Your search did not match any results.
We suggest you try the following to help find what you’re looking for:
The Australian Prudential Regulation Authority (APRA) is the prudential regulator of financial services in Australia. APRA is responsible for issuing standards that regulate the operations of banks, credit unions, and insurance companies that operate business in Australia. Oracle is not an APRA-regulated entity (ARE). However, Oracle recognizes that some of its customers must adhere to APRA standards, and will work with its customers in a transparent and engaging manner to understand their specific requirements.
Oracle has been committed to delivering on the needs of public and private sector organisations for over four decades. Oracle Cloud reinforces and extends this commitment by enabling regulated organisations as well as government agencies to move critical resources to an in-country cloud service, which has been designed for their needs and to facilitate their compliance objectives.
To help ARE customers with their APRA regulatory requirements, Oracle has consolidated and summarized frequently asked questions into one document. These questions have been identified as being critical in the mitigation of risks associated with information security incidents and customer confidentiality for AREs. For further information, see the APRA Regulated Entity Frequently Asked Questions (PDF).
For further assistance, submit your APRA inquires here.
The Broad-Based Black Economic Empowerment (B-BBEE) Act established that South Africa needs a focused Black Economic Empowerment (BEE) strategy to achieve the broad-based economic empowerment of black persons—a generic term, which means indigenous Africans, Coloureds and Indians—in the country.
The Act provides a legislative framework for the promotion of BEE, empowering the Minister of Trade and Industry to issue Codes of Good Practice. The latest Codes of Good Practice on Black Economic Empowerment were published in the Government Gazette No. 36928, 11 October 2013, and provide the framework for companies to be rated. “The South African Government’s approach is that BEE must be an inclusive process and not an exclusive process. No economy can grow by excluding any part of its people and an economy that is not growing cannot integrate all of its citizens in a meaningful way”.
Oracle Corporation in South Africa has achieved Level 2 B-BBEE Contributor Status for the second consecutive year. Level 2 status demonstration Oracle’s commitment and investment in the South African economy. For more information regarding the B-BBEE Act, read the B-BBEE Strategy published by the Department of Trade, Industry and Competition of South Africa.
The Cloud Computing Compliance Controls Catalog (C5) is produced by the German Ministry for Information Security (BSI). C5 provides cloud providers with a framework with a minimum set of cloud security controls that are audited under ISAE 3000 rules by an independent, third party assessor. Oracle has been successfully evaluated against the C5 security requirements for the following services.
Oracle Cloud Infrastructure
Oracle Cloud Applications
The Central Bank of Brazil (BACEN) was passed in April 2018 to establish a series of digital security requirements for financial institutions that are regulated by the bank authority. The legislation covers all financial institutions that offer services or have operations involving data handling in Brazil. OCI has implemented security controls supporting its infrastructure that aligns with the BACEN framework.
The Cloud Security Alliance (CSA) is a non-profit organization that promotes best practices for providing security assurance in cloud computing.
Oracle Cloud Infrastructure has been assessed by an independent auditor against the CSA Security, Trust, Assurance, and Risk (STAR) Cloud Control Matrix (CCM). This assessment is based on the CSA CCM control framework and controls from SOC 2 and ISO 27001. Oracle Cloud Infrastructure has implemented the necessary security controls and has received a CSA STAR Level 2 Attestation report from our third-party auditor. In addition, Oracle has a completed Consensus Assessments Initiative Questionnaire (CAIQ) CSA STAR Level 1 Self-Assessment that is publicly available, providing security control transparency.
Oracle Cloud Infrastructure
Oracle Cloud Applications
The Communications and Information Technology Commission (CITC) in Saudi Arabia published a Cloud Computing Regulatory Framework (CCRF) based on international best practices and analysis that outlines the rights and obligation of cloud service providers and cloud customers in Saudi Arabia. Cloud service providers must register with CITC to demonstrate alignment with this framework. Oracle has built its infrastructure to support and is Level-1 certified with CITC for Oracle Cloud Infrastructure.
The Criminal Justice Information Services (CJIS) Security Policy establishes guidelines for specific security precautions to protect criminal justice information (CJI), such as fingerprints and criminal backgrounds.
Oracle has obtained a third-party assessment of available security controls for certain cloud services against the technical requirements of Criminal Justice Information Services (CJIS) within our Oracle Government Cloud environments.
Oracle Cloud Infrastructure
Oracle Cloud Applications
Cyber Essentials is a UK government-backed model that identifies the technical security controls an organization needs within their IT systems to defend against common cyber threats. It can help demonstrate that an organization can identify and mitigate potential cyber risks, has adopted security controls to protect customer data, and is compliant with UK government requirements to bid for UK government contracts. Cyber Essentials PLUS covers the same requirements as Cyber Essentials, but the tests of the systems are carried out by an authorized, external certifying body.
Oracle has obtained Cyber Essentials Plus certification for our London-based Commercial Cloud and UK Government Cloud offerings.
Oracle Cloud Infrastructure
Oracle has achieved Cyber Essentials Plus Certification for Oracle Cloud Infrastructure residing in the UK Commercial Cloud.
Oracle Cloud Applications
Oracle has achieved Cyber Essentials Plus Certification for the following services for the UK Gov Cloud only:
The Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (CC SRG) outlines how the DoD will assess the security posture of non-DoD cloud service providers (CSPs) and how non-DoD CSPs can show they meet the security controls and requirements. These baseline cloud security requirements are required before handling any DoD data.
All cloud computing is required to take place in the U.S and are based off of impact levels:
For select services Oracle has received Department of Defense (DoD) Provisional Authorizations at Impact Levels 5, 4, and 2.
Oracle Cloud Infrastructure (IL2 and IL5)
Oracle Cloud Applications
Oracle has achieved a DISA SRG Level 4 Accreditation for the following services within the Oracle DoD Cloud:
Oracle has achieved a DISA SRG Level 2 Authorization for the following services within the Gov Cloud:
The European Banking Authority (EBA), an EU financial supervisory authority, produces the EBA Guidelines on outsourcing arrangements (PDF) to provide financial institutions guidance for outsourcing arrangements such as cloud services.
Oracle supports our customers by providing transparency around security controls, policies, and documentation. Please go here to learn more about how banks benefit from adopting Oracle Cloud Infrastructure to address the EBA Guidelines.
Law 11/2007 in Spain establishes a legal framework to give citizens electronic access to government and public services. Aligned with ISO/IEC 27001, the framework defines a set of security controls for availability, authenticity, integrity, confidentiality, and traceability. The certification establishes security standards that apply to all government agencies and public organizations in Spain, as well as related service providers. Oracle has been evaluated by a third-party assessor against ENS High security controls.
Oracle Cloud Infrastructure
Oracle Cloud Applications
EU Model Clauses are contractual clauses established by the European Commission and used in agreements between cloud service providers and their customers that govern data transfers from data controllers in the EU to data controllers established outside the EU or European Economic Area (EEA). OCI has implemented security controls supporting its infrastructure that align with EU Model Clauses for Oracle Cloud Infrastructure.
The European Network and Information Security Agency (ENISA) is a European agency that contributes to European cybersecurity policy and supporting member state and other stakeholders of the union, when large-scale cyber incidents occur.
ENISA has created a set of assurance criteria called the Information Assurance Framework (IAF) that is designed to help consumers of cloud services to:
This framework is based on the broad classes of controls from the ISO27001/2 standard, alongside other industry frameworks such as the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM).
Oracle’s SaaS have obtained CSA Star Level 2 certification for Fusion on OCI and a certified ISMS against the ISO27001:2013, 27017:2015 & 27018:2014 standard. These certifications can help consumers of cloud services to review Oracle security controls and the alignment of these Oracle cloud services to ENISA IAF, and how these controls compare to their requirements, and to other cloud providers, when conducting their assurance activities and/or risk assessments in migrating to the cloud.
The Federal Financial Institutions Examination Council (FFIEC) is a formal interagency body that is responsible for the federal examination of financial institutions in the United States. The FFIEC developed the Cybersecurity Assessment Tool (Assessment) to help institutions identify their risks and determine their cybersecurity preparedness. Oracle Cloud Infrastructure (OCI) evaluated the Federal Financial Institutions Examination Council (FFIEC) framework against OCI’s secure environment and control structure to produce our ratings per the FFIEC’s Cybersecurity Assessment Tool. This provides customer visibility into OCI’s inherent risk and cybersecurity maturity levels.
Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of US Federal Info Processing Standard (FIPS 140-2) within our Oracle Government Cloud environments.
The Federal Information Processing Standard Publication 140-2 (FIPS 140-2) is a US government security standard that specifies the security requirements related to the design and implementation of cryptographic modules protecting sensitive data. Cryptographic module protection within a security system is needed to maintain the confidentiality and integrity of the data protected by the module.
Oracle Cloud Applications
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services. US Federal agencies are directed by the Office of Management and Budget (OMB) to leverage FedRAMP to ensure security is in place when accessing cloud products and services.
FedRAMP uses the NIST Special Publication 800-53, which provides a catalog of security controls for all US Federal information systems. FedRAMP requires cloud service providers (CSP) to receive an independent security review performed by a third-party assessment organization (3PAO) to ensure authorizations are compliant with the Federal Information Security Management Act (FISMA).
The following Oracle Cloud Services have received US Federal Risk and Authorization Management Program (FedRAMP) Provisional Authority to Operate (P-ATOs) and Authority to Operate (ATOs) defined by FedRAMP.
Visit FedRAMP Marketplace for more details.
Oracle Cloud Infrastructure (FedRAMP High JAB P-ATO)
Oracle Cloud Infrastructure can provide government customers with the stringent standards of security necessary to protect the federal government's data. Oracle has obtained a P-ATO from the Joint Authorization Board (JAB) for FedRAMP High in its U.S. Government Cloud regions.
Oracle Cloud Applications
Oracle has achieved FedRAMP Low (baseline) ATO for the following Oracle US Government Cloud offering:
Oracle has achieved FedRAMP Moderate (baseline) ATO for the following services within Oracle US Government Cloud offering:
Oracle has achieved FedRAMP High (baseline) ATO for the following Oracle US Government Cloud offering:
The Center for Financial Industry Information Systems (FISC), created by the Japanese Ministry of Finance, consists of financial institutions, insurance companies and securities firms, as well as computer manufacturers and telecommunication companies. The organization established the FISC Security Guidelines in 1985. These guidelines provide basic standards in architecture and operation on information systems for banking and other related financial institutions. Oracle has been evaluated by a third-party assessor against the Financial Industry Information Systems (FISC) v9 security guidelines.
Oracle Cloud Infrastructure
Oracle Cloud Infrastructure Classic
Oracle Cloud Applications
The UK Government G-Cloud is a procurement initiative to streamline cloud-computing procurement by public-sector bodies in departments of the United Kingdom Government. The G-Cloud Framework enables public entities to purchase cloud services on government-approved contracts through an online Digital Marketplace. Oracle has registered as part of G-Cloud 12 in order to streamline the ability of Her Majesty's Government to procure and deploy on Oracle's cloud, with pre-negotiated terms and pricing. Oracle has achieved enablement in this marketplace for Oracle Cloud Infrastructure.
Oracle Cloud Infrastructure
Oracle PaaS
Oracle offers a wide range of security solutions to help customers meet requirements of the GDPR, including services for administrative access controls, network security controls, logging, and encryption.
Oracle Cloud Infrastructure and European Union General Data Protection Regulation (GDPR) (PDF)
GxP refers to the “good practice” guidelines and regulations developed to ensure the safety and efficacy of food, medical devices, drugs and other Life Science products. The “x” can refer to a number of different disciplines: Good Manufacturing Practice (GMP), Good Clinical Practice (GCP), Good Laboratory Practice (GLP), and others. The American Food and Drug Administration (FDA), the European Medicines Agency (EMA), and other organizations around the world oversee and enforce GxP regulatory requirements.
Oracle Cloud Infrastructure (OCI) has implemented an effective integrated management system of security, quality and service management controls that supports Life Science customers use of OCI services to develop, validate and maintain their critical GxP workloads.
The French Public Health Code requires healthcare organizations that control, process, or store health or medical data to use infrastructure, hosting, and platform service providers that are Hébergeur de Données de Santé (HDS) accredited and certified. HDS certification demonstrates that Oracle Cloud Infrastructure (OCI) has implemented corporate governance and security controls to ensure the confidentiality, integrity, and availability of personal health data. The security and privacy of French healthcare information are governed by French law and the EU General Data Protection Regulation (GDPR).
Oracle Cloud Infrastructure is listed on the Agence du Numerique en Sante’s (ASIP) website as an HDS certified host: https://esante.gouv.fr/labels-certifications/hds/liste-des-herbergeurs-certifies
Oracle Cloud Infrastructure
Oracle Cloud Applications
The Health Information Trust Alliance (HITRUST®) was established in 2007 by leaders in the healthcare industry to provide an integrated approach to risk management and compliance program reporting. The HITRUST Common Security Framework (CSF) Assurance Program is a prescriptive set of controls that harmonize data protection and privacy requirements from regulations and many authoritative sources such as ISO/IEC, NIST, PCI, GDPR, and HIPAA.
A HITRUST Authorized External Assessor has examined Oracle Cloud Infrastructure (OCI) policies, procedures, and controls against the HITRUST CSF v 9.3 framework. Based upon the results of the Validated Assessment, HITRUST has issued a Letter of Certification to Oracle Cloud Infrastructure.
Customers across multiple industries can rely on OCI’s HITRUST certification to demonstrate that security and privacy controls have been implemented and assessed against a comprehensive set of standards.
Oracle Cloud Infrastructure
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is US legislation that provides data privacy and security provisions for safeguarding Protected Health Information (PHI). HIPAA applies to covered entities and business associates.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity and security of protected health information (PHI). The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI. By law, the Privacy Rule applies only to covered entities (e.g., health plans, health care clearinghouses and certain health care providers). However, parts may be applicable to business associates.
Oracle has successfully completed third-party HIPAA assessments for the following services within commercial and government data centers located both inside and outside the United States.
Oracle Cloud Infrastructure
PaaS Built on Oracle Cloud Infrastructure
Oracle has successfully completed third-party HIPAA assessments for the following services within commercial and government data centers located both inside and outside the United States:
Oracle Cloud Applications
Oracle has successfully completed third party HIPAA assessments for the following services:
The Information Security Management System is a Korea-specific set of control requirements developed from proven security standards to ensure consistent and secure cloud operations. Cloud service providers in South Korea are required to obtain the ISMS certification upon reaching a revenue threshold that OCI already exceeds. Oracle has achieved ISMS certification for the Oracle Cloud Infrastructure.
The Insurance Regulatory and Development Authority of India (IRDAI) has established directives that include outsourcing and risk management guidelines and requirements for compliance with privacy rules governing sensitive data within the financial services sector. Oracle Cloud Infrastructure services offer controls which can help support the IRDAI compliance needs of finance and insurance customers in India.
The Information Security Registered Assessor Program (IRAP) is a security compliance framework comprised of security assessment processes and a security assessor program. It was developed by the Australia Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) within the Australian government. IRAP supports Australian commonwealth government entities in maintaining their security assurance and risk management as well as assessing cloud service providers and their cloud services’ security controls against the Australian government security policies and guidelines.
Oracle Cloud Applications
The following Oracle Cloud Applications have been assessed by an independent third-party assessor and qualified for IRAP’s PROTECTED level:
The following Oracle Cloud Applications were assessed by an independent third-party assessor and qualified for IRAP’s Official: Sensitive level:
The Internal Revenue Service Publication 1075 (IRS 1075) is a US government guideline to ensure effective security controls are in place to protect Federal Tax Information (FTI). The IRS 1075 assessment report provides information on the available technical safeguards intended to adequately protect the confidentiality and integrity of FTI.
Oracle has obtained a third-party assessment of available security controls for certain cloud services against the technical requirements of US Internal Revenue Service Publication 1075 within our Oracle Government Cloud environments.
Oracle Cloud Applications
International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 20000-1:2018 specifies requirements for establishing, implementing, maintaining and continually improving a service management system (SMS). An SMS supports the management of the service lifecycle, including the planning, design, transition, delivery and improvement of services, which meet agreed requirements and deliver value for customers, users and the organization delivering the services. Oracle has achieved ISO/IEC 20000-1:2018 certification for Oracle Cloud Infrastructure.
ISO/IEC 9001:2015 is an international standard for an organization to establish, implement, maintain, and continually improve a Quality Management System. This widely adopted global quality standard sets out requirements and best practices for a systematic approach to manage the security, availability, confidentiality, and integrity of products and services.
Oracle has achieved International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 9001:2015 certification for the following Oracle Cloud Infrastructure services:
ISO/IEC 27001:2013 is an international standard that covers the planning, implementation, monitoring, and improvement of an Information Security Management System. This widely adopted global security standard sets out requirements and best practices for a systematic approach to managing company and customer information based on periodic security risk assessments.
Oracle has achieved International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS), additionally, ISO 27017 has been included within scope of our ISO/IEC 27001:2013 certification.
Oracle Cloud Infrastructure
Oracle has successfully completed ISO/IEC 27001:2013 audits for Oracle Cloud Infrastructure and Oracle Edge Services.
Oracle Infrastructure Classic
Oracle PaaS
Oracle has achieved ISO/IEC 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS) consumed by all SaaS, PaaS, and Oracle Cloud Infrastructure Classic services, in all data centers where these services reside. Additionally, ISO 27017 has been included within scope of our ISO/IEC 27001:2013 certification.
Services include:
Oracle Cloud Applications
Oracle has achieved International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS). Additionally, ISO/IEC 27017:2015 and ISO/IEC 27018:2014 codes of practices have been included within scope of our ISO/IEC 27001:2013 certification.
Oracle Gen 2 Exadata Cloud at Customer
Oracle has successfully completed an ISO/IEC 27001:2013 audit for Oracle Gen 2 Exadata Cloud at Customer.
Conducted by EY/CertifyPoint BV, Amsterdam, Netherlands, Oracle Cloud Infrastructure’s ISO/IEC 27017:2015 audit examines cloud service specific controls, implementation guidance and other information that are intended to mitigate the risks that accompany the technical and operational features of cloud services. This certification demonstrates Oracle’s ongoing commitment to align with globally recognized good practice for information security controls for cloud services.
Oracle Cloud Infrastructure
Oracle Cloud Infrastructure Classic
Oracle PaaS
Oracle Cloud Applications
Conducted by EY/CertifyPoint, Oracle Cloud Infrastructure’s ISO/IEC 27018:2014 audit examines a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor. ISO/IEC 27018:2014 is based on the information security objectives and controls in ISO/IEC 27002. This certification demonstrates to Oracle customers that Oracle Cloud Infrastructure has implemented appropriate measures to protect Personally Identifiable Information (PII) for a public cloud computing environment.
Oracle Cloud Infrastructure
Oracle Cloud Infrastructure Classic
Oracle PaaS
Oracle Cloud Applications
ISO/IEC 27701:2019 is an international standard for data privacy that provides a framework for organizations to establish, implement, maintain and continuously improve a Privacy Information Management System (PIMS). ISO 27701 is an extension of Oracle’s ISO 27001 Information Security Management System (ISMS) certification and includes specific guidance and controls to support an effective PIMS.
This certification demonstrates that Oracle Cloud Infrastructure (OCI) has implemented the required controls to protect customers’ data privacy and personally identifiable information processed on OCI.
Oracle Cloud Infrastructure
The International Traffic in Arms Regulations, or ITAR, is a set of government rules that control the export and import of defense-related articles, services and technology. ITAR compliance is required for customers that are subject to export regulations and that must ensure technical data is not inadvertently distributed to foreign persons or foreign nations. Oracle is aligned with ITAR requirements.
The Financial Service Committee (FSC) of Korea is responsible for monitoring and assessing the security of all Korean Financial Institutions to ensure compliance with the Korean FSI Framework. OCI has been evaluated by the FSC of Korea against the Korean FSI security controls. This certification enables Korean financial sector customers to leverage OCI as their cloud services provider within the region.
Oracle publishes this report to provide information regarding informational requests submitted to us by law enforcement agencies and governments globally.
Brazil’s Lei Geral de Proteção de Dados (LGPD) was passed in August 2018 to promote and protect privacy and to regulate how Brazilian companies handle personal information. The legislation covers all companies that offer services or have operations involving data handling in Brazil. OCI has implemented security controls supporting its infrastructure that aligns with the LGPD framework.
The Minimum Acceptable Risk Standards for Exchanges (MARS-E) is a suite of documents assembled by the Centers for Medicare & Medicaid Services (CMS). The CMS has oversight responsibility of Exchange information technology (IT) systems. The suite of documents defines a risk-based Security and Privacy Framework for Exchange information technology (IT) system design and implementation. The document suite includes guidance, requirements, and templates that address the mandates of the Patient Protection and Affordable Care Act of 2010 (ACA).
Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of US Minimum Acceptable Risk Standards for Exchanges (MARS-E) within our Oracle Government Cloud environments.
Oracle Cloud Applications
The Ministry of Electronics and Information Technology (MeitY) has empaneled Oracle India for Oracle Cloud Infrastructure's Mumbai availability domain.
The MeitY agency provides policy guidelines to all government and state public sector organizations. Its guidelines are frequently adopted by India's private sector organizations in regulated industries, such as financial services and telecommunications. After a successful audit, MeitY empanels cloud service providers and lists them in a government cloud services directory where public sector organizations can compare and procure accredited cloud services.
In Japan, My Number is a 12-digit ID number issued to all citizens and residents of Japan (even foreign residents). Similar to the US SSN, the number is used for taxation, social security, and disaster-response purposes. The numbers were first issued in late 2015, and the bill includes a provision about protection of specific personal information. The My Number Act is designed to improve efficiency and transparency of government systems in Japan and to protect personal information of each number holder. Oracle has designed and implemented security controls around its infrastructure technology stack; customers can architect, build, and maintain security for their own applications and workloads.
The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) in Japan works to establish common standards for cybersecurity for government agencies. The NISC governing body is responsible for monitoring government related organizations that handle large volumes of personal information in and out of the cloud sector. NISC has designed a wide range of security guidelines to for government entities to follow, which promote efficient and effective cyber security measures and legal compliance. Oracle has been evaluated by a third-party assessor against NISC guidelines for the following services:
Oracle Cloud Infrastructure
Oracle Cloud Infrastructure Classic
Oracle PaaS
Oracle Cloud Applications
The Saudi Arabian National Cybersecurity Authority (NCA) was established by Royal Decree to guide national organizations “to effectively identify and address risks related to cyber security” for a defined set of sectors serving critical infrastructure for Saudi Arabia. Oracle’s implementation of cloud infrastructure is consistent with these security models and makes available a set of security controls for customer use in their own implementations. This allows Oracle to provide services in the region, including specific infrastructure security controls that customers can use to implement and operate their own platforms and applications, sharing responsibility to meet the requirements of the authority’s cybersecurity controls. OCI has implemented security controls supporting its infrastructure that align with NCA for:
Oracle Cloud Infrastructure
The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” provides security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). Federal agencies use the requirements in contractual vehicles or other agreements established between those agencies and nonfederal organizations. The requirements apply to all nonfederal information systems and organizations that process, store, or transmit CUI.
Oracle has obtained a third-party assessment of available security controls for certain cloud services against the technical requirements of NIST 800-171 and DFARS 252.7012 within our Oracle Government Cloud environments.
Oracle Cloud Applications
NERC is a not-for-profit international regulatory authority whose aim is to ensure effective and efficient reduction of risks to the reliability and security of the bulk power grid. NERC develops and enforces reliability standards and is subject to oversight by the Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada. NERC CIP cybersecurity standards mandate a range of security programs for the power industry within the United States and Canada.
Oracle Cloud Infrastructure (OCI) enables enterprises to maximize workloads migrated to the cloud while maintaining a strong security posture. With OCI, power industry customers receive control of non-mission critical applications and transparency into their data in the cloud. OCI’s security solutions help bulk power companies (registered entities) to meet the standards within the NERC CIP framework.
The Payment Card Industry Data Security Standard (PCI DSS) is a global set of security standard designed to encourage and enhance cardholder data security and promote the adoption of consistent data security measures around the technical and operational components related to cardholder data.
Oracle Cloud Infrastructure has successfully achieved an Attestation of Compliance (AoC) through successful Payment Card Industry Data Security Standard (PCI DSS) third party audits to cover the following:
Oracle Cloud Infrastructure
*The Fusion Cloud Service uses CyberSource iframe to ensure that all cardholder data flows between the customer end-user’s browser and CyberSource. The Fusion Cloud Service only receives PAN truncated to the last four digits and tokenized cardholder data from CyberSource.
The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) is a data privacy law in Canada that applies to many organizations based in Canada that collect and process the personal information of individuals.
Oracle Cloud Infrastructure Privacy Features (PDF)
Oracle Cloud Infrastructure Privacy and Security Features and PIPEDA (PDF)
Federal government contracts in Canada contain clauses with security requirements that specify levels of security for sensitive information, assets and work sites. The Canadian government has established levels for protection of information and assets, and Level B applies to information or assets whose loss or damage could cause serious injury to an individual, organization or government. OCI has implemented security controls supporting its infrastructure that aligns with Protected B.
View the Canada Protected B Marketplace.
Oracle Cloud Infrastructure
The Reserve Bank of India (RBI) has established directives that include outsourcing and risk management guidelines and requirements for compliance with privacy rules governing sensitive data within the financial services sector. Oracle Cloud Infrastructure (OCI) services offers controls which can help support the RBI and IRDAI compliance needs of finance and insurance customers in India.
The Saudi Arabian Monetary Authority (SAMA) of the Kingdom of Saudi Arabia has established a Cyber Security Framework to enable financial institutions regulated by SAMA to effectively identify and address risks related to cyber security. SAMA states that “To maintain the protection of information assets and online services, the Member Organizations must adopt the Framework.” The SAMA Cyber Security Framework provides a baseline for security of information interchange between Member Organizations, and between Member Organizations and SAMA. The Framework consists of 32 control topics grouped into four areas. These controls generally map to either or both the ISO/IEC 27001 controls and the PCI-DSS controls, consistent with SAMA’s stated intent to facilitate financial operations, modernization, and information exchange. Oracle Cloud Infrastructure implementation of cloud infrastructure is consistent with these security models and makes available a set of security controls for customer use in their own implementations. OCI has implemented security controls supporting its infrastructure that align with SAMA:
Oracle Cloud Infrastructure
Oracle Cloud Applications
At the customer’s request, Oracle can provide a mapping of the SAMA CSP section that details how OCA adheres to the SAMA cybersecurity framework and its requirements.
Financial institutions based in the United States and the European Union are subject to regulatory requirements for electronic records retention. These requirements include SEC Rule 17a-4(f), FINRA Rule 4511(c), CFTC Regulation 1.31(c)-(d), and the Markets in Financial Instruments Directive II (MiFID II) requirements. Oracle Cloud Infrastructure’s (OCI) Object Storage has been assessed by Cohasset Associates, an independent third-party assessor, to verify that OCI’s Storage Retention Rules can be configured to support customers in addressing their regulatory requirements.
OCI’s Storage Retention Rules provide immutable write once read many (WORM)-compliant storage options for data written to Object Storage.
SOC 1 provides assurance over a service organization’s internal financial reporting controls. A “type 1” report focuses on the suitability of the system's design of its controls to achieve the control objectives. A “type 2” report includes the “type 1” report opinions; additionally, it includes an opinion on the operating effectiveness of the controls to achieve the control objectives as well as a description of the service auditor’s control test results.
Oracle Cloud Infrastructure has been assessed using the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18 (System and Organization Controls (SOC) 1) and the International Auditing and Assurance Standards Board’s (IAASB) International Standard of Assurance Engagements (ISAE) 3402 standards for the suitability of the design and operating effectiveness of the specified controls.
Oracle Cloud Infrastructure—SOC 1 Type 2
SOC 2 is a report on service organization controls, which includes the relevant trust principles (security, availability, processing integrity, confidentiality, or privacy). Similar to a SOC 1 report, SOC 2 also has two types: type 1 or type 2. A “type 2” report includes the “type 1” report opinions; additionally, it includes an opinion on the operating effectiveness of the controls to achieve the control objectives as well as a description of the service auditor’s control test results.
Oracle Cloud Services have been assessed using the criteria set forth in paragraph 1.26 of the American Institute of Certified Public Accountants (AICPA) Guide Reporting on Controls at a Service Organization Relevant to the suitability of the design and operating effectiveness for the security, availability, and confidentiality principles.
Oracle Cloud Infrastructure—SOC 2 Type 2
PaaS Built on Oracle Cloud Infrastructure—SOC 2 Type 2
Oracle Cloud Applications—SOC 2 Type 2
SOC 3 is a report, like the SOC 2, on a service organization controls relevant trust principles (security, availability, processing integrity, confidentiality, or privacy). However, a SOC 3 can be distributed for general use and only states whether the entity has achieved the Trust Service criteria, without any description of tests, results, or opinions.
Oracle Cloud Services have been assessed using the criteria set forth in paragraph 1.26 of the American Institute of Certified Public Accountants (AICPA) Guide Reporting on Controls at a Service Organization Relevant to the suitability of the design and operating effectiveness for the security, availability, and confidentiality principles. The SOC 3 general use report for the relevant Trust Service criteria is available for the following services.
Download Oracle Cloud Infrastructure’s SOC 3 report
Oracle Cloud Infrastructure
The Swiss Financial Market Supervisory Authority (FINMA) is responsible for the supervision and regulation of Swiss banks, insurance companies, and securities dealers. FINMA published Circular 2018/3 Outsourcing-banks and insurers to define the requirements financial services organizations to consider when they outsource any significant business activity. The Swiss Banking Association (SBA) has developed further guidance for the secure use of cloud services by banks and securities dealers.
Oracle Cloud Infrastructure’s (OCI) alignment with FINMA guidelines provides the customer with confidence that they can meet all of FINMA's requirements on OCI. Our mapping to FINMA Circular 2018/3 demonstrates OCI privacy and security controls or service features as a source of guidance for Oracle customers to adhere with FINMA compliance requirements.
Three government ministries in Japan have developed guidelines to promote cloud security and the safeguarding of data for the medical institutions in Japan. These ministries include:
Oracle has been evaluated by a third-party assessor against the security requirements of Three Ministries. The report from Oracle Cloud Infrastructure’s independent assessor is designed to assist the customer in its own compliance efforts with respect to requirements outlined in the guidelines.
Oracle Cloud Infrastructure
Oracle Cloud Infrastructure Classic
Oracle PaaS
The Trusted Information Security Assessment Exchange (TISAX) is a German standard security assessment used by the automotive industry. TISAX is based on the Verband der Automobilindustrie (VDA) Information Security Assessment (ISA), which is an information security requirements catalogue based on key aspects of the international standard ISO/IEC 27001. It is used by companies both for internal purposes and by suppliers and service providers who process sensitive information from their respective companies. Oracle has been evaluated by a third-party assessor against TISAX security requirements for Oracle Cloud Infrastructure and Oracle Cloud Applications (Fusion).
The Data Security and Protection Toolkit is a self-assessment tool that measures performance against the United Kingdom's National Health Service 10 data security standards. Any organizations that have access to NHS patient data and systems must use this toolkit to provide assurance that they practice good data security and that personal information is handled correctly. Oracle has submitted their responses and has been rated as "Standards Exceeded".
The scope of the Oracle assessment includes the following Oracle SaaS services for UK Government Cloud only:
Oracle Cloud Infrastructure
The UAE Telecommunication Regulatory Authority (TRA) issued the Information Assurance Regulation (IAR) to provide minimum cybersecurity requirements for the critical infrastructure sectors in UAE. TRA-designated entities are required to implement the IAR framework and apply its requirements to the use, processing, storage, and transmission of information or data. Oracle Cloud Infrastructure (OCI) was formally audited by a third-party assessor against the requirements of the IAR framework and was found to have met the necessary IAR requirements. The completion of this assessment enables UAE critical infrastructure customers to move workloads to OCI.
The UK National Cyber Security Centre (NCSC) was created to improve the security of and protect the UK internet and critical services from cyberattacks. The NCSC's 14 HMG Cloud Security Principles outline the requirements that cloud services should meet including considerations for data in-transit protection, supply chain security, identity and authentication, and secure use of the service.
Oracle provides Assertion Statements which outline how UK Government Cloud offerings align with the UK National Cyber Security Centre (NCSC) Cloud Security Principles.
Oracle Cloud Infrastructure
National Cyber Security Centre (NCSC) guidance summarizes 14 essential security principles (the NCSC Cloud Security Principles) to consider when evaluating cloud services and provides context on why these may be important to an organization. Customers should decide which of the NCSC Cloud Security Principles are important and how much (if any) assurance they require in the implementation of these principles. Providers of cloud services should consider NCSC Cloud Security Principles when presenting their offerings to consumers. This will allow them to make informed choices about which services are appropriate for their needs. This technical paper is intended to provide the reader and customers with an understanding of:
Read the technical paper: National Cyber Security Centre (NCSC) Cloud Security Principles (PDF)