Having a Salesforce security plan is good, but it isn’t enough. If you want your cybersecurity program to be toothed and effective, you have to apply policy, manual, and automated controls to your infrastructure.
In fact, wealth management companies are required by regulations from FINRA, the SEC, and the Gramm Leach Bliley Act (GLBA) to maintain specific controls for data loss prevention (learn more about this in our Salesforce Security whitepaper).
In this article, we’ll cover how you can put Salesforce safeguards in place and maintain them to manage your risk of data loss. And while these tips are in the context of wealth-management companies, any company can benefit from the strategies below.
2 Phases for Employing Salesforce Safeguards
There are numerous strategies for employing safeguards within your Salesforce organization, and while we don’t have space to list them all here, they can be categorized generally into two cyclical phases.
1. Design and deploy safeguards.
In this phase, take any potential risks you identified during risk assessments and address them. You have a few options for this, including:
Self-Implemented Controls
You likely have some level of internal InfoSec/IT presence to manage your day-to-day implementation and maintain technical controls. At the right scale, this allows for the most consistent and cost effective approach for long term program success.
Partner Assistance
Salesforce partners are often used to bolster technical implementations of controls, since they bring unique experience in the niche activities you’ll need during these types of projects.
When you work with partners, they can assure minimal impact to business operations, a professional implementation of features, and a maintainable approach that doesn’t rely on a small number of internal employees eliminating single points of failure.
Tip: Collaboration is key.
Properly implementing any technical controls will require collaboration with your technical and business stakeholders. They’ll be a key part of executing any improvement and remediation programs.
For more guidance on implementing safeguards and six other core cybersecurity domains, download the whitepaper: Salesforce and Cybersecurity: A Roadmap for Regulatory Compliance in Wealth Management.
2. Regularly test and monitor the effectiveness of these safeguards.
Once you’ve implemented remediations, don’t stop—it’s back to testing. Conduct regular tests of the safeguards you’ve put in place.
Consider these rhythms for your risk assessments:
- Annual large audit. Focus on the overall program and key Salesforce infrastructure.
- Periodic check-in. Extend the work of the large audit with periodic check-ins. Evaluate risk quarterly, at a minimum. Validate that your active remediation efforts during this phase are working and that the security landscape hasn’t degraded from internal or external circumstances.
- Red team exercises. Have your red team conduct authenticated and unauthenticated penetration testing (this is when a team actively tests a live system’s defenses and ability to follow processes) against endpoints deemed worthy of testing properly. You can also have your red team run the following tests:
- Perform backup and restore drills and simulated data loss incidents.
- Validate that privacy and opt-out measures are maintained properly by simulating opt-out requests.
- Validate that other aspects of IT policy are followed, such as vendor management safeguards and staff onboarding/offboarding protocols.
10 Salesforce Technologies to Help You Implement Safeguards
Below is a list of Salesforce technology available to help you implement safeguards.
Logging, history tracking, platform encryption, and transaction security policies.
Industry leading encryption and key management. It offers the accepted encryption strength, ability to encrypt standard and custom fields, and ability to comply with key management strategies, which allows you to bring your own keys and manage keys accordingly.
Flags inappropriate insertion of Personally Identifiable Information (PII) or Sensitive Personally Identifiable Information (SPII).
Purpose-built environments for development and vendor interaction. Here, you give vendors an area to build while keeping them separate from your data. You can also add extra full or partial copy sandboxes to allow them to work efficiently.
Obfuscates and/or anonymizes any data classified as PII or SPII within sandboxes. This way you can create a realistic environment for vendors to work in, but provide no real data.
Get in-depth info on Salesforce security management for third-parties in Giving Service Providers Access? 4 Security Best Practices
Granular controls on data access with broader data protection capabilities.
Standard Salesforce row-based security to manage least privilege access.
Change management tracking and audit ability of metadata changes.
High level user access tracking capability.
Deep dive analytics and forensics. (This is actually required for multiple compliances that wealth management companies are subject to. The GLBA Safeguards rule specifically calls out user logging.)
Can’t Prioritize? Start by Classifying Data.
If you’re not sure where to begin applying safeguards, you might need to implement a data classification scheme. This can help you assess risk and determine your priority for applying mitigating controls.
Bonus: You may actually accomplish two things in one, because many of the statutes we mentioned above specifically reference their expectations around data classification.
Salesforce has a data classification feature which enables the appropriate inventory and tagging of data fields at the metadata level. This allows you to bake classification into your organizational configuration, and it’s auditable and easy to update as things change over time. But don’t go rogue: collaboration is needed once again. You should align these activities to your organization’s data classification policies.
Every organization has unique classification rules, but here’s a basic matrix:
| Class | Definition |
|---|---|
| Confidential | Data should not be shared outside of the organization. |
| Restricted | Data should be considered restricted and considered need-to-know within the organization, and shared only with a limited group of team members. |
| Public | Data is available to the public. |
| PII | Data such as names, emails, and addresses. Many policies require PII to be encrypted at rest and in transit. |
| SPII | Data such as bank account numbers and social security numbers. Many policies require SPII to be encrypted at rest and in transit. |
Empowering You to Navigate Compliance and Cybersecurity
Are you ready to get started on implementing the safeguards in your Salesforce security plan? If you want to learn more, we created a resource to empower financial and wealth management professionals and Salesforce administrators with the knowledge and insights they need to navigate the complex world of compliance in the industry: Salesforce and Cybersecurity: A Roadmap for Regulatory Compliance in Wealth Management.
Download Now
