Updated: March 2023
This document describes the technical and organizational security measures and controls implemented by Ontic to protect personal data and ensure the ongoing confidentiality, integrity and availability of Ontic’s products and services.
This document is a high-level overview of Ontic’s technical and organizational security measures and controls. Additional details on these measures and controls may be available upon request. Ontic reserves the right to revise these technical and organizational security measures and controls at any time, without notice, so long as any such revisions do not materially reduce or weaken the protections provided.
02. Measures and Controls
2.1 Confidentiality & Integrity: The following measures and controls are utilized to prevent the unauthorized access, modification or deletion of personal and other confidential data.
- Encryption of all data in transit using TLS 1.2 or higher
- Encryption of all data at rest using AES-256
- Each Ontic client has a dedicated database
- Access controls using the principle of least privilege
- Data Loss Prevention (DLP) rules
- Role-based access requiring strong passwords, VPN and Multi-factor authentication (MFA) for access to client data or production infrastructure
- Equivalent or stronger security requirements for cloud service providers where data is processed and stored
- Stateful firewalls, security groups and access control lists
- Web Application Firewall (WAF)
- Intrusion detection and prevention (IDS/IPS)
- Separation of production and non-production environments
- Mobile Device Management (MDM)
- Full Disk Encryption
- Incident Detection and Response (IDR)
- File Integrity Monitoring (FIM)
- Automated updates/patching
- Annual assessments of locations used to provide products and services
- Badge access for entry
- Visitor management requiring identification and escorting
- Video surveillance
- Clean Desk policy
- Secure document storage and disposal
Secure Application Development:
- OWASP Top 10 secure development training and testing
- Static Application Security Testing (SAST)
- Third party web application penetration testing
Vulnerability, Threat and Risk Management:
- Regular vulnerability scanning
- Monitoring of threat intelligence feeds
- Annual risk assessments
- Vendor risk management program
- Senior level information security risk management committee
- Risk register updated and reviewed quarterly
2.2 Availability: The following measures and controls are utilized to ensure high availability of the Ontic platform, the quick resolution of incidents and rapid recovery from disasters.
- High availability architecture
- Denial of Service (DoS) protection
- Daily and weekly backups
- Documented and tested incident response plan
- Documented and tested disaster recovery plan
2.3 Review, Assessment and Evaluation: The following measures and controls are utilized to ensure that the Ontic information security policies are being followed and that the information security program is effective.
Audit and Reviews:
- Annual SOC 2 Type 2 audit
- Annual HIPAA Security Compliance Assessment
- Third Party Penetration tests
- Internal audits of security controls
Monitoring and Alerting:
- Security logs captured, reviewed and retained in a Security Information and Event Management system (SIEM)
- 24×7 monitoring and alerting
- Third party Incident Response team on retainer
2.4 Organizational Security: The following measures and controls are utilized to ensure that Ontic, as an organization, is able to protect our clients’ data.
- Dedicated Information Security staff
- Separation of Duties
- Information Security Policies reviewed and updated annually
- Annual Data Privacy and Information Security awareness training
- Employee background checks
- Employee confidentiality agreements
- Employee Handbook and Acceptable Use policy
- Foreign Corrupt Practices and Anti-Bribery Policy
03. Related Documents
3.1 Ontic Security Policies
- Ontic Security Policy: High level Ontic Security Policy document that calls out security requirements that all Ontic employees must know and follow.
- Ontic Security Policy – Acceptable Use: Policy related to the acceptable use of Ontic hardware and Ontic communications systems.
- Ontic Security Policy – Access Control: Policy related to how access to sensitive information and information systems will be secured, granted, tracked and revoked.
- Ontic Security Policy – Asset Management: Policy related to the tracking of hardware and software assets.
- Ontic Security Policy – Business Continuity & Disaster Recovery: Policy related to requirements for creating and testing business continuity and disaster recovery plans.
- Ontic Security Policy – Change Management: Policy related to managing application and infrastructure changes that could potentially impact the security of Ontic data and our clients’ data.
- Ontic Security Policy – Cloud Security: Policy related to securing cloud infrastructures used to host client facing applications.
- Ontic Security Policy – Compliance Risk Management: Policy related to requirements for identifying and managing risks associated with laws, regulations, guidelines and contracts.
- Ontic Security Policy – Data Storage and Destruction: Policy related to the protection of data at rest, backups, retention periods and destruction.
- Ontic Security Policy – Encryption: Policy related to how and when encrypting sensitive data is required, how encryption keys must be managed and what encryption technologies may be used.
- Ontic Security Policy – End User Computing: Policy related to securing workstations, laptops and other mobile devices used by Ontic employees and contractors to conduct Ontic business.
- Ontic Security Policy – Incident Response: Policy related to the response to information security or data privacy related incidents.
- Ontic Security Policy – Logging and Monitoring: Policy related to what information must be captured in application and infrastructure logs and how those logs must be stored and monitored for suspicious activity.
- Ontic Security Policy – Office and Work Space: Policy related to physical security requirements for Ontic facilities and home office setups.
- Ontic Security Policy – Privacy: Policy related to the requirements for protecting the confidentiality, integrity and availability of personal information.
- Ontic Security Policy – Secure Software Development: Policy related to the development of secure applications.
- Ontic Security Policy – Risk Management: Policy related to the identification, assessment and tracking of risks to Ontic and our clients.
- Ontic Security Policy – Vendor Risk Management: Policy related to the identification, assessment and tracking of risks to Ontic and our clients specifically related to vendors and subprocessors.
- Ontic Security Policy – Vulnerability Management: Policy related to the identification, assessment, mitigation, tracking and reporting on vulnerabilities in Ontic systems.
3.2 Ontic privacy statement: https://ontic.co/privacy
04. Revision History
Date of Change
Summary of Change
Ontic InfoSec & Risk Management Committee
Incorporated content from the old Ontic Security Manual.
Ontic InfoSec & Risk Management Committee