If you want to have control over security, you need to know where to look to identify risks.
This article explains what standards and controls should be in place so Information Systems Security Officers (ISSOs) or Risk Assessment Teams can monitor Salesforce Security.
Salesforce is an Enterprise Application and Low Code platform that manages critical business processes, proprietary data, and customer and employee information. When proper standards and controls are not in place, companies risk granting unauthorized access. Unintended and unauthorized access results in increased security risks, data breaches, non-compliance, loss of customer trust, as well as fines. The role of the Security Officer therefore becomes even more critical in understanding, managing and monitoring Salesforce Security.
There are two areas in which ISSOs should oversee and audit the company’s Salesforce Orgs.
Salesforce, as a multi-tenant PaaS platform, manages Perimeter Security. The Salesforce Trust website has current and historical information on network and data center security and on availability issues, such as:
- Distributed Denial of Service (DDOS) attacks
- Brute force attacks
- Application availability
For more information on how Salesforce manages Security, visit trust.salesforce.com.
The company’s application production, development, and support teams manage Application Security. These teams handle all aspects of Salesforce Security, for example:
- Who sees what (Access Controls)
- What is being accessed (Visibility)
- How and when the users are created (Identity)
- How are external systems connecting to Salesforce and Salesforce connecting to external systems (Integrations)
ISSOs should carefully monitor the Salesforce applications, because most security risks and breaches appear in the Application Security area.
The application development and production support teams regularly update production, and new features are continually introduced. Even though these changes are controlled, they often have security implications that are difficult to identify.
What to monitor
ISSOs have to track, at a minimum, the 14 controls listed here:
1. Security Health Risks
7. Field Security
9. Remote Site Settings
10. Single Sign-On
11. Login IP ranges
12. Connected Applications
13. Installed Applications
14. Apex Code
How to Monitor
Most organizations do not have a process for these 14 controls. Even where a process exists, it is a manual one: the Application Support or development teams take screen captures from time to time and update a risk register such as Archer. Manual processes are a good starting point, but they are error-prone and do not give accurate, real-time information. The time and cost lost are also high, because the development and support teams are not working on new features for the business. Fixing the issues also takes time, cost and resources.
The best way to implement controls is to automate the checks and let the ISSO, Application Support and Development teams monitor these controls regularly. If risks are identified, the ISSO and other stakeholders get alerted.
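As an added illustration of what automating these checks can look like (example code added to this article, not ComplianceSeal’s or Salesforce’s own code), the script below runs three of the listed controls, Remote Site Settings, Login IP ranges and Apex code, over constructed sample records and collects the findings per control. The record field names are modelled on the Tooling API objects RemoteProxy and ApexClass; the profile IP-range shape is a hypothetical simplification.

```python
import re

# Constructed sample records (not real org data). Field names follow the
# Salesforce Tooling API objects RemoteProxy and ApexClass; the profile
# login-IP-range shape is a hypothetical simplification.
REMOTE_SITES = [
    {"SiteName": "PaymentGateway", "EndpointUrl": "https://pay.example.com", "IsActive": True},
    {"SiteName": "LegacyErp", "EndpointUrl": "http://erp.example.net", "IsActive": True},
    {"SiteName": "OldVendor", "EndpointUrl": "http://vendor.example.net", "IsActive": False},
]
APEX_CLASSES = [
    {"Name": "AccountService", "Body": "public with sharing class AccountService {}"},
    {"Name": "ReportExporter", "Body": "public without sharing class ReportExporter {}"},
    {"Name": "LegacyUtil", "Body": "public class LegacyUtil {}"},
]
PROFILES = [
    {"Name": "System Administrator", "LoginIpRanges": [("10.0.0.0", "10.0.255.255")]},
    {"Name": "Integration User", "LoginIpRanges": []},
]

def check_remote_sites(sites):
    """Control 9: active Remote Site Settings whose endpoint is not HTTPS,
    so callouts from the org would travel in clear text."""
    return [s["SiteName"] for s in sites
            if s["IsActive"] and not s["EndpointUrl"].lower().startswith("https://")]

def check_apex_sharing(classes):
    """Control 14: classes that bypass record-level security ('without sharing')
    or never declare a sharing mode and so inherit whatever context calls them."""
    findings = {}
    for c in classes:
        if re.search(r"\bwithout\s+sharing\b", c["Body"]):
            findings[c["Name"]] = "without sharing"
        elif not re.search(r"\b(with|inherited)\s+sharing\b", c["Body"]):
            findings[c["Name"]] = "sharing mode not declared"
    return findings

def check_login_ip_ranges(profiles):
    """Control 11: profiles with no login IP ranges can log in from any address."""
    return [p["Name"] for p in profiles if not p["LoginIpRanges"]]

def run_controls():
    """Collect findings per control, ready to push to a risk register or alert."""
    return {"remote_sites_without_tls": check_remote_sites(REMOTE_SITES),
            "apex_sharing": check_apex_sharing(APEX_CLASSES),
            "profiles_without_ip_ranges": check_login_ip_ranges(PROFILES)}

if __name__ == "__main__":
    for control, hits in run_controls().items():
        print(f"{control}: {hits or 'OK'}")
```

In a real deployment the three record lists would be replaced by the results of the corresponding Tooling API and Metadata API queries, run on a schedule so that a new finding raises an alert rather than waiting for the next manual screen capture.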
ComplianceSeal automates and monitors all 14 controls and much more. It eliminates the manual and error-prone processes and automates Salesforce Security, Governance, Risk & Compliance (SGRC). ComplianceSeal proactively identifies risks and alerts not just the ISSO team but also system administrators and Salesforce owners, before a risk becomes a non-compliance.