Security

Reporting of incidents and security events

Staffino takes security very seriously and investigates all potential and reported vulnerabilities. Each employee is obliged to immediately report an observed security incident, or a suspected security incident, to Support. If an incident has happened, a customer or employee can report it by email to [email protected] or by phone to the support team (+421 951 619 551 or +421 948 082 282). The Staffino team will respond to your email request (or phone call in urgent cases) within the times described below and will take action immediately after confirming the request. Each request is assigned a severity level by the Security Manager and handled according to the guideline for that level. In the case of IT security incidents, every customer is informed by email. On the AWS side, a detailed overview of how AWS reports vulnerabilities is available at https://aws.amazon.com/security/vulnerability-reporting/. The status of Amazon services is available at https://status.aws.amazon.com/.

Basic duties and responsibilities of employees

1. The employee is obliged to report an observed security incident or security vulnerability.

2. After a security incident has been observed, it is prohibited to perform any activity that could invalidate the evidence or worsen the incident's consequences.

3. After observing a security vulnerability, the employee is obliged to notify the SM (Security Manager).

4. Employees are obliged to cooperate with the recipient of the security incident report in verifying whether it is a security incident.

5. If a criminal offense may have been or has been committed in connection with the occurrence of a security incident, the employee must immediately inform the law enforcement authorities and his / her immediate superior or director.

6. Consequences may be drawn for employees who caused the security incident, in accordance with the valid disciplinary proceedings.

Security incident classification

Regarding incidents, we distinguish three levels of issue urgency and priority (critical, serious, common):

  • Critical issues include security incidents in which there is a risk of personal data leakage or service failure.
  • Serious issues include incidents where there is a real risk of data leakage, but this risk is not immediate (e.g. an email server being used to send spam), or where there is a risk of damaging the company's reputation.
  • Common issues include standard security warnings about possible security incidents (informational warnings, warnings from the supplier side, e.g. Microsoft Security Notifications).

General incident classification

Regarding incidents, we distinguish five levels of issue urgency and priority (outage, critical, urgent, less urgent, nonurgent):

  • Outage issues include the unavailability of the service.
  • Critical issues include unavailability of basic functionality (leaving feedback, displaying key information, etc.), unavailability of current data, IT security incidents or data leakage. In general, the critical level includes issues that prevent working with the application.
  • Urgent issues are more visible bugs and unavailability of moderately important functionality (managing profiles, etc.).
  • Less urgent issues are less visible bugs and issues that can make it more difficult to work with the application, while the application remains fully usable.
  • Nonurgent issues include bugs that are not visible (or almost not visible) and improvements.

Incident resolution times

Staffino guarantees the following response/resolution times:

  • Outage – response time up to 1 hour, resolution time up to 6 hours
  • Critical – response time up to 12 hours, resolution time up to 24 hours
  • Moderately urgent – response time up to 24 hours, resolution time up to 72 hours
  • Less urgent – response time up to 72 hours, resolution time up to the next release
  • Nonurgent – response time up to 72 hours, resolution time depending on the development plan

Staffino provides technical support on working days during working hours (from 8:00 AM to 5:00 PM). If extended technical support is provided, all agreements are set out in writing in the technical support contract.