Effective March 1, 2017, the New York State Department of Financial Services (NYDFS) issued new cybersecurity regulations (23 NYCRR Part 500), which require “covered entities” (as defined in the regulation), such as banks, insurance companies, and financial services firms regulated by the NYDFS, to maintain a cybersecurity program to protect the privacy of consumers’ sensitive information and ensure the safety of New York’s financial services industry.
At Salesforce, trust is our number one value. To that end, we’ve built trust.salesforce.com as a transparent way to share our best practices with the Salesforce community. I’d also like to share some thoughts about the impact of this and similar rules, and discuss several steps Salesforce customers can take today to improve their cybersecurity posture. I’ve also included a few learning modules from Trailhead (our fun, free way to learn Salesforce) that allow you to learn about and try out the built-in security measures that Salesforce offers.
The NYDFS regulation imposes a number of requirements on covered entities, including maintaining a cybersecurity program and the corresponding written policies detailing the steps that must be taken to protect “nonpublic information” (as defined in the regulation). Covered entities have 180 days from the effective date (March 1, 2017) to comply with most requirements, though certain provisions carry transitional periods of up to two years after the effective date. Organizations should seek legal and compliance guidance to determine how to comply with the regulations in accordance with their respective compliance programs.
Salesforce provides a tool that can help assess your organization’s security compliance readiness: Salesforce Health Check. This tool scans your Salesforce security configurations and provides Salesforce best-practice recommendations. You can learn how to use Health Check by taking this Salesforce Trailhead learning module. (Note that this tool is not specific to NYDFS cybersecurity regulations.)
Beyond using this valuable tool as an initial measure, organizations should keep in mind the following five industry trends that tightly align with Salesforce’s view of best practices.
Designate a Chief Information Security Officer (CISO) — either an internal or third-party individual — who is responsible for overseeing the organization’s cybersecurity program. Reporting findings annually can help ensure accountability and confirm the cybersecurity program is implemented in accordance with the organization’s needs.
Implement effective controls such as multifactor authentication (or a “reasonably equivalent control”) for all users seeking access to your Salesforce org. This is a critical aspect of our best practices at Salesforce, and we provide several tools to make this easy for you. Our Security Best Practices page lays out our approach, and highlights the three most important practices:
Setting strong password policies (see how by taking the Trailhead Security Settings module)
Enabling two-factor authentication, which is even easier with Salesforce’s Lightning Login (Trailhead User Authentication module)
Limiting login IP ranges (Trailhead Control Access module)
Maintain audit trails designed to detect and respond to cybersecurity events. These records should be maintained for the time period designated under each firm’s compliance program. Salesforce Shield customers can enjoy this functionality with Field Audit Trail, a feature that allows companies to create forensic data-level audit trails with up to 10 years of history, and set triggers when data is deleted. (Learn more about our Field Audit Trail or try it out with our Trailhead module.)
Work to implement policies and procedures to monitor unusual activity by authorized users and to detect unauthorized access to, or use of, nonpublic information. Salesforce provides Login Forensics, a feature that can help you identify suspicious login activity in your Salesforce org. It provides key user access data, including unusual login patterns.
For Salesforce Shield customers, Event Monitoring allows companies to see who is accessing critical business data, when, and from where, for both compliance and performance optimization. Salesforce also exposes this data via API so it can be fed into any data visualization, Security Information and Event Management (SIEM), or other application monitoring tool. As a further step, Transaction Security is a framework that intercepts real-time Salesforce events and applies actions and notifications based on security policies your organization defines. When a policy is triggered, you can receive a notification and optionally have an action taken. (Learn more about Event Monitoring or try it out by taking the Event Monitoring Trailhead module or the Transaction Security Trailhead module.)
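The login IP range restriction mentioned under the authentication practices above and the “unusual login pattern” monitoring described here both come down to rules run over the login records the platform exposes. The following Python example is added here and is not Salesforce code or a Salesforce API: it parses a constructed CSV in the shape of a Salesforce Event Monitoring Login event log file (the column names are modelled after that event type’s fields, which is an assumption; the rows are invented) and flags three patterns a SIEM rule set would typically carry: a login from outside the org’s allowed IP ranges, a burst of failed logins for one user followed by a success, and a successful login outside business hours. The allowed ranges, business hours and thresholds are hypothetical policy inputs.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not a real export) in the shape of an Event Monitoring
# "Login" event log file. Assumption: column names follow that event type;
# real files carry many more columns. IPs are documentation ranges.
SAMPLE_LOGIN_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,SOURCE_IP,LOGIN_STATUS
Login,2017-03-01T09:00:00.000Z,alice@example.com,203.0.113.10,LOGIN_NO_ERROR
Login,2017-03-01T09:05:00.000Z,bob@example.com,203.0.113.25,LOGIN_NO_ERROR
Login,2017-03-01T09:07:00.000Z,alice@example.com,203.0.113.10,LOGIN_NO_ERROR
Login,2017-03-01T11:30:00.000Z,alice@example.com,198.51.100.77,LOGIN_NO_ERROR
Login,2017-03-01T22:10:00.000Z,bob@example.com,203.0.113.25,LOGIN_ERROR_INVALID_PASSWORD
Login,2017-03-01T22:10:20.000Z,bob@example.com,203.0.113.25,LOGIN_ERROR_INVALID_PASSWORD
Login,2017-03-01T22:10:45.000Z,bob@example.com,203.0.113.25,LOGIN_ERROR_INVALID_PASSWORD
Login,2017-03-01T22:11:05.000Z,bob@example.com,203.0.113.25,LOGIN_ERROR_INVALID_PASSWORD
Login,2017-03-01T22:11:30.000Z,bob@example.com,203.0.113.25,LOGIN_ERROR_INVALID_PASSWORD
Login,2017-03-01T22:12:00.000Z,bob@example.com,203.0.113.25,LOGIN_NO_ERROR
"""

# Hypothetical policy inputs: the corporate ranges the org allows for login
# (mirroring the profile-level "login IP ranges" setting), the UTC hours in
# which interactive logins are expected, and the failure-burst threshold.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS_UTC = range(7, 20)      # 07:00 <= hour < 20:00
FAILURE_THRESHOLD = 5                  # this many failed logins ...
FAILURE_WINDOW = timedelta(minutes=5)  # ... within this window


def parse_login_log(text):
    """Parse the CSV export into dicts, adding a datetime under key 'ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["EVENT_TYPE"] != "Login":
            continue
        row["ts"] = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])


def ip_in_allowed_ranges(ip):
    """True if the source IP falls inside one of the allowed CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RANGES)


def find_suspicious_logins(rows):
    """Return (rule, user, timestamp, detail) tuples for:
    - any login attempt from an IP outside ALLOWED_RANGES,
    - a success preceded by >= FAILURE_THRESHOLD failures within FAILURE_WINDOW,
    - a successful login outside BUSINESS_HOURS_UTC."""
    findings = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent failures
    for r in rows:
        user, ip, ts = r["USER_NAME"], r["SOURCE_IP"], r["ts"]
        success = r["LOGIN_STATUS"] == "LOGIN_NO_ERROR"

        if not ip_in_allowed_ranges(ip):
            findings.append(("ip_outside_allowed_ranges", user, ts, ip))

        if success:
            # Keep only failures inside the window, then test the burst rule.
            window = [t for t in recent_failures[user] if ts - t <= FAILURE_WINDOW]
            if len(window) >= FAILURE_THRESHOLD:
                findings.append(("success_after_failure_burst", user, ts,
                                 f"{len(window)} failures in window"))
            recent_failures[user] = []
            if ts.hour not in BUSINESS_HOURS_UTC:
                findings.append(("login_outside_business_hours", user, ts,
                                 ts.strftime("%H:%M UTC")))
        else:
            recent_failures[user].append(ts)
    return findings


if __name__ == "__main__":
    for rule, user, ts, detail in find_suspicious_logins(parse_login_log(SAMPLE_LOGIN_LOG)):
        print(f"{ts.isoformat()} {rule:30} {user:20} {detail}")
```

Run against the sample, the rules flag alice’s midday login from 198.51.100.77 (outside the allowed range), and bob’s 22:12 success both for following five password failures in two minutes and for falling outside business hours. In practice the same logic would be fed from the Event Monitoring API on a schedule, and the first rule is best enforced preventively with the login IP range setting rather than only detected after the fact.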
NYDFS also directs organizations to implement controls that protect nonpublic information regardless of whether that data is in transit, at rest, or in use. As part of a larger security posture, and to meet compliance requirements, companies may look at a variety of options to de-identify and secure their data across the multiple places it may reside. Encryption can play an important role in securing data on mobile devices, in storage, and on cloud platforms. Salesforce provides core security and control settings, which include TLS encryption in transit and encryption for the Salesforce1 Mobile app.
As an additional option, Salesforce Shield provides Platform Encryption, which allows you to selectively and natively encrypt PII data at rest across all your Salesforce apps while preserving key functionality. (Learn more about Platform Encryption or try it out by taking the Trailhead module.)
I hope to continue to share my insights, discuss security trends, and provide my suggestions on ways to improve your security posture over the coming months. In the meantime, please visit our central trust hub, at trust.salesforce.com to see the most up-to-date information on our System Status, Security, and Compliance.
About the Author
Jeffrey DiMuro joined Salesforce in 2014 as the Chief Security Architect. DiMuro formerly served as an Executive Director and Global Security Architect Lead at JPMorgan Chase & Co. He also served as a member of JPMC’s Intellectual Property and Patent Team. Prior to JPMC, DiMuro held senior roles at Citigroup, ABN Amro Bank, Nortel Networks, and PGi. He has been awarded two U.S. patents for his work in perimeter security and secure credit-card processing.
Find Jeffrey on Twitter @jeffreydimuro.