WHITEPAPER
Salesforce Security for the IT Executive
- Albert Summers
Contents

Introduction
Background
Settings Related to Security and Compliance
  Password Settings
  Session Settings
  Login and Authentication Settings
  Time-of-Day Restrictions
  IP Address Restrictions
  Single Sign-On Options
  Identity Confirmation
Data Privacy
  Profiles
  Field-Level Security
  Sharing Settings
  Default Sharing Model
  Sharing Rules
  Roles
  Defaults and Recommendations
Force.com Apex Code and Visualforce
  Apex and Data Privacy
  Creation of Apex Classes
  Recommendations
Force.com AppExchange
Audit Features
Introduction

The Salesforce CRM applications include settings and features that work together to protect your data. As an information technology or information security executive responsible for data privacy, you need to understand how salesforce.com helps to secure your data. Several features and settings are enabled by default; others require specific actions from your Salesforce CRM administrator. If the administrator does not change the default configuration, every user has full access to all data.

This paper is not a detailed how-to guide. Instead, it provides an overview of the most important security-related features and recommendations for enhancing your data security. For more detailed auditing and configuration guidance, see the auditing companion to this paper, the Salesforce CRM Security Audit Guide, and the Security Implementation Guide at

Background

Although this paper primarily focuses on application-specific features and configuration settings of Salesforce CRM, salesforce.com's overall security strategy combines technical infrastructure controls with a strong security governance framework. Our defense-in-depth strategy includes security policies and procedures, infrastructure controls, and secure application development and architectures. Information security at salesforce.com is governed by a comprehensive information security management system. Salesforce.com continues to undergo SAS 70 Type II and SysTrust audits, and it received an ISO 27001 certification from BSI in April. The company performs background checks on all employees, and the entire company completes regular security awareness training sessions.

To ensure the highest level of data protection, salesforce.com's IT infrastructure includes a host of enhancements. All production servers use hardened UNIX/Linux operating systems; additional measures include centralized logging and alerting, intrusion detection, network access control, anti-virus/anti-malware, host-based firewalls, and data loss prevention tools. The core production servers are further protected by Juniper stateful firewalls, Cisco perimeter and core routers, and F5 load balancers. These servers are managed via bastion hosts that require two-factor authentication to access.

The application development lifecycle was also designed with an emphasis on information security. Every salesforce.com developer is trained in secure coding techniques, and every feature requires a security review before it is released into production. Both internal staff and third-party security experts regularly perform security assessments.

Salesforce.com provides strong defense-in-depth strategies and technologies to protect our customers' data. We also provide application-specific features and settings to further protect your Salesforce CRM deployment. You can ensure the ultimate security with a combination of your own security-related configuration settings and salesforce.com's features, policies, and technologies. The remainder of this paper focuses on the steps you can take to ensure the security of your Salesforce CRM deployment.

Settings Related to Security and Compliance

The Salesforce CRM application includes many security-related configuration settings. This section summarizes some of the most important, including password settings, session settings, and login and authentication settings. Consider the default settings as a baseline starting point for security. You can and should implement additional measures, as described in the Appendix of this document and in the Salesforce CRM Security Audit Guide.

Note: Companies that have used Salesforce CRM for several years should be aware that previous default settings were much less restrictive than the current defaults. Moreover, your administrators may have modified several of the security-related parameters.

Password Settings
Password complexity and expiration settings within Salesforce CRM should be configured to comply with your internal policies. Note that the default settings may not be appropriate for companies with stronger security policies. These default settings also do not meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS). The available password settings include expiration timers, history and complexity restrictions, invalid login lockout attempts, and lockout timers.

Session Settings

Several settings can be used to place restrictions on active user sessions. These include configuring the idle session timeout, locking sessions to the IP address used at login, and requiring secure (HTTPS) connections. Many of the default settings should be modified to improve security. In particular, note that the default idle session timeout value is 2 hours and should be lowered for most customers.

Login and Authentication Settings

By default, all users can log in to Salesforce CRM from any IP address at any time of day, subject to the restrictions of the Identity Confirmation feature described below. You can restrict user login access to specific work hours and/or defined ranges of IP addresses. These restrictions are defined based on User Profiles (see Profiles below).

Time-of-Day Restrictions

User logins can be restricted to specific times of the day. Different time-of-day restrictions can be defined for different types of users. See Profiles below.

IP Address Restrictions

User logins can be restricted to specific IP addresses or ranges of IP addresses. IP range restrictions can be configured for the entire organization or for each particular class of user.

Single Sign-On Options

In addition to the standard username and password authentication, Salesforce CRM supports two types of single sign-on methods. To improve user account management, salesforce.com recommends enabling one of the following options:

:: Delegated Authentication. When delegated authentication is enabled, Salesforce CRM makes a Web services call to your organization to authenticate your users, rather than using the native Salesforce CRM passwords.
:: Federated Authentication. Federated authentication directs Salesforce CRM to use the Security Assertion Markup Language (SAML) for user authentication.

Identity Confirmation

The Identity Confirmation feature was developed in part to provide a defense against phishing attacks and/or stolen user credentials. This feature is enabled for all organizations and cannot be disabled. When users attempt to log in to Salesforce CRM via the Web, the API, or a client such as Force.com Connect for Microsoft Outlook, the login is first verified against the time-of-day restrictions and IP address restrictions. If IP address restrictions are used, the Identity Confirmation check described here is not performed, because IP address restrictions already provide enhanced protection. If IP address restrictions are not used, Salesforce CRM checks whether the user's browser or current IP address was previously used to log in to Salesforce CRM. This check is performed by looking for the presence of a certain cookie that is created during a successful login and by referencing an internally stored list of IP addresses from previous successful logins by this user. If the browser has the cookie or is using a previously known IP address, the login proceeds. If the cookie is not present and the connection is coming from a new IP address, the user is directed to a special screen and prompted to click a Send Activation Link button, which sends an activation email to the email address on record for the user's account. This email contains a link for activating the browser.

Data Privacy

Data privacy, or access to your data, is controlled by several features. At the core of data privacy is your default sharing model, which consists of the default settings that control access to standard and custom objects. These default settings can be extended with custom sharing rules, profile settings, and role hierarchies. In addition, you can place restrictions on individual fields of a particular record. The following sections introduce these parameters and highlight important considerations.

Auditing access to data within Salesforce CRM can become very confusing, since several factors must be considered at once. Access to Salesforce CRM data is determined by a combination of Profiles, Field-Level Security, and Sharing Settings, as described below. More details regarding auditing for data privacy can be found in the Salesforce CRM Security Audit Guide and in the sharing cheat sheet at

Profiles

A profile is similar to a role in many enterprise applications, except that each user must have exactly one profile. Every profile includes one or more permissions that define what a user can do within Salesforce CRM, such as adding and removing users or creating custom fields and object types. In addition to detailed permissions, a profile defines the default access privileges to standard and custom objects, such as contacts, accounts, leads, opportunities, and more. Salesforce CRM defines several default profiles, referred to as standard profiles. The available standard profiles depend on the edition of Salesforce CRM in use, and the standard profiles cannot be modified. Reviewing standard profiles for data privacy is relatively simple, since only the System Administrator profile has full administrative access.
For larger companies, however, these standard profiles often do not provide enough fine-grained entitlements. Organizations using Salesforce CRM Enterprise or Unlimited Editions can define custom profiles using any combination of more than 60 individual permissions. Since profiles are the first step in determining data access rights, they should be reviewed closely. If custom profiles have been used, each profile should be examined to determine which privileges it includes and which users have been assigned to it.

Field-Level Security

Field-level security provides granular control over specific fields of Salesforce CRM objects. For example, the email address is a field of the Contact object. Every field in every object can be assigned unique access privileges based on the user's profile. For example, the email address of a contact could be read-only for one profile, hidden for another profile, and fully editable for a third profile. Field-level security rules should be reviewed periodically, since they can override other types of data access settings.

Sharing Settings

The default sharing model and sharing rules are at the core of controlling access to Salesforce CRM data. The sharing settings define the access rights to each Salesforce CRM object and are often confusing if they have been customized over time. In summary, sharing permissions are based on the default permissions (the sharing model) and exception rules (the sharing rules).

Note: Each object type (Account, Contact, Lead, etc.) can have independent sharing models and rules.

Default Sharing Model

Each standard and custom object can be assigned a default sharing rule/model. The options include full read and write for all users, full read and limited write, fully private, and similar combinations. When using a restrictive sharing model such as private or read-only, data access is restricted to the record owner, with two exceptions. First, a sharing rule (described below) can be used to allow additional access. Second, a role hierarchy (described below) can be configured, in which case users higher in the hierarchy (organizational chart) automatically inherit the privileges of the record owner. The salesforce.com security team recommends using a private default sharing model and defining an accurate role hierarchy to better protect sensitive data.

Sharing Rules

Depending on the edition of Salesforce CRM, you can set up rules that define exceptions to the default sharing settings of most objects. In general, a sharing rule consists of three components: the owner, the user with whom to share, and the access permission.

Roles

Roles within Salesforce CRM do not correspond exactly to the traditional concept of a role in Role-Based Access Control (RBAC). Instead, a role in Salesforce CRM is more closely tied to the organizational chart, and each user can be assigned to only a single role. Roles are used by the sharing settings to control access to records. By default, the role hierarchy is not used, because the default sharing settings are Public Read/Write (see Sharing Settings). Once more restrictive sharing settings are enabled (such as a private model), roles and role hierarchies become the primary criteria used to control data access. To properly use role-based sharing, an accurate organization-based role hierarchy should be defined and all users assigned to a role. You can create up to 500 unique roles for your organization; the name of each role is fully customizable.
The default sharing rules follow the role hierarchy: users higher in the hierarchy automatically inherit the privileges of the subordinate roles.

Defaults and Recommendations

The default settings within Salesforce CRM assign Public Read/Write permissions to nearly all records, including leads, contacts, accounts, and custom objects. As a result, all users have full access to every record. When different users require varying levels of data access, salesforce.com strongly recommends defining a role hierarchy that matches your company and specifying a private sharing model for sensitive object types. Restricting access to Salesforce CRM data requires advance planning and testing and involves the following steps:

:: Defining a role hierarchy and assigning a role to every user.
:: Modifying the organization-wide default sharing settings for sensitive object types by setting them to Private.
:: Defining sharing rules to provide role-based exceptions to the default settings.

Force.com Apex Code and Visualforce

(Apex and Visualforce are only available in Force.com Developer Edition and the Salesforce CRM Enterprise and Unlimited Editions.)

Apex is a programming language developers can use to create custom business logic or complete applications on the Force.com platform. Visualforce is a tag-based markup language (similar to HTML and JSP) that gives developers a more powerful way to build applications and customize the Salesforce CRM user interface. A very typical use of Apex and Visualforce is to create a customized Visualforce page that is backed by Apex code written by your developers. This powerful ability to customize Salesforce CRM also presents potential security risks that should be monitored. First, Apex and Visualforce pages can have many of the same security vulnerabilities as any web application and should be reviewed in the same way other internal web applications are reviewed. Second, Apex code can bypass all of the data privacy restrictions previously discussed in this paper.

Apex and Data Privacy

Apex classes are essentially custom code segments you can use to modify almost any data or business logic, or even to make outbound Web services and HTTP requests. One of the most important features of Apex is that, by default, it runs with full system privileges. That means that the user's profile-based permissions, field-level security, and sharing rules are not taken into account during script execution. Security must be enforced by the author of the Apex code. For more information about Apex access controls, see the Data Access Control section of the Apex and Visualforce Security Tips article at Security Controls

Creation of Apex Classes

Apex classes can be created by any user with the Author Apex permission. By default, only the Administrator profile has this permission. However, other users can be granted this permission, or Salesforce CRM administrators can install code written by internal or external developers.

Recommendations

Because Apex classes are so powerful, review the code closely before deploying it. Developers writing Apex should be trained in secure coding practices. A brief summary of some of the more important Apex and Visualforce security concerns can be found in the Apex and Visualforce Security Tips article at

Force.com AppExchange

The Force.com AppExchange is an on-demand application-sharing service from salesforce.com. You can use the AppExchange to browse, install, and share apps and components stored in packages and built for the Force.com platform. You can review apps submitted by other salesforce.com customers, take a test drive, and install the apps. These apps work just like other custom apps within your Salesforce CRM organization.
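Returning to the point made under Apex and Data Privacy above: because Apex runs in system mode, the sharing model, role hierarchy and field-level security described earlier in this paper are not applied unless the author writes the checks. The controller below is an added example written for this page; it is not code from the whitepaper or from salesforce.com. The class name, the hypothetical Visualforce contact-search page it serves, and the error messages are assumptions. It shows the two controls an author has to add by hand: the "with sharing" keyword, which makes record-level sharing apply to the class's SOQL and DML, and explicit field-level security checks through the describe API, which SOQL does not perform for you.

```apex
// Added example for this page (not code from the whitepaper or from salesforce.com).
// Hypothetical controller for a Visualforce contact-search page. Apex runs in
// system mode by default, so both controls below must be written by the author.
public with sharing class ContactSearchController {
    // "with sharing": record-level access (org-wide defaults, role hierarchy,
    // sharing rules) now applies to this class's SOQL and DML. Without the
    // keyword, the query below would return every Contact in the org.

    public List<Contact> results { get; private set; }
    public String errorMessage { get; private set; }

    // Search contacts by (partial) account name, honoring FLS on the fields shown.
    public List<Contact> search(String accountName) {
        results = new List<Contact>();
        errorMessage = null;

        // Field-level security is NOT enforced by SOQL or by "with sharing";
        // check object and field access explicitly through the describe API.
        Schema.DescribeSObjectResult contactDescribe = Schema.SObjectType.Contact;
        if (!contactDescribe.isAccessible()
            || !Schema.SObjectType.Contact.fields.Name.isAccessible()
            || !Schema.SObjectType.Contact.fields.Email.isAccessible()) {
            errorMessage = 'You do not have access to the requested contact fields.';
            return results;
        }

        // A bind variable (:pattern) keeps user input out of the query text,
        // which prevents SOQL injection; never build the query by concatenation.
        String pattern = '%' + accountName + '%';
        results = [SELECT Id, Name, Email
                   FROM Contact
                   WHERE Account.Name LIKE :pattern
                   LIMIT 200];
        return results;
    }

    // Update a contact's email, checking FLS for write access first.
    // "with sharing" makes the DML fail for records the user cannot edit.
    public Boolean updateEmail(Id contactId, String newEmail) {
        errorMessage = null;
        if (!Schema.SObjectType.Contact.isUpdateable()
            || !Schema.SObjectType.Contact.fields.Email.isUpdateable()) {
            errorMessage = 'You do not have permission to edit contact email addresses.';
            return false;
        }
        try {
            update new Contact(Id = contactId, Email = newEmail);
            return true;
        } catch (DmlException e) {
            // Typically INSUFFICIENT_ACCESS_OR_READONLY when sharing denies the record.
            errorMessage = e.getDmlMessage(0);
            return false;
        }
    }
}
```

When reviewing Apex before deployment, as the Recommendations section advises, look for the same two things: classes declared "without sharing" (or with no sharing keyword) that expose query results to end users, and SOQL or DML on fields that are never checked with isAccessible() or isUpdateable(). Later API versions add WITH SECURITY_ENFORCED in SOQL and Security.stripInaccessible() as shorter ways to express the FLS checks; those post-date this paper, while the describe calls above work in any version.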
All AppExchange applications were checked for security flaws by salesforce.com, and salesforce.com reviews AppExchange applications annually. Patches and version upgrades since the last security review have not been reviewed by salesforce.com, so you should review the application in the same manner you review any third-party product.

The applications listed on the AppExchange are packaged in one of two ways: native or composite. Native applications consist only of Salesforce CRM entities such as custom objects, reports, workflows, Apex classes, or Visualforce pages. When native applications are installed, no data is sent to a third-party site. Composite applications include a combination of native features as well as connections to and/or from a third-party data center. The details vary with each application, but data is typically shared between Salesforce CRM and the database of the company providing the application. The application uses the session ID of the currently authenticated user to make a Web services connection to the Force.com API. Because of the nature of this integration, composite applications have the same access rights as the user currently logged in.

Audit Features

The Salesforce CRM application provides several types of audit logs for monitoring logins and changes to your Salesforce CRM organization. All the audit features can be viewed by your Salesforce CRM administrator, including:

:: User Login History. All successful and failed login attempts are recorded and saved for 180 days.
:: Setup Audit Trail. Every configuration (Setup) change is logged and archived for 180 days. The Setup Audit Trail shows each change and who made it. This audit log is especially helpful for organizations with multiple administrators.
:: Object History Tracking. You can select certain standard and custom fields to track their change history. Each time a user modifies one of the tracked fields, an entry is added to the History Related List on the object, showing the time, the user, and the change made. By default, no fields are tracked until the administrator activates tracking.

For More Information

Contact your account executive to learn how we can help you accelerate your CRM success.
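The Audit Features section lists User Login History as a log the administrator can view, but the paper does not say what to look for in it. As an added example, not part of the whitepaper and not salesforce.com's code, the following Apex class queries the LoginHistory object for the last N hours and flags users with repeated failed logins, or a failure followed by a success from the same source IP. The class name, the five-failure threshold, and the flagging rules are assumptions; running it requires a user permitted to read login history (normally an administrator).

```apex
// Added example for this page (not code from the whitepaper or from salesforce.com).
// Reviews User Login History for the last N hours and flags users whose
// pattern of failed and successful logins merits a closer look.
public with sharing class LoginHistoryReview {
    // Threshold is an assumption for the example; tune it to your environment.
    public static final Integer FAILURE_THRESHOLD = 5;

    public class Finding {
        public Id userId;
        public Integer failures = 0;
        public Set<String> failureIps = new Set<String>();
        public Set<String> successIps = new Set<String>();
        public String reason;
    }

    // Returns one Finding per flagged user. Querying LoginHistory requires a
    // user with permission to view login history (normally an administrator).
    public static Map<Id, Finding> review(Integer hoursBack) {
        Datetime since = Datetime.now().addHours(-hoursBack);
        Map<Id, Finding> byUser = new Map<Id, Finding>();

        for (LoginHistory lh : [SELECT UserId, LoginTime, SourceIp, Status
                                FROM LoginHistory
                                WHERE LoginTime >= :since
                                ORDER BY LoginTime ASC]) {
            Finding f = byUser.get(lh.UserId);
            if (f == null) {
                f = new Finding();
                f.userId = lh.UserId;
                byUser.put(lh.UserId, f);
            }
            // Status is 'Success' for a successful login; any other value
            // (for example 'Invalid Password') counts as a failure here.
            if (lh.Status == 'Success') {
                f.successIps.add(lh.SourceIp);
            } else {
                f.failures++;
                f.failureIps.add(lh.SourceIp);
            }
        }

        Map<Id, Finding> flagged = new Map<Id, Finding>();
        for (Finding f : byUser.values()) {
            if (f.failures >= FAILURE_THRESHOLD) {
                f.reason = f.failures + ' failed logins in the window';
                flagged.put(f.userId, f);
                continue;
            }
            // A failure and then a success from the same source IP is the
            // pattern most worth checking (possible guessed or reset password).
            for (String ip : f.failureIps) {
                if (f.successIps.contains(ip)) {
                    f.reason = 'failed then succeeded from ' + ip;
                    flagged.put(f.userId, f);
                    break;
                }
            }
        }
        return flagged;
    }
}
```

From anonymous Apex, a review of the last day is one statement: for (LoginHistoryReview.Finding f : LoginHistoryReview.review(24).values()) System.debug(f.userId + ': ' + f.reason); Because login history is kept for only 180 days, an organization that wants a longer baseline of known source IPs per user should export the records on a schedule rather than rely on the in-application log alone.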
Control-M and Payment Card Industry Data Security Standard (PCI DSS) White paper PAGE 1 OF 16 Copyright BMC Software, Inc. 2016 Contents Introduction...3 The Need...3 PCI DSS Related to Control-M...4 Control-M
More informationAppPulse Point of Presence (POP)
AppPulse Point of Presence Micro Focus AppPulse POP service is a remotely delivered solution that provides a managed environment of Application Performance Management. AppPulse POP service supplies real-time
More informationTotal Security Management PCI DSS Compliance Guide
Total Security Management PCI DSS Guide The Payment Card Industry Data Security Standard (PCI DSS) is a set of regulations to help protect the security of credit card holders. These regulations apply to
More informationCloud Security Whitepaper
Cloud Security Whitepaper Sep, 2018 1. Product Overview 3 2. Personally identifiable information (PII) 3 Using Lookback without saving any PII 3 3. Security and privacy policy 4 4. Personnel security 4
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationTIPS AND HINTS FOR SHARING DATA
TIPS AND HINTS FOR SHARING DATA Summary Salesforce provides many flexible options for you to control how records are shared within your organization. To specify the objects and tabs that a user can access,
More informationOracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016
Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E69079-01 June 2016 Copyright 2016, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided
More informationInstallation & Configuration Guide Enterprise/Unlimited Edition
Installation & Configuration Guide Enterprise/Unlimited Edition Version 2.3 Updated January 2014 Table of Contents Getting Started... 3 Introduction... 3 Requirements... 3 Support... 4 Recommended Browsers...
More informationSecuring Your Salesforce Org: The Human Factor. February 2016 User Group Meeting
Securing Your Salesforce Org: The Human Factor February 2016 User Group Meeting Safe Harbor Safe harbor statement under the Private Securities Litigation Reform Act of 1995: This presentation may contain
More informationSecurity Standards for Electric Market Participants
Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system
More informationISO/IEC Solution Brief ISO/IEC EventTracker 8815 Centre Park Drive, Columbia MD 21045
Solution Brief 8815 Centre Park Drive, Columbia MD 21045 About delivers business critical software and services that transform high-volume cryptic log data into actionable, prioritized intelligence that
More informationSALESFORCE CERTIFIED TECHNICAL ARCHITECT
Certification Exam Guide SALESFORCE CERTIFIED TECHNICAL ARCHITECT Winter 18 2017 Salesforce.com, inc. All rights reserved. S ALESFORCE CERTIFIED TECHNICAL ARCHITECT CONTENTS About the Salesforce Certified
More informationOracle Payment Interface Token Proxy Service Security Guide Release 6.1 E November 2017
Oracle Payment Interface Token Proxy Service Security Guide Release 6.1 E87635-01 November 2017 Copyright 2017, Oracle and/or its affiliates. All rights reserved. This software and related documentation
More informationThe Value of Force.com as a GRC Platform
The Value of Force.com as a GRC Platform Andy Evans - Xactium Limited March 2009 Executive Summary The importance of governance, risk and compliance (GRC) activities to organizations has become increasingly
More informationSALESFORCE CERTIFIED TECHNICAL ARCHITECT
Certification Exam Guide SALESFORCE CERTIFIED TECHNICAL ARCHITECT Spring 18 2018 Salesforce.com, inc. All rights reserved. S ALESFORCE CERTIFIED TECHNICAL ARCHITECT CONTENTS About the Salesforce Certified
More informationSalesforce1 Mobile Security White Paper. Revised: April 2014
Salesforce1 Mobile Security White Paper Revised: April 2014 Table of Contents Introduction Salesforce1 Architecture Overview Authorization and Permissions Communication Security Authentication OAuth Pairing
More informationHow-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018
How-to Guide: Tenable Nessus for Microsoft Azure Last Updated: April 03, 2018 Table of Contents How-to Guide: Tenable Nessus for Microsoft Azure 1 Introduction 3 Auditing the Microsoft Azure Cloud Environment
More informationSecurity and Compliance at Mavenlink
Security and Compliance at Mavenlink Table of Contents Introduction....3 Application Security....4....4....5 Infrastructure Security....8....8....8....9 Data Security.... 10....10....10 Infrastructure
More informationSailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities
SailPoint IdentityIQ Integration with the BeyondInsight Platform Providing Complete Visibility and Auditing of Identities Table of Contents Executive Summary... 3 Identity and Access Management... 5 BeyondTrust
More informationSiebel CRM. Siebel Security Hardening Guide Siebel Innovation Pack 2015 E
Siebel CRM Siebel Security Hardening Guide Siebel Innovation Pack 2015 E24815-01 May 2015 Siebel Security Hardening Guide, Siebel Innovation Pack 2015 E24815-01 Copyright 2005, 2015 Oracle and/or its affiliates.
More informationPlatform Settings for Classic Devices
The following topics explain Firepower platform settings and how to configure them on Classic devices: Introduction to Firepower Platform Settings, page 1 Configuring Firepower Platform Settings, page
More informationCitiDirect BE SM Mobile
CitiDirect BE SM Mobile User Guide Treasury and Trade Solutions CitiDirect BE Mobile Table of Contents Table of Contents CitiDirect BE SM Mobile Introduction...2 How to use CitiDirect BE Mobile For Entitled
More informationCertification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Winter Salesforce.com, inc. All rights reserved.
Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER Winter 18 2017 Salesforce.com, inc. All rights reserved. S ALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER
More informationThe Common Controls Framework BY ADOBE
The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.
More informationSoftLayer Security and Compliance:
SoftLayer Security and Compliance: How security and compliance are implemented and managed Introduction Cloud computing generally gets a bad rap when security is discussed. However, most major cloud providers
More informationUniversity of Pittsburgh Security Assessment Questionnaire (v1.7)
Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided
More informationSecure Access & SWIFT Customer Security Controls Framework
Secure Access & SWIFT Customer Security Controls Framework SWIFT Financial Messaging Services SWIFT is the world s leading provider of secure financial messaging services. Their services are used and trusted
More informationTRACKVIA SECURITY OVERVIEW
TRACKVIA SECURITY OVERVIEW TrackVia s customers rely on our service for many mission-critical applications, as well as for applications that have various compliance and regulatory obligations. At all times
More informationSALESFORCE CERTIFIED PLATFORM APP BUILDER
Certification Exam Guide SALESFORCE CERTIFIED PLATFORM APP BUILDER Winter 18 2017 Salesforce.com, inc. All rights reserved. S ALESFORCE CERTIFIED PLATFORM APP BUILDER CONTENTS About the Salesforce Certified
More informationBEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE
BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE OUR ORGANISATION AND SPECIALIST SKILLS Focused on delivery, integration and managed services around Identity and Access Management.
More informationNovell Access Manager 3.1
Technical White Paper IDENTITY AND SECURITY www.novell.com Novell Access Manager 3.1 Access Control, Policy Management and Compliance Assurance Novell Access Manager 3.1 Table of Contents: 2..... Complete
More information10 FOCUS AREAS FOR BREACH PREVENTION
10 FOCUS AREAS FOR BREACH PREVENTION Keith Turpin Chief Information Security Officer Universal Weather and Aviation Why It Matters Loss of Personally Identifiable Information (PII) Loss of Intellectual
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Interim Director
More informationHikCentral V1.3 for Windows Hardening Guide
HikCentral V1.3 for Windows Hardening Guide Contents Introduction... 1 1. The Operating System - Microsoft Windows Security Configuration... 2 1.1Strict Password Policy... 2 1.2Turn Off Windows Remote
More informationS-Drive Installation Guide v1.18
S-Drive Installation Guide v1.18 Important Note This installation guide contains basic information about S-Drive installation. Refer to the S-Drive Advanced Configuration Guide for advanced installation/configuration
More informationSystem Security Features
System Security Features Overview Azeus Convene provides excellent user experience in holding meetings, as well as sharing, collaborating and accessing documents without compromising security. By using
More informationSecurity Readiness Assessment
Security Readiness Assessment Jackson Thomas Senior Manager, Sales Consulting Copyright 2015 Oracle and/or its affiliates. All rights reserved. Cloud Era Requires Identity-Centric Security SaaS PaaS IaaS
More informationSecurity Enhancements
OVERVIEW Security Enhancements February 9, 2009 Abstract This paper provides an introduction to the security enhancements in Microsoft Windows 7. Built upon the security foundations of Windows Vista, Windows
More informationSkyFormation for Salesforce. Cloud Connector
SkyFormation for Salesforce Cloud Connector Overview Salesforce provides a broad set of customers and sales automation and management services delivered as a cloud service. Salesforce helps organizations
More informationSalesforce.com Summer '10 Release Notes
Salesforce.com: Summer '10 Salesforce.com Summer '10 Release Notes Last updated: July 20, 2010 Copyright 2000-2010 salesforce.com, inc. All rights reserved. Salesforce.com is a registered trademark of
More informationHIPAA Regulatory Compliance
Secure Access Solutions & HIPAA Regulatory Compliance Privacy in the Healthcare Industry Privacy has always been a high priority in the health profession. However, since the implementation of the Health
More informationSALESFORCE CERTIFIED MOBILE SOLUTIONS ARCHITECTURE DESIGNER
Certification Exam Guide SALESFORCE CERTIFIED MOBILE SOLUTIONS ARCHITECTURE DESIGNER Winter 18 2017 Salesforce.com, inc. All rights reserved. S ALESFORCE CERTIFIED MOBILE SOLUTIONS ARCHITECTURE DESIGNER
More informationEvaluation Guide Host Access Management and Security Server 12.4 SP1 ( )
Evaluation Guide Host Access Management and Security Server 12.4 SP1 (12.4.10) Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions,
More informationBest practices with Snare Enterprise Agents
Best practices with Snare Enterprise Agents Snare Solutions About this document The Payment Card Industry Data Security Standard (PCI/DSS) documentation provides guidance on a set of baseline security
More informationPayment Card Industry Data Security Standard (PCI-DSS) Implementation Guide For XERA POS Version 1
Payment Card Industry Data Security Standard (PCI-DSS) Implementation Guide For XERA POS Version 1 2 XERA POS Payment Card Industry Data Security Standard (PCI-DSS) Implementation Guide XERA POS Version
More informationManaging and Auditing Organizational Migration to the Cloud TELASA SECURITY
Managing and Auditing Organizational Migration to the Cloud 1 TELASA SECURITY About Me Brian Greidanus bgreidan@telasasecurity.com 18+ years of security and compliance experience delivering consulting
More informationitools Configuration Manager Configuration Guide
itools Configuration Manager Configuration Guide Last Revised: May 10, 2013 Copyright 2009-2013 Insitu Software LLC. All rights reserved. This document may be reprinted without permission. Salesforce.com
More informationSecurity Information & Policies
Security Information & Policies 01 Table of Contents OVERVIEW CHAPTER 1 : CHAPTER 2: CHAPTER 3: CHAPTER 4: CHAPTER 5: CHAPTER 6: CHAPTER 7: CHAPTER 8: CHAPTER 9: CHAPTER 10: CHAPTER 11: CHAPTER 12: CHAPTER
More informationAPPLICATION & INFRASTRUCTURE SECURITY CONTROLS
APPLICATION & INFRASTRUCTURE SECURITY CONTROLS ON THE KINVEY PLATFORM APPLICATION KINVEY PLATFORM SERVICES END-TO-END APPLICATION & INFRASTRUCTURE SERCURITY CONTROLS ENTERPRISE DATA & IDENTITY 2015 Kinvey,
More informationRSA Solution Brief. The RSA Solution for VMware. Key Manager RSA. RSA Solution Brief
RSA Solution Brief The RSA Solution for VMware View: Managing Securing the the Lifecycle Virtual of Desktop Encryption Environment Keys with RSA Key Manager RSA Solution Brief 1 According to the Open Security
More informationData Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle
Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government
More information