, GM
released a Global Social Media Policy to prevent accidental or deliberate
disclosure of company’s confidential
and proprietary information through social media platforms. The policy also
establishes the parameters for official or personal social media communications
made by GM staff or representatives, so as to avoid misconstruing such as the
company’s standpoint (GM
website). The Chief Compliance Officer working in tandem with the HR department
is responsible for ensuring that employees uphold these privacy laws, and
issuing scads of punishment to employees who consistently fail to obey.

Plan for assessing IT security

For companies to
remain competitive in the cutthroat business environment that prevails in the
21st Century, companies must invest resources in support departments
like IT instead of diverting all effort to boosting their bottom line. This
mistake has proven costly to corporations like Apple through cyber attacks,
either instigated by competitors or by other entities.

The plan for
assessing IT security will entail risk management, with a special focus on
cyber security. The first step is to identify all information assets that the company
interacts with. These could be human resource data, credit card numbers of
customers, sketches of designs, etc. The next step is to locate where these
assets are stored; in the intranet, workstations, removable media, and CRM
databases (News Report, 2010). Classify the information assets on a 1-5 scale
depending on their use, and then rate potential threats that could harm the aforementioned
assets. Microsoft provides an easy way of doing this by applying STRIDE
(Spoofing, Tampering, Repudiation, Information disclosure, Denial of service,
and Elevation of privilege). The final step is computing the threat level by
multiplying all the cells in the worksheets by the classification ratings you
recorded per asset. The result of this exercise is a comprehensive ranking of
threats that face the company and a list of possible contingencies. The
management can start tackling threats that registered the highest scores.


Threat analysis
helps a company like GM to know how to best allocate resources towards the
protection of their IT infrastructure. The first step is to identify the
problems that may arise. In this case, GM stands a chance of being hit with
credit card fraud where identity thieves may penetrate their CRM data base and
gain access to credit card information of clients who use the Shop-Click-Drive
platform. The next step is to identify the characteristics like and development
of threat profiles. The company would borrow from past experience of payment
fraud to know who and what type of culprit would be expected to commit this
crime. Next, the company would identify a generic attack path that the adversary
would use to commit the said crime. The risk auditor would then identify
activities leading up to the threat to give an early warning of the pending
attack (Duggan and Michalski, 2007). For instance, the auditor may find some
missing files in the CRM or a sign of unauthorized entry by staff or an
external entity. The final step in creating a threat analysis framework is
finding the best strategies for mitigation against the threat identified, and
ways to reduce the overall impact should the culprit find other loopholes
through which to propagate his crimes.

The goal of
vulnerability analysis is to analyse how serious and extensive a specific
incidence affects the organization. Vulnerability analysis differs from risk
analysis in that the former compares more than one scenarios to identify
various vulnerabilities in more detail as compared to risk analysis which is
narrow (Swedish Civil Contingencies Agency, 2012). Risk assessment analysis
involves refining the descriptions of risk scenarios that GM would face and
assessing how probably it is that these risks would occur. For instance, cyber
crimes such as phishing, identity theft, electronic payment fraud and financial
scams are some of the threats that GM could be prone to. The aim of risk
analysis is to addresses questions; what could happen? How likely is it? What
are the consequences (Swedish Civil Contingencies Agency, 2012).

Obtaining information, documentation and resources

The external audit
firm would obtain information from the relevant leaders in the company. The
head of IT would provide the bulk of the information considering the nature of
the audit. The Chief Compliance officer would also provide policy documents
that would be used as benchmark for the infrastructure audit. Interviewing a
select group of employees would also be helpful in measuring their awareness
and comprehension of IT policies used by GM. When it comes to identifying
threats to the integrity of data, the legal department can share discovery
documents based on past cases that the company has litigated. The audit firm can
also borrow from their experience working with similar clients, as long as they
do not disclose information that is covered by Non-disclosure Agreements (NDA)
from previous or current clients. 

How the 7 domains align with organization

a.       User domain

This domain defines the list of employees who
have access to GM’s information
system. Careful to note that being an employee, whether full time or part time,
does not automatically qualify one to access the company’s IS. Conversely, the company has the liberty to open
access to non-employees, for instance, people from the key accounts who need
constant access to particular data in the GM’s intranet.

b.      Workstation domain

This refers to the device used to connect to
the company’s IT
infrastructure. According to Glassdoor.com, one of the many perks accorded to
GM employees is a mobile phone discount that they can use to access the company’s IT system (Glassdoor, . Other devices include laptops,
desktop computers, and tablets.

c.       LAN domain

Local Area Network (LAN) is a collection of
computers that are connected to one another like in a work place setting. They
can also be connected to connection mediums like wires, radio waves or fiber
optic cables along the walls or beneath workstations (Duc, 2012).

d.      WAN domain

Wide Area Network (WAN) is used to connect
remote locations like off-site offices that are away from the main branch in
the city. WAN domain includes dedicated internet access and managed services
through routers or WiFi hotspots. The latter is popular in technology hubs in
the Global South, where internet access is primarily through data bundles on
the cell phone. These hubs provide open spaces where people can access the
internet on their laptops and other devices either for free or at a small fee
(iHub Nairobi, 2016).

e.       LAN-WAN domain

The organization’s IT infrastructure connects to a wide area network and
the internet at the main offices of the company. For instance, the main branch
located in the capital can connect to smaller branches spread across other
towns in the region.

f.       Remote access

This domain helps to connect remote users to
the company’s IT system (Duc,
2012). For instance, if an employee has traveled for work, they can access
documents in GM’s server and carry
on with a given task. Remote access helps to save time as employees can still
access important documents when attending conferences or other business related

g.      System/ application

This layer holds all the critical systems,
applications and data. It is important for GM to emphasize on security of this
domain as it holds all the company’s, staff, vendor
and customer information. The common vulnerabilities associated with this
domain are authorized physical and logical access, and data loss (When et al.,

Examining existing security policies

Before embarking on
a security audit, the external firm needs to find out if the company has an existing
security policy and what directives are stipulated therein. As discussed
earlier, GM is very strict on how information is handled, particularly data pertaining
to its customers. The auditor needs to speak with the policy compliance team
and learn how the said policy was disseminated to employees. Failure to inform
and train employees on new procedures or as part of general capacity building
is a common pitfall for many corporates and this becomes costly on the business
(Rizkalla, 2014). Training is an opportunity for the staff to seek
clarification on areas where they may find vague or difficult to comprehend.
The auditor can enquire on the effectiveness of the existing procedures and
problematic areas that the staff is grappling with.

The auditor needs
to examine existing controls for the policies that include a control environment,
risk assessment, control activities, information and communication, and finally
monitoring. Factors in the control environment include integrity and ethical
values as defined by the HR department, commitment to competence as seen in the
quality commitment by GM through continuous research and innovation, leadership
philosophy and operating style in all GM branches and affiliated companies.
Lastly, the environment also consists of different policies and procedures that
guide employees and other stakeholders like vendors (Controller’s Office, USU, 2010). Control activities help to ensure
that management directives are adhered to by all employees. Examples are
authorizations, approvals, reconciliations and performance reviews. Information
and communication is also pertinent to the process and it should be two ways;
top down and bottom up approach. The personnel must understand their role in
the internal control system and how individual activities are interlinked.
Monitoring is a process that assesses the quality of the systems performance
over time without disrupting the normal course of operations. This can be
achieved through regular management and supervisory duties where those in
charge make observations and document them.

Critical security control points

Security controls
refer to technical safeguards and operational procedures that strengthen existing
defenses against threats that prevail in the internal or external environment
of an organization. These controls involve the key stakeholders of a company
like employees, processes and products. Most companies utilize security
controls that were developed in an international consortium made up of international
agencies and experts. The list is based on actual incidences that occurred in
companies in the US and other parts of the globe, and it is designed to give
maximum benefits toward improving risk posture against threats in today’s business environment (Tripwire, 2016).

a.       Inventory of
authorized and unauthorized devices

 This a
must-have item in infrastructure audits. The head of IT should be in a position
to share updated records based on a tally of company devices against
corresponding authorized users. For instance, the scanner in the executive
boardroom may be restricted to the top-tier staff while the photocopier machine
on the main floor could be open to all, including interns.

b.      Inventory of
authorized and unauthorized software

Similar to the devices, the IT department
must maintain updated records of the softwares in use and the respective
employees who have access to them. Furthermore, the document should be specific
on what functions each authorized employee can execute like read, edit, delete,
etc. With these stringent procedures, the compliance team can keep watch on
everyone’s activities apply
corrective action where deemed necessary.

c.       Secure
Configurations for Hardware and Software on Mobile Devices, Laptops, etc

Passwords and authentication processes like biometrics
are prerequisites to maintaining the security of a system. Access to the server
room should be done through biometrics or eye-ball scanning. Employees with
company phones must have chips installed so as to track the whereabouts of the
device in case it is stolen or missing. This way, GM can negate against
information theft when employees leave the office.

d.      Continuous
Vulnerability Assessment and Remediation

Performing a
bi-annual security audit is not enough to cover everything. As competition in
the global market continues to heat up, it is safe to assume that GM will
always have a target on its back. Therefore, the company needs to be mindful of
its actions and perform routine, and sometimes random, vulnerability
assessments as outlined in the previous section.


I'm William!

Would you like to get a custom essay? How about receiving a customized one?

Check it out