Data Security: Physical and Environmental Controls

Risk-Based Approach

Oracle Global Physical Security uses a risk-based approach to physical and environmental security. The goal is to balance prevention, detection, protection, and response, while maintaining a positive work environment that fosters innovation and collaboration among Oracle employees and partners. Oracle regularly performs risk assessments to confirm that the correct and effective mitigation controls are in place and maintained.

Preventive Controls: Protecting Oracle Assets and Employees

Oracle has implemented the following protocols:

  • Physical access to facilities is limited to Oracle employees, contractors, and authorized visitors.
  • Oracle employees, subcontractors, and authorized visitors are issued identification cards that must be worn while on Oracle premises.
  • Visitors are required to sign a visitor’s register, be escorted and/or observed when they are on Oracle premises, and/or be bound by the terms of a confidentiality agreement with Oracle.
  • Security monitors the possession of keys/access cards and the ability to access facilities. Staff leaving Oracle’s employment must return keys/cards, and keys/cards are deactivated upon termination.
  • Security authorizes all repairs and modifications to the physical security barriers or entry controls at service locations.
  • Oracle uses a mixture of 24/7 onsite security officers or patrol officers, depending on the risk/protection level of the facility. In all cases, officers are responsible for patrols, alarm response, and recording of security incidents.
  • Oracle has implemented centrally managed electronic access control systems with integrated intruder alarm capability. The access logs are kept for a minimum of six months. Furthermore, the retention period for CCTV monitoring and recording ranges from 30-90 days minimum, depending on the facility’s functions and risk level.

Data Center Security

Oracle Cloud data centers are designed to help protect the security and availability of customer data. This approach begins with Oracle’s site selection process. Candidate build sites and provider locations undergo an extensive risk evaluation by Oracle that considers environmental threats, power availability and stability, vendor reputation and history, neighboring facility functions (for example, high-risk manufacturing or high-threat targets), and geopolitical considerations, among other criteria.

Oracle Cloud data centers align with Uptime Institute and Telecommunications Industry Association (TIA) ANSI/TIA-942-A Tier 3 or Tier 4 standards and follow an N2 redundancy methodology for critical equipment operation. Data centers housing Oracle Cloud Infrastructure services use redundant power sources and maintain generator backups in case of widespread electrical outage. Server rooms are closely monitored for air temperature and humidity, and fire-suppression systems are in place. Data center staff are trained in incident response and escalation procedures to address security and availability events that may arise.