The Australian Prudential Regulation Authority (APRA) is the prudential regulator of financial services in Australia. APRA is responsible for issuing standards that regulate the operations of banks, credit unions, and insurance companies that operate business in Australia. Oracle is not an APRA-regulated entity (ARE). However, Oracle recognizes that some of its customers must adhere to APRA standards, and will work with its customers in a transparent and engaging manner to understand their specific requirements.
Oracle has been committed to delivering on the needs of public and private sector organisations for over four decades. Oracle Cloud reinforces and extends this commitment by enabling regulated organisations as well as government agencies to move critical resources to an in-country cloud service, which has been designed for their needs and to facilitate their compliance objectives.
To help ARE customers with their APRA regulatory requirements, Oracle has consolidated and summarized frequently asked questions into one document. These questions have been identified as being critical in the mitigation of risks associated with information security incidents and customer confidentiality for AREs. For further information, see the APRA Regulated Entity Frequently Asked Questions (PDF).
For further assistance, submit your APRA inquiries here.
The Cloud Computing Compliance Controls Catalog (C5) is produced by the German Ministry for Information Security (BSI), and is a set of minimum controls that cloud providers should have in place with the goal of establishing a baseline for cloud security. C5 is audited under ISAE 3000 rules, and Oracle has been evaluated by a third-party assessor against the C5 security requirements.
Oracle Cloud Infrastructure
The Communications and Information Technology Commission (CITC) in Saudi Arabia published a Cloud Computing Regulatory Framework (CCRF) based on international best practices and analysis that outlines the rights and obligations of cloud service providers and cloud customers in Saudi Arabia. Cloud service providers must register with CITC to demonstrate alignment with this framework. Oracle has built its infrastructure to support this framework and is Level-1 certified with CITC for Oracle Cloud Infrastructure.
The Criminal Justice Information Services (CJIS) Security Policy establishes guidelines for specific security precautions to protect criminal justice information (CJI), such as fingerprints and criminal backgrounds.
Oracle has obtained a third-party assessment of available security controls for certain cloud services against the technical requirements of Criminal Justice Information Services (CJIS) within our Oracle Government Cloud environments.
Oracle Cloud Infrastructure
Oracle Cloud Infrastructure Classic
Oracle PaaS
Oracle SaaS
The Cloud Security Alliance (CSA) is a not-for-profit organization that promotes best practices for providing security assurance in cloud computing. The organization also provides education on the uses of cloud computing to help secure other forms of computing. The controls are based on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum, and NERC CIP. Oracle has completed a CSA Star Level 1 self-assessment for Oracle Cloud Infrastructure.
Oracle Cloud Infrastructure
Cyber Essentials is a UK government-backed model that identifies the technical security controls an organization needs within their IT systems to defend against common cyber threats. It can help demonstrate that an organization can identify and mitigate potential cyber risks, has adopted security controls to protect customer data, and is compliant with UK government requirements to bid for UK government contracts. Cyber Essentials PLUS covers the same requirements as Cyber Essentials, but the tests of the systems are carried out by an authorized, external certifying body.
Oracle has obtained Cyber Essentials Plus certification for our London-based Commercial Cloud and UK Government Cloud offerings.
Oracle Cloud Infrastructure
Oracle has achieved Cyber Essentials Plus Certification for Oracle Cloud Infrastructure residing in the UK Commercial Cloud.
Oracle SaaS
Oracle has achieved Cyber Essentials Plus Certification for the following services for the UK Gov Cloud only:
The Privacy Act 1988 (Privacy Act) was passed to promote and protect privacy and to regulate how Australian Government agencies and certain organizations handle personal information. The Privacy Act includes 13 Australian Privacy Principles (APPs) that apply to some private sector organizations and most Australian government agencies. The Privacy Act also regulates privacy in consumer credit reporting, tax file numbers, and health and medical research. Oracle has designed and implemented security controls around its infrastructure technology stack to support the Privacy Act for Oracle Cloud Infrastructure.
The Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (CC SRG) outlines how the DoD will assess the security posture of non-DoD cloud service providers (CSPs) and how non-DoD CSPs can show they meet the security controls and requirements. These baseline cloud security requirements are required before handling any DoD data.
All cloud computing is required to take place in the U.S. and is based on impact levels:
For select services Oracle has received Department of Defense (DoD) Provisional Authorizations at Impact Levels 5, 4, and 2.
Oracle Cloud Infrastructure (IL2, 5)
Oracle SaaS
Oracle has achieved a DISA SRG Level 4 Accreditation for the following services within the Oracle DoD Cloud:
Oracle has achieved a DISA SRG Level 2 Authorization for the following services within the Gov Cloud:
The European Network and Information Security Agency (ENISA) is a European agency that contributes to European cybersecurity policy and supports member states and other stakeholders of the Union when large-scale cyber incidents occur.
ENISA has created a set of assurance criteria called the Information Assurance Framework (IAF) that is designed to help consumers of cloud services to:
This framework is based on the broad classes of controls from the ISO27001/2 standard, alongside other industry frameworks such as the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM).
Oracle SaaS has obtained CSA Star Level 2 certification for Fusion on OCI and a certified ISMS against the ISO27001:2013, 27017:2015 & 27018:2014 standards. These certifications can help consumers of cloud services review Oracle security controls, the alignment of these Oracle cloud services to ENISA IAF, and how these controls compare to their requirements and to other cloud providers when conducting their assurance activities and/or risk assessments in migrating to the cloud.
Law 11/2007 in Spain establishes a legal framework to give citizens electronic access to government and public services. Aligned with ISO/IEC 27001, the framework defines a set of security controls for availability, authenticity, integrity, confidentiality, and traceability. The certification establishes security standards that apply to all government agencies and public organizations in Spain, as well as related service providers. Oracle has been evaluated by a third-party assessor against ENS High security controls.
Oracle Cloud Infrastructure
EU Model Clauses are contractual clauses established by the European Commission and used in agreements between cloud service providers and their customers that govern data transfers from data controllers in the EU to data controllers established outside the EU or European Economic Area (EEA). Oracle has designed and implemented security controls around its infrastructure technology stack to support EU Model Clauses for Oracle Cloud Infrastructure.
The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services. US Federal agencies are directed by the Office of Management and Budget (OMB) to leverage FedRAMP to ensure security is in place when accessing cloud products and services.
FedRAMP uses the NIST Special Publication 800-53, which provides a catalog of security controls for all US Federal information systems. FedRAMP requires cloud service providers (CSP) to receive an independent security review performed by a third-party assessment organization (3PAO) to ensure authorizations are compliant with the Federal Information Security Management Act (FISMA).
The following Oracle Cloud Services have received US Federal Risk and Authorization Management Program (FedRAMP) P-ATOs and ATOs up to the High baseline level defined by FedRAMP.
Oracle Cloud Infrastructure (FedRAMP High)
Oracle has achieved FedRAMP High Authorization for its U.S. Government Cloud regions. Oracle Cloud Infrastructure can provide government customers with the stringent standards of security necessary to protect the federal government's data. Services include:
Oracle SaaS
Oracle has achieved FedRAMP Low (baseline) Authorization to Operate for the following Oracle US Government Cloud offering:
Oracle has achieved FedRAMP Moderate (baseline) Authorizations to Operate for the following services within Oracle US Government Cloud:
Oracle has achieved FedRAMP High (baseline) Authorization to Operate for the following Oracle US Gov Cloud offering:
Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of US Federal Info Processing Standard (FIPS 140-2) within our Oracle Government Cloud environments.
The Federal Information Processing Standard Publication 140-2 (FIPS 140-2) is a US government security standard that specifies the security requirements related to the design and implementation of cryptographic modules protecting sensitive data. Cryptographic module protection within a security system is needed to maintain the confidentiality and integrity of the data protected by the module.
Oracle Cloud Infrastructure Classic
Oracle PaaS
Oracle SaaS
The Center for Financial Industry Information Systems (FISC), created by the Japanese Ministry of Finance, consists of financial institutions, insurance companies and securities firms, as well as computer manufacturers and telecommunication companies. The organization established the FISC Security Guidelines in 1985. These guidelines provide basic standards in architecture and operation on information systems for banking and other related financial institutions. Oracle has been evaluated by a third-party assessor against the Financial Industry Information Systems (FISC) v9 security guidelines.
Oracle Cloud Infrastructure
Oracle Cloud Infrastructure Classic
Oracle PaaS
The UK Government G-Cloud is a procurement initiative to streamline cloud-computing procurement by public-sector bodies in departments of the United Kingdom Government. The G-Cloud Framework enables public entities to purchase cloud services on government-approved contracts through an online Digital Marketplace. Oracle has registered as part of G-Cloud 11 in order to streamline the ability of Her Majesty's Government to procure and deploy on Oracle's cloud, with pre-negotiated terms and pricing. Oracle has achieved enablement in this marketplace for Oracle Cloud Infrastructure.
Oracle Cloud Infrastructure
Oracle PaaS
Oracle offers a wide range of security solutions to help customers meet requirements of the GDPR, including services for administrative access controls, network security controls, logging, and encryption.
Oracle Cloud Infrastructure Security (PDF)
Oracle Cloud Infrastructure and European Union General Data Protection Regulation (GDPR) (PDF)
Oracle Cloud Infrastructure Security Capabilities and Services
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is US legislation that provides data privacy and security provisions for safeguarding Protected Health Information (PHI). HIPAA applies to covered entities and business associates.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of protected health information (PHI). The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI. By law, the Privacy Rule applies only to covered entities (e.g., health plans, health care clearinghouses and certain health care providers). However, parts may be applicable to business associates.
Oracle has successfully completed third-party HIPAA assessments for the following services within commercial data centers located in the United States:
Oracle Cloud Infrastructure
Oracle Cloud Infrastructure Classic
Oracle has successfully completed third-party HIPAA assessments for the following services within both commercial and US Government data centers located in Chicago (Illinois) and Ashburn (Virginia):
Oracle PaaS
Oracle has successfully completed third-party HIPAA assessments for the following services within both commercial and US Government data centers located in Chicago (Illinois) and Ashburn (Virginia):
Oracle SaaS
Oracle has successfully completed third-party HIPAA assessments for the following services:
The Information Security Registered Assessor Program (IRAP) is a security compliance framework comprised of security assessment processes and a security assessor program. It was developed by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) within the Australian government. IRAP supports Australian commonwealth government entities in maintaining their security assurance and risk management as well as assessing cloud service providers and their cloud services’ security controls against the Australian government security policies and guidelines.
Oracle SaaS
The following Oracle Cloud Applications have been assessed by an independent third-party assessor and qualified for IRAP’s PROTECTED level:
The following Oracle Cloud Applications were assessed by an independent third-party assessor and qualified for IRAP’s Official: Sensitive level:
The Internal Revenue Service Publication 1075 (IRS 1075) is a US government guideline to ensure effective security controls are in place to protect Federal Tax Information (FTI). The IRS 1075 assessment report provides information on the available technical safeguards intended to adequately protect the confidentiality and integrity of FTI.
Oracle has obtained a third-party assessment of available security controls for certain cloud services against the technical requirements of US Internal Revenue Service Publication 1075 within our Oracle Government Cloud environments.
Oracle Cloud Infrastructure Classic
Oracle PaaS
Oracle SaaS
ISO/IEC 27001:2013 is an international standard that covers the planning, implementation, monitoring, and improvement of an Information Security Management System. This widely adopted global security standard sets out requirements and best practices for a systematic approach to managing company and customer information based on periodic security risk assessments.
Oracle has achieved International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS). Additionally, ISO 27017 has been included within scope of our ISO/IEC 27001:2013 certification.
Oracle Cloud Infrastructure
Services include:
Oracle Infrastructure Classic
Oracle PaaS
Oracle has achieved ISO/IEC 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS) consumed by all SaaS, PaaS, and Oracle Cloud Infrastructure Classic services, in all data centers where these services reside. Additionally, ISO 27017 has been included within scope of our ISO/IEC 27001:2013 certification.
Services include:
Oracle SaaS
Oracle has achieved International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS). Additionally, the ISO/IEC 27017:2015 and ISO/IEC 27018:2014 codes of practice have been included within scope of our ISO/IEC 27001:2013 certification.
Conducted by EY/CertifyPoint BV, Amsterdam, Netherlands, Oracle Cloud Infrastructure’s ISO/IEC 27017:2015 audit examines cloud service specific controls, implementation guidance and other information that are intended to mitigate the risks that accompany the technical and operational features of cloud services. This certification demonstrates Oracle’s ongoing commitment to align with globally recognized good practice for information security controls for cloud services.
Oracle Cloud Infrastructure:
Oracle Cloud Infrastructure Classic:
Oracle PaaS:
Conducted by EY/CertifyPoint, Oracle Cloud Infrastructure’s ISO/IEC 27018:2014 audit examines a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor. ISO/IEC 27018:2014 is based on the information security objectives and controls in ISO/IEC 27002. This certification demonstrates to Oracle customers that Oracle Cloud Infrastructure has implemented appropriate measures to protect Personally Identifiable Information (PII) for a public cloud computing environment.
Oracle Cloud Infrastructure:
Oracle Cloud Infrastructure Classic:
Oracle PaaS:
The International Traffic in Arms Regulations, or ITAR, is a set of government rules that control the export and import of defense-related articles, services and technology. ITAR compliance is required for customers that are subject to export regulations and that must ensure technical data is not inadvertently distributed to foreign persons or foreign nations. Oracle has been assessed by an independent auditor against ITAR for Oracle Cloud Infrastructure.
The Japan Act on Protection of Personal Information applies to businesses that handle the personal data of people in Japan. This applies to companies that offer goods and services in Japan and are located within the country as well as those with offices outside it. This Act is focused on the data controller and definitions of personal data. Oracle has designed and implemented security controls around its infrastructure technology stack to support the Japan Act on Protection of Personal Information for Oracle Cloud Infrastructure.
Oracle publishes this report to provide information regarding informational requests submitted to us by law enforcement agencies and governments globally.
The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) in Japan works to establish common standards for cybersecurity for government agencies. The NISC governing body is responsible for monitoring government-related organizations that handle large volumes of personal information in and out of the cloud sector. NISC has designed a wide range of security guidelines for government entities to follow, which promote efficient and effective cyber security measures and legal compliance. Oracle has been evaluated by a third-party assessor against NISC guidelines for the following services:
Oracle Cloud Infrastructure
Oracle Cloud Infrastructure Classic:
Oracle PaaS
The Saudi Arabian National Cybersecurity Authority (NCA) was established by Royal Decree to guide national organizations “to effectively identify and address risks related to cyber security” for a defined set of sectors serving critical infrastructure for Saudi Arabia. Oracle’s implementation of cloud infrastructure is consistent with these security models and makes available a set of security controls for customer use in their own implementations. This allows Oracle to provide services in the region, including specific infrastructure security controls that customers can use to implement and operate their own platforms and applications, sharing responsibility to meet the requirements of the authority’s cybersecurity controls. Oracle has designed and implemented security controls around its infrastructure technology stack to support these controls for:
Oracle Cloud Infrastructure
The Minimum Acceptable Risk Standards for Exchanges (MARS-E) is a suite of documents assembled by the Centers for Medicare & Medicaid Services (CMS). The CMS has oversight responsibility of Exchange information technology (IT) systems. The suite of documents defines a risk-based Security and Privacy Framework for Exchange information technology (IT) system design and implementation. The document suite includes guidance, requirements, and templates that address the mandates of the Patient Protection and Affordable Care Act of 2010 (ACA).
Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of US Minimum Acceptable Risk Standards for Exchanges (MARS-E) within our Oracle Government Cloud environments.
Oracle Cloud Infrastructure Classic
Oracle PaaS
Oracle SaaS
In Japan, My Number is a 12-digit ID number issued to all citizens and residents of Japan (even foreign residents). Similar to the US SSN, the number is used for taxation, social security, and disaster-response purposes. The numbers were first issued in late 2015, and the bill includes a provision about protection of specific personal information. The My Number Act is designed to improve efficiency and transparency of government systems in Japan and to protect personal information of each number holder. Oracle has designed and implemented security controls around its infrastructure technology stack; customers can architect, build, and maintain security for their own applications and workloads.
The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” provides security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). Federal agencies use the requirements in contractual vehicles or other agreements established between those agencies and nonfederal organizations. The requirements apply to all nonfederal information systems and organizations that process, store, or transmit CUI.
Oracle has obtained a third-party assessment of available security controls for certain cloud services against the technical requirements of NIST 800-171 and DFARS 252.7012 within our Oracle Government Cloud environments.
Oracle Cloud Infrastructure Classic
Oracle PaaS
Oracle SaaS
The Payment Card Industry Data Security Standard (PCI DSS) is a global set of security standards designed to encourage and enhance cardholder data security and promote the adoption of consistent data security measures around the technical and operational components related to cardholder data.
Oracle has successfully completed a Payment Card Industry Data Security Standard (PCI DSS) audit and received an Attestation of Compliance (AoC) covering several Oracle Cloud Infrastructure services and the Oracle RightNow Service Cloud Service. Because Oracle is a PCI Level 1 Service Provider, customers can now use these services for workloads that store, process or transmit cardholder data.
Oracle Cloud Infrastructure
Oracle PaaS
Oracle SaaS
The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) is a data privacy law in Canada that applies to many organizations based in Canada that collect and process the personal information of individuals.
Oracle Cloud Infrastructure Privacy and Security Features and PIPEDA (PDF)
Oracle provides a broad range of hosted, remote and on-site computer-based services to our customers, including cloud services, consulting services and advanced customer support services, technical support services and training services. Privacy Shield frameworks provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. In order to join a Privacy Shield Framework, US corporations must self-certify to the Department of Commerce and commit to the Framework’s requirements. Oracle has designed and implemented security controls around its infrastructure technology stack to support Privacy Shield obligations for Oracle Cloud Infrastructure.
Federal government contracts in Canada contain clauses with security requirements that specify levels of security for sensitive information, assets and work sites. The Canadian government has established levels for protection of information and assets, and Level B applies to information or assets whose loss or damage could cause serious injury to an individual, organization or government. Oracle has designed and implemented security controls around its infrastructure technology stack to support Protected B.
Oracle Cloud Infrastructure
The Saudi Arabian Monetary Authority (SAMA) of the Kingdom of Saudi Arabia has established a Cyber Security Framework to enable financial institutions regulated by SAMA to effectively identify and address risks related to cyber security. SAMA states that “To maintain the protection of information assets and online services, the Member Organizations must adopt the Framework.” The SAMA Cyber Security Framework provides a baseline for security of information interchange between Member Organizations, and between Member Organizations and SAMA. The Framework consists of 32 control topics grouped into four areas. These controls generally map to either or both the ISO/IEC 27001 controls and the PCI-DSS controls, consistent with SAMA’s stated intent to facilitate financial operations, modernization, and information exchange. Oracle Cloud Infrastructure implementation of cloud infrastructure is consistent with these security models and makes available a set of security controls for customer use in their own implementations. Oracle has designed and implemented security controls around its infrastructure technology stack to support controls for:
Oracle Cloud Infrastructure
SOC 1 is a report on a service organization's controls relevant to internal control over financial reporting. A “type 1” report focuses on the suitability of the system's design of its controls to achieve the control objectives. A “type 2” report includes the “type 1” report opinions; additionally, it includes an opinion on the operating effectiveness of the controls to achieve the control objectives as well as a description of the service auditor’s tests of the controls and results.
Oracle Cloud Services have been assessed using the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18 (System and Organization Controls (SOC) 1) and the International Auditing and Assurance Standards Board (IAASB) International Standard of Assurance Engagements (ISAE) 3402 standards for the suitability of the design and operating effectiveness of the specified controls.
Oracle Cloud Infrastructure—SOC 1 Type 2
Oracle Cloud Infrastructure Classic—SOC 1 Type 2
Oracle PaaS—SOC 1 Type 2
Oracle SaaS—SOC 1 Type 2
SOC 2 is a report on a service organization's controls relevant to security, availability, processing integrity, confidentiality, or privacy using up to five trust principles. A given SOC 2 report may be based on one or more trust principles. Similar to a SOC 1 report, a SOC 2 report is also available as type 1 or type 2.
Oracle Cloud Services have been assessed using the criteria set forth in paragraph 1.26 of the American Institute of Certified Public Accountants (AICPA) Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) for the suitability of the design and operating effectiveness for the security, availability, and confidentiality principles.
Oracle Cloud Infrastructure—SOC 2 Type 2
Oracle Cloud Infrastructure Classic—SOC 2 Type 2
Oracle PaaS—SOC 2 Type 2
Oracle SaaS—SOC 2 Type 2
SOC 3 is a report, like the SOC 2, on a service organization's controls relevant to security, availability, processing integrity, confidentiality, or privacy. However, a SOC 3 can be distributed for general use and only states whether or not the entity has achieved the Trust Service criteria, without any description of tests, results or opinions.
Oracle Cloud Services have been assessed using the criteria set forth in paragraph 1.26 of the American Institute of Certified Public Accountants (AICPA) Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) for the suitability of the design and operating effectiveness for the security, availability, and confidentiality principles. The SOC 3 general use report for whether or not the Trust Service criteria were achieved is available for the following services.
Oracle Cloud Infrastructure
The Personal Information Protection Act of South Korea is a framework act on data protection for the public and private sectors. The Act regulates government agencies and private businesses in collection, use, processing, and destruction of personal information. The act makes no distinction between controllers and processors; both are considered “Personal information processors.” The Data protection framework is to be revised every three years. Oracle has built its infrastructure to support the Personal Information Protection Act for Oracle Cloud Infrastructure.
Three government ministries in Japan have developed guidelines to promote cloud security and the safeguarding of data for the medical institutions in Japan. These ministries include:
Oracle has been evaluated by a third-party assessor against the security requirements of Three Ministries. The report from Oracle Cloud Infrastructure’s independent assessor is designed to assist the customer in its own compliance efforts with respect to requirements outlined in the guidelines.
Oracle Cloud Infrastructure
Oracle Cloud Infrastructure Classic
Oracle PaaS
The Trusted Information Security Assessment Exchange (TISAX) is a German standard security assessment used by the automotive industry. TISAX is based on the Verband der Automobilindustrie (VDA) Information Security Assessment (ISA), which is an information security requirements catalogue based on key aspects of the international standard ISO/IEC 27001. It is used by companies both for internal purposes and by suppliers and service providers who process sensitive information from their respective companies. Oracle has been evaluated by a third-party assessor against TISAX security requirements for Oracle Cloud Infrastructure.
The Data Security and Protection Toolkit is a self-assessment tool that measures performance against the United Kingdom's National Health Service 10 data security standards. Any organizations that have access to NHS patient data and systems must use this toolkit to provide assurance that they practice good data security and that personal information is handled correctly. Oracle has submitted its responses and has been rated as "Standards Exceeded".
The scope of the Oracle assessment includes the following Oracle SaaS services for UK Government Cloud only:
Oracle Cloud Infrastructure
The UK National Cyber Security Centre (NCSC) was created to improve the security of and protect the UK internet and critical services from cyberattacks. The NCSC's 14 HMG Cloud Security Principles outline the requirements that cloud services should meet including considerations for data in-transit protection, supply chain security, identity and authentication, and secure use of the service.
Oracle provides Assertion Statements which outline how UK Government Cloud offerings align with the UK National Cyber Security Centre (NCSC) Cloud Security Principles.
Oracle Cloud Infrastructure
National Cyber Security Centre (NCSC) guidance summarizes 14 essential security principles (the NCSC Cloud Security Principles) to consider when evaluating cloud services and provides context on why these may be important to an organization. Customers should decide which of the NCSC Cloud Security Principles are important and how much (if any) assurance they require in the implementation of these principles. Providers of cloud services should consider NCSC Cloud Security Principles when presenting their offerings to consumers. This will allow them to make informed choices about which services are appropriate for their needs. This technical paper is intended to provide the reader and customers with an understanding of:
Services include:
Oracle SaaS
Oracle has achieved HMG Cloud Security Principles Assertion for the following services for the UK Government Cloud only:
Read the technical paper: National Cyber Security Centre (NCSC) Cloud Security Principles (PDF)