The C3 Cyber Security Program is a multi-layered security approach that employs technical, physical, and administrative safeguards.
The C3 Cyber Security Program has been developed to comply with the applicable legal and regulatory requirements, including compliance with the NERC CIP smart grid cyber security standards. This program encompasses a comprehensive set of cyber security controls and business processes based on NIST best practices that align with the NERC CIP standards.
- Physical and Operational Security: C3 combines state-of-the-art data center facilities with industry best practices to ensure operational security. A detailed description of C3’s physical and operational security follows in Section A.2.
- Network Security: C3 provides Virtual Private Clouds accessible over robust network infrastructure to provide secure and reliable systems. A detailed description of C3’s network security follows in Section A.3.
- Data Security: Data security is a fundamental requirement that is systematically addressed throughout the C3 Platform™. This includes access controls, encryption, user roles, and data retention/destruction. A detailed description of C3’s data security follows in Section A.4.
- Continuous Monitoring: C3 uses multiple, redundant, continuous monitoring systems for application and data security. A detailed description of C3’s continuous monitoring follows in Section A.5.
- Business Continuity: C3 backup, failover, and redundancy services ensure data availability and protect information from loss or destruction. A detailed description of C3’s business continuity measures follows in Section A.7.
- Secure Design and Engineering Principles: C3 follows best practice secure software development processes to incorporate security throughout the product development and release lifecycle. A detailed description of C3’s design and engineering methodologies follows in Section A.6.
- Corporate Governance: Cyber security is a strategic priority for C3. C3 has implemented extensive corporate oversight to ensure its ongoing success. A detailed description of C3’s cyber security corporate governance follows in Section A.9.
- Third-Party Attestations: C3 offers a variety of third-party attestations regarding cyber security processes and controls.
- C3 undergoes regular testing by external security experts, including source code reviews, software vulnerability testing, and penetration testing.
- C3 uses data centers that have been audited for the leading industry IT security standards, including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II), SOC 2, FISMA, DIACAP, FedRAMP, PCI DSS Level 1, ISO 27001, International Traffic in Arms Regulations (ITAR), and FIPS 140-2.
A detailed description of C3’s third-party attestations follows in Section A.7.