Introduction

Access control refers to the policies, procedures, and tools that govern access to and use of resources. Examples of resources include a physical server, a file, a directory, a service running on an operating system, a table in a database, or a network protocol.

• Least privilege is a system-oriented approach in which user permissions and system functionality are carefully evaluated and access is restricted to the resources required for users or systems to perform their duties.
• Default-deny is a network-oriented approach that implicitly denies the transmission of all traffic, and then specifically allows only required traffic based on protocol, port, source, and destination.

Oracle’s Access Control Policies and Practices

The Oracle Logical Access Control Policy is applicable to access control decisions for all Oracle employees and any information-processing facility for which Oracle has administrative authority. This policy does not apply to publicly accessible, internet-facing Oracle systems or end users.

User Access Management

Oracle user access is provisioned through an account-provisioning system that is integrated with Oracle's Human Resources database. Access privileges are granted based on job roles and require management approval.

Privilege Management

Authorization is dependent on successful authentication, since controlling access to specific resources depends upon establishing an entity or individual's identity. All Oracle authorization decisions for granting, approval, and review of access are based on the following principles:

• Need to know: Does the user require this access for his job function?
• Segregation of duties: Will the access result in a conflict of interest?
• Least privilege: Is access restricted to only those resources and information required for a legitimate business purpose?

User Password Management

Oracle enforces strong password policies for the Oracle network, operating system, and database accounts to reduce the chances of intruders gaining access to systems or environments through exploitation of user accounts and associated passwords. When Oracle compliance organizations determine that a password is not in compliance with strong password standards, they work with the applicable employee and line of business to bring the password into compliance with the standards.

Periodic Review of Access Rights

Oracle regularly reviews network and operating system accounts with regard to the appropriate employee access levels. In the event of employee terminations, deaths, or resignations, Oracle takes appropriate actions to promptly terminate network, telephony, and physical access.

Password Policy

The use of passwords is addressed in the Oracle Password Policy. Oracle employees are obligated to follow rules for password length and complexity, and to keep their passwords confidential and secured at all times. Passwords may not be disclosed to unauthorized persons. Under certain circumstances, authorized Oracle employees may share passwords for the purpose of providing support services.

Network Access Controls

Oracle has implemented and maintains strong network controls to for the protection and control of customer data during its transmission. Oracle’s Network Security Policy establishes requirements for network management, network access and network device management, including authentication and authorization requirements for both physical devices and software-based systems.