Oracle Corporate Security Program

Objectives

Oracle’s Corporate Security programs are designed to protect Oracle and customer information assets, such as:

  • The mission-critical systems that customers rely upon for cloud, technical support and other services
  • Oracle source code and other sensitive data against theft and malicious alteration
  • Personal and other sensitive information that Oracle collects in the course of its business, including customer, partner, supplier and employee data in Oracle’s systems

Industry Standards and Certifications

Oracle’s security policies cover the management of security for both Oracle’s internal operations and the services Oracle provides to its customers, and apply to all Oracle personnel, such as employees and contractors. These policies are aligned with the ISO/IEC 27001:2022 (formerly known as ISO/IEC 17799:2005) and ISO/IEC 27002:2022 standards.

Some Oracle products and services are certified per specific industry and government standards such as ISO/IEC 27001:2013, AICPA SSAE Number 18 (SOC), Payment Card Industry Data Security Standards (PCI DSS) and other standards.

Line of Business Security Organizations

Lines of Business (LoB) have security teams which oversee their products, systems and cloud services managed by that organization. LoBs are required to define technical standards in accordance with Oracle’s information security policies, as well as drive compliance to Oracle policies and standards within their organization and cloud service teams. LoBs are also required to comply with Corporate Security program requirements and directions.

Global Corporate Security Oversight Organizations

The Chief Corporate Architect, who reports directly to the Executive Chairman and Chief Technology Officer (CTO), is one of the directors of the Oracle Security Oversight Committee (OSOC). The Chief Corporate Architect manages the Corporate Security departments which guide security at Oracle. These departments drive the corporate security programs, define corporate security policies, and provide global oversight for Oracle’s security policies and requirements:

Global Information Security

Global Physical Security

Global Product Security

Corporate Security Architecture

Global Trade Compliance