Oracle Data Cloud ( ODC ) Inbound Security Policies

Similar documents
Data Security and Privacy Principles IBM Cloud Services

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

The Common Controls Framework BY ADOBE

Cyber Risks in the Boardroom Conference

SECURITY & PRIVACY DOCUMENTATION

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

QuickBooks Online Security White Paper July 2017

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

Employee Security Awareness Training Program

A company built on security

Information Security Policy

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

Version 1/2018. GDPR Processor Security Controls

Trust Services Principles and Criteria

Corporate Information Security Policy

Introduction. Deployment Models. IBM Watson on the IBM Cloud Security Overview

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

Google Cloud & the General Data Protection Regulation (GDPR)

Baseline Information Security and Privacy Requirements for Suppliers

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Information Technology General Control Review

General Data Protection Regulation

Access to University Data Policy

VMware vcloud Air SOC 1 Control Matrix

Checklist: Credit Union Information Security and Privacy Policies

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Juniper Vendor Security Requirements

Red Flags/Identity Theft Prevention Policy: Purpose

Cyber Security Program

Watson Developer Cloud Security Overview

An Introduction to the ISO Security Standards

WHITE PAPER. Title. Managed Services for SAS Technology

"Charting the Course... Certified Information Systems Auditor (CISA) Course Summary

PROCEDURE COMPREHENSIVE HEALTH SERVICES, INC

WHITE PAPER- Managed Services Security Practices

RAPID7 INFORMATION SECURITY. An Overview of Rapid7 s Internal Security Practices and Procedures

Data Processing Agreement for Oracle Cloud Services

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

01.0 Policy Responsibilities and Oversight

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Security Architecture

Lakeshore Technical College Official Policy

Data Processing Amendment to Google Apps Enterprise Agreement

HIPAA Security and Privacy Policies & Procedures

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Layer Security White Paper

NYDFS Cybersecurity Regulations

Eco Web Hosting Security and Data Processing Agreement

Putting It All Together:

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

External Supplier Control Obligations. Cyber Security

WORKSHARE SECURITY OVERVIEW

CYBER SECURITY POLICY REVISION: 12

2016 SC REGIONAL HOUSING AUTHORITY NO. 3 S EIV SECURITY POLICY

HP Standard for Information Protection and Security for Suppliers/Partners

Mark Your Calendars: NY Cybersecurity Regulations to Go into Effect

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Table of Contents. PCI Information Security Policy

WELCOME ISO/IEC 27001:2017 Information Briefing

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

the SWIFT Customer Security

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

COMPLIANCE BRIEF: HOW VARONIS HELPS WITH PCI DSS 3.1

Education Network Security

ADIENT VENDOR SECURITY STANDARD

Certified Information Security Manager (CISM) Course Overview

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

This document provides a general overview of information security at Aegon UK for existing and prospective clients.

Twilio cloud communications SECURITY

MEETING ISO STANDARDS

Moat Analytics MSA Data Processing Addendum

FRAMEWORK MAPPING HITRUST CSF V9 TO ISO 27001/27002:2013. Visit us online at Flank.org to learn more.

Security & Privacy Guide

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

SYSTEMKARAN ADVISER & INFORMATION CENTER. Information technology- security techniques information security management systems-requirement

Standard CIP Cyber Security Critical Cyber Asset Identification

Data Protection and GDPR

Rev.1 Solution Brief

SDR Guide to Complete the SDR

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Standard CIP Cyber Security Critical Cyber Asset Identification

Virginia Commonwealth University School of Medicine Information Security Standard

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Privacy Breach Policy

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

FDIC InTREx What Documentation Are You Expected to Have?

Protecting your data. EY s approach to data privacy and information security

TRACKVIA SECURITY OVERVIEW

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

EU GDPR & NEW YORK CYBERSECURITY REQUIREMENTS 3 KEYS TO SUCCESS

Continuous protection to reduce risk and maintain production availability

Security Incident Management in Microsoft Dynamics 365

Sage Data Security Services Directory

Transcription:

Oracle Data Cloud ( ODC ) Inbound Security Policies Contents Contents... 1 Overview... 2 Oracle Data Cloud Security Policy... 2 Oracle Information Security Practices - General... 2 Security Standards... 2 Security Organization... 3 Vulnerability Assessment... 3 Penetration Test... 3 Incident Management... 4 Account and Access Management... 4 User Accounts... 4 Security Awareness... 5 Password Requirements... 5 Account Deactivation... 5 Data Access and Encryption... 6 Data Access Controls... 6 Remote Access via VPN... 6 Encrypted Communication Channels... 6 Encryption at Rest... 6 Inbound Data Controls... 6 Data File Encryption... 6 File Format Specifications... 6 Prohibited Data Types... 6 Data Retention and Deletion... 7 Oracle Data Cloud Inbound Security Policies v051418 pg. 1

Overview The Oracle Data Cloud Inbound Security Policy ( ISP ) describes the security measures Oracle uses to protect ODC Supplier Data. ODC Supplier Data is data provided to ODC by ODC partners and data suppliers which ODC uses to power Oracle technologies, products, and services. In your agreement with Oracle, ODC Supplier Data may be referred to as Company Data or Your Data or some other term describing the data you make available to ODC. The ISP only applies when incorporated by reference in your supplier or partner agreement with Oracle. The ISP may reference other Oracle documents. Capitalized terms that are not defined in the ISP have the meaning given to them in such other Oracle documents or in any agreement between you and Oracle that references the ISP. Oracle may update the ISP to reflect changes in, among other things, laws, regulations, rules, technology, industry practices, and patterns of system use, but updates to the ISP will not materially reduce the level of security that Oracle uses to protect ODC Supplier Data. Oracle Data Cloud Security Policy Oracle Information Security Practices - General Oracle has security controls and practices designed to protect the confidentiality, integrity, and availability of ODC Supplier Data. Oracle continually works to strengthen and improve those security controls and practices. Oracle s practices are generally aligned with the ISO/IEC 27002 Code of Practice, from which Oracle selects a comprehensive set of controls for implementation. Oracle personnel (including employees, contractors, and temporary employees) must comply with the Oracle information security practices and other Oracle policies that govern their employment or the services they provide to Oracle. Oracle takes a holistic approach to information security, implementing a multilayered defense security strategy where network, operating system, database, and software security practices and procedures complement one another with strong internal controls, governance, and oversight. Security Standards Oracle's corporate security policies are aligned with the ISO 27001 controls. These include the following: organizational security; organizational security infrastructure; asset classification and control; personnel security; physical and environmental security; communications and operations management; access control; systems development and maintenance; business continuity management; and compliance. Oracle Data Cloud Inbound Security Policies v051418 pg. 2

Security Organization The Oracle Security Oversight Committee ( OSOC ) is responsible for approving the implementation of security programs, including security and privacy policies. Oracle Corporate Security, comprised of several teams including Global Information Security, Global Product Security, Global Physical Security, Corporate Security Architecture, and Global Trade Compliance, is responsible for security oversight, compliance and enforcement of regulatory and legal security requirements. Oracle's Chief Privacy Officer provides oversight and management of privacyrelated regulatory issues. Oracle's Business Audit and Assessment organization is responsible to Oracle's Board of Directors to audit compliance of all these functions and to report audit results. Oracle's Global Information Security ( GIS ) is the organization that is responsible for corporate-wide security oversight, compliance, and enforcement. This includes leading the development and management of information security policy and strategy, information security assessments, and training and awareness. ODC has its own internal security organization responsible for line-of-business security management, including service-specific and data-supplier-specific security initiatives. Vulnerability Assessment Security vulnerability tests are performed regularly (but no less than once annually) on Oracle systems. There are multiple ongoing security checks, threat and risk assessments, vulnerability scanning, and penetration testing used to validate system controls. Audit and compliance checks are also frequently conducted to identify changes to the known-good posture and to take corrective or improvement actions as needed. Oracle subscribes to vulnerability notification systems to stay apprised of security incidents, advisories, and other related information. Oracle takes actions on the notification of a threat or risk once it has the opportunity to confirm that both a valid risk exists and that the recommended changes are applicable to the particular system or environment. Oracle GIS conducts periodic security reviews, assessments, and audits to confirm compliance with Oracle information security policies, procedures, and practices. Penetration Test Penetration tests are periodically performed on Oracle systems including upon release of a new Internet-facing application or service when major changes are made to an Internet facing application or service, or as required to comply with regulatory requirements. Oracle Data Cloud Inbound Security Policies v051418 pg. 3

Incident Management Oracle evaluates and responds to incidents of suspicious activity or unauthorized access to or handling of ODC Supplier Data. When Oracle GIS learns of such incidents, GIS evaluates the incident and defines escalation paths and response teams. GIS will work with you and law enforcement (if necessary) to address or respond to incidents. The goal of Oracle incident response is to maintain the confidentiality, integrity, and availability of ODC Supplier Data and to establish root causes of incidents and implement remediation. Oracle maintains documented procedures for addressing incidents including prompt and reasonable reporting, escalation procedures, and chain of custody controls and practices. If Oracle determines that any ODC Supplier Data has been misappropriated, Oracle will notify the supplier of such misappropriation within twenty-four (24) hours, unless prohibited by law. Oracle internal policies describe the requirements for Oracle personnel to report and respond to incidents. Oracle s response plan procedures include detailed directions and procedures for designated personnel performing relevant functions during an incident. This plan is reviewed and tested at least annually. Oracle logs certain audit and security related activities on operating systems, applications, databases, and network devices. Systems are configured to log access to the environment or Oracle applications, as well as system alerts, console messages, and system errors. Oracle implements controls to protect against operational problems, including exhaustion of the log file media, failure to record events, or logs being overwritten. Security logs are currently kept for 1 year. Oracle reviews logs for forensic purposes and incidents, and identified anomalous activities feed into the security incident management process. Account and Access Management User Accounts Oracle maintains policies that describe the principles for development, executive approval, implementation and maintenance of information security policies and practices at Oracle. In these policies, Oracle describes governing principles for user accounts including need to know least privilege access controls and segregation of duties. All employees, contractors, and temporary employees are subject to these policies. Oracle s Logical Access Controls Policy describes access control requirements for Oracle resources, including needto-know, least privilege and authorization rules. Users are assigned predefined roles based on segregation of duty and limit access, as appropriate. System administrators that require root or administration privileges are also assigned separate accounts with privileged Oracle Data Cloud Inbound Security Policies v051418 pg. 4

access necessary to perform administrative responsibilities. Analysts, developers and others who may have access to systems that store or process ODC Supplier Data must explicitly request access to such systems or data, and these requests are approved by Oracle security and the requestor s manager. Security Awareness Oracle conducts mandatory security and privacy awareness training for all employees when they are hired and no less than once every two years thereafter. Frequency and scope of additional security training depends on employee roles. Oracle requires employees, prior to accessing any data or Oracle systems, to undergo security awareness training that addresses data privacy, customer data segregation, appropriate use of Oracle systems, data loss prevention, and other security-related topics. Oracle employees and contractors who may have access to ODC Supplier Data are subject to a written confidentiality agreement. Before performing services for Oracle and before accessing any Oracle system or resource, service providers must sign agreements defining the services to be provided and the service providers confidentiality obligations. Password Requirements Access to Oracle systems is restricted to authorized personnel only. Oracle enforces strong password policies on infrastructure components and production systems used to operate the Oracle environment. This includes requiring a minimum password length, password complexity, and regular password changes. Strong passwords or multi-factor authentication are used throughout the infrastructure to reduce the risk of intruders gaining access through exploitation of user accounts. System access controls include system authentication, authorization, access approval, provisioning, and revocation for employees and other Oracle-defined users. Network, operating system, database and application accounts for Oracle employees are reviewed regularly to ensure employee access levels. When employees or personnel leave the company or are no longer under contract, Oracle takes prompt actions to terminate network, system, application, telephony, and physical access for such former employees. Account Deactivation Oracle has a process for employment terminations. Terminations are processed automatically through the Oracle Human Resources Management System. Human Resources processes both voluntary and involuntary terminations. After a termination is processed, automated notifications are issued for terminations (regardless of type) based on the effective date of the termination. The recipient list for the notifications includes Oracle security Oracle Data Cloud Inbound Security Policies v051418 pg. 5

and all necessary parties. Oracle then creates an exit ticket for the off-boarding employee, and access to systems is noted and terminated at this time. Data Access and Encryption Data Access Controls Oracle maintains a Logical Access Controls Policy that specifies access control requirements for Oracle resources, including need-to-know, least privilege and authorization rules. Account provisioning and management standards and procedures are in place to review and approve account requests. There is no direct access to Production systems via the administrator or root accounts. Remote Access via VPN Access to Oracle services environments is over Virtual Private Network ( VPN ), thus establishing a private and encrypted connection for the network session. Additionally, remote administrative activities are conducted over the Oracle VPN. Encrypted Communication Channels Remote access for Oracle personnel from a non-oracle location to the Oracle network requires connection either an IPSec or SSL encrypted VPN. Administrative access to Oracle Production environments requires two-factor authentication over a VPN. Encryption at Rest Personal Data provided to Oracle by its data suppliers is encrypted at rest using the symmetric AES algorithm with a 256-bit key length. ODC Supplier Data delivered via an encrypted container (.GPG,.PGP or encrypted.zip files) retains the original encrypted container, and is decrypted into ephemeral memory for such functions as generating match keys. Inbound Data Controls Data File Encryption Oracle only accepts PGP encrypted data files. Data files must be transmitted via an Oracle-approved encrypted protocol, such as SFTP or HTTPS (TLS 1.2+). Oracle stores data files on an AES-256 encrypted storage resource. File Format Specifications Oracle does not accept data files in a content or format that is not approved by Oracle before such transfer. Prohibited Data Types Currently, Oracle does not accept files which include: Oracle Data Cloud Inbound Security Policies v051418 pg. 6

Social Security Numbers PCI/PAN (such as credit card or debit card information) HIPAA-protected information Drivers License numbers Information on minors (under sixteen (16) years) old Other data that your agreement with Oracle prohibits you to transmit to Oracle Oracle will perform manual and automated quality and content control checks on ingested files, and any file with unapproved content or which deviates from agree upon formatting will be rejected. Data Retention and Deletion Oracle will only store and process ODC Supplier Data for as long as necessary to fulfill a business purpose. Upon your written request, Oracle will delete or render permanently inaccessible data provided by any of ODC s data suppliers within thirty (30) business days or receiving the request. Oracle Data Cloud Inbound Security Policies v051418 pg. 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback