Privacy Statement

This system is made available by the Energy Facilities Contractors Group Cybersecurity Working Group (EFCOG CSWG). Neither the EFCOG CSWG, nor any agency thereof, nor any of their employees or subcontractors, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the EFCOG CSWG, or any agency thereof. The views and opinions of originators expressed herein do not necessarily state or reflect those of the EFCOG CSWG, or any agency thereof.

Privacy Notice

EFCOGCSWG.ORG utilizes web measurement technology in order to improve our website and provide a better user experience. This is classified as a Tier 2 usage, since we are utilizing a multi-session web measurement technology that does not collect any personally identifiable information (PII).  This technology anonymously tracks how visitors interact with EFCOGCSWG.ORG, including where they came from, what they did on the site, and whether they completed any pre-determined tasks while on the site.

This technology is provided by Google Analytics and the information collected is used to optimize our website; helping us determine top tasks, improve our user interface and diversify our content offerings to meet the needs of our customers. No personally identifiable information is collected, so the anonymity of the end user is protected.  The measurement data that is collected is only retained for as long as is needed for proper analysis and optimization of the website and is accessible only to employees whose position necessitates it.

Since disabling this web measurement technology requires modifying individual browser settings it is enabled by default. If you wish to opt-out, you can change security settings to opt-out. Google also provides a browser plug-in that will allow you to opt-out of all Google Analytics measurements, which you can find http://tools.google.com/dlpage/gaoptout. Please note that opting-out in no way affects your access to content within EFCOGCSWG.ORG or how you see the site.

EFCOGCSWG.ORG is committed to expanding the national conversation on cybersecurity issues and upholding the open principles of transparency, participation and collaboration. One of the key ways we seek to accomplish this is through the use of third-party social media websites and applications. We do not collect or request personally identifiable information through these outlets, but may occasionally come into contact with unsolicited PII due to circumstances beyond our control. As a result, we reserve the right to moderate or remove comments that offer personally identifiable information such as address, phone number or social security number in a public manner. No PII will be retained in our system or shared with outside parties.

Comments Sent by E-Mail

You may choose to provide us with personal information, as in an e-mail message containing your comments or questions. We use this information to improve our service to you or to respond to your request. There are times when your message is forwarded, as e-mail, to other EFCOG representatives or Federal sponsors who may be better able to help you.

Security Notice

EFCOG CSWG uses software programs to monitor this web site for security purposes to ensure it remains available to all users and to protect information in the system. By accessing this web site, you are expressly consenting to these monitoring activities.

Unauthorized attempts to defeat or circumvent security features, to use the system for other than intended purposes, to deny service to authorized users, to access, obtain, alter, damage, or destroy information, or otherwise to interfere with the system or its operation is prohibited. Evidence of such acts may be disclosed to law enforcement authorities and result in criminal prosecution under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act of 1996, codified at section 1030 of Title 18 of the United States Code, or other applicable criminal laws.

Notice of Automatic Collection of Information and Persistent Multi-Session Measurement on Website

Some websites use the technology called a cookie.   A cookie is a small file that a website transfers to your computer to allow it to remember specific information about your session while you are connected.  There are two types of cookies used on some websites, session cookies and persistent cookies. Session cookies last only as long as your Web browser is open. Once you close your browser, the cookie disappears.

Persistent cookies are stored on your computer so the website that placed them there can recognize and remember when you return and keep track of which pages on their website you visit. This type of cookie will remain on your hard drive until it reaches its expiration date or is deleted by you.

To learn more about how to disable cookies in your browser click here: http://www.us-cert.gov/reading_room/securing_browser/#how_to_secure.

Privacy Policy for Email Updates

EFCOG CSWG maintains a list of subscribers who have asked to receive periodic email updates. Any recipient of an EFCOG CSWG email may request to be removed from email lists via emailing [email protected].  We do not sell, rent, exchange, or otherwise disclose our list subscribers to persons or organizations outside of the EFCOG or EFCOG Federal Sponsors. 

Messages sent from EFCOG CSWG to email subscribers may include a tracking pixel to provide basic aggregate analytics, such as the percentage of recipients who opened an email or clicked on a link in an email. As a matter of policy and practice, this data is only viewed on an aggregate basis.

If You Send Us An Email Or A Forms Request

If you choose to provide us with personal information as in an email to one of our online email boxes, or by filling out a form, with your personal information and submitting it to us through our website, we use that information to respond to your message and to help us get you the information you have requested. We do not collect personal information for any purpose other than to respond to you.  We collect personally identifiable information (name, email address, or other unique identifier) only if specifically and knowingly provided by you. We only share the information you give us with EFCOG personnel with a specific role in communicating with you or with EFCOG Federal Sponsors for metrics purposes.  We do not collect information for commercial marketing.

Links to Other Sites

Our web site may at times contain links to other sites.  We also link to other organizations’ web sites when we have a good business reason to do so. This does not constitute an endorsement of their policies or products. Once you link to another site, you are subject to the privacy policy of the new site.

Vulnerability Disclosure Policy (VDP)

The EFCOG CSWG is committed to ensuring the security of the public by safeguarding their digital information. The Vulnerability Disclosure Policy (VDP) provides guidelines for the cybersecurity community and members of the general public on conducting good faith vulnerability discovery activities directed at public facing EFCOG CSWG websites and services. The VDP also instructs the public on how to submit discovered vulnerabilities to the EFCOG CSWG cybersecurity team.

Vulnerability Disclosure Policy (VDP) Guidelines

1. Notify us as soon as possible after you discover a real or potential security issue.
2. Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
3. Only use exploits to the extent necessary to confirm a vulnerability. Do not use an exploit to compromise or exfiltrate data, establish command line access and/or persistence, or use the exploit to “pivot” to other systems.
4. Once you have established that a vulnerability exists, or encountered any of the sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test and notify us immediately, and not disclose this information to anyone else.
5. Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
6. Keep confidential any information about discovered vulnerabilities.

To report a vulnerability, please send an email to [email protected]