Oracle Supply Chain Security and Assurance

Introduction

Oracle customers worldwide rely on Oracle solutions to help protect their computing environments and data in the cloud and on premises. As a global company, Oracle takes great care in the development, engineering, and distribution of its products.

Oracle has formal policies and procedures designed to ensure the safety of its supply chain. These policies and procedures explain how Oracle selects third-party hardware and software that may be embedded in Oracle products, as well as how Oracle assesses third-party technology used in Oracle’s corporate and cloud environments. Additionally, Oracle has policies and procedures governing the development, testing, maintenance, and distribution of Oracle software and hardware to mitigate the risks associated with the malicious alteration of these products before purchase and installation by customers.

Oracle America Inc. is a certified partner in the Customs-Trade Partnership Against Terrorism (C-TPAT) program. By participating in this program, Oracle helps to secure our nation’s borders and ensure the free flow of international trade. As a C-TPAT partner, we require that appropriate security measures, based upon risk analysis and consistent with C-TPAT security criteria, are maintained in a documented and verifiable format throughout our international supply chains.

Oracle also has formal requirements for its suppliers and partners to confirm they protect the Oracle and third-party data and assets entrusted to them. The Supplier Information and Physical Security Standards detail the security controls that Oracle’s suppliers and partners are required to adopt when:

  • Accessing Oracle and Oracle customers’ facilities, networks and/or information systems
  • Handling Oracle confidential information, and Oracle hardware assets placed in their custody

In addition, Oracle suppliers are required to adhere to the Oracle Supplier Code of Ethics and Business Conduct, which includes policies related to the security of confidential information and intellectual property of Oracle and third parties.

Overview

Oracle’s Supply Chain Risk Management practices focus on quality, availability, continuity of supply, and resiliency in Oracle’s direct hardware supply chain, and authenticity, and security across Oracle’s products and services.

Quality and reliability for Oracle’s hardware systems are addressed through a variety of practices, including:

  • Design, development, manufacturing and materials management processes
  • Inspection and testing processes
  • Requiring that hardware supply chain suppliers have quality control processes and measurement systems
  • Requiring that hardware supply chain suppliers comply with applicable Oracle requirements and specifications

Supply availability and continuity and resiliency in Oracle’s hardware supply chain are addressed through a variety of practices, including:

  • Multi-supplier and/or multi-location sourcing strategies where possible and reasonable
  • Review of supplier financial and business conditions
  • Requiring suppliers to meet minimum purchase periods and provide end-of-life (EOL)/end-of-support-life (EOSL) notice
  • Requesting advance notification of product changes from suppliers so that Oracle can assess and address any potential impact
  • Managing inventory availability due to changes in market conditions and due to natural disasters

Authenticity and the risk of counterfeit products are addressed throughout the product and service life cycle, including:

  • Oracle supplier selection and contracting practices for sourcing components and materials from original manufacturers or their reputable and authorized distributors
  • Inspection and testing processes

Additional security processes focus security and product protections during transport, shipping, and warehousing.