Introduction

Oracle’s information-asset classification determines corporate data-security requirements for Oracle-managed systems. Oracle policies provide global guidance for appropriate controls designed to protect corporate, cloud and customer data in accordance with the data classification.

Oracle’s corporate security controls can be grouped into three categories: administrative, physical, and technical security controls.

• Administrative controls, including logical access control and human resource processes
• Physical controls designed to prevent unauthorized physical access to servers and data processing environments
• Technical controls, including secure configurations and encryption for data at rest and in transit.

Encryption

Encryption is the process of rendering data unreadable without the specific key to decrypt the data. Oracle’s Information Protection Policy defines high-level requirements for protecting data via encryption when data is at rest (in storage) on laptops, devices, and removable media.

Oracle has corporate standards that define the approved cryptographic algorithms and protocols. Oracle products and services are required to only use up-to-date versions of approved security-related implementations, as guided by industry practice. Oracle modifies these standards as the industry and technology evolve, to enforce, for example, the timely deprecation of weaker encryption algorithms.

Encrypting Data

Oracle implements a variety of technical security controls designed to protect information assets at rest and in transit. These controls are guided by industry standards and are deployed across the corporate infrastructure:

• Corporate systems such as applications and collaboration tools
• Removable storage media
• Laptops and mobile devices

Encryption Key Management

Solutions for managing encryption keys at Oracle must be approved per Corporate Security Solution Assurance Process (CSSAP). Oracle defines requirements for encryption, including cipher strengths, key management, generation, exchange/transmission, storage, use, and replacement. Specific requirements in this standard include:

• Locations and technologies for storing encryption keys
• Controls to provide confidentiality, availability, and integrity of transmitted encryption keys, such as digital signatures
• Changing default encryption keys
• Replacement schedule for various types of encryption keys

Decommissioning Servers and Other Computing Resources

Oracle’s Media Sanitization and Disposal Policy defines requirements for removal of information from electronic storage media (sanitization) and disposal of information which is no longer required to protect against unauthorized retrieval and reconstruction of confidential data. Electronic storage media include laptops, hard drives, storage devices, and removable media such as tape.