
Manual of Compliance Procedures and Guidelines

SECTION 11. INFORMATION PROTECTION


Revised July 1, 2013
Overview
Chevron's business information and information technology assets are essential to the success of
our business, and not following Chevron Information Protection policies could damage our
business. Information risks are real and the consequences are significant. The people of Chevron
have the greatest ability to protect our information. All Chevron Corporation employees,
contractors, and other third parties must understand and abide by the compliance requirements as
outlined in this Section of the Manual of Compliance Procedures and Guidelines (MCP&G).
The goal of the Information Protection (IP) compliance program is to ensure the confidentiality,
integrity, and availability of Chevron's business information and information technology assets in a
manner consistent with risk and business value.
Business information includes digital and/or electronic data, as well as printed (hard-copy) data
and information. We also consider photographs, illustrations, recordings, diagrams, and other forms
of content and media as business information.
Information technology assets process, store, and transmit business information. This includes
business applications (whether licensed, purchased, or internally developed) and the Company's
telecommunications and computing infrastructure. Additional examples of information technology
assets include:

- Computers, servers, and network devices;
- Smart phones and tablets;
- Storage devices such as USB memory devices, external hard drives, CD-ROMs, and DVDs; and
- Process control systems, including Supervisory Control and Data Acquisition (SCADA) systems
  and Distributed Control Systems (DCS).

The examples above are intended to be a guide, not an all-inclusive list of business information and
information technology assets.
Every employee must understand and fully comply with three core areas of the IP compliance
program. Failure to do so may result in disciplinary action up to and including termination:

Protect Information
- Classify, retain, and limit access to information based on its classification;
- Protect intellectual property;
- Retain or dispose of records;

MCP&G Section 11: Information Protection Page 1

- Process and protect personal data in accordance with applicable laws and Company-approved
  procedures; and
- Ensure goods, information, and devices we use to transport information meet export
  compliance laws.
Protect Access
- Manage access to information;
- Keep control and confidentiality of unique identifiers (CAI), SmartBadge, PIN, and
  passwords;
- Use the most secure way to gain remote access to the Chevron network; and
- Stop social engineering attacks by not providing confidential information without first
  independently verifying the requester's identity.
Protect Equipment and Systems
- Appropriately use equipment and systems, and limit personal use;
- Lock access to your computer when not in front of it and ensure it is physically secured;
- Encrypt all mobile devices that have Company classified or sensitive personal information;
- Use caution when using the Internet, email, and social media sites; and
- Understand the ways malicious software (malware) can infiltrate our systems and how to
  respond to it.

Related processing and protecting personal data requirements are fully discussed in MCP&G
Section 9, Data Privacy.
The Information Risk Strategy & Management (IRSM) organization, within the Information
Technology Company (ITC), develops and oversees the enterprise IP compliance program designed
to comply with IP laws, regulations, and related Chevron policies, standards, and procedures. With
the advice of the Corporate Law Function, IRSM helps interpret applicable law, incorporate it into
Chevron's policies, standards, and procedures, and communicate these to personnel having
responsibility for IP compliance within their organizations.
IP Champions and Coordinators are responsible for ensuring that an appropriate IP compliance
program, including a strong evergreen component, is implemented in their respective
organizations. These plans should include the components of the enterprise IP program and, in
addition, take into consideration local laws, regulations, and additional risks specific to the
organization. IP Champions and Coordinators must regularly manage compliance with the IP
policies, standards, and procedures, and perform periodic internal or external audits to assess
effectiveness.
Reporting Units are responsible and accountable for their organization's compliance with Chevron's
policy, standards, and procedures and for ensuring that their IP Champions and Coordinators take
into account additional laws and regulations applicable to their business operations. The Law
Function and IRSM are available to serve as resources to assist local compliance efforts.


Incidents involving suspected violations of IP compliance requirements, including applicable laws
and regulations, should be reported immediately in accordance with the Chevron Incident
Reporting guidelines located on the Incident Reporting Procedures page on the IRSM website.
Employees can also promptly report any incident involving potential violations of law, ethics, or
Company policy to their management, Corporate Audit, Global Security, the Chief Compliance
Officer or, consistent with applicable law, via the Chevron Hotline.


TABLE OF CONTENTS
I.   INTRODUCTION ..... 5
II.  GUIDELINES ..... 5
     A. Protect Information ..... 6
     B. Protect Access ..... 8
     C. Protect Equipment and Systems ..... 9
III. POLICIES, PROCESSES, TOOLS AND TRAINING ..... 11
     A. Policy and Standards ..... 11
     B. Processes ..... 12
     C. Tools ..... 12
     D. Awareness and Training ..... 12
     E. Reporting ..... 13
     F. Incident Response and Violations ..... 14
IV.  ROLES AND RESPONSIBILITIES ..... 14
     A. Chief Technology Officer ..... 14
     B. Reporting Units ..... 14
     C. Employees ..... 14
     D. Information Risk Strategy & Management and Legal ..... 15
V.   RESOURCES ..... 15
     A. Chevron Intranet ..... 15
     B. Subject Matter Experts ..... 15
     C. Investigations ..... 15
     D. Business Networks ..... 16
     E. Audit ..... 16
     F. Standards Tools ..... 16


I. INTRODUCTION

The use of information and information technology is fundamental to Chevron's business and
success. Rapid advances in technology and its use within Chevron continue to enhance the
Company's ability to deliver superior performance and achieve business objectives. Effective
management of the risks to which Chevron's business information and information technology
assets are subject will help optimize their business value. Information Protection (IP) is the
proactive management of risks to the confidentiality, integrity, or availability of the Company's
business information and information technology assets.
Chevron's ability to succeed at managing these risks is based on meeting core business capability
requirements, such as:

- Enabling Chevron business by improving support for third parties and by balancing risk, business
  value, and costs;
- Protecting Chevron systems from both legacy and emerging threats and attacks;
- Securing emerging environments or technologies that Chevron is using or anticipates using;
- Managing the security implications of the influx of the millennial generation into the
  workforce; and
- Meeting regulatory requirements.

Chevron uses a risk-based information security process to identify, prioritize, and mitigate cyber risk.
Some examples of our top current and emerging business risks include:

- Process control network: a breach of process control systems in Chevron facilities.
- Joint venture and third-party access: unauthorized and inappropriate access to data for their
  job role.
- Data leakage: unauthorized, unlawful, or unintended access to data.
- Encryption: leakage of sensitive data.
- Espionage: malicious theft of information.
- Mobile computing: non-Chevron devices inappropriately accessing Company data.
- Cloud computing: confidentiality or data integrity breaches, or loss of availability of IT systems.

II. GUIDELINES
Chevron takes steps to prevent loss and reduce risks by developing policies, processes, and
technologies and communicating those requirements and capabilities through training and other
awareness methods. You are responsible for becoming familiar with the areas highlighted in these
guidelines as you play a key role in protecting our information. Beyond protecting our business, it is
important to remember that failure to comply with Chevron's policies, including those related to
information, could result in disciplinary action up to, and including, termination, and could subject
you to civil and/or criminal liability.


A. Protect Information

All information created, produced, received, or used in the course of Chevron's business is
Chevron's property, unless that ownership is limited by law, agreement, or disclaimer. While
Chevron owns the information, the individuals working for Chevron and creating the
information are responsible for managing it or ensuring that it is being managed appropriately
(storage, use, access, and disposal). If you create information, you are responsible for what
happens to it, either on your own or by assigning it to the appropriate parties. The following
topics discuss information management policies and laws that everyone is responsible for
understanding.
1. Information Classification

You are responsible for using information appropriately and minimizing the information security
risks to information. This includes classifying your information and managing access to that
information. Since everyone at Chevron uses information in some form, everyone is responsible
for classifying the information they work with and managing it in a way that corresponds with
that classification.
Four confidentiality classifications indicate information sensitivity and who should have access
to the information. These are:

- Public: non-sensitive information that is intended or available for release to the public.
- Company Confidential: Company information available within the Company to those with a
  business need for the access.
- Confidential-Restricted Access: for disclosure and use only by those with a specific legitimate
  business need for access.
- Classified: the most sensitive business information and data.

While you are not expected to memorize all confidentiality definitions, you should be able to:

- Recognize the general nature of the information you handle; and
- Use resources when you are unsure how to handle information. Use the Confidentiality
  Definitions.

Basic tips for managing your information must be followed:

- Label;
- Protect (manage access, encryption);
- Follow policies and standards when sharing; and
- Dispose of per Chevron's retention rules for records and other information.


2. Intellectual Property Rights

Intellectual property is the product of human intellect and creativity that is legally protected and
has commercial value. It consists of new and novel inventions, products, services, processes, and
images (intellectual property assets) that are protected by trade secret, patent, copyright, and
trademark law.
Carefully protecting intellectual property of all parties means we can continue to use internally
developed or acquired technology without threat of legal actions that could slow or stop our
operations. To ensure compliance:

- Identify trade secrets you work with and how to protect them. Remember, intellectual
  property, such as trade secrets, patents, details of negotiations or acquisitions and mergers,
  could be a target of corporate espionage.
- Understand that incorrectly sharing intellectual property, especially when shared beyond
  Chevron, could compromise or result in the loss of our Intellectual Property Rights.
- Ask your Information Risk Management (IRM) Coordinator or Intellectual Property Manager if
  you are unsure about how to handle information.
- Assume that all information is copyrighted and get permission to use it. Never distribute
  copyrighted materials without permission. Rather than copying and pasting information you
  find online, you may link to a website or article.
- Never download and use software unless a valid license agreement has been obtained that has
  had prior business approval and legal approval as required by our policies.

3. Records
Some types of intellectual property or information discussed previously may also be classified as a
record. Records have legal implications and they must be retained or disposed of based on legally
determined schedules.
The Chevron Retention Schedule defines what is considered a record, the length of time each type
of record must be retained, and when it can be disposed of. Actions for handling records include:

- Review the retention information, training, and the U.S. Region Records Retention
  Schedule.
- For non-U.S. Chevron locations, please contact your Records Coordinator for your local
  Retention Schedule guidelines and practices.
- Ask your Supervisor if you are handling records in your job.
- Know who to contact as your organization's Records Coordinator by viewing the Records
  Coordinators list.

4. Data Privacy
Another type of information that must be closely guarded is personal data. This is covered in
MCP&G Section 9, Data Privacy.


5. Export Compliance
Just like all other goods, information and the devices we use to transport information are subject to
export compliance laws. These laws are in place around the world to protect national security,
promote foreign policy, prevent terrorism and protect short supplies. Failure to follow export laws
could result in:

- Heavy fines;
- Limitation of Chevron's export privileges;
- Civil and criminal penalties for individuals and for Chevron;
- Negative publicity; and
- Exposure of business and personal information, including intellectual property (such as
  trade secrets) and employee-sensitive personal information (such as health records).

What you should do:

- Be aware of when an export is taking place.
- Before leaving a country with information or computing devices, check with your Business
  Unit's Export Compliance Officer to ensure you are in compliance with country laws and not
  putting Chevron's information at risk.
- Understand that failure to comply could lead to actions up to and including termination.
  Individuals could also face legal action.
- For more information on Export Compliance, visit the Law Department site.

The export of goods, technology, software, or services is covered in more detail in MCP&G
Section 6.II.B.i., International Trade.
B. Protect Access
The ability to share information with the right people and partners provides significant value to
Chevron. Recognizing when not to share and recognizing situations that may result in unintentional
sharing of information are also important.
1. Information Management and Permissions
Organizations and individuals have the responsibility to define who has the ability to view and use
information. The organization of your information can affect the complexity or simplicity of
managing access and should be considered when designing an information management plan. For
example, large data repositories should not be shared when the risk profile suggests that only
targeted information should be shared. Those authorizing access are responsible for understanding
both the contents and appropriateness of granting access.


2. Access Keys
Two-factor authentication controls access to most Chevron systems; it requires something
you have (SmartBadge) and something you know (PIN). Some systems rely on a unique identifier
such as your CAI (Chevron Account Identifier) and a password. Your SmartBadge also doubles as the
facility access badge. Keeping control of what you have and keeping secret what you know to access
Chevron systems is everyone's responsibility.
3. Remote Access
The ability to connect to the Chevron network remotely may be necessary. Keep in mind that this
may introduce different information security risks.
Using a GIL computer with a VPN connection is the most secure way to gain remote access. Using a
VPN connection allows you to sign into the Chevron network using all the protections you have
when you are at a Chevron location. Chevron also provides other remote access solutions that
provide much better protection than emailing information to yourself or leveraging unauthorized
cloud sharing and storage solutions.
4. Social Engineering
Social engineering uses tactics to gain the trust of an individual for the purpose of gaining access or
gathering information. Social engineers can gather information in many different forms and use
small pieces to put together a full picture. This information could be used to just create an
annoyance, such as a phone list sold for telemarketing purposes, or it could have more catastrophic
effects, such as information used to sabotage our operations and cause dangerous conditions. If
contacted for information, you should:

- Never provide confidential information without first independently verifying the requester's
  identity;
- Stop what you are doing if your instincts tell you that something may be at risk; and
- Ask your Supervisor, IRM Coordinator, or Global Security Advisor if you are unsure.

C. Protect Equipment and Systems

While Chevron employs many methods to protect our equipment and systems, such as firewalls,
antivirus programs and access controls, those measures are only as strong as the weakest link.
People are still Chevrons best line of defense against risks to our equipment and systems.
1. Appropriate Use
Excessive personal use is inappropriate and could create information security risks. Inappropriate
use of Company IT systems could result in disciplinary action up to, and including, termination, and
could subject you to civil and/or criminal liability. You can limit the risk by:

- Using Company equipment for Company business only.
- Reading the Appropriate Use Guidelines.
- Incorporating the guidelines into your work practices and reminding your coworkers to do the
  same.

2. Equipment
There are simple steps that you can take every day to protect Chevron's equipment from
information loss or misuse:

- Always lock access to your computer when you step away from your work area.
- Ensure your computer is secured in your office by using a cable lock. Use your cable lock when
  traveling so your laptop can be secured in your hotel room or conference rooms. If you need to
  obtain a cable lock, contact your local IT support.
- Minimize transferring data between your personal computer and your work computer, as any
  movement of information (email, USB storage device, etc.) may introduce a virus.

3. Mobile Devices
The convenience of mobile devices is that you can take them with you, but the risk of mobile
devices is that you can take them with you. The most significant risk related to the loss or theft of a
mobile device is not the device, it is the information on the device. Follow these simple steps to
protect information when you must take it with you on mobile devices:

- Use only Company-authorized mobile devices to conduct business and never disable security
  features, such as encryption.
- Get familiar with and follow the Guidelines for Personally Owned Mobile Devices.
- Avoid putting classified or sensitive personal information on mobile devices. If you must put this
  type of data on a mobile device, it must be encrypted.
- In order to protect all data, the safest thing to do is encrypt all mobile devices.
- Click here to learn when to encrypt.
- Click here to learn how to encrypt and where to get secure mobile devices.
- Keep all mobile devices in your control or locked in a secure location.
- If you must use a USB key, scan it prior to use. Click here for simple instructions on how to do
  this.

4. Systems
Equipment and mobile devices are not the only things that can pose a risk to Chevron if not
protected. Chevron's systems, including internal networks, shared server drives, and email, connect
our equipment. If one part of the system is compromised, it could quickly spread throughout the
network to different computer systems and may lead to a serious information breach.
5. Internet and Email
Use caution when using the Internet, email, and social media sites. The Internet in general is not the
only risky space. Email, especially email hosted outside of Chevron's network, is another gateway
for threats to be introduced to our equipment and systems. Consult Chevron's Guidelines for
participating in social media.
6. Malicious Software (Malware)
Malware is used by criminals to cause disruptions to our computer systems or steal information.
Whether their motivation is financial gain, competitive advantage, notoriety, or sabotage, the tools
they use are a significant threat.
Chevron takes many steps to reduce malware coming into the Chevron network, including:

Antivirus programs;
Firewalls; and
Junk email and spam filters.

Even with these preventive measures, malware still has the potential to enter our network. The
most important thing to remember is that those who use Chevrons computer systems make all the
difference in protecting against malware.
We must all be responsible for understanding the ways malware can infiltrate the system and how
to respond:

- Do not open unsolicited emails or click links in an email, especially if it is unsolicited or from an
  unknown sender.
- Avoid using portable storage devices that are not Chevron-approved. If you must, scan the USB
  key prior to using it.
- Always accept all GIL updates and let them install. Do not delay your updates and never disrupt
  the download.
- Report any suspicious issue to the IT Service Desk or your IP Coordinator. Do not delay and do
  not try to fix it yourself. Call for help.

III. POLICIES, PROCESSES, TOOLS AND TRAINING

A key element in achieving compliance is having policies, processes, tools, and training in place that
provide for high-level governance, subject matter experts, training and guidance, analysis, and
reporting.
A. Policy and Standards
Policy 575 describes the Company's policy for the protection of business information and
information technology assets. Activities involving the use of these must also be in compliance with
Chevrons Business Conduct and Ethics Code.
Policy 575 is supported by a set of IP standards and technical controls. IRSM coordinates the
governance process by which new or revised standards and controls are developed, reviewed,
approved, and communicated.


Reporting Units are responsible for providing sufficient resources capable of implementing Policy
575 and all applicable standards and controls.
B. Processes
IRSM has established an enterprise-wide IP compliance program that advises the Corporation in
creating policies and standards, and is responsible for communicating the program and
expectations to the appropriate personnel. The basic components of the IP compliance program
include:

Monitoring, assessing, and interpreting applicable laws, to assess risk to the business
information and information technology assets (risk assessment component);
Developing and continually improving policy, standards, and compliance procedures (policy,
standards, and procedures component);
Communicating policy, standards, and procedures to the appropriate personnel
(awareness/training component);
Advising the appropriate personnel of significant changes to compliance requirements
(updating the program component);
Reporting and measuring compliance (reporting component); and
Reviewing and assisting in resolving issues/incidents of non-compliance (incident response
component).

Reporting Units are responsible for adopting these components into their organization's IP
compliance plan. All plans must contain specific processes to inventory business information and
information technology assets, conduct risk assessments to identify areas of non-compliance, and
implement remediation initiatives. Additionally, it is the responsibility of Reporting Units and
Corporate Departments to assess and address any impact of local laws, regulations, and additional
risks applicable to local business operations in their plans.
C. Tools
To assist the Reporting Units and Corporate Departments in meeting their Information Protection
requirements, several tools are available. These tools are designed to help organizations conduct
assessments and evaluate compliance. A link to the tools is available on the IRSM website.
Additional tools can be found for Intellectual Property Rights, Data Privacy and PCN Security
(Process Control Network Security).
D. Awareness and Training
The degree of awareness and training requirements depends on the role of the work force and
nature of the business operations. Training requirements for various groups are periodically
deployed as part of the Corporate Compliance annual compliance training plan.


IRSM is responsible for defining the curriculum for awareness training and for providing an
enterprise-level training course suitable for use in all Reporting Units and Corporate Departments.
Reporting Units and Corporate Departments are permitted to develop their own training course and
program, provided the curriculum is comparable to that developed by IRSM. This may be beneficial
if the Reporting Units and Corporate Departments have local risks and procedures not
addressed in sufficient depth in the IRSM awareness training.
Additional training is required for all personnel that have elevated systems and data access
privileges, such as employees and contractors with system administrator capabilities. This training
provides information that allows personnel with higher-level access privileges to understand the
potential additional risks that their privilege levels allow and to make better work and process
decisions.
Personnel with responsibility for the design, maintenance or operation of process control systems
(including SCADA & Distributed Control Systems) should periodically complete the process control
systems training course.
Reporting Units and Corporate Departments are responsible for ensuring those employees,
contractors, or other third parties who use or access the Companys information systems complete
all required awareness training. A method for monitoring and tracking training completions must
also be established.
E. Reporting
Reporting Units and Corporate Departments are required to attest to the effectiveness of their
Information Protection compliance processes in their annual Compliance Representation Letter.
When preparing the Compliance Representation Letter, several key processes should be assessed to
assist in determining the effectiveness of the compliance program. Included among these key
processes are:

- Standards and controls process: having an effective process to access current standards and
  controls documentation and to identify significant gaps in complying with applicable standards
  and controls.
- Compliance plan: having an effective process to develop and implement a plan to prioritize
  the remediation of compliance gaps based on appropriate criteria, including risk, resource
  availability, and business value.
- Training and awareness process: having an effective process to develop and/or deploy
  training and awareness requirements.
- Self-assessment process: having a process to periodically assess the effectiveness of the most
  significant elements of your organization's Information Protection compliance and risk
  mitigation plan.

Other data that may be useful to consider when preparing your organization's Compliance
Representation Letter includes approved exceptions, training statistics, incident data, SOX
compliance results, and audit performance.


F. Incident Response and Violations

Incidents involving suspected violations of IP compliance requirements, including applicable laws
and regulations, should be reported immediately in accordance with the Chevron Incident
Reporting guidelines located on the Incident Reporting Procedures page on the IRSM website. Use
of Chevron incident response systems is an acceptable method of reporting near-miss and actual
incidents. IRSM gathers information from these sources on a periodic basis to understand the
effectiveness of the risk and compliance program.
Employees can also promptly report any incident involving potential violations of law, ethics or
Company policy to their management, Corporate Audit, Global Security, the Chief Compliance
Officer, or, consistent with applicable law, via the Chevron Hotline.
IV. ROLES AND RESPONSIBILITIES
A. Chief Technology Officer
The Chief Technology Officer (CTO) will ensure that these Information Protection processes,
policies, standards, and procedures are established and maintained. The CTO, with the support and
actions of IRSM, is responsible for reporting and measuring Chevron's compliance with the
Information Protection compliance program. Audit results, incident reports, and other measures, as
appropriate, are analyzed to help assess the effectiveness of the program. Information Protection is
an element of Chevron's Corporate compliance program and, accordingly, requires management
and the CTO to perform an annual assessment of the Information Protection compliance processes
throughout the Company.
B. Reporting Units
Reporting Units are responsible for establishing Information Protection (IP) Champions and IP
Coordinators across the enterprise. Reporting Units are responsible and accountable for their
organization's compliance with Chevron's policy, standards, and procedures, and for ensuring that
their IP Champions and Coordinators take into account any additional laws and regulations applicable to
their business operations.
C. Employees
It is the people of Chevron who have the greatest ability to protect our information. All Chevron
Corporation employees, contractors, and other third parties must understand and abide by the
compliance requirements as outlined in this Section of the Manual.


D. Information Risk Strategy & Management and Legal
The Information Risk Strategy & Management (IRSM) Division, within the Information Technology
Company (ITC), develops and oversees processes designed to provide reasonable assurance of
compliance with information protection laws and regulations and the related Chevron policies,
standards, and procedures. In addition, IRSM, in conjunction with the Corporation Law Department,
is responsible within these processes for interpreting applicable law, incorporating it into the policies,
standards, and Corporate procedures, and communicating these to the line management
responsible for compliance with those laws and policies.
V. RESOURCES
A. Chevron Intranet
IRSM maintains and operates an intranet website that contains information on and materials about
the Information Protection program. In addition, a Community of Practice website offers timely,
useful information, including a discussion forum, for those responsible for information protection,
risk assessment, risk mitigation, and compliance activities. Questions about information protection
can be sent via email to InfoRisk@chevron.com. This email box is monitored by IRSM. For urgent
matters, such as reporting an information risk incident [1], follow the incident response process
located on the Incident Reporting Procedures page of the IRSM website.
B. Subject Matter Experts
IRSM provides subject matter experts on the Information Protection program to assist Reporting
Units and Corporate Departments in meeting compliance requirements. IRSM is responsible for
establishing the enterprise-wide Information Protection program and for setting the direction and
requirements for the program and for the Information Protection section of the annual representation
letter.
C. Investigations
For specific investigations, IRSM maintains an IT Forensics organization to assist in properly
acquiring electronically stored information and providing forensic analysis. Further details are
available on the IT Forensics website.

[1] An information risk incident includes, but is not limited to: computer malware, such as viruses;
intrusions or other types of electronic attacks; lost or stolen computer equipment and devices; loss of
personal data in paper or electronic form; violations of Chevron's electronic environment, such as sharing
passwords; inappropriate use of Chevron's electronic environment, such as pornography; a Process Control
Network (PCN) security incident or near miss; a potential Export Compliance issue; intellectual property
infringement, such as of patents; possible scams (for example, a suspicious email that might be legitimate);
and misuse of Chevron's Corporate brand or identity. Fuller details are available on the incident reporting process
website.

D. Business Networks
There is an established network of Information Protection Champions and Coordinators, both at the
enterprise level and at the Reporting Unit and Corporate Department level. These Champions and
Coordinators are responsible for ensuring that appropriate Information Protection programs
have been implemented in their respective organizations. Information Protection Coordinators are
considered subject matter experts, some of whom are also Certified Information Systems Security
Professionals (CISSPs).
The Information Protection Coordinators Forum (IPCF) is a network composed of Information
Protection Coordinators from Reporting Units and Corporate Departments, technical subject matter
experts, Internal Audit, and other interested parties, who meet regularly to coordinate and share
information protection ideas, review compliance activities, share best practices, and stay apprised
of current and future risks relating to information protection. Meeting dates, agendas, and
presentation materials, as well as a list of participants, are available via a link on the IRSM website
and on the Community of Practice website. IRSM also utilizes the resources of the IRSM Leadership
Council, a group of Coordinators representing the major Operating Companies.
E. Audit
Corporate Audit provides information protection audit services. Internal Audit uses and shares
compliance verification tools with the Information Protection program and also provides
assessment services for specific areas of focus or upon request.
F. Standards Tools
The Information Protection program utilizes two tools to help manage the inventory of standards
and exceptions to those standards: Chevron Information Risk Standards (CIRS) [2] and the Chevron
Exception Tool (CET) [3]. Descriptions of and access to these and other tools are available through the
IRSM website.
Reporting Units and Corporate Departments needing compliance assistance have several tools
available to help conduct risk assessments, calculate risk, and evaluate Information Protection
compliance. IRSM also provides tools to automate some of the required tasks and makes the
standards and controls to be used by system and data custodians available in several forms.

[2] Chevron Information Risk Standards is a repository of the approved IRSM policies, standards, and technical
controls.
[3] The Chevron Exception Tool provides a means for the Business Units to request, seek approval for, and lodge an
exception to a CIRS standard or control.