Introduction

Access control refers to the policies, procedures, and tools that govern access to and use of resources. Examples of resources include a cloud service, physical server, file, application, data in a database, and network device.

• Least privilege is a system-oriented approach in which user permissions and system functionality are carefully evaluated and access is restricted to the resources required for users or systems to perform their duties.
• Default—deny is a network-oriented configuration approach that denies the transmission of all traffic, and then specifically allows only required traffic based on protocol, port, source network address, and destination network address.

Oracle’s Access Control Policies and Practices

The Oracle Logical Access Control Policy is applicable to access control decisions for all Oracle employees and any information-processing facility for which Oracle has administrative authority. This policy does not apply to customer end user accounts for Oracle cloud services. Logical access controls for applications and systems must provide identification, authentication, authorization, accountability and auditing functionality.

User Access Management

Oracle user access is provisioned through an account-provisioning system that is integrated with Oracle's Human Resources database. Access privileges are granted based on job roles and require management approval.

Privilege Management

Authorization is dependent on successful authentication, since controlling access to specific resources depends upon establishing an entity or individual's identity. Oracle requires that authorization decisions for granting, approval, and review of access are based on the following principles:

• Need to know: Does the user require this access for his job function?
• Segregation of duties: Will the access result in a conflict of interest?
• Least privilege: Is access restricted to only those resources and information required for a legitimate business purpose?

Password Management

The use of passwords is addressed in the Oracle Password Policy. Oracle enforces strong password policies (including length and complexity requirements) for the Oracle network, operating system, email, database and other accounts to reduce the chances of intruders gaining access to systems or environments through exploitation of user accounts and associated passwords. System-generated and assigned passwords are required to be changed immediately on receipt.

Oracle personnel are obligated to follow rules for password length, complexity, and other password requirements. Employees must keep their authentication credentials, such as passwords, confidential and secured at all times and are prohibited from sharing their individual account passwords with anyone by any means. Employees are prohibited from using any Oracle system or applications passwords for non-Oracle applications or systems.

Access Review and Revocation

Oracle requires regular reviews of network and operating system accounts with regard to the appropriate employee access levels. In the event of employee terminations, deaths, or resignations, Oracle takes appropriate actions to promptly terminate network, and physical access.

Network Access Controls

Oracle requires strong network controls for the protection and control of both Oracle and customer data during its transmission. Oracle’s Network Security Policy establishes requirements for network management, network access and network device management, including authentication and authorization requirements for both physical devices and software-based systems. Unused network ports must be deactivated.