Your search did not match any results.
The Criminal Justice Information Services (CJIS) Security Policy establishes guidelines for specific security precautions to protect criminal justice information (CJI), e.g. fingerprints and criminal backgrounds.
Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of Criminal Justice Information Services (CJIS) within our Oracle Government Cloud environments.
Oracle Cloud Infrastructure Classic
Oracle PaaS
Oracle SaaS
Cyber Essentials is a UK government-backed model that identifies the technical security controls an organization needs within their IT systems to defend against common cyber threats. It can help demonstrate that an organization can identify and mitigate potential cyber risks, has adopted security controls to protect customer data, and is compliant with UK government requirements to bid for UK government contracts. Cyber Essentials PLUS covers the same requirements as Cyber Essentials, but the tests of the systems are carried out by an authorized, external certifying body.
Oracle has obtained Cyber Essentials Plus certification for our London-based Commercial Cloud and UK Gov Cloud offerings.
Oracle Cloud Infrastructure
Oracle has achieved Cyber Essentials Plus Certification for Oracle Cloud Infrastructure residing in the UK Commercial Cloud.
Oracle SaaS
Oracle has achieved Cyber Essentials Plus Certification for the following services for the UK Gov Cloud only:
The Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (CC SRG) outlines how the DoD will assess the security posture of non-DoD cloud service providers (CSPs) and how non-DoD CSPs can show they meet the security controls and requirements. These baseline cloud security requirements are required before handling any DoD data.
All cloud computing is required to take place in the U.S and are based off of impact levels:
For select services Oracle has received Department of Defense (DoD) Provisional Authorizations at Impact Levels 5, 4, and 2.
Oracle SaaS
Oracle has achieved a DISA SRG Level 4 Accreditation for the following services within the Oracle DoD Cloud:
Oracle has achieved a DISA SRG Level 2 Authorization for the following services within the Gov Cloud:
The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standard approach to the security assessment, authorization and continuous monitoring for cloud products and services. U.S. Federal agencies are directed by the Office of Management and Budget (OMB) to leverage FedRAMP to ensure security is in place when accessing cloud products and services.
FedRAMP uses the NIST Special Publication 800-53, which provides a catalog of security controls for all U.S. Federal information systems. FedRAMP requires cloud service providers (CSP) to receive an independent security review performed by a third party assessment organization (3PAO) to ensure authorizations are compliant with the Federal Information Security Management Act (FISMA).
The following Oracle Cloud Services have received US Federal Risk and Authorization Management Program (FedRAMP) P-ATOs and ATOs up to the High baseline level defined by FedRAMP.
Oracle SaaS
Oracle has achieved FedRAMP Low (baseline) Authorization to Operate for the following Oracle US Gov Cloud offering:
Oracle has achieved FedRAMP Moderate (baseline) Authorizations to Operate for the following services within the Oracle US Gov Cloud:
Oracle has achieved FedRAMP High (baseline) Authorization to Operate for the following Oracle US Gov Cloud offering:
Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of US Federal Info Processing Standard (FIPS 140-2) within our Oracle Government Cloud environments.
The Federal Information Processing Standard Publication 140-2 (FIPS 140-2) is a US government security standard that specifies the security requirements related to the design and implementation of cryptographic modules protecting sensitive data. Cryptographic module protection within a security system is needed to maintain the confidentiality and integrity of the data protected by the module.
Oracle Cloud Infrastructure Classic
Oracle PaaS
Oracle SaaS
The Center for Financial Industry Information Systems (FISC), created by the Japanese Ministry of Finance, consists of financial institutions, insurance companies and securities firms, as well as computer manufacturers and telecommunication companies. The organization established the FISC Security Guidelines in 1985. These guidelines provide basic standards in architecture and operation on information systems for banking and other related financial institutions.
Oracle has obtained a third-party assessment against the Financial Industry Information Systems (FISC) v8 security guidelines in select facilities in Japan.
Oracle offers a wide range of security solutions to help customers meet requirements of the GDPR, including services for administrative access controls, network security controls, logging, and encryption.
Oracle Cloud Infrastructure Security (PDF)
Oracle Cloud Infrastructure and European Union General Data Protection Regulation (GDPR) (PDF)
Oracle Cloud Infrastructure Security Capabilities and Services
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is US legislation that provides data privacy and security provisions for safeguarding Protected Health Information (PHI). HIPAA applies to covered entities and business associates.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of protected health information (PHI). The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI. By law, the Privacy Rule applies only to covered entities (e.g., health plans, health care clearinghouses and certain health care providers). However, parts may be applicable to business associates.
Oracle has successfully completed third-party HIPAA assessments for the following services within commercial datacenters located in the United States:
Oracle Cloud Infrastructure
Oracle Cloud Infrastructure Classic
Oracle has successfully completed third party HIPAA assessments for the following services within both commercial and US Gov datacenters located in Chicago (Illinois) and Ashburn (Virginia):
Oracle PaaS
Oracle has successfully completed third party HIPAA assessments for the following services within both commercial and US Gov datacenters located in Chicago (Illinois) and Ashburn (Virginia):
Oracle SaaS
Oracle has successfully completed third party HIPAA assessments for the following services:
The Internal Revenue Service Publication 1075 (IRS 1075) is a US government guideline to ensure effective security controls are in place to protect Federal Tax Information (FTI). The IRS 1075 assessment report provides information on the available technical safeguards intended to adequately protect the confidentiality and integrity of FTI.
Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of US Internal Revenue Service Publication 1075 within our Oracle Government Cloud environments.
Oracle Cloud Infrastructure Classic
Oracle PaaS
Oracle SaaS
ISO 27001:2013 is an international standard that covers the planning, implementation, monitoring, and improvement of an Information Security Management System. This widely adopted global security standard sets out requirements and best practices for a systematic approach to managing company and customer information based on periodic security risk assessments.
Oracle has achieved International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS), additionally, ISO 27017 has been included within scope of our ISO/IEC 27001:2013 certification.
Oracle Cloud Infrastructure
Oracle PaaS
Oracle has achieved ISO/IEC 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS) consumed by all SaaS, PaaS, and Oracle Cloud Infrastructure Classic services, in all datacenters where these services reside. Additionally, ISO 27017 has been included within scope of our ISO/IEC 27001:2013 certification.
Oracle SaaS
Oracle has achieved International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS), additionally, ISO/IEC 27017:2015 and ISO/IEC 27018:2014 codes of practices have been included within scope of our ISO/IEC 27001:2013 certification.
Conducted by EY/CertifyPoint BV, Amsterdam, Netherlands, Oracle Cloud Infrastructure’s ISO/IEC 27017:2015 audit examines cloud service specific controls, implementation guidance and other information that are intended to mitigate the risks that accompany the technical and operational features of cloud services. This certification demonstrates Oracle’s ongoing commitment to align with globally recognized good practice for information security controls for cloud services.
Conducted by EY/CertifyPoint, Oracle Cloud Infrastructure’s ISO/IEC 27018:2014 audit examines a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor. ISO/IEC 27018:2014 is based on the information security objectives and controls in ISO/IEC 27002. This certification demonstrates to Oracle customers that Oracle Cloud Infrastructure has implemented appropriate measures to protect Personally Identifiable Information (PII) for a public cloud computing environment.
The Minimum Acceptable Risk Standards for Exchanges (MARS-E) is a suite of documents assembled by the Centers for Medicare & Medicaid Services (CMS). The CMS has oversight responsibility of Exchange information technology (IT) systems. The suite of documents defines a risk-based Security and Privacy Framework for Exchange information technology (IT) system design and implementation. The document suite includes guidance, requirements, and templates that address the mandates of the Patient Protection and Affordable Care Act of 2010 (ACA).
Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of US Minimum Acceptable Risk Standards for Exchanges (MARS-E) within our Oracle Government Cloud environments.
Oracle Cloud Infrastructure Classic
Oracle PaaS
Oracle SaaS
The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” provides security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). Federal agencies use the requirements in contractual vehicles or other agreements established between those agencies and nonfederal organizations. The requirements apply to all nonfederal information systems and organizations that process, store, or transmit CUI.
Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of NIST 800-171 and DFARS 252.7012 within our Oracle Government Cloud environments.
Oracle Cloud Infrastructure Classic
Oracle PaaS
Oracle SaaS
The Payment Card Industry Data Security Standard (PCI DSS) is a global set of security standard designed to encourage and enhance cardholder data security and promote the adoption of consistent data security measures around the technical and operational components related to cardholder data.
Oracle has successfully completed a Payment Card Industry Data Security Standard (PCI DSS) audit and received an Attestation of Compliance (AoC) covering several Oracle Cloud Infrastructure services and the Oracle RightNow Service Cloud Service. As a PCI Level 1 Service Provider, customers can now use these services for workloads that store, process or transmit cardholder data.
Oracle Cloud Infrastructure
Oracle SaaS
The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) is a data privacy law in Canada that applies to many organizations based in Canada that collect and process the personal information of individuals.
Oracle Cloud Infrastructure Privacy and Security Features and PIPEDA (PDF)
SOC 1 is a report on a service organization controls relevant to internal control over financial reporting. A “type 1” report focuses on the suitability of the system's design of its controls to achieve the control objectives. A “type 2” report includes the “type 1” report opinions; additionally, it includes an opinion on the operating effectiveness of the controls to achieve the control objectives as well as a description of the service auditor’s tests of the controls and results.
Oracle Cloud Services have been assessed using the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18 (System and Organization Controls (SOC) 1) and the International Auditing and Assurance Standards Board (IAASB) International Standard of Assurance Engagements (ISAE) 3402 standards for the suitability of the design and operating effectiveness of the specified controls.
Oracle Cloud Infrastructure - SOC 1 Type 2
Oracle Cloud Infrastructure Classic - SOC 1 Type 2
Oracle PaaS - SOC 1 Type 1
Oracle PaaS - SOC 1 Type 2
Oracle SaaS - SOC 1 Type 2
SOC 2 is a report on a service organization controls relevant to security, availability, processing integrity, confidentiality, or privacy using up to five trust principles. A given SOC 2 report may be based on one or more trust principles. Similar to a SOC 1 report, SOC 2 also have type 1 or type 2 available.
Oracle Cloud Services have been assessed using the criteria set forth in paragraph 1.26 of the American Institute of Certified Public Accountants (AICPA) Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) for the suitability of the design and operating effectiveness for the security, availability, and confidentiality principles.
Oracle SaaS - SOC 1 Type 2
Oracle Cloud Infrastructure Classic - SOC 2 Type 2
Oracle PaaS - SOC 2 Type 1
Oracle PaaS - SOC 2 Type 2
Oracle SaaS - SOC 2 Type 2
SOC 3 is a report, like the SOC 2, on a service organization controls relevant to security, availability, processing integrity, confidentiality, or privacy. However, a SOC 3 can be distributed for general use and only states whether the or not the entity has achieved the Trust Service criteria, without any description of tests, results or opinions.
Oracle Cloud Services have been assessed using the criteria set forth in paragraph 1.26 of the American Institute of Certified Public Accountants (AICPA) Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) for the suitability of the design and operating effectiveness for the security, availability, and confidentiality principles. The SOC 3 general use report for whether or not the Trust Service criteria was achieved is available for the following services.
Oracle Cloud Infrastructure
The UK National Cyber Security Centre (NCSC) was created to improve the security of and protect the UK internet and critical services from cyber attacks. The NCSC's 14 HMG Cloud Security Principles outline the requirements that cloud services should meet including considerations for data in-transit protection, supply chain security, identity and authentication and secure use of the service.
Oracle provides Assertion Statements which outline how UK Gov Cloud offerings align with the UK National Cyber Security Centre (NCSC) Cloud Security Principles.
Oracle Cloud Infrastructure
National Cyber Security Centre (NCSC) guidance summarises 14 essential security principles (the NCSC Cloud Security Principles) to consider when evaluating cloud services and provides context on why these may be important to an organisation. Customers should decide which of the NCSC Cloud Security Principles are important and how much (if any) assurance they require in the implementation of these principles. Providers of cloud services should consider NCSC Cloud Security Principles when presenting their offerings to consumers. This will allow them to make informed choices about which services are appropriate for their needs. This whitepaper is intended to provide the reader and customers with an understanding of:
Oracle SaaS
Oracle has achieved HMG Cloud Security Principles Assertion for the following services for the UK Gov Cloud only:
Read the white paper: National Cyber Security Centre (NCSC) Cloud Security Principles (PDF)