You are using an older browser that might negatively affect how this site is displayed. Please update to a modern browser to have a better experience. Sorry for the inconvenience!

How to meet Salesforce standard security in your organization with Custom Baseline


Some of you already might know that last year Salesforce released a new feature both in Lightning Experience and Salesforce Classic that allows admins to run a Health Check to recognize and settle potential vulnerabilities in your security settings, all from a single page. A summary score demonstrates how your organization measures against a security baseline, like the Salesforce Baseline Standard.

Normally we used to compare the Salesforce standard base line for the Session Settings, Password Policies, and Network Access setting groups. If you change all groups’ settings to be less restrictive than what’s in the Salesforce Baseline standard, your health check score will be low.

Since the new element was introduced- Import Custom Baseline in the Summer 17‘release with GA, now you can customize the Health Check security baseline to compare your org’s security settings with industry standards. With Custom baseline, it is so easy to check if your security settings with industry standards are as tight as Salesforce prescribes. You can upload maximum of five custom baselines to use.

How to create Custom Baseline for Health Check 

You can import up to five custom baselines to contrast your organization’s security settings and your own baseline, rather than utilizing Salesforce suggested standards. For instance, in case you’re a financial industry business, you can create a custom security benchmark utilizing FINRA models. To create a custom baseline, you should start with the Salesforce Baseline Standard.

From the Setup [Symbol] Enter Health Check in the Quick Find box, then select the Health Check.

Steps: 

  1. Export the Salesforce Baseline Standard record by choosing Export XML from the Baseline Controls menu.

  1. Open the XML File, and change the developerName field to an extraordinary value. You can utilize letters and numbers; however, the name must start with a letter. It can’t contain spaces or unique characters.

  1. Change the name field from “SFDCRecommended” to a clear value. This field is the baseline name that displays in Salesforce. Spaces and some exceptional characters are permitted. If the name field contains “SFDC recommended ” or “Salesforce Baseline Standard,” your file fails to import.
  1. Change the hazard classifications to modify your scoring. The hazard classification that each setting is in impacts your Health Check score. A setting in a higher hazard class is weighted as more essential than a lower one. Moving a setting to the Informational classification expels it from the Health Check score estimation.
  1. Alter the settings values by taking after the Custom Baseline File Requirements. Not all value can be changed, and a few settings have confined value option. Try not to include or delete risk categories, setting names, or quotes. If you do, your imports fail.
  1. Save your file, and import it by selecting Import XML from the Baseline Controls menu.

  1. To confirm that your file was uploaded, click the baseline dropdown and then select your file. So, that the score will be calculated based on your custom baseline.

How the scores get calculated?

A proprietary formula calculates the Health Check score by measuring how well your security settings meet the Salesforce baseline standard or Custom Baseline. Some settings might meet or exceed the standard causing your score to be raised while settings not meeting the standard requirement will lower your score.

According to the Salesforce Security Implementation Guide – “some settings like Minimum Password Length have a heavier weight, so they have a higher impact on your score”. If you have changed your password to be less restrictive, the Health Check will list this as a risk.

The cool feature is that you can address any deficiencies as you see fit, with only a couple of clicks, right from the dashboard!

Note 

You can only use Fix Risks button to change security setting like the Login Access Policies, Password Policies, and Session Settings groups. If a setting you need to modify does not show up on the Fix Risks screen, then you need change them manually utilizing the Edit link on the Health Check page.

By default, Salesforce provides the option for Admin to run health check. Other than Admin, if any users need to run Health check, they must be enabled with the following user permission.  To view Health Check and Export custom baseline View Health Check should be enabled and to import custom baselines Manage Health Check user permission should be enabled.

Conclusion 

Every organization needs to maintain the highest level of security for their working environments. The higher the security standard in Health Check, the lower the risks from vulnerable attacks. Thus, for an optimal SF environment of your business, it is best to remain aware of and keep up these security norms to limit chance.