Acceptable Use and Oracle Employees

Oracle has formal requirements for use of the Oracle corporate network, computer systems, telephony systems, messaging technologies, internet access, enterprise data, customer data, and other company resources available to Oracle employees, contractors and visitors.

General Security Principles for Communications

Communications to and from the Oracle corporate network must pass through network-security devices at the network boundary. Access to the Oracle corporate network by third parties is subject to prior approval. Remote connections to the Oracle corporate network must exclusively use approved virtual private network (VPN) solutions. To learn more about Oracle’s network management practices, please see Network Communications Security.

Access Controls

Operations are organized into functional groups, where each function is performed by separate groups of employees. Examples of functional groups include developers, database administrators, system administrators, and network engineers. Learn more about Oracle Access Controls.

Vulnerability Management

Oracle has formal practices designed to identify, analyze, and remediate the technical security vulnerabilities that may affect our enterprise systems and your Oracle Cloud Services environment.

The Oracle IT, security and development teams monitor relevant vendor and industry bulletins, including Oracle’s own security advisories, to identify and assess relevant security patches. Additionally, Oracle requires that vulnerability scanning using automated scanning systems be frequently performed against the internal and externally facing systems it manages. Oracle also requires that penetration testing activities be performed periodically in production environments.

Oracle’s strategic priority for the handling of discovered vulnerabilities in Oracle Cloud is to remediate these issues according to their severity and the potential impact to the Oracle Cloud Services. The Common Vulnerability Scoring System (CVSS) Base Score is one of the criteria used in assessing the relative severity of vulnerabilities. Oracle requires that identified security vulnerabilities be identified and tracked in a defect tracking system.

Oracle aims to complete all cloud service remediation activities, including testing, implementation, and reboot/reprovision (if required) within planned maintenance windows.  However, emergency maintenance will be performed as required to address severe security vulnerabilities, as described in the Oracle Cloud Hosting and Delivery Policies and, as applicable, associated Pillar documentation.

Oracle Software Security Assurance is Oracle’s methodology for building security into the design, build, testing, and maintenance of its products, whether they are used on-premises by customers, or delivered through Oracle Cloud.

Note that customers and security researchers can report suspected security vulnerabilities to Oracle: How to Report Security Vulnerabilities to Oracle or by submitting a Service Request in their designated support system.

Monitoring and Protection of Audit Log Information

Oracle logs certain security-related activities on operating systems, applications, databases, and network devices. Systems are configured to log access to Oracle programs, as well as system alerts, console messages, and system errors. Oracle implements controls designed to protect against operational problems, including log file media becoming exhausted, failing to record events, and/or logs being overwritten.

Oracle reviews logs for security event investigation and forensic purposes. Identified anomalous activities feed into the security event management processes. Access to security logs is provided on the basis of need-to-know and least privilege. Where possible, log files are protected by strong cryptography in addition to other security controls, and access is monitored. Logs generated by internet-accessible systems are relocated to systems that are not internet-accessible.

Asset Management

The Oracle Information Systems Asset Inventory Policy requires an accurate inventory of all information systems and devices holding information assets throughout their lifecycle through a Corporate-approved inventory system. This policy defines required identifying attributes to be recorded for server hardware, software, data held on information systems, and information needed for disaster recovery and business continuity purposes.

Communications Technology

Oracle IT manages corporate solutions for collaboration and communication within Oracle and with external parties. Oracle policies require that employees utilize these approved corporate tools when handling confidential information. Each of these solutions leverages preventive and detective security controls such as anti-malware and anti-virus technologies.

Oracle has defined standards for securely exchanging information with suppliers and other third parties.