Oracle’s corporate security programs are designed to protect the confidentiality, integrity, and availability of both Oracle and customer data. Oracle continually works to strengthen and improve the company’s security controls and practices for its internal operations and services.
Oracle has formal requirements for use of the Oracle corporate network, computer systems, telephony systems, messaging technologies, internet access, and other company resources available to Oracle employees, contractors and visitors.
Communications to and from the Oracle corporate network must pass through network-security devices at the network boundary. Access to the Oracle corporate network by third parties is subject to prior approval. Remote connections to the Oracle corporate network must exclusively use approved virtual private network (VPN) solutions. To learn more about Oracle’s network management practices, please see Network Communications Security.
Oracle enforces well-defined roles, allowing for segregation of duties among operations staff. Operations are organized into functional groups, where each function is performed by separate groups of employees. Examples of functional groups include database administrators, system administrators, and network engineers. Learn more about Oracle Access Controls.
The Oracle Critical Patch Update (CPU) and Security Alert Implementation Policy require the deployment of the Oracle CPU and Security Alert patches as well as associated recommendations within a reasonable time of their release. Additional policies require remediation of vulnerabilities in non-Oracle technology.
The Oracle Server Security Policy requires servers (both physical and virtual) owned and managed by Oracle and servers managed by third parties for Oracle to be physically and logically secured in order to prevent unauthorized access to the servers and associated information assets.
Oracle logs certain security-related activities on operating systems, applications, databases, and network devices. Systems are configured to log access to Oracle programs, as well as system alerts, console messages, and system errors. Oracle implements controls designed to protect against operational problems, including log file media becoming exhausted, failing to record events, and/or logs being overwritten.
Oracle reviews logs for forensic purposes and incidents, and identified anomalous activities feed into the security-incident management process. Access to security logs is provided on the basis of need-to-know and least privilege. Where possible, log files are protected by strong cryptography in addition to other security controls, and access is monitored. Logs generated by internet-accessible systems are relocated to systems that are not internet-accessible.
The Oracle Information Systems Inventory Policy requires an accurate inventory of all information systems and devices holding critical and highly critical information assets throughout their lifecycle through an Oracle Security Oversight Committee (OSOC)-approved inventory system. This policy defines required identifying attributes to be recorded for server hardware, software, data held on information systems, and information needed for disaster recovery and business continuity purposes.
Oracle IT manages corporate solutions for collaboration and communication within Oracle and with external parties. Oracle policies require that employees utilize these approved corporate tools when handling confidential information. Each of these solutions leverages preventive and detective security controls such as anti-malware and anti-virus technologies.
Oracle has defined standards for securely exchanging information with suppliers and other third parties.