International Security Standard | 02/2026

Trust and Security Center
LegallyMail

Our infrastructure is hardened in strict accordance with the NIST Cybersecurity Framework.
Radical transparency about how we protect your most critical data.


Committed to Your Security

At LegallyMail, we align our security controls with the NIST Cybersecurity Framework (CSF), the international standard for managing cyber risk. Our commitment is to protect the confidentiality, integrity and availability of your certified communications.

Controls Implemented: 103
Total Controls: 103

Our Security Posture

NIST Framework Analysis

Identify
100% Implemented

Develop the organizational understanding to manage cybersecurity risk.

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy

Protect
100% Implemented

Implement safeguards to ensure delivery of critical services.

  • Access Control
  • Awareness and Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology

Detect
100% Implemented

Develop activities to identify the occurrence of a cybersecurity event.

  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes

Respond
100% Implemented

Take action regarding a detected cybersecurity incident.

  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements

Recover
100% Implemented

Maintain resilience plans and restore any capabilities or services that were impaired.

  • Recovery Planning
  • Improvements
  • Communications

Implemented Controls

Detailed transparency on our active security controls

Asset Management
ID.AM-1

Physical devices and systems within the organization are inventoried

Evidence:
Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.
ID.AM-2

Software platforms and applications are inventoried

Evidence:
Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.
ID.AM-3

Organizational communication and data flows are mapped

Evidence:
Inventory And Asset Management.md, Hetzner Infrastructure Console, GitHub Asset Tracking.
ID.AM-4

External information systems are catalogued

Evidence:
Third-party service documentation, integration records
ID.AM-5

Resources are prioritized based on their classification, criticality, and business value

Evidence:
Data Classification Policy.md, Database Encryption Architecture.
ID.AM-6

Cybersecurity roles and responsibilities are established

Business Environment
ID.BE-1

The organization's role in the supply chain is identified and communicated

Evidence:
Service provider documentation, TSA integration, Stripe payment processing
ID.BE-2

The organization's place in critical infrastructure is identified

Evidence:
Service architecture documentation, critical service monitoring
ID.BE-3

Priorities for organizational mission, objectives, and activities are established

Evidence:
NIST compliance framework, GDPR compliance, service SLAs
ID.BE-4

Dependencies and critical functions are established

Evidence:
Service dependency mapping, critical function documentation
ID.BE-5

Resilience requirements to support delivery of critical services are established

Evidence:
Service status dashboard, maintenance mode system, error handling framework
Governance
ID.GV-1

Organizational cybersecurity policy is established and communicated

Evidence:
Cybersecurity Policy.md, NIST CSF Compliance Dashboard, GDPR Compliance Documentation, Security Policies Library, Cybersecurity Leadership Designation Records
ID.GV-2

Cybersecurity roles and responsibilities are coordinated and aligned

Evidence:
Internal security coordination, admin role structure
ID.GV-3

Legal and regulatory requirements are understood and managed

ID.GV-4

Governance and risk management processes address cybersecurity risks

Evidence:
NIST compliance dashboard, risk assessment through compliance monitoring
Risk Assessment
ID.RA-1

Asset vulnerabilities are identified and documented

Evidence:
Past audit with Claude Sonnet 4.5 in January 2026
ID.RA-2

Cyber threat intelligence is received from information sharing forums

Evidence:
Composer security advisories, dependency monitoring
ID.RA-3

Threats, both internal and external, are identified and documented

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RA-4

Potential business impacts and likelihoods are identified

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RA-5

Threats, vulnerabilities, likelihoods, and impacts are used to determine risk

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RA-6

Risk responses are identified and prioritized

Evidence:
Security improvements, vulnerability patching process
Risk Management Strategy
ID.RM-1

Risk management processes are established, managed, and agreed to

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.
ID.RM-2

Organizational risk tolerance is determined and clearly expressed

Evidence:
NIST CSF compliance, GDPR compliance, security headers implementation
ID.RM-3

The organization's determination of risk tolerance is informed by its role

Evidence:
Risk Management Framework.md, Risk Register, Security Advisory Monitoring.

Access Control
PR.AC-1

Identities and credentials are issued, managed, verified, revoked, and audited

Evidence:
Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.
PR.AC-2

Physical access to assets is managed and protected

Evidence:
Hetzner ISO 27001 certification, data center security documentation
PR.AC-3

Remote access is managed

Evidence:
Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.
PR.AC-4

Access permissions and authorizations are managed

Evidence:
Identity Access Management Policy.md, SSH Configuration Files, Admin Dashboard RBAC.
PR.AC-5

Network integrity is protected (e.g., network segregation)

Evidence:
Network Security Protocol.md, SSL Labs A+ Report, Cloud Firewall Configuration.
PR.AC-6

Identities are proofed and bound to credentials

Evidence:
Email verification system, email_verified column in users table
PR.AC-7

Users, devices, and assets are authenticated

Awareness and Training
PR.AT-1

All users are informed and trained on cybersecurity awareness

Evidence:
Privacy policy, terms of service, GDPR compliance documentation
PR.AT-2

Privileged users understand their roles and responsibilities

Evidence:
Admin dashboard with security controls, role-based access documentation
PR.AT-3

Third-party stakeholders understand their roles and responsibilities

Evidence:
Vendor agreements, partner documentation, API documentation
PR.AT-4

Senior executives understand their roles and responsibilities

PR.AT-5

Physical and cybersecurity personnel understand their roles

Evidence:
Admin role documentation, Hetzner security procedures
Data Security
PR.DS-1

Data-at-rest is protected

Evidence:
By Google Cloud (external provider)
PR.DS-2

Data-in-transit is protected

PR.DS-3

Assets are formally managed throughout removal, transfers, and disposition

Evidence:
User data management, certified_emails retention, data export capabilities
PR.DS-4

Adequate capacity to ensure availability is maintained

Evidence:
Hetzner infrastructure monitoring, service status tracking
PR.DS-5

Protections against data leaks are implemented

Evidence:
256-bit AES and hashing of sensitive data
PR.DS-6

Integrity checking mechanisms verify software and information integrity

PR.DS-7

Development and testing environment(s) are separate from production

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.DS-8

Integrity checking mechanisms verify hardware integrity

Evidence:
Hetzner infrastructure security, ISO 27001 certification
Information Protection Processes and Procedures
PR.IP-1

A baseline configuration of systems is created and maintained

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.IP-2

A System Development Life Cycle to manage systems is implemented

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.IP-3

Configuration change control processes are in place

Evidence:
Git repository, .env file management, version control practices
PR.IP-4

Backups of information are conducted, maintained, and tested

Evidence:
Backup And Recovery Policy.md, Hetzner Backup Logs, Google Drive Forensic Archival Records.
PR.IP-5

Policy and regulations regarding the physical operating environment

Evidence:
Hetzner data center certifications, environmental controls documentation
PR.IP-6

Data is destroyed according to policy

Evidence:
Data Retention Disposal Policy.md, Hard Delete Database Functions, Backup Rotation Policy.
PR.IP-7

Protection processes are improved

Evidence:
NIST compliance dashboard, regular security updates, dependency updates
PR.IP-8

Effectiveness of protection technologies is shared

Evidence:
Internal security reviews, NIST compliance public page
PR.IP-9

Response and recovery plans are in place and managed

PR.IP-10

Response and recovery plans are tested

Evidence:
Backup And Recovery Policy.md, Hetzner Backup Logs, Google Drive Forensic Archival Records.
PR.IP-11

Cybersecurity is included in human resources practices

PR.IP-12

A vulnerability management plan is developed and implemented

Evidence:
Vulnerability Management Policy.md, Composer.lock Security Scan History.
Maintenance
PR.MA-1

Maintenance and repair of assets are performed and logged

Evidence:
Maintenance Approval Process.md, Git Commit History With Detailed Logs, Hetzner Infrastructure Maintenance Logs, SSH Access Logs, Development Workflow Documentation
PR.MA-2

Remote maintenance of assets is approved, logged, and performed

Evidence:
Server access logs, admin activity monitoring
Protective Technology
PR.PT-1

Audit/log records are determined, documented, implemented, and reviewed

Evidence:
Logging Auditing Policy.md, MariaDB Binary Logs, Application Error Logs.
PR.PT-2

Removable media is protected and its use restricted

Evidence:
File upload validation, allowed file type restrictions
PR.PT-3

The principle of least functionality is incorporated

Evidence:
Secure Development Policy.md, Git Commit History, Isolated Production Environment.
PR.PT-4

Communications and control networks are protected

Evidence:
Network Security Protocol.md, SSL Labs A+ Report, Cloud Firewall Configuration.
PR.PT-5

Mechanisms are implemented to achieve resilience requirements

Evidence:
ErrorController, maintenance mode, service_status monitoring, Hetzner backups

Anomalies and Events
DE.AE-1

A baseline of network operations and expected data flows is established

Evidence:
Service status monitoring, normal operation baselines
DE.AE-2

Detected events are analyzed to understand attack targets and methods

Evidence:
Error logs, admin notification system, support ticket analysis
DE.AE-3

Event data are collected and correlated from multiple sources

Evidence:
Logging Auditing Policy.md, MariaDB Binary Logs, Application Error Logs.
DE.AE-4

Impact of events is determined

Evidence:
Service status levels, impact assessment in monitoring
DE.AE-5

Incident alert thresholds are established

Evidence:
PasswordResetLimiter.php, rate_limits table, API rate limiting
Security Continuous Monitoring
DE.CM-1

The network is monitored to detect potential cybersecurity events

Evidence:
Hetzner infrastructure monitoring, rate_limits table, authentication logs, service status dashboard, admin alerts for suspicious activity
DE.CM-2

The physical environment is monitored to detect cybersecurity events

Evidence:
Hetzner data center monitoring, environmental controls
DE.CM-3

Personnel activity is monitored to detect cybersecurity events

Evidence:
Login logs, session tracking, admin activity logs, rate_limits enforcement, email usage patterns, anomaly detection for bulk sending
DE.CM-4

Malicious code is detected

Evidence:
File upload validation, MIME type checking, input sanitization
DE.CM-5

Unauthorized mobile code is detected

Evidence:
Code Integrity Detection.md, Restrictive CSP Implementation In Init.php, File Upload MIME Validation Logic.
DE.CM-6

External service provider activity is monitored

Evidence:
Stripe webhook monitoring, email service status tracking
DE.CM-7

Monitoring for unauthorized personnel, connections, devices, and software

Evidence:
Session tracking, authentication logs, rate limiting system
DE.CM-8

Vulnerability scans are performed

Evidence:
Vulnerability Management Policy.md, Composer.lock Security Scan History.
Detection Processes
DE.DP-1

Roles and responsibilities for detection are well defined

Evidence:
Admin role system, automated monitoring, alert notifications
DE.DP-2

Detection activities comply with all applicable requirements

Evidence:
GDPR compliance, privacy policy, data protection measures
DE.DP-3

Detection processes are tested

Evidence:
Detection Testing Procedures.md, Security Testing Log (admin Records), Rate Limits Table History.
DE.DP-4

Event detection information is communicated

Evidence:
Admin email notifications, user notification system, service status dashboard (/service-status), error notification emails, automated monitoring alerts
DE.DP-5

Detection processes are continuously improved

Evidence:
NIST compliance dashboard, continuous improvement process

Response Planning
RS.RP-1

Response plan is executed during or after an incident

Evidence:
Incident Response Disaster Recovery.md, Hetzner Backup Logs.
Communications
RS.CO-1

Personnel know their roles and order of operations

Evidence:
Cybersecurity personnel identified (ID.AM-6), admin role documentation, incident response procedures, escalation contacts
RS.CO-2

Incidents are reported consistent with established criteria

Evidence:
Support ticket system, admin alert mechanisms, service_status table, incident classification system, automated notification triggers
RS.CO-3

Information is shared consistent with response plans

Evidence:
Service status page, notification system, user communication channels
RS.CO-4

Coordination with stakeholders occurs

Evidence:
Support ticket system, admin dashboard, stakeholder communication
RS.CO-5

Voluntary information sharing occurs with external stakeholders

Evidence:
Internal incident communication, public status page
Analysis
RS.AN-1

Notifications from detection systems are investigated

Evidence:
Error logging system, admin monitoring dashboard, support ticket investigation
RS.AN-2

The impact of the incident is understood

Evidence:
Service status levels (operational/degraded/outage), impact tracking
RS.AN-3

Forensics are performed

Evidence:
Digital Forensics Protocol.md, Admin Activity Logs, Forensic Archival Records.
RS.AN-4

Incidents are categorized consistent with response plans

Evidence:
Service status categories, support ticket types, incident classification
RS.AN-5

Processes are established to receive, analyze and respond to vulnerabilities

Evidence:
Composer security advisories, dependency update workflow, security patch deployment, audit findings implementation, NIST compliance continuous improvement
Mitigation
RS.MI-1

Incidents are contained

Evidence:
Maintenance mode, rate limiting system, authentication controls
RS.MI-2

Incidents are mitigated

Evidence:
ErrorController, automatic error recovery, admin tools
RS.MI-3

Newly identified vulnerabilities are mitigated or documented as accepted risks

Evidence:
Security update history, dependency version upgrades, code fix commits, NIST compliance status tracking, risk acceptance documentation in compliance notes
Improvements
RS.IM-1

Response plans incorporate lessons learned

Evidence:
Post Incident Review Protocol.md, Internal Security Testing Logs.
RS.IM-2

Response strategies are updated

Evidence:
NIST compliance updates, continuous security enhancements

Recovery Planning
RC.RP-1

Recovery plan is executed during or after a cybersecurity incident

Evidence:
Incident Response Disaster Recovery.md, Hetzner Backup Logs.
Improvements
RC.IM-1

Recovery plans incorporate lessons learned

Evidence:
Post Incident Review Protocol.md, Internal Security Testing Logs.
RC.IM-2

Recovery strategies are updated

Evidence:
NIST compliance monitoring, recovery process updates
Communications
RC.CO-1

Public relations are managed

Evidence:
Public status page at /status, user notification system
RC.CO-2

Reputation is repaired after an incident

Evidence:
Service Status, Automated Incident Notification Templates.
RC.CO-3

Recovery activities are communicated to stakeholders

Evidence:
Internal communication channels, user notification system, service_status table and dashboard, vendor contact procedures, stakeholder communication templates, public recovery announcements

Questions about our security?

Our security and compliance team is available to answer your questions.
