
ORACLE CLOUD
Cloud Operations ISO27001 Statement of Applicability
April 2019

Disclaimer

The following is intended to outline our general product direction. It is intended for information purposes only and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

CONFIDENTIAL – ORACLE RESTRICTED

Table of Contents

Purpose
Scope
Information Security Controls for 27001
Additional Controls for ISO27017 based on ISO27002 Information Security Controls
Cloud Service Extended Control Set for ISO27017
Additional Controls for ISO27018 based on ISO27002 Information Security Controls
Cloud Service Extended Control Set for ISO27018

Purpose

The Statement of Applicability is the central document that defines how Oracle Cloud implements information security controls. It is the main link between the risk assessment and treatment process and the implementation of information security: its purpose is to define which of the 114 controls (security measures) suggested in ISO27001 are applicable to the Information Security Management System (ISMS). It also details the control sets from ISO27017 and ISO27018, both of which have been incorporated into the ISMS.

Scope

The locations included within the ISO27001 certification scope are:

Location            Function
Bangalore           Oracle Cloud Service Center
Bozeman             Oracle Cloud Service Center
Thames Valley Park  Oracle Cloud Service Center

Operational Areas Incorporated into the Information Security Management System:
Cloud Security
Cloud Compliance
Oracle Cloud Service Center
Cloud Service Operations

Codes of Practice Incorporated into the Information Security Management System:
ISO/IEC 27002:2017
ISO/IEC 27017:2015
ISO/IEC 27018:2014

OCI-C Services supported by the ISMS:
Human Capital Management (HCM) Cloud
HCM Cloud Suite
Talent Acquisition Cloud
Talent Management Cloud
Human Capital Management
Payroll and Benefits
Learning Cloud
Enterprise Resource Planning (ERP) Cloud
Customer Experience (CX) Cloud
Marketing Cloud
Supply Chain Management (SCM) Cloud
Sales and Service Cloud
Supply Chain Planning (SCP) Cloud Software
Manufacturing Cloud Service
Configure, Price, Quote (CPQ)
Commerce Cloud
Supply Chain Collaboration Cloud Service
Logistics Cloud
Financial Close
Order Management
Global …
Product Lifecycle Management (PLM) Cloud Software
Oracle Transportation Management
Oracle Field Service Cloud
Inventory Management Cloud
Procurement Cloud

OCI Services for Fusion and its components supported by the ISMS:
Human Capital Management (HCM) Cloud
Talent Acquisition Cloud
Talent Management Cloud
Human Capital Management
Payroll and Benefits
Enterprise Resource Planning (ERP) Cloud
Customer Experience (CX) Cloud
Sales and Service Cloud
Enterprise Performance Management (EPM) Cloud
Connected Planning
Supply Chain Management (SCM) Cloud
Supply Chain Planning (SCP) Cloud
Product Lifecycle Management (PLM) Cloud Software
Supply Chain Collaboration Cloud Service

Information Security Controls for 27001

Control   Information Security Control                                           In Scope
A.5       Information Security Policy
A.5.1     Management direction for information security
A.5.1.1   Policies for information security                                      Yes
A.5.1.2   Review of the policies for information security                        Yes
A.6       Organization of information security
A.6.1     Internal Organization
A.6.1.1   Information security roles and responsibilities                        Yes
A.6.1.2   Segregation of duties                                                  Yes
A.6.1.3   Contact with authorities                                               Yes
A.6.1.4   Contact with special interest groups                                   Yes
A.6.1.5   Information security in project management                             Yes
A.6.2     Mobile devices and teleworking
A.6.2.1   Mobile device policy                                                   Yes
A.6.2.2   Teleworking                                                            Yes
A.7       Human Resource Security
A.7.1     Prior to employment
A.7.1.1   Screening                                                              Yes
A.7.1.2   Terms and conditions of employment                                     Yes
A.7.2     During employment
A.7.2.1   Management responsibilities                                            Yes
A.7.2.2   Information security awareness, education and training                 Yes
A.7.2.3   Disciplinary process                                                   Yes
A.7.3     Termination and change of employment
A.7.3.1   Termination or change of employment responsibilities                   Yes
A.8       Asset management
A.8.1     Responsibility for assets
A.8.1.1   Inventory of assets                                                    Yes
A.8.1.2   Ownership of assets                                                    Yes
A.8.1.3   Acceptable use of assets                                               Yes
A.8.1.4   Return of assets                                                       Yes
A.8.2     Information classification
A.8.2.1   Classification of information                                          Yes
A.8.2.2   Labelling of information                                               Yes
A.8.2.3   Handling of assets                                                     Yes
A.8.3     Media handling
A.8.3.1   Management of removable media                                          Yes
A.8.3.2   Disposal of media                                                      Yes
A.8.3.3   Physical media transfer                                                Yes
A.9       Access control
A.9.1     Business requirements of access control
A.9.1.1   Access control policy                                                  Yes
A.9.1.2   Access to networks and network services                                Yes
A.9.2     User access management
A.9.2.1   User registration and de-registration                                  Yes
A.9.2.2   User access provisioning                                               Yes
A.9.2.3   Management of privileged access rights                                 Yes
A.9.2.4   Management of secret authentication information of users               Yes
A.9.2.5   Review of user access rights                                           Yes
A.9.2.6   Removal or adjustment of access rights                                 Yes
A.9.3     User responsibilities
A.9.3.1   Use of secret authentication information                               Yes
A.9.4     System and application access control
A.9.4.1   Information access restriction                                         Yes
A.9.4.2   Secure log-on procedures                                               Yes
A.9.4.3   Password management system                                             Yes
A.9.4.4   Use of privileged utility programs                                     Yes
A.9.4.5   Access control to program source code                                  No
A.10      Cryptography
A.10.1    Cryptography controls
A.10.1.1  Policy on the use of cryptographic controls                            Yes
A.10.1.2  Key management                                                         Yes
A.11      Physical and environmental security
A.11.1    Secure areas
A.11.1.1  Physical security perimeter                                            Yes
A.11.1.2  Physical entry controls                                                Yes
A.11.1.3  Securing offices, rooms and facilities                                 Yes
A.11.1.4  Protecting against external and environmental threats                  Yes
A.11.1.5  Working in secure areas                                                Yes
A.11.1.6  Delivery and loading areas                                             Yes
A.11.2    Equipment security
A.11.2.1  Equipment siting and protection                                        Yes
A.11.2.2  Supporting utilities                                                   Yes
A.11.2.3  Cabling security                                                       Yes
A.11.2.4  Equipment maintenance                                                  Yes
A.11.2.5  Removal of assets                                                      Yes
A.11.2.6  Security of equipment and assets off-premises                          Yes
A.11.2.7  Secure disposal or reuse of equipment                                  Yes
A.11.2.8  Unattended user equipment                                              Yes
A.11.2.9  Clear desk and clear screen policy                                     Yes
A.12      Operations security
A.12.1    Operational procedures and responsibilities
A.12.1.1  Documented operating procedures                                        Yes
A.12.1.2  Change management                                                      Yes
A.12.1.3  Capacity management                                                    Yes
A.12.1.4  Separation of development, testing and operating environments          Yes
A.12.2    Protection from malware
A.12.2.1  Controls against malware                                               Yes
A.12.3    Backup
A.12.3.1  Information backup                                                     Yes
A.12.4    Logging and monitoring
A.12.4.1  Event logging                                                          Yes
A.12.4.2  Protection of log information                                          Yes
A.12.4.3  Administrator and operator logs                                        Yes
A.12.4.4  Clock synchronization                                                  Yes
A.12.5    Control of operational software
A.12.5.1  Installation of software on operational systems                        Yes
A.12.6    Technical vulnerability management
A.12.6.1  Management of technical vulnerabilities                                Yes
A.12.6.2  Restrictions on software installation                                  Yes
A.12.7    Information systems audit considerations
A.12.7.1  Information systems audit controls                                     Yes
A.13      Communications security
A.13.1    Network security management
A.13.1.1  Network controls                                                       Yes
A.13.1.2  Security of network services                                           Yes
A.13.1.3  Segregation in networks                                                Yes
A.13.2    Information transfer
A.13.2.1  Information transfer policies and procedures                           Yes
A.13.2.2  Agreements on information transfer                                     Yes
A.13.2.3  Electronic messaging                                                   Yes
A.13.2.4  Confidentiality or non-disclosure agreements                           Yes
A.14      System acquisition, development and maintenance
A.14.1    Security requirements of information systems
A.14.1.1  Information security requirements analysis and specification           No
A.14.1.2  Securing application services on public networks                       No
A.14.1.3  Protecting application service transactions                            No
A.14.2    Security in development and support processes
A.14.2.1  Secure development policy                                              No
A.14.2.2  System change control procedures                                       No
A.14.2.3  Technical review of applications after operating platform changes      No
A.14.2.4  Restrictions on changes to software packages                           No
A.14.2.5  Secure system engineering principles                                   No
A.14.2.6  Secure development environment                                         No
A.14.2.7  Outsourced development                                                 No
A.14.2.8  System security testing                                                No
A.14.2.9  System acceptance testing                                              No
A.14.3    Test data
A.14.3.1  Protection of test data                                                No
A.15      Supplier relations
A.15.1    Information security in supplier relationships
A.15.1.1  Information security policy for supplier relationships                 Yes
A.15.1.2  Addressing security within supplier agreements                         Yes
A.15.1.3  ICT supply chain                                                       Yes
A.15.2    Supplier service delivery management
A.15.2.1  Monitoring and review of supplier services                             Yes
A.15.2.2  Managing changes to supplier services                                  Yes
A.16      Information security incident management
A.16.1    Management of information security incidents and improvements
A.16.1.1  Responsibilities and procedures                                        Yes
A.16.1.2  Reporting information security events                                  Yes
A.16.1.3  Reporting information security weaknesses                              Yes
A.16.1.4  Assessment of and decision on information security events              Yes
A.16.1.5  Response to information security incidents                             Yes
A.16.1.6  Learning from information security incidents                           Yes
A.16.1.7  Collection of evidence                                                 Yes
A.17      Information security aspects of business continuity management
A.17.1    Information security continuity
A.17.1.1  Planning information security continuity                               Yes
A.17.1.2  Implementing information security continuity                           Yes
A.17.1.3  Verify, review and evaluate information security continuity            Yes
A.17.2    Redundancies
A.17.2.1  Availability of information processing facilities                      Yes
A.18      Compliance
A.18.1    Compliance with legal and contractual requirements
A.18.1.1  Identification of applicable legislation and contractual requirements  Yes
A.18.1.2  Intellectual property rights                                           Yes
A.18.1.3  Protection of records                                                  Yes
A.18.1.4  Privacy and protection of personally identifiable information          Yes
A.18.1.5  Regulation of cryptographic controls                                   Yes
A.18.2    Information security reviews
A.18.2.1  Independent review of information security                             Yes
A.18.2.2  Compliance with security policies and standards                        Yes
A.18.2.3  Technical compliance review                                            Yes

Additional Controls for ISO27017 based on ISO27002 Information Security Controls

Control   Information Security Control                                           In Scope
A.5       Information Security Policy
A.5.1     Management direction for information security
A.5.1.1   Policies for information security                                      Yes
A.6       Organization of information security
A.6.1     Internal Organization
A.6.1.1   Information security roles and responsibilities                        Yes
A.6.1.3   Contact with authorities                                               Yes
A.7       Human Resource Security
A.7.2     During employment
A.7.2.2   Information security awareness, education and training                 Yes
A.8       Asset management
A.8.1     Responsibility for assets
A.8.1.1   Inventory of assets                                                    Yes
A.8.2     Information classification
A.8.2.2   Labelling of information                                               Yes
A.9       Access control
A.9.2     User access management
A.9.2.1   User registration and de-registration                                  Yes
A.9.2.2   User access provisioning                                               Yes
A.9.2.3   Management of privileged access rights                                 Yes
A.9.2.4   Management of secret authentication information of users               Yes
A.9.4     System and application access control
A.9.4.1   Information access restriction                                         Yes
A.9.4.4   Use of privileged utility programs                                     Yes
A.10      Cryptography
A.10.1    Cryptography controls
A.10.1.1  Policy on the use of cryptographic controls                            Yes
A.11      Physical and environmental security
A.11.2    Equipment security
A.11.2.7  Secure disposal or reuse of equipment                                  Yes
A.12      Operations security
A.12.1    Operational procedures and responsibilities
A.12.1.2  Change management                                                      Yes
A.12.1.3  Capacity management                                                    Yes
A.12.3    Backup
A.12.3.1  Information backup                                                     Yes
A.12.4    Logging and monitoring
A.12.4.1  Event logging                                                          Yes
A.12.4.4  Clock synchronization                                                  Yes
A.12.6    Technical vulnerability management
A.12.6.1  Management of technical vulnerabilities                                Yes
A.13      Communications security
A.13.1    Network security management
A.13.1.3  Segregation in networks                                                Yes
A.14      System acquisition, development and maintenance
A.14.1    Security requirements of information systems
A.14.1.1  Information security requirements analysis and specification           No
A.14.2    Security in development and support processes
A.14.2.1  Secure development policy                                              No
A.14.2.5  Secure system engineering principles                                   No
A.14.2.6  Secure development environment                                         No
A.14.2.7  Outsourced development                                                 No
A.14.2.9  System acceptance testing                                              No
A.15      Supplier relations
A.15.1    Information security in supplier relationships
A.15.1.2  Addressing security within supplier agreements                         Yes
A.15.1.3  ICT supply chain                                                       Yes
A.16      Information security incident management
A.16.1    Management of information security incidents and improvements
A.16.1.1  Responsibilities and procedures                                        Yes
A.16.1.2  Reporting information security events                                  Yes
A.16.1.7  Collection of evidence                                                 Yes
A.18      Compliance
A.18.1    Compliance with legal and contractual requirements
A.18.1.1  Identification of applicable legislation and contractual requirements  Yes
A.18.1.2  Intellectual property rights                                           Yes
A.18.1.3  Protection of records                                                  Yes
A.18.1.5  Regulation of cryptographic controls                                   Yes
A.18.2    Information security reviews
A.18.2.1  Independent review of information security                             Yes

Cloud Service Extended Control Set for ISO27017

Control     Information Security Control                                              In Scope
CLD.6.3     Relationship between cloud service customer and cloud service provider
CLD.6.3.1   Shared roles and responsibilities within a cloud computing environment    Yes
CLD.8.1     Responsibility for assets
CLD.8.1.5   Removal of cloud service customer assets                                  Yes
CLD.9.5     Access control of cloud service customer data in shared virtual environment
CLD.9.5.1   Segregation in virtual computing environments                             Yes
CLD.9.5.2   Virtual machine hardening                                                 Yes
CLD.12.1    Operational procedures and responsibilities
CLD.12.1.5  Administrator's operational security                                      Yes
CLD.12.4    Logging and monitoring
CLD.12.4.5  Monitoring of Cloud Services                                              Yes
CLD.13.1    Network security management
CLD.13.1.4  Alignment of security management for virtual and physical networks        Yes

Additional Controls for ISO27018 based on ISO27002 Information Security Controls

Control   Information Security Control                                           In Scope
A.5       Information Security Policy
A.5.1     Management direction for information security
A.5.1.1   Policies for information security                                      Yes
A.6       Organization of information security
A.6.1     Internal Organization
A.6.1.1   Information security roles and responsibilities                        Yes
A.7       Human Resource Security
A.7.2     During employment
A.7.2.2   Information security awareness, education and training                 Yes
A.9       Access control
A.9.2     User access management
A.9.2.1   User registration and de-registration                                  Yes
A.9.4     System and application access control
A.9.4.2   Secure log-on procedures                                               Yes
A.10      Cryptography
A.10.1    Cryptography controls
A.10.1.1  Policy on the use of cryptographic controls                            Yes
A.11      Physical and environmental security
A.11.2    Equipment security
A.11.2.7  Secure disposal or reuse of equipment                                  Yes
A.12      Operations security
A.12.1    Operational procedures and responsibilities
A.12.1.4  Separation of development, testing and operating environments          Yes
A.12.3    Backup
A.12.3.1  Information backup                                                     Yes
A.12.4    Logging and monitoring
A.12.4.1  Event logging                                                          Yes
A.12.4.2  Protection of log information                                          Yes
A.12.6    Technical vulnerability management
A.13      Communications security
A.13.2    Information transfer
A.13.2.1  Information transfer policies and procedures                           Yes
A.16      Information security incident management
A.16.1    Management of information security incidents and improvements
A.16.1.1  Responsibilities and procedures                                        Yes
A.18      Compliance
A.18.2    Information security reviews
A.18.2.1  Independent review of information security                             Yes

Cloud Service Extended Control Set for ISO27018

Control   Information Security Control                                           In Scope
A.1       Consent and choice
A.1.1     Obligation to co-operate regarding PII principals' rights              Yes
A.2       Purpose legitimacy and specification
A.2.1     Public cloud PII processor's purpose                                   Yes
A.2.2     Public cloud PII processor's commercial use                            Yes
A.3       Collection limitation
A.4       Data minimization
A.4.1     Secure erasure of temporary files                                      Yes
A.5       Use, retention and disclosure limitation
A.5.1     PII disclosure notification                                            Yes
A.5.2     Recording of PII disclosures                                           Yes
A.6       Accuracy and quality
A.7       Openness, transparency and notice
A.7.1     Disclosure of sub-contracted PII processing                            Yes
A.8       Individual participation and access
A.9       Accountability
A.9.1     Notification of a data breach involving PII                            Yes
A.9.2     Retention period for administrative security policies and guidelines   Yes
A.9.3     PII return, transfer and disposal                                      Yes
A.10      Information security
A.10.1    Confidentiality or non-disclosure agreements                           Yes
A.10.2    Restriction of the creation of hardcopy material                       Yes
A.10.3    Control and logging of data restoration                                Yes
A.10.4    Protecting data on storage media leaving the premises                  Yes
A.10.5    Use of unencrypted portable storage media and devices                  Yes
A.10.6    Encryption of PII transmitted over public data-transmission networks   Yes
A.10.7    Secure disposal of hardcopy materials                                  Yes
A.10.8    Unique use of user IDs                                                 Yes
A.10.9    Records of authorized users                                            Yes
A.10.10   User ID management                                                     Yes
A.10.11   Contract measures                                                      Yes
A.10.12   Sub-contracted PII processing                                          Yes
A.10.13   Access to data on pre-used storage space                               Yes
A.11      Privacy compliance
A.11.1    Geographical location of PII                                           Yes
A.11.2    Intended destination of PII                                            Yes

Oracle Corporation, World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065, USA

Worldwide Inquiries
Phone: 1.650.506.7000
Fax: 1.650.506.7200
oracle.com

Copyright 2019, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Cloud Operations ISO27001 Statement of Applicability
April 2019
Author: Cloud Compliance
