5. Enforce record-level access control through sharing rules
6. Set up field-level data visibility according to user roles
7. Task: Password strength and expiration policy settings
8. Ensure audit trails are enabled
9. Configure login hours for different roles
10. Set up IP whitelisting
11. Task: Enable two-factor authentication for users with sensitive access
12. Monitor data usage and storage limits
13. Schedule regular data backups
14. Establish a disaster recovery plan
15. Approval: Setup of managed packages for advanced security features
16. Ensure software builds and patches are up to date
17. Secure third-party integration points
18. Ensure all communication is SSL encrypted
19. Prepare a response plan for security incidents
20. Approval: Final Security Checklist Process
Review existing security protocols
Review and evaluate the security protocols currently in place for Salesforce. Determine whether they are effective and adequate to protect user data and system integrity, and identify any vulnerabilities or weaknesses that need to be addressed.
Questions: What are the current security protocols being used? Are they up to industry standards? Are there any known vulnerabilities or weaknesses?
Resources/Tools: Salesforce documentation, security monitoring software
Options:
1. Yes
2. No
Identify users and their roles
Identify every user who has access to Salesforce and their respective role. Record the level of access each user currently has and check that it matches their role and responsibilities.
Questions: Who are the current users of Salesforce? What are their roles and responsibilities? Is their access level appropriate for their role?
Resources/Tools: Salesforce user management, organizational chart
Options:
1. Yes
2. No
Task: Determine appropriate user access levels
Set the appropriate access level for each user based on their role and responsibilities. Decide which permissions and restrictions are needed to preserve data security and system integrity.
Questions: What access level does each user require based on their role and responsibilities?
Resources/Tools: Salesforce user management, organizational chart
Options:
1. Full access
2. Read-only access
3. Restricted access
4. Custom access
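An inventory that answers the two tasks above (who the users are, what profile, role and extra permission sets define their access, and who no longer logs in), as an added example that is not part of this checklist: SOQL queries against the standard User and PermissionSetAssignment objects. The 90-day dormancy threshold is an assumption; adjust it to your own policy.

```sql
-- Added example, not part of the checklist. Run each query on its own in the
-- Developer Console, Workbench or the Salesforce CLI (SOQL has no batch separator).

-- 1. Every active user with the profile and role that define their baseline access.
SELECT Username, Name, UserType, Profile.Name, UserRole.Name, LastLoginDate
FROM User
WHERE IsActive = true
ORDER BY Profile.Name, UserRole.Name, Username

-- 2. Permission sets assigned on top of the profile. These widen access and are easy
--    to miss when reviewing by profile alone; profile-owned permission sets are excluded.
SELECT Assignee.Username, PermissionSet.Label, PermissionSet.Name
FROM PermissionSetAssignment
WHERE PermissionSet.IsOwnedByProfile = false
ORDER BY Assignee.Username

-- 3. Active users who have never logged in or have not logged in for 90 days
--    (assumed threshold): candidates for deactivation or a reduced access level.
SELECT Username, Profile.Name, LastLoginDate
FROM User
WHERE IsActive = true AND (LastLoginDate = null OR LastLoginDate < LAST_N_DAYS:90)
ORDER BY LastLoginDate NULLS FIRST
```

Export the results next to the organizational chart and resolve each mismatch (a profile or permission set broader than the role requires, or a dormant account) before moving on to the access-control tasks.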
Implement role-based object-level access control
Configure object-level access control so that each user role can reach only the Salesforce objects its responsibilities require.
Questions: Which Salesforce objects should be restricted for each user role?
Resources/Tools: Salesforce object-level access control, organizational chart
Options:
1. Accounts
2. Contacts
3. Opportunities
4. Cases
5. Leads
Enforce record-level access control through sharing rules
Set up record-level access control through sharing rules so that users can open only the records in Salesforce they are entitled to see.
Questions: Which records should be restricted for each user role?
Resources/Tools: Salesforce sharing rules, organizational chart
Options:
1. All records
2. Owned records
3. Public records
4. Custom records
Set up field-level data visibility according to user roles
Configure field-level security to determine which fields users can view and edit based on their role and responsibilities.
Questions: Which fields should be visible or editable for each user role?
Resources/Tools: Salesforce field-level security, organizational chart
Options:
1. All fields
2. Specific fields
3. Custom fields
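A way to verify the object-level, record-level and field-level tasks above before they are signed off, as an added example that is not part of this checklist: SOQL queries against the standard ObjectPermissions and FieldPermissions objects. The object list mirrors the options in the object-level task; the Contact.Email field is a constructed example standing in for whichever fields you classify as sensitive.

```sql
-- Added example, not part of the checklist. Run each query on its own.

-- 1. Object-level CRUD per profile / permission set for the objects named in the task.
--    PermissionsViewAllRecords / PermissionsModifyAllRecords bypass sharing rules entirely,
--    so a true value on a non-administrator profile undoes the record-level task.
SELECT Parent.Label, Parent.IsOwnedByProfile, Parent.Profile.Name, SobjectType,
       PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete,
       PermissionsViewAllRecords, PermissionsModifyAllRecords
FROM ObjectPermissions
WHERE SobjectType IN ('Account', 'Contact', 'Opportunity', 'Case', 'Lead')
ORDER BY SobjectType, Parent.Label

-- 2. Field-level: who can read or edit one sensitive field ('Contact.Email' is a
--    constructed example). FieldPermissions only returns rows where read or edit is
--    granted, so a profile with no row has no access to the field.
SELECT Parent.Label, Parent.Profile.Name, Field, PermissionsRead, PermissionsEdit
FROM FieldPermissions
WHERE SobjectType = 'Contact' AND Field = 'Contact.Email'
ORDER BY Parent.Label
```

Rows where Parent.IsOwnedByProfile is false belong to permission sets; check those against the assignment list, since a permission set can grant an object or field that the user's profile deliberately withholds.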
Task: Password strength and expiration policy settings
Implement password strength and expiration policies to protect user accounts in Salesforce. Set requirements for password complexity, length and expiration, and for locking an account after repeated failed login attempts.
Questions: What are the password requirements for user accounts in Salesforce? How often should passwords expire? How many failed login attempts should trigger an account lock?
Resources/Tools: Salesforce user management, password policy settings
Options:
1. Complexity (e.g., uppercase, lowercase, numbers, special characters)
2. Length (minimum number of characters)
3. Expiration period (e.g., 30 days, 60 days)
4. Account lock after failed login attempts
Ensure audit trails are enabled
Enable audit trails to track and monitor user and administrator activity in Salesforce, so that unauthorized access or suspicious activity can be identified.
Questions: Are audit trails enabled in Salesforce? How long should audit trail logs be retained?
Resources/Tools: Salesforce audit trail settings, compliance regulations
Options:
1. Yes
2. No
Configure login hours for different roles
Set login hour restrictions for each user role to control when Salesforce can be accessed.
Questions: What are the allowed login hours for each user role?
Resources/Tools: Salesforce login hour settings, organizational chart
Options:
1. 24/7 access
2. Restricted hours
3. Custom hours
Set up IP whitelisting
Configure IP whitelisting so that Salesforce can be reached only from authorized IP addresses. This adds a further layer of protection against unauthorized access.
Questions: Which IP addresses should be whitelisted?
Resources/Tools: Salesforce IP whitelisting settings, network security policies
Options:
1. Specific IP addresses
2. IP ranges
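Once audit trails, login hours and IP restrictions are in place, the rejected attempts and the setup changes they produce are worth reviewing on a schedule. As an added example that is not part of this checklist, two SOQL queries against the standard LoginHistory and SetupAuditTrail objects do that for the last seven days; the seven-day window is an assumption.

```sql
-- Added example, not part of the checklist. Run each query on its own.

-- 1. Every non-successful login in the last 7 days (assumed window). Status carries the
--    reason Salesforce recorded, which distinguishes login-hour and IP-range rejections
--    from wrong passwords; repeated failures from one SourceIp deserve a closer look.
SELECT LoginTime, UserId, SourceIp, Status, LoginType, Application
FROM LoginHistory
WHERE LoginTime = LAST_N_DAYS:7 AND Status != 'Success'
ORDER BY LoginTime DESC
LIMIT 200

-- 2. Setup changes in the same window: the audit trail records who changed what in Setup,
--    so a change to profiles, login hours or IP ranges that no ticket explains stands out.
SELECT CreatedDate, CreatedBy.Name, Section, Action, Display
FROM SetupAuditTrail
WHERE CreatedDate = LAST_N_DAYS:7
ORDER BY CreatedDate DESC
```

Schedule the export of both result sets to whatever system holds your retained logs, since the retention question in the audit-trail task is only answerable if the records are copied out before Salesforce ages them off.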
Task: Enable two-factor authentication for users with sensitive access
Enable two-factor authentication for users with sensitive access to Salesforce. This adds a further layer of protection by requiring a second form of authentication, such as a code sent to the user's mobile device.
Questions: Which users should have two-factor authentication enabled?
Resources/Tools: Salesforce two-factor authentication settings, user access level classification
Options:
1. All users with sensitive access
2. Only specific users with sensitive access
Monitor data usage and storage limits
Monitor data usage and storage limits to keep Salesforce within its allocated limits. This helps prevent data loss and maintains system performance.
Questions: How often should data usage and storage limits be monitored? What actions need to be taken if the limits are exceeded?
Resources/Tools: Salesforce data usage and storage monitoring tools, storage allocation information
Options:
1. Daily
2. Weekly
3. Monthly
Schedule regular data backups
Set up a regular schedule for backing up Salesforce data so that it can be recovered after accidental deletion, data corruption or system failure.
Questions: How often should data backups be scheduled? Where should the backup data be stored?
Resources/Tools: Salesforce data backup settings, data storage options
Options:
1. Daily
2. Weekly
3. Monthly
Establish a disaster recovery plan
Create and document a disaster recovery plan for Salesforce to ensure business continuity in the event of a natural disaster, system failure or other unforeseen event.
Questions: What are the key components of the disaster recovery plan? Who should be involved in executing the plan?
Resources/Tools: Salesforce disaster recovery planning guidelines, communication tools
Approval: Setup of managed packages for advanced security features
Will be submitted for approval:
1. Set up field-level data visibility according to user roles (will be submitted)
2. Configure login hours for different roles (will be submitted)
3. Set up IP whitelisting (will be submitted)
4. Monitor data usage and storage limits (will be submitted)
5. Schedule regular data backups (will be submitted)
6. Establish a disaster recovery plan (will be submitted)
Ensure software builds and patches are up to date
Regularly check for software updates, bug fixes and security patches for Salesforce so that the system runs on the latest stable version.
Questions: How often should software builds and patches be checked for updates? Who is responsible for applying these updates?
Resources/Tools: Salesforce release notes, software update management tools
Options:
1. Monthly
2. Quarterly
3. Annually
Secure third-party integration points
Review and secure all third-party integrations with Salesforce so that data transferred between systems is protected.
Questions: What third-party integrations exist with Salesforce? How is the data transfer secured?
Resources/Tools: Salesforce integrations documentation, third-party security guidelines
Ensure all communication is SSL encrypted
Ensure that all communication between users and Salesforce is encrypted using SSL (Secure Sockets Layer) to protect data in transit.
Questions: Is SSL encryption enabled for all communication? How is SSL encryption enforced?
Resources/Tools: Salesforce security settings, SSL certificate management
Options:
1. Yes
2. No
Prepare a response plan for security incidents
Create a response plan for handling security incidents in Salesforce effectively and efficiently. Define the steps to take in the event of a security breach or unauthorized access.
Questions: What are the key steps in the response plan? Who should be notified in the event of a security incident?
Resources/Tools: Salesforce incident response guidelines, communication tools
Approval: Final Security Checklist Process
Will be submitted for approval:
1. Review existing security protocols (will be submitted)
2. Identify users and their roles (will be submitted)
3. Implement role-based object-level access control (will be submitted)
4. Enforce record-level access control through sharing rules