How should Information Systems Security officer monitor Salesforce Security?

If you want to have control over security, you need to know where to look to identify risks

This article explains what standards and controls should be in place so that Information Systems Security Officers (ISSOs) or Risk Assessment Teams can monitor Salesforce Security.

Salesforce is an Enterprise Application and Low Code platform that manages critical business processes, proprietary data, and customer and employee information. When there are no proper standards and controls in place, companies risk granting unauthorized access. Unintended and unauthorized access results in increased security risks, data breaches, non-compliance, loss of customer trust, and fines. This makes the role of the Security Officer even more critical in understanding, managing and monitoring Salesforce Security.

There are two areas in which ISSOs should oversee and audit the company's Salesforce Orgs.

Perimeter Security

Salesforce, being a multi-tenant PaaS platform, manages the Perimeter Security. The Salesforce Trust website has current and historical information on network issues, data center security, and availability issues.

For example:

  • Distributed Denial of Service (DDOS) attacks
  • Brute force attacks
  • Application availability

For more information on how Salesforce manages Security, visit

Application Security

The company's Application Production, Development, and Support teams manage Application Security. These teams handle all aspects of Salesforce Security, for example:

  • Who sees what (Access Controls)
  • What is being accessed (Visibility)
  • How and when the users are created (Identity)
  • How are external systems connecting to Salesforce and Salesforce connecting to external systems (Integrations)

ISSOs should carefully monitor the Salesforce applications, because most security risks and breaches appear in the Application Security area.
The Application Development and Production Support teams regularly update production, and new features are continually introduced. Even though these changes are controlled, they often have security implications that are difficult to identify.

What to monitor

ISSOs have to track, at a minimum, the 14 controls listed here:
1. Security Health Risks
2. Users
3. Profiles
4. PermissionSets
5. Groups
6. Objects
7. Field Security
8. Encryption
9. Remote Site Settings
10. Single Sign-On
11. Login IP ranges
12. Connected Applications
13. Installed Applications
14. Apex Code

How to Monitor

Most organizations may not have a process for these 14 controls. Even if they have a process, it’s a manual process. The Application Support or development teams take screen captures from time to time and update the risk register like Archer. Manual processes are a good starting point, but they are error-prone and will not give accurate real-time information. The time and cost lost are also high because the development and support teams are not working on new features for the business. Fixing the issues will also take time, cost and resources.

The best way to implement controls is to automate the checks and let the ISSO, Application Support and Development teams monitor these controls regularly. If risks are identified, the ISSO and other stakeholders are alerted.
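As an added illustration, not ComplianceSeal's own code and not part of the original article, the script below shows the shape of such an automated check: it evaluates four of the controls listed above (Profiles and PermissionSets, Users, Remote Site Settings, Login IP ranges) over constructed sample records shaped like Salesforce query results. The `ip_ranges` key, the `APPROVED_ADMIN_SETS` allow-list and the 90-day idle threshold are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real org data), shaped like SOQL results for the
# PermissionSet, User and RemoteSiteSetting objects; "ip_ranges" is an assumed
# flattened form of a profile's loginIpRanges metadata.
PERMISSION_SETS = [
    {"Name": "System_Administrator", "IsOwnedByProfile": True,
     "PermissionsModifyAllData": True, "PermissionsViewAllData": True},
    {"Name": "Sales_Reporting", "IsOwnedByProfile": False,
     "PermissionsModifyAllData": False, "PermissionsViewAllData": True},
]
USERS = [
    {"Username": "admin@example.com", "IsActive": True, "LastLoginDate": "2024-05-30T09:00:00Z"},
    {"Username": "contractor@example.com", "IsActive": True, "LastLoginDate": "2023-11-01T09:00:00Z"},
]
REMOTE_SITES = [
    {"SiteName": "ERP", "EndpointUrl": "https://erp.example.com", "IsActive": True},
    {"SiteName": "Legacy", "EndpointUrl": "http://legacy.example.com", "IsActive": True},
]
PROFILES = [
    {"Name": "System Administrator", "ip_ranges": [("10.0.0.1", "10.0.0.254")]},
    {"Name": "Integration User", "ip_ranges": []},
]
APPROVED_ADMIN_SETS = {"System_Administrator"}  # assumed: approved holders of broad access

def audit(perm_sets, users, remote_sites, profiles, now, stale_days=90):
    """Return findings as (control, severity, detail) tuples for the ISSO's risk register."""
    findings = []
    for ps in perm_sets:  # broad data access granted outside the approved admin sets
        if (ps["PermissionsModifyAllData"] or ps["PermissionsViewAllData"]) \
                and ps["Name"] not in APPROVED_ADMIN_SETS:
            control = "Profiles" if ps["IsOwnedByProfile"] else "PermissionSets"
            findings.append((control, "high", f"{ps['Name']} grants View/Modify All Data"))
    cutoff = now - timedelta(days=stale_days)
    for u in users:  # active accounts that nobody has used within the idle threshold
        last = datetime.strptime(u["LastLoginDate"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if u["IsActive"] and last < cutoff:
            findings.append(("Users", "medium", f"{u['Username']} active but idle since {u['LastLoginDate']}"))
    for rs in remote_sites:  # integrations that leave the org over cleartext HTTP
        if rs["IsActive"] and rs["EndpointUrl"].lower().startswith("http://"):
            findings.append(("Remote Site Settings", "high", f"{rs['SiteName']} uses cleartext {rs['EndpointUrl']}"))
    for p in profiles:  # profiles whose users may log in from any network address
        if not p["ip_ranges"]:
            findings.append(("Login IP ranges", "medium", f"profile {p['Name']} has no login IP restriction"))
    return findings

def run_sample_audit():
    """Run the checks over the constructed records at a fixed reference date."""
    return audit(PERMISSION_SETS, USERS, REMOTE_SITES, PROFILES, datetime(2024, 6, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for control, severity, detail in run_sample_audit():
        print(f"[{severity}] {control}: {detail}")
```

In a real deployment the record lists would come from scheduled SOQL and Metadata API exports, and each finding would be routed to the ISSO and the application owners instead of printed.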

ComplianceSeal automates and monitors all 14 controls and much more. It eliminates the manual, error-prone processes and automates Salesforce Security, Governance, Risk & Compliance (SGRC). ComplianceSeal proactively identifies risks and alerts not just the ISSO team, but also system administrators and Salesforce owners, before a risk becomes a non-compliance.
