“We began our search to replace Workday and evaluated ADP, Ceridian, and Paychex applications. In the end, Oracle HCM Cloud had the most depth and breadth for functionality, flexibility, and security of all the solutions we assessed.”
Bernadette Sprawka, Managing Partner and CFO, MiPro Enterprises
FACT: Companies whose employees’ identities are stolen due to violations of the Fair and Accurate Credit Transactions Act (FACTA) may be held responsible for minimum statutory damages of up to US$2,500 per employee.
A recent data breach at a global beverage company compromised sensitive information—including social security and driver’s license numbers—of 70,000 employees because the data hadn’t been encrypted on some stolen company laptops.
You hear about security breaches all the time, but do you really understand the implications? Unfortunately, this is an issue that faces all companies, so if you haven’t been thinking about it, you should be. What happens if your critical HR data gets lost or stolen? Data breaches are more common than you may realize. According to Larry Ponemon, chairman of the Ponemon Institute, more than 50 percent of Fortune 1000 firms experience an annual breach of 1,000 to 100,000 confidential records, including those of employees.1 So, the critical question is this: How can you make sure that your sensitive data is safe?
Why Should You Care About Cloud Security?
Obviously, security in the cloud is a top concern for most IT professionals, but what about line-of-business and HR managers? Why should you care? What implications could a security breach have on your day-to-day activities?
• Employee data privacy. Employee social security numbers, addresses, phone numbers, and other personally identifiable information (PII) must always be kept confidential. Many countries have regulatory requirements concerning this. Additionally, the risk of identity theft, among other potentially disastrous occurrences, becomes even more real when PII gets out into the world.
• Compensation and payroll. You want to make sure that your compensation and payroll data is secure, as a leak can result in employee morale issues as well as legal problems. And today, when many employees opt for direct deposit of their paychecks, you also store sensitive bank account information that must remain secure.
• Employee onboarding and offboarding. You collect a lot of data when onboarding and offboarding employees—information you wouldn’t want to get into the public domain. For example, when onboarding employees you often have interview notes, reference letters, and other data that should remain confidential. Likewise, when offboarding employees, you want to revoke their access to all company systems.
• Industry-based compliance. HIPAA and FISMA are just two of the many industry-specific regulations that you must strictly enforce to avoid potentially heavy fines and legal issues—not to mention the bad publicity that can accompany data breaches.
• Open enrollment and benefits. Employees’ healthcare choices and benefits, in addition to any data that reveals specific diagnoses or treatments, must remain absolutely confidential.
• Data residency. Because of the increasing number of countries that specify where data can or can’t be stored, global companies that trust their HR data to the cloud need to know where that cloud is located, and precisely where their data is stored.
• Access controls. You don’t want employees to have access to other employees’ sensitive information. You need an HR cloud solution that has extremely robust access controls in place, in addition to granular levels of control so that you can specify exactly who has access to what data.
WORLD-CLASS SECURITY AND COMPLIANCE
Oracle Human Capital Management Cloud (Oracle HCM Cloud) keeps your data safe and compliant with industry standards and regulations, including the following:
» European Union (EU) Data Protection Directive 95/46/EC
» International Organization for Standardization (ISO) 27001
» Payment Card Industry (PCI) data security standards
» Statement on Standards for Attestation Engagements (SSAE) 16 Service Organization Control 1 (SOC 1) and SOC 2
» US Department of Defense (DoD) Information Assurance Certification and Accreditation Process (DIACAP)
» US Federal Information Processing Standards (FIPS) 140-2
» US Federal Information Security Management Act (FISMA)
» US Gramm-Leach-Bliley Act (GLBA)
» US Health Insurance Portability and Accountability Act (HIPAA)
» US National Institute of Standards and Technology (NIST) SP 800-53
“Oracle [HCM Cloud] enables business flexibility and fast deployment of new functionality, while maintaining a high level of data protection and reducing IT costs.”
“The U.S. Department of Health and Human Services has investigated and resolved thousands of HIPAA data security incidents and complaints, but the agency imposed its first-ever civil monetary penalty for a HIPAA privacy rule violation in 2011, in the amount of $4.3 million.”
Scott E. Landau and Bradley A. Benedict, “Employee Data Privacy—An Overview of Employer Responsibilities,” Perspectives: An Executive Compensation, Benefits & Human Resources Law Update (Newsletter), Fall 2011
What Should You Look For in a Cloud Provider?
To protect your valuable data and avoid security breaches, look for a vendor that offers the following:
Vendor viability
The last thing you want is to have to go through the vendor-selection and solution-deployment process twice. Make sure your vendor has strong financials. You want your HR cloud provider to be around for years to come.
Secure data isolation
You need a cloud vendor that leverages shared resources across all of your cloud assets where it makes sense to keep costs low, and isolates them when it doesn’t to ensure privacy and performance. Choose a vendor that will never mix your data or applications with those of other customers, and that ensures complete data isolation and security at multiple technology layers.
Unified access controls
Much damage can be done if unauthorized users have access to business-critical HR data. A leading HR cloud vendor will ensure that
• When users join your company they have the right level of access, and when they leave, you revoke access to all relevant systems and data
• Only approved users have access to relevant HR data across clouds and on-premises through centralized identity management with federated single sign-on
• Role-based access control (RBAC) is in place to prevent unauthorized access to confidential HR information
• Users only see job-specific HR duties. Administrators configure job roles that map to job functions (duties) and data privileges
Data residency and compliance
Your HR cloud vendor should have multiple 24/7 global data centers for localized data residency while adhering to industry standards for compliance requirements.
Data center operations
Your HR cloud vendor should have state-of-the-art physical data center protection, logical data security, and data privacy protection policies in addition to proactive security engagement and monitoring, and leading-edge disaster recovery.
Advanced data security
Also required is full data encryption to prevent unauthorized use of PII. Robust controls over data and administrator access should prevent unauthorized viewing or sharing of employee information. A VPN is also ideal for remote access.
CONTACT US
To learn more, please call +1.800.ORACLE1 to speak to an Oracle representative or visit oracle.com/hcm. Outside North America, visit oracle.com/corporate/contact/global.html to find the phone number for your local Oracle office.
2 Christopher Sowa, “Four Best Practices for HCM in the Cloud,” Oracle’s Profit magazine, September 2013.
Oracle Cloud: Personalized, Connected, and Secure
Modern HR leaders enable a great employee experience that serves their customers and their businesses. HR organizations that don’t have a modern HR and talent strategy are missing out on creating real value. That’s why modern HR requires a modern solution: Oracle Cloud. Here’s what distinguishes Oracle Cloud.
Secure data isolation. With Oracle HCM Cloud, you get all the benefits of traditional software as a service (SaaS), but with more security and less risk because sensitive HR data from different companies is stored in separate databases. Minimized “noisy neighbor” syndrome speeds up performance, and you get to upgrade flexibly whenever it’s most convenient for your business.
Unified access controls. With Oracle, you get one unified strategy across your business for better control, ensuring that only approved users have access to relevant HR data across cloud and on-premises systems. Safeguards include centralized identity management with federated single sign-on (SSO), and RBAC that leverages industry best practices to prevent unauthorized access to confidential HR information.
Localized data residency and compliance. With 19 data centers located across the globe, Oracle is located wherever you are. Oracle-badged cloud security experts safeguard your sensitive HR data, and you get best-in-class, industry-based compliance, including HIPAA, PCI, SSAE16, and more.
Data center operations. Oracle operates embassy-grade cloud data centers with highly redundant infrastructures and 99.5 percent availability.
Advanced data security. Oracle offers advanced data security options when your business dictates additional layers of security, including Oracle Secure Backup, Oracle Database Vault, VPN, federated SSO, and Oracle Identity Federation.
ORACLE HCM CLOUD: FOR THE MODERN GLOBAL ENTERPRISE
HCM cloud offerings can radically lower costs and increase functionality. Based on Oracle’s customer experiences, as much as 30 percent to 60 percent of HR IT costs can be shed by leveraging cloud solutions.2 Oracle HCM Cloud helps you achieve these cost savings, along with many other significant benefits. Join the successful organizations that are relying on Oracle solutions to modernize their workforce.
ORACLE: A CLOUD VENDOR TO TRUST
Oracle has more than 35 years in secure data management, 14 years of experience in running enterprise clouds, and the broadest portfolio of integrated cloud services in the industry.
FACT: Oracle Cloud Platform Services help customers and partners develop and deploy new applications, extend and personalize Oracle SaaS applications, and migrate existing on-premises applications to Oracle Cloud.
When it comes to data security and other IT concerns, it pays to take a long-term view. Where will your HCM system be in five years? Do you want to make the same implementation decision all over again? That’s why it makes sense to choose a technology that is far ahead of other vendors in every category.
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
CONNECT WITH US
Oracle Corporation
WORLDWIDE HEADQUARTERS
500 Oracle Parkway
Redwood Shores CA 94065
USA
WORLDWIDE INQUIRIES
Phone: +1.650.506.7000
+1.800.ORACLE1
Fax: +1.650.506.7200
oracle.com