GM Information Security Controls

Table of Contents

2.1 Responsibility to Maintain Security
2.2 GM's Right to Monitor
2.3 Personal Privacy
2.4 Comply with Applicable Laws and Site-Specific Restrictions
2.5 Physical Security of GM's IT Assets
2.6 Theft and Loss
2.7 Malicious Code Prevention
2.8 Password Use and Protection
2.9 Laptop Network Security
2.10 Mobile Device Security
2.11 Travel Security
2.12 Classifying GM Information
2.13 Labeling of GM Information
2.14 Handling of GM Classified Information
2.15 Encryption of GM Information
2.16 Digital Signatures
2.17 Disposal of GM Information

Key Points

- Users must take individual responsibility for protecting GM Information Resources.
- Users are expected to access only the GM Information, and the computing and communication resources, for which they are authorized and have a need.
- Users must abide by applicable laws and regulations.
- Users are responsible for the physical security and care of computing equipment.

Refer to the GM Glossary for definitions.

Executive Summary

This volume of the Information Security Controls contains the information security requirements applicable to users. All users are expected to understand their responsibility to safeguard GM Information. All employees and authorized users connecting to GM network resources and viewing or storing GM Information must adhere to GM's Information Security Policy and Controls, whether the computing equipment is GM-owned or non-GM-owned.

How These Controls Apply to You

Users are expected to understand their responsibility to safeguard GM Information and GM's IT assets regardless of classification. This includes the following:

- Complete GM Information Security awareness training upon being given initial access to GM Information resources, in order to understand the value of GM Information and the responsibility to protect it.
- Take individual responsibility for protecting GM Information Resources, including remaining vigilant against suspicious attempts to acquire GM Information by telephone, email, or other socially engineered means.

General Principles and Applicability

a. GM Information in any form is considered an asset of GM and must be protected in accordance with the requirements outlined in the Information Security Policy and Controls.
b. Computing equipment and associated software are provided by GM to users as tools to support GM business operations and user job-related functions.
c. Employees and authorized users connecting to GM network resources, or viewing or storing GM Information, must adhere to the GM Information Security Policy and Controls regardless of the computing device used, its location, or the ownership of the device.
d. Employee-owned or contractor-supplied computing equipment is also subject to these Controls governing GM Information to the extent that it is used to create, distribute and print GM Records or to access GM Information Resources, including the requirements set forth in the ILM Record Retention Policy and Schedule.
e. All GM Information is proprietary regardless of classification and must be protected.
f. It is the responsibility of GM employees, other GM system users, and service providers to protect GM Information from unauthorized disclosure, modification, or destruction.
g. GM Information classified as PERSONAL INFORMATION must be protected appropriately, based on data protection laws and regulations, and only shared on a need-to-know basis. To determine whether particular information constitutes PERSONAL INFORMATION in any jurisdiction, and the applicable restrictions on processing and handling such information, including restrictions on transmission across national borders, contact the Global Privacy Center at GM Headquarters or the Legal Staff. For more information, visit the Global Privacy Center.
h. GM Information must be protected against unauthorized disclosure during the disposal process.

Implementation Requirements

2.1 Responsibility to Maintain Security

2.1.1 Users must not engage in any activities that could disrupt or compromise the confidentiality, integrity or availability of GM Information or GM's IT assets, and must uphold the controls that protect them (e.g., maintaining the confidentiality of passwords).
2.1.2 Users must protect all GM Information according to the provisions of these Controls relating to the authorized release of GM Information, including any electronic distribution (e.g., email attachments, Lotus Notes databases, social networking sites, and web pages).

2.2 GM's Right to Monitor

2.2.1 Employees and users acknowledge, in accordance with local law, that GM and/or GM's third-party service providers:
2.2.1.1 Have the right to monitor, audit, store, retrieve, or otherwise capture any electronic information occurrence, including but not limited to transmissions, sessions, or storage that occur over GM's owned, controlled, or connected computing and communication resources (e.g., email content, instant messages, text messages, voice mail content, network addresses, frequency of occurrence, and identification of specific on-line services).
2.2.1.2 Reserve the right to block, alter the priority of, or terminate the execution of, or access to, any service or activity that diminishes the effectiveness of the computing and communication networks, by whatever means GM deems necessary.
2.2.1.3 May temporarily or permanently disconnect any user, division, or subsidiary to prevent further unauthorized activity.
2.2.1.4 Will report any violation of local, state, federal, or international laws to the appropriate authorities.

2.2.1.5 Have the right to review, audit, or monitor email or messages created, stored or transmitted on GM email, instant messaging and social networking systems.
2.2.1.6 All GM email, instant messaging and social networking messages and associated records remain the sole property of GM and may be deleted or disclosed at any time without prior notice.
2.2.2 Employees and users acknowledge that violation of the Information Security Policy and Controls may be used as a basis for termination of employment and/or criminal penalties, including fines and imprisonment.
2.2.3 GM employees, contractors, suppliers, and business partners must cooperate with internal and external auditors and provide timely responses.

2.3 Personal Privacy

2.3.1 Users should have no expectation of privacy, other than that provided by local laws, concerning their use of GM Information and GM's IT Assets, including but not limited to email, corporate-approved instant messaging tools, GM-provided computing equipment, the GM Intranet, GM-provided access to the public Internet, or other GM systems. The required use of passwords to gain access to GM Information and GM's IT Assets is for GM's protection; password protection does not imply that users can expect their communications and their use of GM Information and GM's IT Assets to be private.
2.3.2 Users specifically consent to having their use and communications monitored and recorded, to the extent permitted by applicable law, when using GM Information and GM's IT Assets.

2.4 Comply with Applicable Laws and Site-Specific Restrictions

2.4.1 Users are responsible for any software or other material not provided by GM that is placed on GM computing equipment. Users must have the appropriate license or permission to use the software or other material and are responsible for any consequences of not having the appropriate authorization.
2.4.2 GM reserves the right to remove any software not provided by GM from GM-provided computing equipment without notice to the user. If appropriate, GM may also seek to recover the costs of rebuilds or other expenses associated with the use or installation of the software on GM computing equipment.
2.4.3 Users must not copy software from GM computing equipment for installation on home or other computers.
2.4.4 Employees must obtain the copyright owner's permission before reproducing or photocopying a non-GM copyrighted work.

2.4.5 A copyright notice must be used on General Motors copyrighted works and takes the following form:
- © XXXX (the year of first publication, if applicable) General Motors Company. All Rights Reserved.
- The notice may also name the GM business unit responsible for the work.
2.4.6 Users must adhere to site-specific authorized-use requirements for mobile devices.
2.4.7 Use of employee-owned computing and communication resources (e.g., cell phones, smart phones, and PDAs) for business purposes is prohibited unless expressly allowed by GM Management or the IT site manager.

2.5 Physical Security of GM's IT Assets

2.5.1 Users are responsible for the physical security and care of end-user computing equipment assigned to them by GM.
2.5.2 Users are responsible for the physical security and care of their mobile device(s) and must be careful not to damage them during transportation, subject them to extreme temperatures, or expose them to liquids and/or magnetic fields.
2.5.3 Users must employ reasonable means to physically secure their computing equipment when not in use, including using locking devices or storing it in a locked cabinet, to minimize the risk of loss of or damage to a laptop.
2.5.4 Users must lock devices in a secure compartment when leaving them unattended. Devices left unattended in vehicles must not be visible.

2.6 Theft and Loss

2.6.1 If a laptop or mobile device storing GM Information is lost or stolen, the user must do the following:
2.6.1.1 Immediately notify their management, GM Global Security and IT.
2.6.1.2 Complete a GM Global Reporting & Investigations Tool (GRIT) form for all losses.
2.6.2 If a laptop is stolen, notify the appropriate local law enforcement agency.
2.6.3 Specific to mobile devices:
2.6.3.1 For GM-issued mobile devices, contact GM's service desk, open a case, and request that the service be stopped.
2.6.3.2 For user-owned devices, contact the appropriate wireless carrier or vendor and request account/device suspension.

2.7 Malicious Code Prevention

2.7.1 Users must not compromise the company's malicious code prevention efforts or otherwise create the possibility of malicious code being introduced into GM computing systems.
2.7.2 Users must connect to GM networks to install security software and upgrade packages (e.g., virus protection and patches) as soon as they are made available or as directed by GM.
2.7.3 Users must take individual responsibility for protecting GM Information Resources by avoiding risky IT behavior and installing required software or security upgrades as directed by GM IT (e.g., via eNewsline communications and required patch notifications).
2.7.4 All malware infections must be reported immediately to the GM Service Desk. All performing suppliers and vendors must inform the GM Information Security Manager of malware infections that impact GM Information.

2.8 Password Use and Protection

2.8.1 Users are required to adhere to the GM password control requirements when selecting and using passwords.
2.8.2 Users are required to keep passwords confidential and must not share them with other users.
2.8.3 Users are required to enable appropriate protections for unattended information processing equipment (e.g., terminate sessions, enable screensavers, and log off).
2.8.4 Users are required to protect sensitive information from casual observation or theft (e.g., do not leave sensitive information unattended).
2.8.5 Users must take due care when using removable media and be aware of the associated risks to the GM environment (e.g., malware, loss or theft of intellectual property).
2.8.6 Laptop users must make all reasonable efforts to store GM Information on a secured server where access is controlled (e.g., the H drive, a network S drive, or SharePoint).
2.8.7 Users must ensure that GM Information stored on removable media is not the sole existing copy.
2.8.8 Users may not store GM Information on a laptop for any longer than is necessary to fulfill a specific business need and must delete or transfer laptop data to a secure device as soon as practically possible.

2.9 Laptop Network Security

2.9.1 Only users with GM-issued laptops may connect to General Motors corporate wireless networks.

2.9.2 Users with GM-issued laptops may connect to a wired or wireless public network only if the laptop has the GM-issued Virtual Private Network (VPN) solution. Users must browse the Internet through the VPN.
2.9.3 Users with non-GM-issued laptops that contain GM Information may connect to a personal or corporate wired or wireless network only if that network complies with the minimum GM IT security standards.

2.10 Mobile Device Security

2.10.1 Asset Management
2.10.1.1 GM-owned and GM-managed mobile devices must not be shared with anyone not authorized by the primary user to operate the device in accordance with GM's Acceptable Use Practices.
2.10.1.2 The screen must lock after no more than 30 minutes of inactivity.
2.10.1.3 Where available, anti-virus (AV) software is required on AV-compatible mobile devices accessing or storing GM Information or any third-party information GM has an interest in protecting.
2.10.1.4 Users must not circumvent vendor security features or GM policy (e.g., by jailbreaking) on GM-issued or personally owned mobile devices that access GM Information or networks.

2.10.2 Camera and Video Restrictions
2.10.2.1 Mobile devices equipped with camera/video capabilities are permitted unless local facility policy prohibits their use. Local facility management has the right to restrict or forbid the making of images or videos with mobile devices equipped with camera and/or video capabilities.
2.10.2.2 Photos and sound recordings are only allowed when authorized.
2.10.2.3 Permission must be obtained from the individuals involved before photographing, recording or videoing them.
2.10.2.4 Written permission must be obtained from the individuals involved before publishing or sending photos, recorded sound or video to anyone else or to any website.

2.10.3 Access Control Requirements
2.10.3.1 GM-issued mobile devices may only download, install and use applications available from GM-approved app stores.
2.10.3.2 GM-issued mobile devices may automatically connect to known or stored networks; automatic connection to unknown Wi-Fi or Bluetooth networks must be disabled.

2.10.3.3 For mobile devices containing GM Information, or third-party information which GM has an interest in protecting, all GM business-related data connectivity must occur through a GM IT-approved secure connection (e.g., SSL, SSH, or VPN).
2.10.3.4 Non-GM-issued mobile devices may not connect to the GM production network. They may connect to the GM Guest network, GM-authorized test networks, and applications available via GM-approved methods.

2.11 Travel Security

2.11.1 Users must not access GM Classified Information in a public place, such as on a train, aircraft or bus, or over any unsecured wireless connection (such as in a coffee shop), if it can be viewed by others.
2.11.2 Users must not leave an asset containing GM Information unattended in unsecured public areas, such as airport lounges, check-in counters, hotel lobbies, restrooms and conference centers.
2.11.3 Users must not put computing equipment in checked baggage when traveling, except as required by law.
2.11.4 Users should label computing equipment and carrying cases with their desk or mobile telephone number and must not use a General Motors business card or any other identifier bearing the General Motors logo.
2.11.5 Users should place computing equipment on X-ray or other security scanning systems only as they themselves enter the personnel screening systems, to minimize the opportunity for theft.
2.11.6 Users should store computing equipment in a hotel room safe where available.
2.11.7 If a suitable room safe is not available, users should keep the computing equipment in their possession whenever reasonably possible.
2.11.8 If a room safe is not available and it is unreasonable to keep the computing equipment in the user's possession, the user may leave the device(s) in the hotel room; however, the user must make all reasonable efforts to secure or hide the device(s) within the locked hotel room.

2.12 Classifying GM Information

2.12.1 GM Information must be classified based on a risk assessment that considers the severity of impact from unauthorized disclosure.

2.12.2 Where required, the classification of GM Information must be one or more of the following:
- CONFIDENTIAL
- SECRET
- PERSONAL INFORMATION
- EXPORT CONTROLLED
NOTE: Classification definitions can be found in the glossary.
2.12.3 Management responsibility for and ownership of GM Information must be identified and documented, and data classifications must be periodically re-evaluated.

2.13 Labeling of GM Information

2.13.1 All GM classified data must have a classification label that includes a prefix (e.g., GM) along with the classification (e.g., CONFIDENTIAL).
2.13.2 All unclassified GM Information intended for public distribution must bear the legal and business markings and legends necessary to communicate General Motors ownership, rights, management controls, and information integrity. Examples of such markings include:
- Copyright notice
- Trademark (e.g., logo and image) of the GM business unit
- Signature or name of the GM business unit
2.13.3 All classified GM Information must bear the legal and business markings and legends necessary to communicate General Motors ownership, rights, management controls, and information integrity. Examples of such markings include:
- Classification label
- Copyright notice
- Trademark (e.g., logo and image) of the GM business unit
- Signature or name of the GM business unit
2.13.4 Business entities within GM may have a separate documented classification prefix for information created by the business entity for a third party. In doing so, the standard criteria for classification described in the GM Information Security Control must be applied. Third-party information controls developed by a business entity must be auditable, that is, documented and consistently used.
2.13.5 Customer or supplier information must be labeled with the customer or supplier name and must not be labeled using any of GM's internal classification labels.

2.14 Handling of GM Classified Information

2.14.1 GM managers must identify and adhere to local laws protecting employees by specifying the additional controls required when handling GM Information pertaining to GM personnel matters.

2.14.2 All users must employ all reasonable means to store GM Information securely, based on a risk analysis that considers the sensitivity of the information. Mobile device storage of GM SECRET, GM CONFIDENTIAL, EXPORT CONTROLLED or SENSITIVE PERSONAL INFORMATION is prohibited.
2.14.3 Proper export authorization is required for GM Information deemed to be Export Controlled prior to export or sharing. Users storing EXPORT CONTROLLED information on a laptop must maintain a separate list identifying such information, for reporting purposes in the event the laptop is lost or stolen.
2.14.4 If a laptop containing EXPORT CONTROLLED information is lost or stolen, the user must immediately advise the Office of Export Compliance.

2.15 Encryption of GM Information

2.15.1 To protect the confidentiality and integrity of certain GM Information based on its level of classification or sensitivity, the information identified in Table 2-1 must be encrypted while in transit and/or while at rest.

Table 2-1: GM Information Encryption Requirements

  Type of GM Information          | Storage / At-Rest  | Transmission / In-Transit
  --------------------------------+--------------------+--------------------------
  SECRET                          | Mandatory          | Mandatory
  SENSITIVE PERSONAL INFORMATION  | Mandatory          | Mandatory (1)
  SOX                             | Discretionary      | Mandatory
  CONFIDENTIAL                    | Discretionary (2)  | Discretionary (2)
  EXPORT CONTROLLED               | Discretionary (3)  | Discretionary (3)

Notes:
(1) Applies to data transmission beyond the GM-controlled network.
(2) Must be based on the GM manager's assessment of sensitivity and determination of whether encryption is required.
(3) Contact the Export Compliance Office to determine if encryption is required.

2.16 Digital Signatures

2.16.1 Digital signatures must be used when proof of authorship and/or integrity of the data is required.

2.17 Disposal of GM Information

2.17.1 GM-provided laptops, desktops, mobile devices, media and any other hardware must be returned upon termination of employment with the company or at the end of the specific contractual agreement.
2.17.2 GM reserves the right to audit any personal device upon separation to ensure that it does not contain any GM Information.
2.17.3 GM Information stored in any form, including on electronic media, must be destroyed prior to disposal of the media.
2.17.4 GM Information must be protected against unauthorized disclosure during any disposal process.
2.17.5 All GM Information must be removed in an irretrievable fashion from any device at the end of a lease or prior to redistribution.