Annex 3 - Technical and organizational measures

1. Confidentiality

Confidentiality Protection

AWS Inc. fulfills the following certifications (SOC1/SSAE 16/ISAE 3402 (formerly SAS 70), SOC2, SOC3, FISMA, DoD SRG, PCI DSS Level 1, ISO 9001 / ISO 27001, ITAR, FIPS 140-2, MCTS Tier3) and implements AWS Inc. the requirements catalog Cloud Computing (C5) of the Federal Office for Information Security.

Access

Unauthorized persons must be denied access to data processing systems.

Office level

– Alarm system – Security locks – Key regulation

Application level (including AWS)

– Video surveillance of the buildings – Electronic Intrusion Detection System – Chip card/transponder locking system – Employee and visitor badges – Wearing of badges in the data center – Reception with logging of visitors – Permanent accompaniment of the visitors by employees

It must be prevented that data processing systems can be used by unauthorised persons.

Office level

– Password rules – Key rules – Encryption of data carriers – Authentication with user + password

Application level (AWS)

– AWS Network: Firewalls – AWS Network: Authentication – Password rules – Authentication with user + password

It must be ensured that systemic data access is only possible to the extent authorized and required, e.g. through encryption.

– Encryption of data carriers – Authorization concept – Password rules – Reduce the number of administrators to the “essentials – Administration of user rights only through system administrator rights – Data transmission exclusively via HTTPS

Forwarding

It must be ensured that personal data is not accessed without authorization during transmission, transport or on data carriers and that it can be determined to which bodies the data has been disclosed, e.g. by means of encryption.

– Data transmission takes place exclusively via HTTPS

2. Integrity

Data separation

It must be ensured that data collected for different purposes can be processed separately.

– Storage of data from different systems on data carriers separated by virtualization – Determination of database rights – Logical Customer separation (on the software side) – Creation of an authorization concept

3. Availability

It must be ensured that personal data is protected against loss.

Application level

– Replication of data storage – Daily creation of encrypted back-ups of the data

PreviousAnnex 2 - Other processors NextSystem requirements

Last updated 1 year ago

Annex 3 - Technical and organizational measures

1. Confidentiality

Confidentiality Protection

Access

Unauthorized persons must be denied access to data processing systems.

Office level

– Alarm system – Security locks – Key regulation

Application level (including AWS)

It must be prevented that data processing systems can be used by unauthorised persons.

Office level

– Password rules – Key rules – Encryption of data carriers – Authentication with user + password

Application level (AWS)

– AWS Network: Firewalls – AWS Network: Authentication – Password rules – Authentication with user + password

It must be ensured that systemic data access is only possible to the extent authorized and required, e.g. through encryption.

Forwarding

It must be ensured that personal data is not accessed without authorization during transmission, transport or on data carriers and that it can be determined to which bodies the data has been disclosed, e.g. by means of encryption.

– Data transmission takes place exclusively via HTTPS

2. Integrity

Data separation

It must be ensured that data collected for different purposes can be processed separately.

3. Availability

It must be ensured that personal data is protected against loss.

Application level

– Replication of data storage – Daily creation of encrypted back-ups of the data

PreviousAnnex 2 - Other processors NextSystem requirements

Last updated 1 year ago