-
The following IT security policies are in place, reviewed annually, and implemented across the
ESE's corporation, with officer-level approval:
-
An Information Security Policy
-
Acceptable Use Policy
-
Business Continuity Policy
-
Disaster Recovery Policy
-
Vendor Risk Management Policy
-
Risk Assessment Policy
-
An Incident Response Procedure is implemented that includes notification to the utility within 48 hours
of knowledge of a potential incident when Eversource's Confidential Customer Utility Information (CCUI)
is potentially exposed, or of any other potential security breach.
-
Role-based access controls (least privileged access) are used to restrict system access to authorized
users, limited on a need-to-know basis.
-
Multi-factor authentication (MFA) is used for all remote administrative access, including, but not
limited to, access to production environments.
-
All production systems are properly maintained and updated to include security patches on a periodic
basis. Where a critical alert is raised, time is of the essence, and patches will be applied as soon as
practicable.
-
Antivirus software is installed on all servers and workstations and is maintained with up-to-date
signatures.
-
All Confidential Customer Utility Information is encrypted in transit utilizing industry best practice
encryption methods, except that Confidential Information does not need to be encrypted during email
communications.
-
A Non-Disclosure Agreement (NDA) that includes restrictions stated for the employment term, as well as
for when employees/contractors are terminated, will be signed by all employees with access to CCUI.
-
All Confidential Customer Utility Information (CCUI) is secured or encrypted at rest utilizing industry
best practice encryption methods or is otherwise physically secured.
-
CCUI is not commingled with other companies' data.
-
It is prohibited to store Confidential Customer Utility Information (CCUI) on any mobile forms of
storage media, including, but not limited to, laptop PCs, mobile phones, portable backup storage media,
and external hard drives, unless the storage media or data is encrypted.
-
All Confidential Customer Utility Information (CCUI) is stored in the United States or Canada only,
including, but not limited to, cloud storage environments and data management services.
-
Your company monitors its network for anomalous cyber activity, and alerts on it, on a 24/7 basis.
-
Security awareness training is provided to all personnel, including contractors, with access to
Eversource's Confidential Customer Utility Information (CCUI).
-
Employee background screening occurs prior to granting employees access to Confidential Customer Utility
Information (CCUI).
-
Replication of Confidential Customer Utility Information (CCUI) to non-company assets, systems, or
locations is prohibited.
-
Access to Confidential Customer Utility Information (CCUI) is revoked when no longer required, or if
employees separate from the Third Party.
-
Your company maintains an up-to-date SOC II Type 2 Audit Report from a third party on an annual basis,
or other security controls audit report.
-
The company does not operate or manufacture in any countries of interest (Russia, China, North Korea,
and Iran).
-
Eversource data will not be shared with or used within any generative AI platform/tool in any way.
-
Your company has Cyber Insurance.
-
Your company has been in business for more than 5 years.
NDA Statement Terms and Conditions
I agree to treat as confidential all information that will be received from Eversource Energy while participating in the Green Button platform, to use this information solely for the purpose of evaluation and analysis, not to disclose any of the data to any third party, and not to make it publicly available or accessible.