Since Servitly is part of your digital supply chain, the obligations you must fulfil under NIS 2 extend to us as well, and they are already built into the way we work.
Below you will find how Servitly covers each NIS 2 obligation.
If needed, we can share more information with you in a dedicated audit session.
Risk management and security measures
Implement risk analysis and security policies for information systems.
Periodically, we perform a system assessment covering various aspects, including performance, privacy and security, with the aim of identifying potential threats (e.g. cyberattacks, data breaches) and system weaknesses.
Adopt incident management measures, ensuring business continuity through backups and disaster recovery plans.
We have defined procedures for dealing with critical or disastrous events.
These procedures, which include the creation and verification of data backups, are periodically tested and improved.
Ensure supply chain security, including supplier and partner relationship management.
We only use accredited third-party providers (e.g. AWS, Azure, Google).
Third-party software is continuously checked for known vulnerabilities (CVEs) and for new updates that need to be installed in our system.
Ensure security in the acquisition, development and maintenance of computer and network systems, including vulnerability management.
At each release and periodically, we perform vulnerability assessments and penetration tests (VA/PT), carried out both in-house and by third-party companies.
Each discovered issue is triaged to determine its likelihood and impact, and the possible actions to mitigate it (e.g. temporarily disabling the affected service) or fix it (patching the system).
Establish strategies and procedures to assess the effectiveness of cybersecurity risk management measures.
Periodically, we perform a self-assessment against defined KPIs in order to check and improve our internal processes.
Adopt basic digital hygiene practices and provide cybersecurity training to staff.
Privacy-by-design and security-by-design guide our approach to defining, implementing and testing each new feature added to Servitly.
Before any implementation, a security checklist is verified and any issues discovered are addressed.
The development team is trained on privacy and security topics.
Establish policies and procedures related to the use of encryption and ensure the security of human resources, access control strategies and asset management.
All access to cloud resources is made through a secure channel. Certificates are managed through specific procedures and by authorized personnel only.
Every access attempt (authorized or not) is logged in the system.
Implement all necessary countermeasures to prevent security incidents.
This is achieved through our security-by-design approach; you can read more about the specific security countermeasures in the Security Framework article.
Incident reporting
Promptly report significant IT security incidents to the relevant authorities or to related NIS 2 organizations.
In the event of an incident, we will communicate it directly to the customers involved.
Every incident is documented (history, causes, logs, actions, lessons learnt) in an internal repository.
File an early warning within 24 hours of identifying the incident and a full notification within 72 hours.
We will communicate the incident directly to the customers involved, aiming to respect the required timeframes according to the impact of the incident.