Security, confidentiality, integrity, and application availability are vital to the success of customer business operations. C3 IoT meets these requirements by delivering a unified, cohesive product suite through a scalable and secure hosting model.


Global Infrastructure

C3 IoT Leverages Amazon AWS’s Secure Global Infrastructure

C3 IoT Operations & Security

Introduction

The C3 IoT applications platform employs advanced analytics and machine learning at scale to deliver real-time actionable insights for enterprise business imperatives. With C3 IoT, organizations are attaining unprecedented levels of operational efficiency, productivity, and competitive advantage.

C3 IoT understands that the security, confidentiality, integrity, and availability of C3 IoT applications are vital to the success of customer business operations.

C3 IoT meets these requirements by delivering a unified, cohesive product suite through a scalable and secure hosting model:

  • C3 IoT products are delivered as hosted SaaS offerings deployed in secure Virtual Private Clouds. This provides unmatched system scalability and data security combined with low overall cost of ownership.
  • C3 IoT implements a rigorous Cyber Security Program to protect critical systems and information assets, constantly monitoring and improving applications, systems, and processes to meet the growing demands and challenges of security.

C3 IoT’s Hosting Operations and Cyber Security have been validated in successful, production deployments for leading utility operators and large commercial and industrial organizations around the world.

The C3 IoT Platform™ is delivered as PaaS offerings hosted at C3 IoT’s data center facilities and managed by C3 IoT personnel.

The C3 IoT Platform™ has been designed to effectively process large data volumes in near real-time. C3 IoT Hosting Operations have been architected to elastically scale system resources as necessary based on customer usage and data processing requirements. This elastic scalability eliminates any limits on the amount of data that can be securely processed by the C3 IoT Platform™ while delivering enterprise class system performance and low total cost of ownership.

C3 IoT applies best practice hosting operations and support processes to ensure the integrity and availability of C3 IoT’s customer systems. These processes encompass all aspects of reliable system delivery, including maintenance, software release deployment, backup and recovery, and system monitoring for performance and availability. C3 IoT Hosting Operations are managed in alignment with NIST (National Institute of Standards and Technology) best practices and established IT standards, including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II) and SOC 2.

The C3 IoT Cyber Security Program is a multi-layered security approach that employs technical, physical, and administrative safeguards.

The C3 IoT Cyber Security Program has been developed to comply with all applicable legal and regulatory requirements, including compliance with the NERC CIP smart grid cyber security standards. This program encompasses a comprehensive set of cyber security controls and business processes based on NIST best practices that align with the NERC CIP standards.

Physical Safeguards
  • Physical and Operational Security: C3 IoT combines state-of-the-art data center facilities with industry best practices to ensure operational security.
Technical Safeguards
  • Network Security: C3 IoT provides Virtual Private Clouds accessible over robust network infrastructure to provide secure and reliable systems.
  • Data Security: Data security is a fundamental requirement that is systematically addressed throughout the C3 IoT Platform. This includes access controls, encryption, user roles, data retention/destruction, and regulatory compliance.
  • Continuous Monitoring: C3 IoT uses multiple, redundant, continuous monitoring systems to ensure application and data security.
  • Business Continuity: C3 IoT backup, failover, and redundancy services ensure data availability and protect information from loss or destruction.
Administrative Safeguards
  • Secure Design and Engineering Principles: C3 IoT follows best practice secure software development processes to incorporate security throughout the product development and release lifecycle.
  • Corporate Governance: Cyber security is a strategic priority for C3 IoT. C3 IoT has implemented extensive corporate oversight to ensure its ongoing success.
  • Third-Party Attestations: C3 IoT offers a variety of third-party attestations regarding cyber security processes and controls.
    • C3 IoT undergoes regular testing by external security experts, including source code reviews, software vulnerability testing, and penetration testing.
    • C3 IoT uses data centers that have been audited for the leading industry IT security standards, including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II), SOC 2, FISMA, DIACAP, FedRAMP, PCI DSS Level 1, ISO 27001, International Traffic in Arms Regulations (ITAR), and FIPS 140-2.

Physical & Operational Security

C3 IoT’s customer systems infrastructure is hosted at Amazon Web Services’ data centers in Northern Virginia, Oregon, and Dublin, Ireland, depending on data jurisdiction. These data centers provide best practice security and reliability features, including secure premises with video surveillance, power supply & backup, precision environmental controls, equipment monitoring, comprehensive security policies & controls, and third-party security compliance and attestation.

Secure premises – Facilities are nondescript and unmarked to help maintain a low profile. All visitors must pass through a security check-in before accessing the facility. Biometric scanning controls data center access, and access is available only to data center personnel and contractors who have a legitimate business need for such privileges. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. Data center access is logged and monitored. 24x7 onsite staff provides additional protection against unauthorized entry. CCTV camera monitoring is present at all data center locations. Audit logs for sensitive areas are maintained and reviewed regularly.

Power supply and backup – Multiple levels of built-in power redundancy provide the highest level of availability. Generators and Uninterruptible Power Supply (UPS) systems provide backup power sources and prevent power spikes, surges, and brownouts. If a total utility power outage ever occurs, these power systems are designed to ensure that the data centers will continue to operate without interruption. The UPS power subsystem is N+1 redundant, with instantaneous failover if the primary UPS fails. If an extended utility power outage occurs, on-site generators can run indefinitely. All on-site generators are tested regularly.

Precision environment – Heating, ventilation, and air conditioning (HVAC) systems provide appropriate and consistent airflow, temperature, and humidity levels. Every data center's HVAC system is N+1 redundant. This ensures that a duplicate system immediately comes online should there be an HVAC system failure. Advanced fire suppression systems are designed to stop fires from spreading in the unlikely event one should occur.

Equipment monitoring – All electrical, mechanical, and life support systems and equipment are monitored to ensure that any equipment issues are immediately identified. Preventative maintenance is performed to maintain continuous operability of all equipment.

Third-party compliance and attestation – The data centers are designed and managed in alignment with security best practices and a variety of established IT standards, including SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II), SOC 2, FISMA, DIACAP, FedRAMP, PCI DSS Level 1, ISO 27001, International Traffic in Arms Regulations (ITAR), and FIPS 140-2.

Policies – C3 IoT’s Executive Management has instituted a set of policies, procedures, and guidelines to ensure the security of the C3 IoT applications. These policies include C3 IoT’s Information Sensitivity Policy, Customer Data Handling Policy, Secure Coding Guidelines, and Cyber Incident Response Plan. All C3 IoT personnel with access to C3 IoT applications, software code, or customer data are trained on and required to adhere to these policies.

Corporate security – C3 IoT maintains stringent physical security at all offices. Each person with authorized access is provided an electronic key to gain entry and move within the facilities. All visitors are required to sign in and are escorted by authorized staff.

Background checks – Background checks, as permitted by law, are mandatory for all employees and contractors. These include criminal checks, education and employment verification, and reference checks.

Proprietary information – All employees and contractors are required to sign a Proprietary Information Agreement as a condition of employment. All subcontractor agreements include rigorous confidentiality and non-disclosure clauses.

Security awareness program – All C3 IoT employees are trained on C3 IoT's security policies upon initial hiring and on an annual basis.

Employee access – Formal procedures govern user accounts for all employees. They regulate user roles and access, as well as the ability to add, delete, and modify user accounts. The C3 IoT Human Resources (HR) department provides an immediate alert to the C3 IoT Operations team when an employee has had a change in functional role or has been terminated. C3 IoT Operations then modifies or disables system/network/email access as per the HR alert’s listed time frame (immediate or scheduled). Privileged user accounts are controlled and reviewed quarterly.

Asset management – An inventory is kept of all hardware, software, and intellectual property assets. This inventory documents permitted configurations, usage, and access, along with other applicable controls.

Workstation protection – Anti-virus software is installed on all Microsoft Windows workstations (with daily virus signature updates). Preventative controls, such as screen and session timeouts, are required to prevent unauthorized access to unattended systems. Confidential corporate information stored on workstations must be encrypted. Confidential information is not allowed on removable media or mobile devices.

Audits – Multiple security audits are performed regularly, including daily review of user access logs, quarterly review of user access rights and asset policies, etc.

Network Security

C3 IoT applies security best practices to a state-of-the-art network infrastructure to provide a secure and reliable platform.

C3 IoT’s data centers maintain redundant relationships with multiple Internet Service Providers, and employ robust routing using the BGP4 networking protocol to allow network traffic to take the best path. All customer data in transit (network connections to C3 IoT) is securely transmitted using HTTPS (SSL/TLS) with 4096-bit RSA encryption.

The C3 IoT network architecture is designed to ensure security, scalability, and reliability.

Network access to and from C3 IoT customer system infrastructure is controlled by network devices (including firewalls), switching access control lists, and load balancing. These boundary devices employ rule sets, access control lists, and configurations to enforce and monitor the flow of information to the C3 IoT servers.

Firewalls and ports – Multiple network devices provide traffic filtering services. The only open inbound ports and protocols are HTTP, HTTPS, and SMTP. All other ports and protocols are explicitly disabled, thereby preventing worms and other network-based attacks.

Reverse proxies – Load balancers serve as reverse proxies, distributing system load while further protecting C3 IoT application servers from direct access.

Two-factor authentication – Access to C3 IoT servers requires use of a Virtual Private Network with multi-factor authentication and access monitoring.

Hardening standards – C3 IoT follows the National Security Agency’s (NSA) recommended hardening standards for all deployed server instances. These hardening standards are applied at server instantiation and reviewed monthly.

OS upgrades and patches – Operating system patches are reviewed upon release. Depending on the assessed priority and risk, operating system patches and upgrades are scheduled for implementation in accordance with industry best practices.

Virtual Private Cloud – C3 IoT offers customer-dedicated Virtual Private Clouds. Each Virtual Private Cloud is a private network subnet that isolates customer server instances from any other customer’s deployment. This provides uncompromising cyber security while enabling cost-effective system scalability.

Direct connect – C3 IoT offers customers the options of Virtual Private Network (VPN) encrypted tunnels and private lines to connect to C3 IoT’s data centers, thereby ensuring secure transmission along with the option to completely bypass internet service providers (public internet) in the network path.

Development, staging and production environments – C3 IoT implements independent development, staging, and production environments for all customer deployments, thereby further protecting the security and reliability of production systems.

C3 IoT corporate segregation – C3 IoT’s internal corporate network is segregated from all customer systems, further restricting unnecessary access to production systems.

Data Security

C3 IoT has implemented comprehensive defense-in-depth customer data security and protection, encompassing data access administrative controls, regulatory compliance, data encryption, user roles, and data retention / destruction.

Data access – Access to customer data is restricted to authorized personnel only, according to documented processes. Only those C3 IoT personnel explicitly identified in a customer support or application implementation role have access to customer systems. For application implementation personnel, customer system access is promptly deactivated as soon as the implementation is complete and access is no longer necessary. Access to all servers is limited, logged, and tracked for auditing purposes.

Data security policies – Customer Data Handling and Secure Document Destruction policies are strictly enforced for the management of all sensitive information. All C3 IoT employees are trained on documented information security and privacy procedures. C3 IoT’s Cyber Security Team performs quarterly reviews of C3 IoT personnel who have access to customer environments and systems, to track activity and validate access.

Data and environment separation – Each C3 IoT customer has separate databases with distinct access controls. C3 IoT implements independent development, staging and production environments for each customer system deployment. C3 IoT's internal corporate network is segregated from all customer environments.

Data encryption – C3 IoT implements enterprise class encryption to provide added data security. Sensitive data at rest is encrypted using 256-bit SHA-2 encryption. Data in motion is securely transmitted using HTTPS (SSL/TLS) with 4096-bit RSA encryption.

Data protection – C3 IoT implements comprehensive data protection and recovery measures in accordance with established industry best practices. Data backups are performed on a nightly basis and are replicated to a designated backup C3 IoT data center. The backup data center is geographically separated and independent from a customer's assigned primary and secondary C3 IoT data centers. Backup data is transferred in a secure, encrypted manner using HTTPS (SSL/TLS) with 4096-bit RSA encryption, and is securely stored in encrypted form at the backup facility. To facilitate rapid data restoration, the primary backup method is encrypted, hardware-level replication. Backups can be restored and end-user accessible within eight hours of process initiation. Backup data restoration is tested on a monthly basis. All backup activity, including transport, storage, and access, is logged and regularly audited to ensure proper handling.

Data destruction – C3 IoT applies rigorous data destruction measures in accordance with established industry guidelines. Standard backup data retention is 30 days, after which the backup data is permanently destroyed. Should a customer terminate its contract with C3 IoT, C3 IoT’s Operations team will permanently destroy all customer data at the end of the contract, including all then-existing customer databases and backup repositories. All data destruction is logged and regularly audited.

Role-based access – Application access for customer application end-users is controlled via user roles. These roles control security and access rights for standard users, super users, and administrators.

Application access segmentation – End-user application access can also be restricted based on data values. For example, customer end-users can be granted access to only the assets, accounts, or geographic regions that are necessary for their areas of responsibility.

Network IP access – Customer application access can be restricted to specific networks and locations (configurable via designated IP space whitelisting and/or blacklisting).

Single Sign On (SSO) – C3 IoT enables customers to use their existing end-user authorization systems to manage access to the C3 IoT applications. C3 IoT supports SSO integration with any version of LDAP or Active Directory that supports SAML v2.

Login information protection – To prevent password guessing attacks, account access is automatically suspended after a configurable number of unsuccessful password entry attempts.

Configurable password parameters – Customer system administrators can configure the complexity, length, and expiration requirements of end-user application passwords to adhere to their existing corporate standards.

HOSTING OPERATIONS


C3 IoT proactively monitors comprehensive system health measures, including service and hardware heartbeats, system function performance measures, and disk and computing resource utilization. C3 IoT uses widely adopted open-source and commercial monitoring tools such as Zenoss and CloudWatch. If any potential issues are detected, automated system fortification measures are triggered to address the issues before end-users may be affected:

  • Additional back-end and data-loading CPU capacity is automatically scaled up depending on the size of the job queue, thereby ensuring data processing and loading is kept current. Automatic scaling of CPUs takes on average less than 5 minutes to complete.
  • Automated failover activates if a system component fails or suffers performance deterioration, thereby ensuring that a component failure will not negatively impact end-users.

In addition to the automated system fortification measures, C3 IoT's Network Operations Center (NOC) staff is immediately alerted if the monitoring systems detect a potential issue or if a customer has submitted a support ticket. These issues are promptly investigated to diagnose root cause and monitor the automated fortification process. If the automated system fortification measures are insufficient, C3 IoT's NOC staff follows established processes to manually resolve any outstanding issues. If necessary, particularly complex issues are rapidly escalated to C3 IoT’s Engineering Support Team. Any affected customers receive regular incident status updates until successful resolution.

C3 IoT uses continuous monitoring methods to ensure application and data security.

Application access logging – C3 IoT tracks all application access, including failed authentication attempts, and keeps two years of historical records to support reporting and auditing requirements. All successful and unsuccessful access activities are recorded in the system and in application logs, along with username, IP address, action, and date/time of access. Every data change is logged in the system and in application logs.

Alerting – C3 IoT is committed to frequent and transparent customer communication. The C3 IoT Cyber Security Team monitors and alerts customers of suspicious activity including but not limited to multiple failed login attempts, abnormal usage patterns and large data access/downloads. C3 IoT has a formal process to notify customers of a verified security breach, theft, or loss of data. High alert (Priority P1) incidents are responded to on a 24x7 basis, with all incidents tracked in a case management system.
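The access logging and alerting described above, as an added example rather than C3 IoT's own code: it parses constructed access-log lines carrying the fields the page lists (username, IP address, action, date/time), suspends an account after a configurable number of failed attempts within a window, and raises alerts for the suspension, for logins attempted while suspended, and for large data downloads. The log line format, the `Policy` thresholds and the action names are assumptions chosen for illustration.

```python
"""Added example: detection logic over constructed application access-log lines.

Not C3 IoT's code. The log format, field names, action names and thresholds
are assumptions for illustration; the page only lists the fields recorded
(username, IP address, action, date/time) and the alert categories.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> user=<name> ip=<addr> action=<verb> [bytes=<n>]"
SAMPLE_LOG = """\
2017-03-01T08:00:01Z user=alice ip=10.0.0.5 action=login_ok
2017-03-01T08:01:10Z user=bob ip=198.51.100.7 action=login_failed
2017-03-01T08:01:25Z user=bob ip=198.51.100.7 action=login_failed
2017-03-01T08:01:40Z user=bob ip=198.51.100.7 action=login_failed
2017-03-01T08:01:55Z user=bob ip=198.51.100.7 action=login_failed
2017-03-01T08:02:10Z user=bob ip=198.51.100.7 action=login_failed
2017-03-01T08:02:30Z user=bob ip=198.51.100.7 action=login_ok
2017-03-01T08:30:00Z user=alice ip=10.0.0.5 action=export bytes=52428800
2017-03-01T09:00:00Z user=carol ip=10.0.0.9 action=login_failed
2017-03-01T15:00:00Z user=carol ip=10.0.0.9 action=login_failed
"""


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    action: str
    nbytes: int = 0  # only present on data access/download actions


def parse_line(line):
    """Parse one constructed log line into an Event."""
    ts_str, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return Event(
        ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        user=fields["user"], ip=fields["ip"], action=fields["action"],
        nbytes=int(fields.get("bytes", 0)),
    )


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


@dataclass
class Policy:
    max_failures: int = 5                      # configurable lockout threshold (assumed value)
    window: timedelta = timedelta(minutes=15)  # failures older than this are forgotten
    download_alert_bytes: int = 10 * 1024 * 1024  # "large data access/download" threshold


def analyse(events, policy):
    """Return (suspended_users, alerts) after replaying events in time order.

    alerts is a list of (timestamp, alert_type, user, ip) tuples.
    """
    failures = defaultdict(list)  # user -> timestamps of recent failed logins
    suspended = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        # Any login activity on a suspended account is itself suspicious.
        if ev.user in suspended and ev.action.startswith("login"):
            alerts.append((ev.ts, "login_while_suspended", ev.user, ev.ip))
            continue
        if ev.action == "login_failed":
            recent = [t for t in failures[ev.user] if ev.ts - t <= policy.window]
            recent.append(ev.ts)
            failures[ev.user] = recent
            if len(recent) >= policy.max_failures:
                suspended.add(ev.user)
                alerts.append((ev.ts, "account_suspended", ev.user, ev.ip))
        elif ev.action == "login_ok":
            failures[ev.user] = []  # a successful login resets the failure counter
        elif ev.nbytes >= policy.download_alert_bytes:
            alerts.append((ev.ts, "large_download", ev.user, ev.ip))
    return suspended, alerts


if __name__ == "__main__":
    locked, found = analyse(parse_log(SAMPLE_LOG), Policy())
    print("suspended:", sorted(locked))
    for ts, kind, user, ip in found:
        print(f"{ts.isoformat()} {kind} user={user} ip={ip}")
```

Carol's two failures fall outside the window and do not trigger a suspension, which is the edge case a fixed-count lockout without a window gets wrong.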

C3 IoT is continuously improving the C3 IoT Platform™. As these products are delivered as software-as-a-service hosted and managed by C3 IoT, C3 IoT’s customers immediately benefit from these frequent improvements.

C3 IoT uses a rolling upgrade (zero-downtime) approach, when possible, to avoid any end-user impact during system upgrades and maintenance. Customers are notified at least two weeks in advance of each system upgrade or maintenance event via the C3 IoT Support Portal, which also includes release notes and scheduling specifics.

If a rolling upgrade is not possible based on the scope of the planned maintenance or upgrade, C3 IoT employs the following maintenance procedures:

  • To minimize impact on customers’ work schedules, maintenance windows are scheduled from 11pm to 3am Pacific Standard Time.
  • During the maintenance period, customer end-users have read-only system access (i.e., existing analytics can be executed and retrieved, but account updates and configuration changes are disabled). Customer end-users are informed if the system is in read-only maintenance access when they log in.
  • Designated customer system administrator contacts are informed at least 4 weeks prior to any planned maintenance.
  • Designated customer contacts are informed of the commencement and completion of the maintenance period.
  • Maintenance that causes system downtime will not be scheduled more than once per calendar quarter.

C3 IoT provides customers with management and automation tools to make data loading reliable and transparent. C3 IoT provides a system management console for customers’ system administrators to check the status and details of current and historical data uploads. In addition, notification alerts can be configured to automatically notify designated customer contacts of data load job completions, missing jobs, job exceptions, and statistic summary reports (e.g., number of records, data load size, exceptions, time, etc.).

SECURE DESIGN AND ENGINEERING

The C3 IoT Platform™ is the software foundation that handles data management, multi-layered analysis, and data visualization capabilities for all C3 IoT applications. The C3 IoT Platform™ has been specifically designed to process and analyze significant volumes of frequently updated data while maintaining high performance levels.

The C3 IoT Platform™ architecture comprises multiple services that each handle a specific data management or analysis capability. All the services are modular, and have been architected specifically to execute their respective capabilities for large data volumes at high speed:

  • Every tier in the C3 IoT architecture can have additional processing resources added without service interruption;
  • Every tier is operated with a surplus standby processing capacity that is monitored and maintained;
  • System performance has been architected and validated to scale linearly with the addition of further resources;
  • Additional computing resources are automatically scaled up when needed.

To ensure high availability of the C3 IoT Platform™, C3 IoT implements redundancy and automatic failover for every component in the C3 IoT architecture.

C3 IoT load-balances at every tier in the infrastructure, from the network to the database servers.

Application server clusters are enabled to ensure that individual servers can fail and be seamlessly switched out without interrupting the end-user experience. Key/value database servers are similarly clustered for failover. Each device in the network has a failover backup to ensure maximum uptime. Dedicated routers and switches feature redundant power and Internet connections.

Component failover is automatic and does not require any manual intervention. Moreover, as soon as a component failure is detected, C3 IoT's NOC staff is alerted, diagnoses the failure, and adds additional component resources to maintain overall system redundancy.

Failover testing is performed on a monthly basis in accordance with industry best practices.

C3 IoT’s software development process follows the Open Web Application Security Project (OWASP) standards for building secure applications, including mandatory internal review by the C3 IoT Cyber Security Team. The C3 IoT software development cycle includes stringent code review, as well as integration and regression testing prior to release with internal and external testing tools to check for security vulnerabilities. Static code analysis tools are run as a part of the standard software build process, and all deployed software undergoes recurring penetration testing. All test results are shared with the C3 IoT Engineering team and any detected issues are resolved prior to final product release.

To ensure that security is maintained throughout the entire lifecycle of the C3 IoT Platform™, security testing is performed regularly and systematically. Quarterly vulnerability scans are conducted to ensure that software components remain secure. All third-party and open source components used in the C3 IoT architecture are selected based on their stability and industry support, and are subject to the same, rigorous security testing as any internally developed C3 IoT code. All external components of the C3 IoT architecture are kept current with validated software patches. All patches are reviewed and tested by the C3 IoT Operations Team, and then deployed as part of C3 IoT’s standard change management process. All server instances are re-imaged with hardened and tested OS, software, network, and security versions prior to deployment.

New application features within the C3 IoT Analytic Applications™ are designed to be both forward and backward compatible. New features are outlined in product documentation, and the C3 IoT Customer Support team reviews features with customers prior to deployment.

C3 IoT follows a systematic change management process designed to enable reliable system updates while avoiding customer disruptions. All proposed changes are thoroughly reviewed, tested, approved, and proactively communicated. Version updates are deployed into production in a phased process, starting with the areas of least impact. Deployments are closely monitored, and rollback procedures are documented in the Change Management ticket. On occasion, emergency changes to production systems may require deviations from standard change management procedures. These occasions are associated with an incident, and are logged, approved, and communicated.

Application changes – C3 IoT Engineering Operations centrally manages the release management process, using the same process for software patches and upgrades. All new functionality, enhancements, and bugs are reported in a central ticketing system. Each ticket provides a description of the software components to be changed or built, the detailed specification of the new functionality, the engineering resource responsible for the work, the estimated effort, and the targeted release version. All code is change-controlled in a central repository. No code change is included in an integrated candidate release version until it passes unit tests and code review. Once a code change is approved for promotion into a release version, the enhancement, feature, or bug fix undergoes functional, performance, security, and regression testing. If the new code does not pass testing, bugs are reported and fixed. Upon passing all tests, the enhancement, feature, or bug fix is approved for release and included in the next scheduled production release. All new releases require review and sign off of the C3 IoT Security Team. Each production release is assigned a version number for reference by customers and the C3 IoT Support team.

Network and infrastructure changes – All changes to C3 IoT’s network and server infrastructure are authorized, logged, tested, approved, and documented in accordance with industry best practices. C3 IoT proactively alerts customers of any planned system maintenance based on the Maintenance and Upgrade process.

Internal vulnerability and penetration testing – The C3 IoT Cyber Security Team performs vulnerability and penetration testing for every new application version, using open-source and commercial testing tools such as Burp. A version is not released until all identified vulnerabilities are corrected and the version successfully passes all security testing.

Third-Party vulnerability testing – C3 IoT engages third-party security experts to perform annual penetration testing and security audits. These testing cycles involve source code review, software vulnerability testing, and penetration testing. Any vulnerabilities identified in these testing cycles are immediately corrected, and C3 IoT has consistently been confirmed as cyber secure.

BUSINESS CONTINUITY AND DISASTER RECOVERY

C3 IoT’s Disaster Recovery (DR) plan incorporates local failover of redundant resources within the data centers and geographic redundancy across data centers. Backup, failover, and redundancy are implemented to ensure data availability and to protect information from accidental loss or destruction.

Every C3 IoT customer system is hosted at independent primary and secondary data centers. C3 IoT replicates critical system components and customer data at both data centers. The two data centers are geographically separated and completely independent of each other in order to avoid potential single points of failure. In addition to discrete uninterruptible power supply (UPS) and onsite backup generation facilities, the data centers are each fed via different grids from independent utilities, and are redundantly connected to multiple tier-1 transit providers.

Every component in the C3 IoT infrastructure is redundant. There are at least two of each hardware component that process the flow and storage of data, including load balancers, application servers, key/value database nodes, and network devices. Each device in the network has a failover backup to ensure maximum uptime. Dedicated routers and switches feature redundant power and connectivity to the Internet.

Component failover is automatic and does not require any manual intervention. As soon as a component failure is detected, C3 IoT's NOC staff is alerted and immediately commences processes for diagnosing the failure and adding additional component resources to maintain overall system redundancy.

Failover testing is performed on a monthly basis in accordance with industry best practices.

C3 IoT load-balances at every tier in the system infrastructure, from the network to the database servers. Application server clusters are enabled to ensure that servers can fail without interrupting the user experience. Key/Value database servers are clustered for failover.

Customer systems are replicated to a designated backup C3 IoT data center on a nightly basis. The backup data center is geographically separated and independent from the customer's assigned primary and secondary C3 IoT data centers.

Backup data is transferred in a secure, encrypted manner using HTTPS (SSL/TLS) with 4096-bit RSA encryption, and is stored in encrypted form at the backup facility. To facilitate rapid data restoration, the primary backup method uses encrypted, hardware-level replication. Backups can be restored and end-user accessible within eight hours of process initiation.

Standard backup data retention is 180 days for weekly backups and 7 days for daily backups, after which the backup data is permanently destroyed. C3 IoT's data destruction procedures use standard enterprise tools for specialized wipe procedures and follow the NIST SP 800-88 guidelines for media sanitization.
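As an added example (not C3 IoT's code), the retention rule above written as a small Python job that decides which backup sets have aged out and emits audit-log lines for their destruction. It assumes that the Sunday copy is the weekly backup, that a set exactly at the boundary is still retained, and a constructed log-line format; all three are assumptions for illustration. The interesting case it handles is a weekly copy that is older than the daily window but still inside the weekly one.

```python
from datetime import date, timedelta

# Retention windows as stated on the page.
DAILY_RETENTION = timedelta(days=7)
WEEKLY_RETENTION = timedelta(days=180)

# Assumption for this example: the copy taken on Sunday (weekday 6) is the
# weekly backup; the other six copies of the week are daily backups.
WEEKLY_WEEKDAY = 6


def classify(backup_date: date) -> str:
    """Label a backup set as 'weekly' or 'daily' by the day it was taken."""
    return "weekly" if backup_date.weekday() == WEEKLY_WEEKDAY else "daily"


def expired_backups(backup_dates, today: date):
    """Return (date, kind) pairs whose retention window has elapsed, oldest first.

    A set exactly at the boundary (age == window) is still retained; only
    strictly older sets are eligible for destruction.
    """
    expired = []
    for d in sorted(backup_dates):
        kind = classify(d)
        window = WEEKLY_RETENTION if kind == "weekly" else DAILY_RETENTION
        if today - d > window:
            expired.append((d, kind))
    return expired


def destruction_log(expired, today: date, operator: str = "retention-job"):
    """Audit-log lines recording each destroyed set (line format constructed for this example)."""
    return [
        f"{today.isoformat()} DESTROY backup={d.isoformat()} kind={kind} "
        f"by={operator} method=NIST-SP-800-88"
        for d, kind in expired
    ]


if __name__ == "__main__":
    # Constructed inventory: 2017-07-01 is a Saturday; 2017-01-01, 01-08, 06-18 and 06-25 are Sundays.
    today = date(2017, 7, 1)
    inventory = [
        date(2017, 1, 1),   # weekly, 181 days old   -> destroy
        date(2017, 1, 8),   # weekly, 174 days old   -> keep
        date(2017, 6, 18),  # weekly, 13 days old    -> keep (weekly window applies, not daily)
        date(2017, 6, 23),  # daily, 8 days old      -> destroy
        date(2017, 6, 24),  # daily, exactly 7 days  -> keep (boundary)
        date(2017, 6, 25),  # weekly, 6 days old     -> keep
        date(2017, 6, 30),  # daily, 1 day old       -> keep
    ]
    for line in destruction_log(expired_backups(inventory, today), today):
        print(line)
```

Keeping the destruction decision and the log emission in separate functions means the audit trail the page requires can be written (and reviewed) before any storage is actually wiped.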

All backup activity, including transport, storage and access, is logged and regularly audited to ensure proper handling.

Backup data restoration is tested on a monthly basis in accordance with industry best practices.

In the unlikely event of the loss of a customer's primary C3 IoT data center, C3 IoT migrates system operations to the secondary data center. Procedures for the rapid migration of full system operations to the secondary data center are documented and regularly tested. Testing is performed at initial system deployment and subsequently on a quarterly basis.

Recovery time objectives for a complete data center loss are six hours for restoration of critical system functions and 24 hours for restoration of non-critical, ancillary functions.

Disaster recovery testing is performed quarterly in accordance with industry best practices.

C3 IoT has instituted a Pandemic Plan to prepare for and respond to the threat of influenza or another pandemic that may cause serious, widespread illness. The plan addresses the following pandemic-related issues:

  • Staff education on infection control in the workplace, reinforced during the annual influenza season, including options for working offsite while ill and measures to reduce transmission.
  • Contingency plans to maintain delivery of C3 IoT's services during periods of significant and sustained worker absenteeism.
  • Mechanisms that allow workers to provide services from home if public health officials advise against non-essential travel outside the home.

The Pandemic Plan is tested on an annual basis in accordance with industry best practices.

CYBER INCIDENT RESPONSE

C3 IoT has instituted a Cyber Incident Response Plan (CIRP) based on NIST's recommended approach (NIST SP 800-61). The CIRP includes:

  • Training and procedures for reporting the different types of incidents that may affect customer information, such as security breaches, threats, vulnerabilities, or security-related software malfunctions.
  • Information security event reporting, incident response, and escalation procedures that are executed on any potential incident. C3 IoT immediately reports to customers any suspected loss, unauthorized disclosure, or unauthorized use of customer confidential information. During a suspected incident, C3 IoT provides frequent, ongoing CIRP status reports containing all then-known details of the incident and a summary of the corrective action taken. Once the incident is confirmed resolved, C3 IoT provides a formal post-mortem report with the full details of the suspected incident and the follow-up actions taken to prevent recurrence.
  • Communication guidelines agreed with each customer before system launch, covering designated customer contacts, preferred communication methods, and escalation protocols and timelines. CIRP communication guidelines are reviewed and tested with each customer annually.

CORPORATE GOVERNANCE

Cyber security is a strategic priority for C3 IoT. C3 IoT has assigned operational and executive teams responsible for the management and success of the C3 IoT Cyber Security Program.

C3 IoT Corporate Security Council – The Corporate Security Council has executive oversight of the C3 IoT Cyber Security Program and is responsible for ensuring its success. It consists of C3 IoT's Head of Operations and Cyber Security, Senior Vice-President of Products, and Chief Technology Officer.

C3 IoT Cyber Security Team – C3 IoT has assembled a world-class cyber security team that is responsible for the implementation and management of the C3 IoT Cyber Security Program.

THIRD PARTY CERTIFICATIONS AND ATTESTATIONS

The C3 IoT Cyber Security Program has been developed to comply with all applicable legal and regulatory requirements, including the NERC Critical Infrastructure Protection (CIP) cyber security standards for the bulk electric system. The program encompasses a comprehensive set of cyber security controls and business processes based on NIST best practices that align with the NERC CIP standards (versions 3 and 4).

To objectively verify adherence to these processes, C3 IoT works with industry auditors who bring additional levels of scrutiny to the security of C3 IoT applications and the processes that govern how they are developed, tested, deployed, and supported. C3 IoT has successfully completed multiple third-party security tests, including source code reviews, software vulnerability testing, and penetration testing.

The AWS data centers that host C3 IoT are regularly audited against a variety of established security standards and programs, including:

  • SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70 Type II)
  • SOC 2
  • FISMA
  • DIACAP
  • FedRAMP
  • PCI DSS Level 1
  • ISO 27001
  • International Traffic in Arms Regulations (ITAR)
  • FIPS 140-2


C3 IoT PRODUCT TRIALS

Turnkey Projects in 6 to 12 Weeks

C3 IoT provides trials of the C3 Applications, C3 IoT Platform, and C3 Data Lake. Trial cost varies with duration and includes C3 IoT professional services and AWS infrastructure services.
