At Red Argyle, we’re a group of Salesforce consultants and champions. Salesforce and data security are things we take very seriously; it’s part of our regular conversations with customers, prospective customers, and the Salesforce community.
Security, privacy, and compliance in your Salesforce organization must be a conversation. No matter your industry, you’re never boring enough not to be a target for a security threat. (Or compliance or privacy issues).
Although Salesforce builds security, privacy, and compliance into its products, these features must be properly assessed and applied to be most effective. This three-part blog series covers the basics of assessing your security, privacy, and compliance needs: How to determine what you have, what you need, and what you should consider to be protected. We’ll follow up with a few quick tips so that any Salesforce administrator can progress on this front.
If this feels intimidating, you don’t have to go it alone! Security is complicated, and we’re here to help if you find things to be a little bit overwhelming.
Know Yourself. How to Assess Security Risks and Exposure.
The security and compliance landscape constantly changes between new threats, changing regulations, new business processes at your company, and new technology. Thinking about security and compliance isn’t a one-time thing–it needs to be part of an ongoing program and continually assessed.
Questions to assess your security and compliance risk:
Below are a few questions to assess your security and compliance risk.
Is your company subject to specific compliance requirements?
At this point, almost everyone needs to think about General Data Protection Regulation (GDPR) or The California Consumer Privacy Act (CCPA), but does your industry have specific needs such as HIPAA Privacy Rule or FINRA?
If so, here’s a good Salesforce resource to help you get familiar with compliance certifications, standards, and regulations.
What is your “attack surface” or areas where Salesforce could be available to other systems or actors?
- Internal Audience exposure
- External Audience exposure (Intentional or accidental)
- Integrations that propagate data to other systems
- Logging and Backups / Archives and associated data protection
In the next two posts of this blog series on data and Salesforce security, we dig deeper into what a Salesforce Admin can do and what an organization as a whole can do with this information. Here’s a valuable Salesforce Trailhead to help you understand why this exercise is important.
Do you understand what data you’re concerned with, and is it classified/inventoried to appropriately sized defenses vs. risk?
- If you have 1000 records vs. ten million in your database, there are different levels of risk.
- If your entire Salesforce instance is just inventory and part numbers, it’s a lower risk than a medical system with patient data.
Our next blog post will cover the technology behind supporting this knowledge. In the meantime, here’s a useful Salesforce Module on Data Privacy.
Begin Down The Path of a Security Program
From even a very high-level risk assessment, there are many ways to begin down the path of a security program. For the next two parts of this series, we’ll dive into the following:
- Some quick technical items to help remediate and improve your security posture.
- More strategic program-level thinking to aid in building out your ongoing security awareness and implementation strategy.
Need help making your data within Salesforce more secure? Let’s talk!