Compliance

  • CJIS - Criminal Justice Information Services

    The Criminal Justice Information Services (CJIS) Security Policy establishes guidelines for specific security precautions to protect criminal justice information (CJI), e.g. fingerprints and criminal backgrounds.

    Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of Criminal Justice Information Services (CJIS) within our Oracle Government Cloud environments.

    Oracle Cloud Infrastructure Classic

    • Compute Classic
    • Object Storage Classic

    Oracle PaaS

    • Big Data Cloud Service - Compute Edition
    • Database Backup Cloud Service
    • Database Cloud Service
    • Exadata Cloud Service
    • Golden Gate Cloud Service
    • Java Cloud Service

    Oracle SaaS

    • Fusion (HCM, CRM, ERP, SCM)
    • Service Cloud (OPA & RightNow CX)
  • Cyber Essentials Plus

    Cyber Essentials is a UK government-backed model that identifies the technical security controls an organization needs within their IT systems to defend against common cyber threats. It can help demonstrate that an organization can identify and mitigate potential cyber risks, has adopted security controls to protect customer data, and is compliant with UK government requirements to bid for UK government contracts. Cyber Essentials PLUS covers the same requirements as Cyber Essentials, but the tests of the systems are carried out by an authorized, external certifying body.

    Oracle has obtained Cyber Essentials Plus certification for our London-based Commercial Cloud and UK Gov Cloud offerings.

    Oracle Cloud Infrastructure

    Oracle has achieved Cyber Essentials Plus Certification for Oracle Cloud Infrastructure residing in the UK Commercial Cloud.

    Oracle SaaS

    Oracle has achieved Cyber Essentials Plus Certification for the following services for the UK Gov Cloud only:

    • Enterprise Performance Management (EPM): Account Reconciliation
    • EPM: Enterprise Performance Reporting
    • EPM: Enterprise Planning and Budgeting
    • EPM: Financial Consolidation and Close
    • EPM: Planning and Budgeting
    • EPM: Profitability and Cost
    • EPM: Tax Reporting
    • Fusion (HCM, CRM, ERP)
    • Service Cloud (OPA & RightNow CX)
    • Oracle Talent Acquisition Cloud (Taleo)
  • DISA SRG - Defense Information Systems Agency, Security Requirements Guide

    The Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (CC SRG) outlines how the DoD will assess the security posture of non-DoD cloud service providers (CSPs) and how non-DoD CSPs can show they meet the security controls and requirements. These baseline cloud security requirements are required before handling any DoD data.

    All cloud computing is required to take place in the U.S., and the requirements are based on impact levels:

    • Impact Level 2 – data cleared for public release (note: Level 1 was combined with Level 2)
    • Impact Level 4 – controlled unclassified information (CUI) over NIPRNet. CUI includes protected health information (PHI), privacy information (PII) and export controlled data (note: Level 3 was combined with Level 4)
    • Impact Level 5 – higher sensitivity CUI, mission critical information, or NSS over NIPRNet
    • Impact Level 6 – Classified data over SIPRNet

    For select services Oracle has received Department of Defense (DoD) Provisional Authorizations at Impact Levels 5, 4, and 2.

    Oracle SaaS

    Oracle has achieved a DISA SRG Level 4 Accreditation for the following services within the Oracle DoD Cloud:

    • Service Cloud (OPA & RightNow CX)

    Oracle has achieved a DISA SRG Level 2 Authorization for the following services within the Gov Cloud:

    • Service Cloud (OPA & RightNow CX)
    • Oracle Talent Acquisition Cloud (Taleo)
  • FedRAMP - Federal Risk and Authorization Management Program

    The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standard approach to the security assessment, authorization and continuous monitoring for cloud products and services. U.S. Federal agencies are directed by the Office of Management and Budget (OMB) to leverage FedRAMP to ensure security is in place when accessing cloud products and services.

    FedRAMP uses the NIST Special Publication 800-53, which provides a catalog of security controls for all U.S. Federal information systems. FedRAMP requires cloud service providers (CSP) to receive an independent security review performed by a third party assessment organization (3PAO) to ensure authorizations are compliant with the Federal Information Security Management Act (FISMA).

    The following Oracle Cloud Services have received US Federal Risk and Authorization Management Program (FedRAMP) P-ATOs and ATOs up to the High baseline level defined by FedRAMP.

    Oracle SaaS

    Oracle has achieved FedRAMP Low (baseline) Authorization to Operate for the following Oracle US Gov Cloud offering:

    • Oracle Enterprise Performance Management (EPM)

    Oracle has achieved FedRAMP Moderate (baseline) Authorizations to Operate for the following services within the Oracle US Gov Cloud:

    • Service Cloud (OPA & RightNow CX)
    • Oracle Talent Acquisition Cloud (Taleo)

    Oracle has achieved FedRAMP High (baseline) Authorization to Operate for the following Oracle US Gov Cloud offering:

    • Oracle Government Cloud – Common Controls
  • FIPS 140-2 - Federal Information Processing Standards Publication 140-2

    Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of US Federal Info Processing Standard (FIPS 140-2) within our Oracle Government Cloud environments.

    The Federal Information Processing Standard Publication 140-2 (FIPS 140-2) is a US government security standard that specifies the security requirements related to the design and implementation of cryptographic modules protecting sensitive data. Cryptographic module protection within a security system is needed to maintain the confidentiality and integrity of the data protected by the module.

    Oracle Cloud Infrastructure Classic

    • Compute Classic
    • Object Storage Classic

    Oracle PaaS

    • Big Data Cloud Service - Compute Edition
    • Database Backup Cloud Service
    • Database Cloud Service
    • Exadata Cloud Service
    • Golden Gate Cloud Service
    • Java Cloud Service

    Oracle SaaS

    • Oracle Talent Acquisition Cloud (Taleo)
    • Service Cloud (OPA & RightNow CX)
  • FISC - Financial Industry Information Systems

    The Center for Financial Industry Information Systems (FISC), created by the Japanese Ministry of Finance, consists of financial institutions, insurance companies and securities firms, as well as computer manufacturers and telecommunication companies. The organization established the FISC Security Guidelines in 1985. These guidelines provide basic standards in architecture and operation on information systems for banking and other related financial institutions.

    Oracle has obtained a third-party assessment against the Financial Industry Information Systems (FISC) v8 security guidelines in select facilities in Japan.

    • Application Container Cloud Service
    • Database Backup Service
    • Database Cloud Service (DBCS)
    • Java Cloud Service (JCS / JaaS)
    • SOA Suite Cloud Service
  • GDPR - General Data Protection Regulation
  • HIPAA - Health Insurance Portability and Accountability Act

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is US legislation that provides data privacy and security provisions for safeguarding Protected Health Information (PHI). HIPAA applies to covered entities and business associates.

    The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of protected health information (PHI). The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI. By law, the Privacy Rule applies only to covered entities (e.g., health plans, health care clearinghouses and certain health care providers). However, parts may be applicable to business associates.

    Oracle has successfully completed third-party HIPAA assessments for the following services within commercial datacenters located in the United States:

    Oracle Cloud Infrastructure

    • Archive Storage
    • Audit
    • Block Volumes
    • Bulk Data Upload
    • Compute
    • Database
    • Database – Exadata
    • Database 2-Node RAC
    • FastConnect
    • File Storage Service
    • Identity and Access Management
    • Load Balancing
    • Networking
    • Object Storage
    • Virtual Cloud Networks (VCN)

    Oracle Cloud Infrastructure Classic

    Oracle has successfully completed third party HIPAA assessments for the following services within both commercial and US Gov datacenters located in Chicago (Illinois) and Ashburn (Virginia):

    • Compute Classic
    • Storage Classic
    • Container Service Classic

    Oracle PaaS

    Oracle has successfully completed third party HIPAA assessments for the following services within both commercial and US Gov datacenters located in Chicago (Illinois) and Ashburn (Virginia):

    • Oracle API Platform Cloud Service
    • Oracle Analytics Cloud (OAC)
    • Oracle Big Data Cloud Service - Compute Edition
    • Oracle Database Backup Cloud Service
    • Oracle Database Cloud Service
    • Oracle Event Hub Cloud
    • Oracle Exadata Cloud Service (OEDCS)
    • Oracle Golden Gate Cloud Service
    • Oracle Identity Cloud Service (IDCS)
    • Oracle Internet of Things (IoT) Cloud
    • Oracle Java Cloud Service
    • MySQL Cloud Service
    • Oracle Data Integrator Cloud Service
    • Service-Oriented Architecture (SOA) Suite

    Oracle SaaS

    Oracle has successfully completed third party HIPAA assessments for the following services:

    • Eloqua Marketing Cloud Service
    • Fusion ERP/HCM/CRM/SCM
    • Service Cloud (OPA & RightNow CX)
  • IRS 1075 - Internal Revenue Service Publication 1075

    The Internal Revenue Service Publication 1075 (IRS 1075) is a US government guideline to ensure effective security controls are in place to protect Federal Tax Information (FTI). The IRS 1075 assessment report provides information on the available technical safeguards intended to adequately protect the confidentiality and integrity of FTI.

    Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of US Internal Revenue Service Publication 1075 within our Oracle Government Cloud environments.

    Oracle Cloud Infrastructure Classic

    • Compute Classic
    • Object Storage Classic

    Oracle PaaS

    • Big Data Cloud Service - Compute Edition
    • Database Backup Cloud Service
    • Database Cloud Service
    • Exadata Cloud Service
    • Golden Gate Cloud Service
    • Java Cloud Service

    Oracle SaaS

    • Fusion (HCM, CRM, ERP, SCM)
    • Service Cloud (OPA & RightNow CX)
  • ISO/IEC 27001:2013 - International Organization for Standardization 27001

    ISO/IEC 27001:2013 is an international standard that covers the planning, implementation, monitoring, and improvement of an Information Security Management System. This widely adopted global security standard sets out requirements and best practices for a systematic approach to managing company and customer information based on periodic security risk assessments.

    Oracle has achieved International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS). Additionally, ISO 27017 has been included within the scope of our ISO/IEC 27001:2013 certification.

    Oracle Cloud Infrastructure

    • Oracle has successfully completed an ISO/IEC 27001:2013 audit for Oracle Cloud Infrastructure.
    • Additionally, Oracle Cloud Infrastructure Edge Services successfully completed an ISO/IEC 27001:2013 audit.
    • Conducted by EY/CertifyPoint BV, Amsterdam, Netherlands, Oracle Cloud Infrastructure’s ISO/IEC 27001:2013 audit provides assurance that Oracle Cloud Infrastructure has designed and implemented an Information Security Management System (ISMS) in accordance with information security standard ISO 27002:2013 (Information technology – Security techniques – Code of practice for information security management).

    Oracle PaaS

    Oracle has achieved ISO/IEC 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS) consumed by all SaaS, PaaS, and Oracle Cloud Infrastructure Classic services, in all datacenters where these services reside. Additionally, ISO 27017 has been included within scope of our ISO/IEC 27001:2013 certification.

    Oracle SaaS

    Oracle has achieved International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS). Additionally, the ISO/IEC 27017:2015 and ISO/IEC 27018:2014 codes of practice have been included within the scope of our ISO/IEC 27001:2013 certification.

  • ISO/IEC 27017:2015 - Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services

    Conducted by EY/CertifyPoint BV, Amsterdam, Netherlands, Oracle Cloud Infrastructure’s ISO/IEC 27017:2015 audit examines cloud service specific controls, implementation guidance and other information that are intended to mitigate the risks that accompany the technical and operational features of cloud services. This certification demonstrates Oracle’s ongoing commitment to align with globally recognized good practice for information security controls for cloud services.

  • ISO/IEC 27018:2014 - Code of Practice for Protection of Personally Identifiable Information (PII) In Public Clouds Acting as PII Processors

    Conducted by EY/CertifyPoint, Oracle Cloud Infrastructure’s ISO/IEC 27018:2014 audit examines a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor. ISO/IEC 27018:2014 is based on the information security objectives and controls in ISO/IEC 27002. This certification demonstrates to Oracle customers that Oracle Cloud Infrastructure has implemented appropriate measures to protect Personally Identifiable Information (PII) for a public cloud computing environment.

  • MARS-E - Minimum Acceptable Risk Standards for Exchanges

    The Minimum Acceptable Risk Standards for Exchanges (MARS-E) is a suite of documents assembled by the Centers for Medicare & Medicaid Services (CMS). The CMS has oversight responsibility of Exchange information technology (IT) systems. The suite of documents defines a risk-based Security and Privacy Framework for Exchange information technology (IT) system design and implementation. The document suite includes guidance, requirements, and templates that address the mandates of the Patient Protection and Affordable Care Act of 2010 (ACA).

    Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of US Minimum Acceptable Risk Standards for Exchanges (MARS-E) within our Oracle Government Cloud environments.

    Oracle Cloud Infrastructure Classic

    • Compute Classic
    • Object Storage Classic

    Oracle PaaS

    • Big Data Cloud Service - Compute Edition
    • Database Backup Cloud Service
    • Database Cloud Service
    • Exadata Cloud Service
    • Golden Gate Cloud Service
    • Java Cloud Service

    Oracle SaaS

    • Service Cloud (OPA & RightNow CX)
  • NIST 800-171/DFARS 252.7012 - National Institute of Standards and Technology Special Publication 800-171 / Defense Federal Acquisition Regulation Supplement 252.7012

    The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” provides security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). Federal agencies use the requirements in contractual vehicles or other agreements established between those agencies and nonfederal organizations. The requirements apply to all nonfederal information systems and organizations that process, store, or transmit CUI.

    Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of NIST 800-171 and DFARS 252.7012 within our Oracle Government Cloud environments.

    Oracle Cloud Infrastructure Classic

    • Compute Classic
    • Object Storage Classic

    Oracle PaaS

    • Big Data Cloud Service - Compute Edition
    • Database Backup Cloud Service
    • Database Cloud Service
    • Exadata Cloud Service
    • Golden Gate Cloud Service
    • Java Cloud Service

    Oracle SaaS

    • Fusion (HCM, CRM, ERP, SCM)
    • Oracle Talent Acquisition Cloud (Taleo)
    • Service Cloud (OPA & RightNow CX)
    • Oracle Enterprise Performance Management (EPM)
  • PCI DSS - Payment Card Industry Data Security Standard

    The Payment Card Industry Data Security Standard (PCI DSS) is a global set of security standards designed to encourage and enhance cardholder data security and promote the adoption of consistent data security measures around the technical and operational components related to cardholder data.

    Oracle has successfully completed a Payment Card Industry Data Security Standard (PCI DSS) audit and received an Attestation of Compliance (AoC) covering several Oracle Cloud Infrastructure services and the Oracle RightNow Service Cloud Service. Because Oracle is a PCI Level 1 Service Provider, customers can now use these services for workloads that store, process or transmit cardholder data.

    Oracle Cloud Infrastructure

    • Archive Storage
    • Block Volumes
    • Compute
    • Containers
    • Data Transfer Service
    • Database
    • Database – Exadata
    • Database 2-Node RAC
    • FastConnect
    • File Storage Service
    • Governance
    • Key Management
    • Load Balancing
    • Networking
    • Object Storage
    • Registry

    Oracle SaaS

    • Commerce Cloud
    • Service Cloud (OPA & RightNow CX)
  • PIPEDA - Canadian Personal Information Protection and Electronic Documents Act

    The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) is a data privacy law in Canada that applies to many organizations based in Canada that collect and process the personal information of individuals.

    Oracle Cloud Infrastructure Privacy and Security Features and PIPEDA (PDF)

  • SOC 1 - System and Organization Controls 1

    SOC 1 is a report on a service organization's controls relevant to internal control over financial reporting. A “type 1” report focuses on the suitability of the system's design of its controls to achieve the control objectives. A “type 2” report includes the “type 1” report opinions; additionally, it includes an opinion on the operating effectiveness of the controls to achieve the control objectives as well as a description of the service auditor’s tests of the controls and results.

    Oracle Cloud Services have been assessed using the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18 (System and Organization Controls (SOC) 1) and the International Auditing and Assurance Standards Board (IAASB) International Standard of Assurance Engagements (ISAE) 3402 standards for the suitability of the design and operating effectiveness of the specified controls.

    Oracle Cloud Infrastructure - SOC 1 Type 2

    • Archive Storage
    • Audit
    • Block Volumes
    • Bulk Data Upload
    • Cloud Analytics (Edge Services)
    • Compute
    • Database
    • Database – Exadata
    • Database 2-Node RAC
    • Data Transfer Service
    • DNS (Edge Services)
    • Email Delivery (Edge Services)
    • FastConnect
    • File Storage Service
    • Identity and Access Management
    • Internet Intelligence (Edge Services)
    • Key Management
    • Load Balancing
    • Networking
    • Object Storage
    • Virtual Cloud Networks (VCN)

    Oracle Cloud Infrastructure Classic - SOC 1 Type 2

    • Compute Classic
    • Storage Classic

    Oracle PaaS - SOC 1 Type 1

    • Oracle API Platform Cloud Service
    • Oracle Data Integrator Cloud Service (ODICS)

    Oracle PaaS - SOC 1 Type 2

    • MySQL Cloud Service
    • Oracle Analytics Cloud (OAC)
    • Oracle API Catalog Cloud Service
    • Oracle API Platform Cloud Service
    • Oracle Application Container Cloud Service
    • Oracle Autonomous Data Warehouse
    • Oracle Autonomous Transaction Processing
    • Oracle Big Data Cloud Service - Compute Edition
    • Oracle Big Data Cloud Service (OBDCS)
    • Oracle Big Data Discovery Cloud Service (OBDDCS)
    • Oracle Big Data Preparation Cloud Service (OBDPCS)
    • Oracle Business Intelligence Cloud Service
    • Oracle Cloud Infrastructure - VPN Classic for Engineered Systems
    • Oracle Content and Experience Cloud Service
    • Oracle Data Integrator Cloud Service
    • Oracle Data Visualization Cloud Service
    • Oracle Database Backup Cloud Service
    • Oracle Database Cloud Service
    • Oracle Database Exadata Cloud Service
    • Oracle Database Schema Service
    • Oracle Event Hub Cloud Service
    • Oracle Exadata Express Cloud Service
    • Oracle GoldenGate Cloud Service
    • Oracle Identity Cloud Service (IDCS)
    • Oracle Integration Cloud Service
    • Oracle Internet of Things (IoT) Cloud Service
    • Oracle Java Cloud Service
    • Oracle Java Cloud Service for Software as a Service Extensions
    • Oracle Management Cloud Service
    • Oracle Messaging Cloud Service
    • Oracle Mobile Cloud Service
    • Oracle Process Cloud Service
    • Oracle Service Oriented Architecture Cloud Service
    • Oracle Visual Builder Cloud Service
    • Oracle WebCenter Portal Cloud Service

    Oracle SaaS - SOC 1 Type 2

    • BigMachines CPQ Cloud Service
    • Cobrowse Cloud Service (LiveLook)
    • Eloqua Marketing Cloud Service
    • Enterprise Performance Management (EPM): Account Reconciliation
    • EPM: Enterprise Performance Reporting
    • EPM: Enterprise Planning and Budgeting
    • EPM: Financial Consolidation and Close
    • EPM: Planning and Budgeting
    • EPM: Profitability and Cost
    • EPM: Tax Reporting
    • Field Service Cloud Service (TOA)
    • Fusion ERP/HCM/CRM/SCM
    • Maxymiser
    • Responsys Marketing Platform Cloud Service
    • Service Cloud (OPA & RightNow CX)
    • Social Relationship Management Cloud Service (SRM)
    • Oracle Talent Acquisition Cloud (Taleo)
    • Oracle Talent Cloud for Midsize (TBE)
    • Taleo Learn Cloud Service
    • Transportation Management Cloud Service (OTM)
    • Warehouse Management Cloud (LogFire)
  • SOC 2 - System and Organization Controls 2

    SOC 2 is a report on a service organization's controls relevant to security, availability, processing integrity, confidentiality, or privacy using up to five trust principles. A given SOC 2 report may be based on one or more trust principles. Similar to a SOC 1 report, a SOC 2 report is also available as type 1 or type 2.

    Oracle Cloud Services have been assessed using the criteria set forth in paragraph 1.26 of the American Institute of Certified Public Accountants (AICPA) Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) for the suitability of the design and operating effectiveness for the security, availability, and confidentiality principles.

    Oracle SaaS - SOC 1 Type 2

    • Archive Storage
    • Audit
    • Block Volumes
    • Bulk Data Upload
    • Compute
    • Database
    • Database – Exadata
    • Database 2-Node RAC
    • DNS (Edge Services)
    • Email Delivery (Edge Services)
    • FastConnect
    • File Storage Service
    • Identity and Access Management
    • Internet Intelligence (Edge Services)
    • Key Management
    • Load Balancing
    • Networking
    • Object Storage
    • Virtual Cloud Networks (VCN)

    Oracle Cloud Infrastructure Classic - SOC 2 Type 2

    • Oracle Block Storage Classic Service
    • Oracle Archive Storage Classic Service
    • Oracle Compute Classic
    • Oracle Container Classic Service
    • Oracle Network Cloud Service
    • Oracle Object Storage Classic Service
    • Oracle Dedicated Compute Classic Service
    • Oracle Load Balancer Classic Service

    Oracle PaaS - SOC 2 Type 1

    • Oracle API Platform Cloud Service
    • Oracle Data Integrator Cloud Service (ODICS)

    Oracle PaaS - SOC 2 Type 2

    • MySQL Cloud Service
    • Oracle Analytics Cloud (OAC)
    • Oracle API Catalog Cloud Service
    • Oracle API Platform Cloud Service
    • Oracle Application Builder Cloud Service (OABCS)
    • Oracle Application Container Cloud Service
    • Oracle Autonomous Data Warehouse
    • Oracle Autonomous Transaction Processing
    • Oracle Big Data Cloud Service - Compute Edition
    • Oracle Big Data Cloud Service (OBDCS)
    • Oracle Big Data Discovery Cloud Service (OBDDCS)
    • Oracle Big Data Preparation Cloud Service (OBDPCS)
    • Oracle Business Intelligence Cloud Service
    • Oracle Cloud Access Security Broker (CASB) Cloud Service
    • Oracle Cloud Infrastructure - VPN Classic for Engineered Systems
    • Oracle Content and Experience Cloud Service
    • Oracle Data Integrator Cloud Service
    • Oracle Data Visualization Cloud Service
    • Oracle Database Backup Cloud Service
    • Oracle Database Cloud Service
    • Oracle Database Exadata Cloud Service
    • Oracle Database Schema Service
    • Oracle Event Hub Cloud Service
    • Oracle Exadata Express Cloud Service
    • Oracle GoldenGate Cloud Service
    • Oracle Identity Cloud Service (IDCS)
    • Oracle Integration Cloud Service
    • Oracle Internet of Things (IoT) Cloud Service
    • Oracle Java Cloud Service
    • Oracle Java Cloud Service for Software as a Service Extensions
    • Oracle Management Cloud Service
    • Oracle Messaging Cloud Service
    • Oracle Mobile Cloud Service
    • Oracle Process Cloud Service
    • Oracle Service Oriented Architecture Cloud Service
    • Oracle Visual Builder Cloud Service
    • Oracle WebCenter Portal Cloud Service
    • Service-Oriented Architecture (SOA) Suite

    Oracle SaaS - SOC 2 Type 2

    • BigMachines CPQ Cloud Service
    • Cobrowse Cloud Service (LiveLook)
    • Eloqua Marketing Cloud Service
    • Enterprise Performance Management (EPM): Account Reconciliation
    • EPM: Enterprise Performance Reporting
    • EPM: Enterprise Planning and Budgeting
    • EPM: Financial Consolidation and Close
    • EPM: Planning and Budgeting
    • EPM: Profitability and Cost
    • EPM: Tax Reporting
    • Field Service Cloud Service (TOA)
    • Fusion ERP/HCM/CRM/SCM
    • Maxymiser
    • Responsys Marketing Platform Cloud Service
    • Service Cloud (OPA & RightNow CX)
    • Social Relationship Management Cloud Service (SRM)
    • Oracle Talent Acquisition Cloud (Taleo)
    • Oracle Talent Cloud for Midsize (TBE)
    • Taleo Learn Cloud Service
    • Transportation Management Cloud Service (OTM)
    • Warehouse Management Cloud (LogFire)
  • SOC 3 - System and Organization Controls 3

    SOC 3 is a report, like the SOC 2, on a service organization's controls relevant to security, availability, processing integrity, confidentiality, or privacy. However, a SOC 3 can be distributed for general use and only states whether or not the entity has achieved the Trust Service criteria, without any description of tests, results or opinions.

    Oracle Cloud Services have been assessed using the criteria set forth in paragraph 1.26 of the American Institute of Certified Public Accountants (AICPA) Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) for the suitability of the design and operating effectiveness for the security, availability, and confidentiality principles. The SOC 3 general use report on whether or not the Trust Service criteria were achieved is available for the following services.

    Oracle Cloud Infrastructure

    • Archive Storage
    • Audit
    • Block Volumes
    • Bulk Data Upload
    • Compute
    • Database
    • Database – Exadata
    • Database 2-Node RAC
    • Data Transfer Service
    • DNS (Edge Services)
    • Email Delivery (Edge Services)
    • FastConnect
    • File Storage Service
    • Identity and Access Management
    • Internet Intelligence (Edge Services)
    • Key Management
    • Load Balancing
    • Networking
    • Object Storage
    • Virtual Cloud Networks (VCN)

    Read the report (PDF)

  • United Kingdom Cloud Security Principles

    The UK National Cyber Security Centre (NCSC) was created to improve the security of and protect the UK internet and critical services from cyber attacks. The NCSC's 14 HMG Cloud Security Principles outline the requirements that cloud services should meet including considerations for data in-transit protection, supply chain security, identity and authentication and secure use of the service.

    Oracle provides Assertion Statements which outline how UK Gov Cloud offerings align with the UK National Cyber Security Centre (NCSC) Cloud Security Principles.

    Oracle Cloud Infrastructure

    National Cyber Security Centre (NCSC) guidance summarises 14 essential security principles (the NCSC Cloud Security Principles) to consider when evaluating cloud services and provides context on why these may be important to an organisation. Customers should decide which of the NCSC Cloud Security Principles are important and how much (if any) assurance they require in the implementation of these principles. Providers of cloud services should consider NCSC Cloud Security Principles when presenting their offerings to consumers. This will allow them to make informed choices about which services are appropriate for their needs. This whitepaper is intended to provide the reader and customers with an understanding of:

    • How Oracle Cloud Infrastructure’s administrative, physical and technical safeguards relevant to security, confidentiality and availability align with NCSC Cloud Security Principles.
    • How the responsibilities for security and implementation of the NCSC guidance are shared between Oracle Cloud Infrastructure (provider of cloud services) and the customer (consumer of cloud services).
    • How the customer can approach information security risk management and implementation of the NCSC Cloud Security Principles guidance using Oracle Cloud Infrastructure services.

    Oracle SaaS

    Oracle has achieved HMG Cloud Security Principles Assertion for the following services for the UK Gov Cloud only:

    • Enterprise Performance Management (EPM): Account Reconciliation
    • EPM: Enterprise Performance Reporting
    • EPM: Enterprise Planning and Budgeting
    • EPM: Financial Consolidation and Close
    • EPM: Planning and Budgeting
    • EPM: Profitability and Cost
    • EPM: Tax Reporting
    • Fusion (HCM, CRM, ERP)
    • Service Cloud (OPA & RightNow CX)
    • Oracle Talent Acquisition Cloud (Taleo)

    Read the white paper: National Cyber Security Centre (NCSC) Cloud Security Principles (PDF)