1. Executive Invitation – Oracle Data Finder Service Oracle Corporation

2. Agenda Oracle Insight The Data Finder Tool The Oracle Data Finder Service Deliverables Next Steps Q & A

3. 3 Oracle Insight Objective Joint Collaboration – Oracle and Customer Customer Value and Customer Success Maximize Business Value of Oracle products Build Relationships Outcomes Professional Solution Presentation Achievable Set of Recommendations Deeper Relationship

4. Benefits of Oracle Insights Free Access to Oracle Expertise Develop Knowledge of Oracle Best Practices Low Risk (Time invested, not money) Best Case Outcome We jointly solve a problem with business value. Worst Case Outcome Oracle makes recommendations that are never adopted But you learn from them

5. Oracle confidential - For internal use only 20/10/2015 5 What is the Data Finder tool? Finds unprotected sensitive data Connects to target database and executes searches based on the patterns Results are returned, displayed and logged for further analysis

6. Oracle confidential - For internal use only 20/10/2015 6 How does it work? Patterns are defined at one of three levels: SCHEMA – looks for schema names that match the pattern OBJECT – looks for DB Object names (Tables, Views, Columns) that match the pattern DATA – looks for data within columns that match the pattern A search will apply the selected patterns to a particular database and retrieve matches

7. The Oracle Data Finder Service  Analyze and profile a subset of your data, to highlight potential problem areas for further investigation  Agree on appropriate trends and sophisticated patterns, based on industry experience, applicable laws and standards  Use our Data Finder tool to analyze and report on any potential information security issues SCOPE DELIVERABLE  Statement of Findings includes detailed outcomes, an analysis of our engagement findings, recommendations and next steps.  A single point of contact for co-ordination of the on-site activities, such as the CSO, Compliance Officer or Security Manager.  Access to appropriate business and technical stakeholders for initial discussions.  Privileged-user access to one or more database instances for the duration of the engagement KEY REQUIREMENTS

8. Example Finding Key Findings Personally identifiable information found in MS Access database Using SSN as primary key in inventory application ITAR protected documents not secured Bank account numbers not encrypted Credit card information encrypted in production but in the clear in test bed Other Issues Managers must manually ensure on-board/off-board process happens correctly – access to right data at right time Highly privileged users (e.g. DBA) have access to sensitive data in production Difficult to audit role based access and data changes Reporting on data changes/exposure not always available Recommendations Decommission homegrown MS Access applications and migrate to securable systems Replace SSN with another unique ID Implement encryption on bank account database rows Consider IRM solution for ITAR compliance Utilize masking in order to remove credit card data from test environment Implement holistic real-time audit aggregation strategy across all databases Overall Objective High MarginalStableTransformationalBest Practice Importance Information Protection

9. Prioritizing Recommendations MediumLow Level of Effort High Low Medium Impact High “Longer Term” “Tactical Targets” “Strategic Targets” Recommendation 1 Recommendation 2 Recommendation 3 Recommendation 4 The Oracle Insight identified 4 major recommendation categories that were evaluated for prioritization

10. 10 Next Steps Accept Invitation Nominate Exec Sponsor Name Participants Finalize Joint Execution Plan Schedule On-Site Discovery Begin Due Diligence Conduct Oracle Data Finder Service

11. Q & A