International Security Standard | 02/2026

Trust and Security Center
LegallyMail

Our infrastructure is hardened by strictly following the NIST Cybersecurity Framework (CSF).
Radical transparency about how we protect your most critical data.

Status
100% Secure
LegallyMail
E2E Encryption
Active
100%
Compliance

Committed to Your Security

At LegallyMail, we align our security controls with the NIST Cybersecurity Framework (CSF), the international gold standard for managing cyber risk. Our commitment is to protect the confidentiality, integrity and availability of your certified communications.

Controls implemented: 103
Total controls: 103

Our Security Posture

NIST Framework Breakdown

🎯
Identify
100% Implemented

Develop an organizational understanding to manage cybersecurity risk.

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy
🛡️
Protect
100% Implemented

Implement safeguards to ensure delivery of critical services.

  • Access Control
  • Awareness and Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology
🔍
Detect
100% Implemented

Develop activities to identify the occurrence of a cybersecurity event.

  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes
Respond
100% Implemented

Take action regarding a detected cybersecurity incident.

  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements
♻️
Recover
100% Implemented

Maintain resilience plans and restore any capabilities or services that were impaired.

  • Recovery Planning
  • Improvements
  • Communications

Implemented Controls

Detailed transparency about our active security controls

Asset Management
ID.AM-1

Physical devices and systems within the organization are inventoried

Evidence:
Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.
ID.AM-2

Software platforms and applications are inventoried

Evidence:
Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.
ID.AM-3

Organizational communication and data flows are mapped

Evidence:
Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.
ID.AM-4

External information systems are catalogued

Evidence:
Third-party service documentation, integration records
ID.AM-5

Resources are prioritized based on their classification, criticality, and business value

Evidence:
Data Classification Policy.md, Database Encryption Architecture.
ID.AM-6

Cybersecurity roles and responsibilities are established

Business Environment
ID.BE-1

The organization's role in the supply chain is identified and communicated

Evidence:
Service provider documentation, TSA integration, Stripe payment processing
ID.BE-2

The organization's place in critical infrastructure is identified

Evidence:
Service architecture documentation, critical service monitoring
ID.BE-3

Priorities for organizational mission, objectives, and activities are established

Evidence:
NIST compliance framework, GDPR compliance, service SLAs
ID.BE-4

Dependencies and critical functions are established

Evidence:
Service dependency mapping, critical function documentation
ID.BE-5

Resilience requirements to support delivery of critical services are established

Evidence:
Service status dashboard, maintenance mode system, error handling framework
Governance
ID.GV-1

Organizational cybersecurity policy is established and communicated

Evidence:
Cybersecurity Policy.md, NIST CSF Compliance Dashboard, GDPR Compliance Documentation, Security Policies Library, Cybersecurity Leadership Designation Records
ID.GV-2

Cybersecurity roles and responsibilities are coordinated and aligned

Evidence:
Internal security coordination, admin role structure
ID.GV-3

Legal and regulatory requirements are understood and managed

ID.GV-4

Governance and risk management processes address cybersecurity risks

Evidence:
NIST compliance dashboard, risk assessment through compliance monitoring
Risk Assessment
ID.RA-1

Asset vulnerabilities are identified and documented

Evidence:
Past audit with Claude Sonnet 4.5 in January 2026
ID.RA-2

Cyber threat intelligence is received from information sharing forums

Evidence:
Composer security advisories, dependency monitoring
ID.RA-3

Threats, both internal and external, are identified and documented

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RA-4

Potential business impacts and likelihoods are identified

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RA-5

Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RA-6

Risk responses are identified and prioritized

Evidence:
Security improvements, vulnerability patching process
Risk Management Strategy
ID.RM-1

Risk management processes are established, managed, and agreed to

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RM-2

Organizational risk tolerance is determined and clearly expressed

Evidence:
NIST CSF compliance, GDPR compliance, security headers implementation
ID.RM-3

The organization's determination of risk tolerance is informed by its role

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

Access Control
PR.AC-1

Identities and credentials are issued, managed, verified, revoked, and audited

Evidence:
Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.
PR.AC-2

Physical access to assets is managed and protected

Evidence:
Hetzner ISO 27001 certification, data center security documentation
PR.AC-3

Remote access is managed

Evidence:
Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.
PR.AC-4

Access permissions and authorizations are managed

Evidence:
Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.
PR.AC-5

Network integrity is protected (e.g., network segregation)

Evidence:
Network Security Protocol.md, SSL Labs A+ Report, Cloud Firewall Configuration.
PR.AC-6

Identities are proofed and bound to credentials

Evidence:
Email verification system, email_verified column in users table
PR.AC-7

Users, devices, and assets are authenticated

Awareness and Training
PR.AT-1

All users are informed and trained on cybersecurity awareness

Evidence:
Privacy policy, terms of service, GDPR compliance documentation
PR.AT-2

Privileged users understand their roles and responsibilities

Evidence:
Admin dashboard with security controls, role-based access documentation
PR.AT-3

Third-party stakeholders understand their roles and responsibilities

Evidence:
Vendor agreements, partner documentation, API documentation
PR.AT-4

Senior executives understand their roles and responsibilities

PR.AT-5

Physical and cybersecurity personnel understand their roles

Evidence:
Admin role documentation, Hetzner security procedures
Data Security
PR.DS-1

Data-at-rest is protected

Evidence:
By Google Cloud (external provider)
PR.DS-2

Data-in-transit is protected

PR.DS-3

Assets are formally managed throughout removal, transfers, and disposition

Evidence:
User data management, certified_emails retention, data export capabilities
PR.DS-4

Adequate capacity to ensure availability is maintained

Evidence:
Hetzner infrastructure monitoring, service status tracking
PR.DS-5

Protections against data leaks are implemented

Evidence:
HASH 256 AES bits in sensitive data
PR.DS-6

Integrity checking mechanisms verify software and information integrity

PR.DS-7

Development and testing environment(s) are separate from production

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.DS-8

Integrity checking mechanisms verify hardware integrity

Evidence:
Hetzner infrastructure security, ISO 27001 certification
Information Protection Processes and Procedures
PR.IP-1

A baseline configuration of systems is created and maintained

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.IP-2

A System Development Life Cycle to manage systems is implemented

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.IP-3

Configuration change control processes are in place

Evidence:
Git repository, .env file management, version control practices
PR.IP-4

Backups of information are conducted, maintained, and tested

Evidence:
Backup And Recovery Policy.md, Hetzner Backup Logs, Google Drive Forensic Archival Records.
PR.IP-5

Policy and regulations regarding the physical operating environment

Evidence:
Hetzner data center certifications, environmental controls documentation
PR.IP-6

Data is destroyed according to policy

Evidence:
Data Retention Disposal Policy.md, Hard Delete Database Functions, Backup Rotation Policy.
PR.IP-7

Protection processes are improved

Evidence:
NIST compliance dashboard, regular security updates, dependency updates
PR.IP-8

Effectiveness of protection technologies is shared

Evidence:
Internal security reviews, NIST compliance public page
PR.IP-9

Response and recovery plans are in place and managed

PR.IP-10

Response and recovery plans are tested

Evidence:
Backup And Recovery Policy.md, Hetzner Backup Logs, Google Drive Forensic Archival Records.
PR.IP-11

Cybersecurity is included in human resources practices

PR.IP-12

A vulnerability management plan is developed and implemented

Evidence:
Vulnerability Management Policy.md, Composer.lock Security Scan History.
Maintenance
PR.MA-1

Maintenance and repair of assets are performed and logged

Evidence:
Maintenance Approval Process.md, Git Commit History With Detailed Logs, Hetzner Infrastructure Maintenance Logs, SSH Access Logs, Development Workflow Documentation
PR.MA-2

Remote maintenance of assets is approved, logged, and performed

Evidence:
Server access logs, admin activity monitoring
Protective Technology
PR.PT-1

Audit/log records are determined, documented, implemented, and reviewed

Evidence:
Logging Auditing Policy.md, MariaDB Binary Logs, Application Error Logs.
PR.PT-2

Removable media is protected and its use restricted

Evidence:
File upload validation, allowed file type restrictions
PR.PT-3

The principle of least functionality is incorporated

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.PT-4

Communications and control networks are protected

Evidence:
Network Security Protocol.md, SSL Labs A+ Report, Cloud Firewall Configuration.
PR.PT-5

Mechanisms are implemented to achieve resilience requirements

Evidence:
ErrorController, maintenance mode, service_status monitoring, Hetzner backups

Anomalies and Events
DE.AE-1

A baseline of network operations and expected data flows is established

Evidence:
Service status monitoring, normal operation baselines
DE.AE-2

Detected events are analyzed to understand attack targets and methods

Evidence:
Error logs, admin notification system, support ticket analysis
DE.AE-3

Event data are collected and correlated from multiple sources

Evidence:
Logging Auditing Policy.md, MariaDB Binary Logs, Application Error Logs.
DE.AE-4

Impact of events is determined

Evidence:
Service status levels, impact assessment in monitoring
DE.AE-5

Incident alert thresholds are established

Evidence:
PasswordResetLimiter.php, rate_limits table, API rate limiting
Security Continuous Monitoring
DE.CM-1

The network is monitored to detect potential cybersecurity events

Evidence:
Hetzner infrastructure monitoring, rate_limits table, authentication logs, service status dashboard, admin alerts for suspicious activity
DE.CM-2

The physical environment is monitored to detect cybersecurity events

Evidence:
Hetzner data center monitoring, environmental controls
DE.CM-3

Personnel activity is monitored to detect cybersecurity events

Evidence:
Login logs, session tracking, admin activity logs, rate_limits enforcement, email usage patterns, anomaly detection for bulk sending
DE.CM-4

Malicious code is detected

Evidence:
File upload validation, MIME type checking, input sanitization
DE.CM-5

Unauthorized mobile code is detected

Evidence:
Code Integrity Detection.md, Restrictive CSP Implementation In Init.php, File Upload MIME Validation Logic.
DE.CM-6

External service provider activity is monitored

Evidence:
Stripe webhook monitoring, email service status tracking
DE.CM-7

Monitoring for unauthorized personnel, connections, devices, and software

Evidence:
Session tracking, authentication logs, rate limiting system
DE.CM-8

Vulnerability scans are performed

Evidence:
Vulnerability Management Policy.md, Composer.lock Security Scan History.
Detection Processes
DE.DP-1

Roles and responsibilities for detection are well defined

Evidence:
Admin role system, automated monitoring, alert notifications
DE.DP-2

Detection activities comply with all applicable requirements

Evidence:
GDPR compliance, privacy policy, data protection measures
DE.DP-3

Detection processes are tested

Evidence:
Detection Testing Procedures.md, Security Testing Log (admin Records), Rate Limits Table History.
DE.DP-4

Event detection information is communicated

Evidence:
Admin email notifications, user notification system, service status dashboard (/service-status), error notification emails, automated monitoring alerts
DE.DP-5

Detection processes are continuously improved

Evidence:
NIST compliance dashboard, continuous improvement process

Response Planning
RS.RP-1

Response plan is executed during or after an incident

Evidence:
Incident Response Disaster Recovery.md, Hetzner Backup Logs.
Communications
RS.CO-1

Personnel know their roles and order of operations

Evidence:
Cybersecurity personnel identified (ID.AM-6), admin role documentation, incident response procedures, escalation contacts
RS.CO-2

Incidents are reported consistent with established criteria

Evidence:
Support ticket system, admin alert mechanisms, service_status table, incident classification system, automated notification triggers
RS.CO-3

Information is shared consistent with response plans

Evidence:
Service status page, notification system, user communication channels
RS.CO-4

Coordination with stakeholders occurs

Evidence:
Support ticket system, admin dashboard, stakeholder communication
RS.CO-5

Voluntary information sharing occurs with external stakeholders

Evidence:
Internal incident communication, public status page
Analysis
RS.AN-1

Notifications from detection systems are investigated

Evidence:
Error logging system, admin monitoring dashboard, support ticket investigation
RS.AN-2

The impact of the incident is understood

Evidence:
Service status levels (operational/degraded/outage), impact tracking
RS.AN-3

Forensics are performed

Evidence:
Digital Forensics Protocol.md, Admin Activity Logs, Forensic Archival Records.
RS.AN-4

Incidents are categorized consistent with response plans

Evidence:
Service status categories, support ticket types, incident classification
RS.AN-5

Processes are established to receive, analyze and respond to vulnerabilities

Evidence:
Composer security advisories, dependency update workflow, security patch deployment, audit findings implementation, NIST compliance continuous improvement
Mitigation
RS.MI-1

Incidents are contained

Evidence:
Maintenance mode, rate limiting system, authentication controls
RS.MI-2

Incidents are mitigated

Evidence:
ErrorController, automatic error recovery, admin tools
RS.MI-3

Newly identified vulnerabilities are mitigated or documented as accepted risks

Evidence:
Security update history, dependency version upgrades, code fix commits, NIST compliance status tracking, risk acceptance documentation in compliance notes
Improvements
RS.IM-1

Response plans incorporate lessons learned

Evidence:
Post Incident Review Protocol.md, Internal Security Testing Logs.
RS.IM-2

Response strategies are updated

Evidence:
NIST compliance updates, continuous security enhancements

Recovery Planning
RC.RP-1

Recovery plan is executed during or after a cybersecurity incident

Evidence:
Incident Response Disaster Recovery.md, Hetzner Backup Logs.
Improvements
RC.IM-1

Recovery plans incorporate lessons learned

Evidence:
Post Incident Review Protocol.md, Internal Security Testing Logs.
RC.IM-2

Recovery strategies are updated

Evidence:
NIST compliance monitoring, recovery process updates
Communications
RC.CO-1

Public relations are managed

Evidence:
Public status page at /status, user notification system
RC.CO-2

Reputation is repaired after an incident

Evidence:
Service Status, Automated Incident Notification Templates.
RC.CO-3

Recovery activities are communicated to stakeholders

Evidence:
Internal communication channels, user notification system, service_status table and dashboard, vendor contact procedures, stakeholder communication templates, public recovery announcements

Have questions about our security?

Our security and compliance team is available to answer your questions.

Contact Security