Oracle’s formal Information Protection Policy sets forth the requirements for classifying and handling public and confidential information.
Oracle categorizes information into four classes—Public, Internal, Restricted, and Highly Restricted—with each classification requiring corresponding levels of security controls, such as encryption requirements for non-Public data:
Oracle’s mandatory training instructs employees about the company’s Information Protection Policy. This training also tests employee understanding of information asset classifications and handling requirements. Employees must complete this training when joining Oracle and must periodically repeat it thereafter. Reports enable managers to track course completion for their organizations.
Oracle has formal requirements for managing data retention. These operational policies define requirements per data type and category, including examples of records in various Oracle departments.
Developing and maintaining accurate system inventory is a necessary element for effective general information systems management and operational security. Oracle’s Information Systems Asset Inventory Policy requires that Line of Business (LoB) maintain accurate and comprehensive inventories of information systems, hardware and software. This policy applies to all information assets held on any Oracle system, including both enterprise systems and cloud services.
Oracle policy specifies the data (or fields) which must be maintained about these information systems in the approved system inventory. The required technical and business information fall in the following categories: