| Control target | Measures |
|---|---|
| (1) Access control (physical)<br>The following measures are used to prevent unauthorized persons from gaining physical access to the server infrastructure used for data processing, and in particular to identify authorized persons. | • Data center locked off from generally accessible areas<br>• Access only for authorized employees (visits are generally not permitted)<br>• Access control system (biometric) with logging<br>• Alarm system/locking system with code lock<br>• 24-hour security service with linked alarm system<br>• Video surveillance (exterior, doors and aisles)<br>• Separately locked racks with the option of customer-specific locks and keys<br>• Cleaning only by authorized employees |
| (2) Access control (user control)<br>It must be prevented that data processing systems can be used by unauthorized persons. | • Use of firewalls and intrusion detection systems<br>• For administrative purposes (e.g. maintenance of the infrastructure and systems), only a small group of internal administrators can access the data processing systems via SSH and web interfaces. Only encrypted communication channels are used for this purpose; the connection is established via VPN, TLS and LDAP.<br>• Authentication is always done with username and password (internal password policy)<br>• User identification must be carried out with personal login data. Sharing login credentials with another person is prohibited.<br>• Secure password management (use of central device administration software with encryption)<br>• For emergencies, system administrators can access the servers with root logins if the usual user authentication does not work properly. Use of the root login is logged. |
| (3) Access and storage control<br>It must be ensured that those authorized to use a data processing system can only access the data that is necessary to perform their tasks (need-to-know) and that is covered by their access authorization, and that customer data (including personal data) cannot be read, copied, changed or removed without authorization during processing and use, or afterwards. | • Protection against unauthorized internal and external access through firewalls and the use of authentication and encryption<br>• Secure password assignment according to the internal password policy; depending on the system or application, compulsory regular password changes and automatic blocking<br>• Privileged administrative access for administrative purposes is never given to clients/customers or external parties<br>• External access rights to systems and applications are assigned as needed and exclusively to the data covered by the respective access authorization (creation of user profiles and assignment of user rights). These must be contractually agreed or at least recorded in the service design (authorization concept).<br>• Authorizations are only assigned by the person responsible for the service/application, unless otherwise agreed in the authorization concept for the respective service/application. The number of administrators is always reduced to the "necessary". Additional access rights requested by the client/customer must be granted in writing.<br>• At the system level, all accesses are always logged by default. In the case of particularly sensitive data, if required by law or at the request of the client/customer, access is also logged at the application level (entry, modification and deletion, as well as retrieval of the data).<br>• Safe storage of data carriers<br>• Secure physical destruction of data carriers |
| (4) Separation control<br>It must be ensured that data collected for different purposes can be processed separately. | • Physical separation of functionally and purposely different systems, databases and data carriers<br>• Defined processes for where and how systems, services or applications are installed, delivered and operated (authorization concept at company level)<br>• Separation of production and test environments<br>• Functional and logical client (tenant) separation<br>• Defined database rights |
| (5) Distribution control (disk control, transport control and disclosure control)<br>It must be ensured that customer data (including personal data) cannot be read, copied, changed or removed without authorization during electronic transmission or during their transport or storage on data carriers, and that it can be checked and determined to which points a transmission of customer data (including personal data) by data transmission facilities is intended. | • The transmission of data always takes place with secure encryption. This applies in particular to personal data.<br>• Privileged actions for administrative purposes, e.g. to carry out migrations, can only be carried out via VPN. Only a small group of employees has VPN access with such authorizations.<br>• All privileged actions at system level are logged (activity log); logging can also be done at application level.<br>• Documents worthy of protection may only be sent in encrypted form (e.g. as a password-protected compressed archive by e-mail, with the password communicated separately via another channel). |
| (6) Input control and logging<br>It must be ensured that it can be subsequently checked and established whether and by whom customer data (including personal data) has been entered, changed or removed in data processing systems. | • Assignment of access rights for entering, changing and deleting data based on the authorization concept<br>• Logging of the entry, modification and deletion of data is always in place at the system level (activity log), and at the service/application level if prescribed/required or desired (depending on the purpose of the application and the sensitivity of the data)<br>• Traceability of entering, changing and deleting data through individual user names |
| (7) Availability control and recovery<br>It must be ensured that customer data (including personal data) is protected against accidental or willful destruction or loss. | • Uninterruptible power supply (diesel generator and redundant UPS)<br>• Air conditioning in server rooms<br>• Devices for monitoring temperature and humidity in server rooms<br>• Protective power strips in server rooms (PDUs)<br>• Comprehensive fire protection with gas-based fire extinguishing (Inergen)<br>• Creation of a backup and recovery concept<br>• Mirroring of hard disks, e.g. RAID<br>• Contingency plans that describe in detail error scenarios, precautionary measures and availability measurements<br>• Server rooms not located under sanitary facilities<br>• Complete data center infrastructure and services are monitored<br>• Redundant infrastructure |
| (8) Order control<br>Measures are taken to ensure that personal data processed on behalf of the customer can only be processed in accordance with the instructions of the client. | • If, during maintenance work on the data processing systems, a possible change to personal data cannot be ruled out, NTH will inform the client about this maintenance window.<br>• Change and migration requests that involve personal data must be made in writing by the client.<br>• Data processing takes place in the data center of NTH, unless the customer explicitly requests other locations (e.g. certain hosting providers).<br>• Ensuring the destruction of data after completion of the order |
| (9) Organizational and implementation control<br>Processes and workflows are defined for the processing of data which effectively implement the data protection principles and security guarantees, in order to meet the data protection requirements and to protect the rights of data subjects. | • Regular training and sensitization of employees to the principles of data protection and IT security<br>• Duty of secrecy regarding trade and business secrets<br>• Proper and careful handling of data, files, data carriers and other documents<br>• Checking the implementation and effectiveness of the technical and organizational protective measures through controls and random samples<br>• Process for incident response management and documentation of security incidents in the ticket system<br>• Formalized process for handling requests for information from data subjects<br>• NTH guarantees that the provision of services takes place in compliance with data protection law |