This is a public Blog  publicRSS

Entry

    Laurie Buxton
    Don't Let Your Configuration Un-Do Your Compliance
    Entry posted May 24, 2017 by Laurie BuxtonRegular, tagged Best Practices, Product / Product Release 
    251 Views, 1 Comment
    Title:
    Don't Let Your Configuration Un-Do Your Compliance
    Entry:

    briCWyk.jpg

    How many of you cringe or panic at the sight of regulation acronyms? It’s easy to get overwhelmed with what compliance entails, the confusing lingo and the changing landscape. As the Product Manager focused on regulatory compliance, I spend a lot of time keeping up with these rulings and laws to determine if/how they impact the current Oracle Service Cloud solution as well as upcoming enhancements and new functionality.

    In this blog post, I would like to introduce you to a little primer on regulations that many of you encounter as you manage customer data in your Oracle Service Cloud instances. While there are government related offerings for the Service Cloud, today I’d like to share some valuable pointers on how you can administer your site in retail, financial services, and health care regulated environments.

    Layman’s Overview

    First, three regulatory acronyms you should be familiar with:

    • PCI DSS - Payment Card Industry Data Security Standard
    • HIPAA - Health Insurance Protection and Accountability Act
    • HITECH - Health Information Technology for Economic and Clinical Health Act

    PCI DSS defines the technical and operational requirements for organizations that store, process or transmit cardholder data. For more official information: https://www.pcisecuritystandards.org/

    HIPAA is a U.S law that the Health & Human Services Department uses to ensure an individual's health information is kept private and secure.  It includes standards for electronic health care transactions, unique health identifiers, and security (incorporated from HITECH Act). For more official information: https://www.hhs.gov/hipaa

    Oracle Service Cloud Enables, But Doesn’t Guarantee, Your Compliance

    In case you were not aware, Oracle Service Cloud offers a Payment Card Industry (PCI) attested environment as a Service Provider Level 1 and environments that met the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules as a Business Associate. Oracle is assessed annually by a third party for PCI and HIPAA compliance for our infrastructure and specifically Service Cloud software.

    By the way, the terms “Service Provider” and “Business Associate” clarify Oracle’s role in providing a compliant service and how our audit is conducted. Special attention is given to certain requirements that would be more important or only available by a provider of a cloud service.

    Our Attestation of Compliance confirms that the services we offer have been deemed PCI compliant. The HIPAA accreditation we receive also ensures we have met the required guidelines for safeguarding protected health information. However, with the endless possibilities for customizing your Oracle Service Cloud site, you must consult with your PCI assessor or HIPAA auditor to ensure your compliance. For example, if you diverge from the default data model by creating custom fields, be sure to validate that proper controls are put in place.

    When purchasing our specialized offerings with Service Cloud, you can also include a Technical Account Manager or Oracle Cloud Priority Support. The technical assistance these services offer include assessing your customizations for suspicious and vulnerable code and offer best practices in a regulated environment.

    Oracle operates on a shared responsibility model, which means that you share responsibility for ensuring PCI or HIPAA compliance. Purchasing the PCI or HIPAA compliance packages doesn’t automatically guarantee your organization is in compliance with these regulations! Make sure that you review the Oracle Service Cloud Restricted Environment Deployment Guide to learn what specific considerations and controls to pay special attention to when deploying Oracle Service Cloud.  It offers guidance on securing and protecting your data, giving you the ability to configure a compliant environment. You can also get to this guide through the Support Knowledge base, specifically Answer 9570: Guidance for Implementing in PCI or HIPAA Service Cloud Environment.

    Want More?

    If you have questions about these regulations, what they mean for your organization or about how to ensure your site is in compliance, please leave a comment and let us know. Also, if you have experience or advice with keeping your site compliant, leave a comment and share your experience!

    Comment

     

    • Ryan Schofield

      When discussing compliance, one should not overlook Section 508 (https://www.section508.gov/) regarding Accessibility. Whether it's a requirement of your work or you just want to ensure you're providing fully-functional access to those customers using accessibility tools, this is an issue that should be considered. We went through a larger effort to update our site to be fully compliant as it's required for our client contract. As stated above: "Oracle Service Cloud Enables, But Doesn’t Guarantee, Your Compliance." Luckily we have an expert in-house team to assess our system and they were able to work with us, and Oracle developers, to identify and fix upwards of 100 issues. Some of those included core product enhancements which Oracle was relatively quick to implement. Many others were CSS-related items which Oracle had implemented at our original go-live or that we had customized over the years. It all boils down to making sure you understand your requirements as a customer using the OSC product, then working very closely with Oracle to ensure you understand what gaps may exist and what your responsibilities are as the customer.