Overview

Reflecting prevalent security standards issued by the International Organization for Standardization (ISO), the United States National Institute of Standards and Technology (NIST), and other industry sources, Oracle has implemented a wide variety of preventive, detective, and corrective security controls with the objective of protecting information assets.

Monitoring and Event Alerts

Oracle has formal monitoring requirements for security events and incidents. Alerts are sent to the relevant IT security and cloud security operations teams for review. Oracle requires that these alerts be monitored within the Lines of Business 24x7x365.

Incident Response

Oracle will evaluate and respond to any event when Oracle suspects that Oracle-managed data has been accessed by an unauthorized entity. Note that cloud customers are responsible for controlling user access and monitoring their cloud service tenancies via available logs and other tooling.

Oracle’s Information Security Incident Reporting and Response Policy defines requirements for reporting and responding to security events and incidents. This policy authorizes the Global Information Security organization to provide overall direction for security event and incident preparation, detection, investigation, and resolution within Oracle’s Lines of Business.

Global Information Security further defines roles and responsibilities for the incident response teams embedded within the Lines of Business (LoBs). All LoBs must comply with GIS guidance for detecting security events and taking timely corrective actions. Corporate requirements for LoB incident response programs and operational teams are defined per incident type and include the following activities:

• Validating that a security event or incident has occurred
• Communicating with relevant parties and notifications
• Preserving evidence
• Documenting a security event or incident and related response activities
• Containing a security event or incident
• Addressing the root cause of a security event or incident
• Escalating a security event or incident

Upon discovery of an incident, Oracle defines an incident response plan for rapid and effective incident investigation, response, and recovery. GIS recommends post-incident analysis to identify opportunities for reasonable measures which improve security posture and defense in depth. Formal procedures and systems are utilized within the Lines of Business to collect information and maintain a chain of custody for evidence during incident investigation. Oracle can support legally admissible forensic data collection when necessary.

Notifications

In the event that Oracle determines that a confirmed security incident involving information processed by Oracle has taken place, Oracle will promptly notify impacted customers or other third parties in accordance with its contractual and regulatory responsibilities as defined in the Data Processing Agreement for Oracle Services. Information about malicious attempts or suspected incidents and incident history are not shared externally.

Security Vulnerabilities

Please refer to “How to report security vulnerabilities to Oracle” to find out how to report a security vulnerability to Oracle.