Trust & Security

Security Built Into Everything.

As an IT consulting firm, security is not an afterthought — it's foundational to everything we do. Here's exactly how we protect your data, our systems, and your business.

Last Reviewed: February 17, 2026
Applies To: All Ornetis Operations
Owner: CISO / Security Team

Section 01

Our Security Philosophy

At Ornetis, security is not a product feature or a department — it is a company-wide discipline embedded in every process, every system, and every engagement. We apply the same security standards we recommend to our clients to our own operations.

Our approach is built on three principles: Defense in Depth (multiple overlapping controls), Least Privilege (access only to what's needed), and Zero Trust (verify continuously, trust nothing by default).

We continuously review and improve our security posture through internal audits, third-party assessments, and threat intelligence monitoring. Security is a continuous journey, not a destination.

Section 02

Compliance Frameworks

Ornetis aligns with industry-leading security and compliance frameworks to ensure our practices meet and exceed regulatory requirements:

  • ISO 27001: Information Security Management System standard. Status: Aligned
  • NIST CSF: Cybersecurity Framework for risk management. Status: Aligned
  • GDPR: EU General Data Protection Regulation. Status: Compliant
  • HIPAA: Healthcare data security (where applicable). Status: Ready
  • PCI DSS: Payment card data security standards. Status: Ready
  • SOC 2 Type II: Service organization security controls. Status: In Progress

We hold and maintain documentation to demonstrate compliance. Clients may request relevant security documentation under NDA for due diligence purposes.

Section 03

Data Protection

All data entrusted to Ornetis — whether client data, personal data, or project information — is protected by multiple layers of security:

  • Encryption in transit: All data transmitted over networks uses TLS 1.3 or higher; older protocols are explicitly disabled
  • Encryption at rest: All stored data is encrypted using AES-256; encryption keys are managed using industry-standard key management systems
  • Data classification: We classify data by sensitivity (Public, Internal, Confidential, Restricted) and apply controls appropriate to each level
  • Data minimization: We collect and retain only data necessary for the stated purpose
  • Secure deletion: Data is securely wiped or destroyed using NIST 800-88 guidelines when no longer needed
  • Backup integrity: Regular automated backups with integrity verification; tested restoration procedures

Section 04

Network Security

Firewalls & Network Segmentation

Next-generation firewalls with intrusion prevention. Networks are segmented to limit lateral movement in the event of a breach. Sensitive systems operate in isolated network zones.

Continuous Monitoring & SIEM

24/7 security event monitoring using a Security Information and Event Management (SIEM) system. Alerts are triaged and investigated in real time by trained security personnel.

Intrusion Detection & Prevention

IDS/IPS systems monitor traffic patterns for anomalies. Automated blocking of known malicious IP addresses, domains, and attack signatures via threat intelligence feeds.

DDoS Protection

Cloud-based DDoS mitigation in front of all internet-facing systems. Capacity to absorb and filter volumetric, protocol, and application-layer attacks.

Section 05

Access Controls

Access to systems and data is strictly controlled at every level:

  • Multi-Factor Authentication (MFA): Required for all employees on every system that processes sensitive data, including email, cloud environments, and collaboration tools
  • Role-Based Access Control (RBAC): Access is granted based on job role and the principle of least privilege; no user has more access than required for their function
  • Privileged Access Management (PAM): Privileged accounts (admin, root) are managed in a PAM vault with just-in-time access provisioning and full audit logging
  • Access reviews: Quarterly access reviews ensure permissions remain appropriate; terminated employees' access is revoked within one hour of departure
  • Single Sign-On (SSO): Centralized identity management with SSO reduces credential sprawl and simplifies access governance

Section 06

Physical Security

Physical security controls protect our office environments and any on-premise infrastructure:

  • Office access requires key card authentication; visitor access is logged and escorted
  • Sensitive hardware and physical media are stored in locked cabinets or secured server rooms
  • CCTV surveillance in all server and infrastructure areas with 90-day retention
  • Clean desk and screen lock policies are enforced for all employees
  • Secure shredding for all physical documents containing sensitive information
  • Third-party data centers used by Ornetis maintain SOC 2 Type II or ISO 27001 certification

Section 07

Application Security

Security is integrated throughout the software development and delivery lifecycle (DevSecOps):

  • Secure coding practices: Developers follow OWASP guidelines; code reviews include security checks before merging
  • Static Application Security Testing (SAST): Automated vulnerability scanning on every code commit
  • Dynamic Application Security Testing (DAST): Runtime vulnerability scanning of web applications in staging environments
  • Penetration testing: Annual third-party penetration tests on all client-facing and internal systems; critical findings remediated within 72 hours
  • Dependency management: Automated scanning of third-party libraries for known CVEs; patches applied within defined SLAs based on severity
  • Web Application Firewall (WAF): WAF deployed in front of all web-facing applications

Section 08

Vendor & Supply Chain Security

We apply rigorous security criteria to all vendors and partners who may access our systems or client data:

  • Security assessment questionnaire and review before onboarding any vendor with data access
  • Contractual security requirements and data processing agreements (DPAs) with all vendors processing personal data
  • Annual vendor reviews and continuous monitoring of critical suppliers
  • Vendor access is scoped to the minimum required and logged; remote access uses VPN with MFA
  • Software bill of materials (SBOM) maintained for key client-facing applications

Section 09

Incident Response

We maintain a comprehensive Incident Response Plan (IRP) aligned to NIST 800-61. Our process covers:

  • Preparation: Trained incident response team, defined playbooks for common incident types, pre-authorized tools
  • Detection & Analysis: 24/7 SIEM monitoring; incidents triaged within 1 hour of detection
  • Containment: Automated and manual containment actions; isolation of affected systems
  • Eradication & Recovery: Root cause analysis, patching, and clean system restoration; full documentation required
  • Post-Incident Review: Lessons-learned analysis and process improvement within 30 days of incident closure

In the event of a data breach affecting client data, we will notify affected clients within 24 hours of confirmed breach discovery, and notify regulatory authorities within the legally required timeframe (72 hours under GDPR).

Section 10

Business Continuity & Disaster Recovery

Ornetis maintains a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to ensure service resilience:

  • Recovery Time Objective (RTO): Critical systems restored within 4 hours
  • Recovery Point Objective (RPO): Maximum 1 hour of data loss for critical data
  • Automated daily backups with geographic redundancy across multiple data center regions
  • Quarterly DR drills and tabletop exercises to validate recovery procedures
  • Redundant internet connections and failover systems for critical infrastructure
  • All critical data and systems replicated to geographically separate backup environments

Section 11

Employee Security Training

Every Ornetis team member is a line of defense. Our security culture is built through:

  • Mandatory security awareness training during onboarding and annually thereafter
  • Regular phishing simulation exercises with remediation training for failures
  • Role-specific security training for developers, system administrators, and client-facing staff
  • Security champions program with dedicated ambassadors in each team
  • Monthly security briefings on emerging threats and company-specific risks
  • Clear acceptable use policies with acknowledgment required annually

Section 12

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities in our systems or website. If you discover a potential security issue, please:

  • Report the vulnerability to info@ornetis.com as soon as possible
  • Include a clear description and, if possible, steps to reproduce the issue
  • Allow us a reasonable time (typically 90 days) to investigate and remediate before public disclosure
  • Avoid accessing, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability

We commit to acknowledging your report within 48 hours, keeping you informed of progress, and crediting researchers in any public disclosure (with permission). We do not pursue legal action against researchers acting in good faith.

Section 13

Contact Our Security Team

For security concerns, vulnerability reports, compliance inquiries, or to request our security documentation:

Ornetis Security Team

info@ornetis.com

For general privacy matters, contact info@ornetis.com.
For legal and compliance documentation requests, contact info@ornetis.com.

For emergency security incidents involving Ornetis client systems, contact your account manager directly or call our 24/7 incident response line listed in your service agreement.