This blog was written by contributing guest author Nancy Kramer, senior director in the Oracle Information Security organization, a key partner to SaaS Cloud Security.
Organizations seeking to manage supplier risk in cloud environments often find it beneficial to review the cloud provider’s third-party audits to security and privacy standards. These audits compare the conformance of a cloud provider's systems and operations to the set of requirements defined in a standard. Attestations, also known as audit reports or certifications, are the outcome of an audit to a standard, describing the level of conformance to the requirements.
Oracle recommends that customers seeking to evaluate Oracle Cloud Applications consider which standards and compliance frameworks are best aligned to their own security and privacy objectives. You can use Oracle Trust Center’s dashboard for Cloud Compliance to see a list of available attestations.
As many customers find System and Organization Controls (SOC) relevant to their needs, this post provides some context for the SOC compliance frameworks and answers frequently asked questions about Oracle’s attestations for these standards.
SOC standards are defined by the Association of International Certified Professional Accountants (AICPA) to evaluate system-level controls of a service organization or entity-level controls of other organizations. While several types of SOC assessments exist, the following examples are the most common:
Assessments to SOC standards can result in two types of reports. Type 1 reports focus on the suitability of the design of an organization’s controls to achieve the control objectives. Type 2 reports include the full type 1 report contents, and an opinion on the operating effectiveness of the controls to achieve the objectives, along with a description of the auditor’s tests of the controls and their associated test results.
SOC 2 reports are intended to meet the needs of a broad range of organizations which seek detailed information and third-party assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems used to provide the service. The assessment includes evaluating the confidentiality and privacy of the information processed by these systems.
Fusion SOC 1 assessments are quarterly, resulting in four SOC 1 reports each year. However, each SOC 1 assessment encompasses a rolling annual reporting period to cover the entire year, not just the previous quarter. Fusion SOC 2 reports currently follow an annual cycle from October to the following September. The attestations for these reports are generally available about two months after the end of each reporting period.
Customers can directly download attestations for Fusion Cloud applications. Many of Oracle’s cloud applications run on OCI, so you might also want to download OCI attestations from the Oracle Cloud Console. Alternatively, contact Sales to request third-party compliance attestations for Oracle Fusion Cloud.
SOC assessments evaluate evidence demonstrating how an organization’s controls have operated over a specified period. In other words, SOC assessors look backward and frame their observations of an organization’s conformance to the SOC standard’s requirements during a specific, already elapsed timeframe. As a result, after a SOC report is issued, some customers might perceive it to be outdated. For that reason, monthly bridge letters are issued to cover the periods of time between SOC report availability. These bridge letters essentially state that the vendor believes it is still meeting the controls observed in the most recent assessor’s report.
The blog post How to Read Cloud Service Attestations offers guidance for evaluating the adequacy, scope, and outcome of an audit, as represented in the cloud service’s attestation. You can also watch the webinar video How to Evaluate Cloud Service Attestations for a set of tips and areas to review.
Oracle recommends exploring the Trust Center, your one-stop shop for security, compliance, privacy, contracts, and cloud availability information. A tour video guides you through the sections of the site, including the following examples:
You can also get tips from the case study and checklist, How to Evaluate Cloud Providers, which was described in a previous webinar and blog series. The case study walks through each checklist step, offering helpful points to consider and Oracle resources to support your organization’s supplier management and procurement processes.
David is the Senior Vice President for the Oracle SaaS Cloud Security engineering and operations organization. Previously, David was the public Cloud Security Engineering Director in the Google Security and Privacy organization and his preceding 18 years were spent with Microsoft in numerous security cloud, product and engineering leadership roles. David holds a B.S. in Computer Information Systems as well as an MBA with a Management Information Systems concentration and is a longtime advocate of security application and technology stemming back to his US military service.
Nancy Kramer has over 20 years of experience managing risk, security, privacy, audit and compliance for complex business processes and computing environments. Nancy advises Legal and other teams making decisions about information security policy, customer commitments and obligation management. She also manages programs which seek to educate personnel and customers about Oracle's security and compliance posture in the Oracle Trust Center (oracle.com/trust). She offers actionable guidance to customers in blogs and webinars.