
Acceptable Use Standard

CPN-ITS-STD-GV-1a Version 5 09/10/2021


Table of Contents

• Document Status (p. 3)
• Revision Tracking (p. 3)
• Purpose (p. 3)
• Scope (p. 3)
• Adherence (p. 3)
• Format (p. 3)
• Requirements (p. 4)
• Roles and Responsibilities (p. 10)
• Terms and Definitions (p. 10)


Document Status:

Standard Name: Acceptable Use Standard
Standard ID: CPN-ITS-STD-GV-1a
Approved for Deployment: McKenzie, Annessa, VP of IT & Chief Security Officer
Effective Date: 09/01/2016

Revision Tracking:

Revision Date: 09/07/2021
Revision Purpose: Annual Review
Version: 5
Approver: McKenzie, Annessa, Chief Security Officer & VP of Supply Chain
Approval Date: 09/10/2021

Purpose: The Acceptable Use Standard establishes the expected, acceptable behavior for Calpine Workers using or accessing Information Systems. Many of the practices described within this standard align with local laws and best practices for any company. Workers should always use their best judgment and, when in doubt, refrain from the activity. Acceptable use of Information Systems is the first line of defense for protecting both the Worker and Calpine from adverse and damaging consequences resulting from unacceptable use or misuse of Calpine information. Such consequences include, but are not limited to, legal or governmental action, claims, or regulatory penalties and fines.

Scope: The Acceptable Use Standard applies to all Calpine-operated Information Systems worldwide and to all Calpine Workers (employees, customers, contractors, consultants and third parties) involved in the acquisition, implementation and operation of Information Systems. The standard applies when using any Information System issued by Calpine IT Services, any wired or wireless network, or any third-party Information System Service or facility supporting Calpine business operations.

Adherence: Known or newly discovered exceptions shall be formally documented within 90 days via the ServiceNow Exception Form. All newly implemented Information Systems shall adhere to this standard.

Format:

• Mandatory requirements for all Calpine Information Systems are written in standard format

• Guidance and document narrative are bolded and italicized

• Industrial Control Systems are offered certain exceptions to mandates due to the nature of operational risk. Exceptions or special considerations for these systems will be outlined.


Requirements:

1 Minimum Requirements Summary

Calpine’s Information Systems are provided for business purposes. Though limited personal use of information systems is permitted by most Calpine business areas, all activities when using Calpine Information Systems should be conducted in a way that:

• Is ethically and socially acceptable

• Is compliant with all applicable laws, regulations

• Adheres to Calpine policies, procedures, standards and guidelines

• Does not negatively affect information security

• Does not cause additional cost or waste of resources

Workers shall have no expectation of privacy when using Calpine’s electronic resources. The company can and has the right to monitor, track and review use of electronic resources by individual employees.

If there are any questions regarding this standard, or suggested updates, they should be submitted to the IT Services Security Team via email to [email protected]

2 Acceptable Use: Do’s and Don’ts

Acceptable use of Information Systems by Workers, and prohibitions, include the following:

2.1 Use Good Judgment

Exercise good judgment regarding appropriate use of Calpine Corporation Information Systems, and in accordance with Calpine policies, standards and guidelines. Calpine Information Systems may not be used for any unlawful or prohibited purposes.

2.2 Acknowledge Security & IT Policies and Training

All Calpine Workers are to complete and sign (electronically or hard copy), upon employment and annually thereafter, an agreement to adhere to all IT Services policies. Workers must also complete Information Security Training annually.

2.3 Avoid Excessive Personal Use

Do not use Information Systems in a way that results in wasted time and/or resources. Reasonable levels of personal use are determined on a case-by-case basis by the Worker’s manager with oversight by Legal and HR. While Internet usage is intended for job-related activities, Calpine policy permits incidental personal use of electronic resources but prohibits excessive use that interferes with work productivity. Managers are responsible for informing employees about this prohibition, identifying cases of excessive personal use on a case-by-case basis and enforcing this policy.

2.4 Protect Account Information

Ensure the security of data, accounts, and Information Systems by keeping passwords and other identifying information secure. Do not share account or password information with anyone, including other personnel, family, or friends. Providing access to another individual, either deliberately or through failure to secure the access, is prohibited. Passwords should never be stored in readable form (e.g. in files, spreadsheets, printed materials, etc.). Only use Calpine Information Security endorsed tools to store passwords in encrypted form.

2.5 Use Strong Passwords

All passwords should be protected in accordance with the Calpine Identity and Access Management Standard. Workers deploying or supporting Calpine Information Systems may be asked to meet more stringent guidelines to protect systems, or to meet regulatory obligations, as described within the Calpine Framework and Risk Management Standard.

2.6 Maintain Control of Business and Customer Information

Ensure company proprietary information remains within the control of Calpine Corporation at all times. This can be achieved through legal (e.g. Non-Disclosure and/or confidentiality agreements) or technical means.

• Confidential business or customer information should not be stored and/or downloaded on personal or non-Calpine-approved environments. Calpine business or customer information should never be stored with or transmitted to third parties with whom Calpine Corporation does not have a contractual agreement.

• Workers’ User Identifications (IDs), company websites and e-mail accounts may only be used for organizationally sanctioned communications.

• Further guidance for protecting Calpine Business and Customer Information can be found in the Calpine Information Protection Standard.

2.7 Protect Information Systems from Theft

Any Information System containing company information should be protected from loss or theft, especially when unattended.

• Leaving an Information System unattended, in plain sight, should be avoided in all cases possible.

• Information Systems left at Calpine Corporation overnight must be properly secured by placing them in a locked drawer or locked cabinet and/or using a Calpine IT Services provided cable-locking system.

• Information Systems containing confidential or secret information, as defined in the Calpine Information Protection Standards, must have encryption enabled. This helps ensure confidential information cannot be accessed in the event a device is stolen or lost.

2.8 Safeguard Information on Unattended Systems

When an Information System must be left unattended (e.g. when working in Calpine offices or at home), be sure to log off, power down, or lock the computer to prevent others from accessing information on the system. A password-protected screen saver should protect the system when it is left unattended (e.g. after 5-10 minutes), except in cases where this poses a safety risk.


2.9 Maintain Calpine IT Services Approved Information System Settings

In all cases possible, for business activities, Workers should use Information Systems that have settings reviewed by Calpine IT Services to prevent security breaches. It is important to ensure these settings are working as intended. To ensure this:

• Do not disable or interfere with any security technologies, including but not limited to antivirus, proxy/web filtering settings, password requirements, registry settings or any other settings designed to protect the Information System and/or information.

• Receive security patches/updates offered by Calpine IT Services in a timely manner and reboot Information Systems when notified. This is required for the patch to be effective.

• Be sure to join IT Services managed Information Systems to Calpine’s network at least every 30 days, to ensure all patches are received and protections are functioning properly. Information Systems which have not attached to Calpine’s network in 30 days may not be able to join the network, at the discretion of IT Services, as unpatched systems can cause harm to other Information Systems in Calpine.

2.10 Avoid Disruption of Information Systems and Services

Avoid activities that can cause a disruption of service for Calpine Information Systems. Activities to be avoided include, but are not limited to:

• Placing unauthorized (non-company) devices on the network;

• Consuming excessive amounts of bandwidth (e.g. by streaming or downloading video, photographs, or music);

• Sharing large digital photographs;

• Tampering with network devices;

• Leaving unprotected (e.g. unpatched) devices on the network; and

• Intentionally or unintentionally introducing malicious software to Calpine Information Systems (e.g. viruses, worms, Trojan horses, e-mail bombs, spyware, adware, and keyloggers).

2.11 Do Not Access or Misuse Prohibited Information

Do not use Calpine Information Systems or services to access, view, procure, send, or save information that is harassing, discriminatory, threatening, disruptive or otherwise inappropriate, as determined by company management or other company policies. This includes, but is not limited to, the following:

• Political or commercial usage not related to or sponsored by the company;

• Inappropriate or offensive language, material, data, or graphics;

• Sexually oriented or explicit language, material, data, or graphics;

• Gambling;

• Criminal activity;

• Discriminating groups;

• Proprietary information;

• Personal information about employees; or

• Any other activity that the Company deems inappropriate for the work environment.

2.12 Only Use Calpine E-Mail Accounts for Company Business

Calpine business-related e-mail should be sent using e-mail account(s) provided by Calpine Corporation. Personal e-mail accounts, or accounts belonging to customers/partners, should not be used for Calpine company business.

Do not open e-mail attachments from unknown or unsigned sources. Attachments are the primary source of computer viruses and should be treated with the utmost caution.

Sending communications to third-party e-mail systems with the intent of circumventing Calpine’s Acceptable Use Standard or security procedures is prohibited.

2.13 Do Not Transmit or Use Calpine Data without Authorization

Transmission of confidential, proprietary, or private data, including employee data, customer data, trade secrets, financial data, or similar materials in violation of the Calpine Code of Conduct or without prior authorization from the copyright holder or information owner is prohibited.

2.14 Do Not Perform Unauthorized Information System Scanning or Testing

Port scanning, network sniffing, security scanning, penetration testing, or any other unauthorized access on Calpine’s network is prohibited, unless approval is formally received in advance from Calpine Information Security & Compliance.

2.15 Do Not Intentionally Mask Communications

Transmitting electronic communications in a way that hides the identity of the sender, or gives the appearance the message is being sent by someone else to mislead the recipient (e.g. “spoofing”) is prohibited.

2.16 Do Not Send Spam

Sending spam via e-mail, text messages, pages, instant messages, voice mail, or other forms of electronic communication is prohibited.

2.17 Do Not Export/Import Software Illegally

Exporting or importing software, technical information, encryption software, or technology in violation of international or regional export control laws is prohibited. When traveling to countries outside of the US, Workers must validate with Legal and Compliance the local laws/regulations as they relate to export control.


2.18 Only Install Calpine IT Services Authorized Software

Downloading and/or installing software on Calpine Information Systems without prior authorization from IT Services is prohibited. Doing so can pose compliance risks (e.g. NERC CIP), violate copyright laws and places the security of the network at risk. Reference the Calpine App Menu (Software Center) on your “Start Menu” and/or contact the Calpine IT Service Desk for authorized options or utilize the ServiceNow Service Portal. Hacking software and tools are strictly prohibited.

2.19 Only Install Calpine IT Services Authorized Hardware

Installing hardware on Calpine Information Systems without prior authorization from IT Services is prohibited. Doing so can pose compliance risks (e.g. NERC CIP) and places the security of the network at risk. For hardware requests utilize ServiceNow Service Portal and/or reach out to the Service Desk.

2.20 Only use Authorized Copyrighted Software and Materials

Only purchase, download, install, copy and/or distribute software, hardware, code or other copyrighted materials when authorized, and in line with the terms and conditions set forth by the copyright holder. For further information please refer to the CPN-516 Copyright and Intellectual Property Policy.

2.21 Only use Authorized Instant Messaging (IM) Software

Only Calpine IT Services approved Instant Messaging systems should be used. Commercial workers may be subject to additional restrictions when using IM, and should follow all regulatory compliance policies.

2.22 Only use Authorized Methods to Connect to Calpine’s Production Networks

Connection of any non-company Information System to the company’s production networks (e.g. Calnet), including but not limited to personal computers, modems, routers, switches and wireless devices, without prior Calpine IT Services authorization is prohibited. Non-company Information Systems are allowed to connect wirelessly via Calguest where available. Contact the Calpine IT Service Desk for additional authorized options (reference the Calpine Mobile Device Standard). Calpine network services provides a wireless access ID for non-company Information Systems (e.g. BYOD, Calguest).

2.23 Only Authorized Use of Recording Devices Is Allowed on Calpine’s Networks

Recording devices (e.g. cameras, chat recording, video recording, Collaboration System Recording (e.g. TEAMS, WEBEX, SnagIT)) are to be approved by the Calpine Legal Dept, Chief Security Officer and IT leadership. Due to data privacy regulations, all recordings must ensure that participants are notified and accept recording prior to initiation of the recording.

3 Penalties for Improper Use

Improper use may result in:

• Restricted network access

• Loss of network access

• Disciplinary action

• Legal action


4 Incident Notification and Reporting

Any real or suspected adverse event that involves Information Systems or information compromise (e.g. loss, damage or theft of company resources) should be immediately reported to the IT Service Desk by telephone: Toll-Free, 1-866-862-1383, select option 5 to document the priority incident.

A police report is to accompany the reported incident when theft of a company asset is involved.

In the event of a cyber-related incident, the Worker is to contact the Service Desk and escalate the priority of the incident to a Priority 1 to ensure engagement of IT Services Security ([email protected]).

5 References and Related Policies/Standards

• CPN-516 Copyright and Intellectual Property Policy

• CPN-532 Calpine Information Technology Policy

• CPN-448 Calpine NERC Critical Infrastructure Protection Policy

• CPN-545 Social Media Policy

• CPN-533 Information Technology Acquisition and Support Policy

• Calpine IT Information Protection and Handling Standard

• Calpine Identity and Access Management Standard

• Calpine Mobile Device Standard

• Calpine Framework and Risk Management Standard

• Calpine Malicious Code Protection (MCP) Standard


Roles and Responsibilities:

Human Resources & Legal: Set standards related to the personnel or legal actions for appropriate and/or inappropriate use, violations of laws or regulations or policies. Commence internal investigations when appropriate.

IT Services: Monitor, track, and routinely review Information System utilization. Manage the infrastructure to control prohibited use.

Workers: Engage in safe and acceptable use of Information Systems. Protect Information Systems from loss or damage. Responsible for compliance with all legal and regulatory requirements as appropriate, including but not limited to all policies and procedures.

Managers, Legal and HR: Responsible for ensuring compliance with policies and legal and regulatory requirements and, where required, enforcing policies and commencing investigations.

Terms and Definitions:

Information System Services: Activities and individuals involved in the procurement, development, integration, modification, or operation and maintenance of Information Systems.

Information Systems (IS): Computers, systems, industrial control systems, equipment interfaces, network and internet equipment, software, applications, databases, data, telephones, mobile devices, voice mail, cloud service providers, and facsimile machines.

Worker(s): All permanent and temporary employees, contractors, consultants, and vendors who access Calpine or Calpine Customer information or Information Systems regardless of day, time, location or purpose.