Acceptable Use Standard
CPN-ITS-STD-GV-1a Version 5 09/10/2021
Table of Contents
Document Status (page 3)
Revision Tracking (page 3)
Purpose (page 3)
Scope (page 3)
Adherence (page 3)
Format (page 3)
Requirements (page 4)
Roles and Responsibilities (page 10)
Terms and Definitions (page 10)
Document Status:
Standard Name: Acceptable Use Standard
Standard ID: CPN-ITS-STD-GV-1a
Approved for Deployment: McKenzie, Annessa, VP of IT & Chief Security Officer
Effective Date: 09/01/2016

Revision Tracking:
Revision Date: 09/07/2021
Revision Purpose: Annual Review
Version: 5
Approver: McKenzie, Annessa, Chief Security Officer & VP of Supply Chain
Approval Date: 09/10/2021
Purpose: The Acceptable Use Standard establishes the expected, acceptable behavior for Calpine Workers using or accessing Information Systems. Many of the practices described within this standard align with local laws and with best practices for any company. Workers should always use their best judgment and, when in doubt, refrain from the activity. Acceptable use of Information Systems is the first line of defense for protecting both the Worker and Calpine from the adverse and damaging consequences that result from unacceptable use or misuse of Calpine information. Such consequences include, but are not limited to, legal or governmental action, claims, and regulatory penalties and fines.
Scope: The Acceptable Use Standard applies to all Calpine-operated Information Systems worldwide and to all Calpine Workers (employees, customers, contractors, consultants and third parties) involved in the acquisition, implementation and operation of Information Systems. The standard applies when using any Calpine IT Services-issued Information System, wired or wireless network, or any third-party Information System Service or facility supporting Calpine business operations.
Adherence: Known or newly discovered exceptions shall be formally documented within 90 days via the ServiceNow Exception Form. All newly implemented Information Systems shall adhere to this standard.
Format:
· Mandatory requirements for all Calpine Information Systems are written in standard format
· Guidance and document narrative are bolded and italicized
· Industrial Control Systems are offered certain exceptions to mandates due to the nature of operational risk. Exceptions or special considerations for these systems will be outlined.
Requirements:
1 Minimum Requirements Summary
Calpine’s Information Systems are provided for business purposes. Though limited personal use of information systems is permitted by most Calpine business areas, all activities when using Calpine Information Systems should be conducted in a way that:
• Is ethically and socially acceptable
• Is compliant with all applicable laws and regulations
• Adheres to Calpine policies, procedures, standards and guidelines
• Does not negatively affect information security
• Does not cause additional cost or waste of resources
Workers shall have no expectation of privacy when using Calpine’s electronic resources. The company
can and has the right to monitor, track and review use of electronic resources by individual employees.
If there are any questions regarding this standard, or suggested updates, they should be submitted to the
IT Services Security Team via email to [email protected]
2 Acceptable Use: Do’s and Don’ts
Acceptable use of Information Systems by Workers, and prohibitions, include the following:
2.1 Use Good Judgment
Exercise good judgment regarding appropriate use of Calpine Corporation Information Systems,
and in accordance with Calpine policies, standards and guidelines. Calpine Information Systems
may not be used for any unlawful or prohibited purposes.
2.2 Acknowledge Security & IT Policies and Training
All Calpine Workers are to complete and sign (electronically or hard copy) upon employment and
annually thereafter, an agreement to adhere to all IT Services policies. Workers must also
complete Information Security Training annually.
2.3 Avoid Excessive Personal Use
Do not use Information Systems in a way that results in wasted time and/or resources. Reasonable
levels of personal use are determined on a case-by-case basis by the Worker’s manager with
oversight by Legal and HR. While Internet usage is intended for job-related activities, Calpine policy
permits incidental personal use of electronic resources but prohibits excessive use that interferes
with work productivity. Managers are responsible for informing employees about this prohibition,
identifying cases of excessive personal use on a case-by-case basis and enforcing this policy.
2.4 Protect Account Information
Ensure the security of data, accounts, and Information Systems by keeping passwords and other
identifying information secure. Do not share account or password information with anyone,
including other personnel, family, or friends. Providing access to another individual, either
deliberately or through failure to secure the access, is prohibited. Passwords should never be
stored in readable form (e.g. in files, spreadsheets, or printed materials). Only use Calpine
Information Security endorsed tools to store passwords in encrypted form.
2.5 Use Strong Passwords
All passwords should be protected in accordance with the Calpine Identity and Access Management
Standard. Workers deploying or supporting Calpine Information Systems may be asked to meet
more stringent guidelines to protect systems, or meet regulatory obligations, as described within the
Calpine Framework and Risk Management Standard.
2.6 Maintain Control of Business and Customer Information
Ensure company proprietary information remains within the control of Calpine Corporation at all
times. This can be achieved through legal (e.g. Non-Disclosure and/or confidentiality agreements)
or technical means.
• Confidential business or customer information should not be stored and/or downloaded on
personal or non-Calpine-approved environments. Calpine business or customer
information should never be stored or transmitted to third parties with whom Calpine
Corporation does not have a contractual agreement.
• Workers’ User Identification (IDs), company websites and e-mail accounts may only be
used for organizationally sanctioned communications.
• Further guidance for protecting Calpine Business and Customer Information can be found
in the Calpine Information Protection Standard.
2.7 Protect Information Systems from Theft
Any Information System containing company information should be protected from loss or theft,
especially when unattended.
• Leaving an information system unattended in plain sight should be avoided wherever
possible.
• Information Systems left at Calpine Corporation overnight must be properly secured by
placing in a locked drawer or locked cabinet and/or using a Calpine IT Services provided
cable-locking system.
• Information Systems containing confidential or secret information, as defined in Calpine
Information Protection Standards, must have encryption enabled. This helps ensure
confidential information cannot be accessed in the event a device is stolen or lost.
2.8 Safeguard Information on Unattended Systems
When an Information System must be left unattended (e.g. when working in Calpine offices or at
home), be sure to log off, power down, or lock the computer to prevent others from accessing
information on the system. A password-protected screen saver should protect the system when it is
left unattended (e.g. after 5-10 minutes) except in cases where this poses a safety risk.
2.9 Maintain Calpine IT Services Approved Information System Settings
In all cases possible, for business activities, Workers should use Information Systems that have settings reviewed by Calpine IT Services to prevent security breaches. It is important to ensure these settings are working as intended. To ensure this:
• Do not disable or interfere with any security technologies, including but not limited to,
antivirus, proxy/web filtering settings, password requirements, registry settings or any other
settings designed to protect the information system and/or information.
• Receive security patches/updates offered by Calpine IT Services in a timely manner and
reboot Information Systems when notified. A reboot is required for the patch to take effect.
• Be sure to join IT Services managed information systems to Calpine’s network, at least
every 30 days, to ensure all patches are received and protections are functioning properly.
Information systems which have not attached to Calpine’s network in 30 days may not be
able to join the network at the discretion of IT Services, as unpatched systems can cause
harm to other information systems in Calpine.
2.10 Avoid Disruption of Information Systems and Services
Avoid activities that can cause a disruption of service for Calpine Information Systems. Activities to
be avoided, include, but are not limited to:
• Placing unauthorized (Non-Company) devices on the network;
• Consuming excessive amounts of bandwidth (e.g. by streaming or downloading video,
photographs, or music);
• Sharing large digital photographs;
• Tampering with network devices;
• Leaving unprotected (e.g. unpatched) devices on the network; and
• Intentionally or unintentionally introducing malicious software to Calpine Information
Systems (e.g. viruses, worms, Trojan horses, e-mail bombs, spyware, adware, and keyloggers).
2.11 Do Not Access or Misuse Prohibited Information
Do not use Calpine Information Systems or services to access, view, procure, send, or save information that is harassing, discriminatory, threatening, disruptive or otherwise inappropriate, as determined by company management or other company policies. This includes, but is not limited to, the following:
o Political or commercial usage not related to or sponsored by the company;
o Inappropriate or offensive language, material, data, or graphics;
o Sexually-oriented or explicit language, material, data, or graphics;
o Gambling;
o Criminal activity;
o Discriminating groups;
o Proprietary information;
o Personal information about employees; or,
o Any other activity that the Company deems inappropriate for the work environment
2.12 Only Use Calpine E-Mail Accounts for Company Business
Calpine business related e-mail should be sent using e-mail account(s) provided by Calpine Corporation. Personal email accounts, or accounts belonging to customers/partners, should not be used for Calpine company business.
Do not open e-mail attachments from unknown or unsigned sources. Attachments are the primary
source of computer viruses and should be treated with utmost caution.
Sending communications to third-party email systems with the intent of circumventing Calpine’s
Acceptable Use Standard or security procedures is prohibited.
2.13 Do Not Transmit or Use Calpine Data without Authorization
Transmission of confidential, proprietary, or private data, including employee data, customer data, trade secrets, financial data, or similar materials in violation of the Calpine Code of Conduct or without prior authorization from the copyright holder or information owner is prohibited.
2.14 Do Not Perform Unauthorized Information System Scanning or Testing
Port scanning, network sniffing, security scanning, penetration testing, or any other unauthorized access on Calpine’s network is prohibited unless approval is formally received in advance from Calpine Information Security & Compliance.
2.15 Do Not Intentionally Mask Communications
Transmitting electronic communications in a way that hides the identity of the sender, or gives the appearance the message is being sent by someone else to mislead the recipient (e.g. “spoofing”) is prohibited.
2.16 Do Not Send Spam
Sending Spam via e-mail, text messages, pages, instant messages, voice mail, or other forms of
electronic communication is prohibited.
2.17 Do Not Export/Import Software Illegally
Exporting or importing software, technical information, encryption software, or technology in violation of international or regional export control laws is prohibited. When traveling to countries outside of the US, Workers must validate with Legal and Compliance the local laws and regulations as they relate to export control.
2.18 Only Install Calpine IT Services Authorized Software
Downloading and/or installing software on Calpine Information Systems without prior authorization from IT Services is prohibited. Doing so can pose compliance risks (e.g. NERC CIP), violate copyright laws and places the security of the network at risk. Reference the Calpine App Menu (Software Center) on your “Start Menu” and/or contact the Calpine IT Service Desk for authorized options or utilize the ServiceNow Service Portal. Hacking software and tools are strictly prohibited.
2.19 Only Install Calpine IT Services Authorized Hardware
Installing hardware on Calpine Information Systems without prior authorization from IT Services is prohibited. Doing so can pose compliance risks (e.g. NERC CIP) and places the security of the network at risk. For hardware requests utilize ServiceNow Service Portal and/or reach out to the Service Desk.
2.20 Only use Authorized Copyrighted Software and Materials
Only purchase, download, install, copy and/or distribute software, hardware, code or other copyrighted materials when authorized, and in line with terms and conditions, set forth by the copyright holder. For further information please refer to the CPN-516 Copyright and Intellectual
Property Policy.
2.21 Only use Authorized Instant Messaging (IM) Software
Only Calpine IT Services approved Instant Messaging systems should be used. Commercial workers may be subject to additional restrictions when using IM, and should follow all regulatory compliance policies.
2.22 Only use Authorized Methods to Connect to Calpine’s Production Networks
Connection of any non-company information system to the company’s production networks (e.g. Calnet), including but not limited to personal computers, modems, routers, switches and wireless devices, without prior Calpine IT Services authorization is prohibited. Non-company information systems are allowed to connect wirelessly via Calguest where available. Contact the Calpine IT Service Desk for additional authorized options (reference the Calpine Mobile Device Standard). Calpine network services provides a wireless access ID for non-company information systems (e.g. BYOD, Calguest).
2.23 Only Authorized Use of Recording Devices Is Allowed on Calpine’s Networks
Recording devices (e.g. cameras, chat recording, video recording, and Collaboration System Recording such as TEAMS, WEBEX, and SnagIT) are to be approved by the Calpine Legal Dept, Chief Security Officer and IT leadership. Due to data privacy regulations, all recordings must ensure that participants are notified of and accept the recording prior to its initiation.
3 Penalties for Improper Use
Improper use may result in:
• Restricted network access
• Loss of network access
• Disciplinary action
• Legal action
4 Incident Notification and Reporting
Any real or suspected adverse event that involves Information Systems or information compromise (e.g. loss, damage or theft of company resources) should be immediately reported to the IT Service Desk by telephone: Toll-Free, 1-866-862-1383, select option 5 to document the priority incident.
A police report is to accompany the reported incident when theft of a company asset is involved.
In the event of a cyber-related incident, worker is to contact the Service Desk and escalate the priority of
the incident to a Priority 1 to ensure engagement of IT Services Security ([email protected]).
5 References and Related Policies/Standards
CPN-516 Copyright and Intellectual Property Policy
CPN-532 Calpine Information Technology Policy
CPN-448 Calpine NERC Critical Infrastructure Protection Policy
CPN-545 Social Media Policy
CPN-533 Information Technology Acquisition and Support Policy
Calpine IT Information Protection and Handling Standard
Calpine Identity and Access Management Standard
Calpine Mobile Device Standard
Calpine Framework and Risk Management Standard
Calpine Malicious Code Protection (MCP) Standard
Roles and Responsibilities:
Human Resources & Legal
Set standards related to the personnel or legal actions for appropriate and/or inappropriate use, violations of laws or regulations or policies. Commence internal investigations when appropriate.
IT Services
Monitor, track, and routinely review Information System utilization. Manage the infrastructure to control prohibited use.
Workers
Engage in safe and acceptable use of Information Systems. Protect Information Systems from loss or damage. Responsible for compliance with all legal and regulatory requirements as appropriate, including but not limited to all policies and procedures.
Managers, Legal and HR
Responsible for ensuring compliance with policies and legal and regulatory requirements and, where required, enforce policies and commence investigations.
Terms and Definitions:
Information System Services
Activities and individuals involved in the procurement, development, integration, modification, or operation and maintenance of Information Systems.
Information Systems (IS)
Computers, systems, industrial control systems, equipment interfaces, network and internet equipment, software, applications, databases, data, telephones, mobile devices, voice mail, cloud service providers, and facsimile machines.
Worker(s)
All permanent and temporary employees, contractors, consultants, and vendors who access Calpine or Calpine Customer information or Information Systems regardless of day, time, location or purpose.