Overview

Reflecting the recommended practices in prevalent security standards issued by the International Organization for Standardization (ISO), the United States National Institute of Standards and Technology (NIST), and other industry sources, Oracle has implemented a wide variety of preventive, detective, and corrective security controls with the objective of protecting information assets.

Monitoring and Event Alerts

Alerts are sent to Oracle’s IT security and cloud security operations teams for review and response to potential threats. Oracle requires that these alerts are monitored within the Lines of Business (LoBs) 24x7x365.

Incident Response

Oracle will evaluate and respond to any event when Oracle suspects that Oracle-managed customer data has been unproperly handled or accessed. Oracle’s Information Security Incident Reporting and Response Policy defines requirements for reporting and responding to events and incidents. This policy authorizes the Global Information Security (GIS) organization to provide overall direction for incident prevention, identification, investigation, and resolution within Oracle’s Lines of Business (LoBs).

GIS defines roles and responsibilities for the incident response teams embedded within the Lines of Business (LoBs). All LoBs must comply with GIS incident response guidance about detecting events and timely corrective actions. Corporate requirements for LoB incident-response programs and operational teams are defined per incident type:

• Validating that an incident has occurred
• Communicating with relevant parties and notifications
• Preserving evidence
• Documenting an incident itself and related response activities
• Containing an incident
• Addressing the root cause of an incident
• Escalating an incident

Upon discovery of an incident, Oracle defines an incident-response plan for rapid and effective incident investigation, response, and recovery. Root-cause analysis is performed to identify opportunities for reasonable measures which improve security posture and defense in depth. Formal procedures and systems are utilized within the Lines of Business (LoBs) to collect information and maintain a chain of custody for evidence during incident investigation. Oracle is capable of supporting legally admissible forensic data collection when necessary.

Notifications

In the event that Oracle determines that a confirmed security incident involving Personal Information processed by Oracle has taken place, Oracle will promptly notify impacted customers or other third parties in accordance with its contractual and regulatory responsibilities as defined in the Data Processing Agreement for Oracle Services. Information about malicious attempts or suspected incidents is Oracle Confidential and is not externally shared. Incident history is also Oracle Confidential and is not shared externally.

Security Vulnerabilities

Please refer to “How to report security vulnerabilities to Oracle” to find out how to report a security vulnerability to Oracle.