Oracle Cloud Security Practices for Software as

a Service (SaaS) Cloud Services

JANUARY 2018
ORACLE CONFIDENTIAL

Terms of Use

The information in this document is confidential information under the terms of your contract with Oracle by which you
have acquired the product or services related to this document. In the absence of such a contract with Oracle, your
use and disclosure of the information in this document is protected by intellectual property laws. Notwithstanding
anything to the contrary, you are restricted from disclosing any information contained within this document to any third
party; however, you may disclose such information to your employees and external auditors only as necessary,
provided that such employees and auditors protect the confidentiality of the information.

By using this document, you are agreeing to the Terms of Use located at:

http://www.oracle.com/us/legal/terms/index.html.

For the purpose of such Terms of Use, the information in this document shall be treated as Content (as defined in the
Terms of Use) provided on or through an Oracle Web Site.

ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
Table of Contents

Overview 1

Scope 1

Cloud Information Security Policies 3

Security Responsibilities of Oracle Cloud Customers 4

Enforcement 4

Review of Internal Information - Oracle Security Policies 4

Organizational Security 4

Current Internal Organization 4

Authorization Process for Data Centers Used to host Cloud Services 5

Confidentiality Agreements 5

Third Parties 5

Independent Review 6

Asset Management 6

Responsibility for Assets 6

Asset Control Responsibilities of Customers 7

Inventory of Assets 7

Information Classification and Handling 7

Physical and Environmental Security 7

Secure Areas 8

Equipment Security 8

Communications and Operations Management 8

Change Management 9

ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
 Segregation of Duties 9

Service Delivery 9

Third-Party Service Delivery Management 9

System Planning and Acceptance 10

Capacity Management 10

Protection against Malicious Code 10

Backups 11

Network Security Management 11

Physical Media Handling, Secure Transit, and Disposal 12

Monitoring 12

Audit Logging 12

Monitoring System Use 13

Protection of Log Information 13

Clock Synchronization 13

Access Control 14

Oracle Users Access Management 14

Oracle Cloud Service Users, Privilege, and Password Management 14

User Responsibilities and Password Use 15

Unattended User Equipment 15

Clear Desk and Clear Screen Controls 15

Privilege Management 15

Administrative User Password Management 15

Review of User Access Rights 16

Network Access Control 16

ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
 Segregation in Networks 16

Network Routing Control 17

Network Bandwidth and Latency 17

Network Intrusion Detection Systems 17

Operating System Access Control 17

Cloud Services Transfer Interfaces 17

Session Management and Timeouts 18

Limitation of Connection Time 18

Mobile Computing and Telecommuting 18

Information System Acquisition, Development, and Maintenance 18

Security Requirements of Information Systems 18

Key Management 19

Security of System Files 19

Security in Development and Support Processes 20

Technical Vulnerability Management 20

Information Security Incident Management 20

Reporting of Information Security Events and Vulnerabilities 20

Management of Information Security Events and Improvements 21

Collection of Evidence 21

Business Continuity Management and Disaster Recovery Services (Where Applicable to

the Cloud Service(s) under Your Order) 22

Scope 22

System Resilience 22

Disaster Recovery 22

ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
 Disaster Recovery Plan Objectives 23

Plan Testing 23

Compliance (Where Applicable to the Cloud Service(s) under Your Order) 23

Compliance with Legal Requirements and the European Union Data Privacy

Directive 24

Internal Audits 24

Data Protection and Privacy 24

Risk Assessment 25

ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
Overview
Oracle has adopted security practices for Oracle Cloud Services that are designed to protect the confidentiality,
integrity, and availability of customer information, defined as “Your Content” in your Cloud Service Agreement (CSA)
and related documentation. The purpose of this document is to provide a summary of these practices. Note that these
practices are subject to change.

Scope
This document discusses the security practices for Oracle’s Software as a Service (SaaS) Cloud. These security
practices reflect Oracle’s formal security policies, including:

Oracle Information Security

Oracle security policies cover the management of security for both its internal operations as well as the
services Oracle provides to its customers. The policies apply to Oracle employees and customers are
strongly encouraged to implement their own comprehensive system of policies, standards and procedures,
according to customer risk-based assessments and business requirements. Oracle Security policies are
Oracle confidential internal information however, brief summaries of Oracle security policies that may be
relevant to Oracle Cloud services are provided below.

Organization of Information Security

The Oracle Security Organization Policy describes the roles and responsibilities of various teams and
individuals involved in information security at Oracle, including the executive-level oversight committee,
corporate Information, Product, and Physical Security organizations, Information Technology (IT) and IT
Security organizations, Lines of Business (LoBs), and individual Information Security Managers (ISMs) who
are assigned by each LoB to represent the security leadership of each organization.

The Oracle Information Security Policy describes the principles for development, executive approval,
implementation, and maintenance of information security policies and practices at Oracle. This over-arching
information security policy also describes governing principles such as 'need-to-know', least privilege, and
segregation of duties. Employees, contractors and temporary employees are subject to Oracle security
policies.

Human Resource Security

The Oracle Code of Ethics and Business Conduct sets forth Oracle's high standards for moral ethics and
business conduct at every level of the company and at every location where Oracle does business
throughout the world. The standard applies to employees, independent contractors, and temporary
employees and it covers the areas of legal and regulatory compliance, business conduct and relationships.

Asset Management

The Oracle Information Protection Policy provides guidelines for all Oracle personnel regarding information
classification schemes and minimum handling requirements associated with those classifications, in an effort
to ensure proper protection of Oracle and customer information assets.

1 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
 The Oracle Acceptable Use Policy for Company Resources sets requirements for use of the Oracle
corporate network, computer systems, telephony systems, messaging technologies, Internet access, and
other company resources.

The Oracle Information Management and Record Retention Policy is intended to provide guidance to ensure
that Oracle maintains its Information and Records in accordance with applicable legal, regulatory, and
business requirements.

Access Control

The Oracle Logical Access Controls Policy describes logical access control requirements for Oracle
systems, including authentication, authorization, access approval, provisioning, and revocation for
employees and any other Oracle-defined 'users' with access to Oracle systems that are not Internet facing
publicly accessible systems.

The Oracle Password Policy requires protection of information assets by Oracle employee use of strong
password controls where passwords are being used as a method of authentication. Password expiration
and reset requirements are enforced.

Physical and Environmental Security

The Oracle Identification and Access Badge Policy provides Data Center access control requirements for
employees and visitors, including access requests, physical screening, on-site behavior, and prohibited
items. Some of the prohibited items include cameras, recording devices (of any type), any wireless
communications devices and certain other items, materials, and substances. Various search and detection
measures and methodologies are employed to maintain compliance. Video monitoring is also in place
throughout the facility, in both interior and exterior areas. This section does not apply to Oracle Cloud at
Customer Services.

Operations Security

The Oracle Server Security Policy sets forth the physical and logical security requirements for Internet-facing
and production servers.

The Oracle Logging and Log Analysis Policy states corporate-level mandates for log retention, review, and
analysis. Areas covered include minimum log requirements, responsibilities for the configuration and
implementation of logging, alert review, problem management, retention, security and protection of logs, as
well as compliance review.

The Oracle Secure Socket / Transport Layer Policy requires TLS v1.1 or later SSL enablement for Web-
based applications.

Communications Security

The Oracle Network Security Policy states that computers, Servers, and other data devices connected to
the Oracle network must comply with security policies and standards for security, configuration, and access
methods.

2 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
 The Oracle Network Scanning Request Procedure is required as Oracle Security policy prohibits
unauthorized network scanning and vulnerability testing of Oracle networks and systems. Scans and
vulnerability testing are to be performed only by authorized personnel, and only following written request
and approval from Global Information Security. No other Oracle employees or third-party companies are
authorized to approve the use of, or to use network scanners and vulnerability testing tools or systems
against any Oracle networks or systems.

System Acquisition, Development and Maintenance

The Oracle Critical Patch Update and Security Alert Implementation Policy requires implementation of
Critical Patch Updates (CPU) and Security Alert fixes, as well as associated recommendations, within a
reasonable time of their publication.

The Oracle Media Sanitization and Disposal Policy establishes guidelines for secure erasure of information
from electronic media, where current usage of the media is finished and a decision is made regarding
recycling or destruction. The policy is intended to protect Oracle resources and information from security
threats associated with the retrieval and recovery of information on electronic media.

Information Security aspects of Business Continuity Management

Oracle has a global Risk Management and Resiliency Program (RMRP) that serves to meet Oracle’s
corporate resiliency requirements. The RMRP comprises planning and testing of Oracle’s critical internal
operations.

Compliance

The Services Privacy Policy describes Oracle’s treatment of data that resides on Oracle, customer, or third-
party systems (including personally identifiable information or “PII”).

The Oracle Information Security Incident Reporting and Response Policy requires reporting of and response
to information security incidents in a timely and efficient manner. Oracle also maintains a detailed Information
Security Incident Response Plan to provide specific guidance for personnel involved in or supporting incident
response. This policy also provides requirements for Oracle employees to notify identified contacts internally
in the event of suspected unauthorized access to personal information or customer data.

Cloud Information Security Policies

Oracle Cloud information security policies establish and govern areas of security applicable to Oracle Cloud Services
and to its customers’ use of Oracle Cloud Services. Oracle personnel (including full time employees, temporary
employees and contractors) are subject to the Oracle information security policies and any additional policies that
govern their employment or the services they provide to Oracle.

Oracle Cloud takes a holistic approach to information security, implementing a layered defense security strategy where
network, operating system, database, and Oracle Programs security practices are intended to complement one
another with resilient internal controls, governance, and oversight.

3 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
This document is intended to provide an overview of the information security practices that Oracle follows when
delivering Oracle Cloud Services. Depending on the context as used in this document, the term “Oracle Cloud” refers
to the Oracle Cloud Services ordered by the customer under the applicable ordering document.

Security Responsibilities of Oracle Cloud Customers

Oracle Cloud customers are responsible for:

» Assessing their risk posture particularly as it relates to the use of Oracle Cloud services, and the hosting of
customers’ data on these systems.
» Activating appropriate configurations as proposed or available in the Cloud Services and accessible to them through
the available Cloud Services interfaces, according to their own comprehensive system of security and operational
policies, standards and procedures and according to their risk-based assessments and business requirements.
» Ensuring that end-user devices meet web browser requirements described in the published Cloud Hosting and
Delivery Policies and, where applicable, minimum network bandwidth requirements for access to Services
environment(s).
» Managing and enforcing end-user devices security controls, so that antivirus, malware and other malicious code
checks are performed on data and files before uploading data into Services environment(s) or downloading it these
from the Services environment(s).
» Maintaining customer-managed accounts according to its policies and security best practices.
» Additionally for Oracle Cloud at Customer Services, customers are responsible for ensuring physical security for
the physical environment in which the solution is deployed.
» Additionally for Oracle Cloud at Customer Services, customers are responsible for ensuring network security and
access control over networks provided and/or controlled by the Customer.

Enforcement
Oracle employees who fail to comply with the Oracle Information Security Policies, procedures, and practices may be
subject to disciplinary action, up to and including termination.

Review of Internal Information - Oracle Security Policies

Oracle Information Security Policies are periodically reviewed by Global Information Security annually or when
changes are required.

Oracle Cloud internal information security policies may be reviewed at the sole discretion of Oracle and according to
Section 10 (Audit Rights) of Oracle’s Data Protection Agreement.

Organizational Security

Current Internal Organization

The Oracle Security organization is composed of various teams and individuals involved in information security at
Oracle, including the following:

» Executive-level oversight committee

» Corporate information, product, and physical security organizations
» Oracle Cloud operations

4 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
» Oracle Cloud Security Engineering and Operations
» Oracle Cloud Security, Risk Management and Regulatory Compliance Security organizations in various lines of
business
» Individual Information Security Managers (ISMs), who are assigned by lines of business to represent the security
leadership of that organization
Management provides resources for third-party audits and a secured service environment.

Information security responsibilities and activities are defined and coordinated by personnel trained in information
security practices applicable to their role or job function. Cloud Operations personnel complete security training.
Security team members also maintain professional industry security certifications, such as Certified Information
Systems Security Professional (CISSP), and/or other efforts to stay current with emerging threats and security trends.

Authorization Process for Data Centers Used to host Cloud Services

Formal authorization must be obtained before establishing a new Oracle Cloud processing facility where Cloud
Services are hosted. New processing facilities must adhere to the security practices outlined in this document and
undergo a series of security reviews in order to receive the approval to operate.

Processing facilities may have unique controls specific to the region that they serve. Where applicable, these controls
are specified in the security practices document specific to that region. In addition, Oracle Cloud processing facilities
generally undergo an annual independent review to validate compliance.

Confidentiality Agreements
Oracle employees and external parties (such as a contractor, supplier, vendor or subprocessor as defined in the Data
Processing Agreement) performing services on or requiring access to any data center hosting Cloud Services, Oracle
Programs or Your Content must sign the following:

» Services Provider Agreement (SPA)

» Network Access Agreement (NAA), if network access is necessary
» Supplier Data Processing Agreement (SDPA)
» Where applicable, work order defining the services to be provided
Agreements in which a third-party may be given such access must also incorporate approved confidentiality terms
and supplier security provisions for applicable physical, logical, and administrative security controls as well as
requirements for privacy, security breach reporting, auditing, and destruction of data following completion of services.
Global Procurement and Oracle Cloud executive management review and approve these agreements before granting
access.

Third Parties
Third parties typically do not need nor require access to Your Content. However, if such access is required, then an
access request process is initiated. The access request process is intended to:

» Validate business justification for the access.

» Limit access to only the intended purpose and to expire access when no longer needed.
In addition, access is monitored and audited as part of access management compliance procedures.

5 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
Independent Review
Oracle Cloud may employ third parties to conduct independent reviews of Cloud Services in the following areas (the
availability and scope of reports may vary by service and country.):

» Statement on Standards for Attestation Engagements (SSAE) No 16 and Service Organization Control (SOC) 1
and/or SOC 2 reports or equivalent.
» Independent third-party security testing to review the effectiveness of administrative and technical controls.

Available reports are accessible to Oracle Cloud customers through My Oracle Support (MOS) or upon written request.
Customers may only use the reports to evaluate Oracle’s security controls. The reports are Oracle Confidential
Information under the terms of the agreement between Oracle and the customer under which the customer has
acquired the Cloud Service related to the report. The customer may not copy or distribute these reports to their
personnel except as necessary. The customer may share these reports with their external auditor, provided that the
auditor is bound by confidentiality terms consistent with the customer’s agreement with Oracle, as described
previously, and that the auditor uses the report solely to assist the customer in evaluating the controls addressed
therein.

Oracle provides these reports “AS IS” without any warranty. Oracle retains all rights in these reports, and the customer
must properly destroy and dispose of any copies of a report when it is no longer needed.

Asset Management
Oracle Cloud assets located at Oracle data centers or that are deployed at customer data center or a third-party data
center retained by the customer are owned or leased and operated by Oracle or authorized third parties (where
applicable). Authorized individuals are assigned and accountable with the ownership, custodianship, operational
usage, and support of these assets.

Responsibility for Assets

Assets located at Oracle data centers hosting Cloud Services have an owner, who is responsible for the protection
and inventory of assets based on the business criticality, sensitivity, and data classification of information hosted on
these assets. Ownership includes maintenance of operation guides and other documentation describing the Cloud
Services. Additional responsibilities include:

» Maintaining information about assets in the central asset inventory register.

» Listing inventory by status of each asset throughout its lifecycle (for example, ordered, deployed, retired, and so
on).
» Identifying the classification level of an information asset.
» Maintaining the confidentiality, integrity, and availability of the asset.
» Reporting unauthorized additions, modifications, or removal of assets.
» Assigning an owner for reviewing and authorizing access requests to those who have a business need.
» Removing VPN access from those who no longer have a business need.

6 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
Asset Control Responsibilities of Customers
Oracle Cloud customers are responsible for the assets they control that utilize or integrate with the Oracle Cloud
services. At a minimum, customer responsibilities include:

» Determining the appropriate classification for Your Content.

» Determining whether the existing and documented controls provided by Oracle Cloud Services are appropriate
controls for Your Content, based on standards, laws or regulations that apply to it.
» Providing any appropriate notices and/or obtaining any required consents related to the collection and use of
information provided by data subjects, including any such consents necessary for Oracle to provide the Cloud
Services.
» Identifying and periodically reviewing list of customers’ employees with access to Oracle Cloud systems.

Inventory of Assets
Oracle Programs are registered in inventory management-tracking tools used for lifecycle management, software
license compliance tracking, change management controls, and business approvals for access. Oracle Cloud network
provisioning rules and processes require security review and approval before a new resource is placed into a Services
environment. Internal Oracle policies require resources to be placed in proper network zones depending on their
classification as part of deployment criteria. Reviews and approvals are performed before changes are implemented.
Asset management tracking tools track changes.

Information Classification and Handling

In accordance with Oracle’s Information Protection policy, Oracle classifies Customer Cloud data as one of the two
highest classes of confidential information and place restrictions on access, distribution, and handling of this data.

As specified in the ordering document for your Cloud Services, Oracle Cloud may provide management and support
services as well as storage of Your Content. Oracle limits its accesses to Your Content only to provide the Cloud
Services, according to the terms of the Cloud Services Agreement or as otherwise required by law. Oracle does not
and will not:

» Otherwise modify Your Content without the express and documented consent of the customer.
» Have any role or responsibility in determining or maintaining the accuracy of data.
» Limit the customer's access to Your Content, except to the extent that access is restricted via physical and/or logical
access controls as part of the Cloud Services configurations.
» Monitor the customer’s use of, or access to, Your Content except as necessary to provide the Cloud Services.
Oracle will not disclose Your Content except in accordance with the Cloud Service Agreement and the Data
Processing Agreement, subsequent written instructions by the customer, or as required by law.

Physical and Environmental Security

For data centers hosting Cloud Services, Oracle leverages an integrated security management system with electronic
photo ID badges, cardholder access control, biometrics, recorded digital video surveillance, and alarm monitoring.
Main entrances are staffed 24 hours a day, 365 days a year by equipped and trained security guards who perform
visual identity recognition and visitor escort management. Intrusion detection alarm systems and a 24x7 security
protection unit secure the building perimeter.

7 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
Secure Areas
The following physical security procedures are also in place intended to prevent unauthorized physical access at the
Oracle Cloud service locations where customer data is handled:

» Physical access is limited to authorized Oracle personnel, subcontractors, and visitors.

» Authorized Oracle personnel, subcontractors, and visitors are issued identification cards that must be worn while
on the premises.
» Physical Security staff monitors the possession of keys or access cards, and the ability to access data centers.
Employees leaving Oracle employment must return their keys or cards.
» Any changes to physical security are reviewed periodically, according to Oracle’s change management process.
» Contracted physical security personnel are required to pass a criminal background check as well as a drug screen.
Outside of the United States, Oracle conducts background screening subject to local laws and Oracle policy.

Equipment Security
Physical and environmental controls that exist at Oracle Cloud data centers are designed to protect equipment from
interruptions and unauthorized intrusions. These data centers have a continuous power system, climate control, and
a central backup and recovery system to address equipment security, such as the following:

» Environmental hazards (for example, heat, fire, smoke, water, dust, and vibration).
» Control any physical movement of equipment by hand-delivered receipts and other authorized change control
procedures.
» Secure cables that carry data or support key information services are protected from interception or damage.
» Network cables are protected by conduits and, where possible, avoid routes through public areas.

This section does not apply to Oracle Cloud at Customer Services. You must provide secured computing facilities for
the hosting and operation of the Service related hardware, including the gateway hardware required for Oracle to
access the Services.

Communications and Operations Management

Oracle Cloud may provide customers with both a production environment and a nonproduction environment,
depending on the Cloud Services ordered. However, Oracle Cloud conducts development and testing activities on
environments outside of, and physically separated from, the production and nonproduction environments that are
provided by Oracle Cloud as part of the service. Your Content is not used within these development and testing
environments as per Oracle’s internal security policies, except that Oracle may periodically refresh the corresponding
non-production infrastructure from the production environment, to support upgrade, patching, and release testing.

» The Services environments include servers set up in a multi-tiered configuration that typically includes virtualized
web servers, application servers, and database servers.
» Certain shared services, such backup systems, monitoring, and security are provided by secured servers.
Customers do not have direct access to these shared services.

Access to Your Content and related configurations is strictly limited to Your Cloud Service instance and enforced by
access control and identity management measures. Your Content and related configurations are designed so that

8 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
they are not shared with other Cloud Services customers. Your Content resides in a unique database schema or
instance.

Customer environments for single tenant services are logically isolated from other customers using one or more of
technologies such as: dedicated application instances, dedicated virtual servers, and dedicated VLAN's. Access
controls are multi-tiered, consisting of the network, system, database and application layers, operational procedures
and responsibilities

Oracle Cloud Services maintain a comprehensive set of security-focused Standard Operating Procedures (SOPs).
The SOPs provide direction and describe activities and tasks undertaken by Oracle personnel when delivering
services to customers. SOPs are managed centrally and are available to authorized personnel through Oracle’s
intranet on a need-to-know basis.

Change Management
During the Cloud Services term, Oracle tracks the release levels of various components within the customer’s Services
environment (for example, hardware, associated device drivers, operating system, and Oracle virtualization software).
Oracle will periodically deploy Oracle patches, maintenance releases, and updates to the customer’s Services
environment to keep the Oracle Programs provided by Oracle as part of the Cloud Services at a current release
version or to enhance service performance. Software upgrade to the customer’s Services environment is governed
by Oracle’s change control procedures, as described in the Oracle Cloud Hosting and Delivery Policies.

For security patch bundles that Oracle deploys for designated Oracle Cloud Services, Oracle will apply the security
patch bundle to the production environment of the Cloud Service after Oracle successfully completes testing on the
non-production environment where available.

Changes to Cloud environments are performed following documented change control procedures.

Segregation of Duties
Oracle Cloud establishes segregation of duties through a set of roles and responsibilities based on job duties. The
roles are segregated to disseminate tasks and associated privileges. Business processes and technical controls are
in place to support the roles and associated privileges to allow certain functions only to authorized individuals or teams.
Access controls are also established on a “least-privilege” model, so that the appropriate level of access is granted to
perform the job function. Policy-based access controls are in place throughout the Cloud Service application tier to
limit runtime functions to authorized roles and user credentials. Noncompliance issues are investigated and handled
in accordance with incident management procedures or legal mandates, and can result in adverse actions or penalties,
up to and including termination of employment, depending on the incident.

Service Delivery
The Oracle Cloud Services Descriptions describe the offerings as ordered by the customer under their ordering
document.

Third-Party Service Delivery Management

Oracle maintains master service agreements with various vendors for services and products. In these agreements,
specific security and privacy controls are defined and agreed upon for the service. For example, Oracle Cloud currently

9 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
maintains contracts with third‐party vendors for the transportation and storage of encrypted customer backup tapes,
wherever used, to an off-site storage facility, and for some data center functions such as physical security guards and
facility building operations and maintenance.

System-level access to customer environments is managed by Oracle Cloud personnel and is currently not outsourced
to a third party.

System Planning and Acceptance

The Oracle Cloud quality assurance process includes security-specific test plans. These test plans include the review
of data visibility, access control, password control, administrative privileges, end-user role privileges, and data access
rules. In addition, if applicable, cross-customer data security (visibility) is tested. Security-specific testing focuses on
correct operation and processing according to the Oracle Cloud design and specifications.

Capacity Management
Oracle Cloud Services capacities are monitored and adjustments are made to maintain optimal availability. Monitoring
tools are used to collect data and analyze capacity trends. Capacity is evaluated as part of periodic reviews that
currently include, but are not limited to, the following:

» Central Processing Unit (CPU)

» Data storage
» I/O throughput
» Memory
» Network bandwidth
» Page access timings

Sizing and capacity planning is performed on a per customer and Cloud Service basis, and is sized for a specified
workload based on customer input. The customer must not make any workload changes beyond the amount permitted
under the ordering document. Oracle may supplement the provisioning and capacity associated with the customer’s
Services environment, and such changes may result in additional fees for the services. Examples of workload changes
include:

» Merging a new company

» Enabling new users
» Increasing web services utilization
» Loading new data in bulk

Protection against Malicious Code

Oracle may deploy some protections against malicious code. If applicable, memory and file systems are then scanned
regularly. Viruses and malware that are detected are blocked from entering the Services environments, removed or
quarantined automatically and an alert generated that initiates a response from Oracle. Virus and malware definitions
are configured to be updated frequently and Oracle Cloud performs ongoing scans, and full disk scans.

10 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
Oracle Cloud keeps antivirus and malware products and server update services up to date with virus and malware
definitions and security updates. Oracle Cloud notifies its user community of any known credible virus or malware
threats, and when security updates are available.

Oracle personnel are responsible for promptly reporting any virus or malware or suspected virus or malware known
to be in the customer’s Services environment that cannot be addressed by Oracle Cloud Service antivirus and malware
protections.

Oracle personnel are prohibited from altering, disabling, or removing antivirus and malware software from any Oracle
computer used to operate Oracle Cloud Services. Any person who is found to have violated this prohibition may be
subject to disciplinary action, up to and including termination of employment.

Oracle Cloud personnel with access to Your Content are required to comply with the Oracle Desktop & Laptop Security
Policy that requires the installation of anti-virus and personal firewall software, and strongly recommends the use of
both Windows Server Update Service (WSUS) and Oracle's asset management software on desktop and Global
Desktop Strategy (GDS) organization keeps anti-virus products and Microsoft WSUS servers up to date with the latest
virus definitions and security updates. GDS notifies the user community of any credible virus threats, and when new
WSUS security updates are available.

Oracle has also licensed and installed third-party email antivirus, malware, and anti-spam products to scan Oracle
corporate emails and attachments.

Backups
Oracle Cloud uses disk-to-disk, replication or tape backups to help protect against the loss of Your Content. Backups
are exclusively performed by Oracle for Services environments, and are for Oracle's sole use where disaster recovery
services are offered for the Cloud Service(s) or when there is loss of Your Content due to a component under Oracle’s
control.

Where applicable, Oracle Cloud uses dedicated backup servers and tape libraries to perform backup services.
Backups are encrypted, using protocols that comply with applicable NIST standards.

Available backups may in some instances be used to restore customer data that the customer may have deleted or
overwritten, at an additional charge.

Network Security Management

A centralized system is used for managing the access and integrity of Services environments device configurations.
Change controls are also in place designed to ensure that only approved changes are applied.

Network Architecture/Logical Security incorporates the following safeguards:

» Integrity of the data-in-transit (in transmission) is protected through the use of strong encryption (for example,
TLS/SSL or IPSEC).
» All network ingress to Oracle Cloud is limited to methods that have been approved by Oracle’s internal security
processes.

Oracle hardens Services environments device configurations by:

11 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
» Restricting remote access to approved connections by authorized Oracle personnel.
» Locking down Simple Network Management Protocol (SNMP) access to devices.
» Controlling access to devices through the use of centralized access control systems by:
» Turning off unnecessary services.
» Logging
» Authenticating routing

Physical Media Handling, Secure Transit, and Disposal

Where applicable, designated Oracle personnel handle tape media and prepare it for transportation according to
defined procedures. Digital media is logged, securely transported, and vaulted by a third‐party off‐site vendor. The
vendor is contractually obligated to comply with Oracle’s terms for media protection.

Upon termination of services or at the customer’s request, Oracle deletes the Services environments and Your Content
residing therein in a manner designed to ensure that they cannot reasonably be accessed or read, unless there is a
legal obligation imposed on Oracle, preventing it from deleting all or part of the Services environments. Unless
otherwise specified in writing, Oracle will make Your Content available for download via secure protocols for 60 days
following termination of the Cloud Service Agreement.

Monitoring
Oracle monitors the performance and availability of Services environments through various toolsets. Oracle may
provide a redacted subset of this information to customers, upon request. Monitoring information is used to tune the
Services environment and improve Cloud Services performances through maintenance activities. Monitoring systems
and data are accessed only by authorized individuals with the operational responsibility for monitoring.

Audit Logging
Oracle logs selected security-related activities on Services environments. Oracle monitoring and auditing systems are
configured to log access to the Services environments, as well as system alerts, console messages, and system
errors. Oracle implements controls to protect against operational problems, including the log file media becoming
exhausted, failing to record events, or logs being overwritten.

At a minimum and where technically practical, security-related log entries currently capture the following information:

» Date
» Time
» Time zone
» User account name, IP address, or both
» Source IP address information, software or configuration changed, identity of operation
» Original value (when applicable)
» New value (other than for changes such as a password change) (when applicable)
» Location of change (host name, file name, or table name)

Logs with security-related information are generally retained for three (3) months, and may be kept online or offline.
Oracle may choose to expand the retention period, particularly if an anomalous system event or series of events occur
that could constitute an information security incident.

12 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
Monitoring System Use
Key access logs are reviewed for unauthorized access attempts, use, security incidents, forensic purposes, and
identified anomalous activities. Oracle Cloud utilizes a Security Information and Event Management (SIEM) system
to consolidate and alert on Intrusion Detection System security events, firewall log events, and network events. The
SIEM system is monitored 24 hours per day, seven days per week, and 365 days per year.

Oracle reviews logs for forensic purposes and incidents; and identified anomalous activities feed into the incident
management process. Security incidents are investigated and tracked to closure.

Protection of Log Information

Oracle employs mechanisms intended to protect logging from being deactivated and to protect audit logs against
modification, deletion, and unauthorized access. Access to logs is provided on the basis of “need-to-know” and “least
privilege.” Where practical, Integrity of log files is protected with integrity controls by cryptographic hash functions.
Logs on Internet-accessible systems are relocated daily to systems that are not Internet-accessible.

Clock Synchronization
Where technically practical, Services environments are set to Universal Time Clock (UTC) and are synchronized via
network time protocol (NTP) with a central time server.

13 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
Access Control
Access Control generally involves the following:

» End-User Access Management

» Oracle Cloud Service User, Privilege, and Password Management
» User Responsibilities and Password Use
» Unattended User Equipment
» Clear Desk and Clear Screen Controls
» Privilege Management
» Review of User Access Rights
» Network Access Control
» Segregation in Networks
» Network Routing Control
» Network Bandwidth and Latency
» Network Intrusion Detection Systems
» Operating System Access Control
» Oracle Cloud Service and Information Access Control
» Session Management and Timeouts
» Limitation of Connection Time
» Mobile Computing and Telecommuting

For Oracle Cloud at Customer Services, customer is responsible for providing adequate network security (e.g.
intrusion detection systems, access controls, firewalls, etc.) to prevent unauthorized access to customer Oracle Cloud
Service networks.

Oracle Users Access Management

Access to Services environments is controlled by restricting access to authorized personnel. Oracle enforces strong
password policies on infrastructure components and cloud management systems used to operate the Services
environments. This includes requiring a minimum password length, password complexity, and regular password
changes. Strong passwords or multi-factor authentication are used throughout the infrastructure to reduce the risk of
intruders gaining access through exploitation of user accounts.

Customers are responsible for all end-user administration within the Cloud Services. Oracle does not maintain
customers’ end-user accounts. Customers can configure the Cloud Services to address their business or compliance
needs, including auditing, and various security-related options.

Oracle Cloud Service Users, Privilege, and Password Management

Where supported by the Cloud Service, access to Oracle Cloud systems is controlled by restricting access to
authorized personnel. Oracle enforces strong password policies on infrastructure components and cloud management
systems used to operate the Oracle Cloud environment. This includes requiring a minimum password length,
password complexity, and regular password changes. Strong passwords or multi-factor authentication are used
throughout the infrastructure to reduce the risk of intruders gaining access through exploitation of user accounts.

14 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
System access controls include system authentication, authorization, access approval, provisioning, and revocation.

Oracle’s Cloud Administrator creates the customer’s initial Administrator Sign-In ID. The customer’s Cloud
Administrator receives an email to their registered email address with the User Sign-In ID and a randomly generated
temporary password.

Oracle Cloud requires that the customer’s Cloud Administrator set application program user password restrictions
consistent with the customer’s requirements. Available password settings vary by service. Documentation should be
consulted to evaluate which settings are appropriate.

User Responsibilities and Password Use

It is the customer’s responsibility to maintain access control to Your Content. Where available, the Cloud Services
give customers the ability to manage their end-users and password policies, to set up roles for their users, and to
grant specific visibility and data access privileges to the roles. The customer’s security administrators can change
roles or inactivate users to revoke access.

Unattended User Equipment

Server and device consoles and workstations are required to be configured with technical controls, such as password-
protected screen savers, that automatically lock access based on defined session inactivity thresholds.

Clear Desk and Clear Screen Controls

Clear desk and clear screen controls are a combination of end-user awareness, manual procedures, and technical
controls designed to prevent inadvertent visual disclosure, and unauthorized access, and to ensure confidential
information is not left unattended or unsecured in any location when it is not in use.

Privilege Management
Privilege management is control of any account that allows privileged operations. For Oracle Cloud operations, these
accounts are used by authorized individuals and teams only where there is a business requirement to do so as part
of system management or maintenance functions. To manage this access, authorized individuals and teams use the
following controls:

» Set policy-based configurations and security programs to restrict the use of privilege accounts. This is achieved at
various layers of the Oracle Cloud architecture (network, program, mid-tier, database, and shared services).
» Where technically practical, allow only named user accounts to “run as” or execute commands as a privileged user
based on policy controls that allow them to do so. Deny-by-default all other users.
» Monitor use of privileged access for adherence to access and acceptable use policies. Monitoring is done by
security operations as part of ongoing compliance measures and segregation of duties.
» Separate duty assignments for management of policy configuration settings and access controls.
» Regularly change privileged account passwords.
» Where applicable, Oracle Administrative access to the Cloud environment is through a “bastion host” in the local
data centers where the systems reside. The “bastion hosts” are running antivirus software.

Administrative User Password Management

Administrative user passwords exhibit the following characteristics, at a minimum, for any system allowing access to
Cloud environments:

15 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
» Passwords are a minimum of eight characters long
» Passwords must contain at least one upper case character, and at least either one number or special character
(any character not defined as a letter or number)
» Passwords are aged every ninety-days
» Passwords cannot be a common word or name and cannot contain any part of a username

Review of User Access Rights

Network and operating system accounts for Oracle personnel are reviewed to confirm the assignment of appropriate
access levels. The customer is responsible for managing and reviewing access for its own user accounts.

Network Access Control

Oracle’s data centers contain an isolated network environment used to deliver Cloud Services. Networking
technologies are deployed in a layered approach designed to protect Your Content at the physical, data link, network,
transport, and Cloud Service levels. Access policies are based on a deny- by-default configuration, and only authorized
traffic is allowed.

For selected Cloud Services, server load balancers are deployed in redundant pairs to offload processor intensive
transactions from servers, and are configured as a secure reverse proxy with the goal to prevent direct unmonitored
access.

Wireless access points are not permitted in the service environments.

Oracle Cloud operations teams access Services environments through a DMZ environment inside a dedicated
extranet isolated from Oracle's internal corporate networks. It functions as a secure access gateway between support
systems, the target Services environments, and database servers. Regional gateways are synchronized to provide
continuity of support operations if any one of the gateways fails. Authentication, authorization, and accounting are
implemented through standard security mechanisms designed to ensure that only approved operations and support
engineers with a valid account can access a customer environment using multi-factor authentication through a virtual
private network (VPN). Named accounts are mapped to individual users. Cryptographic controls are implemented to
provide Cloud operations and support teams with secure, easily configured access to Services environments.

Segregation in Networks
Network controls implemented for Oracle Cloud Services address the protection and control of Your Content during
its transmission from a customer’s system to the Oracle Cloud Services. The network security infrastructure is
designed to secure the servers from a network‐based attack. Redundant, managed firewalls, using stateful packet
inspection, provide barriers between tiers of the architecture. Traffic is filtered to allow only valid web connections into
the network. Traffic within each tier is restricted and controlled via firewalls to control access between Oracle Cloud
service tiers by allowing only authorized traffic. Firewalls are deployed in a layered approach to perform packet
inspection with security policies configured to filter packets based on the protocol, port, source, and destination IP
address to authorized sources, destinations, and traffic types.

Customer environments for single tenant services are logically isolated from other customers using one or more of
technologies such as: dedicated application instances, dedicated virtual servers, and dedicated VLAN's. Access
controls are multi-tiered, consisting of the network, system, database and application layers.

16 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
Network Routing Control
Network routers provide the connection point between the Oracle Cloud Services and the Internet service providers
(ISPs). Border routers are deployed in a fully redundant, fault tolerant configuration connecting to different ISPs.
Border Gateway Protocol (BGP) is configured to provide route convergence in an ISP link failure. Routers are also
used to enforce traffic policies at the perimeter.

Network Bandwidth and Latency

Oracle is not responsible for the customer’s network connections, or for conditions or problems arising from or related
to the customer’s network connections (for example, bandwidth issues, excessive latency, network outages) or caused
by the Internet. Oracle monitors its own networks and will work to address internal issues that may affect availability.

Network Intrusion Detection Systems

Where available, Oracle Cloud uses a Network Intrusion Detection System (NIDS) to protect the Services
environments. NIDS sensors are deployed in IDS (Intrusion Detection Mode) to monitor suspicious network traffic
from reaching the Services environments. Intrusion Detection policies are based on the combination of three vectors:

» Signatures
» Protocol anomalies
» Statistical anomalies of the network traffic being monitored

NIDS alerts are routed to a centralized monitoring system that is managed by the Oracle Cloud security operations
teams 24x7x365.

Operating System Access Control

Operating System Access is controlled as follows:

» Access approvals that are centrally managed and recorded for audit verification.
» VPN access with multi-factor authentication.
» Individual named account.
» Account management procedures to revoke VPN access when it is no longer needed.
» Audit and monitoring procedures to validate appropriate access, as specified in the Monitoring System Use section
of this document.
Outside of the OS level, access controls are also in place, such as role based access controls (RBAC). In addition,
advanced data security options may also be available for selected Cloud Services.

Cloud Services Transfer Interfaces

Oracle Cloud Services support a variety of standard interfaces and layered access controls to manage information
flows. Import and export mechanisms are available for selected Cloud Services, to transport Your Content to and from
customers’ Services environments. These data transport services are accessible through application programmable
interfaces (APIs), web services, or other secure network protocols such as secure file transfer protocol (SFTP).

17 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
Session Management and Timeouts
To initiate and maintain an application Cloud Services session, the sign-in process establishes a session between the
user’s browser and the Cloud Service and tracks the session via a unique Session ID.

Session IDs are generated by the Cloud Services and are designed to be opaque and unique in order to inhibit session
prediction and guessing attacks. Session IDs consist of a single hard to predict, highly entropic section that is encoded
within a number of bytes.

Oracle Cloud Services enforce session timeouts for inactive sessions. If an end-user is inactive for longer than the
timeout setting, then their session is terminated, and they must sign in again to continue using the service. This practice
applies to both interactive and non-interactive sessions.

Limitation of Connection Time

There are no settings that limit active connection time to customers’ Services environments. The only time that
connections may be limited is during maintenance windows.

Mobile Computing and Telecommuting

Remote access to Services environments for Oracle personnel requires all connections to use either an IPSec or
encrypted VPN. Furthermore, access to Services environments requires multi-factor authentication over an encrypted
VPN, thus establishing a private and encrypted connection for the entire network session.

Oracle's policies for use of portable/mobile devices are detailed in the Oracle Acceptable Use Policy and the Wireless
LAN Policy and apply to all Oracle employees.

Information System Acquisition, Development, and Maintenance

This section includes the following:

» Security Requirements of Information Systems

» Key Management
» Security of System Files
» Security in Development and Support Processes
» Technical Vulnerability Management

Security Requirements of Information Systems

Oracle’s Corporate Security Solution Assurance Process (CSSAP) is a corporate security methodology designed to
provide consistent and proactive information security guidance on projects and initiatives. The process helps projects
and initiatives align with:

» Oracle Corporate Security Architecture strategy, direction, and intent.

» Oracle Corporate Information Security policies and procedures.
» Oracle IT Security standards and operational processes.
» Oracle privacy, security and legal requirements.

18 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
CSSAP is a comprehensive information security risk management and multi-tiered review process that consists of
three types of reviews:

» The Corporate Security Architecture Review Board (CSARB)

» IT Security Technical Review (STR)
» Prerelease security assessments

New Oracle Cloud architecture and changes to deployed environments undergo these reviews, and a record is kept
of conditional and non-conditional actions and recommendations. Pre-deployment and post deployment security
requirements are also established as part of Oracle’s software assurance process, secure coding standards, build or
release criteria, enterprise deployment guidelines, and configuration and change management controls.

Oracle Cloud Security teams also regularly test security requirements with code scanning, vulnerability scanning and
methods to identify new or existing vulnerabilities not previously detected. Any findings or issues are formally
assessed, prioritized, and tracked to remediation.

Key Management
Securing data in transit over public and untrustworthy networks, or at rest on writable media, is a vital protection
strategy that not only incorporates layered controls throughout Oracle’s service stack, but also involves a strong
encryption key management strategy. Oracle’s process of key management includes key distribution, access control,
backup, and recovery.

Encryption keys are centrally managed and backed up. They are further protected by a master key that is also backed
up to separate media to eliminate single‐points of failure. Keys are distributed to a secondary site, separate from the
location where the data is vaulted.

Security of System Files

Cloud Services use a multi-pronged approach to secure system files. This approach uses steps such as the following:

» A certified system build to ensure reliability of the operating system with the necessary components
» Patching and updates on an ongoing basis
» Policy-based access and authorization controls
» File permission settings
» Hardening measures to eliminate unnecessary services, ports, protocols, libraries, compilers, and programs
» Component isolation in virtualized environments
» Configuration and change management controls
» Event-based automation of job scheduling and process handling
» Encryption methods where they are technically feasible
» Integrity monitoring and audit checks

As described throughout this document, Oracle Cloud uses multiple levels of security checks, testing, threat and risk
assessments, vulnerability scanning to validate controls, including file integrity. Audit and compliance checks are
conducted to identify and remediate changes to the “known-good” posture.

19 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
Security in Development and Support Processes
The aim of Oracle is to deploy Cloud Services that are secure, and minimize risk. Oracle addresses this goal through
secure deployment configurations and Oracle’s software assurance process and secure coding standards. For more
information, see the following resources at oracle.com under Software Security Assurance:
http://www.oracle.com/us/support/assurance/index.html.

The Oracle Global Support organization follows security practices that apply to standard technical support services.
The Global Customer Support Security Practices document describes Oracle’s overall approach to information
security as well as the specific security controls applied to standard technical support services. Topics addressed
include security of Cloud Customer Support Portal designated by Oracle for the specific service ordered (e.g., the My
Oracle Support portal) and of technologies used to perform standard technical support services, data management
and protection, network security, physical security, breach reporting, and personnel training and development. This
document can be accessed at http://www.oracle.com/us/support/policies/index.html.

Technical Vulnerability Management

Vulnerability assessment tools are used to identify security threats and vulnerabilities in the Cloud Services and
Services environments. Formal procedures are in place to assess, validate, prioritize, and remediate identified issues.
Oracle subscribes to vulnerability notification systems to stay apprised of security incidents, advisories, and other
related information. Oracle acts on the notification of a threat or risk once it has confirmed that, both, a valid risk exists
and that the recommended changes are applicable to Services environments.

Information Security Incident Management

Oracle evaluates and responds to incidents that create suspicions of unauthorized access to, or handling of Your
Content.

When Oracle's Global Information Security (GIS) organization is informed of such incidents and, depending on the
nature of the activity, it defines escalation paths and response teams to address those incidents. GIS will work with
the customer, the appropriate technical teams, and law enforcement where necessary to respond to the incident. The
goal of the incident response is to restore the confidentiality, integrity, and availability of the Services environments,
and to establish root causes and remediation steps. IT operations staff has documented procedures for addressing
incidents in which handling of Your Content may have been unauthorized, including prompt and reasonable reporting,
escalation procedures, and chain of custody practices.

Reporting of Information Security Events and Vulnerabilities

Oracle evaluates and responds to incidents that create suspicions of unauthorized access to or handling of customer
data whether the data is held on Oracle hardware assets or on the personal hardware assets of Oracle employees
and contingent workers. When Oracle's GIS organization is informed of such incidents and, depending on the nature
of the activity, it defines escalation paths and response teams to address those incidents. GIS will work with the
Customer, internal LoBs, the appropriate technical teams, and law enforcement where necessary to respond to the
incident. The goal of the incident response will be to restore the confidentiality, integrity, and availability of the
Customer's environment, and to establish root causes and remediation steps.

20 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
Oracle employees are required report suspected incidents in accordance with the Oracle Information Security Incident
Reporting and Response Policy.

Every Cloud Service user is responsible for reporting information security issues. Customers can formally report
security concerns according to the terms specified in the ordering document and according to the following information:

» Oracle Security Vulnerability Disclosure Policy: To prevent undue risks to its customers, Oracle will not provide
additional information about the specifics of vulnerabilities beyond what is provided in the Critical Patch Update (or
Security Alert) advisory and prerelease note, the pre-installation notes, the readme files, and FAQs. Oracle does
not provide advance notification to individual customers. Finally, Oracle does not develop or distribute active exploit
code (or proof of concept code) for vulnerabilities in our products. To learn more, see “Security Fixing Policies” at
http://www.oracle.com/us/support/assurance/fixing-policies/index.html.
» Reporting security vulnerabilities: An Oracle Cloud Services customer can use the Cloud Customer Support Portal
designated by Oracle for the specific service ordered (e.g., the My Oracle Support portal) to submit a service request
for any security vulnerability that they believe exists in Oracle Cloud Services. For more information about this
process, see http://www.oracle.com/us/support/assurance/reporting/index.html.
» Report privacy concerns to Oracle’s Privacy office at [email protected].

Oracle personnel have similar reporting responsibilities and are made aware of their reporting responsibilities through
security awareness bulletins and training.

Management of Information Security Events and Improvements

The Oracle Cloud Security Operations team is responsible for ongoing security management and improvements.
Team members assess and prioritize risk and make recommendations for continuous improvements. Senior
management reviews these recommendations and provides resources to implement priorities.

As described above, planned IT initiatives undergo a Corporate Security Solution Assurance Process (CSSAP) review
to formally evaluate the architecture and security controls of new, upgrade or replacement technologies and
outsourced services. In addition, as part of annual planning, the product and service roadmap is also reviewed to
proactively plan for IT and security investments, to align them with the service delivery strategy, continuous service
performance, and regulatory compliance.

Collection of Evidence
If Oracle needs to collect evidence as part of an investigation or to comply with legal requirements, formal procedures
are used to maintain the integrity and reliability of that evidence. A chain of custody process is used to maintain and
document the chronological history of the evidence. Evidence is kept physically secure during its use and storage, to
prevent tampering. In addition, stringent access controls are in place to safeguard both physical and logical evidence.
Oracle may be required to disclose the customer’s personal information to comply with legally mandated reporting,
disclosure, or other legal process requirements. Oracle uses reasonable efforts to limit the personal information that
it provides for these purposes.

If Your Content is involved in the collection of evidence, then Oracle provides the customer with written notification
according to the legal and contractual requirements. While Oracle may have to share the customer’s information with
agents and contractors to perform the functions previously listed, these parties are required to treat Your Content, and
limit its use, in accordance with Oracle’s Data Processing Agreement.

21 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
Business Continuity Management and Disaster Recovery Services
(Where Applicable to the Cloud Service(s) under Your Order)

Scope
This Policy applies only to SaaS Cloud Services that offer Disaster Recovery Services and where Customer has
procured the Disaster Recovery Services.

Oracle has a global Risk Management and Resiliency Program (RMRP) that serves to meet Oracle’s corporate
resiliency requirements. The RMRP comprises planning and testing of Oracle’s critical internal operations, in the areas
of personal safety, crisis management, business continuity via manual workarounds, technology recovery, and due
diligence toward continuity of the Oracle supply chain, as applicable.

The activities described in this Policy do not apply to Customer’s own disaster recovery, business continuity or backup
plans or activities, and Customer is responsible for archiving and recovering any non-Oracle software. Disaster
Recovery services are intended to provide service restoration capability in the case of a major disaster, as declared
by Oracle, that leads to loss of a data center and corresponding service unavailability. For the purposes of this Policy,
a “disaster” means an unplanned event or condition that Oracle has determined causes a complete loss of access to
the primary site used to provide the Oracle Cloud Services such that the Customer production environments at the
primary site are not available.

System Resilience
Oracle Cloud Services maintains a redundant and resilient infrastructure designed to maintain high levels of availability
and to recover services in the event of a significant disaster or disruption. Oracle designs its cloud services using
principles of redundancy and fault-tolerance.

Oracle Cloud Services provide an infrastructure that incorporates a comprehensive data backup strategy. The Oracle
Cloud includes redundant capabilities such as power sources, cooling systems, telecommunications services,
networking, application domains, data storage, physical and virtual servers, and databases.

For covered Cloud Services, Oracle has two separate data centers that function as primary and secondary sites.
Customer’s production standby (secondary site) environment will reside in a data center separate from Customer’s
primary site. Oracle will commence the disaster recovery plan under this Policy upon its declaration of a disaster, and
will target to recover the production data and use reasonable efforts to re-establish the production environment at the
secondary site. For a major regional jurisdictional area (e.g., the United States or the European Union), Oracle
operates both a production and secondary site within that region. Customer data is replicated in physically separate
facilities in order to restore services in the event of a disaster at a primary site. Backups are for Oracle's sole use in
the event of a disaster.

Disaster Recovery
For selected Cloud Services, Oracle provides for the recovery and reconstitution of its production Cloud Services to
the most recent available state following a disaster. Oracle has established alternate processing sites to achieve
operating capabilities in the event of loss of service at a primary facility. Oracle maintains a Disaster Recovery Plan
that describes recovery procedures. Disaster recovery operations apply to the physical loss of infrastructure at Oracle

22 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
facilities. Oracle reserves the right to determine when to activate the Disaster Recovery Plan. During the execution of
the Disaster Recovery Plan, Oracle provides regular status updates to Customers.

Disaster Recovery Plan Objectives

The following are the objectives of Oracle’s Disaster Recovery Plan for Oracle Cloud Services:

» In an emergency, Oracle’s top priority and objective is human health and safety.
» Maximize the effectiveness of contingency operations through the established Disaster Recovery Plan that consists
of the following phases:
» Phase 1 - Disaster Recovery Launch Authorization phase - to detect service disruption or outage at the primary
site, determine the extent of the damage and activate the plan.
» Phase 2 - Recovery phase - to restore temporary IT operations at the secondary site.
» Phase 3 - Reconstitution phase - to restore processing capabilities and resume operations at the primary site.
» Identify the activities, resources, and procedures to carry out processing requirements during prolonged
interruptions.
» Assign responsibilities to designated personnel and provide guidance for recovery, during prolonged periods of
interruption.
» Ensure coordination with other personnel responsible for disaster recovery planning strategies. Ensure coordination
with external points of contact and vendors and execution of this plan.

Plan Testing
The Cloud Services Disaster Recovery Plan is tested, as a live exercise or a table-top test, on an annual basis. The
tests are used for training hosting personnel and are coordinated with personnel responsible for contingency planning
and execution. The tests verify that online backups can be recovered and the procedures for shifting a service to the
alternate processing site are adequate and effective. Results of the testing are used to improve the process and initiate
corrective actions.

Compliance
(Where Applicable to the Cloud Service(s) under Your Order)
Oracle Cloud Services operate under Policies which are aligned with the ISO/IEC 27002 Code of Practice for
information security controls, from which a set of controls are selected.

The Information Security Management System Family of Standards are a comprehensive reference for information
security management, data protection and risk management for organizations of all types and sizes.

The internal controls of selected Oracle Cloud Services are subject to periodic testing by independent third-party audit
organizations. Such audits may be based on the Statement on Standards for Attestation Engagements (SSAE) No.
16, Reporting on Controls at a Service Organization (“SSAE 16”), the International Standard on Assurance
Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization (“ISAE 3402”), or such
other third-party auditing standard or procedure applicable to the specific Oracle Cloud Service. Audit reports of Oracle
Cloud Services are periodically published by Oracle’s third-party auditors. Reports may not be available for all services
or at all times. Customer may request to receive a copy of the current published audit report available for a particular
Oracle Cloud Service.

23 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
The audit reports of Oracle Cloud Services, and the information they contain, are Oracle confidential information, and
must be handled by Customer accordingly. Such reports may be used solely by Customer to evaluate the design and
operating effectiveness of defined controls applicable to Oracle Cloud Services and are provided without any warranty.

Customer remains solely responsible for its regulatory compliance in its use of any Oracle Cloud Service. Customer
must make Oracle aware of any requirements that result from its regulatory obligations prior to contract signing. Some
Oracle Cloud services are audited to PCI DSS, HIPAA or FISMA/NIST standards and additional certifications and
attestations to specific regulatory frameworks for the Oracle Cloud Service may be available for specific Cloud
Services or additional fees. Unless otherwise specified in Customer’s ordering document (including in the Service
Specifications), Customer may not provide Oracle access to any content or information that imposes security or
regulatory obligations greater than those specified in the Service Specifications. However, where available for certain
Cloud Services, Oracle may offer for purchase by Cloud Customers additional services designed for the processing
of regulated data within the Services environment. Note that such additional services are not available for all Cloud
Services.

Oracle understands that some Customers may have regulatory audit requirements and Oracle will cooperate with
Customer as described in the Data Processing Agreement in those cases.

Compliance with Legal Requirements and the European Union Data Privacy Directive
Oracle complies with all applicable data protection laws to the extent that such laws by their terms impose obligations
directly on Oracle as a data processor in connection with the Cloud services specified in the ordering document.

Oracle may store the customer's contact information, such as names, phone numbers, and email addresses, in any
country where Oracle does business and may use such information internally and to communicate with the customer.

Your Content may be maintained in one of several data centers globally and accessed by Oracle’s personnel as
required for business purposes.

The customer is responsible for all aspects of the collection of Personal Data found in Your Content, including
determining and controlling the scope and purpose of collection. The customer is responsible for providing any notices
and obtaining any required consents (for example, from data subjects or regulatory bodies) related to the collection
and use of such Personal Data, including any such consents necessary for Oracle to provide the services. Oracle
does not and will not collect or use Personal Data from data subjects or communicate with data subjects about their
Personal Data.

Internal Audits
Oracle conducts internal security reviews, assessments, and audits to confirm compliance with Oracle information
security policies, procedures, and practices. Personnel who fail to comply with these security policies, procedures,
and practices may be subject to disciplinary action, up to and including termination.

Data Protection and Privacy

The Oracle Chief Privacy Officer and Legal Department, working in conjunction with Oracle security organizations,
develop and manage the implementation of and compliance with Oracle's data privacy policies. The Oracle GIS
organization develops and manages the implementation of and compliance with Oracle's information security policies.

24 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
During the use of Oracle Cloud Services, Oracle Cloud Customers maintain responsibility for their data residing in the
Services environments. Selected Cloud Services provide configurable information protection services.

Oracle’s Data Processing Agreement for Oracle Cloud Services (“Data Processing Agreement”) and the Oracle
Services Privacy Policy describe Oracle’s treatment of Personal Data that resides in Services environments to which
Oracle is provided access in connection with the provision of Cloud Services.

Risk Assessment
The Security and Risk Management teams execute internal risk assessments for Cloud Services on a periodic basis.
The risk assessment has been modeled on the National Institute of Standards and Technology (NIST) Special
Provision 800-30 guidelines and ISO 27005:2011 International Standard for Information Security Risk Management
control framework.

25 | ORACLE CLOUD SECURITY PRACTICES FOR SOFTWARE AS A SERVICE (SAAS) CLOUD SERVICES
 Oracle Corporation, World Headquarters Worldwide Inquiries
500 Oracle Parkway Phone: +1.650.506.7000
Redwood Shores, CA 94065, USA Fax: +1.650.506.7200

CONNECT W ITH US

blogs.oracle.com/oracle
Copyright © 2018, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the
contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other
facebook.com/oracle warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or
fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are
formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means,
twitter.com/oracle
electronic or mechanical, for any purpose, without our prior written permission.

oracle.com Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and
are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are
trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0116