Security Overview
Updated: January 2025
Executive Summary
This document provides a description of our approach to protect the confidentiality, integrity, and availability of client and proprietary information, and to safeguard and honor the privacy, rights, and freedoms of data subjects whose personal data we process.
Ontic has adopted a proactive, preventative approach to information security and privacy that includes technological, administrative, and operational controls to detect and monitor existing and emerging risks and keep them to acceptable levels. We align the policies, standards, and procedures underpinning our Information Security Management and Privacy Management Systems with the Ontic business mission, vision, and values and Applicable Laws.
Ontic is committed to safeguarding the security of our clients and employees. We demonstrate this commitment through the application of our Information Security and Data Protection policies and procedures. We communicate these policies to every member of our organisation and hold them accountable for meeting the commitments set out therein. Our Data Privacy Notice is published at https://ontic.co/legal/client-and-prospect-privacy-notice/.
Our information security and data privacy governance structure comprises the Ontic Governance, Risk and Compliance (GRC) Committee and our Information Security and Data Privacy teams.
Ontic benchmarks its Information Security and Privacy Management System against the requirements of the European Union General Data Protection Regulation (GDPR) and ensures compliance with applicable laws.
Ontic commits to the following:
- Appropriate safeguarding of information and personal data;
- Monitoring of and compliance with regulations in all countries where we operate;
- Honoring contractual commitments with our customers and vendors; and
- Compliance with our Binding Corporate Rules and Inter-Group Standard Contractual Clauses (GDPR).
We engage qualified and regulated third-party auditors to perform independent audits of our systems and services in accordance with the best practice recommendations of ISO/IEC 27002 and the TSP 100 Trust Services Criteria (security, availability and confidentiality). We maintain compliance with ISO/IEC 27001:2022, ISO/IEC 27701:2019, STAR Certification Level 1, Cyber Essentials, and SOC 2 Type II.
We select our information and communication technology service providers after a thorough information security and privacy risk assessment process and monitor their performance throughout their engagement. When selecting service providers, we give preference to those that have been independently verified to be compliant with industry-recognized standards, including ISO/IEC 27001, ISO/IEC 27701, and SOC 2 Type II.
Information Security Principles
| # | Principle | Overview |
| --- | --- | --- |
| 1 | Layered Protections | Multiple security measures can and should be used to protect applications and data from cybersecurity attacks and data leaks. |
| 2 | Least Privilege | User accounts should be granted the minimum permissions needed to complete the required task. |
| 3 | Incorporate Security into all Phases of System Development | Include information security in all phases of development: requirements gathering, design, build, test, deploy, maintain, and decommission. |
| 4 | Security Awareness Training | Don’t assume that anyone fully understands their role in keeping Ontic systems secure. Provide continuous security awareness training for all employees and role-specific training for developers, system admins, and other key roles. |
| 5 | Tailor Security Controls to Meet Organizational Needs | Not all security best practices will apply in all situations. Identify the controls that best meet Ontic’s needs on a case-by-case basis. |
| 6 | Economy of Mechanisms | Security mechanisms should be as simple as possible to reduce complexity and potential vulnerabilities. “Keep it simple, stupid” (KISS). |
| 7 | Threat Modeling | A structured process that helps identify potential risks early in the development life cycle. |
| 8 | Reduce Risk to Acceptable Levels | Risks can’t always be reduced to zero, so the focus should be on reducing or mitigating the risk to a level that is below Ontic’s risk tolerance. |
Data Protection Principles
| # | Principle | Overview |
| --- | --- | --- |
| 1 | Fair and Lawful | Ontic and our clients must have legitimate, lawful grounds for collecting PII. |
| 2 | Purpose Limitation | Ontic and our clients must be open about their reason for obtaining PII and what they plan to use it for. The PII must then only be used for the original stated purpose. |
| 3 | Consent | Ontic and our clients, when collecting non-public data from an individual, must obtain meaningful consent from the data subject, or have a permitted use or an exception to consent. |
| 4 | Data Minimisation and Accuracy | Ontic and our clients must only obtain data that is required for the intended purpose, only use it for the intended purpose, and should avoid holding more information than is necessary. |
| 5 | Accuracy | Reasonable steps must be taken to keep personal information accurate and up to date. |
| 6 | Retention | Personal information must not be retained longer than is necessary. |
| 7 | Individual Rights | Data Subjects have numerous rights, including the right to access, update, or delete data about themselves. Ontic and our clients must ensure that the appropriate processes and procedures are in place to handle these data subject requests. |
| 8 | Safeguards / Security | Appropriate security measures, including encryption and/or pseudonymization, must be used to keep PII safe. |
| 9 | International Transfers | PII should not be transferred to other countries that do not have the same level of data protection in place. |
Governance, Risk and Compliance
Privacy Policy
Ontic employees are bound by the Ontic Privacy Policy which sets forth our obligations with respect to the collection, use, retention and disclosure of personal data. The Privacy Policy is reviewed and updated annually. The policy is also updated when there is any change in the information-processing environment, which may have a major impact on the information risk profile.
Governance Structure
Ontic has implemented a Governance, Risk, and Compliance (GRC) Committee that includes senior leaders from Legal, Finance, Technology, People (HR), IT, Information Security, and Data Privacy. The GRC Committee reviews the strategic initiatives for information security and data privacy and is responsible for the integration of information security and data privacy into the business functions.
The GRC Committee also makes recommendations on controls that are required to protect both customer and internal information and ensures senior-level oversight and business input into the strategic direction of data protection and information security initiatives.
The GRC Committee’s mandate is to ensure the integration of data protection and information security into the work of every business unit, employee, vendor, and customer. It also ensures compliance with laws and regulations within Ontic.
GRC Subcommittees
The Supply Chain Management Committee is a subcommittee of the GRC, which provides the operational governance on supplier/vendor management. It supervises the information security and privacy risk assessments for all new and existing suppliers. The key members of the supply chain management committee are Legal, Finance, Information Security and Data Privacy.
Information Risk Management
The Ontic risk management policies and procedures are aligned with ‘ISO 31000, Risk management – Principles and Guidelines’.
We have implemented tools and processes to identify, analyze, evaluate, treat, and monitor risks associated with the processing of information, in particular in the context of third-party engagement and the supply chain, software development, and data transfers; where there are specific regulatory requirements for the processing of personal data; and where the data types or the individuals concerned require additional protection.
The processes include the capturing of all aspects of the data processing activity or business process, a systems overview (business and technical overview), initial risk assessment (data asset, third-party and regulatory evaluation as appropriate; threats, vulnerabilities, ease of exploitation, impact, and risk calculation), remediation planning, determination of any residual risk, control implementation, and continuous monitoring.
Risks and treatment plans are communicated to business process, data asset, and vendor relationship owners (the risk managers), and a high-level overview and analysis, specifically of high risks, is regularly communicated to senior management, providing the necessary data to support prioritization and resourcing decisions.
Supplier Risk Management
Vendors’ information security and privacy controls are assessed based on their responses to questionnaires tailored to the scope of services they provide. Where controls are found lacking, ineffective, or where information is not available, risks are flagged and reported to the Ontic buyer or vendor relationship owner alongside a description of recommended risk treatment.
For each vendor a risk level is calculated considering their level of access to information, the classification, sensitivity, and volume of the information being processed. Based on this risk level, vendors are reviewed every 1, 2 or 3 years.
Data Protection Impact Assessment
We perform Data Protection Impact Assessments (DPIA) for all personal data processing activities likely to result in a high risk to individuals, or where otherwise required by relevant legislation. Identified risks are treated in accordance with our Risk Assessment policies and procedures and applicable regulations to eliminate or at least reduce to a minimum any potential detrimental impact on data subjects’ rights and freedoms.
Data Asset Risk Assessment
We have specified a series of policies and standards that set out security requirements for Ontic data assets. To verify compliance of proprietary systems/applications and those hosted within the Ontic environment and regarded as critical to the organization, we perform annual Data Asset Risk Assessments (DARA). Any non-conformance is identified and treated as a risk in accordance with our Risk Management Framework.
Compliance
Our Compliance Risk Management Policy, defined by the Legal team, provides the guidelines to identify the statutory, regulatory, and contractual requirements and our approach to meet these requirements for each facility and information system. We ensure compliance with data protection and privacy law across the jurisdictions in which we deliver our services. Our Planning Policy and Procedure mandates an annual internal audit of the information security and privacy programs to ensure that they are effectively implemented. The audit results are reported to the GRC Committee.
Information Security Management System
Ontic has implemented an Information Security Management System (ISMS) in conformance with widely accepted and recognized standards. In this regard, the Ontic Security Policies, Procedures, and Plans are aligned with both the NIST 800-53 R5 and ISO/IEC 27002 standards.
Information Security Policies
The Ontic Information Security Policies specifically state our intent to maintain a secure information-processing environment and to protect information assets. The policies are approved by the Ontic Governance, Risk, and Compliance Committee and are communicated to all Ontic employees. Compliance with our Information Security Policies is mandatory for all employees. The Ontic Information Security Policies are reviewed and updated annually. The policies are also updated when there is any change in the information-processing environment, which may have an impact on the information risk profile.
Security Organization
We have developed a management framework to maintain information security within the organization. To this effect, we have assigned security roles and responsibilities to facilitate the implementation of security across the organization.
As described in Section 4, information security is governed by the Governance, Risk and Compliance Committee, who provide input and direction to our Information Security team. Our Information Security team is led by the Information Security Officer (ISO).
Asset Management
Our Asset Management Policy mandates asset inventory and asset ownership, and our configuration standards define the standard security configurations of key IT assets. Ontic maintains an inventory of information assets to ensure that these assets are effectively protected, and periodic reviews of the inventory are conducted by the respective asset owners and custodians. The security classification of information assets is subject to data handling requirements, which mandate security practices for the handling of information assets.
Personnel Security
Security roles and responsibilities of employees, contractors, and third-party users are defined in the Ontic Employee Handbook and Acceptable Use Policy. All employees are bound by these policies as part of the terms and conditions of their employment.
Background verification checks are performed to ensure the authenticity of the person and to reduce the possibility of threats to critical information assets. Ontic performs verification of employment history, academic and professional qualifications and conducts reference checks of prospective employees. Criminal records checks are applied based on their applicability under local laws, client requirements, and respective job profiles.
Ontic employees and third-party personnel working for Ontic are required to complete training on Ontic’s policies, which includes e-learning modules on information security and data protection. This e-learning is refreshed annually. In addition, employees receive periodic information security and privacy awareness e-mail updates from our Information Security team. Managers in Ontic ensure that employees, contractors and third-party users are briefed to apply security principles in accordance with established policies and procedures.
Our disciplinary procedures ensure the correct and fair treatment of employees who are suspected of committing breaches of security. They provide a framework for a graduated response that takes into consideration factors such as the nature and gravity of the breach and its impact on the business. In serious cases of misconduct, the policy also provides a framework for termination, if necessary.
In case of termination, access rights for information assets and information processing facilities are removed within 24 hours for planned terminations and immediately for unplanned terminations.
In case of an internal transfer, access rights for information assets and information processing facilities are reduced or removed depending upon the change in roles and responsibilities, access control procedures, and value of assets.
Physical and Environmental Security
Ontic utilizes AWS to host all aspects of the Ontic Platform. AWS has implemented the following physical security and environmental controls across all of their data centers to ensure that our systems are protected against unauthorized physical access:
Ontic offices are protected against unauthorized access and damage through the implementation of physical perimeter controls to ensure that only authorized personnel are allowed access.
All Ontic offices with 10 or more employees have in place a Site Security Plan which describes the local risk profile and protection approach for that location. Sites are subjected to a controlled self-assessment once annually and the local risk assessment is updated.
Physical access to facilities by employees and visitors is restricted to authorised personnel only. Visitor access is controlled through the reception area. Visitors are not permitted further entry from the reception lobby onwards unless escorted by an Ontic employee. Visitors are not left unescorted at any time.
Ontic has deployed a proximity card system in the Austin office and a biometrics-based system in the Noida, India office for access control. The access control systems provide varying levels of physical access to employees in the offices on a job requirement basis. Access rights to the offices are monitored and reviewed periodically. Access log registers are maintained and audited as part of our internal audit processes.
Closed Circuit Television (CCTV) surveillance systems are installed in both Ontic offices. Cameras are positioned at all entrances and exits. These systems support continuous recording, and these recordings are retained for a minimum period of 90 days. Visitor logs are retained for a minimum of twelve months.
We have installed safety equipment for fire detection and suppression, such as heat and smoke detectors, fire alarms, water sprinkler systems, and fire extinguishers to protect against threats of fire, heat, and smoke.
Office keys are maintained and secured by the Information Security team. The keys are provided for a business purpose to authorised individuals only. Our facilities also prohibit smoking and unauthorised photographic, video, or audio recording.
Ontic employees are required to keep information assets, such as documents, printed outputs, correspondence, and computer media (IT personnel), in locked drawers and/or cabinets when not in use. This reduces the risk of unauthorised access to, loss of, and damage to information assets.
Operations Security
Our secure log-on controls ensure that the log-on process is controlled to prevent unauthorized access to information systems. Secure log-on procedures include controls such as display of log-on banners, use of two-factor authentication through secure tokens, account lockout after multiple invalid attempts, and logging of successful and unsuccessful log-on attempts.
Our End User Computing Policy defines the security requirements to enforce security parameters on company-provided laptops and configure security parameters on personal mobile devices such as phones and tablets. Personal mobile devices may be used to access email and calendaring. The Office and Workplace Policy sets forth the controls required to secure the guest and office wireless networks. It mandates the use of secure protocols such as WPA2 and WPA3.
Changes to the Ontic application and infrastructure are managed through the Configuration Management Policy and Procedure, which is a core IT and Technology operations procedure. The procedure requires changes to information systems, including servers, networks, software, and operational programs, to be authorized, documented, tested, and validated before they are implemented. Emergency change control procedures are followed for exceptional circumstances in which the normal change management procedures cannot be followed.
Ontic has capacity planning and management processes in place to regularly monitor continued availability of capacity to meet future requirements. The capacity planning and management process includes factors such as new business requirements, expansion plans of the organization, storage capacity, and contingency plans for information systems to determine future requirements of information processing resources.
Our approved software process is in place to ensure that only authorized and approved applications are installed in the Ontic environment. All new applications and systems go through a security and privacy risk assessment before the release to production.
Our End User Computing Policy mandates that Ontic endpoints be protected by the approved anti-virus software using the latest signature configurations to prevent network virus or worm outbreaks. We also ensure that disk-based encryption is enabled on each laptop. Ontic uses CrowdStrike Falcon and Rapid7 InsightIDR on all laptops, desktops, and servers. Laptops also have Jamf Protect installed.
CrowdStrike Falcon is continuously enabled on all laptops and servers, and virus definition files are updated through the automatic update service. Jamf Pro is used to block the use of any unapproved electronic media. In addition, we allow only authorized and licensed software to be used.
Our patch management procedures require security patches, packages, and hotfixes to be applied to Ontic infrastructure elements (servers, laptops, network devices, applications etc.) in order to protect against known vulnerabilities. We ensure that all patches are applied on systems in a timely manner. Critical patches are also applied on an ad-hoc basis depending upon the scan results and risk levels.
Our Acceptable Use Policy mandates the rules for protection and proper use of company assets including but not limited to laptops, the internet, and company-provided email.
Our End User Computing Policy defines the requirements for computer protection within International SOS. These requirements include, but are not limited to, installation of antivirus, disk-based encryption software, and VPN software, and standard requirements for screen lock, password protection, etc.
We have implemented a Zero Trust Network Access (ZTNA) system that allows Ontic to enforce policies controlling device and user access to sensitive systems based on the resource requested and the device’s compliance with security and patch status.
Our Cloud Security Policy defines the information security requirements for public cloud (AWS, GCP and other) services such as Infrastructure as a Service (IaaS). The standard is followed and complied with by the information technology teams responsible for cloud solution design, architecture and deployments.
Our Data Retention Archiving and Destruction Policy defines the requirements for data retention and archival. It also mandates the secure disposal of information.
Our information system backups are maintained and tested regularly for the purpose of data recovery in case of events such as system crash, virus attack or accidental deletion of information. Backup procedures define the data backup frequency, storage of backup media, labelling convention for backup media, retention of, and restoration from, backup media and movement of tapes to an offsite location for backup management.
Communications Security
Our defence-in-depth architecture includes security controls at different layers. These security controls include but are not limited to: physical security and surveillance, network firewall, network intrusion detection systems, virtual local area network (VLAN) and access control lists (ACLs), Zero Trust Network Access (ZTNA), two-factor authentication, antivirus, disk-based encryption, web application firewall, spam protection filters, transport layer security, SSL and digital certificates for web applications, and mobile device management systems.
Our System and Communication Protection Policy and Procedure define the rules for firewall management, including access and authorisation, patching and updates, assessment, and rule base change management. To this effect, firewall logs are forwarded to our Security Operations Centre and correlated with Intrusion Detection System alerts, and incidents are logged for any suspicious activity. Ontic systems and network devices are time synchronised to ensure that the audit logs contain accurate information.
Our System and Communication Protection Policy and Procedure requires an approved firewall to be in place between the Ontic network and any non-Ontic network to segregate trusted and un-trusted networks and limit access between such networks. All external connections to the Ontic network are required to go through our approved firewall which performs stateful packet inspection to permit, limit, or deny communicating directly with external systems.
Our Audit and Accountability Policy and Procedure define the requirements for logging and collection from systems such as system security logs, and web infrastructure security logs. It also defines the high-risk activities across these technologies that are reviewed in our Security Information and Event Management (SIEM) system. Our security team and our contracted Managed Security Service Provider (MSSP) review the high-risk activities on a daily basis and inform the respective information owners.
The Risk Assessment Policy and Procedure define the requirements for vulnerability assessment and remediation of vulnerabilities within Ontic. We perform periodic vulnerability scans of all external-facing applications, internal applications, and infrastructure. Many of our clients are hosted in a multi-tenant environment where some of the infrastructure is shared; therefore, we do not allow customer-initiated vulnerability assessments or penetration tests. We are committed to being open and will provide independent vulnerability assessment and penetration testing reports to our customers.
We have implemented Data Loss Prevention (DLP) controls at the endpoint to block the intentional or unintentional transfer of sensitive data types to or from employee laptops. We also block the use of USB devices and implement full disk encryption across all devices.
Our Employee Handbook and Acceptable Use Policy define the rules for internet access and use of social media. They define the rules for website access based upon the category and content of the website, and they also document our approach to monitoring and reporting of internet use.
Our email system provides spam protection, antivirus scanning, and filtering of dangerous file types. We have also implemented regular phishing campaigns to test and prepare our employees for identifying and reporting suspected phishing attempts.
Access Management
The Access Control Policy and Procedure governs the implementation of logical access controls on information assets. They define the user registration process to assign the unique user identification after approval from their respective managers/supervisors. Assignment of Unique User Identification to Ontic employees establishes accountability of individual user activities and provides a formal record of all the users registered on the information systems to prevent unauthorized access to confidential information.
Privileges and access rights granted to Ontic employees are restricted and controlled through the access request procedures. Privileges and access rights are granted to employees based on “Need-to-do” and “Segregation of Duties” principles. An authorization record of all privileges is maintained, and such privileges and access rights are reviewed quarterly to prevent unauthorized access and disclosure.
Our systems are configured to comply with our password requirements for the creation, protection, length, and complexity of passwords.
Encryption Management
Our System and Communication Protection Policy and Procedure defines the requirements for the encryption of information in transit and at rest (AES 256 and TLS 1.2). We use digital certificates to protect information in transit over web access. We also use Zero Trust Network Access (ZTNA) encrypted tunnels for access to sensitive systems. We use various encryption methods for protecting data at rest. These methods include full disk encryption and application-level encryption.
Systems and Services Acquisition, Development, and Maintenance
We have documented the System and Services Acquisition Policy, Procedure, and System Development Lifecycle (SDLC) Plan. The SDLC Plan states the mandatory steps for secure application development. The plan mandates the identification of security requirements, secure coding practices, code reviews, vulnerability assessment, penetration testing, and remediation.
Supplier Management
Supplier information security and privacy controls are assessed based on their responses to questionnaires tailored to the scope of services they provide. Where controls are found lacking, ineffective, or where information is not available, risks are flagged and reported to the Ontic buyer or vendor relationship owner alongside a description of recommended risk treatment.
For each supplier, a risk level is calculated considering their level of access to information, the classification, sensitivity, and volume of the information being processed. Based on this risk level, vendors are reviewed every 1, 2, or 3 years.
Information Security Incident Management
Our Incident Response Policy and Incident Response Procedure require security incidents to be effectively monitored, reported, and investigated to ensure that corrective actions are taken to control and remediate security incidents in a timely manner. The Incident Response Plan establishes roles and responsibilities for the IT, Information Security, and Technology organizations and outlines the steps to be taken to minimize the impact of a security incident, investigate why, how, and when it happened, identify any weaknesses, and apply appropriate measures to reduce security risks to an acceptable level. The Incident Response Plan is tested and updated at least annually.
Ontic employees can report a security incident through e-mail, which automatically creates a ticket and notifies the Information Security team.
Information security incidents are assessed for breach notification requirements to clients, regulatory bodies, and media. Our Crisis Response Plan describes the required steps for such situations. We will report to customers in writing within 24 hours of becoming aware of any material breach of security of their data.
Business Continuity Management
Our Information System Contingency Plan (ISCP) enables us to respond to a natural or human-initiated disaster to ensure recovery to a normal state of operations in a reasonable time and with minimal loss.
Our ISCP establishes the roles and responsibilities of our teams for efficient management and coordination of the recovery process. The plan provides guidance on the response to an event and is tested and updated on an annual basis.
Privacy Management System
Privacy Notices
We provide transparent and concise Privacy Notices at https://ontic.co/legal/client-and-prospect-privacy-notice.
Data Protection Officer (DPO)
A Data Protection Officer has been appointed in accordance with applicable data protection regulations and best practice and can be reached at privacy@ontic.co.
Controller-Processor Responsibilities
When processing Personal Data in the context of the Ontic Platform, we regard ourselves as the Data Processor. Where we are Data Processor, we provide a standard Data Processing Agreement as an addendum to our contract with clients.
Data Processing Records
We maintain Data Asset and Data Processing Inventories as well as records of Information Security and Data Protection Impact Assessments and lawful bases for processing.
Data Subject Rights
We have implemented procedures to work with our clients so that Data Subjects may exercise their rights to access, rectify, and delete their Personal Data in accordance with applicable data protection regulation. We carry out identity checks to ensure that access to data is not provided to unauthorized persons. If requested, we provide data in common, portable formats, such as .csv or .doc. Where we act as Processor of Personal Data on behalf of a client, we will contact the client for instructions if a request is received directly from a Data Subject.
Privacy and Data Protection Impact Assessments
Privacy and Data Protection by Design has been embedded in all stages of product development, application, and architecture design. Risk Assessments are undertaken for all activities involving Personal Data, and where an activity is deemed to create a high risk to the rights and freedoms of the data subjects, we complete a comprehensive Data Protection Impact Assessment and implement appropriate Technical and Organisational Measures to address such risks.
Breach Management
Our Incident Management Plan ensures proper escalation and management of information security incidents. It includes steps for dealing with low, medium, and high-risk data breaches and meets regulatory and contractual obligations such as notification requirements to data subjects/principals, regulators, and Data Controllers. All incidents are investigated, and appropriate action plans are developed to address any risks identified and to reduce the risk of recurrence.
Data Transfers
Where we transfer Personal Data to another country we rely on Standard Contractual Clauses and UK International Data Transfer Agreement/Addendums for Ontic entities as well as Third-Party Service Providers.
Data Retention and Deletion
Data Retention periods have been defined based on the purpose of processing. At the end of the defined period, Personal Data is destroyed, either by deletion of all data or by anonymization. Where we act as Data Processor, clients may, where agreed in the contract, instruct us to destroy or return data sooner or later than our standard retention period.
Certifications and Assessments
The nature of our business requires Ontic to collect, process, and store personal data of our employees and clients. We manage such information in compliance with regulation and industry best practices.
Service Organisation Control Report (SOC 2 Type II Report)
Ontic has completed the Service Organisation Control (SOC) 2 Type II Report in accordance with TSP 100 and based upon the Trust Services Criteria, with the ability to test and report on the design and operational efficiency of Ontic security controls.
The SOC 2 Report is intended to meet the needs of our clients and employees who require assurance about the effectiveness of controls Ontic has put in place to ensure the security, confidentiality, and availability of their business information and personal data.
Third-Party Vulnerability Assessment and Penetration Test Report
Ontic has engaged an independent security firm to perform vulnerability assessments and penetration testing of our infrastructure and applications. Any vulnerability identified by these assessments is fully remediated. The assessment reports are provided to our customers as and when requested.
The third-party vulnerability and penetration test reports are intended to meet the needs of our clients who require assurance of the technical security of our applications and information technology infrastructure.
CSA Star Certification
CSA STAR registration encompasses the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM).
This registration also confirms that, for our cloud-enabled digital products, we adhere to relevant regulations, standards, and frameworks in information security and data privacy. https://cloudsecurityalliance.org/star/registry/ontic-technologies
Technical Security Controls
Ontic has implemented the physical, technical, and administrative controls listed below to protect client information against cyber threats:
Physical Protection: Ontic utilizes AWS to host all aspects of the Ontic Platform. AWS has implemented the following physical security controls across all of their data centers to ensure that our systems are protected against unauthorized physical access:
Technical Protection: Ontic has implemented the following technical security controls to ensure that our systems can withstand attacks and to allow our security operations to detect and respond in a timely fashion:
- Web Application Firewall
- Network Firewall
- Anti-virus System
- Intrusion Detection System
- Role-based Access Controls
- Database Hardening
- Server OS Hardening
- Patch Management
- Application-Level Encryption
- Database Encryption
- Data Back-ups
Administrative Protection: Ontic has implemented the following administrative security controls to ensure that our systems prevent unauthorized access, modification, or deletion of client data:
- Secure Software Development Life Cycle (Training, SAST, DAST, Pen Testing)
- Vulnerability Management
- Access Management
- Change Management
- Security Monitoring
- Incident Management Procedure and Plan
- Contingency Management Procedure and Plan
- 24×7 Security Monitoring via Security Operations Centre (SOC)
A detailed list of technical security controls implemented by Ontic is available in Appendix 1: Technical Security Controls
Conclusion
Ontic is committed to protecting the information we process and store on behalf of our clients. We fulfill our commitment through an information security management and privacy management program that:
- Is directed by the Governance, Risk and Compliance Committee and executed by the Information Security and Data Privacy teams.
- Implements policies, procedures, plans, and awareness initiatives and enforces the required security measures to protect the environment from security and privacy risks.
- Provides measurements that indicate the level of compliance with approved security standards and established security practices.
- Applies security authorizations to enforce approved standards and policies in order to protect the enterprise.
- Ensures that the appropriate technologies are deployed and in use to detect threats and vulnerabilities.
- Recommends and implements effective corrective actions with an appropriate balance of risks and costs.
Appendix 1: Technical Security Controls
This section of the document describes our technical security controls:
- Defense-in-depth: We have deployed defense-in-depth security controls to protect the information, and we continue to invest in information security and data protection based on risk profiles. This includes application security controls such as Access Controls and Web Application Firewalls; perimeter security controls such as Network Firewalls and Intrusion Prevention and Detection Systems; host security controls such as automated Patching, Server Security and Antivirus; and End User Computing Security controls such as Authentication Controls, Antivirus, Disk Encryption, etc.
- Physical Security & Surveillance: AWS data centers and information processing facilities have physical protections such as 24×7 surveillance, physical security guards, and strict physical access controls.
- Web Application Firewall: We have deployed web application firewalls to protect the web applications from internet-borne threats. The web application firewall prevents well-known web application attacks such as cross-site scripting attacks, SQL injection attacks, malware upload attempts, etc.
- Network Firewalls & Intrusion Detection Systems: We have deployed firewalls and intrusion detection systems for perimeter security, and we operate a Cybersecurity Operations Center to perform firewall log and intrusion analysis. A team of security experts monitors the traffic and alerts us to any network intrusion that is noticed.
- Logical Segregation of Networks: We have performed internal logical segregation of the network using virtual local area networks (VLANs) and access control lists (ACLs).
- Zero Trust Network Access (ZTNA): Access to all sensitive systems is routed through a zero-trust network that validates the security posture of the endpoint and provides an extra layer of encryption for data in transit.
- Single Sign On (SSO) and Two-Factor Authentication (TFA): Authentication to all sensitive systems is done through employees' Google Workspace accounts and requires a second factor for authentication.
- Vulnerability Assessment & Penetration Testing: We perform vulnerability assessments and penetration testing of our applications and remediate the known vulnerabilities before the application is released to production.
- End Point Security Controls: We use Crowdstrike Falcon and Rapid7 InsightIDR to secure our servers, desktops, and laptops. We also configure all laptops with Full Disk Encryption.
- Digital Certificates and Secure Sockets Layer (SSL): Our web-facing applications have digital certificates and provide assurance on data security in transit from the client end to the server end.
- Mobile Device Management: We have implemented the Jamf Pro mobile device management system to enforce information security controls on mobile devices.
- Anti-Virus / Anti-Malware: We have deployed real-time anti-virus scanning across all endpoints to prevent the installation and execution of malicious software.
- Web Content Filter: We have deployed a Web Content Filter across the organization to block employees from accessing inappropriate and malicious websites and to prevent the downloading of dangerous file types.