Overview

Reflecting the recommended practices in prevalent security standards issued by the International Organization for Standardization (ISO), the United States National Institute of Standards and Technology (NIST), and other industry sources, Oracle has implemented a wide variety of preventive, detective, and corrective security controls with the objective of protecting information assets.

Network Protection

Oracle’s network protections include solutions designed to provide continuity of service, defending against Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

Events are analyzed using signature detection, which is a pattern matching of environment settings and user activities against a database of known attacks. Oracle updates the signature database frequently.

Monitoring and Event Alerts

Alerts are sent to Oracle’s IT security and cloud security operations teams for review and response to potential threats. Oracle requires that these alerts are monitored within the Lines of Business (LoBs) 24x7x365.

Incident Response

Oracle evaluates and responds to events that create suspicion of unauthorized access to or handling of customer data, whether the data is held on Oracle hardware assets or on the personal hardware assets of Oracle employees and contingent workers. Oracle’s Information Security Incident Reporting and Response Policy defines requirements for reporting and responding to incidents. This policy authorizes Oracle Global Information Security (GIS) organization to provide overall direction for incident prevention, identification, investigation, and resolution within the Lines of Business (LoBs).

GIS defines roles and responsibilities for the incident response teams embedded within the Lines of Business (LoBs). All LoBs must comply with GIS incident response guidance about detecting events and timely corrective actions. Corporate requirements for LoB incident-response programs and operational teams are defined per incident type:

• Validating that an incident has occurred
• Communicating with relevant parties and notifications
• Preserving evidence
• Documenting an incident itself and related response activities
• Containing an incident
• Eradicating an incident
• Escalating an incident

Upon discovery of an incident, Oracle defines an incident-response plan for rapid and effective incident investigation, response, and recovery. Root-cause analysis is performed to identify opportunities for reasonable measures which improve security posture and defense in depth. Formal procedures and systems are utilized within the Lines of Business (LoBs) to collect information and maintain a chain of custody for evidence during incident investigation. Oracle is capable of supporting legally admissible forensic data collection when necessary.

Notifications

In the event that Oracle determines that a security incident has occurred, Oracle promptly notifies any impacted customers or other third parties in accordance with its contractual and regulatory responsibilities. Information about malicious attempts or suspected incidents is Oracle Confidential and is not externally shared. Incident history is also Oracle Confidential and is also not shared externally.

Security Vulnerabilities

Please refer to “How to report security vulnerabilities to Oracle” to find out how to report a security vulnerability to Oracle.