2. ISO & IEC
The International Organization for Standardization (ISO), founded on 23 February 1947, is headquartered in Geneva, Switzerland.
It has 162 member countries, of which India is one; each member country is represented by the national body considered its most representative standards body, and that body has voting rights.
ISO has formed joint committees with the International Electrotechnical Commission (IEC), founded on 26 June 1906 and headquartered in London, UK, which has 82 members and develops standards and terminology in the areas of electrical, electronic and related technologies.
3. ISO/IEC 27001:2005
Its full name is "Information technology – Security techniques – Information security management systems – Requirements". The standard requires an organization to:
Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
4. ISO/IEC 27001:2005 Domains
Asset Management: software assets (applications, software code, development tools, operational software) and information assets (database information, legal documentation, manuals, policies and procedures, organizational documents). Also consider assets shared by the client (client-related documents, hardware, software). Each asset has a designated owner, who defines the scope of the policy (which parts of the organization are covered under the policy), responsibility (who is ultimately responsible for the policy), compliance (whether compliance is mandatory or not, and what guidelines to follow), waiver criteria (on what basis someone can ask for a waiver) and effective date (from when to when the policy is applicable).
5. Access Control:
Access control is the selective restriction of access to a place or other resource. The typical organizational objectives of the access control policy are to:
establish a procedure for user registration and de-registration;
establish a procedure to grant the correct level of access privilege;
establish a procedure to control password use, password change and password removal;
establish a procedure for management's review of access rights;
establish a procedure for unattended equipment;
maintain a clear desk policy;
establish a procedure to control network service access;
establish a control method for authentication of remote users;
establish a procedure for configuration of ports;
establish a procedure to segregate networks;
establish a procedure to use precise routing controls;
establish a procedure to control system utilities; and
establish a procedure to secure communications over mobile computing devices.
6. Network Security, Operating System &
Application Control
The primary objectives of a network security policy should be to ensure that access to the company's network is only provided to authorized users, that adequate controls are in place to manage remote users, that all equipment can be recognized uniquely, that networks are segregated based on needs, and that appropriate network routing protocols are enabled.
Appropriate authentication mechanisms for remote users.
Allocation of network access rights based on business and security requirements.
Two-factor authentication used for authenticating users on mobile/remote systems.
All users in the organization shall have a unique ID.
No system or application details shall be displayed before log-in.
In the case of a log-in failure, the error message shall not indicate which part of the credential is incorrect.
The number of unsuccessful log-in attempts shall be limited to 3/5/6 attempts.
During the log-in process, all password entries shall be hidden by a symbol.
All operating systems and applications shall time out due to inactivity after 5/10/15/30 minutes.
All applications shall have dedicated administrative menus to control the access rights of users.
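The log-in and session requirements listed above are concrete enough to implement directly. The following is an added example written for this page (it is not code from the slides, from ISO, or from Oracle); it assumes an in-memory user store, PBKDF2 password hashing, a lockout threshold of 5 attempts and an inactivity timeout of 15 minutes, both picked from the ranges the slide allows. It shows a generic failure message that does not reveal whether the ID or the password was wrong, a pre-login banner with no system details, unique-ID enforcement, lockout after the configured number of failures, an administrative unlock, and session expiry on inactivity.

```python
"""Login and session controls modelled on the ISO/IEC 27001 objectives above.

Constructed example: the user store, PBKDF2 parameters, lockout threshold and
timeout are assumptions, not values taken from the standard or from Oracle.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5        # slide allows 3/5/6; 5 is assumed here
INACTIVITY_TIMEOUT_MIN = 15    # slide allows 5/10/15/30; 15 is assumed here
GENERIC_FAILURE = "Login failed."   # never says which part of the credential was wrong
PRE_LOGIN_BANNER = "Authorized users only."  # no product, version or host details


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count is an assumption for the example
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class Session:
    user_id: str
    last_activity: float


class AuthService:
    """Enforces unique IDs, generic errors, lockout and inactivity timeout."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so the timeout can be tested
        self._accounts: dict[str, Account] = {}
        self._sessions: dict[str, Session] = {}

    def pre_login_banner(self) -> str:
        return PRE_LOGIN_BANNER

    def register(self, user_id: str, password: str) -> None:
        # "All users shall have a unique ID": reject duplicates outright
        if user_id in self._accounts:
            raise ValueError("user ID must be unique")
        salt = os.urandom(16)
        self._accounts[user_id] = Account(user_id, salt, _hash_password(password, salt))

    def login(self, user_id: str, password: str):
        """Return (session_token, message); token is None on failure."""
        acct = self._accounts.get(user_id)
        if acct is None or acct.locked:
            # Unknown ID and locked account get the same message as a bad password
            return None, GENERIC_FAILURE
        if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
            return None, GENERIC_FAILURE
        acct.failed_attempts = 0
        token = os.urandom(16).hex()
        self._sessions[token] = Session(user_id, self._now())
        return token, "OK"

    def authorize(self, token: str):
        """Return the user ID for a live session, or None if expired/unknown."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if self._now() - sess.last_activity > INACTIVITY_TIMEOUT_MIN * 60:
            del self._sessions[token]   # inactivity timeout: session is discarded
            return None
        sess.last_activity = self._now()
        return sess.user_id

    def is_locked(self, user_id: str) -> bool:
        return self._accounts[user_id].locked

    def admin_unlock(self, user_id: str) -> None:
        # The "dedicated administrative menu" action: reset counter and lock
        acct = self._accounts[user_id]
        acct.failed_attempts = 0
        acct.locked = False
```

The clock is injected so that the timeout branch can be exercised without waiting; in a real deployment the lockout state and sessions would live in a shared store rather than in process memory, and the administrative unlock would itself be behind an access-controlled interface.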
7. Implementation
Oracle's security policies and procedures are reviewed and overseen by
Oracle Global Information Security (GIS). GIS is responsible for security
oversight, compliance and enforcement, and for conducting information
security assessments and leading the development of information security
policy and strategy.
Oracle is also committed to reducing risks of human error, theft, fraud, and
misuse of Oracle facilities. Oracle's efforts include making personnel aware
of security policies and training employees to implement security policies.
Oracle employees are required to maintain the confidentiality of services
data. Employees' obligations include written confidentiality agreements,
regular training on information protection, and compliance with company
policies concerning protection of confidential information.
Oracle promptly evaluates and responds to incidents that create suspicions
of unauthorized handling of services data. Oracle GIS and Legal are
informed of such incidents and, depending on the nature of the activity,
define escalation paths and response teams to address the incidents.
8. TRUSTe Certification
Oracle has received TRUSTe's Privacy Seal
signifying that this privacy policy and practices have
been reviewed for compliance with the TRUSTe
program that is viewable on the validation page
available by clicking the TRUSTe seal. The TRUSTed
Data Collection certification only applies to the
Services Privacy Policy. It does not cover personal
information that may be collected through software
downloaded from the Oracle.com websites or Oracle
publications. Other Oracle products and services are
covered by other TRUSTe certifications.