NIS2 compliance?

Moderator: crythias

Post Reply
zerszenyi
Znuny newbie
Posts: 29
Joined: 27 Sep 2021, 12:41
Znuny Version: 7.1
Real Name: Zoltan Erszenyi

NIS2 compliance?

Post by zerszenyi »

Hello,

I have a need to align a business that's using Znuny to the NIS2 directive, meaning that I must be able to log every access and activity, including username, source IP address, timestamp and actions.

These logs must be streamed to a SIEM also.

I also must be able to produce an activity report / audit trail such as:
- User X logged on from the IP address of z.z.z.z, he used MFA with this specific Identity Provider, on yyyy/mm/dd
- User X created ticket T... on yyyy/mm/dd
- User X updated ticket T... on yyyy/mm/dd
- User X performed administrative action blah.
...

My research indicates that due to the legacy software stack inherited from OTRS, and limited logging and reporting features, Znuny is the less preferred option for a business under NIS2 obligations. Yes, it can be integrated with various supporting systems and frameworks, and reports can be developed, however it requires significant manual configuration prone to human error, and must also enable debug-level logging forever to capture relevant data. Native support for compliance logging and reporting is limited compared to other options such as Zammad. At least that's what my research indicates.

Combine it with significant technical and usability challenges such as:
  • the lack of support for small screens such as field engineers with mobile phones
  • flexible and versatile, but convoluted configuration process leaves ample room for human error
  • incomplete / scattered documentation
it becomes clear that Znuny is lagging behind on many aspects. There is a big question mark hanging over its viability in the modern European enterprise regulated by strict compliance laws.

It's a great product from a functional point of view. However today that is insufficient. A software must also comply with legal requirements, as well as support the mobile workforce. A support technician on a long drive cannot stop and fire up his laptop to see his new tickets assigned while on the road. He should look them up on the phone without a heavily downscaled grid, endlessly zooming and scrolling left-right-up-down.

Where does Znuny stand on this specific topic? Are there any compliance-focused guides that can help navigate the legal aspects of the enterprise IT operations with regards to Znuny?


Thank you.
root
Administrator
Posts: 4337
Joined: 18 Dec 2007, 12:23
Znuny Version: Znuny and Znuny LTS
Real Name: Roy Kaldung
Company: Znuny
Contact:

Re: NIS2 compliance?

Post by root »

Hi,

Since Znuny is open-source and this is a community forum, have you ever considered asking the vendor directly? Your audit trail isn't this hard to create, and I do not see any other ITSM solution for feeding a SIEM. Do you know of an open-source ticket system that does this?

- root
Znuny and Znuny LTS running on CentOS / RHEL / Debian / SLES / MySQL / PostgreSQL / Oracle / OpenLDAP / Active Directory / SSO

Use a test system - always.

Do you need professional services? Check out https://www.znuny.com/

Do you want to contribute or want to know where it goes ?
Johannes
Moderator
Posts: 442
Joined: 30 Jan 2008, 02:26
Znuny Version: All of them ^^
Real Name: Hannes
Company: Znuny|OTTERHUB

Re: NIS2 compliance?

Post by Johannes »

Hi Zoltan,

just some feedback, maybe you got this wrong in your research, but this is the community forum. The Znuny commercial website is for business related context / prof. consulting.

You are complaining about a lack of Audit (where we - the vendor) - offer a plugin for business customers. Just ask at the right place.

We are also constantly improving the accessbility and the mobile views in every minor release.
There should be a signifcant change for mobile, until the end of the year.

The issue for the teams integrations is already fixed and will be part of either Znuny 7.3.4 or 7.3.5.
As the change in the webservice also lead to a change in the webservice backend - we did not support url params in post requests.

Regarding the documentation... I really do not see the point of a "scattered" and incomplete documentation. There is one source, so scattered is the wrong word in every way... and yes the documentation is not complete. It never is. It helps you to get started, it is growing all the time. But it will never be complete.

Regards and have a good weekend.
Johannes
Post Reply