Compliance & security requirements for Oracle ERP Cloud

sunhux asked:
What are the security & compliance requirements we can safely
demand/expect from Oracle ERP (Enterprise Resource Planning) Cloud?

Likely Finance, HR, Procurement modules will be used in this
cloud ERP.

a) Data sovereignty: DC must be local?

b) BCP/DR drills done yearly with DR centre also hosted locally?

c) Is this SaaS?  So can we apply all the SaaS compliance
    requirements to them, including returning data to us &
    secure erasure of data when exiting?

d) ... any other ... ?

Author commented:
Does Oracle have any hardening doc or guide for their ERP on cloud?
There's something for on-prem SAP, though it's not from CIS.
btan (Exec Consultant, Distinguished Expert 2018) commented:
SaaS-based.

Data sovereignty: regardless of hosting environment, as long as the PII or classified data is retained locally.


Risk assessments and management regime: These are expected activities, completed in conjunction with the initial cloud ERP rollout cycles as well as with the subsequent quarterly ERP solution releases, i.e. to help identify changes between the pre-patch and post-patch versions. In particular, you want to ensure you have assurance from the provider that the regime is present and exercised, with appropriate risk mitigation solutions in place at go-live, and then examine the impact on controls and shared risks as the platform evolves.


Service-level agreement (SLA): A clearly defined SLA can also offer protection between an organization and a cloud ERP vendor should a dispute arise. Set a standard expected level of performance and clear metrics for accountability. This can include the RTO and RPO from the BCP and DRP that the provider will have to articulate.


Regulatory requirements: Include sufficient compliance standards, such as the Payment Card Industry Data Security Standard or the Health Insurance Portability and Accountability Act, that protect sensitive data stored in the cloud. Often, internal business rules establish policies that the company already maintains, such as software pricing and hardware compatibility
particularly SaaS, is limited, organizations should remain open to adopting the software's best practices out of the box.


Auditability: It is not just about compliance as in the traditional system environment; you cannot even see the actual system or hardware. The financial and HR data are moving around. To make sure the provider protects your information diligently, at best they need to show that regular audits are done and produce a SOC 2 report (for example), with review oversight by their CISO and CXO.


Longer-term viability: Pay attention to the research on ERP vendors by analyst firms and consulting companies. It is also important to be aware of vendor details, including how much a company invests in research and development for its products and services. Ask what modules or applications are available and then determine if the vendor offers the functionality you need.


Integration: This can be a major concern depending on which systems your company wants to retain or purchase in conjunction with a cloud ERP system. For areas that aren't being integrated, there should be a plan to migrate data to the new system. The cloud ERP vendor should discuss the integration protocols and data migration tools available. You can also ask vendors to see examples of similar integrations or migrations prior to choosing an ERP platform.


Without a proper balance between functionality and adoption, implementation time frames and costs could suffer. So engage early in the discovery and have them walk through the policies and understanding in as much detail as possible.

Author commented:
Sorry, I miscommunicated what's needed:

What's needed is actually to write a brief justification paper why
Oracle ERP Cloud meets compliance & cybersecurity requirements
& is safe to adopt for HR, Finance & Procurement purposes.

There's no credit card information but there's PII & payroll info.

I was looking through the attached doc, but the content is more for
techies than for senior management.

I could contact Oracle for this but it's going to take a while.

Possibly I will need to add a bit of reasoning why MS Dynamics
(Cloud also) is not as good in terms of compliance requirements.
Attachment: SecuringOraclERPcloudV10y2015.pdf

Author commented:
>Possibly will need to add a bit of reason why MS Dynamics
>(Cloud also) is not as good

I guess Oracle will be hosted in AWS or their Oracle Cloud
while MS Dynamics' SaaS will be hosted in MS Azure, so
some comparison between what's in Oracle Cloud vs Azure.
btan (Exec Consultant, Distinguished Expert 2018) commented:
It seems like you are doing a product evaluation, which is off from the question asked.

I suggest you go back to basics and ask what your cybersecurity requirements are. What are the standards and policy mandates for adopting SaaS? If you have none or are unsure, the list of criteria in the previous post serves that purpose to help you get started. You would ask the vendor to advise on their compliance or means to achieve that. You are still back to ensuring CIA is achieved even in SaaS, but focus on data security and access control as well as auditability.

For comparing the competitors, it needs to go beyond just security factors.

Oracle

- An established market leader.
- Offers better customer support.
- Supports integration with MS Office, Gmail, IBM Notes, etc.

- Sales Force Automation
This feature helps users perform a myriad of tasks simultaneously. For instance, you can manage sales opportunities, partner relationships, and task and activity management together. Beyond this, it enables you to sync email, contact tools, and calendars with your CRM system.

- Oracle Sales Cloud
It makes reporting and analytics exceptionally easy. You can even forecast your sales revenue by using market surveys, the latest marketing trends, and historical sales data.


Dynamics 365

- Easy to Learn & Quick integration of CRM
Users can find the full state of their business including sales, purchasing, cash flow data, etc. on the CFO overview workspace.

- Support by advanced Microsoft assets such as Azure, Cortana Intelligence, BI tools, etc.

- Accounts Receivable (AR) automation helps users minimize turnaround time and enables the supply, inventory, purchase, customer service, and other processes to be easy and transparent.

That said, cloud hosting may be more secure than on-premise hosting if your internal IT department is not large enough, skilled enough or prepared enough to manage the full security of an on-premise ERP system.

However, a cloud environment still requires internal security responsibilities, so a strong internal team and clearly defined processes are still essential.

Best to draw out the criteria and put the two candidates side by side. The native cloud security services integrated or leveraged by the SaaS will demonstrate the interoperability or vendor lock-in tendency. Having independent built-in controls regardless of the CSP is a plus point which not many SaaS providers possess; hence, most of the time, it is back to a CSP vs CSP comparison.
