
Consensus Assessment Initiative Questionnaire (CAIQ) for Oracle Fusion Cloud Applications
December, 2020 Version 1.01
Copyright 2020, Oracle and/or its affiliates

PURPOSE STATEMENT

Developed by the Cloud Security Alliance, the Cloud Assessment Initiative Questionnaire (CAIQ) provides a standard template for cloud services providers to accurately describe their security practices. The CAIQ format is largely based on the Cloud Controls Matrix (CCM), which lists a set of fundamental cloud controls. The use of CAIQs allows customers to review the security practices of their cloud services providers to determine the risks associated with the use of these services. Additional information about the CCM and CAIQ can be found on the Cloud Security Alliance site and downloaded at acts/.

The answers contained in this CAIQ version 3.1 are related to specific Oracle cloud services as listed in the “Oracle Cloud Services in Scope” section below.

The Oracle Corporate Security site provides additional information and is referenced in the CAIQ answers throughout this document. This site is available to the public: s/.

If you have specific questions about this document, please engage with your Oracle account representative.

DISCLAIMER

This document (including responses related to the specified Oracle services) is provided on an “AS IS” basis without warranty of any kind and is subject to change without notice at Oracle's discretion. You may use this document (including responses related to the specified Oracle services) for informational purposes only to assist in your internal evaluation of the specified Oracle services. This document does not create, nor form part of or modify, any agreement or contractual representation between you and Oracle, or the Oracle authorized reseller, as applicable. In the event you purchase Oracle services, the relevant contract(s) between you and Oracle, or the Oracle authorized reseller, as applicable, will determine the scope of services provided and the related governing terms and conditions.

Oracle and its licensors retain all ownership and intellectual property rights in and to this document and its contents, and you may not remove or modify any markings or any notices included herein of Oracle’s or its licensors’ proprietary rights.

It remains solely your obligation to determine whether the controls provided by the Oracle services meet your requirements. Please also note that any Yes/No responses, and any computed "In Place" indicators, must be read in the context of the supplied comments and qualifications, and, given the diversity and complexity of the services, will not be absolute or applicable in all instances. The explanation and/or supporting documentation comprise Oracle’s response and control regardless of the scoring or any Yes/No response. The responses provided in this document apply solely to the services specifically listed; other products or services may have different controls.

ORACLE CLOUD SERVICES IN SCOPE

This document applies to the following Oracle Fusion Cloud Applications delivered as a SaaS service deployed at Oracle data centers or third-party data centers retained by Oracle, with the exception of Oracle Cloud at Customer Services:

Enterprise Resource Planning: https://www.oracle.com/erp/ (Excluding Enterprise Performance Management (EPM))
Human Capital Management:
Supply Chain & Manufacturing: https://www.oracle.com/scm/ (Excluding Logistics, Blockchain and IOT)
Sales: https://www.oracle.com/cx/sales/ (Excluding Commerce, Configure-Price-Quote and Subscription Management)

Service and Marketing cloud services are also excluded from the scope of this document.

CAIQ for Oracle Fusion Cloud Applications December 2020 Version 1.01

TABLE OF CONTENTS

Purpose Statement ........................................................ 1
Disclaimer ............................................................... 1
Oracle Cloud Services in Scope ........................................... 1
Consensus Assessment Initiative Questionnaire (CAIQ) ..................... 3

CONSENSUS ASSESSMENT INITIATIVE QUESTIONNAIRE (CAIQ)

Control Domain: Application & Interface Security: Application Security

AIS-01.1: Do you use industry standards (i.e. OWASP Software Assurance Maturity Model, ISO 27034) to build in security for your Systems/Software Development Lifecycle (SDLC)?

Oracle Response: Encompassing every phase of the product development lifecycle, Oracle Software Security Assurance (OSSA) is Oracle’s methodology for building security into the design, build, testing, and maintenance of its products, whether they are used on premises by customers, or delivered through Oracle Cloud. Oracle’s goal is to ensure that Oracle’s products help customers meet their security requirements while providing for the most cost-effective ownership experience.

To ensure that Oracle products are developed with consistently high security assurance, and to help developers avoid common coding mistakes, Oracle employs formal secure coding standards.

For more information, see /assurance/

AIS-01.2: Do you use an automated source code analysis tool to detect security defects in code prior to production?

Oracle Response: Security testing of Oracle code includes both functional and non-functional activities for verification of product features and quality. Although these types of tests often target overlapping product features, they have orthogonal goals and are carried out by different teams. Functional and non-functional security tests complement each other to provide security coverage of Oracle products.

Static security analysis of source code is the initial line of defense used during the product development cycle. Oracle uses a static code analyzer from Fortify Software, an HP company, as well as a variety of internally developed tools, to catch problems while code is being written. Products developed in most modern programming languages (such as C/C++, Java, C#) and platforms (J2EE, .NET) are scanned to identify possible security issues.

For more information, see /assurance/development/analysis-testing.html

AIS-01.3: Do you use manual source-code analysis to detect security defects in code prior to production?

Oracle Response: Oracle developers use static and dynamic analysis tools to detect security defects in Oracle code prior to production. Identified issues are evaluated and addressed in order of priority and severity. Oracle management tracks metrics regarding issue identification and resolution.

For more information, see /assurance/development/analysis-testing.html

AIS-01.4: Do you verify that all of your software suppliers adhere to industry standards for Systems/Software Development Lifecycle (SDLC) security?

Oracle Response: Oracle Software Security Assurance (OSSA) policies require that third-party components (e.g., open source components used in the Oracle Clouds or distributed in traditional Oracle product distributions) be appropriately assessed for security purposes. Additionally, Oracle has formal policies and procedures which define requirements for managing the safety of its supply chain, including how Oracle selects third-party hardware and software that may be embedded in Oracle products, as well as how Oracle assesses third-party technology used in Oracle’s corporate and cloud environments.

For more information, see /corporate/supply-chain/

AIS-01.5: (SaaS only) Do you review your applications for security vulnerabilities and address any issues prior to deployment to production?

Oracle Response: Corporate Security Architecture manages a variety of programs and leverages multiple methods of engaging with leadership and operational security teams responsible for Oracle operations, services, cloud, and all other lines of business. An example program for managing the security of Oracle’s architecture is the Corporate Security Solution Assurance Process (CSSAP). CSSAP helps to accelerate the delivery of innovative cloud solutions and corporate applications by requiring appropriate reviews to be carried out throughout the project lifecycle, so that projects are aligned with:

- Pre-review: the risk management teams in each line of business must perform a pre-assessment of each project using the approved template
- CSSAP review: the security architecture team reviews the submitted plans and performs a technical security design review
- Security assessment review: based on risk level, systems and applications undergo security verification testing before production use

Control Domain: Application & Interface Security: Customer Access Requirements

AIS-02.1: Are all identified security, contractual, and regulatory requirements for customer access contractually addressed and remediated prior to granting customers access to data, assets, and information systems?

Oracle Response: See Oracle Cloud Hosting and Delivery Policies and Pillar documents to understand how Oracle will deliver Cloud Services.

Customer remains solely responsible for its regulatory compliance in its use of any Oracle Cloud services. Customer must make Oracle aware of any requirements that result from its regulatory obligations prior to contract signing.

AIS-02.2: Are all requirements and trust levels for customers’ access defined and documented?

Oracle Response: Customer remains solely responsible for its regulatory compliance in its use of any Oracle Cloud services. Customer must make Oracle aware of any requirements that result from its regulatory obligations prior to contract signing.

Control Domain: Application & Interface Security: Data Integrity

AIS-03.1: Do your data management policies and procedures require audits to verify data input and output integrity routines?

Oracle Response: Oracle Secure Coding Standards are a roadmap and guide for developers in their efforts to produce secure code. They discuss general security knowledge areas such as design principles, cryptography and communications security, common vulnerabilities, etc. The Standards provide specific guidance on topics such as data validation, CGI, user management, and more.

All Oracle developers must be familiar with these standards and apply them when designing and building products. The coding standards have been developed over a number of years and incorporate best practices as well as lessons learned from continued vulnerability testing by Oracle’s internal product assessment team.

For more information, see /assurance/development/

AIS-03.2: Are data input and output integrity routines (i.e. MD5/SHA checksums) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?

Oracle Response: Data input and output validation occurs on form fields to sanitize unsafe and unpermitted characters and commands. Data input and output validation requirements are documented in Oracle’s Secure Coding Standards. SaaS applications are tested throughout the application’s development phases to help ensure these validation techniques are applied.

For more information, see Oracle’s Secure Coding Standards: elopment/analysis-testing.html

Control Domain: Application & Interface Security: Data Security / Integrity

AIS-04.1: Is your Data Security Architecture designed using an industry standard (e.g., CDSA, MULTISAFE, CSA Trusted Cloud Architectural Standard, FedRAMP, CAESARS)?

Oracle Response: The Oracle corporate security architect helps set internal information-security technical direction and guides Oracle’s IT departments and lines of business towards deploying information security and identity management solutions that advance Oracle's Information Security goals. An example program for managing the security of Oracle’s architecture is the Corporate Security Solution Assurance Process (CSSAP). CSSAP is a security review process developed by Corporate Security Architecture, Global Information Security, Global Product Security, Oracle Global IT, and Oracle's IT organizations to provide comprehensive information-security management review. CSSAP helps to accelerate the delivery of innovative cloud solutions and corporate applications by requiring appropriate reviews to be carried out throughout the project lifecycle, so that projects are aligned with:

- Pre-review: the risk management teams in each line of business must perform a pre-assessment of each project using the approved template
- CSSAP review: the security architecture team reviews the submitted plans and performs a technical security design review
- Security assessment review: based on risk level, systems and applications undergo security verification testing before production use

Additional Comments for Control Domain above:

Control Domain: Audit Assurance & Compliance: Audit Planning

AAC-01.1: Do you develop and maintain an agreed upon audit plan (e.g., scope, objective, frequency, resources, etc.) for reviewing the efficiency and effectiveness of implemented security controls?

Oracle Response: Oracle Fusion Cloud Applications develop and maintain an agreed upon audit plan with SOC 2 auditors for reviewing the efficiency and effectiveness of implemented security controls.

AAC-01.2: Does your audit program take into account effectiveness of implementation of security operations?

Oracle Response: Oracle leverages third-party audits for SOC 2 reporting, which covers effectiveness of implementation of security operations.

Control Domain: Audit Assurance & Compliance: Independent Audits

AAC-02.1: Do you allow tenants to view your SOC2/ISO 27001 or similar third party audit or certification reports?

Oracle Response: Audit reports about Oracle Cloud Services are periodically published by Oracle’s third party auditors. Reports may not be available for all services or all audit types or at all times. Customer may request access to available audit reports for a particular Oracle Cloud service via Sales.

Customer remains solely responsible for its regulatory compliance in its use of any Oracle Cloud services. Customer must make Oracle aware of any requirements that result from its regulatory obligations prior to contract signing.

AAC-02.2: Do you conduct network penetration tests of your cloud service infrastructure at least annually?

Oracle Response: Oracle maintains teams of specialized security professionals for the purpose of assessing the security strength of the company’s infrastructure, products, and services. These teams perform various levels of complementary security testing:

Operational security scanning is performed as part of the normal systems administration of all Oracle’s systems and services. This kind of assessment largely leverages tools including commercial scanning tools as well as Oracle’s own products (such as Oracle Enterprise Manager). The purpose of operational security scanning is primarily to detect unauthorized and insecure security configurations.

Penetration testing is also routinely performed to check that systems have been set up in accordance with Oracle’s corporate standards and that these systems can withstand their operational threat environment and resist hostile scans that permeate the Internet. Penetration testing can take two forms:

Passive-penetration testing is performed using commercial scanning tools and manual steps. It is usually performed via the Internet and usually with the minimum of insider knowledge. Passive testing is used to confirm the presence of known types of vulnerabilities with sufficient confidence and accuracy to create a test case that can then be used by development or cloud operations to validate the presence of the reported issue. During passive penetration testing, no exploitation is performed on production environments, other than that minimally required to confirm the issue. For example, a SQL injection will not be exploited to exfiltrate data.

Active-penetration testing is more intrusive than passive-penetration testing and allows for the exploitation of discovered vulnerabilities. It is also broader in scope than passive penetration testing as the security teams are typically allowed to pivot from one system to another. Active penetration testing is closely controlled so as to avoid unintentional impacts on production systems.

AAC-02.3: Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance?

Oracle Response: Oracle requires that external facing systems and cloud services undergo penetration testing performed by independent security teams. Global Information Security’s Penetration Testing Team performs penetration tests and provides oversight to all lines of business in instances where other internal security teams or an approved third-party perform penetration testing activities. This oversight is designed to drive quality, accuracy, and consistency of penetration testing activities and their associated methodology. Oracle has formal penetration testing requirements which include test scope and environment definition, approved tools, findings classification, categories of exploits to attempt via automation and manual steps, and procedures for reporting results.

All penetration test results and reports are reviewed by Oracle’s corporate security teams to validate that an independent and thorough test has been performed. Before a line of business is allowed to bring a new system or cloud service into production, Oracle requires that the remediation of significant penetration test findings be completed.

Information about penetration tests of Oracle’s corporate systems and cloud services is Oracle Confidential and is not shared externally.

AAC-02.4: Do you conduct internal audits at least annually?

Oracle Response: Internal audits are performed annually to confirm compliance with security and operational procedures.

AAC-02.5: Do you conduct independent audits at least annually?

Oracle Response: Audit reports about Oracle Cloud Services are periodically published by Oracle’s third party auditors. Reports may not be available for all services or all audit types or at all times. Customer may request access to available audit reports for a particular Oracle Cloud service via Sales.

AAC-02.6: Are the results of the penetration tests available to tenants at their request?

Oracle Response: Third-party security assessment/penetration test summary reports are available to customers. Customers can request access to the reports for a particular Oracle Fusion Cloud service via available customer support tools or via Oracle Sales.

AAC-02.7: Are the results of internal and external audits available to tenants at their request?

Oracle Response: Audit reports about Oracle Cloud Services are periodically published by Oracle’s third party auditors. Reports may not be available for all services or all audit types or at all times. Customer may request access to available audit reports for a particular Oracle Cloud service via Sales.

Control Domain: Audit Assurance & Compliance: Information System Regulatory Mapping

AAC-03.1: Do you have a program in place that includes the ability to monitor changes to the regulatory requirements in relevant jurisdictions, adjust your security program for changes to legal requirements, and ensure compliance with relevant regulatory requirements?

Oracle Response: Oracle Legal closely monitors the global regulatory landscape to identify legislation applicable to Oracle, including regional and local teams monitoring changes in relevant jurisdictions. Oracle Legal partners with Corporate Security and other organizations to manage Oracle’s compliance to regulatory obligations across all lines of business. For more information, see https://www.oracle.com/legal/

In addition, Oracle Global Trade Compliance (GTC) is responsible for import and export oversight, guidance, and enforcement to enable worldwide trade compliant processes across Oracle. For more information, see nce.html

Customer remains solely responsible for its regulatory compliance in its use of any Oracle Cloud services. Customer must make Oracle aware of any requirements that result from its regulatory obligations prior to contract signing.

Additional Comments for Control Domain above:

Control Domain: Business Continuity Management & Operational Resilience: Business Continuity Planning

BCR-01.1: Does your organization have a plan or framework for business continuity management or disaster recovery management?

Oracle Response: The Risk Management Resiliency Program (RMRP) objective is to establish a business resiliency framework to help provide an efficient response to business interruption events affecting Oracle’s operations.

The RMRP approach is comprised of several sub-programs: Information Technology Disaster Recovery, initial emergency response to unplanned and emergent events, crisis management of serious incidents, and business-continuity management. The goal of the program is to minimize negative impacts to Oracle and maintain critical business processes until regular operating conditions are restored.

Each of these sub-programs is a uniquely diverse discipline. However, by consolidating emergency response, crisis management, business continuity, and disaster recovery, they can become a robust collaborative and communicative system.

Oracle’s RMRP is designed to engage multiple aspects of emergency management and business continuity from the onset of an event and to leverage them based on the needs of the situation. The RMRP is implemented and managed locally, regionally, and globally.

For more information, see /corporate/resilience-management/

BCR-01.2: Do you have more than one provider for each service you depend on?

Oracle Response: Oracle Cloud data centers align with Uptime Institute and Telecommunications Industry Association (TIA) ANSI/TIA-942-A Tier 3 or Tier 4 standards and follow an N+2 redundancy methodology for critical equipment operation. Data centers housing Oracle Cloud Infrastructure services use redundant power sources and maintain generator backups in case of widespread electrical outage. Server rooms are closely monitored for air temperature and humidity, and fire-suppression systems are in place. Data center staff are trained in incident response and escalation procedures to address security and availability events that may arise.

BCR-01.3: Do you provide a disaster recovery capability?

Oracle Response: Oracle Cloud Hosting and Delivery Policies describe the Oracle Cloud Service Continuity Policy, Oracle Cloud Services High Availability Strategy, Oracle Cloud Services Backup Strategy and Oracle Cloud Service Level Agreement. Service-specific Pillar documents provide additional information about specific cloud services:

BCR-01.4: Do you monitor service continuity with upstream providers in the event of provider failure?

Oracle Response: The Supplier Information and Physical Security Standards require that suppliers maintain Disaster Recovery and Business Continuity Plan (BCP) plans which encompass the scope of products and services provided to Oracle. Suppliers are required to test these plans at least annually and notify Oracle of any potential or realized business interruptions which impact services to Oracle.

For more information, see https://www.oracle.com/corporate/suppliers.html

BCR-01.5: Do you provide access to operational redundancy reports, including the services you rely on?

Oracle Response: The Risk Management Resiliency Program (RMRP) objective is to establish a business resiliency framework to help provide an efficient response to business-interruption events affecting Oracle’s operations. The RMRP is implemented and managed locally, regionally, and globally.

The RMRP program is comprised of four Risk Management functions:
1. Emergency Response, managed by Facilities Environment, Health and Safety Program
2. Crisis Management, managed by Global Physical Security
3. Business Continuity Management, managed by the corporate RMRP Program Management Office
4. Disaster Recovery, managed by Global Information Technology

Oracle’s Information Technology organization conducts an annual DR exercise designed to assess our DR plans. Lessons learned from the exercise are implemented into standard operations and DR procedures as deemed appropriate. These reports are Oracle Confidential.

BCR-01.6: Do you provide a tenant-triggered failover option?

Oracle Response: Oracle Cloud Hosting and Delivery Policies describe the Oracle Cloud Service Continuity Policy, Oracle Cloud Services High Availability Strategy, Oracle Cloud Services Backup Strategy and Oracle Cloud Service Level Agreement.

BCR-01.7: Do you share your business continuity and redundancy plans with your tenants?

Oracle Response: Oracle’s corporate Disaster Recovery (DR) plan focuses on the resiliency of computing infrastructure supporting Oracle’s internal operations. Oracle’s production data centers are geographically separated and have component and power redundancy, with backup generators in place for availability of data center resources in case of an impacting event. Oracle’s DR plan leverages this separation of data centers in conjunction with other recovery strategies to both protect against disruption and enable recovery of services. This plan is Oracle Confidential.

Oracle’s Information Technology organization conducts an annual DR exercise designed to assess our DR plans. Lessons learned from the exercise are implemented into standard operations and DR procedures as deemed appropriate.

Control Domain: Business Continuity Management & Operational Resilience: Business Continuity Testing

BCR-02.1: Are business continuity plans subject to testing at planned intervals or upon significant organizational or environmental changes to ensure continuing effectiveness?

Oracle Response: Functional business continuity planning is managed by the Risk Manager within each Line of Business (LoB). The critical LoBs are required to conduct an annual review of their business continuity plan with the objective of maintaining operational recovery capability, reflecting changes to the risk environment as well as new or revised business processes. The RMRP program requires that identified LoBs:

- Review and update a Risk Assessment
- Write a Business Impact Analysis that includes identification of interdependent resources and internal customers, and the determination of a Recovery Time Objective and Recovery Point Objective
- Define a business continuity strategy
- Review and update a Business Continuity Plan
- Train employees in Business Continuity Plan execution
- Conduct an exercise to test the efficacy of the plan within the LoB, as well as participate in a cross-functional annual exercise assessing the capability of multiple organizations to collaborate effectively in response to events
- Implement lessons learned for plan improvement
- Obtain approval attestation from the LoB’s Vice President Approver

In addition, all LoBs are required to:

- Identify relevant business interruption scenarios, including essential people, resources, facilities and technology
- Define a business continuity plan and procedures to effectively manage and respond to these risk scenarios, including emergency contact information
- Obtain approval from the LoB’s executive

Corporate business continuity policy, standards, and practices are governed by the RMRP Program Management Office (PMO) and are generally aligned with International Standards Organization (ISO) 22301 Business Continuity Management Systems guidance.

For more information about the centralized RMRP program and the risk management activities within geographies and lines of business, see ices/corporate/resilience-management/

Control Domain: Business Continuity Management & Operational Resilience: Power / Telecommunications

BCR-03.1: Does your organization adhere to any international or industry standards when it comes to securing, monitoring, maintaining and testing of datacenter utilities services and environmental conditions?

BCR-03.2: Has your organization implemented environmental controls, fail-over mechanisms or other redundancies to secure utility services and mitigate environmental conditions?

Oracle Response: Oracle data centers are designed to help protect the security and availability of customer data. This approach begins with Oracle’s site selection process. Candidate build sites and provider locations undergo an extensive risk evaluation by Oracle that considers environmental threats, power availability and stability, vendor reputation and history, neighboring facility functions (for example, high-risk manufacturing or high-threat targets), and geopolitical considerations among other criteria.

Control Domain: Business Continuity Management & Operational Resilience: Documentation

BCR-04.1: Are information system documents (e.g., administrator and user guides, architecture diagrams, etc.) made available to authorized personnel to ensure configuration, installation and operation of the information system?

Is physical dam