Organizations increasingly rely on cloud services in support of their essential business processes and for their technology infrastructure. Using cloud services enables organizations to leverage economies of scale, adopt the latest technology and enable their employees to focus on delivering value to their customers. Reliance on cloud services for daily operations can place cloud providers among an organization’s most important suppliers. This blog post will focus on one aspect of cloud supplier management: using existing compliance framework attestations to efficiently and effectively evaluate the security and privacy practices of cloud services. Focusing on the right compliance frameworks can reduce purchasing challenges. Relying on third-party assessments from accredited independent auditors can not only accelerate your procurement of cloud services but also help you better manage supplier risk and reduce cloud services procurement costs.

What Are Compliance Frameworks?

In the context of this blog post, compliance framework refers to a set of information security and/or data privacy requirements to which a company’s operations, products and/or services are assessed. Typically, an accredited external auditor evaluates conformance to the control requirements using evidence provided by the company being assessed.

Oracle provides information about frameworks for which an Oracle line of business has achieved a third-party attestation or certification for one or more of its services in the form of “attestations.” These attestations can assist in your compliance and reporting, providing independent assessment of the security, privacy and compliance controls of the applicable Oracle cloud services. In reviewing these third-party attestations, it’s important to consider that attestations are generally specific to a set of cloud services and data centers.

Types of Compliance Frameworks

Some compliance frameworks apply broadly across a variety of organizations and industries, while others are specific to a type of product or service or to an industry, or apply only when handling particular categories of sensitive data (financial, health, personal information, etc.). Certain regulations require demonstrated conformity to compliance frameworks. Cloud service suppliers also elect to conduct assessments against additional compliance frameworks to demonstrate trustworthiness to their customers.

Another way to categorize compliance frameworks is the source or organization issuing the set of requirements:

  • Governments and regulatory authorities issue compliance frameworks such as these examples:
    • US: National Institute of Standards and Technology (NIST) Special Publications 800-53 series
    • UK: National Cyber Security Centre (NCSC) Cyber Essentials
    • EU: Cloud Code of Conduct (CoC)
  • Global organizations issue compliance frameworks such as these examples:
    • ISO: 27001 Information security management systems standard
    • CSA: Cloud Controls Matrix (CCM)
    • PCI SSC: Payment Card Industry Data Security Standards (PCI DSS)
  • Commercial entities also issue proprietary compliance frameworks.

Advantages of Government & Global Compliance Frameworks

When determining how your organization will evaluate cloud service suppliers, consider the many benefits of using compliance frameworks issued by governments and global organizations. These sets of information security and privacy controls are defined objectively and are developed with input from varied contributors representing both the supplier and purchaser perspectives. It is also typical that definitions are provided for important terms, enabling a more consistent interpretation of the requirements. This facilitates a fair comparison of competitors and offers a “level playing field”.

Attestations to these compliance frameworks are more readily available, making them a practical and efficient method of cloud service evaluation. It’s common for cloud services to be regularly assessed against popular information security frameworks such as ISO 27001 and SOC 2, so there’s no delay in obtaining attestations from independent third-party auditors.

Accreditation of auditors is a third advantage of government and industry compliance frameworks. To be eligible to conduct assessments against these compliance frameworks, auditors must complete rigorous training, periodic testing, ongoing education, and audit quality evaluations. Auditors are also required to uphold consistent accuracy and fairness standards and to operate within codes of conduct.

Recommendations for Evaluating Oracle Cloud Service Compliance

Oracle offers the following resources and recommendations for organizations purchasing cloud services:

  1. Watch the “How to Evaluate Cloud Services” case study webinar on Oracle Cloud Customer Connect.
  2. Use the checklist in that webinar.
  3. Review Oracle’s Trust Center, including the Cloud Compliance site and Corporate Security Practices.
  4. Prioritize compliance frameworks from governments and industry organizations when evaluating suppliers, instead of relying on commercial/proprietary frameworks.
  5. Get Oracle cloud service attestations for various compliance frameworks by contacting Sales.

Cloud Provider Evaluation Checklist

Compliance isn’t the only consideration when choosing cloud services. To help organizations evaluate cloud services against their functional, financial, security and privacy requirements, Oracle recommends a 5-step checklist. This checklist is described in the “How to Evaluate Cloud Services” case study webinar about a global financial services company.

Keep watching this blog for a future series of posts diving into this 5-step checklist and the case study.