Oracle SaaS Compliance


Oracle has been engaging with external assessment entities and independent auditors to meet a broad set of international and industry-specific compliance standards for SaaS deployments in Oracle Cloud, such as ISO 27001, SOC 1, SOC 2, PCI DSS, HIPAA/HITECH, and FedRAMP. These add to its already impressive portfolio for Oracle Managed (closed or private) Cloud and on-premises SaaS deployments.

Global Compliance

ISO 27001:2013

ISO 27001:2013 is an international standard that covers the planning, implementation, monitoring, and improvement of an Information Security Management System. This widely adopted global security standard sets out requirements and best practices for a systematic approach to managing information based on periodic security risk assessments.

Oracle has achieved ISO/IEC 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS) used by current SaaS, PaaS, and OCI Classic services, in all datacenters where these services reside. Additionally, ISO 27017 has been included within the scope of our ISO/IEC 27001:2013 certification.

HMG Cloud Security Principles Assertion and Cyber Essentials Plus Certification

The UK National Cyber Security Centre (NCSC) was created to protect the UK internet and critical services from cyber attacks and to improve their security. The NCSC's 14 HMG Cloud Security Principles set out the requirements that cloud services should meet, including data-in-transit protection, supply chain security, identity and authentication, and secure use of the service.

Cyber Essentials is a UK government-backed model that identifies the technical security controls an organization needs within its IT systems to defend against common cyber threats. It can help demonstrate that an organization can identify and mitigate potential cyber risks, has adopted security controls to protect customer data, and meets the UK government requirements for bidding on UK government contracts. Cyber Essentials PLUS covers the same requirements as Cyber Essentials, but the tests of the systems are carried out by an authorized, external certifying body.

Oracle has obtained both the HMG Cloud Security Principles Assertion and Cyber Essentials Plus Certification for the following services:

Oracle SaaS
  • Enterprise Performance Management (EPM): Account Reconciliation
  • EPM: Dimension Management
  • EPM: Enterprise Performance Reporting
  • EPM: Enterprise Planning and Budgeting
  • EPM: Financial Consolidation and Close
  • EPM: Planning and Budgeting
  • EPM: Profitability and Cost
  • EPM: Tax Reporting
  • Fusion (HCM, CRM, ERP)
  • Service Cloud (OPA & RightNow CX)
  • Oracle Talent Acquisition Cloud (Taleo)

SOC 1 and SOC 2 Reports

SaaS services for Oracle Cloud have been evaluated using the American Institute of Certified Public Accountants (AICPA) Service Organization Controls (SOC) SOC 1 and SOC 2 standards for design and operational security. Oracle has obtained SOC 1 and SOC 2 reports for the following SaaS services:

Oracle SaaS
  • Enterprise Performance Management (EPM): Account Reconciliation
  • EPM: Enterprise Performance Reporting
  • EPM: Enterprise Planning and Budgeting
  • EPM: Financial Consolidation and Close
  • EPM: Planning and Budgeting
  • Oracle CPQ Cloud Service (BigMachines)
  • Oracle Cobrowse Cloud Service
  • Oracle Eloqua Content Marketing Cloud Service
  • Field Service Cloud Service (TOA)
  • Fusion (HCM, CRM, ERP)
  • Maxymiser
  • Responsys Marketing Platform
  • Service Cloud (OPA & RightNow CX)
  • Oracle Social Cloud
  • Oracle Talent Acquisition Cloud (Taleo)
  • Oracle Transportation Management Cloud Service
  • Oracle Warehouse Management Cloud Service (LogFire)

Healthcare

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is United States legislation that provides data privacy and security provisions for safeguarding Protected Health Information.

Oracle has successfully completed third-party HIPAA assessments for the following services:

Oracle SaaS
  • Fusion (HCM, CRM, ERP, SCM)
  • Service Cloud (OPA & RightNow CX)


US Public Sector

FedRAMP

The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standard approach to security assessment, authorization, and continuous monitoring for cloud products and services. U.S. Federal agencies are directed by the Office of Management and Budget (OMB) to leverage FedRAMP to verify that security is in place when accessing cloud products and services.

Oracle has achieved FedRAMP Moderate (baseline) Authorizations to Operate for the following services within the Oracle US Gov Cloud:

Oracle SaaS
  • Service Cloud (OPA & RightNow CX)
  • Oracle Talent Acquisition Cloud (Taleo)

Oracle has achieved FedRAMP High (baseline) Authorization to Operate for the following Oracle US Gov Cloud offering:

Oracle SaaS
  • Oracle Government Cloud – Common Controls

Oracle has achieved FedRAMP Ready Status for the following service:

Oracle SaaS
  • Fusion (HCM, CRM, ERP, SCM)

DISA SRG

The Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (CC SRG) outlines how the DoD will assess the security posture of non-DoD cloud service providers (CSPs) and how non-DoD CSPs can show they meet the security controls and requirements. These baseline cloud security requirements must be met before handling any DoD data.

All cloud computing is required to take place in the U.S., and the requirements are based on impact levels:

  • Impact Level 2 – data cleared for public release (note: Level 1 was combined with Level 2)
  • Impact Level 4 – controlled unclassified information (CUI) over NIPRNet. CUI includes protected health information (PHI), personally identifiable information (PII) and export-controlled data (note: Level 3 was combined with Level 4)
  • Impact Level 5 – higher-sensitivity CUI, mission-critical information, or NSS over NIPRNet
  • Impact Level 6 – classified data over SIPRNet

Oracle has achieved a DISA SRG Level 4 Accreditation for the following services within the Oracle DoD Cloud:

Oracle SaaS
  • Service Cloud (OPA & RightNow CX)

MARS-E, CJIS, IRS-1075, NIST 800-171, and FIPS 140-2

Oracle has obtained a third-party assessment of available service security controls against the technical requirements of the MARS-E, CJIS, IRS-1075, NIST 800-171, and FIPS 140-2 compliance frameworks. The assessments completed and the associated services are as follows:

Oracle SaaS
  • Fusion (HCM, CRM, ERP, SCM): CJIS, NIST 800-171, IRS-1075
  • Service Cloud (OPA & RightNow CX): all frameworks
  • Oracle Talent Acquisition Cloud (Taleo): NIST 800-171 & FIPS 140-2


Financial

PCI DSS 3.2

The Payment Card Industry Data Security Standard (PCI DSS) is a global set of security standards designed to encourage and enhance cardholder data security and to promote the adoption of consistent data security measures around the technical and operational components related to cardholder data.

Oracle has achieved a PCI DSS 3.2 Attestation of Compliance for the following service:

Oracle SaaS
  • Service Cloud (OPA & RightNow CX)
  • Oracle Commerce Cloud