Information Protection and Handling Standard

CPN-ITS-STD-ID.GV-1b Version 8 03/22/2021

Table of Contents

Document Status (page 3)
Revision Tracking (page 3)
Purpose (page 3)
Scope (page 3)
Adherence (page 3)
Format (page 3)
Requirements (page 4)
Roles and Responsibilities (page 15)
Terms and Definitions (page 15)

Document Status:

Standard Name: Information Protection and Handling Standard
Standard ID: CPN-ITS-STD-ID.GV-1b
Approved for Deployment: McKenzie, Annessa, VP of IT & Chief Security Officer
Effective Date: 06/03/2016

Revision Tracking:

Revision Date: 06/03/2016
Revision Purpose: Standard Updated
Version: 8
Approver: McKenzie, Annessa, Chief Security Officer & VP of Supply Chain
Approval Date: 03/22/2021

Purpose: To minimize the possibility of an information breach, this standard provides recommendations for methods to identify high risk (classified) information and provides a minimum set of standards to safeguard it.

Scope: This standard is applicable to all Calpine workers (employees, customers, contractors and third parties) who may handle information on behalf of the company and its customers.

Adherence: Known or newly discovered exceptions shall be formally documented within 90 days via the ServiceNow Exception Form. All newly implemented Information Systems shall adhere to this standard.

Format:

· Mandatory requirements for all Calpine Information Systems are written in standard format
· Guidance and document narrative are bolded and italicized
· Industrial Control Systems are offered certain exceptions to mandates due to the nature of operational risk. Exceptions or special considerations for these systems will be outlined.


Requirements:

1 Recommended Practices Summary

The following activities are strongly recommended for information owners:

Classify information being handled

Reference the classification chart to select safeguards

Establish procedures for safe information handling when required

Exercise good judgment and request help when required

Additionally, all information owners shall ensure additional NERC/CIP requirements are followed (See Appendix B). If there are any questions or suggested updates regarding this standard, they should be submitted to the IS Compliance Team via email to [email protected].

2 Recommended Practices for Handling Classified Information

2.1 Classify information being handled

In order to decide the type of security measures to apply, it is important to classify the information in accordance with business risk and the potential impact of unauthorized access. The following classification levels provide definitions to be used company-wide.

Public – Information that may be disclosed or disseminated without restrictions. Examples include finalized annual reports, press statements or other information which is commonly found on the Calpine public website or from other public sources. Few information handling and security precautions are necessary for public information, as it is approved for full disclosure to any individual.

Internal – Information that is not approved for general circulation outside the organization, as unauthorized disclosure can inconvenience the organization or management.

Confidential – Information which, if disclosed to unauthorized individuals, can have significant impact to business operations, financial status, safety, legal or regulatory obligations, or customers. This classification of information often includes business, employee or customer information.

Secret – Information which, if disclosed to unauthorized individuals, can have major impact to business operations, financial status, safety, legal or regulatory obligations or customers. This is the most sensitive information classification and requires the highest degree of special handling and security precautions. This classification of information often includes trade secrets, commercially sensitive information, or high volumes of highly sensitive information regarding employees or customers.

2.2 Reference the classification chart to select safeguards

Table 1 provides an overview of information classifications and the types of information that typically fit into those classifications, as well as the safeguards that should be followed for safe handling. Please reference Records Management Policy CPN-714 for records destruction practices.

Please note: if information is attorney-client privileged or subject to a legal hold, please contact the Legal department for further instructions. For further information please refer to CPN-714 Records Management Policy.


Classification: Public
Labeling: None
Safeguards: None
Duplication: None
Distribution: None
Destruction*: Delete when information is no longer required.
Examples:
Information publicly available
News and public announcements
Financial information when approved for disclosure
Email not classified as Internal or above

Classification: Internal
Labeling: Use a watermark or footer with the classification INTERNAL. See Appendix C for examples.
Safeguards: Ensure information is properly marked. Ensure internal information is shared on a need-to-know basis. Do not leave internal information visible on desks, printers, or other public locations.
Duplication: Limited copies may be made only by employees or by authorized third parties.
Distribution: Internal: use an internal mail envelope. External: use a sealed envelope. Electronic: use the internal email system; see Appendix C, Email disclaimer. Faxing: verify the fax number before sending.
Destruction*: Paper: place in approved shred bins or, where possible, shred using an approved cross-cut shredder. Electronic media**: send to IS for destruction (CDs, DVDs or hard drives).
Examples:
Department policies and procedures
Emails between employees relating to company business
Information before becoming a Record
Reports generated from systems that can be duplicated
Safety-related information (LOTO)
Network diagrams
IP addresses
Recordings

Safeguards for information classified as Confidential are required to meet laws, contractual commitments, or regulations that require them.

Classification: Confidential
Labeling: Use a watermark or footer with the classification CONFIDENTIAL. See Appendix C for examples.
Safeguards: Originator: responsible for ensuring that confidential information is distributed on a need-to-know basis, properly marked and secured. Recipient: responsible for ensuring that confidential information is electronically or physically secured. It is prohibited to store Confidential Customer Utility Information on any mobile form of storage media, including, but not limited to, laptop PCs, mobile phones, portable backup storage media, and external hard drives, unless the storage media or data is encrypted.
Duplication: Limited copies may be made only by employees, or by contractors and third parties who have signed an appropriate nondisclosure agreement. Use secure print or retrieve from printers immediately. Replication of Confidential Customer Utility Information in full to non-company assets, systems, or locations is prohibited unless an NDA and security review are in place.
Distribution: Internal: use an internal mail envelope. External: use a secured method such as a sealed envelope and registered mail. Electronic: use the internal email system and encrypt; where possible use a link to the document; see Appendix C, Email disclaimer. Faxing: verify the fax number before sending.
Destruction*: Paper: shred. Electronic media**: send to IS for destruction (CDs, DVDs or hard drives).

Examples of possible Confidential information:
Transactional records
Customer data
Financial records
Contracts
Confidentiality agreements
Copyrights
Confidential Customer Utility Information
Personally Identifiable Information (PII)
Information required by contractual or regulatory obligations
Press releases (before release)
Phone directories
Social Security numbers
Non-disclosure agreements
Passwords, PINs
Engineering studies
Commercial Trade Floor analytics (forecasting/planning/pricing)
Plant diagrams
Information covered under attorney/client or investigatory privilege
System security information (system hardening, design, access controls etc.)
Any information that could allow unauthorized physical access to facilities
Any information that could allow unauthorized Information System access
Audits, assessments, vulnerability scans and reports about physical security and information system security
NERC/CIP related information (see Appendix B)
Credit card related information (see Appendix F)
Confidential Customer Utility Information and Third Party Computing Environment for Confidential Utility Information requirements (see Appendix H)

Table 1 - Classification Guidelines and Information Handling Examples

Safeguards for Secret information are mandatory in all cases possible.

Table 1 (continued)

Classification: Secret****
Labeling: Use a watermark or footer with the classification SECRET. See Appendix C for examples.
Safeguards: Ensure secret information is handled on a need-to-know basis. Secret information should be encrypted, and kept under lock and key when not in use. Use privacy screens on computers where information may be seen. Meeting rooms/facilities should be reviewed to prevent unauthorized disclosure. If information systems will be used to handle secret information, ensure Calpine Information Technology policy (CPN-532) is followed.
Duplication: Limited copies (hard copy or electronic) may be made only by permission of the information owner or his/her delegate. Only share information with contractors and third parties who have signed an appropriate nondisclosure agreement. Only print when necessary. Use secure print and the delete print job option where available.
Distribution: Internal: use a sealed envelope inside an internal mail envelope; hand deliver if possible. External: use a plain sealed envelope; hand deliver or send by registered mail, courier etc. Electronic: use the internal email system only, and encrypt the information; where possible use a link to the document; see Appendix C, Email disclaimer. Faxing: requires phone confirmation of receipt of a test page immediately prior to sending the fax, and phone confirmation of full receipt.
Destruction*: Paper: place in approved shred bins or, where possible, shred using an approved cross-cut shredder. Electronic media**: send to IS for destruction. Specify, with all parties the information is shared with, the period of time the information may be retained before destruction.
Examples:
Board minutes
Internal investigations/audits
Financial records before becoming public
Merger/acquisition information before becoming public
Corporate market plans (strategic plans, analysis and forecasting)

* Records under retention or legal hold may not be destroyed.
** Electronic media includes CDs, DVDs, hard drives, laptops, thumb drives, SD cards, etc.
*** Electronic soft copy includes files created and stored on a system.
**** When working with Secret information in a public location a privacy screen must be used.

2.3 Establish procedures for safe information handling when required

All Information Owners, Information System Owners, or any worker handling information classified as Confidential or Secret should maintain up-to-date procedures to safeguard information, including but not limited to:

How the information will be stored

How the information will be distributed (electronically/physically)

How the information will be labeled

How access will be controlled and monitored

How information and information systems will be properly reused and disposed of.

Further guidance when using technology is provided in Appendix A Outline of Procedures.


2.4 Exercise good judgment

From time to time, information does not fit neatly into one of the classifications defined. In these cases, it is suggested to estimate the worst-case impact to Calpine or Calpine customers in the event of a security breach. Table 2 provides guidance to determine the appropriate level of classification. If you need help you may contact [email protected] for assistance.

Table 2 - Classification Reference

Risk: Low
Possible outcomes: No loss in mission capability; no loss to organization or assets; no financial loss.
Example impacts: No impact on profitability; no impact to shareholder value and reputation; no cash flow impact.
Classification: Public

Risk: Medium
Possible outcomes: Limited loss in mission capability for an extended duration, or results in limited damage to organizational assets, or results in limited financial loss.
Example impacts: Limited impact to shareholder value and reputation; limited cash flow impact; risk of limited regulatory violation; requires middle management attention.
Classification: Internal

Risk: High
Possible outcomes: Significant loss in mission capability for an extended duration, or results in significant loss to organizational assets, or results in significant financial loss.
Example impacts: Significant impact to shareholder value and reputation; significant cash flow impact; risk of significant regulatory violation; requires senior and middle management attention.
Classification: Confidential

Risk: Very High
Possible outcomes: Major loss of mission capability for an extended duration, or results in major loss to organizational assets, or results in major financial loss, or results in loss of life or injuries.
Example impacts: Major impact to shareholder value and reputation; major cash flow impact; risk of major regulatory violation; major alliances are threatened; requires Board and senior management attention; potential for loss of life or injuries.
Classification: Secret

2.5 Frequency

All information should be classified and handled in accordance with this standard when it is collected, created, handled and/or when the data classification changes (e.g. a document may be classified when created, yet after release it is no longer confidential, in which case labels should be removed).


Appendix A - Outline of Procedures

Each recommended practice below is followed by its guidance and by the security classification columns to which it applies (P=Public I=Internal C=Confidential S=Secret).

Access Control (P I C S: X X X)

Terminated user access:
Minimum:
- For standard users, access is revoked within 24 hours of termination (by changing the user's password(s) or disabling the account(s)).
- For high-risk terminations (emergency terminations) or privileged account users, access is revoked prior to termination, immediately upon termination, or no longer than 24 hours after termination is reported to the service desk.
- The user's privileges and access must be revoked.
Preferred additional:
- All shared passwords known by the user on all applicable systems should be changed.
- All privileged account passwords known by the user on all applicable systems must be changed.

Least Privilege: Managers and/or process owners determine what "least privilege" means in practical terms to conduct operations. Only the minimum access necessary to perform an operation should be granted, based on the user's role.

Access Validation (Privileged users): Minimum: access to systems and applications is reviewed at least annually. Additional preferred: privileged access is reviewed at least semi-annually.

Access Validation (Non-Privileged users): Minimum: access to systems and applications is reviewed at least annually. Additional preferred: privileged access is reviewed at least semi-annually.

Portable storage devices: USB ports are only functional for a defined group of users. Storage devices are scanned prior to connecting to operations-related systems, and storage devices require encryption before sensitive data can be written on the device.

Encryption: Secure system configurations to enforce secure communications such as WPA2 + PSK (minimum) or AES (preferred). Minimum 128-bit encryption.
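As an added example (not part of the standard or Calpine's tooling), the Python below checks constructed HR and IAM export rows against the access-control thresholds just listed: revocation within 24 hours of termination, rotation of shared and privileged passwords the leaver knew, and annual (privileged: semi-annual preferred) access reviews. The CSV column names, the sample rows and the "current time" are all assumptions.

```python
"""Added example (not part of the standard): checks constructed HR/IAM export
rows against the Appendix A "Terminated user access" and "Access Validation"
guidance. Column names and the CSV layout are assumptions."""
import csv
import io
from datetime import datetime, timedelta

# Thresholds taken from the standard's text.
REVOCATION_LIMIT = timedelta(hours=24)              # minimum: revoke within 24 hours
REVIEW_MINIMUM = timedelta(days=365)                # minimum: review at least annually
REVIEW_PREFERRED_PRIVILEGED = timedelta(days=183)   # preferred: privileged semi-annually

# Constructed sample export of terminated workers (assumed column layout).
# An empty revoked_at means the account is still active.
TERMINATIONS_CSV = """\
user,terminated_at,revoked_at,privileged,knew_shared_passwords,shared_rotated,privileged_rotated
alice,2021-03-01T09:00,2021-03-01T10:30,no,no,no,no
bob,2021-03-01T17:00,2021-03-03T08:00,no,yes,no,no
carol,2021-03-02T12:00,2021-03-02T12:00,yes,yes,yes,no
dave,2021-03-03T08:00,,yes,no,no,no
"""

# Constructed sample of access-review dates per system (assumed column layout).
REVIEWS_CSV = """\
system,privileged,last_reviewed
erp,no,2020-01-15
erp,yes,2020-09-01
hmi-gateway,yes,
"""

# Constructed "current time" so the sample gives stable results.
SAMPLE_NOW = datetime(2021, 3, 4, 12, 0)


def _ts(value):
    """Parse an ISO timestamp; an empty field means 'not yet happened'."""
    return datetime.fromisoformat(value) if value else None


def _yes(value):
    return value.strip().lower() == "yes"


def check_terminations(csv_text, now):
    """Return (user, level, detail) findings for the terminated-user guidance."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        terminated = _ts(row["terminated_at"])
        revoked = _ts(row["revoked_at"])
        deadline = terminated + REVOCATION_LIMIT
        # Minimum: standard and privileged/high-risk users alike must have
        # access revoked no later than 24 hours after termination.
        if revoked is None:
            if now > deadline:
                findings.append((user, "MINIMUM", "access still active past the 24-hour limit"))
        elif revoked > deadline:
            findings.append((user, "MINIMUM",
                             f"revoked {revoked - terminated} after termination (limit 24 hours)"))
        # Preferred additional: credentials the leaver knew are changed.
        if _yes(row["knew_shared_passwords"]) and not _yes(row["shared_rotated"]):
            findings.append((user, "PREFERRED", "shared passwords known by the user not changed"))
        if _yes(row["privileged"]) and not _yes(row["privileged_rotated"]):
            findings.append((user, "PREFERRED", "privileged account passwords known by the user not changed"))
    return findings


def check_reviews(csv_text, now):
    """Return (system, level, detail) findings for the access-validation cadence."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        system = row["system"]
        privileged = _yes(row["privileged"])
        last = _ts(row["last_reviewed"])
        scope = "privileged" if privileged else "non-privileged"
        if last is None or now - last > REVIEW_MINIMUM:
            findings.append((system, "MINIMUM", f"{scope} access not reviewed within 12 months"))
        elif privileged and now - last > REVIEW_PREFERRED_PRIVILEGED:
            findings.append((system, "PREFERRED", "privileged access not reviewed within 6 months"))
    return findings


if __name__ == "__main__":
    for finding in check_terminations(TERMINATIONS_CSV, SAMPLE_NOW) + check_reviews(REVIEWS_CSV, SAMPLE_NOW):
        print(" | ".join(finding))
```

Findings tagged MINIMUM are breaches of the mandatory guidance; PREFERRED findings are gaps against the "preferred additional" items only.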

Identification and Authentication (P I C S: X X X)

Multi-Factor Identification: Minimum: multifactor or two-factor authentication is implemented for remote privileged access. Additional preferred: multifactor or two-factor authentication is implemented for all remote access, and for all privileged account access.

Passwords: All passwords are to be treated as confidential company information.
- Do not share company passwords.
- Secure password management tools are used.
- Do not store passwords in a file on any information asset without encryption.
- Passwords should not be hardcoded.
- Passwords should be masked or hashed in user entry fields.

Media Protection (P I C S: X X X): Shred, incinerate, or pulp hardcopy materials so that data cannot be reconstructed, or render data on electronic media unrecoverable so that data cannot be reconstructed. Sensitive data stored on removable media is encrypted at 256-bit AES or higher if leaving company-controlled areas.

Personnel Security (P I C S: X X X): Upon termination. Minimum: keys must be collected. Additional preferred: lock combinations or access codes should be changed.

Process (P I C S: X X X X): A process is in place to handle data based on classification, as determined by the sensitivity and criticality of the data.
- A data classification schema is established.
- Data is handled based on its classification (e.g. storage, transfer).

Ensure Computer Screen Privacy in Public Locations (P I C S: X X): Shoulder surfing is a risk if you have classified information on your screen on airplanes, in conferences or other public locations. It is recommended that privacy screens be requested from IT. Use the Calpine IT Services Catalog if you are a frequent traveler handling classified information.

Printing (P I C S: X X): When classified information must be printed, ensure the documents are retrieved in a timely manner. Also routinely check print queues and purge any unnecessary copies. Many Calpine printers offer Secure Print features. Please refer to “Dell Secure Print” (KB0113704) to learn how to use the Secure Print features and keep information private.

Establish Non-Disclosure Agreements (P I C S: X X): Signed non-disclosure agreements should be established with individuals accessing classified information, where practical. Non-disclosure agreements may be incorporated in an overall Master Services Agreement with vendors or business partners. If a Master Services Agreement will be relied upon, rather than individual agreements, the vendor/business partner must ensure training and awareness about protecting Calpine information is delivered to all relevant employees and subcontractors.

Remove Sensitive Information Prior to Information System Testing (P I C S: X X): From time to time Information System Owners are involved in the testing and design of Information Systems. Data breaches commonly occur when classified information is used in Information System test environments; therefore, classified information should be removed prior to testing.

Labeling (P I C S: X X X): Labeling a document with a watermark, footer or property that identifies a classification should be done when the document is first created.

Recordings (P I C S: X): Only authorized use of recording devices is allowed. Recording devices include but are not limited to:
o Cameras
o Chat recording
o Video recording
o Collaboration system recording (Teams, Webex)
o Applications (Snag-it)
Recording devices are to be approved by the Calpine Legal Department, Chief Security Officer and IT leadership. Due to data privacy regulations, all recordings must ensure that participants are notified in advance and agree to the recording prior to initiation of the recording.

Appendix B – NERC/CIP Additional Requirements

All workers are accountable for identifying when they have access to NERC/CIP relevant information, and are to protect the information as Confidential. This includes any information listed in the classification matrix above or regarding High/Medium BES Cyber Systems (BCS), Physical Access Control Systems (PACS), and Electronic Access Control Monitoring Systems (EACMS), whether in hard copy or electronic format.

If a worker encounters NERC/CIP relevant information that is not being handled in accordance with the confidentiality requirements within this guideline, please contact [email protected].

Any worker who cannot handle NERC/CIP relevant information in accordance with this guideline should seek advice regarding obtaining an exception by contacting [email protected].

Information owners of NERC/CIP relevant information should ensure that cyber assets (media and equipment) are sanitized (wiped clean) prior to reuse or disposal.

See Terms and Definitions Section for: BES, BCS, EACMS and PACS

Appendix C - Examples of Applications and Labeling

Word document with Footer and Watermark added

PowerPoint with Footer added

E-Mail with labeling added in the body of the e-mail.

Email Disclaimer Example

Disclaimer: The sensitivity of the information contained in this email has been classified under Calpine’s Information Protection and Handling Standard as (Secret, Confidential, and Internal) Information. The recipient of this information should follow the procedures outlined in Calpine’s Information Protection and Handling Standard.

Appendix D - Logging into IT Service Catalog (SNOW) - Calpine Knowledge Base

This standard contains several links to the Calpine IT Services Catalog. When clicking on the links you may be taken to the SNOW login screen. Please follow the steps below.

When presented with the login screen, click on Use external login.

In the User ID field, type in your Calpine e-mail address and click Submit.

Appendix E - List of files external to this document

Document Name: Knowledge Base Document ID and URL Link
IT Service Catalog (SNOW): IT Service Catalog
Bitlocker FAQ: KB0200176
Secure Email attachments with Winzip: KB0113739
Citrix ShareFile: Request a Citrix ShareFile Account: KB0113010; How to Upload a File: KB0113343; Sharing Files with Internal & External Parties: KB011437
Protecting Information in File Shares: KB0113740
Dell Secure Print: KB0113704

Additionally, you may log in to the Services Catalog and search the knowledge base by Knowledge Base number.

Appendix F - Sensitive Cardholder Data

Sensitive cardholder data such as the Primary Account Number, 3-to-4 digit Card Validation Code, Personal Identification Number, or Full Track Data shall not be stored in any Calpine information systems, including databases, shared files, and cloud storage. Additionally, this data shall not be recorded or stored physically.

Appendix G – Confidential Customer Utility Information

“Confidential Customer Utility Information” means information that Utility is: (A) required by the UBP at Section 4: Customer Information (C)(2), (3) or UBP DERS at Section 2C: Customer Data, to provide to ESCO, Direct Customer or DERS or (B) any other information provided to ESE by Utility and marked confidential by the Utility at the time of disclosure, but excludes:

(i) information which is or becomes generally available to the public other than as a result of a disclosure by Receiving Party or its Representatives;

(ii) information which was already known to Receiving Party on a non-confidential basis prior to being furnished to Receiving Party by Disclosing Party;

(iii) information which becomes available to Receiving Party on a non-confidential basis from a source other than Disclosing Party or a representative of Disclosing Party if such source was not subject to any prohibition against transmitting the information to Receiving Party and was not bound by a confidentiality agreement with Disclosing Party;

(iv) information which was independently developed by the Receiving Party or its Representatives without reference to, or consideration of, the Confidential Information; or

(v) information provided by the customer with customer consent where the customer expressly agrees that the information is public.

Appendix H - Data Security Agreement Requirements

The Data Security Agreement (DSA) supersedes the “Confidential” information requirements listed above for CUI in the state of New York. See the DSA for requirements.

Appendix I - Personally Identifiable Information (PII)

“Personally Identifiable Information (PII)” means information about an individual maintained by an organization. This may include (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Appendix J – Implementation of Azure Information Protection (AIP)

Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps an organization classify and, optionally, protect its documents and emails by applying labels. The applied label classifies the document and protects it. The following table provides an overview of the labels that may be applied. Please note that this is available in Office365 at this time and on a limited basis.

Table 3

Label: Public
Text: Information that may be disclosed or disseminated without restrictions.

Label: Internal
Text: This label is for business data which is NOT meant for public consumption. However, this can be shared with internal employees, business guests and external partners as needed.
• General (Calpine Companies): With this label, recipients will be able to read the message or document but not forward the contents outside of Calpine. Recipients are trusted and get full delegation rights (including the ability to remove the protection). The information is NOT protected and owners cannot track or revoke content. (Documents and emails CANNOT be accessed if sent to external emails.)
• Trusted 3rd Parties: With this label, Outlook will encrypt the email and its attachments. Recipients are trusted and get full delegation rights (including the ability to remove the protection). The information is NOT protected and owners cannot track or revoke content. (Documents and emails CANNOT be accessed if sent to non-Trusted external emails.)

Label: Confidential
Text: This label is for sensitive business information that could have a significant impact on the company if over-shared. Information with this label is automatically tagged and marked in accordance with the Information Protection Standard.
• General (Calpine Companies): With this label, recipients will be able to read the message or document but not forward the contents outside of Calpine. Recipients are trusted and get full delegation rights (including the ability to remove the protection). The information is protected and owners can track and revoke content. (Documents and emails CANNOT be accessed if sent to external emails.)
• Trusted 3rd Parties: With this label, Outlook will encrypt the email and its attachments. Recipients are trusted and get full delegation rights (including the ability to remove the protection). The information is protected and owners can track and revoke content. (Documents and emails CANNOT be accessed if sent to non-Trusted external emails.)
• Restricted (Recipient-only): With this label, recipients will be able to read the message but not forward, print or copy the content. The information is protected and owners can track and revoke content.

Label: Secret
Text: This label is for very sensitive business data, which would certainly cause major business impact if over-shared. Information with this label is automatically tagged and marked in accordance with the Information Protection Standard. This includes: PII, DSA, NERC, Financial and M&A.
• General (Calpine Companies): With this label, recipients will be able to read the message or document but not forward, download or save it outside of a secured location. Recipients do NOT get delegation rights (or rights to modify or remove the protection). Data is protected and owners can track and revoke content. (Documents and emails CANNOT be accessed if sent to external emails.)
• Trusted 3rd Parties: With this label, Outlook will encrypt the email and its attachments. Recipients do NOT get delegation rights (or rights to modify or remove the protection). Data is protected and owners can track and revoke content. (Documents and emails CANNOT be accessed if sent to non-Trusted external emails.)
• Restricted (Recipient-only): With this label, recipients will be able to read the message but not forward, print or copy the content. The information is protected and owners can track and revoke content.

Appendix K – Personal Storage Tables (PST)

Personal Storage Tables or PST files are an archive created in Microsoft Outlook to store old emails. PST files are created automatically or manually in Outlook. There are several risks associated with PST files, which may include:

• Compliance issues
  o Unknown content may be subject to various regulatory statutes such as CCPA (California Consumer Protection Act)
  o PSTs may store confidential or secret information that is subject to discovery
  o PSTs are not easy to search
• Unknown information: PSTs may contain emails that you have forgotten about or that should have been deleted. This may put the company at risk during litigation when we are asked to produce it.

Due to the risk associated with PST files, Calpine does not allow PST files to be created without approval from the Legal department.


Roles and Responsibilities:

Information Owner(s)

• Identify when classified information is being handled and ensure the recommended practices specified in this standard are followed
• Establish procedures for all workers who may handle any classified information which may not be freely shared
• Ensure all workers are trained on procedures for handling classified information
• Monitor to ensure procedures are being followed and are operationally effective

All Calpine Workers

• Understand the classification of the information being created and take appropriate action, including: classifying information, labeling documents containing classified information, securing information, maintaining awareness and following procedures established by Information Owners when handling classified information.

Terms and Definitions:

BES Cyber System (BCS)

One or more BES Cyber Assets logically grouped by a responsible entity to perform one or more reliability tasks for a functional entity.

Bulk Electric System (BES)

Unless modified by the lists shown below, all Transmission Elements operated at 100 kV or higher and Real Power and Reactive Power resources connected at 100 kV or higher. This does not include facilities used in the local distribution of electric energy.

Inclusions:
• I1 - Transformers with the primary terminal and at least one secondary terminal operated at 100 kV or higher unless excluded by application of Exclusion E1 or E3.
• I2 - Generating resource(s) including the generator terminals through the high-side of the step-up transformer(s) connected at a voltage of 100 kV or above with:
  o Gross individual nameplate rating greater than 20 MVA. Or,
  o Gross plant/facility aggregate nameplate rating greater than 75 MVA.
• I3 - Blackstart Resources identified in the Transmission Operator's restoration plan.
• I4 - Dispersed power producing resources that aggregate to a total capacity greater than 75 MVA (gross nameplate rating), and that are connected through a system designed primarily for delivering such capacity to a common point of connection at a voltage of 100 kV or above. Thus, the facilities designated as BES are:
  o The individual resources, and
  o The system designed primarily for delivering capacity from the point where those resources aggregate to greater than 75 MVA to a common point of connection at a voltage of 100 kV or above.
• I5 - Static or dynamic devices (excluding generators) dedicated to supplying or absorbing Reactive Power that are connected at 100 kV or higher, or through a dedicated transformer with a high-side voltage of 100 kV or higher, or through a transformer that is designated in Inclusion I1 unless excluded by application of Exclusion E4.

See NERC Glossary of Terms for a complete definition of BES including description of exclusions.

Confidential Customer Utility Information (CCUI)

Information that Utility is: (A) required by the UBP at Section 4: Customer information(C)(2), (3) or UBP DERS at Section 2C: Customer Data, to provide to ESCO, Direct Customer or DERS or (B) any other information provided to ESE by Utility and marked confidential by the Utility at the time of disclosure.

Electronic Access Control Monitoring Systems (EACMS)

Cyber Assets that perform electronic access control or electronic access monitoring of the Electronic Security Perimeter(s) or BES Cyber Systems. This includes Intermediate Systems.

Handle or Handled

Information that is managed, processed, accessed, created, transferred, printed, presented, distributed, duplicated, retained or destroyed.

Information Owners

The individual responsible for key business processes within any department within Calpine including, but not limited to, those responsible for safeguarding information to meet regulatory or contractual obligations.

Information System Owner

The individual responsible for the overall procurement, development, integration, modification, or operation and maintenance of an Information System.

NERC/CIP Regulated Information

Critical Energy Infrastructure Information means any information defined as Critical Energy Infrastructure Information by FERC pursuant to 18 C.F.R. § 388.113, and shall include all Critical Infrastructure Protection (CIP) standards (CIP-002 through CIP-009) established by NERC.


Personally Identifiable Information (PII)

Information about an individual maintained by an organization. This may include (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Sensitive Cardholder Data

Sensitive cardholder data such as Primary Account Number, 3- to 4-digit Card Validation Code, Personal Identification Number, or Full Track Data shall not be stored in any Calpine information systems, including databases, shared files, and cloud storage. Additionally, this data shall not be recorded or stored physically.

Label

A label, such as a header, footer or watermark, placed on documents, which identifies the classification of that document. An example would be a Word document with a watermark or footer, “Secret”, “Confidential”, “Internal” or “Public”.

Physical Access Control Systems (PACS)

Cyber Assets that control, alert, or log access to the Physical Security Perimeter(s), exclusive of locally mounted hardware or devices at the Physical Security Perimeter such as motion sensors, electronic lock control mechanisms, and badge readers.