Oracle Corporate Security Program Governance

Objectives

Oracle’s Corporate Security programs are designed to protect Oracle and customer information assets, such as:

  • The mission-critical systems that customers rely upon for cloud, technical support and other services
  • Oracle source code and other sensitive data against theft and malicious alteration
  • Personal and other sensitive information that Oracle collects in the course of its business, including customer, partner, supplier and employee data in Oracle’s internal IT systems

Industry Standards and Certifications

Oracle’s security policies cover the management of security for both Oracle’s internal operations and the services Oracle provides to its customers, and apply to all Oracle personnel, such as employees and contractors. These policies are aligned with the ISO/IEC 27001:2022 (formerly known as ISO/IEC 17799:2005) and ISO/IEC 27002:2022 standards and guide all areas of security within Oracle.

Reflecting the recommended practices in security standards issued by the International Organization for Standardization (ISO), the United States National Institute of Standards and Technology (NIST), and other industry sources, Oracle has implemented a wide variety of preventive, detective and corrective security controls with the objective of protecting information assets.

Learn more on the Cloud Compliance dashboard.

Line of Business Security Organizations

Lines of Business (LoB) have security teams, working under the leadership of Oracle’s Chief Security Office, which oversee the products, systems and cloud services managed by that organization. LoBs are required to define technical standards in accordance with Oracle’s information security policies, and to drive compliance with Oracle policies and standards within their organization and cloud service teams. LoBs are also required to comply with Corporate Security program requirements and directions. This paper does not describe the LoBs’ specific security organizations, standards, and programs.

Organizational Security

Oracle’s overarching Organizational Security is described in the Oracle security organization policy and the Oracle information security policy.

The corporate security teams and programs define corporate policies and provide global direction to Lines of Business (LoB) security teams which are responsible for overseeing the products, systems and cloud services managed by their organization.

Oracle Security Oversight Committee

Oracle's Security Oversight Committee (OSOC) meets annually to discuss and review security initiatives and directions. The Committee brings together senior management from Lines of Business with corporate security organizations and provides an opportunity for executives to communicate security strategy across the global Oracle organization.

Corporate Security Organizations

Privacy & Security Legal (P&SL) is responsible for providing legal advice to Oracle’s security organizations on data privacy and security matters, including security event and security incident response, compliance with data protection laws, contractual obligations and reporting requirements, as well as coordinating with other Oracle Legal teams as appropriate.

Oracle Information Technology Organizations

Oracle information technology (IT) and cloud DevOps organizations are responsible for IT security strategy, architectural design of security solutions, engineering, risk management, security infrastructure operations and support, standards and compliance, threat intelligence and remediation, and security technical assessment for new infrastructure.

More Information