sunhux

asked on

Compliance & security requirements for Oracle ERP Cloud

What are the security & compliance requirements we can safely
demand/expect from Oracle ERP (Enterprise Resource Planning) Cloud?

Likely Finance, HR, Procurement modules will be used in this
cloud ERP.

a) Data sovereignty: DC must be local?

b) BCP/DR drills done yearly with DR centre also hosted locally?

c) This is a SaaS? So we can apply all the SaaS compliance
    requirements on them, including returning data to us &
    secure erasure of data when exiting?

d) ... any other ... ?
sunhux

ASKER

Does Oracle have any hardening doc or guide for their ERP on cloud?
There's something for on-prem SAP, though it's not from CIS.
btan
SaaS based.

Data sovereignty: regardless of hosting environment, as long as the PII or classified data is retained locally.


Risk assessments and management regime: These are expected activities and are completed in conjunction with the initial cloud ERP rollout cycles, as well as with the subsequent quarterly ERP solution releases—i.e., to help identify changes between the pre-patch and post-patch versions. In particular, you want to ensure you have the assurance from the provider that the regime is present and exercised, with appropriate risk mitigation solutions in place at go-live, and then examine the impact on controls and shared risks as the platform evolves.


Service-level agreement (SLA): A clearly defined SLA can also offer protection between an organization and a cloud ERP vendor should a dispute arise. Set a standard expected level of performance and clear metrics for accountability. This can include the RTO and RPO from the BCP and DRP that the provider will have to articulate.


Regulatory requirements : Include sufficient compliance standards, such as with the Payment Card Industry Data Security Standard or the Health Insurance Portability and Accountability Act, that protect sensitive data stored in the cloud. Often, internal business rules establish policies that the company already maintains, such as software pricing and hardware compatibility
particularly SaaS, is limited, organizations should remain open to adopting the software's best practices out of the box.


Auditability: It is not just about compliance; unlike in the traditional system environment, you cannot even see the actual system or hardware. The financial and HR data are moving around. To make sure the provider protects your information diligently, at best they need to show there are regular audits done and produce a SOC 2 report (for example) with review oversight by their CISO and CXO.


Longer-term viability : Pay attention to the research of ERP vendors by analyst firms and consulting companies. It is also important to be aware of vendor details, including how much a company invests in research and development for its products and services. Ask what modules or applications are available and then determine if the vendor offers the functionality you need.


Integration : This can be a major concern depending on which systems that your company wants to retain or purchase in conjunction with a cloud ERP system. For areas that aren't being integrated, there should be a plan to migrate data to the new system. The cloud ERP vendor should discuss the integration protocols and data migration tools available. You can also ask vendors to see examples of similar integrations or migrations prior to choosing an ERP platform.


Without a proper balance between functionality and adoption, implementation time frames and costs could suffer. So engage early on the discovery and have them walk through the policies and understanding in as much detail as possible.
sunhux

ASKER

Sorry, I miscommunicated what's needed:

What's needed is actually to write a brief justification paper why
Oracle ERP Cloud meets compliance & cybersecurity requirements
& is safe to adopt for HR, Finance & Procurement purposes.

There's no credit card information but there's PII & payroll info.

Was looking through the attached doc, but the content is more for
techies than for senior management.

I could contact Oracle for this but it's going to take a while.

Possibly will need to add a bit of reason why MS Dynamics
(Cloud also) is not as good in terms of compliance requirements
SecuringOraclERPcloudV10y2015.pdf
sunhux

ASKER

>Possibly will need to add a bit of reason why MS Dynamics
>(Cloud also) is not as good

I guess Oracle will be hosted in AWS or their Oracle Cloud,
while MS Dynamics' SaaS will be hosted in MS Azure: so
some comparison between what's in Oracle Cloud vs Azure.
ASKER CERTIFIED SOLUTION
btan
