Oracle policy requires the use of antivirus intrusion protection and firewall software on laptops and mobile devices. Additionally, all computers running a Windows operating system that hold Oracle data must have automated Microsoft security updates enabled. Security updates for all other devices and operating systems must be installed upon notification of their availability. Desktops and laptops that process Oracle or customer information must be encrypted using approved software. Reports enable lines of business management to verify deployment of laptop encryption for their organization.
Antivirus software must be scheduled to perform daily threat-definition updates and virus scans.
Oracle’s Global Desktop Strategy (GDS) organization keeps anti-virus products and Windows Server Update Services (WSUS) up to date with virus definitions and security updates. GDS is responsible for notifying internal Oracle system users of both any credible virus threats and when security updates are available. GDS provides automation to verify anti-virus configuration.
Oracle employees are required to comply with email instructions from the GDS organization, and are responsible for promptly reporting to the Oracle employee helpdesk any virus or suspected virus infection that cannot be resolved by antivirus software.
Employees are prohibited from altering, disabling, or removing antivirus software and the security update service from any computer. Any Oracle employee who is discovered violating this standard may be subject to disciplinary action up to and including termination of employment.
To protect sensitive Oracle information, Oracle personnel are required to install Oracle-approved, full-disk encryption software on their laptops, except where approved for for justifiable business purposes. Data on the disk can only be accessed through the use of a private key stored as a password-protected file on the disk. A preboot login manager allows authorized users to login to unlock the key, boot the operating system, and access the data.
Oracle has a mobile-device management program and associated solutions for protecting data on employee-owned mobile devices. These solutions support all common mobile-device operating systems and platforms. Oracle IT and corporate security organizations regularly promote awareness of mobile device security and good practice.