Shamun,
So whereas vendor documents like these may be a good starting point, they (any vendor-supplied document) only address the questions to which they have good answers! The challenge is to find the comprehensive list of "nasty questions" - in this case I'd be asking "what happens if I want to use my own encryption key?", "what happens if the US government requests my data on your servers?", "where do you stand on the US DOJ CLOUD Act?".
We saw this (in spades) when editing Guidance v3; with vendors objecting to specific parts because (guess what) their product could not do that, or it put their product in a dark light.
My 2 cents
Paul
------------------------------
Paul Simmonds
CSA UK Chapter
------------------------------
Original Message:
Sent: Jul 10, 2020 04:32:45 PM
From: Shamun Mahmud
Subject: Salesforce (SFDC) and Security
Many enterprises ask, "How secure is my data in Salesforce (SFDC)?" SFDC has compiled a good baseline of documents for such Q&A. The repository is located here: https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/salesforce_security_guide.htm
"Salesforce is built with security to protect your data and applications. You can also implement your own security scheme to reflect the structure and needs of your organization. Protecting your data is a joint responsibility between you and Salesforce. The Salesforce security features enable you to empower your users to do their jobs safely and efficiently."
Some questions to ponder:
1) How many enterprises are using SFDC's guidance repository?
2) How are they leveraging the repository?
3) Do enterprises consider the repository to be complete?
4) If not, which other sources are enterprises seeking out for security best practices?
------------------------------
Shamun Mahmud
Standards Officer, Sr. Research Analyst
Cloud Security Alliance
WA
------------------------------