Several components of the Oracle Fusion Cloud Applications suite have been granted ‘protected’ clearance by a third-party assessor under the federal government’s Information Security Registered Assessors Program (IRAP).
The software-as-a-service applications to be certified as ‘protected’ include Oracle Fusion Cloud Enterprise Resource Planning (ERP), Oracle Fusion Cloud Supply Chain Management (SCM) and Oracle Fusion Cloud Human Capital Management (HCM).
At the same time, Oracle Fusion Cloud Customer Experience (CX) and Oracle Fusion Cloud Enterprise Performance Management (EPM) have been certified at the ‘sensitive’ level under the IRAP regime.
The certification has been granted to the applications when they are running on Oracle cloud infrastructure in the vendor’s Sydney and Melbourne data centre regions, and gives those services the ability to handle classified government and highly sensitive data.
Developed by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC), IRAP is a security compliance framework involving security assessment processes and a security assessor program.
Broadly, it supports the country’s federal government entities in maintaining their security assurance and risk management as well as assessing cloud service providers and their cloud services’ security controls against the Commonwealth security policies and guidelines.
For Malini Nambiar, Oracle’s federal and ACT government cloud platform director, the certification opens up a new potential public sector client base for the cloud-based Oracle services in question.
“Leading companies and governments around the world already trust Oracle to protect their data and run their mission-critical business functions,” she said. “Now, Australian federal government entities can take advantage of the benefits of running their applications in the cloud, and can remain confident about the security of their data.”
The certification is one of a series of similar awards granted recently by third-party assessors under the relatively new IRAP regime.
The ASD’s Cloud Services Certification Program (CSCP), which previously was responsible for granting IRAP certification to cloud services providers for consumption by government agencies, ceased operation earlier this year, with all ASD certifications and re-certifications for secure cloud services becoming void from July.
In late July, the ACSC unveiled new guidelines for allowing cloud service providers to sell to the federal government, handing more responsibility over to individual agencies themselves.
The move meant that cloud service providers (CSPs) would no longer need certification from the ACSC and would instead need reviews from the Information Security Registered Assessors Program every two years.
In October, Citrix was also awarded the federal government’s ‘protected’ status, giving it the ability to handle classified and highly sensitive data.
The virtualisation vendor earned the protected certification for its Citrix Virtual Apps and Desktops service, which includes its Workspace platform, Citrix Gateway service for HDX Proxy and Citrix Identity.