Table of Contents

2 ... 2-1
2.1 Responsibility to Maintain ... 2-2
2.2 GM's Right to Monitor ... 2-2
2.3 Personal Privacy ... 2-3
2.4 Comply with Applicable Laws and Site Specific Restrictions ... 2-3
2.5 Physical Security of GM's IT Assets ... 2-4
2.6 Theft and Loss ... 2-4
2.7 Malicious Code Prevention ... 2-5
2.8 Password Use and Protection ... 2-5
2.9 Laptop Network ... 2-5
2.10 Mobile Device ... 2-6
2.11 Travel ... 2-7
2.12 Classifying GM Information ... 2-7
2.13 Labeling of GM Information ... 2-8
2.14 Handling of GM Classified Information ... 2-8
2.15 Encryption of GM Information ... 2-9
2.16 Digital Signatures ... 2-9
2.17 Disposal of GM Information ... 2-10
2 Key Points

- Users must take individual responsibility for protecting GM Resources.
- Users are expected to only access GM Information, and the computing and communication resources, for which they are authorized and have a need.
- Users must abide by applicable laws and regulations.
- Users are responsible for the physical security and care of computing equipment.

Refer to the GM Glossary for definitions.

Executive Summary

This volume of the Controls contains the information security requirements applicable to users. It is expected that all users understand their responsibility to safeguard GM Information. All Employees and authorized users connecting to GM network resources and viewing or storing GM Information must adhere to GM's Information Security Policy and Controls, whether the computing equipment is GM owned or non-GM owned.

How These Controls Apply to You

Users are expected to understand their responsibility to safeguard GM Information and GM's IT assets regardless of classification. This includes the following:

- Complete GM Information Security awareness training upon being given initial access to GM Information resources, in order to understand the value of GM Information and the responsibility to protect it.
- Take individual responsibility for protecting GM Resources, including remaining vigilant against suspicious attempts to acquire GM Information by telephone, email, or other socially-engineered means.

General Principles and Applicability

a. GM Information in any form is considered an asset of GM and must be protected in accordance with the requirements outlined in the Policy and Controls.
b. Computing equipment and associated software are provided by GM to users as tools to support GM business operations and user job-related functions.
c. Employees and users connecting to GM network resources or viewing or storing GM Information must adhere to the GM Information Security Policy and Controls regardless of the computing device used, location, or ownership of the device.
d. Employee-owned or contractor-supplied computing equipment is also subject to these Controls governing GM Information to the extent that it is used to create, distribute and print GM Records or access GM Resources, including the requirements set forth in the ILM Record Retention Policy and Schedule.
e. All GM Information is proprietary regardless of classification and must be protected.
f. It is the responsibility of GM employees, other GM system users, and service providers to protect GM Information from unauthorized disclosure, modification, or destruction.
g. GM Information classified as PERSONAL INFORMATION must be protected appropriately, based on data protection laws and regulations, and only shared based on a need-to-know principle. To determine whether particular information constitutes PERSONAL INFORMATION in any jurisdiction, and the applicable restrictions on processing and handling of such information, including restrictions on transmission across national borders, contact the Global Privacy Center at GM Headquarters or the Legal Staff. For more information, visit the Global Privacy Center.
h. GM Information must be protected against unauthorized disclosure during the disposal process.

Implementation Requirements

2.1 Responsibility to Maintain

2.1.1 Users must not engage in any activities which could disrupt or compromise the confidentiality, integrity or availability of GM Information or GM's IT assets (e.g., maintaining confidentiality of passwords).
2.1.2 Users must protect all GM Information according to the provisions of these Controls relating to the authorized release of GM Information, including any electronic distribution (e.g., email attachments, Lotus Notes databases, social networking sites, and web pages).
2.2 GM's Right to Monitor

2.2.1 Employees and users acknowledge, in accordance with local law, that GM and/or GM's Third-party Service Providers:
2.2.1.1 Have the right to monitor, audit, store, retrieve, or otherwise capture any electronic information occurrence, including but not limited to transmissions, sessions, or storage that occurs over its owned, controlled, or connected computing and communication resources (e.g., email content, instant messages, text messages, voice mail content, network addresses, frequency of occurrence, and identification of specific on-line services).
2.2.1.2 Reserve the right to block, alter the priority of, or terminate execution of, or access to, any service or activity that diminishes the effectiveness of use of computing and communication networks, by whatever means it deems necessary.
2.2.1.3 May temporarily or permanently disconnect any user, division, or subsidiary to prevent any further unauthorized activity.
2.2.1.4 Will report any violation of local, state, federal, or international laws to the appropriate authorities.
2.2.1.5 Have the right to review, audit, or monitor email or messages created, stored or transmitted on GM email, instant messaging and social networking systems.
2.2.1.6 All GM email, instant messaging and social networking messages and associated records remain the sole property of GM and may be deleted or disclosed at any time without prior notice.
2.2.2 Employees and users acknowledge that violation of the Policy and Controls may be used as a basis for the possible termination of employment and/or criminal penalties, including fines and imprisonment.
2.2.3 GM employees, contractors, suppliers, and business partners must cooperate with internal and external auditors and provide timely responses.

2.3 Personal Privacy

2.3.1 Users should have no expectation of privacy, other than as provided by local laws, concerning their use of GM Information and GM's IT Assets, including but not limited to email, corporate approved instant messaging tools, GM-provided computing equipment, the GM Intranet, GM-provided access to the public Internet, or other GM Systems. The required use of passwords to gain access to GM Information and GM's IT Assets is for GM's protection; password protection does not imply that users can expect that their communications and use of GM Information and GM's IT Assets are private.
2.3.2 Users specifically consent to having their use and communications monitored and recorded, to the extent permitted by applicable law, when using GM Information and GM's IT Assets.

2.4 Comply with Applicable Laws and Site Specific Restrictions

2.4.1 Users are responsible for any software or any other material that is not provided by GM on GM computing equipment. Users must have the appropriate license or permission to use the software or other material and are responsible for any consequences of not having the appropriate authorization.
2.4.2 GM reserves the right to remove any software not provided by GM on GM-provided computing equipment without notice to the user. If appropriate, GM may also seek to recover the costs for rebuilds or other expenses associated with the use or installation of the software on GM computing equipment.
2.4.3 Users must not copy software on GM computing equipment for installation on home or other computers.
2.4.4 Employees must obtain the copyright owner's permission before reproducing or photocopying a non-GM copyrighted work.
2.4.5 A copyright notice must be used on General Motors copyrighted works that takes the following form:
- © XXXX (i.e., year of first publication, if applicable), General Motors Company. All Rights Reserved.
- The notice may also contain the GM business unit responsible for the work.
2.4.6 Users must adhere to site specific authorized use requirements for mobile devices.
2.4.7 Use of employee-owned computing and communication resources (e.g., cell phones, smart phones, and PDAs) for business purposes is prohibited unless expressly allowed by GM Management or the IT site manager.

2.5 Physical Security of GM's IT Assets

2.5.1 Users are responsible for the physical security and care of end user computing equipment assigned to them by GM.
2.5.2 Users are responsible for the physical security and care of their mobile device(s) and must be careful not to damage them during transportation, subject them to extreme temperatures, or expose them to liquids and/or magnetic fields.
2.5.3 Users must employ reasonable means to physically secure their computing equipment when not in use, including using locking devices or storing it in a locked cabinet, to minimize the risk of loss or damage to a laptop.
2.5.4 Users must lock devices in a secure compartment when left unattended. Devices left unattended in vehicles must not be visible.

2.6 Theft and Loss

2.6.1 If a laptop or mobile device storing GM Information is lost or stolen, the user must do the following:
2.6.1.1 Immediately notify their management, GM Global Security and IT Security.
2.6.1.2 Complete a GM Global Reporting & Investigations Tool (GRIT) form for all losses.
2.6.2 If a laptop is stolen, notify the appropriate local law enforcement agency.
2.6.3 Specific to mobile devices:
2.6.3.1 For GM issued mobile devices, contact GM's service desk, open a case and request that the service be stopped.
2.6.3.2 For user owned devices, contact the appropriate wireless carrier or vendor and request account / device suspension.
2.7 Malicious Code Prevention

2.7.1 Users must not compromise the malicious code prevention efforts of the company or otherwise create the possibility of malicious code being introduced into GM computing systems.
2.7.2 Users must connect to GM networks to install security software and upgrade packages (e.g., virus protection and patches) as soon as they are made available or as directed by GM.
2.7.3 Users must take individual responsibility for protecting GM Resources by avoiding risky IT behavior and installing required software or security upgrades as directed by GM IT (e.g., eNewsline communications, required patch notifications).
2.7.4 All malware infections must be reported immediately to the GM Service Desk. All performing suppliers and vendors must inform the GM Manager of malware infections that impact GM.

2.8 Password Use and Protection

2.8.1 Users are required to adhere to the GM password control requirements when selecting and using passwords.
2.8.2 Users are required to keep passwords confidential and not share them with other users.
2.8.3 Users are required to enable appropriate protections for unattended information processing equipment (e.g., terminate sessions, enable screensavers, and log off).
2.8.4 Users are required to protect sensitive information from casual observation or theft (e.g., don't leave sensitive information unattended).
2.8.5 Users must take due care when using removable media and be aware of the associated risks to the GM environment (e.g., malware, loss / theft of Intellectual Property).
2.8.6 Laptop users must make all reasonable efforts to store GM Information on a secured server where access is controlled (e.g., H drive, network S drive, SharePoint).
2.8.7 Users must ensure that GM Information stored on removable media is not the sole existing copy.
2.8.8 Users may not store GM Information on a laptop for any longer than is necessary to fulfill a specific business need and must delete or transfer laptop data to a secure device as soon as practically possible.

2.9 Laptop Network

2.9.1 Only users with GM issued laptops may connect to General Motors corporate wireless networks.
2.9.2 Users with GM issued laptops may connect to a wired or wireless public network only if the laptop has the GM issued Virtual Private Network (VPN) solution. Users must browse the Internet through the VPN.
2.9.3 Users with non-GM issued laptops that contain GM Information may connect to a personal or corporate wired or wireless network only if the user's network complies with the minimum GM IT security standards.

2.10 Mobile Device

2.10.1 Asset Management
2.10.1.1 GM owned and managed mobile devices must not be shared with anyone not authorized by the primary user to operate the device in accordance with GM's Acceptable Use Practices.
2.10.1.2 The screen must be locked after no longer than 30 minutes of inactivity.
2.10.1.3 Where available, anti-virus (AV) software is required on AV-compatible mobile devices accessing or storing GM Information or any third party information GM has an interest in protecting.
2.10.1.4 Users must not circumvent the vendor security features or GM policy (e.g., jail break) on GM-issued or personally owned mobile devices accessing GM Information / networks.

2.10.2 Camera and Video Restrictions
2.10.2.1 Mobile devices equipped with camera / video capabilities are permitted unless local facility policy prohibits their use. Local facility management has the right to restrict or forbid the making of images or videos with mobile devices equipped with camera and / or video capabilities.
2.10.2.2 Photos and recording of sound are only allowed when authorized.
2.10.2.3 Permission must be obtained from the individuals involved before taking photos of, recording sound of, or videoing them.
2.10.2.4 Written permission must be obtained from the individuals involved before publishing or sending photos, recorded sound or video to anyone else or to any website.

2.10.3 Access Control Requirements
2.10.3.1 GM issued mobile devices may only download / install / use applications available from GM approved app stores.
2.10.3.2 GM issued mobile devices may automatically connect to known or stored networks; automatic connection to unknown WiFi or Bluetooth networks must be disabled.
2.10.3.3 For mobile devices containing GM Information, or third party information which GM has an interest in protecting, all GM business-related data connectivity must occur through a GM IT approved secure connection (e.g., SSL, SSH, and VPN).
2.10.3.4 Non-GM issued mobile devices may not connect to the GM production network. They may connect to the GM Guest network, GM authorized test networks, and applications available via GM approved methods.

2.11 Travel

2.11.1 Users must not access GM Classified Information in a public place, such as on a train, aircraft, or bus, or on any unsecured wireless connection, such as in a coffee shop, if it can be viewed by others.
2.11.2 Users must not leave an asset containing GM Information unattended in unsecured public areas, such as airport lounges, check-in counters, hotel lobbies, restrooms and conference centers.
2.11.3 Users must not put computing equipment in checked baggage when traveling, except as required by law.
2.11.4 Users should label computing equipment and carrying cases with their desk or mobile telephone number and must not use a General Motors business card or any other identifier with the General Motors logo.
2.11.5 Users should only place computing equipment on X-ray or other security scanning systems to coincide with their entering the human scanning systems, to minimize the opportunity for theft.
2.11.6 Users should store computing equipment in a hotel room safe where available.
2.11.7 If a suitable room safe is not available, users should keep the computing equipment in their possession whenever reasonably possible.
2.11.8 If a room safe is not available and it is unreasonable to keep the computing equipment in the user's possession, the user may leave the device(s) in the hotel room; however, the user must make all reasonable efforts to secure or hide the device(s) within the locked hotel room.

2.12 Classifying GM Information

2.12.1 GM Information must be classified based on a risk assessment that considers the severity of impact from unauthorized disclosure.
2.12.2 Where required, the classification of GM Information must be one or more of the following:
- CONFIDENTIAL
- SECRET
- PERSONAL INFORMATION
- EXPORT CONTROLLED
NOTE: Classification definitions can be found in the glossary.
2.12.3 Management responsibility and ownership of GM Information must be identified and documented, and data classifications must be periodically re-evaluated.

2.13 Labeling of GM Information

2.13.1 All GM classified data must have a classification label that includes a prefix (e.g., GM) along with the classification (e.g., CONFIDENTIAL).
2.13.2 All unclassified GM Information intended for public distribution must bear the legal and business markings and legends necessary to communicate General Motors ownership, rights, management controls, and information integrity. Examples of such markings include:
- Copyright notice
- Trademark (e.g., logo and image) of the GM business unit
- Signature or name of the GM business unit
2.13.3 All classified GM Information must bear the legal and business markings and legends necessary to communicate General Motors ownership, rights, management controls, and information integrity. Examples of such markings include:
- Classification label
- Copyright notice
- Trademark (e.g., logo and image) of the GM business unit
- Signature or name of the GM business unit
2.13.4 Business entities within GM may have a separate documented classification prefix for information created by the business entity for a third party. In doing so, the standard criteria for classification described in the GM Control must be applied. Business entity developed third party information controls must be auditable, that is, documented and consistently used.
2.13.5 Customer or supplier information must be labeled with the customer or supplier name and not labeled using any of GM's internal classification labels.

2.14 Handling of GM Classified Information

2.14.1 GM managers must identify and adhere to local laws protecting employees by specifying the additional controls required when handling GM Information pertaining to GM personnel matters.
2.14.2 All users must employ all reasonable means to store GM Information securely, based on a risk analysis that considers the sensitivity of the information. Mobile device storage of GM SECRET, GM CONFIDENTIAL, EXPORT CONTROLLED or SENSITIVE PERSONAL INFORMATION is prohibited.
2.14.3 Proper export authorization is required for GM Information deemed to be Export-Controlled prior to export or sharing. Users storing EXPORT CONTROLLED information on a laptop must maintain a separate list identifying such information for reporting purposes in the event the laptop is lost or stolen.
2.14.4 If a laptop containing EXPORT CONTROLLED information is lost or stolen, the user must immediately advise the Office of Export Compliance.

2.15 Encryption of GM Information

2.15.1 To protect the confidentiality and integrity of certain GM Information based on its level of classification or sensitivity, information as identified in Table 2-1 must be encrypted while in transit and/or while at rest.

Table 2-1: GM Information Encryption Requirements

Type of GM Information         | Storage / At-Rest  | Transmission / In-Transit
-------------------------------|--------------------|--------------------------
SECRET                         | Mandatory          | Mandatory
SENSITIVE PERSONAL INFORMATION | Mandatory          | Mandatory (1)
SOX                            | Discretionary      | Mandatory
CONFIDENTIAL                   | Discretionary (2)  | Discretionary (2)
EXPORT CONTROLLED              | Discretionary (3)  | Discretionary (3)

Table 2-1 Notes:
1 Applies to data transmission beyond the GM controlled network.
2 Must be based on the GM manager's assessment of sensitivity and determination of whether encryption is required.
3 Contact the Export Compliance Office to determine if encryption is required.

2.16 Digital Signatures

2.16.1 Digital Signatures must be used when proof of authorship and / or integrity of the data is required.
2.17 Disposal of GM Information

2.17.1 GM provided laptops, desktops, mobile devices, media and any other hardware must be returned upon termination of employment with the company or at the end of the specific contractual agreement.
2.17.2 GM reserves the right to audit any personal device upon separation to ensure that it does not contain any GM Information.
2.17.3 GM Information stored in any form, including electronic media, must be destroyed prior to disposal of the media.
2.17.4 GM Information must be protected against unauthorized disclosure during any disposal process.
2.17.5 All GM Information must be removed in an irretrievable fashion from any device at the end of its lease or prior to redistribution.