Category: Compliance


Introducing GxP Compliance on AWS

We’re happy to announce that customers can now bring the next generation of medical, health, and wellness solutions to their GxP systems by using AWS for their processing and storage needs. Compliance with healthcare and life sciences requirements is a key priority for us, and we are pleased to announce new compliance enablers for customers with GxP requirements.

The first key enabler is a first-of-its-kind GxP whitepaper, Considerations for Using AWS Products in GxP Systems, which details a comprehensive approach for using AWS in GxP systems. The whitepaper was developed in conjunction with AWS pharmaceutical and medical device customers, as well as software partners, who currently use AWS products in their validated GxP systems. To ensure the suitability of the content, AWS also engaged Lachman Consultant Services Inc. (Lachman Consultants) to review and contribute to the approach outlined in the whitepaper. Lachman Consultants is one of the most highly respected consulting firms on FDA and international regulatory compliance issues affecting the pharmaceutical and medical device industry today, with extensive experience helping companies establish and develop GxP systems, including GxP guidelines for maintaining regulated data in a cloud environment. For additional information about Lachman Consultants, go to lachmanconsultants.com.

AWS ISO 27001 Certification Increases Total In-Scope Services to 33


AWS has just completed our annual ISO 27001 audit, for a certification we first achieved in 2010. Ten new services are now in scope under ISO 27001.

For those just learning about ISO 27001:2013: the International Organization for Standardization (ISO) created this widely adopted global security standard, which sets out requirements and best practices for a systematic approach to managing company and customer information. The approach is based on periodic risk assessments appropriate to ever-changing threat scenarios.

AWS Certification Update – ISO 9001 Has 10 New Services in Scope


Today we’re happy to announce that we’ve added 10 new services to our ISO 9001 certification.

This increases the total number of AWS services available for use under the certification to 33. The complete list can be found in our AWS ISO 9001 FAQs.

The EU (Frankfurt) region is now also in scope, bringing the number of regions covered to 10: US East (N. Virginia), US West (Oregon), US West (N. California), AWS GovCloud (US), South America (Sao Paulo), EU (Ireland), EU (Frankfurt), Asia Pacific (Singapore), Asia Pacific (Sydney), and Asia Pacific (Tokyo).

AWS Certification Update – ISO 27017


I am happy to announce that AWS has achieved ISO 27017 certification. This new code of practice builds upon the ISO 27002 standard, adding controls specifically applicable to cloud service providers. AWS is the first cloud provider to obtain this certification; the certificate is available now for download on our AWS Cloud Compliance site. Additionally, we’ve posted an FAQ about ISO 27017 that explains which regions and services are included in the certification.

To learn more about the new certification, see the AWS Official Blog.

– Chad

AWS Announces Successful SOC Assessment with 3 New Services in Scope


Today, I’m happy to announce the completion of another successful Service Organization Controls (SOC) assessment.

The AWS SOC program is an intensive, period-in-time audit performed every six months. We have been releasing SOC reports (or their SAS 70 predecessors) regularly since 2009, and over the years we have gradually built in more controls and added more services. These third-party assessments by Ernst & Young are mature and extensive, and attest to our alignment with the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. The SOC programs continue to be a key component of our efforts to provide transparency to our customers on information security, confidentiality, and privacy.

Register to Attend an AWS Security Roadshow


Register to attend an AWS Security Roadshow, a free technical event where you can learn how to use AWS services—including those recently launched—to help improve the agility and maturity of your security and compliance programs. AWS Security Roadshow topics will include:

  • AWS Security Overview
  • What’s New
  • Network Security and Access Control Within AWS
  • Protecting Your Data in AWS
  • Putting It All Together: Securing Systems at Cloud Scale

You can participate in an open Q&A session at the end of the event, which will give you access to experienced AWS solutions architects and provide networking opportunities with other technical security professionals.

Seating for this event is limited and registration for each location will close when capacity is reached, so don’t delay. As of this writing, the AWS Security Roadshow has room left in Atlanta, Chicago, San Francisco, Boston, and Herndon (Virginia).

Who should attend
Technical security professionals—DevOps, engineers, and architects who have basic familiarity with cloud computing concepts and AWS services, and want to gain further insights and learn best practices for securing workloads in AWS.

– Paul

AWS Obtains ISO 27018 Privacy Certification


I am pleased to announce that AWS has successfully completed a new assessment against ISO/IEC 27018:2014, a code of practice for the protection of personally identifiable information (PII) in the cloud, covering our adherence to the commitments we make to customers regarding their content. This privacy code of practice is now an integral and permanent component of our ISO 27001 certification program.

ISO 27018 is the first international code of practice that focuses on protection of PII in the cloud. Alignment with ISO 27018 demonstrates that AWS has a system of controls in place that specifically addresses the privacy protection of AWS customers’ content.

Alignment with the ISO 27018 code of practice provides assurance that:

  • Customers control their content.
  • Customers’ content will not be used for any unauthorized purposes.
  • Physical media is destroyed prior to leaving AWS data centers.
  • AWS provides customers the means to delete their content.
  • AWS doesn’t disclose customers’ content unless required to do so in order to comply with a legally valid and binding order.

All AWS regions and AWS Edge Locations are within the scope of this assessment. For the AWS services in scope, review AWS’s ISO/IEC 27018:2014 certificate. For further questions about this certification, see our ISO 27001 certificate and the FAQ page.

– Chad

Now Available: Videos and Slide Decks from the re:Invent 2015 Security and Compliance Track

Whether you want to review a Security and Compliance track session you attended at re:Invent 2015, or you want to experience a session for the first time, videos and slide decks from the Security and Compliance track are now available.

SEC201: AWS Security State of the Union: How Should We All Think About Security?

SEC202: If You Build It, They Will Come: Best Practices for Securely Leveraging the Cloud

SEC203: Journey to Securing Time Inc.’s Move to the Cloud


Customer Update—AWS and EU Safe Harbor

Recently, the European Court of Justice determined that the 15-year-old US-EU Safe Harbor framework is no longer valid for the transfer of personal data from the European Economic Area (EEA) to the US.

At AWS, we know customers care deeply about privacy and data security, and we work to get these issues right for our customers around the world. Today, we’d like to confirm for customers and partners that they can continue to use AWS to transfer their customer content from the EEA to the US, without altering workloads and in compliance with EU law. This is possible because the EU data protection authorities (the Article 29 Working Party) have already approved the AWS Data Processing Addendum and Model Clauses, which enable the transfer of personal data outside Europe, including to the US. AWS customers can continue to run their global operations using AWS in full compliance with the EU Data Protection Directive (Directive 95/46/EC). The AWS Data Processing Addendum is available to all AWS customers who process personal data, whether they are established in Europe or are a global company operating in the EEA. For additional information, please visit the AWS EU Data Protection FAQ.

For customers who do not wish to transfer personal data out of the EEA, we continue to provide all of the security, privacy, and control they have always had with AWS, such as:

  • Customers maintain ownership of their customer content and select which AWS services process, store, and host their customer content.
  • Customers determine where their customer content will be stored, allowing them to deploy AWS services in the locations of their choice, in accordance with their specific geographic requirements, including in established AWS regions in Dublin and Frankfurt.
  • Customers choose how their customer content is secured in transit and at rest, and we provide customers with the option to manage their own encryption keys.

For additional information, please visit AWS Privacy and Data Security FAQ.

At AWS, customer trust is our top priority, and we will continue to work vigilantly to ensure that our customers are able to continue to enjoy the benefits of AWS securely, compliantly, and without disruption.

– Steve

Today’s Security and Compliance Sessions at re:Invent 2015

If you are attending re:Invent 2015 in Las Vegas, you can attend any of the following Security & Compliance track sessions taking place today.

Didn’t register before the conference sold out? All sessions are being recorded and will be made available on YouTube after the conference. Also, all slide decks from the sessions will be made available on SlideShare.net after the conference.

Click any of the following links to learn more about a breakout session.