comp_s11.pdf


8/16/2019 COMP_S11.pdf 1/16

MCP&G Section 11: Information Protection – Page 1

Manual of Compliance Procedures and Guidelines

SECTION 11. INFORMATION PROTECTION

Revised July 1, 2013

Overview

Chevron’s business information and information technology assets are essential to the success of our business, and not following Chevron Information Protection policies could damage our business. Information risks are real and the consequences are significant. The people of Chevron have the greatest ability to protect our information. All Chevron Corporation employees, contractors, and other third parties must understand and abide by the compliance requirements as outlined in this Section of the Manual of Compliance Procedures and Guidelines (MCP&G).

The goal of the Information Protection (IP) compliance program is to ensure the confidentiality, integrity, and availability of Chevron’s business information and information technology assets in a manner consistent with risk and business value.

Business information includes “digital and/or electronic” data, as well as printed (hard-copy) data and information. We also consider photographs, illustrations, recordings, diagrams, and other forms of content and media as business information.

Information technology assets process, store, and transmit business information. This includes business applications (whether licensed, purchased, or internally developed) and the Company’s telecommunications and computing infrastructure. Additional examples of information technology assets include:

•  Computers, servers and network devices;
•  Smart phones and tablets;
•  Storage devices such as USB memory devices, external hard drives, CD-ROMs, and DVDs; and
•  Process control systems including Supervisory Control and Data Acquisition (SCADA) systems and Distributed Control Systems (DCS).

The examples above are intended to be a guide, not an all-inclusive list of business information and information technology assets.

Every employee must understand and fully comply with three core areas of the IP compliance program. Failure to do so may result in disciplinary action up to and including termination:

•  Protect Information
    - Classify, retain, and limit access to information based on its classification;
    - Protect intellectual property;
    - Retain or dispose of records;
    - Process and protect personal data in accordance with applicable laws and Company-approved procedures; and
    - Ensure goods, information, and devices we use to transport information meet export compliance laws.

•  Protect Access
    - Manage access to information;
    - Keep control and confidentiality of unique identifiers (CAI), Smartbadge, PIN, and passwords;
    - Use the most secure way to gain remote access to the Chevron network; and
    - Stop social engineering attacks by not providing confidential information without first independently verifying the requester’s identity.

•  Protect Equipment and Systems
    - Appropriately use equipment and systems, and limit personal use;
    - Lock access to your computer when not in front of it and ensure it is physically secured;
    - Encrypt all mobile devices that have Company classified or sensitive personal information;
    - Use caution when using the Internet, email, and social media sites; and
    - Understand the ways malicious software (malware) can infiltrate our system and how to respond to it.

Requirements related to processing and protecting personal data are fully discussed in MCP&G Section 9, Data Privacy.

The Information Risk Strategy & Management (IRSM) organization, within the Information Technology Company (ITC), develops and oversees the enterprise IP compliance program designed to comply with IP laws, regulations, and related Chevron policies, standards, and procedures. With the advice of the Corporate Law Function, IRSM helps interpret applicable law, incorporate it into Chevron’s policies, standards, and procedures, and communicate these to personnel having responsibility for IP compliance within their organizations.

IP Champions and Coordinators are responsible for ensuring that an appropriate IP compliance program, including a strong evergreen component, is implemented in their respective organizations. These plans should include the components of the enterprise IP program and, in addition, take into consideration local laws, regulations, and additional risks specific to the organization. IP Champions and Coordinators must regularly manage compliance with the IP policies, standards, and procedures, and perform periodic internal or external audits to assess effectiveness.

Reporting Units are responsible and accountable for their organization’s compliance with Chevron’s policy, standards, and procedures and for ensuring that their IP Champions and Coordinators take into account additional laws and regulations applicable to their business operations. The Law Function and IRSM are available to serve as resources to assist local compliance efforts.

Incidents involving suspected violations of IP compliance requirements, including applicable laws and regulations, should be reported immediately in accordance with the Chevron Incident Reporting guidelines located on the Incident Reporting Procedures page on the IRSM website. Employees can also promptly report any incident involving potential violations of law, ethics or Company policy to their management, Corporate Audit, Global Security, the Chief Compliance Officer or, consistent with applicable law, via the Chevron Hotline.

http://irm.chevron.com/compliance/InfoRiskReporting.aspx
http://corp-compliance.chevron.com/hotline/

TABLE OF CONTENTS

I.   INTRODUCTION ........................................ 5
II.  GUIDELINES .......................................... 5
     A.  Protect Information .............................. 6
     B.  Protect Access ................................... 8
     C.  Protect Equipment and Systems .................... 9
III. POLICIES, PROCESSES, TOOLS AND TRAINING ............. 11
     A.  Policy and Standards ............................. 11
     B.  Processes ........................................ 12
     C.  Tools ............................................ 12
     D.  Awareness and Training ........................... 12
     E.  Reporting ........................................ 13
     F.  Incident Response and Violations ................. 14
IV.  ROLES AND RESPONSIBILITIES .......................... 14
     A.  Chief Technology Officer ......................... 14
     B.  Reporting Units .................................. 14
     C.  Employees ........................................ 14
     D.  Information Risk Strategy & Management and Legal . 15
V.   RESOURCES ........................................... 15
     A.  Chevron Intranet ................................. 15
     B.  Subject Matter Experts ........................... 15
     C.  Investigations ................................... 15
     D.  Business Networks ................................ 16
     E.  Audit ............................................ 16
     F.  Standards Tools .................................. 16

I.  INTRODUCTION

The use of information and information technology is fundamental to Chevron’s business and success. Rapid advances in technology and its use within Chevron continue to enhance the Company’s ability to deliver superior performance and achieve business objectives. Effective management of the risks to which Chevron’s business information and information technology assets are subject will help optimize their business value. Information Protection (IP) is the proactive management of risks to the confidentiality, integrity, or availability of the Company’s business information and information technology assets.

Chevron’s ability to succeed at managing these risks is based on meeting core business capability requirements, such as:

•  Enabling Chevron business by improving support for third parties and by balancing risk, business value, and costs;
•  Protecting Chevron systems from both legacy and emerging threats and attacks;
•  Securing emerging environments or technologies that Chevron is or anticipates using;
•  Managing the security implications of the influx of the “millennial” generation into the workforce; and
•  Meeting regulatory requirements.

Chevron uses a risk-based information security process to identify, prioritize, and mitigate cyber-risk. Some examples of our top current and emerging business risks include:

•  Process controls network — a breach of process control systems in Chevron facilities.
•  Joint venture and third-party access — unauthorized and inappropriate access to data for their job role.
•  Data leakage — unauthorized, unlawful, or unintended access to data.
•  Encryption — leakage of sensitive data.
•  Espionage — malicious theft of information.
•  Mobile computing — non-Chevron devices inappropriately access Company data.
•  Cloud computing — confidential or data integrity breaches, or loss of availability of IT systems.

II.  GUIDELINES

Chevron takes steps to prevent loss and reduce risks by developing policies, processes, and technologies and communicating those requirements and capabilities through training and other awareness methods. You are responsible for becoming familiar with the areas highlighted in these guidelines as you play a key role in protecting our information. Beyond protecting our business, it is important to remember that failure to comply with Chevron’s policies, including those related to information, could result in disciplinary action up to, and including, termination, and could subject you to civil and/or criminal liability.

A.  Protect Information

All information created, produced, received, or used in the course of Chevron’s business is Chevron’s property, unless that ownership is limited by law or agreement or disclaimer. While Chevron owns the information, the individuals working for Chevron and creating the information are responsible for managing it or ensuring that it is being managed appropriately (storage, use, access, and disposal). If you create information, you are responsible for what happens to it, either on your own or by assigning it to the appropriate parties. The following topics discuss information management policies and laws that everyone is responsible for understanding.

1.  Information Classification

You are responsible for using information appropriately and minimizing the information security risks to information. This includes classifying your information and managing access to that information. Since everyone at Chevron uses information in some form, everyone is responsible for classifying the information they work with and managing it in a way that corresponds with that classification.

Four confidentiality classifications indicate information sensitivity and who should have access to the information. These are:

•  Public — non-sensitive information that is intended or available for release to the public.
•  Company Confidential — Company information available within the Company to those with a business need for the access.
•  Confidential-Restricted Access — for disclosure and use only by those with a specific legitimate business need for access.
•  Classified — most sensitive business information and data.

While you are not expected to memorize all confidentiality definitions, you should be able to:

•  Recognize the general nature of the information you handle; and
•  Use resources when you are unsure how to handle information. Use the Confidentiality Definitions.

Basic tips for managing your information must be followed:

•  Label;
•  Protect (manage access, encryption);
•  Follow policies and standards when sharing; and
•  Dispose of per Chevron’s retention rules for records and other information.

http://go.chevron.com/confidentiality

2.  Intellectual Property Rights

Intellectual property is the product of human intellect and creativity that is legally protected and has commercial value. It consists of new and novel inventions, products, services, processes, and images (intellectual property assets) that are protected by trade secret, patent, copyright, and trademark law.

Carefully protecting intellectual property of all parties means we can continue to use internally developed or acquired technology without threat of legal actions that could slow or stop our operations. To ensure compliance:

•  Identify trade secrets you work with and how to protect them. Remember, intellectual property, such as trade secrets, patents, details of negotiations or acquisitions and mergers could be a target of corporate espionage.
•  Understand that incorrectly sharing intellectual property, especially when shared beyond Chevron, could compromise or result in the loss of our Intellectual Property Rights.
•  Ask your Information Risk Management (IRM) Coordinator or Intellectual Property Manager if you are unsure about how to handle information.
•  Assume that all information is copyrighted and get permission to use it. Never distribute copyrighted materials without permission. Rather than copying and pasting information you find online, you may link to a website or article.
•  Never download and use software unless a valid license agreement has been obtained that has had prior business approval and legal approval as required by our policies.

3.  Records

Some types of intellectual property or information discussed previously may also be classified as a record. Records have legal implications and they must be retained or disposed of based on legally determined schedules.

The Chevron Retention Schedule defines what is considered a record, the length of time each type of record must be retained, and when it can be disposed of. Actions for handling records include:

•  Review the retention information, training, and the U.S. Region Records Retention Schedule.
•  For non-U.S. Chevron locations, please contact your Records Coordinator for your local Retention Schedule guidelines and practices.
•  Ask your Supervisor if you are handling records in your job.
•  Know who to contact as your organization’s Records Coordinator by viewing the Records Coordinators list.

4.  Data Privacy

Another type of information that must be closely guarded is personal data. This is covered in MCP&G Section 9, Data Privacy.

http://go.chevron.com/retention
https://collab001-hou.sp.chevron.net/sites/imcentral/imcop/Lists/IM%20CoP%20Members%20List/RecordsCoordinators.aspx

5.  Export Compliance

Just like all other goods, information and the devices we use to transport information are subject to export compliance laws. These laws are in place around the world to protect national security, promote foreign policy, prevent terrorism and protect short supplies. Failure to follow export laws could result in:

•  Heavy fines;
•  Limitation of Chevron’s export privileges;
•  Civil and criminal penalties for individuals and for Chevron;
•  Negative publicity; and
•  Exposure of business and personal information, including intellectual property (such as trade secrets) and employee-sensitive personal information (such as health records).

What you should do:

•  Be aware of when an export is taking place.
•  Before leaving a country with information or computing devices, check with your Business Unit’s Export Compliance Officer to ensure you are in compliance with country laws and not putting Chevron’s information at risk.
•  Understand that failure to comply could lead to actions up to and including termination. Individuals could also face legal action.
•  For more information on Export Compliance, visit the Law Department site.

Exporting of goods, technology, software or services is covered in more detail in MCP&G Section 6.II.B.i., International Trade.

B.  Protect Access

The ability to share information with the right people and partners provides significant value to Chevron. Recognizing when not to share and recognizing situations that may result in unintentional sharing of information are also important.

1.  Information Management and Permissions

Organizations and individuals have the responsibility to define who has the ability to view and use information. The organization of your information can affect the complexity or simplicity of managing access and should be considered when designing an information management plan. For example, large data repositories should not be shared when the risk profile suggests that only targeted information should be shared. Those authorizing access are responsible for understanding both the contents and appropriateness of granting access.

http://lawfunction.chevron.com/law_groups/corp_law/compliance/trade/export_compliance.asp

2.  Access Keys

Two-factor authentication tools control access to most Chevron systems; they require something you have (SmartBadge) and something you know (PIN). Some systems rely on a unique identifier such as your CAI (Chevron Account Identifier) and passwords. Your SmartBadge also doubles as the facility access badge. Keeping control of what you have and keeping secret what you know to access Chevron systems is the responsibility of everyone.

3.  Remote Access

The ability to connect to the Chevron network remotely may be necessary. Keep in mind that this may introduce different information security risks.

Using a GIL computer with a VPN connection is the most secure way to gain remote access. Using a VPN connection allows you to sign into the Chevron network using all the protections you have when you are at a Chevron location. Chevron also provides other remote access solutions that provide much better protection than emailing information to yourself or leveraging unauthorized cloud sharing and storage solutions.

4.  Social Engineering

Social engineering uses tactics to gain the trust of an individual for the purpose of gaining access or gathering information. Social engineers can gather information in many different forms and use small pieces to put together a full picture. This information could be used to just create an annoyance, such as a phone list sold for telemarketing purposes, or it could have more catastrophic effects, such as information used to sabotage our operations and cause dangerous conditions. If contacted for information, you should:

•  Never provide confidential information without first independently verifying the requester’s identity;
•  Stop what you are doing if your instincts tell you that something may be at risk; and
•  Ask your Supervisor, IRM Coordinator, or Global Security Advisor if you are unsure.

C.  Protect Equipment and Systems

While Chevron employs many methods to protect our equipment and systems, such as firewalls, antivirus programs and access controls, those measures are only as strong as the weakest link. People are still Chevron’s best line of defense against risks to our equipment and systems.

1.  Appropriate Use

Excessive personal use is inappropriate and could create information security risks. Inappropriate use of Company IT systems could result in disciplinary action up to, and including, termination, and could subject you to civil and/or criminal liability. You can limit the risk by:

•  Using Company equipment for Company business only.

•  Reading the Appropriate Use Guidelines.
•  Incorporating the guidelines into your work practices and reminding your coworkers to do the same.

2.  Equipment

There are simple steps that you can take every day to protect Chevron’s equipment from vulnerability to information loss or misuse:

•  Always lock access to your computer when you step away from your work area.
•  Ensure your computer is secured in your office by using a cable lock. Use your cable lock when traveling so your laptop can be secured in your hotel room or conference rooms. If you need to obtain a cable lock, contact your local IT support.
•  Minimize transferring data between your personal computer and your work computer, as any movement of information (email, USB storage device, etc.) may introduce a virus.

3.  Mobile Devices

The convenience of mobile devices is that you can take them with you, but the risk of mobile devices is that you can take them with you. The most significant risk related to the loss or theft of a mobile device is not the device, it is the information on the device. Follow these simple steps to protect information when you must take it with you on mobile devices:

•  Use only Company-authorized mobile devices to conduct business and never disable security features, such as encryption.
•  Get familiar with and follow the Guidelines for Personally Owned Mobile Devices.
•  Avoid putting classified or sensitive personal information on mobile devices. If you must put this type of data on a mobile device, it must be encrypted.
•  In order to protect all data, the safest thing to do is encrypt all mobile devices.
    - Click here to learn when to encrypt.
    - Click here to learn how to encrypt and where to get secure mobile devices.
•  Keep all mobile devices in your control or locked in a secure location.
•  If you must use a USB key, scan it prior to use. Click here for simple instructions on how to do this.

4.  Systems

Equipment and mobile devices are not the only things that can pose a risk to Chevron if not protected. Chevron’s systems, including internal networks, shared server drives and email, connect our equipment. If one part of the system is compromised it could quickly spread throughout the network to different computer systems and may lead to a serious information breach.

http://go.chevron.com/appropriateuseguidelines
https://collab001-hou.sp.chevron.net/sites/mobility/Docs/Documents/Personally%20Owned%20Mobile%20Device%20Guidelines.pdf
http://go.chevron.com/encryption
http://go.chevron.com/encryptiontools
https://collab001-hou.sp.chevron.net/sites/GLIRM/IRM%20Web%20Documents/USB_Virus_Scanning_Instructions_GIL_Machines.docx

5.  Internet and Email

Use caution when using the Internet, email, and social media sites. The Internet in general is not the only risky space. Email, especially email hosted outside of Chevron’s network, is another gateway

for threats to be introduced to our equipment and systems. Consult Chevron’s Guidelines for participating in social media.

6.  Malicious Software (Malware)

Malware is used by criminals to cause disruptions to our computer systems or steal information. Whether their motivation is financial gain, competitive advantage, notoriety, or sabotage, the tools they use are a significant threat.

Chevron takes many steps to reduce malware coming into the Chevron network, including:

•  Antivirus programs;
•  Firewalls; and
•  Junk email and spam filters.

Even with these preventive measures, malware still has the potential to enter our network. The most important thing to remember is that those who use Chevron’s computer systems make all the difference in protecting against malware.

We must all be responsible for understanding the ways malware can infiltrate the system and how to respond:

•  Do not open unsolicited emails or click a link in an email, especially if it is unsolicited or from an unknown sender.
•  Avoid using portable storage devices that are not Chevron-approved. If you must, scan the USB key prior to using it.
•  Always accept all GIL updates and let them install. Do not delay your updates and never disrupt the download.
•  Report any suspicious issue to the IT Service Desk or your IP Coordinator. Do not delay and do not try to fix it yourself. Call for help.

III.  POLICIES, PROCESSES, TOOLS AND TRAINING

A key element in achieving compliance is having policies, processes, tools, and training in place that provide for high-level governance, subject matter experts, training and guidance, analysis, and reporting.

A.  Policy and Standards

Policy 575 describes the Company’s policy for the protection of business information and information technology assets. Activities involving the use of these must also be in compliance with Chevron’s Business Conduct and Ethics Code.

Policy 575 is supported by a set of IP standards and technical controls. IRSM coordinates the governance process by which new or revised standards and controls are developed, reviewed, approved, and communicated.

http://go.chevron.com/social
http://itc.chevron.com/support/helpdesk.asp
http://governance.chevron.com/policies.asp?policy=575

  • 8/16/2019 COMP_S11.pdf

    12/16

    MCP&G Section 11: Information Protection – Page 12

    Reporting Units are responsible for providing sufficient resources capable of implementing Policy

    575 and all applicable standards and controls.

    B.  Processes

    IRSM has established an enterprise-wide IP compliance program that advises the Corporation in

    creating policies and standards, and is responsible for communicating the program and

    expectations to the appropriate personnel. The basic components of the IP compliance program

    include:

•  Monitoring, assessing, and interpreting applicable laws, to assess risk to the business information and information technology assets (risk assessment component);

•  Developing and continually improving policy, standards, and compliance procedures (policy, standards, and procedures component);

•  Communicating policy, standards, and procedures to the appropriate personnel (awareness/training component);

•  Advising the appropriate personnel of significant changes to compliance requirements (updating the program component);

•  Reporting and measuring compliance (reporting component); and

•  Reviewing and assisting in resolving issues/incidents of non-compliance (incident response component).

Reporting Units are responsible for adopting these components into their organization’s IP compliance plan. All plans must contain specific processes to inventory business information and information technology assets, conduct risk assessments to identify areas of non-compliance, and implement remediation initiatives. Additionally, it is the responsibility of Reporting Units and Corporate Departments to assess and address any impact of local laws, regulations, and additional risks applicable to local business operations in their plans.

    C.  Tools

To assist the Reporting Units and Corporate Departments in meeting their Information Protection requirements, several tools are available. These tools are designed to help organizations conduct assessments and evaluate compliance. A link to the tools is available on the IRSM website. Additional tools can be found for Intellectual Property Rights, Data Privacy and PCN Security (Process Control Network Security).

    D.  Awareness and Training

The degree of awareness and training requirements depends on the role of the work force and nature of the business operations. Training requirements for various groups are periodically deployed as part of the Corporate Compliance annual compliance training plan.


IRSM is responsible for defining the curriculum for awareness training and for providing an enterprise-level training course suitable for use in all Reporting Units and Corporate Departments. Reporting Units and Corporate Departments are permitted to develop their own training course and program, provided the curriculum is comparable to that developed by IRSM. This may be beneficial if the Reporting Unit and Corporate Departments have local risks and procedures not addressed in sufficient depth in the IRSM awareness training.

Additional training is required for all personnel that have elevated systems and data access privileges, such as employees and contractors with system administrator capabilities. This training provides information that allows personnel with higher-level access privileges to understand the potential additional risks that their privilege levels allow and to make better work and process decisions.

Personnel with responsibility for the design, maintenance or operation of process control systems (including SCADA & Distributed Control Systems) should periodically complete the process control systems training course.

Reporting Units and Corporate Departments are responsible for ensuring those employees, contractors, or other third parties who use or access the Company’s information systems complete all required awareness training. A method for monitoring and tracking training completions must also be established.

    E.  Reporting

Reporting Units and Corporate Departments are required to attest to the effectiveness of their Information Protection compliance processes in their annual Compliance Representation Letter. When preparing the Compliance Representation Letter, several key processes should be assessed to assist in determining the effectiveness of the compliance program. Included among these key processes are:

•  Standards and controls process — having an effective process to access current standards and controls documentation and to identify significant gaps in complying with applicable standards and controls.

•  Compliance plan — having an effective process to develop and implement a plan to prioritize the remediation of compliance gaps based on appropriate criteria including risk, resource availability, and business value.

•  Training and awareness process — having an effective process to develop and/or deploy training and awareness requirements.

•  Self-assessment process — having a process to periodically assess the effectiveness of the most significant elements of your organization’s Information Protection compliance and risk mitigation plan.

Other data that may be useful to consider when preparing your organization’s Compliance Representation Letter includes approved exceptions, training statistics, incident data, SOX compliance results, and audit performance.


    F.  Incident Response and Violations

Incidents involving suspected violations of IP compliance requirements, including applicable laws and regulations, should be reported immediately in accordance with the Chevron Incident Reporting guidelines located on the Incident Reporting Procedures page on the IRSM website. Use of Chevron incident response systems is an acceptable method of reporting near-miss and actual incidents. IRSM gathers information from these sources on a periodic basis to understand the effectiveness of the risk and compliance program.

Employees can also promptly report any incident involving potential violations of law, ethics or Company policy to their management, Corporate Audit, Global Security, the Chief Compliance Officer, or, consistent with applicable law, via the Chevron Hotline.

    IV.  ROLES AND RESPONSIBILITIES

    A.  Chief Technology Officer

The Chief Technology Officer (CTO) will ensure that these Information Protection processes, policies, standards, and procedures are established and maintained. The CTO, with the support and actions of IRSM, is responsible for reporting and measuring Chevron’s compliance with the Information Protection compliance program. Audit results, incident reports, and other measures, as appropriate, are analyzed to help assess the effectiveness of the program. Information Protection is an element of Chevron’s Corporate compliance program and, accordingly, requires management and the CTO to perform an annual assessment of the Information Protection compliance processes throughout the Company.

    B.  Reporting Units

Reporting Units are responsible for establishing Information Protection (IP) Champions and IP Coordinators across the enterprise. Reporting Units are responsible and accountable for their organization’s compliance with Chevron’s policy, standards, and procedures and for ensuring that their IP Champions and Coordinators take into account additional laws and regulations applicable to their business operations.

    C.  Employees

It is the people of Chevron who have the greatest ability to protect our information. All Chevron Corporation employees, contractors and other third parties must understand and abide by the compliance requirements as outlined in this Section of the Manual.


    D.  Information Risk Strategy & Management and Legal

The Information Risk Strategy & Management (IRSM) Division, within the Information Technology Company (ITC), develops and oversees processes designed to provide reasonable assurance of compliance with information protection laws, regulations and the related Chevron policies, standards and procedures. In addition, IRSM, in conjunction with the Corporation Law Department, has the role in these processes to interpret applicable law, incorporate it into the policies, standards, and Corporate procedures, and communicate these to line management having responsibility for compliance with those laws and policies.

    V.  RESOURCES

    A.  Chevron Intranet

IRSM maintains and operates an intranet website that contains information on and materials about the Information Protection program. In addition, a Community of Practice website offers timely useful information, including a discussion forum, for those responsible for information protection, risk assessment, risk mitigation, and compliance activities. Questions about information protection can be sent via email to [email protected]. This email box is monitored by IRSM. For urgent matters, such as to report an information risk incident¹, please follow the incident response process located on the Incident Reporting Procedures page on the IRSM website.

    B.  Subject Matter Experts

IRSM provides subject matter experts on the Information Protection program to assist Reporting Units and Corporate Departments to achieve compliance requirements. IRSM is responsible for establishing the enterprise-wide Information Protection program and for setting the direction and requirements for the program and Information Protection section of the annual representation letter.

    C.  Investigations

For specific investigations, IRSM maintains an IT Forensics organization to assist in properly acquiring electronically stored information and providing forensic analysis. Use this link to visit the home page of the IT Forensics website.

¹ An information risk incident includes, but is not limited to, reporting of computer malware, such as viruses; intrusions or other types of electronic attacks; lost or stolen computer equipment and devices; loss of personal data in paper or electronic form; violations of Chevron’s electronic environment, such as sharing passwords; inappropriate use of Chevron’s electronic environment, such as pornography; a Process Control Network (PCN) Security incident or near miss; a potential Export Compliance issue; intellectual property infringement, such as of patents; possible scams (for example, a suspicious email that “might” be legitimate); and misuse of Chevron’s Corporate brand or identity. Fuller details are available on the incident reporting process website.


    D.  Business Networks

There is an established network of Information Protection Champions and Coordinators, both at the enterprise and the Reporting Unit and Corporate Department level. These Champions and Coordinators have responsibility for ensuring that appropriate Information Protection programs have been implemented in their respective organizations. Information Protection Coordinators are considered subject matter experts, some of whom are also Certified Information Systems Security Professionals (CISSPs).

The Information Protection Coordinators Forum (IPCF) is a network comprised of Information Protection Coordinators from Reporting Units, Corporate Departments, technical subject matter experts, Internal Audit and other interested parties, who meet regularly to coordinate and share information protection ideas, review compliance activities, share best practices, and stay apprised of current and future risks relating to information protection. Meeting dates, agendas, and presentation materials as well as a list of participants are available via a link on the IRSM website and on the Community of Practice website. IRSM also utilizes the resources of the IRSM Leadership Council, a grouping of Coordinators representing the major Operating Companies.

    E.  Audit

Corporate Audit provides information protection audit services. Internal Audit uses and shares compliance verification tools with the Information Protection program and also provides assessment services for specific areas of focus, or upon request.

    F.  Standards Tools

The Information Protection program utilizes two tools to help manage the inventory of standards and exceptions to those standards: Chevron Information Risk Standards (CIRS)² and Chevron Exception Tool (CET)³. Descriptions of and access to these and other tools are available through the IRSM website.

Reporting Units and Corporate Departments needing compliance assistance have several tools available to help conduct risk assessments, calculate risk, and evaluate Information Protection compliance. IRSM also provides tools to automate some of the required tasks and makes available in many forms the standards and controls to be used by system and data custodians.

² Chevron Information Risk Standards is a repository of the approved IRSM policies, standards, and technical controls.

³ The Chevron Exception Tool provides a means for the Business Units to request, seek approval for, and lodge an exception to a CIRS standard or control.
