Task 1 - System Security
Summary
Security relates to the security and operability of the eTRM application as well as the data contained in the eTRM. Security will be particularly important if the eTRM houses any Personally Identifiable Information (PII).
Ensuring the security of the eTRM and eTRM data has several elements, including, but not limited to: (1) External certification (SOC 2), (2) “Defense in Depth” – multiple layers of security protection for the system and data, (3) Requirements and guidelines that are regularly monitored and enforced to ensure ongoing security, (4) Regular third-party review of system security, including but not limited to penetration testing, and (5) Breach and restore plans so that if the application and/or data is compromised, the intrusion and any resulting damage are addressed and restored within a reasonable time frame.
Important Note: The discussion and recommendations in this document should be read as best practices and may be modified or superseded by any security policies, standards, or certifications (e.g., SOC 2) being actively implemented by the organization administering the eTRM.
Discussion
Security Requirements & Best Practices
eTRM Role Requirements
| Contributor | Security Policy Requirement |
|---|---|
| eTRM Administrator | SOC 2 Certification or Equivalent Security Standard |
| Code Developers | SOC 2 Certification or Equivalent Security Standard |
| Measure Developers | Authorized Security Policy Agreement |
| Measure Contributors | Authorized Security Policy Agreement |
External certifications & security policies
eTRM Administrator
Organizations that administer the eTRM must have SOC 2 certification or an equivalent compliance standard. The eTRM must have a security assessment at least annually from an organization that is independent of the administrator of the eTRM and of any organizations or individuals who develop code for the eTRM. Note that the organization currently administering the eTRM, Future Energy Enterprises, has achieved SOC 2 certification (as of July 2025).
eTRM Code Developers
Organizations who develop code must be compliant with requirements contained in the “Secure Development Policy” (below). When code is developed externally, the eTRM administrator will encourage organizations developing code for the eTRM to have SOC 2 or equivalent certification.
eTRM Measure Developers or Organizations Who Upload Information to the eTRM
Organizations who develop or update Measures for the eTRM shall be compliant with requirements contained in the “Third-Party Management Policy” (below). Organizations who develop data and/or information that is uploaded to the eTRM are not required to have SOC 2 or equivalent certification.
Security policy agreement
To ensure that eTRM and its stakeholders are protected from cybersecurity threats, eTRM Measure Developers and Measure Contributors will be required to agree that their organization has implemented an appropriate level of security policies and procedures. Users who access the eTRM but do not upload any information will not be required to authorize the agreement.
Security Policies & Procedures
The minimum policies that must be in place for any organization that either develops code or uploads data into the eTRM are the following. Specific requirements that must be included in each policy are described further below:
Ensuring Security of Physical Assets and Confidential Data
Asset Management Policy: To prevent unauthorized disclosure, modification, removal or destruction of information stored in media.
Data Management Policy: To ensure information is classified, protected, retained and securely disposed of in accordance with its importance to the organization.
Ensuring Effective Security Behaviors by People and Organizations Who Have Access to eTRM
Human Resources Policy: To ensure that employees, contractors and third-party entities understand their security responsibilities and abide by them.
Third Party Management Policy: To ensure protection of eTRM data and assets that are shared with, accessible to, or managed by suppliers.
Information Security Policy: To communicate information security policies and outline the acceptable use and protection of Cal TF information and assets.
Ensuring Security During Code Development
Secure Development Policy: Security practices when developing or updating code within the development lifecycle for applications and information systems.
Incident Response Management
Information Security Roles and Responsibility Policy: Establishes roles and responsibilities for managing security incidents.
Incident Response Plan Policy: The plan for managing information security incidents and events.
Security Policies & Procedures - Overview
Ensuring Security of Physical Assets and Confidential Data
Asset Management Policy Goal: To prevent unauthorized disclosure, modification, removal or destruction of information stored in media.
All personnel must immediately report the loss of any information systems.
All employees and third-party users of equipment shall return all the organizational assets within their possession upon termination of their employment, contract, or agreement.
Excepting employee-issued devices, no company computer equipment or devices may be moved or taken off-site without appropriate authorization from management.
Data Management Policy Goal: To ensure information is classified, protected, retained and securely disposed of in accordance with its importance to the organization.
Organization devices and media that store or process confidential data shall be securely disposed of when no longer needed. Data must be erased prior to disposal or re-use, using approved technology to ensure data is not recoverable. Alternatively, a Certificate of Destruction (COD) must be obtained for devices destroyed by a third-party service.
Access to highly sensitive data is restricted to specific employees or departments, and these records can only be passed to others with approval from the data owner, or a company executive.
Access to proprietary information is restricted to employees with a “need-to-know” based on organization requirements. This data can only be distributed outside the organization with approval.
Ensuring Effective Security Behaviors by People and Organizations Who Have Access to the eTRM
Human Resources Policy Goal: To ensure that employees, contractors and third-party entities understand their security responsibilities and abide by them.
Management shall ensure that information security responsibilities are communicated to individuals, through written job descriptions, policies or some other documented method which is accurately updated and maintained.
All employees and third parties with administrative or privileged technical access to production systems and networks shall complete security awareness training at the time of hire and annually thereafter.
Information security leaders and managers shall ensure appropriate professional development occurs to understand current threats and trends in the security landscape. Security leaders and key stakeholders shall attend training, obtain and maintain relevant certifications, and maintain memberships in industry groups as appropriate.
Third Party Management Policy Goal: To ensure protection of eTRM data and eTRM assets that are shared with, accessible to, or managed by suppliers.
Information security requirements shall be established and agreed upon with each supplier that may access, process, store, transmit, or impact the security of Confidential data and systems.
For all service providers who may access production systems, or who may impact the security of the production environment, written agreements shall be maintained that include the service provider's acknowledgment of their responsibilities for the confidentiality of company and customer data.
The organization will consider and assess risk associated with suppliers and the technology supply chain. Where warranted, agreements with suppliers shall include requirements to address the relevant information security risks associated with information and communications technology services and the product supply chain.
Information Security Policy Goal: To communicate information security policies and outline the acceptable use and protection of eTRM information and assets.
All users are required to report known or suspected security events or incidents, including policy violations, and observed security weaknesses.
System-level and user-level passwords must comply with accepted password management best practices. Providing access to another individual, either deliberately or through failure to secure a device, is prohibited.
All remote access to organization assets must originate from approved and authorized devices.
Under no circumstances is an eTRM user authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing eTRM resources.
Ensuring Security During Code Development
Secure Development Policy Goals: To outline security practices when developing or updating code within the development lifecycle for applications and information systems.
All eTRM software is version controlled and synced between contributors (developers). Access to the central repository is restricted based on a contributor’s role. All code is written, tested, and saved in a local repository before being synced to the origin repository.
When operating platforms are changed, mission-critical applications shall be reviewed and tested to ensure that there is no adverse impact on organizational operations or security.
eTRM Administrator shall supervise and monitor the activity of outsourced system development. Outsourced development shall adhere to all eTRM standards and policies.
Testing of security functionality shall be performed at defined periods during the development life cycle. No code shall be deployed to production systems without documented, successful test results and evidence of security remediation activities.
Customer data shall not be used for testing purposes unless the customer identity is anonymized.
Software developers shall be provided with secure development training appropriate to their role at least annually.
Software developers are expected to adhere to coding standards throughout the development cycle, including Secure-by-Design and Privacy-by-Design Principles.
| Secure-by-Design Principles | Privacy-by-Design Principles |
|---|---|
|
|
Incident Response Management
Information Security Roles and Responsibility Policy Goal: To establish roles and responsibilities for managing security incidents.
Incident Response Plan Policy Goal: To outline the plan for managing information security incidents and events.
If an eTRM employee, contractor, user, or customer becomes aware of an information security event or incident, possible incident, imminent incident, unauthorized access, policy violation, security weakness, or suspicious activity, then they shall immediately report the information to the eTRM administrator.
Reporters should act as a good witness and behave as if they are reporting a crime.
All reported security events, incidents, and response activities shall be documented and adequately protected.
For critical issues, the response team will follow an iterative response process designed to investigate, contain exploitation, eradicate the threat, recover systems and services, remediate vulnerabilities, and document a post-mortem report including the lessons learned from the incident.
Issues where the malicious actor is an internal employee, contractor, vendor, or partner require sensitive handling.
Legal and executive staff shall determine any immediate or long-term mitigations or remedial actions that need to be taken as a result of an incident or breach. In the event that mitigations or remedial actions are needed, executive staff shall direct personnel with respect to planning, communicating and executing those activities.
Monitoring, Enforcement & Penetration Testing
Effective Monitoring
Effective security monitoring involves continuously observing and analyzing an organization's network, systems, and data to detect and respond to security threats.
The eTRM administrator organization shall ensure comprehensive security monitoring is in place, either internally or by an external third party.
Penetration Testing
A penetration test is a simulated attack conducted by third-party security experts that helps identify network, system, and application vulnerabilities.
Penetration tests shall be conducted by a third party at least once a year. Following a penetration test, the eTRM administrator organization shall implement solutions offered by an auditor to minimize vulnerabilities.
Recommendations
Funders
To ensure the eTRM administrator can monitor and enforce adequate security, funding allocation must include funding for:
Appropriate security certification (SOC 2 or equivalent) and maintenance.
Annual security analysis and testing.
Developing, updating and monitoring policies and practices of all entities who engage with the eTRM.
Incident response and the resolution of cybersecurity issues, including preventative practices.
eTRM Administrator
To ensure the eTRM is securely managed and protected from cybersecurity incidents, the Administrator must:
Maintain required security certification (e.g., SOC 2) and standards.
Annually review and update security policies and practices.
Implement annual penetration testing, continuous monitoring, and security analysis of organization vulnerabilities.
Maintain up-to-date documentation, including administrator documentation, user guides and eTRM roadmap.
Ensure that all third parties have adequate security policies and practices in place before they are allowed to develop code for or upload information into the eTRM.
Note: The meaning of “adequate” security policies and practices will differ depending on how the third party engages with, uses and/or develops code for the eTRM.
Implement whitelisting for USA-based Measure Developer accounts to block unauthorized users.
eTRM Code Developers
To ensure code for the eTRM is securely developed, eTRM Code Developers must:
Implement and enforce Secure Development Policies to ensure code is generated in compliance with industry security standards.
Promote security as an integral part of code development, rather than an afterthought.
Implement Secure-by-Design and Privacy-by-Design code development principles.
eTRM Measure Developers
To ensure measures developed for the eTRM are accurate and secure, Measure Developers should:
Enable Multi-Factor Authentication for accounts accessing the eTRM.
Complete annual security practice training before accessing the eTRM.
