Overview

A security incident is a security event that Oracle, per its incident response process, has determined results in the actual or potential loss of confidentiality, integrity, or availability of Oracle managed assets (systems and data).

Oracle will respond to information security events when Oracle suspects unauthorized access to Oracle-managed assets. Cloud customers are responsible for controlling user access and monitoring their cloud service tenancies via available tooling and logging.

Security Incident Policy and Operations

Oracle’s Security Incident Management Policy defines requirements for reporting and responding to information security events and incidents. This policy authorizes the Oracle Global Information Security organization to provide overall direction for security event and incident preparation, detection, investigation, resolution and forensic evidence handling across Oracle’s Lines of Business (LoB). This policy does not apply to availability issues (outages) or to physical security events.

Global Information Security further defines roles and responsibilities for the incident response teams within the LoBs. All LoBs must comply with Global Information Security guidance for managing information security events and implementing timely corrective actions. LoB incident response programs must:

• Investigate and validate that a security event has occurred
• Communicate with relevant parties and provide appropriate notifications
• Preserve evidence and forensic artifacts
• Document security event or incident and related response activities
• Contain security events or incidents
• Address the root cause of security events or incidents
• Escalate security events

Upon discovery of a security event, Oracle incident response plans support rapid and effective event triage, including investigation, response, remediation, recovery, and post-incident analysis. LoB incident response teams, as required by the Security Incident Management Policy, conduct post-event analysis to identify opportunities for reasonable measures which improve security posture and defense in depth. Formal procedures and systems are utilized within the LoBs to collect information and maintain a chain of custody for evidence during event investigation. Oracle can support legally admissible forensic data collection when necessary.

Notifications

If Oracle determines a security incident involving assets managed by Oracle has occurred, Oracle will promptly notify impacted customers or other third parties in accordance with its contractual and regulatory responsibilities as defined in the Data Processing Agreement for Oracle Services. Information about malicious attempts or suspected incidents and incident history are not shared externally.

Security Vulnerabilities

Please refer to “How to report security vulnerabilities to Oracle” to find out how to report a security vulnerability to Oracle.