Oracle has formal requirements for use of the Oracle corporate network, computer systems, telephony systems, messaging technologies, internet access, enterprise data, customer data, and other company resources available to Oracle employees, contractors and visitors.
Communications to and from the Oracle corporate network must pass through network-security devices at the network boundary. Access to the Oracle corporate network by third parties is subject to prior approval. Remote connections to the Oracle corporate network must exclusively use approved virtual private network (VPN) solutions. To learn more about Oracle’s network management practices, please see Network Communications Security.
Operations are organized into functional groups, where each function is performed by separate groups of employees. Examples of functional groups include developers, database administrators, system administrators, and network engineers. Learn more about Oracle Access Controls.
The Oracle Patching and Security Alerts Implementation Policy requires the deployment of the Oracle Critical Patch Update and Security Alert updates as well as associated recommendations. This policy also includes requirements for remediating vulnerabilities in non-Oracle technology using a risk-based approach.
The Oracle Server Security Policy requires servers (both physical and virtual) managed by Oracle or third parties on behalf of Oracle to be physically and logically secured in order to prevent unauthorized access to the servers and associated information assets.
Oracle logs certain security-related activities on operating systems, applications, databases, and network devices. Systems are configured to log access to Oracle programs, as well as system alerts, console messages, and system errors. Oracle implements controls designed to protect against operational problems, including log file media becoming exhausted, events failing to be recorded, and/or logs being overwritten.
Oracle reviews logs for forensic purposes and incidents, and identified anomalous activities feed into the security-incident management process. Access to security logs is provided on the basis of need-to-know and least privilege. Where possible, log files are protected by strong cryptography in addition to other security controls, and access is monitored. Logs generated by internet-accessible systems are relocated to systems that are not internet-accessible.
The Oracle Information Systems Asset Inventory Policy requires an accurate inventory of all information systems and devices holding information assets throughout their lifecycle through a Corporate-approved inventory system. This policy defines required identifying attributes to be recorded for server hardware, software, data held on information systems, and information needed for disaster recovery and business continuity purposes.
Oracle IT manages corporate solutions for collaboration and communication within Oracle and with external parties. Oracle policies require that employees utilize these approved corporate tools when handling confidential information. Each of these solutions leverages preventive and detective security controls such as anti-malware and anti-virus technologies.
Oracle has defined standards for securely exchanging information with suppliers and other third parties.