Salesforce cannot be left out of your cybersecurity program. We repeat: cannot! There is much you need to protect there, from the sensitivity of the information to the sheer amount your database holds. Not to mention, various compliance regimes require wealth management companies to have safeguards protecting this type of data. See the FTC on the Gramm-Leach-Bliley Act (GLBA) below:
“The safeguards set forth in the program must be appropriate to the size and complexity of the financial institution, the nature and scope of its activities, and the sensitivity of any customer information at issue.”
In this post, we explain why you need to make Salesforce part of your security program and what you can do to build a strong program.
Why Salesforce Needs to Be Part of Your Security Program
Due to the nature of information often stored in Salesforce, including Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPII), it’s imperative to make sure it’s part of your security program. It also generally represents a large and often business-critical database of information. In addition, at most companies, all sorts of different groups can access Salesforce, from internal staff and integrations to third-party vendors (more on Salesforce vendor security management here) and public-facing portal access.
The bottom line: If Salesforce is a material and integral part of your business operations, it must be subject to and incorporated into the organizational security program.
Plus, as we mentioned above, multiple regulations and regulators require development of a comprehensive security program, including GLBA, the SEC, and FINRA. And comprehensive means comprehensive—Salesforce is a vital inclusion.
Leaving Salesforce out of scope increases your risk profile and the potential for security or compliance issues in the future.
For more guidance on this and six other core cybersecurity domains, download the whitepaper: Salesforce and Cybersecurity: A Roadmap for Regulatory Compliance in Wealth Management.
How to Include Salesforce in Your Security Program Scope
In order to incorporate Salesforce into your program, you should be familiar with the lifecycle of a healthy security program. Below is a high-level overview in eight steps, with notes on how to make each step Salesforce-specific.
1. Define cybersecurity team members and roles.
Identifying appropriate contacts is a critical component of an overall cybersecurity posture, and it’s considered a best practice, regardless of any compliance needs. Use these questions to help you properly identify and document key stakeholders:
- Who in Salesforce is aligned to be a champion and responsible party for development and implementation of the organization’s InfoSec program?
- Are they aware there’s a compliance relationship to the role and being “named”?
- Do you have communications set up so the Salesforce team can coordinate with key stakeholders? These stakeholders include IT, business, legal, privacy, the compliance team, executive leadership (CIO/CTO), service providers, software vendors, and partner security contacts (if the partnership involves any form of systems overlap).
- Are there regular meetings with stakeholders to foster communications and assure accuracy in current roles?
2. Initial risk analysis and establishment of program.
Once the team is established, conduct an initial assessment of risk and establish your official program. Check out this article for questions you can ask to assess your Salesforce security and compliance risk.
For more detail on risk analysis, including more starter questions, check out our package of cybersecurity resources.
3. Classify data and risk levels.
Classifying your organization’s data is a critical part of any cybersecurity initiative, since an inventory helps you know the level of protection required by different data’s sensitivity.
Salesforce has a data classification feature which enables the appropriate inventory and tagging of data fields at the metadata level. This allows you to bake classification into your organizational configuration, and it’s auditable and easy to update as things change over time.
Note: If your company has an organizational data classification policy, make sure Salesforce data gets included in the classification process so that you have a risk analysis of your Salesforce data. This avoids a situation where Salesforce data gets forgotten in those policies.
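Classification only helps if it is actually applied, so the follow-up check is a coverage audit: which fields carry no classification at all, and which fields that plainly hold PII are tagged below the level you expect. The script below is an added example written for this post (not Red Argyle's or Salesforce's code). It consumes records in the shape returned by a SOQL query against the FieldDefinition object, whose SecurityClassification and ComplianceGroup columns expose the data classification feature described above (a query of the form `SELECT QualifiedApiName, SecurityClassification, ComplianceGroup FROM FieldDefinition WHERE EntityDefinition.QualifiedApiName = 'Contact'`). The sample records, the PII name-pattern heuristic, and the "Confidential or higher" threshold are all constructed assumptions for the example; adjust them to your org's classification policy.

```python
import re
from dataclasses import dataclass

# Heuristic for field API names that usually hold PII/SPII in a wealth
# management org. This list is an assumption for the example, not a
# Salesforce-provided list; extend it to match your own data inventory.
PII_NAME_PATTERNS = re.compile(
    r"(ssn|social|tax|birth|dob|email|phone|mobile|passport|license|"
    r"account_number|routing|salary|income|net_worth)",
    re.IGNORECASE,
)

# Sensitivity levels offered by Salesforce's SecurityClassification picklist,
# ordered from least to most sensitive.
SENSITIVITY_ORDER = ["Public", "Internal", "Confidential", "Restricted", "MissionCritical"]

# Policy assumption for this example: anything that looks like PII must be
# classified at least Confidential and carry the PII compliance group.
MINIMUM_PII_LEVEL = "Confidential"


@dataclass(frozen=True)
class Finding:
    object_name: str
    field_name: str
    issue: str


def _rank(classification):
    """Numeric sensitivity rank; unknown or custom values rank below Public."""
    return SENSITIVITY_ORDER.index(classification) if classification in SENSITIVITY_ORDER else -1


def audit_classification(records):
    """Return a list of Findings for unclassified or under-classified fields.

    Each record mirrors a FieldDefinition row: EntityDefinition.QualifiedApiName,
    QualifiedApiName, SecurityClassification, ComplianceGroup (multi-select
    picklist values arrive as a semicolon-separated string, e.g. "PII;GDPR").
    """
    findings = []
    for rec in records:
        obj = rec["EntityDefinition"]["QualifiedApiName"]
        field = rec["QualifiedApiName"]
        classification = rec.get("SecurityClassification")
        compliance_groups = (rec.get("ComplianceGroup") or "").split(";")
        looks_like_pii = bool(PII_NAME_PATTERNS.search(field))

        if classification is None:
            findings.append(Finding(obj, field, "unclassified"))
            continue  # nothing more to judge until someone classifies it

        if looks_like_pii:
            if _rank(classification) < _rank(MINIMUM_PII_LEVEL):
                findings.append(Finding(obj, field, f"likely PII but classified {classification}"))
            if "PII" not in compliance_groups:
                findings.append(Finding(obj, field, "likely PII but no PII compliance group"))
    return findings


def coverage(records):
    """Return (classified_count, total_count) as a simple progress metric."""
    classified = sum(1 for r in records if r.get("SecurityClassification"))
    return classified, len(records)


# Constructed sample data standing in for real FieldDefinition query results.
SAMPLE_FIELD_DEFINITIONS = [
    {"EntityDefinition": {"QualifiedApiName": "Contact"}, "QualifiedApiName": "Email",
     "SecurityClassification": "Confidential", "ComplianceGroup": "PII;GDPR"},
    {"EntityDefinition": {"QualifiedApiName": "Contact"}, "QualifiedApiName": "Birthdate",
     "SecurityClassification": None, "ComplianceGroup": None},
    {"EntityDefinition": {"QualifiedApiName": "Contact"}, "QualifiedApiName": "SSN__c",
     "SecurityClassification": "Internal", "ComplianceGroup": None},
    {"EntityDefinition": {"QualifiedApiName": "Contact"}, "QualifiedApiName": "Description",
     "SecurityClassification": "Internal", "ComplianceGroup": None},
    {"EntityDefinition": {"QualifiedApiName": "Account"}, "QualifiedApiName": "Net_Worth__c",
     "SecurityClassification": "Restricted", "ComplianceGroup": "PII"},
]


if __name__ == "__main__":
    done, total = coverage(SAMPLE_FIELD_DEFINITIONS)
    print(f"classified {done}/{total} fields")
    for f in audit_classification(SAMPLE_FIELD_DEFINITIONS):
        print(f"{f.object_name}.{f.field_name}: {f.issue}")
```

Run on the sample data, the report flags Birthdate as unclassified and SSN__c twice (classified Internal and missing the PII compliance group), while Email and Net_Worth__c pass. Feeding the real query results through the same functions on a schedule turns the classification step into something you can measure and revisit at each risk assessment.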
4. Conduct a risk assessment of your technology.
Conducting a risk assessment is crucial to identifying and prioritizing risks and maintaining multiple compliances. And it’s not just a one-time thing—you need to assess risk regularly.
Salesforce has features and functionality that can help with risk assessments at the platform level, and adding Salesforce Shield can also help you understand how the overall program is being executed.
Also, there’s a lot of third party software you can use to help with risk assessments and lower the burden of ongoing program management. Some of our favorites include:
- Vanta. A useful organization-wide tool that provides measurable, definitive lists of actions (Salesforce is not its focus, but Vanta is still useful at the program level).
- Drata. An alternative to Vanta with a similar program focus, but with an emphasis on cloud technology.
- Org scanning, change management, and improvement-measurement tools:
  - Hubbl. A powerful org-wide scanner.
  - Elements.Cloud. An alternative to Hubbl.
  - Varonis. A security-focused Salesforce tool.
Salesforce AppExchange also provides a number of tools serving other areas of InfoSec and compliance.
5. Design remediation plans.
Once you’ve identified the risks, implement a prioritized, actionable plan for remediation. For Salesforce, this includes designing and deploying safeguards to address potential risks. Check out this article for more on implementing Salesforce safeguards.
6. Review and adoption.
When you have reviewed and adopted the Salesforce security plan, keep in mind that continued collaboration is key. Implementing technical controls based on your security program and risk assessment is an exercise in collaborating with the overall technical and business stakeholders. You’ll need to work together to execute a program of improvement and remediation.
7. Periodic testing.
Regularly test and monitor the effectiveness of the safeguards you have implemented. This might include routine security audits, vulnerability assessments, penetration testing, and red team exercises.
You should also conduct regular Salesforce-specific drills and tabletop exercises, such as simulating a phishing attack targeting Salesforce credentials or a data corruption issue within Salesforce. Test the recovery of Salesforce data and the failover to sandbox environments. Validate communications paths are accurate and able to be followed.
8. Revision.
After each test or actual incident, review and update the Salesforce-specific components of your plans. Engage with Salesforce’s resources, such as its security center and customer support, for insights on best practices and updates.
Salesforce Security Is Ongoing
Developing your Salesforce security program is not a one-and-done exercise or a simple program lifecycle. Remember, the ongoing care and feeding of the cybersecurity program is paramount for continued relevancy and compliance.
For more resources, check out the NIST Cybersecurity Framework and the Center for Internet Security Critical Security Controls Framework. Many of CIS’s controls map to SOC-2 or ISO standards.
If this type of work is more than your team can operationally support, remember that external partners can be instrumental in aiding in the long term care and feeding of your programs, offering outside experience and operational support to these efforts.
If you want to learn more about Red Argyle and the security services we offer, get in touch.