1.0 Approval and Review
This policy has been reviewed by the Information Technology, Human Resources, Safety & Risk Management and the appropriate member of the General Counsel’s office, consistent with Ameresco, Inc.’s internal practices.
2.0 Purpose
Ameresco, Inc. (hereinafter referred to as the “company”) has adopted the information security guidelines of the National Institute of Standards and Technology (NIST) “Framework for Improving Critical Infrastructure Cybersecurity” (hereafter referred to as the “NIST CSF”), which requires protections against data leaks, including controls over user activity prescribed in formal agreements. To meet this requirement, the company has implemented the “Information Technology – Acceptable Use Policy” (see Section 5.0) and the accompanying “Acceptable Use Agreement” (see Attachment A), which assist in meeting the goals of:
- Adequately protecting the safe and secure handling of sensitive information that the company entrusts employees with;
- Reducing the potential of security breaches and other security risks posed by users of the company’s Information Technology (IT) resources and information systems (IS);
- Complying with the intent of US federal, state, local, and non-US country/regional mandates, which includes the protection of Controlled Unclassified Information (CUI) under the Defense Federal Acquisition Regulation Supplement (DFARS), and other laws, rules, and regulations stipulated in other company policies and standards; and
- Ensuring the highest levels of ethical and legal conduct by all the company’s employees and its contractors in relation to using the company’s IT resources and IS for company-related business and responding to client needs courteously and efficiently.
This Information Technology – Acceptable Use Policy document describes security controls associated with user responsibilities and certain expectations of behavior for following basic security tenets and applying the company’s policies, plans, standards, procedures, and guidelines, by both privileged and general users within the organization.
The “Acceptable Use Agreement” ensures that users have read the Information Technology – Acceptable Use Policy and other company policies and standards, will abide by the requirements and guidelines contained therein, and understand that any non-compliance could result in administrative/punitive actions.
3.0 Scope
It is often the case that different standards apply to internal and external users, as well as to privileged and general user types. Internal users are employees of the company, including its contractors, who can be either privileged or general users. External users are anyone else who has authorized access to a system that the company owns and who is not an employee or contractor. External users might be clients (customers), partners, or potential prospects who, for example, have been issued temporary accounts.
The scope of this document includes all users of the company IT and IS resources.
4.0 Requirements
4.1 General
Company employees and contractors who have access to the company’s networks must acknowledge this Policy within the Ameresco compliance tools. When the company provisions an account for contractors, including privileged/management accounts, it is the sponsoring manager’s responsibility to ensure that whoever they request an account for complies with this Policy and signs the Acceptable Use Agreement.
The company’s employees and contractors are advised that they have no reasonable expectation of privacy in the use of the company IT resources, IS, and hosted environments and that any use thereof is subject to monitoring by the company’s IT Department and its Managed Security Services Provider (MSSP).
The Policy presented in this document highlights requirements from several laws, policies, and best practices. This Policy and the Acceptable Use Agreement establish the expected and acceptable computing behaviors of all the company’s employees and contractors. Because written guidance cannot cover every contingency, users are asked to use sound judgment and the highest ethical standards in their decision making.
4.2 Non-Official Use
All employees and contractors may ONLY use company-provided computer assets for business purposes, except as set forth in the company’s Mobile Device Policy and in accordance with Section 5.10 of this Policy, which governs the use of personally owned computing devices for business purposes.
5.0 Acceptable Use Policy
Users, whether employees or contractors, entrusted with access to the company IT resources and IS, must comply with each of the following requirements:
5.1 Identification and Authentication
Purpose: To minimize the risk of loss or exposure of sensitive information that can be attributed to unauthorized access to the company IS operating systems, applications, and databases. Users will:
- Maintain the confidentiality of login identification (ID) associated with passwords, tokens, PIN codes, etc.;
- Never write down, share with others, electronically store (other than in the company’s authorized password manager service), or otherwise record or reveal login IDs and passwords for any reason;
- Create authenticators (e.g., passwords, passphrases, PIN codes) that meet the complexity and length requirements dictated by the system and follow current guidelines and procedures for the IS;
- Change password/PIN code when directed to do so by the IS and when compromise is suspected;
- Utilize Multifactor Authentication (MFA, 2FA) as required for all users;
- Agree to statements contained in the company’s security banner, which may be presented when logging into networks, devices, applications, and components, prior to performing any authorized functions;
- Follow proper logon and logoff procedures: (i) manually log on to sessions; (ii) never store any password locally on the system or utilize any automated logon capabilities; and (iii) promptly log off when operating system and/or application session access is no longer needed; and
- Lock active user sessions (network and applications) when leaving the immediate vicinity of the device.
5.2 Access Control
Purpose: To minimize the risk of loss or exposure of sensitive information that can be attributed to access misuse, unauthorized access, or excessive privileges of the company IS operating systems, applications, and databases. Users will:
- Never use privileged access to perform non-privileged functions (e.g., using administrator access to read normal user email, browse the Internet, download software, etc.);
- Ensure that access to the company’s IS operating systems, applications, and databases is assigned based on direct manager’s and resource owner’s approvals;
- Ensure that access to sensitive information entered into the company’s IS is restricted to only those persons with a documented “need-to-know” that is based on assigned duties and background checks;
- Notify direct manager if access to system resources exceeds that which is required to perform assigned duties;
- Coordinate requests for changes to access requirements and access parameters with direct manager/resource owner and ensure that any changes follow approved change control processes using the approved and applicable access request system/form from the help desk;
- Only use the data for which authorization has been formally granted;
- Only use approved, company-controlled software and methods for remotely connecting to the company’s network; and
- Never retrieve and/or transfer information from the company’s IS or use any other form of the company electronic data exchange, on behalf of someone who does not have authority to access that information.
5.3 Application and Information Protection
Purpose: To minimize the risk of loss or exposure of sensitive information that can be attributed to user activities and lack of proper control and to reduce technical, operational, and management risks that could cause harm to the company’s IT resources, information, IS, and personnel. Users will:
- Never install software onto any system that has not been authorized. Only designated personnel are authorized to load authorized software after receipt and review of a help desk ticket request;
- Never store company, partner, client, or associated entity information on a system or component that is not a company authorized platform;
- Comply with copyright and site licenses of commercial and proprietary software in accordance with vendor end user license agreements (EULA) and other company licensing agreements;
- Process only data that pertains to official company business and is authorized to be processed on the system (application, database, etc.);
- Adhere to any special requirements for accessing, protecting, and utilizing data, including privacy data requirements, copyright requirements, and procurement of sensitive data; and
- Ensure “official electronic records” (including attachments) are saved/printed, stored, and retained according to the company’s practices concerning records retention and applicable contractual obligations.
5.3.1 AI and Data Management
- Users working with AI should be trained in AI responsible use, ethics, data sensitivity, data classification, data risk management & protection, and safety;
- Users may not make decisions or use data created by AI without the user’s independent review;
- Company data used in AI searches or AI tools must first be labeled and classified through the company’s Data Classification and Labeling Process;
- AI-driven systems may not be deployed without adequate testing, validation, and authorization by the IT Department;
- Users may not use AI that compromises safety, regulatory or company compliance; and
- Users may not use AI to:
- generate or disseminate disinformation;
- create deepfakes or impersonations;
- conduct surveillance or profiling.
5.4 Cybersecurity Incidents
Purpose: To minimize the risk of loss or exposure of sensitive information that can be attributed to unmitigated cybersecurity incidents and to reduce technical, operational, and management risks that could cause harm to the company’s IT resources, information, IS, and personnel. Users will:
- Report all cybersecurity incidents, or suspected incidents, to the IT Department via the help desk or in accordance with service provider instructions. Note: cybersecurity incidents include incidents caused by internal or external persons through either intentional or accidental actions and may include those that are the result of natural causes;
- Understand that cybersecurity incidents involving IT resources, information, and IS include, but are not limited to:
- Breach or loss of Personally Identifiable Information (PII);
- Breach or loss of the company sensitive information via the network;
- Copyright violation;
- Criminal activity;
- Denial of service;
- Lost or stolen company resources;
- Lost, stolen, or misplaced company sensitive information;
- Malicious code activity (e.g., virus, worm, trojan, spyware);
- Phishing email;
- Policy violation;
- Reconnaissance activity;
- Rogue service or device accessed through or connected to the company network;
- Spam email;
- Unauthorized access (physical or network);
- Un-patched vulnerability; and
- Website defacement.
- Discontinue the use of any system resources that show signs of being infected by a virus or other malicious software or code and report the suspected incident in accordance with current procedures.
5.5 Physical Security
Purpose: To minimize the risk of loss or exposure of sensitive information and assets that can be attributed to unauthorized physical access. Users will:
- Report to their supervisor any attempts to gain unauthorized access in accordance with current facility physical security procedures;
- Never allow an unauthorized person (whether an employee, contractor, or other known person) to gain access to company-controlled areas;
- Prevent tailgating, in which an unauthorized visitor gains access by entering right behind an authorized person. All unauthorized visitors must be directed to where visitor access is managed;
- Ensure authorized visitors are always escorted by the visited employee within the company facilities;
- Ensure non-authorized personnel or visitors are not allowed within company-controlled areas containing IT resources and sensitive information without prior approval from the proper department manager;
- Ensure that facility security procedures for authorized visitors are adhered to at all times when persons are within company-controlled areas containing IT resources and information;
- Ensure visitors sign logs that are in use at facilities and within segmented areas;
- Keep track of all assigned IT devices and information and make sure they are secured from unauthorized access;
- Never leave mobile devices (e.g., laptops and phones) unsecured; and
- Never plug unauthorized devices into network jacks or any communication ports on computing devices or allow others to do so without formal approvals.
5.6 Travel
Purpose: To minimize the risk of loss or exposure of sensitive information when the company IS users are traveling, especially to designated high-risk areas. When travelling, Users will:
- Never leave mobile devices (e.g., laptops and phones) unsecured in automobiles, hotel rooms, conference rooms, etc.;
- Utilize a safe or lockable file cabinet, when available, to secure devices and documents when leaving working spaces for long periods of time, and only when the key or combination is restricted to the person issued and in possession of the company IT asset;
- Prevent unauthorized persons from viewing the screen or printed output of the company sensitive documents or sensitive email;
- Ensure computing devices have all available updates for operating system and applications applied by the IT Department prior to traveling;
- Remove any unneeded/unnecessary data from mobile computing devices (e.g., laptops, notebooks, smartphones, etc.) prior to traveling;
- Ensure passwords and PIN codes are changed prior to and after traveling to high-risk locations;
- Obtain specially issued computing devices (when required), from the IT Department, when traveling on business to high-risk locations. Follow directions by the IT Department on not taking the company IT resources to high-risk locations. Return all temporary computing devices following travel so that the IT Department can check for malicious content and then safely transfer any files created or obtained during travel; and
- Obtain a pre-travel approval from the IT Department via an international service request at least two business days prior to traveling with the company IT resources to locations outside the company’s official operating countries.
5.7 Security Training
Purpose: To ensure the company’s IS users maintain a high level of IT security/cybersecurity education and awareness to support the protection of sensitive information and reduce technical, operational, and management risks that could cause harm to the company’s IT resources, information, and IS caused by attackers and malicious insiders. Users will:
- Participate in and complete all security awareness and privacy training(s) and associated activities that are assigned, and ensure full comprehension of the trainings assigned; and
- Supervisors should ensure training assignments are completed in a timely manner.
5.8 Internet Usage
Purpose: To minimize the risk of loss or exposure of sensitive information that can be attributed to user access to Internet services and to reduce the risk of acquiring malware infections that could cause harm to the company’s IT resources, information, and IS. Users will:
- Never proceed to an unsecure web site with a revoked or expired security certificate;
- Ensure that all transactions managed over a secure web session (Hypertext Transfer Protocol (Secure), or HTTPS) are valid prior to using and/or logging into web-based applications;
- Ensure that the web browser window, and any other instance or tab, is closed after logging out of any secure Internet session before proceeding to other sites or domains;
- Avoid clicking on links on pages that are not known to be safe; and
- Never install web browser toolbars or unauthorized extensions, or reconfigure browsers to execute unauthorized code.
5.9 Email and Electronic Messaging
Purpose: To minimize the risk of loss or exposure of sensitive information that can be attributed to user email and messaging services and to reduce the risk of acquiring malware infections that could cause harm to the company’s IT resources, information, and IS. Users will:
- Use company email and electronic messaging for authorized business purposes only;
- Never respond to Spam or Phishing email messages;
- Never respond to, click on links in, or open attachments from emails unless you have verified the sender and content;
- Never configure the company email client software to forward the company email to any non-company external email account, to include personal email accounts or any partner’s, or client’s email services;
- Never configure personal email accounts, or any other non-company email system, to forward to the company corporate email account(s). Note: there are no exceptions to this requirement;
- Ensure that personally owned devices used to access the company email servers (e.g., Outlook Web Access (OWA)) are configured with a strong password, Personal Identification Number (PIN) code, and/or biometric authentication to gain access to the device;
- Clearly and accurately indicate who is being represented in electronic communications. Pretending to be someone else when sending/receiving messages will result in disciplinary action;
- Be considerate when sending attachments via email. Consider whether a file may be too large to be accommodated by the recipient’s system, may be in a format unreadable by the recipient, or may contain a computer virus, macros, or other inappropriate content;
- Only “Reply-to-All” in email when necessary. Do not make “Reply-to-All” a default action on replies to emails received. Excessive use of “Reply-to-All” results in unnecessary use of network resources and additional costs to the company. The result of this may also be an email response to someone who should not be part of the conversation or result in loss of productivity;
- Never send sensitive information over email unless encryption is used;
- Report spam or phishing email as indicated by IT process; and
- Ensure that email signatures adhere to the following guidelines:
- Meet company branding standards;
- Adopt company assigned signature template(s); and
- Personal quotes, unauthorized graphics or messages that are not related to business are prohibited.
5.10 Devices and Telecommuting
Purpose: To minimize the risk of loss or exposure of sensitive information that can be attributed to unauthorized access to the company IS operating systems, applications, and databases. Users will understand the Acceptable Use Policy while telecommuting.
5.10.1 Company Equipment
Unless the use of personal equipment is permitted under 5.10.2, only company-provided equipment should be used for business use, and it may only be used by the authorized user. Company-provided equipment has been built to integrate with the company’s security services and is monitored at all times.
5.10.2 Personal Equipment
The use of personal equipment is restricted. Personal equipment can never connect to the company network. Access to the company web applications from personal equipment is allowed but is restricted and has limited capabilities. Smart phones and tablets can be used to access company applications such as communication systems and other business functions in accordance with security policies determined by the IT Department.
5.10.3 Device Management and Use
When using devices to access company systems, Users will:
- Operate and configure devices in accordance with this policy;
- Ensure that devices, such as smartphones, used to access company email are capable of being remotely wiped in the case of a lost device;
- Ensure devices are configured to require a password, PIN code, and/or biometric authentication to gain access;
- Never knowingly connect company mobile devices to non-company computers, peripheral devices, or other mobile devices;
- Synchronize only the mobile device content and file/object types that fulfill a legitimate business purpose;
- Never circumvent or reverse the disk encryption on the company mobile devices to render the contents unencrypted;
- Never write down or reveal the code used to unlock the disk encryption of mobile devices that allows the operating system to start;
- Never “jailbreak” any mobile devices. To jailbreak a mobile device is to remove the limitations imposed by the manufacturer or the company. This gives access to the operating system, thereby unlocking all its features and enabling the installation of unauthorized software;
- Never load pirated software or illegal content onto devices;
- Abide by all “Internet Usage” section requirements when using mobile device browsers;
- Ensure loaded applications on devices are kept up-to-date;
- If any device is lost, stolen, or otherwise removed from the user’s control, the user will be responsible for reporting this to the IT department immediately;
- Not download or otherwise store company sensitive information on their personal devices or personal services such as cloud storage;
- Ensure the security, integrity, and confidentiality of sensitive information; and
- Refer to the “Travel” section for devices pre- and post-travel requirements.
5.11 Removable Media
Purpose: To minimize the risk of loss or exposure of sensitive information that can be attributed to misuse of removable media and to reduce the risk of acquiring malware infections that could cause harm to the company’s IT resources, information, and IS. Users will:
- Not use removable media unless authorized for business purposes;
- Never allow removable media (e.g., Universal Serial Bus (USB) drives, mobile devices, smartphones, music players, digital video discs (DVDs), compact discs (CDs), etc.) that do not belong to the company to be connected to any company-owned computing devices;
- Never allow the company owned removable media to be connected to, or used in, computing devices that are not owned or leased by the company without authorization;
- Limit the quantity of the company information/data that is written to removable media (if authorized for use) to only that which is necessary to perform a business function; and
- Never store sensitive information on removable media unless required in the performance of assigned duties and ensure data is always encrypted on removable media.
5.12 Clean Desk / Clear Screen
Purpose: To minimize the risk of loss or exposure of sensitive information left unattended on desks, work surfaces, whiteboards and displays. Users will:
- “Lock” or “log off” their computers when their workspace is unattended;
- Not change the system default that auto-locks the device after a 15-minute period of inactivity;
- Remove all sensitive information from the desk, white-boards, and workspaces or lock in a drawer or file cabinet when the work area is unattended and at the end of the workday;
- Lock file cabinets containing sensitive information when not in use or when not attended; and
- Not leave keys used to access sensitive information at an unattended work area.
5.13 Printing and Facsimile (Fax)
Purpose: To minimize the risk of loss or exposure of sensitive information that can be attributed to user access to the company printing and facsimile (fax) devices. Users will:
- Limit the number of documents printed or faxed to only that which is required and never use the company printing, scanning or Fax devices for personal use;
- Dispose of paper copies of sensitive documents in approved and marked destruction bins and the company approved high-security shredding devices;
- Ensure that sensitive information sent to a fax or printer is handled in a secure manner and never left unattended; and
- Ensure that printed copies of sensitive information (e.g., Personally Identifiable Information (PII), Company Confidential, Intellectual Property (IP), Proprietary, etc.) are irretrievably destroyed after they are no longer needed, commensurate with the sensitivity of the data and in accordance with current procedures.
5.14 Encryption
Purpose: To minimize the risk of loss or exposure of sensitive information that can be attributed to users storing files or transmitting them via electronic means. Users will:
- Use only approved encryption applications on company-owned IT devices, acquired and installed by the IT Department, for protecting files stored on network drive shares, emails/email attachments, or other electronic communication methods;
- Ensure that sensitive company information is marked and protected against unauthorized access using encryption, in accordance with current procedures, when transmitting/transferring data via electronic means (telecommunications networks, Internet, e-mail, and/or fax); and
- Never store or send, or otherwise allow an association to exist between the encryption key and the encrypted file or encrypted electronic communication/attachment for which it provides protection.
5.15 Hardware
Purpose: To minimize the risk of loss or exposure of sensitive information or injection of vulnerable devices that can be attributed to unauthorized hardware or hardware changes and to reduce the risk of acquiring malware infections that could cause harm to the company IT resources, information, and IS. Users will:
- Never add additional hardware or peripheral devices to any company IT device or IS without prior approval by the IT Department. Note: only designated personnel can direct the installation of hardware, following current procedures. IT Department approval is not required to:
- Add/Remove a company network printing/multi-function device to a personal computer (PC);
- Plug a company mobile phone into a company issued PC; and
- Add a PC keyboard and/or mouse [Screens?] through Bluetooth connection or by plugging in the associated USB transceiver or direct USB cable.
- Never reconfigure hardware or software on any company IT devices, systems, networks, or interfaces without prior approval. Note: only designated personnel can direct the configuration of hardware, following current procedures; and
- Never remove IT resources, other than assigned company laptops and associated peripherals (keyboard/mouse), from the facility without prior written approval. IT resources may only be removed from the company facilities for authorized official use.
5.16 Wired/Wireless Connectivity
Purpose: To minimize the risk of loss or exposure of sensitive information or injection of vulnerable devices that can be attributed to unauthorized wireless system and network connections and to reduce the risk of acquiring malware infections. Users will:
On company premises:
- Never install a wireless access point (WAP) or hotspot on the company network;
- Never introduce devices that may interfere with WAP signals (e.g., cordless phones, microwave ovens, cameras, light ballasts, etc.) without prior coordination with the IT Department. Any device found to interfere with wireless signals will be confiscated and/or removed from the company premises; and
- Ensure the guest wireless system is only used by approved guests for authorized purposes. Note: the company employees are expressly prohibited from using the guest wireless access without explicit approval from the IT Department.
Off company premises, such as when telecommuting:
- Working from home, a hotel, and/or public establishments for the purposes of authorized business continuity events or as an authorized Teleworking/Telecommuting arrangement is authorized for business purposes and should follow best practices, including properly secured Internet access;
- Connecting to a customer’s on-premises connectivity must be approved by the customer and be for authorized business purposes; and
- Users must adhere to all company and customer policies.
5.17 Prohibited Activities
Company users are prohibited from performing the following activities when accessing and using the company IT resources:
- Participating in or operating online gambling or lotteries;
- Managing a personal business, whether for profit or not;
- Using company resources for personal entertainment purposes that impact corporate resources or hinder job performance;
- Obtaining any company proprietary information, intellectual property, trade secret, or otherwise sensitive company or personnel information/data, or that of any of the company’s partners, clients, or associated entities, for the purpose of industrial espionage, terrorism, personal gain, coercion, blackmail, or other unethical, nefarious, or illegal purposes;
- Sending, receiving, or posting materials, or enticing or soliciting others to do so on their behalf, that are abusive, obscene, pornographic, sexually oriented, threatening, harassing, perceived as bullying, damaging to another’s reputation, religious, political, racist or are otherwise illegal and/or unethical;
- Maliciously harming or destroying any equipment or data belonging to the company, its partners, clients, or associated entities, or the data of another user, or allowing such harm to occur through neglect or inaction;
- Deliberately attempting to degrade or disrupt system performance of the company’s IT resources or that of any other entity;
- Downloading to, uploading from, or creating computer viruses or other malicious code to the company’s IT resources, any hosted environments, or that of any other entity;
- Participating in chat rooms, newsgroups, or social networking sites unless doing so is an assigned duty relevant to the company business;
- Installing, accessing, or using Banned Software or Online platforms on any device issued by the company or any personal device used for business-related activities. This ban extends to all company-owned devices, including smartphones, tablets, laptops, and desktop computers, as well as personal devices used for work purposes, irrespective of the operating system or platform;
- Engaging in activities that would, or could potentially, reflect negatively on the company, its employees, partners, clients, or affiliated entities; and
- Engaging in any other unlawful or unethical activities not previously mentioned.
6.0 Accountability
All personnel subject to this Policy are accountable to the company’s CEO for complying with this Policy.
7.0 Monitoring Activities
The company’s authorized Security Operations reserves the right to monitor the activities of all users subject to this Policy and to report all violations to the company’s management.
8.0 Review Cycle
This Policy will be reviewed annually and as dictated by the results of risk assessments and when changes occur to applicable Policies.
9.0 Enforcement
This policy will be enforced by the company management. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment or business contract. Where illegal activities or theft of the company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.
10.0 Waivers
While some of the policies contained in this document must be strictly adhered to and no exceptions can be allowed, in other cases exceptions may be appropriate. Any employee, contractor or consultant who believes that a waiver of any of these policies is appropriate in their case should first contact their immediate supervisor. If the supervisor agrees that a waiver is appropriate, the approval of the company’s Head of IT must be obtained. The Company’s Head of IT shall be responsible for maintaining a record of all requests by employee, contractor, or consultant for waivers of any of these policies and the disposition of such requests.
Appendix I – Terms
| Term | Meaning |
|---|---|
| Access Control | Any mechanism by which a system grants or revokes the right to access some data or perform some action. |
| Artificial Intelligence (AI) | Artificial intelligence (AI) is technology that enables computers and machines to simulate human learning, comprehension, problem solving, decision-making, creativity and autonomy. |
| AUP | Acceptable Use Policy |
| Authentication | Any process by which a system verifies the identity of a user who wishes to access it. |
| Authorized | Approved by the company for business purposes, or approved by the company because it does not hinder any user’s job performance. |
| Banned Software or Online platforms | Refers to software or online platforms that are prohibited or restricted from use by the company, regulations, industry, or agencies. These restrictions may be enforced for various reasons, such as security concerns, legal compliance, or organizational policies. |
| Biometric | Refers to authentication techniques that rely on a user’s measurable physical characteristics that can be automatically checked. |
| Confidential | For your eyes only; limited to authorized individuals. |
| Credential | Usually consisting of a User ID and password but may also include combinations of electronic certificates, tokens, biometrics, PIN codes, or personal questions. |
| Cybersecurity | The state of being protected against unauthorized computer systems and/or network activities, unauthorized use of electronic data, or the measures taken to achieve this. |
| Cybersecurity Incident | An incident is the act of violating an explicit or implied security policy, including: attempts (either failed or successful) to gain unauthorized access to a system or its data; unwanted disruption or denial of service; the unauthorized use of a system for the processing or storage of data; and changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent. |
| Data Classification | The company has defined Data Classifications as: Restricted, Confidential, and Public. Restricted: data should be classified as Restricted when the unauthorized disclosure, alteration, or destruction of that data could cause a significant level of risk to Ameresco. |
| Data Labeling | Data Labeling is the action to apply the specific label to your information. |
| Encryption | The process of encoding messages or information in such a way that only authorized parties can read it. Encryption does not of itself prevent interception but denies the message content to the interceptor. |
| General User | The individual who will be using an IT product or service and generally assumed to have limited capabilities on the computing system resources. |
| Hyper Text Transfer Protocol (HTTP) | The foundation of data communication for the World Wide Web that consists of structured text and uses logical links (hyperlinks) between nodes containing text. The secure version (HTTPS) utilizes encryption to ensure the confidentiality and integrity of communication sessions. |
| Information System (IS) | A computer system or set of components for collecting, creating, storing, processing, and distributing information, typically including hardware and software, system users, and the data itself. |
| Information Technology (IT) | The technology involving the development, maintenance, and use of computer systems, software, and networks for the processing and distribution of data. |
| Mobile Application Management (MAM) | Manages the provisioning and use of mobile applications and data on your mobile device; policy may limit your use or movement of data. |
| NIST | National Institute of Standards and Technology of America |
| NIST CSF | NIST Cybersecurity Framework |
| Official Electronic Record | Information created or received electronically in the transaction of business and maintained as evidence in pursuit of legal and/or regulatory obligations. |
| Operating System (OS) | The software that supports a computer’s basic functions, such as scheduling tasks, executing applications, and controlling peripherals. |
| Password | A secret word or phrase that must be used in combination with an identifier to gain admission to an information system or network component. |
| Personal Identification Number (PIN) | A numerical series allocated to an individual, or created by an individual as a secret code, and used to validate electronic transactions, to gain access to devices or applications, or used in combination with an identifier to gain admission to an information system or component. |
| Privileged User | The user of an IS who has more authority and access than a general user and that is authorized (and, therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. |
| Proprietary | Also known as a “trade secret,” this is information the company wishes to keep confidential and can include secret formulas, processes, and methods used in production. |
| Removable Media | Any type of storage device that can be removed from a computer while the system is running. Examples of removable media include CDs, DVDs and Blu-Ray disks, as well as diskettes and USB drives. Removable media makes it easy for a user to move data from one computer to another. |
| Sensitive Information | Information that can be either tangible or intangible and of a technical, business, personal, or other nature that requires protection from exposure to unauthorized persons and entities, whether or not it is kept from external parties or selectively released to those outside the organization. Sensitive information includes, but is not limited to- |
| Spam (email) | Also known as junk email or unsolicited bulk email (UBE), is a subset of electronic spam involving nearly identical messages sent to numerous recipients by email. |
| Telecommuting | The ability to perform business activities outside the company’s premises such as a home or on the road on business travel. Telecommuting may not be appropriate for all job roles. |
| Company | Ameresco, Inc. and all Ameresco subsidiaries. |
| Token (security) | A small hardware device or secure software program which the owner carries to authorize access to a network or network service. The device or application may be in the form of a smart card or may be embedded/installed in a commonly used object such as a key fob or smartphone. Security tokens provide an extra level of assurance through a method known as two-factor authentication. |
| User Identification (User ID) | A unique set of typed characters, usually following a standard format, and given to a user for use in combination with an authenticator for accessing a specific IS operating system, application, database, or Internet resource. |
| Virtual Private Network (VPN) | A network that is constructed by using public wires – usually the Internet – and VPN software and hardware to connect to a private network, such as a company’s internal network. |
| Wireless Access Point (WAP) | A networking hardware device, with radio transmitting and receiving technology, which allows wireless devices to connect to a wired network using standard wireless communication protocols. |
