Updated: December 2020
01. Ontic Security Manual Overview
The purpose of the Ontic Technologies, Inc. (“Ontic”) security manual is to outline the security policies and processes Ontic has implemented. The policies highlighted in this document ensure a secure environment in which Ontic’s technology, client data, Ontic’s clients and Ontic employees can operate. The processes, protocols and tools in place reduce risk towards hardware, network, and services operated and offered by Ontic.
Ontic Technologies, Inc. works with independent third party auditors to undergo audits, reviews and to receive certifications disclosing compliance. Ontic is SOCII compliant and Ontic’s service commitments and system requirements were achieved based on the trust services criteria relevant to Security, Availability, and Confidentiality (applicable trust services criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria). Ontic’s management team includes an internal audit team that is responsible for its service commitments and system requirements and for designing, implementing, and operating effective controls within the system to provide reasonable assurance that Ontic’s service commitments and system requirements are achieved.
Ontic is compliant in accordance with the Security Final Rule established by the Department of Health and Human Services under the Health Insurance Portability and Accountability Act (HIPAA) of 1996. As detailed in the Ontic Employee Handbook, each employee undergoes extensive security training to ensure compliance. Although Ontic is not a covered entity under HIPAA, Ontic strives to be fully compliant with the requirements of HIPAA. Therefore, Ontic has adopted a separate HIPAA Privacy and Security Plan, a copy of which is provided to every employee upon commencement of employment by Ontic and during HIPAA training that is provided to each employee of Ontic at least annually.
There is a formal internal ethics policy in place to ensure professional ethics and business practices that are implemented and maintained. The policy addresses security processes around all technological components, roles, responsibilities, standards, guidelines and procedures that are utilized for communicating to appropriate employees and service providers.
03. Human Resource Policies
Summary of Employee Handbook Security Policies
Ontic Technologies, Inc. has an employee handbook that is accessible by all employees and includes a summary of the employee benefits, personnel policies, and employment regulations in effect. For the purpose of this security manual the sections of the employee handbook pertaining to security are summarized. Employee security awareness training is detailed in the Employee Handbook and employment agreements cover accountability, awareness and acceptance of the Acceptable Use Policy outlined in the Asset Management Policy. Employee agreements cover accountability, awareness and acceptance of confidentiality and non-disclosure agreements along with the acceptance of all security policies, standards and procedures.
Employee Background Checks
Ontic performs an appropriate background investigation to evaluate a job candidate’s qualifications, character, fitness, and to identify potential hiring risks for safety and security reasons. Ontic complies with applicable laws, including but not limited to the Fair Credit Reporting Act, in conducting background checks.
Internet access and virus detection
To ensure security and to avoid the spread of viruses, employees accessing the Internet through a computer attached to Ontic’s network must do so through an approved Internet firewall. Accessing the Internet directly without use of Ontic’s firewall is strictly prohibited unless the computer is not connected to Ontic’s network.
Protecting personally-identifiable information, protected health information, confidential and proprietary information, or other sensitive or confidential information (collectively, “protected information”) is a critical goal of Ontic. All new employees are trained on security policies, procedures, and technical security controls and have the necessary skills and training to carry out their assigned duties and to ensure the security of protected information maintained by Ontic. All employees receive updated annual Information Security training by January 31st of each year. Ontic requires a written statement from each employee confirming the employee has received the necessary training and is aware of and understands Ontic’s security policies.
Ontic Employee Account Security Policy
All Ontic employees and select contractors with access to privileged information agree to utilize and maintain industry standard security procedures including MFA, password requirements and automatic software updates to ensure the protection of sensitive and proprietary information.
04. Asset Management Policy
Asset Management Policy
Ontic has a formalized Asset Management Policy approved by management that addresses roles, responsibilities, software and hardware inventory processes, inventory data storage, asset tracking, and asset life cycle management. Program awareness training is provided annually for employees. Processes are in place to address how data is managed, stored and segmented. Employees and service providers do not have the ability to view an unencrypted version of regulated or confidential information. Ontic has encryption management policies in place with procedures and standards to ensure secure handling and storage of confidential and highly sensitive data. Ontic has a formalized data retention and destruction policy with procedures that includes handling information on live media and backup/archived media. All media containing highly sensitive data is disposed of securely and all media disposal processes are logged to maintain an audit trail.
Media Destruction Policy
Ontic has a formalized management approved Media Destruction Policy. The media destruction policy applies to any computer/technology equipment or peripheral device that is no longer needed within Ontic. Ontic has an internal asset protection team that is responsible for verifying compliance to the policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
Removable Media Policy Summary
Ontic has a formalized management approved Removable Media Policy. The purpose of the policy is to minimize the risk of loss or exposure of sensitive information maintained by Ontic and to reduce the risk of acquiring malware infections on computers operated by Ontic. Ontic employees may use only Ontic removable media in their work computers.
Acceptable Use Policy Summary
Ontic has a formalized management approved Acceptable Use Policy. The policy applies to the use of information, electronic and computing devices, and network resources to conduct Ontic business or interact with internal networks and business systems, whether owned or leased by Ontic , the employee, or a third party. All employees, contractors, consultants, temporary, and other workers at Ontic and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with Ontic policies and standards, and local laws and regulations.
05. Physical Security and Resilience
Business Resiliency + Disaster Recovery
Ontic has an executive-approved Business Continuity policy that applies to all employees and third-party vendors. The policy does not detail the response to a Business Continuity incident; rather, it provides a set-up of activities for establishing a Business Continuity capability and the on-going management and maintenance, including planning, development, training and exercising of response arrangements. The policy applies to disruptive events which may impact Ontic Technologies Inc.’s ability to deliver its business objectives to its customers. Ontic has a Business Continuity Management System (BCMS) in place that dictates the governance of the program. In accordance with the BCMS Ontic will produce business impact analysis, business continuity risk assessments, activation and recovery plans, training and awareness programs and debrief reports. Per ISO22301, Ontic Technologies Inc. applies the “Plan-Do-Check-Act” (PDCA) model to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of the organization’s BCMS.
Physical and Environmental Security
Ontic has a Physical and Environmental Security policy in place to protect physical access to Ontic information technology, hardware, and systems in order to reduce the risk of harm to assets and to enable safe functioning of Ontic processes. Ontic ensures entry to secured areas is restricted to authorized users. Employees shall not lend their smart card to anyone, or allow anyone to follow them through card-controlled doors. Access rights are revoked immediately for staff who terminate employment with Ontic Technologies Inc. In accordance with the Visitor Access Management Policy other visitors can be granted access for specific and authorized purposes only, and shall be supervised.
06. Access Control Policy
Ontic has a management approved formalized Access Control Policy that specifies the approval and provisioning requirements to access applications, operating, database and network systems. Access control rules and procedures are required to regulate who can access the Ontic’s information resources or systems and the associated access privileges. The policy applies at all times and should be adhered to whenever accessing Ontic information in any format, and on any device.
Control activities provide reasonable assurance that logical access to relevant applications, data, and system resources is restricted to properly authorized individuals and programs. Ontic Tech Operations team is responsible for configuration and administration of the firewall and security groups to control security and access to “internal” network infrastructure. Ontic defines user access using a role-based access control (RBAC) approach, where role is used to determine user access privileges required. All sensitive data used by the system is stored encrypted, and direct access privilege to data store instances is given to database administrators only. There is no direct end-user access to data store; end-user access is available only via the application.
07. Application and Information Security
Backend Security Policy Overview
Ontic has a system security policy to ensure that information systems are always operating optimally in the most secure manner possible. This Systems Security Policy applies to all information systems and information system components of Ontic. Specifically, it includes; Servers and other devices that provide centralized computing capabilities, Database Maintenance, Load Balancers, Firewalls and antivirus software that provide dedicated security capabilities. The firewalls should block all unneeded inbound and outbound traffic and only enable administrative access from computers used by system administrators.
Cloud Hosting and Maintenance
The Ontic platform is designed to provide a strong level of enterprise grade security. Ontic is a SaaS platform deployed on the cloud. Network level security is managed by the Cloud Provider with application level security managed by Ontic. The Cloud Provider restricts client access to their data centers, and network security system to enhance their security. The Cloud Provider verifies their network security and has best in class security features and world – class protection.
The Ontic Platform is hosted by Amazon Web Services. The Hardware and software maintenance agreement with Amazon are detailed at http://aws.amazon.com/agreement, http://aws.amazon.com/ec2-sla. The Ontic operations team is responsible for configuration and administration of the firewall and security groups to control security and access to internal network infrastructure. IT operations team that ensures that equipment is properly maintained with services such as anti-virus software and software updates. IT Operations and development team ensures that information on equipment or elsewhere is kept private and protected. Access to the system is controlled according to the roles and responsibilities of the employees/users. Access to the monitoring tools is restricted to IT Operations team members with System Admin Privileges. Ontic has operations policies in place to address equipment and server outages and application outages.
Ontic has a dedicated team with identified roles and responsibilities that handles application access, application program security, application management and security reviews. Only authenticated and authorized users can view, create, modify, or delete information managed by applications. Two-factor authentication is required when accessing sensitive information. Per the Access Control Policy, passwords must be protected and are masked when entered and displayed.. The dedicated application security team handles application program interface (API) security reviews. The API is tested for security weaknesses and APIs have the ability to alert, block, or lock based on rate limits.
Each Ontic customer receives their own database instance. This ensures customer data is not co-mingled with any other Ontic customer. Additionally, end users never interface directly with the database and they cannot issue SQL commands. This ensures that data is secure from a variety of SQL based attacks. Ontic’s network facing system limits access to only the load balancing servers and the direct UI facing servers. All data storage and application devices are protected from direct access to the Internet. Ontic’s databases are hardened against common attack forms. Ontic end users are never given access or exposed directly to the databases that comprise the system.
Ontic development has a formal policy that requires all changes to code be reviewed for security implications. Static and dynamic security scans are performed for every major code release. Ontic performs quarterly penetration tests using a commercially available system. Results of the penetration testing are available upon request. Ontic does not allow clients to perform network level penetration testing on the multi-tenant system
Data Security Policy and Data Classification
Data Security Policy control activities provide reasonable assurance that data maintains its integrity and security as it is transmitted between third parties and the service organization.
Proper data classification is established in Ontic applications. Access controls are based on data classification. Data owned, used, created or maintained by Ontic are classified as either Public, Internal Use Only, Confidential, or PII.
Ontic has a formalized Cryptographic Controls Policy with associated Data Handling Procedures that establish requirements for the use of encryption techniques to protect sensitive data both at rest and in transit. This policy defines the controls and related procedures for the various areas where encryption and other cryptographic techniques are employed. Ontic encrypts data at rest and data in transit.
Data Backup and Restoration
Ontic has management-approved data retention policies and procedures that govern actions taken for data backups and data restoration. Ontic’s system performs periodic backup of data via custom scripts, which can be utilized in data recovery and data loss prevention scenarios. At any point of time Ontic has 3 snapshots of recoverable data stored across different regions and zones.
Server and Database Security Administration
A multi-step login process is required for backend access by Ontic personnel. Access to Ontic’s servers and databases is limited to authorized employees only, with a dedicated system administration team. The system administrator password of server applications is under the control of a minimum of two authorized employees. All administrative access is logged as well as the activities of administrators.
08. Incident/Event/Change Management Policy
Overview of Change Management Policy
Ontic has a formalized Change Management policy that has been approved by management. The full policy can be reviewed upon request. The policy is intended to define and describe a consistent change management process for all changes implemented to Ontic’s information technology (IT) production systems. The goal of the policy is to ensure standardized methods and procedures are used for efficient and prompt handling of all changes.
Ontic has standards and guidelines in place that specify scope and requirements for conducting recurring code reviews of internal and external applications for security issues, vulnerabilities and defects before deployment. Secure code reviews are required and performed upon major code changes or releases and/or annually as dictated by the software development lifecycle. New software, including patches, feature releases and other updates must be tested in an environment that is segregated from the development and production environments. Automated updates will not be used on critical systems. All changes (other than minor changes pre-approved by the CTO that have no impact on the delivery of IT services) to the production systems fall under the purview of the Change Management policy.
When new systems are introduced, upgraded, or enhanced, information security requirements are specified and implemented based on pre-approved standards and guidelines. Controls and associated processes are related to security specifications such as authentication, access control, provisioning and training. Security specifications are implemented prior to the introduction of new information systems, upgrades, or enhancements to the environment. There is an operation policy in place pertaining to production environment changes that has been approved by management. Changes to the production environment, including network, systems, application updates, and code changes are subject to pre-approved standards and guidelines. Information security specifications are identified using requirements from policies and regulations, threat modeling, incident reviews, or use of vulnerability thresholds.
Ontic maintains a robust Security Incident Management Plan that organizes resources to respond in an effective and efficient manner to an adverse event. An adverse event would be a malicious code attack, unauthorized access to managed systems, unauthorized utilization, a denial of service attack, or general misuse of the Ontic platform. The Incident Management Plan defines the procedures and the communication plan that Ontic will use to promptly notify affected clients. A limited number of Ontic information technology personnel and support personnel have access to production SQL databases as needed. This access is only as needed by request by customers, or as identified through monitoring procedures. Ontic has procedures in place to prevent and mitigate a Distributed Denial of Service (DDOS) attack. The Ontic application is set behind Firewalls jointly managed by the Cloud Provider and Ontic. In addition, all internet traffic terminates in load balancing servers with dynamic IP addresses. Ontic continuously monitors the key parameters for all services or any unusual activity.
The Incident Management Plan includes an incident response process. The Incident Response Process is an escalation process where as the impact of the incident becomes more significant or wide spread, the escalation level increases bringing more resources to bear on the problem.
09. Ontic End-User Security
Management has approved a formalized password policy that clearly specifies the requirements and restrictions. Specifications include password length and complexity and there are automated processes in place to restrict access after a number of invalid login attempts.
Support Incident Management
The purpose of the Support Incident Management policy is to provide directions on how a support incident is reported, process of classifying, recording and management of reported incidents. The policy applies to all the issues or requests coming to Ontic from client platform users. Security incidents are managed with the same policy. Support tickets are managed as appropriate for the severity and in compliance with commercial standards and in accordance with each client’s MSA.