US Chaparral Top Image
           Home          About Us          Contact Us          New Customers          Payments          Stations
  Security Policy
Notice of Cyber Attacks and Online Theft

US Chaparral Water Systems takes cyber attacks and online theft seriously. If you are reported and verified as a cyber attacker or online theft, all relevant details will be reported to the Internet Crime Complaint Center (IC3) and all applicable authorities. The IC3 shares information with the FBI and other agencies for the purpose of investigating all aspects of cyber crimes. Punishment can be up to 5, 15, 20, or 30 years in federal prison, plus fines. In addition, punishments for the unlawful use of "means of identification" were strengthened in 1028A ("Aggravated Identity Theft"), allowing for consecutive sentences under specific enumerated felony violations.

SSL Secure Site

SSL Site Report The Chaparral website is SSL SECURED. Our SSL (Secure Socket Layer) Certificate is a 256 bit encryption certificate which is an industry standard for viewing and sending sensitive information on an internet browser. Click on the SSL image below see our SSL site report.


Chaparral is committed to protecting the privacy and security of customers on our website. This Security Policy will advise you about our guidelines concerning the use of your personal information, including, without limitation, the reasonable efforts we make to protect your personal information in accord with these guidelines, and about what choices you have concerning our use of such information.

Please read this policy carefully. We may need to change this policy from time to time in order to address new issues and reflect changes on our website. We will post those changes here so that you will always know our policies regarding what information we gather, how we might use that information, and whether we will disclose that information to anyone. Please refer back to this policy regularly. If you have any questions or concerns about our Security Policy, please send an email to .

This Security Policy applies to your use of the website and services owned or operated by Chaparral (collectively "we, " "us, " or "our"), including, Chaparral and any other retail or website we may own or operate currently or in the future (collectively, the "Site" or "Sites"). Unless we say otherwise, all references to the Sites in this policy include all such sites. This policy does not apply to your use of sites to which any of the Sites link too. This policy covers only information collected on the Sites and does not cover any information collected offline by us.


The intent of this Security Policy is to ensure that all systems installed on the Chaparral network are maintained at appropriate levels of security while at the same time not impeding the ability of Chaparral users and support staff to perform their work. The purpose is:
  • to define where equipment is to be placed on the network;
  • to define who may access network equipment;
  • to define how access to this equipment is to be controlled; and,
  • to define how data traveling over the network is to be protected.


This policy applies to:
  • any IP networks (existing and future) to which Chaparral network equipment is connected;
  • all equipment connected to the networks mentioned above
  • any IP networks across which Chaparral data travels;
  • data in transit over any of the above-mentioned networks;
  • network administrators managing the equipment;
  • project leaders requiring new equipment to be connected to the network; and,
  • all users utilizing equipment that is connected to the network.
This includes but is not limited to:
  • the User LAN
  • the SERVER LAN
  • the Backup SERVER LAN
  • remote sites.
This policy will also apply to all equipment connected to the networks mentioned above, and all Chaparral employees using any of this equipment.


The security policy is based on the principles and guidelines described in the Chaparral Information Security Framework document. All Chaparral network equipment (routers, servers, workstations etc) shall be classified according to the standard Chaparral classification scheme and placed in a network segment appropriate to its level of classification. Access to these segments must be controlled in an appropriate manner. Whenever data travels over a network segmentation of a lower security classification then the data shall be protected in manner appropriate to its classification level.


In accordance with the Chaparral Information Security Framework document, all users, hosts and data must be classified as security level 1 (unclassified), 2 (shared), 3 (company only) or 4 (confidential). All physical network segments, IP subnets and other IP traffic carriers must be classified in the same way. All data travelling on an IP network must be classified, and all users using network equipment or requesting data over the network must be assigned a level of clearance according to the same system.

It is the function of the person designated as the equipment owner to have all equipment under his or her control classified. The owner is defined as the head of division installing the equipment. Classification is done in consultation between the owner (or an assigned representative) and the Security Officer, but the final decision shall lie with the Security Officer.

For a description of the Chaparral system of security level classification, the concept of ownership and the role of the Security Manager, refer to the Chaparral Information Security Framework document.

Network Segmentation

  1. Unless otherwise stated in the security policy or in the Information Security Policy Framework document all network segments are classified Level 1 - Unclassified.
  2. The classification of network segments is given in the section of this article entitled Discussion of Classifications, which follows.
  3. A network segment can only be classified as another security level with approval of the Chaparral Security Officer. Its new level of classification must be recorded in this document and all divisional heads must be notified.
  4. Wherever a network segment connects to another network segment with a different security level, then the connection between the two networks must be controlled by an approved trusted point. A trusted point is equipment capable of regulating the flow of traffic between two network segments in a manner appropriate to the classification of the networks. Trusted points are covered in detail in the section that follows.
  5. No network equipment may be connected to a network segment that is not of the same security level as the equipment itself.
  6. The Chaparral Security Officer may also choose to segment two networks of the same security level.

Trusted Points

  1. The trusted point used to segment two networks shall be appropriate for the network with the highest security level.
  2. The default behavior of a trusted point must be to deny all IP traffic between the network segments it protects.
  3. At the discretion of the WAF Enterprises Security Officer, the default behavior of the trusted point may be to allow all traffic out from the network with the higher security level whilst denying all traffic in.
  4. At the discretion of the WAF Enterprises Security Officer, the trusted point may be configured to allow specific into the network with the higher security level
  5. All trusted points must be completely under the control of the Security Officer. Access to any trusted point shall only be granted with the explicit permission of the Security Manager and under his or her close supervision.
  6. There are a number of technologies that can act as trusted points. They are divided into the following categories:
    • Network Level Control: TCP wrappers, host lists, filter routers, network-level firewalls, V-LAN switches etc.;
    • User Level Control: application proxies, user-level firewalls etc.; and,
    • Strong User-Level Control: token-based user authentication systems, certificates etc.
  7. Whenever there is a connection that skips over one security level the strong user level control must be used. Even if strong user control is used, a connection may never skip more than one security level.

Data In Transit

  1. Data moving on the network between any two network-components is considered to be "data in transit". This also includes all control and management sessions.
  2. All network technologies are regarded as either "safe" or "unsafe" in their native state (i.e. without any encryption). The only networks regarded as safe by Chaparral are Frame-Relay PVCs (as used on the Chaparral backbone) and switched Ethernet LANs. All other network types are regarded unsafe.
  3. All data in transit over an unsafe network segment that has a classification lower than the classification of the data must be protected by data encryption. Data in transit over a safe network segment may be encrypted at the discretion of the Security Officer.
  4. Encryption of data in transit may take any of the following forms:
    • network encryption, in which data is encrypted at the IP layer (for example, with IPSec);
    • session encryption, in which data is encrypted at a TCP layer (for example, with SSL);
    • message encryption, in which blocks of data are encrypted before they are sent (for example, with SMIME); and,
    • data encryption, in which the entire data package is encrypted before it is transmitted (for example, with file encryption).
  5. Encryption systems used must offer strong encryption (more then 100 bit encryption keys) and use internationally recognized encryption algorithms. The choice of the crypto-algorithm is the responsibility of the Security Officer.

Classification of Users

  1. Every user is designated as unclassified until his or her classification is explicitly changed with the written approval of the Security Officer.
  2. When a new employee joins Chaparral, a request is made by the employee's manager to the Security Officer for a new level of clearance. It is the responsibility of the manager to justify the requested level of clearance.
  3. Unless there is strong justification, all new employees shall be cleared for the level Chaparral Only, but only after they have signed an employment contract including acceptance of this policy and non-disclosure forms.
  4. The Security Officer is responsible for managing and controlling the record of clearance levels for all personnel.
  5. It is the responsibility of all system owners and system administrators to determine the security level of a given user before granting that user access to any system.
  6. It is the responsibility of the user to know his or her own clearance level and to understand the rights and limitations associated with that clearance.

Classification of Equipment

  1. All computing equipment must be given a classification by the Security Officer.
  2. Classifications for existing and future equipment are as follows:
    • all user workstations, file-servers, print-servers etc should be classified as Company Only;
    • all LAN servers and other hosts used in the management of the Chaparral backbone infrastructure or Chaparral internal network infrastructure will be classified as Confidential;
    • all backbone equipment (including switches, remote access servers, ADSL chassis etc) that are not located on Chaparral premises will be classified as Shared; and,
    • all equipment used in the transfer of data to and from the Internet will be classified as Shared.
  3. The Security Officer must maintain a complete list of the classifications of all computing equipment in the Chaparral network and in the Chaparral backbone.

Classification of Networks

The Chaparral Security Officer must classify every network segment that constitutes part of the Chaparral infrastructure. A complete list of the classifications of all network segments in the Chaparral network and in the Chaparral backbone is maintained by the Security Officer. Classifications for existing Chaparral network segments are as follows:
  • The Chaparral User LAN located is classified as Company Only.
  • The SERVER LAN & backup SERVER LAN are classified as Confidential.
  • The Chaparral Frame-Relay Backbone is classified as Shared.
  • The Remote sites are classified as Shared.
  • The SERVER LAN and the Portal Segment are classified as Shared.

Classification of Data

Any Chaparral user with legitimate access to Chaparral data may, with sufficient justification, change the classification of the data. The user may only change the classification of data if there is sufficient, justifiable reason to do so. Users will be held strictly responsible for these decisions.

All newly created data must be classified Company Only until it is reclassified by a user, who does so on his or her own prerogative. Users are held solely responsible for any data whose classification they change. Classifications for existing Chaparral data are given below:
  • Chaparral business information (memos, financial documents, planning documents etc) should be classified as Company Only;
  • Chaparral customer data (contact details, contracts, billing information etc) should be classified as Company Only;
  • network management data (IP addresses, passwords, configuration files, etc.) should be classified as Confidential;
  • human resources information (employment contracts, salary information, etc.) should be classified Confidential;
  • Published information (pamphlets, performance reports, marketing material, etc.) should be classified Shared;
  • E-mail between Chaparral employees should be classified Company Only; and,
  • E-mail between Chaparral employees and non-Chaparral employees should be regarded as Unclassified.

Classifications: Roles and Responsibilities

  1. It is the responsibility of the user to:
    • know his or her own clearance level and to understand the rights and limitations associated with that clearance;
    • ensure all the data he or she works with is correctly classified;
    • ensure that he or she understands the restrictions associated with the data he or she is working with; and,
    • ensure all the data he or she works with is housed and protected appropriately.
  2. It is the responsibility of all system owners and system administrators to:
    • determine the security level of a given user before granting that user access to any system;
    • verify the classification of the equipment they manage; and,
    • verify that the equipment is installed and protected in accordance with its classification.
  3. It is the responsibility of each divisional manager to:
    • obtain clearance for employees in his or her divisions;
    • clarify the classification of data on systems under his or her control;
    • clarify the classification of equipment under his or her control and to ensure that those systems are correctly installed; and,
    • ensure all employees in that division understand and implement this policy.
  4. It is the responsibility of the Security Officer to:
    • approve all classifications;
    • maintain a list of all classifications;
    • control and manage all trusted points; and,
    • determine the type of cryptographic protection to be used for data in transit.


  1. Any user accessing a data, equipment or a physical location with insufficient clearance can face disciplinary action, dismissal and criminal or civil prosecution.
  2. Any user allowing access to a system that he or she controls for someone with insufficient clearance can face disciplinary action, dismissal and criminal or civil prosecution.
  3. Any person connecting equipment that is not classified to the network or connecting equipment to an inappropriate part of the network or in an inappropriate location can face disciplinary action, dismissal and criminal or civil prosecution.
  4. Any person transmitting data over any network without the appropriate cryptographic protection for that data can face disciplinary action, dismissal and criminal or civil prosecution.
  5. Any person changing the classification of data in a way that is reckless, irresponsible or in any damaging to Chaparral, their share holders or any of their clients can face disciplinary action, dismissal and criminal or civil prosecution.

Points of Contact and Supplementary Information

For a description of the Chaparral system of security level classification, users should refer to the Chaparral Information Security Framework document. For enquiries regarding the classification of data, equipment, network segments or physical locations or the clearance level of users, interested parties should be directed to contact the Chaparral Security Officer.

Last Updated:  July 5, 2023

WAF - Back Page Button WAF - Home Page Button Top
Station Emergencies
  If you encounter an emergency or a problem at any of the water stations, please contact one of our after hours emergency contact numbers to speak to a field supervisor.
Primary:   432-553-0597
Secondary:   432-296-8886
  For all other questions or requests, please contact our corporate office during normal business hours at: 432-694-4930
Copyright © 2004-
About Us | Contact Us | Terms | Privacy | Security | Our Sitemap | Web Design | Web Hosting
All Rights Reserved