Step 5, Communication: If Oracle EBS is deployed in your environment, brief your CISO and relevant stakeholders on the campaign. If your organization processes personal data through EBS (HR, payroll), assess whether breach notification obligations apply under GDPR, CCPA, or other applicable regulation. This assessment requires legal review.
Preparation
NIST 800-61r3 §2.3 (Communication and Information Sharing)
NIST 800-53 IR-4 (Incident Handling)
NIST 800-53 SA-9 (External Information System Services)
CIS v8 Control 19 (Incident Response Management)
Compensating Control
Without a legal team on call: document the data inventory in EBS (query the data dictionary to identify PII tables: select owner, table_name from dba_tables where table_name like '%PERSON%' or table_name like '%PAYROLL%' or table_name like '%EMPLOYEE%'; do not extract data, only count rows and note presence). Flag for legal review in writing with a timestamp. Prepare an internal incident report template documenting: affected EBS instance(s), affected modules (HR/Finance/Supply Chain), data types at risk (personal data yes/no), number of records affected (if known). Escalate to the CISO with this summary and a regulatory deadline calendar (GDPR: 72 hours, CCPA: without unreasonable delay per intent). Record the escalation in writing.
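The inventory step above as an added example (not part of the original playbook): a PL/SQL block, run from SQL*Plus or SQLcl by an account that can read DBA_TABLES, that prints a row count per matching table without selecting any column values. The name filter is the playbook's own; the output line format is an assumption.

```sql
-- Added example: row-count inventory of candidate PII tables.
-- Reads the data dictionary and COUNT(*) only; no column values are selected.
-- Output format (key=value per line) is an assumption, chosen for pasting into a report.
SET SERVEROUTPUT ON
DECLARE
  v_count NUMBER;
BEGIN
  -- Timestamp the run so the written flag for legal review can reference it.
  DBMS_OUTPUT.PUT_LINE('inventory_run_at='
    || TO_CHAR(SYSTIMESTAMP, 'YYYY-MM-DD"T"HH24:MI:SS TZH:TZM'));
  FOR t IN (
    SELECT owner, table_name, num_rows
      FROM dba_tables
     WHERE table_name LIKE '%PERSON%'
        OR table_name LIKE '%PAYROLL%'
        OR table_name LIKE '%EMPLOYEE%'
     ORDER BY owner, table_name
  ) LOOP
    BEGIN
      -- ENQUOTE_NAME quotes each identifier so dictionary names are never
      -- concatenated into dynamic SQL unvalidated.
      EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM '
        || DBMS_ASSERT.ENQUOTE_NAME(t.owner, FALSE) || '.'
        || DBMS_ASSERT.ENQUOTE_NAME(t.table_name, FALSE)
        INTO v_count;
      DBMS_OUTPUT.PUT_LINE(t.owner || '.' || t.table_name
        || ' rows=' || v_count
        || ' stats_rows=' || NVL(TO_CHAR(t.num_rows), 'n/a')
        || ' present=' || CASE WHEN v_count > 0 THEN 'yes' ELSE 'no' END);
    EXCEPTION
      WHEN OTHERS THEN
        -- A table the account cannot read is recorded, not skipped silently.
        DBMS_OUTPUT.PUT_LINE(t.owner || '.' || t.table_name
          || ' rows=unknown error=' || SQLERRM);
    END;
  END LOOP;
END;
/
```

On very large tables COUNT(*) can be slow; stats_rows (DBA_TABLES.NUM_ROWS) is the optimizer's last gathered estimate and can stand in when an exact count is not practical.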
Preserve Evidence
Preserve all communications (email, Slack, meeting notes) regarding the threat discovery and stakeholder briefing. Document data classification tags applied to EBS in your asset management system. Capture screenshots of EBS audit logs showing data access (before any deletion or retention policy purge). Maintain decision log showing legal review date and determination.