Managing risks in a Salesforce environment

In today's rapidly changing world of business, only companies that understand and anticipate customer needs and consistently deliver unique, tailored experiences will be able to attract and retain loyal customers. Across industries, many companies are turning to the cloud by implementing Salesforce sales, marketing and service solutions to enable them to be more agile and more customer-responsive in order to create unique value for customers. These changes may come with challenges to internal controls as well as governance, risk and compliance (GRC) processes.

Companies are rethinking and redesigning the way they identify new customers and opportunities. They are doing so by updating and modernizing sales and after-sales processes, and increasing their reliance on technology to drive customer interactions, behaviors, relationships and sales. As a result, companies should also consider reassessing their risk profile. Through proper attention to internal controls, companies can effectively utilize the features and functionality within Salesforce, such as Salesforce Shield, to implement customer-centric processes that are well controlled and governed.

The need to reexamine controls

The implementation of new Salesforce solutions can involve significant business transformation as companies redefine processes to take advantage of the technology's benefits, as well as integrate Salesforce with other enterprise systems to create efficient end-to-end processes. As companies reexamine their marketing, sales and service processes, including such areas as the definition of prices, discounts, customer claims and return of faulty goods, previously defined internal controls and GRC processes also require reexamination to help establish an effective, efficient and controlled execution of business processes (Figure 1). Companies should consider questions in the following areas:

Privacy. Are we collecting personal data that subjects us to regulatory requirements or contractual commitments?

Health Insurance Portability and Accountability Act (HIPAA). Are we a covered entity, or are our business associates processing protected health information (ePHI)?

Sarbanes-Oxley (SOX). How do we help establish that the prices and discounts sales agents use are properly authorized? Can the sales agents sign sales orders with any account?
Figure 1: Potential risks and controls

Potential risks:
Customer is not authorized
Sales order prices are inaccurate and not authorized
Sales order price overrides and price master file changes are not accurately recorded
Sales orders are not valid
Sales order discounts are not authorized
Inappropriate information is collected
Claims are not authorized
Goods returns are inaccurate or not authorized
Communications with customers are inaccurate or not authorized
Case responses do not respect Service Level Agreements with customers
Documents shared with customers/partners are not authorized
Inappropriate employee use
Collision with other internal communication and collaboration tools

Controls:
Periodic review of accounts and contacts
Approval of pricing
Approval of discounts by account
Automatic block of sales price overrides
Increased governance over the design of the system
Review and approval of claims
Review of cases and approval of goods returns
Automatic escalation of cases inside specific times within Service Level Agreements
Document file limits are configured to reduce the risk that unauthorized documents are shared
Chatter is configured to limit the types of documents that users can share
User policies
Increased governance over Chatter communications

To adopt an agile and responsive customer-centric model, companies are investing in tools and processes to address a variety of compliance requirements in a more efficient manner. These requirements come from regulatory entities, auditors and other stakeholders, and are key for managing internal risks. No matter what stage of the Salesforce implementation journey a company is in, a reevaluation of internal controls will help confirm that GRC processes and controls are designed and implemented to properly address requirements and other potential risks (Figure 2).

Figure 2:

01 Will this change?
Impact compliance with external/internal requirements
Impact the way you manage your financial data
Impact your controls
Impact the way users access your data

02 How are you?
Controlling the execution of your processes
Managing compliance
Managing the access to clients' data
Creating efficiencies
Integrating Salesforce with other enterprise systems

03 What are you doing to?
Meet increasing regulatory requirements
Manage internal control systems
Maintain Salesforce apps in a controlled way
Achieve the right level of governance over SFDC

04 Can you do it better?
Governance
Process improvement leveraging Salesforce functionalities
Integration with other systems
Control optimization
Security design

Salesforce functionality to help manage internal controls

In conjunction with the implementation of internal controls, companies can effectively utilize Salesforce Shield and other built-in Salesforce functionalities to implement customer-centric processes that accomplish business objectives. These tools can help companies develop innovative ways to manage user access, compliance and operational risks while improving the overall customer experience. Three such functionalities are Salesforce Event Monitoring, Field Audit Trail and Encryption.

Event Monitoring. For companies that need to know who is accessing which systems and which data, and what they are doing with them, Salesforce Event Monitoring delivers event log files that can be imported into a visualization application, allowing management to monitor the correct execution of their CRM processes and related controls.

Field Audit Trail. Field Audit Trail allows companies to confirm that data is accurate and complete, and that business processes have been followed correctly. Within Salesforce, Field Audit Trail tracks field history for up to 60 fields per object and retains it for up to 10 years.

Encryption. Encryption of data at rest can be a useful tool that adds an additional layer of protection to help mitigate risks to sensitive data. Salesforce Encryption helps protect an organization's data by offering native platform encryption and key management features. Salesforce Encryption allows companies to protect data at a more granular level while still preserving business functionality and permitting users to perform necessary tasks. Organizations can encrypt files, attachments and certain standard and custom fields through the use of an advanced security key management system.

Other functionalities include user authentication (single-factor or two-factor authentication), customization of the level of access to objects and records based on a company's needs, and the ability to define approval workflows.

Leveraging the available tools

Companies are responsible for the definition and implementation of controls, and areas that often require specific attention include control integration, security design, data privacy and overall control governance.

Control integration. Companies may develop process inefficiencies if they don't adequately reexamine their internal control systems during a Salesforce implementation. As organizations move to an agile, customer-centric business model, they will want to anticipate these controls so that once a customer interaction is complete, any issues get identified and addressed. This helps to support customers and creates the efficiencies desired from a control standpoint. When marketing or sales agents enter data gathered from customers into the relevant enterprise systems, numerous verifications take place, such as whether business interactions with a customer are allowed, what key information is required, and what level of authorization the agent has for determining pricing or discounts. These areas require a transfer of controls from back-end systems to Salesforce in order to efficiently execute business processes. If controls are not implemented during the customer-facing phase of the process, the company sets a customer expectation by introducing an agile process but fails to deliver because of necessary rework and process inefficiency.

For example, consider a situation wherein a sales agent gathers data from a customer, and subsequently, controls within the company's ERP system determine that the business interactions with the customer were not allowed. The sales agent has lost valuable time by discovering too late that the time spent interacting with the customer will not bring business to the company. Further, consider a scenario where a sales agent uses mobile technology to acquire a customer's signature for a contract. Once this data is interfaced to the company's enterprise system, the system may indicate that the sales agent perhaps used non-authorized pricing, applied non-authorized discounts, or even omitted required information. The sales agent must initiate further customer interaction to correct these issues. A thorough analysis of the way internal controls should be integrated with new customer-facing business processes helps to facilitate the desired efficiencies and business outcomes.

Case study: Establishing efficient controls over financial reporting

Issue: A large public company implemented Sales Cloud and created an interface between Salesforce and its ERP system. New customers and new sales orders were created directly in Salesforce and uploaded to the ERP system. Prices were entered into the ERP system and were uploaded to Salesforce. As part of financial reporting controls, the company had to make sure that customers were valid and approved by an adequate level of management prior to conducting business with them.

Solution: PwC helped the company design and implement approval workflows within Salesforce and helped confirm that prices updated within the ERP system were accurately transmitted to Salesforce. This helped confirm that no user was able to modify prices in Salesforce to bypass controls present within the ERP system. Finally, PwC assessed user security in order to identify segregation of duties issues. As a result of these actions, the organization can be more confident that it has appropriate controls over these areas for financial reporting, as well as benefit from more efficient execution of business processes.

Security design. Secure applications can be built using standard Salesforce capabilities, but in many organizations security design may be complex. Companies may not have the proper segregation of duties in place and therefore need to rethink the design of the processes that enforce security, and leverage Salesforce access controls. Access to data within Salesforce is granted by a combination of multiple elements that define which kinds of information users can access, as well as which records users can share between themselves. Profiles and Organization-Wide Defaults (OWD) constitute the basic security. Other elements such as Role Hierarchy and Sharing Rules are used to manage access at the record level. When determining the level of user access, it is not sufficient to assess the profiles, OWD and roles assigned to users in isolation. For example, it is important to recognize that access granted at one level of the role hierarchy is transmitted to the levels above it: a user can access records with the same level of access rights as the users who report to him or her. Attention to security design in the context of process and organization is paramount to establishing effective internal controls.

Data privacy. Based on the industry and jurisdictions in which they operate, companies may have to meet stringent requirements regarding the processing of sensitive information. Even though there is generally no regulatory requirement to encrypt data, a company may decide to pursue such an additional level of protection as a way to further secure its data and manage risk. An organization should perform a risk assessment to determine the criticality and sensitivity of the information being processed, stored and transmitted by Salesforce in order to effectively use Salesforce data protection functionalities.

Case study: Establishing confidence in data privacy

Issue: A healthcare company implemented Salesforce Sales Cloud and Service Cloud. Based on the design, the company stored some electronic protected health information (ePHI) in Salesforce.

Solution: PwC helped the company perform a risk assessment to classify protected data and select the proper countermeasures. PwC then helped to protect the confidentiality of ePHI via encryption, and set relevant audit trails to track changes to data. Because of these efforts, the company is able to better leverage advanced functionality in new customer-facing processes, as well as have more confidence that it is remaining HIPAA compliant and appropriately protecting the privacy of patients.

Control governance. Salesforce recognizes that many companies are subject to multiple regulations that govern the handling of information, and therefore provides a security program that addresses certifications, policies, practices, people and technology. However, a significant part of the internal control system still needs to be addressed by companies, such as the way they design and implement their business processes. For example, Salesforce is certified to ISO 27001 for information security, but companies are responsible for the security profiles they define for their own purposes and the related assignment to users (Figure 3).
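The point made above under Security design, that a user's profile, OWD and role reviewed in isolation understate what that user can actually reach, can be checked with a small model. The following Python script is an added illustration for this paper and is not Salesforce code, nor does it call the Salesforce API: it is a simplified model of how profile object permissions, Organization-Wide Defaults, sharing rules and the role hierarchy combine into record access, and the org, roles, users, sharing rule and opportunity record in it are constructed for the example. It contrasts a naive review (the user's own grants) with effective access once inheritance up the hierarchy is counted.

```python
"""Simplified model of how record access combines in a Salesforce-style org
(added illustration, not Salesforce code or its API): profile object
permissions, Organization-Wide Defaults (OWD), sharing rules and the role
hierarchy.  Org, users, roles and records below are constructed samples."""
from collections import namedtuple

NONE, READ, EDIT = 0, 1, 2          # ordered so max() keeps the strongest grant
LEVEL_NAME = {NONE: "None", READ: "Read", EDIT: "Edit"}

Profile = namedtuple("Profile", "name object_read object_edit")  # object permissions
User = namedtuple("User", "name profile role")
SharingRule = namedtuple("SharingRule", "obj owner_role shared_with_role level")
Record = namedtuple("Record", "obj record_id owner")             # owner = user name


class Org:
    def __init__(self, owd, role_parent, users, sharing_rules=()):
        self.owd = owd                    # object -> default level (OWD)
        self.role_parent = role_parent    # role -> parent role (None at the top)
        self.users = users                # user name -> User
        self.sharing_rules = list(sharing_rules)

    def descendant_roles(self, role):
        """Every role below `role` in the hierarchy, transitively."""
        out = []
        for child, parent in self.role_parent.items():
            if parent == role:
                out += [child] + self.descendant_roles(child)
        return out

    def _record_share(self, user, rec):
        """Grant from OWD, ownership and sharing rules alone, before the
        user's profile and the hierarchy are applied."""
        level = EDIT if rec.owner == user.name else self.owd.get(rec.obj, NONE)
        owner_role = self.users[rec.owner].role
        for r in self.sharing_rules:
            if (r.obj, r.owner_role, r.shared_with_role) == (rec.obj, owner_role, user.role):
                level = max(level, r.level)
        return level

    def _cap(self, user, level):
        """Profile object permissions bound whatever sharing grants."""
        if not user.profile.object_read:
            return NONE
        return READ if level == EDIT and not user.profile.object_edit else level

    def direct_access(self, user, rec):
        """What a review of the user's own profile, OWD and role reports."""
        return self._cap(user, self._record_share(user, rec))

    def effective_access(self, user, rec):
        """Direct grant plus the strongest grant held by anyone below the
        user in the role hierarchy: record access flows upward to managers."""
        level = self._record_share(user, rec)
        below = self.descendant_roles(user.role)
        for sub in self.users.values():
            if sub.role in below:
                level = max(level, self._record_share(sub, rec))
        return self._cap(user, level)

    def who_can_edit(self, rec):
        return sorted(u.name for u in self.users.values()
                      if self.effective_access(u, rec) == EDIT)


def hierarchy_only_grants(org, rec):
    """Users whose effective access exceeds what the naive review reports."""
    gaps = {}
    for u in org.users.values():
        direct, eff = org.direct_access(u, rec), org.effective_access(u, rec)
        if eff != direct:
            gaps[u.name] = (LEVEL_NAME[direct], LEVEL_NAME[eff])
    return gaps


def build_sample_org():
    """Constructed sample: Opportunity is Private by OWD, one rule lets Finance
    read reps' opportunities, and the VP of Sales has a read-only profile."""
    std = Profile("Standard User", object_read=True, object_edit=True)
    ro = Profile("Read Only", object_read=True, object_edit=False)
    users = {"alice": User("alice", std, "Sales Rep"),
             "bob": User("bob", std, "Sales Manager"),
             "carol": User("carol", ro, "VP Sales"),
             "dave": User("dave", std, "Finance"),
             "erin": User("erin", std, "CEO")}
    roles = {"CEO": None, "VP Sales": "CEO", "Sales Manager": "VP Sales",
             "Sales Rep": "Sales Manager", "Finance": "CEO"}
    rules = [SharingRule("Opportunity", "Sales Rep", "Finance", READ)]
    return Org({"Opportunity": NONE}, roles, users, rules)


def sample_record():
    return Record("Opportunity", "OPP-0001", owner="alice")   # constructed id
```

In the sample, a review of bob's own grants reports no access to the opportunity (the object is Private and no rule names his role), yet he can edit it because his subordinate owns it; carol's read-only profile caps her at Read, but the hierarchy passes the underlying record-level share upward, so erin above her inherits Edit. An access review therefore has to compute effective access across the whole hierarchy rather than read each user's profile, OWD and role in isolation; in a live org the inputs to such a calculation come from the platform's own sharing configuration, not from a hand-built model like this one.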

Figure 3: Salesforce Trust Services and the company's responsibility

Salesforce Trust Services:
ISO 27001: Information security
SSAE 16/ISAE 3402 SOC 1: Reports on Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
SOC 2: Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy
SOC 3 (SysTrust): Trust Services Report for Service Organizations
FISMA: Federal Information Security Management Act
PCI-DSS: Payment Card Industry (PCI) Data Security Standard (DSS)

Company's responsibility:
Information security of company data managed outside the SFDC cloud
Financial controls over custom-developed apps and interactions with other enterprise systems
End user control considerations: end user considerations together with the control activities at the service organization work in conjunction to achieve the related control objective
Access by unauthorized individuals granted by SFDC administrators
Companies need to specify which fields need to be encrypted; SFDC does not encrypt data by default

The encryption of data and the management of logs are other areas that carry significant responsibility for companies. Based on specific regulations (e.g. HIPAA/HITECH, FISMA, etc.), organizations must build infrastructure and create strategies to protect against threats to the security of their information, including strategies that investigate potential security breaches. While Salesforce allows organizations to encrypt data and manage logs, it is the responsibility of the company to determine which data needs to be encrypted and/or logged. Ultimately, end user considerations together with the control activities at the service organization have to work in conjunction to achieve control objectives and GRC management.

The end result

Salesforce cloud-based solutions enable companies to operate with the flexibility and speed they need to create unique customer value. However, as with any transformational change, implementation can introduce new risks. Salesforce offers both core and advanced features that can be very effective at ensuring controls are in place, but these features don't stand on their own. They must be aligned and tailored to the individual organization's specific needs. Whether a company is just considering a Salesforce implementation or is already operational and striving for continuous improvement, an evaluation of internal controls will help company management enable an effective, efficient and controlled execution of business processes.

pwc.com/us/riskassurance
salesforce.com

Contact us:
Bob Clark, Principal at PwC, Enterprise Systems Solutions U.S. Leader, robert.h.clark@pwc.com
Andrea Acciarri, Director at PwC, Enterprise Systems Solutions Salesforce Leader, andrea.x.acciarri@pwc.com
Jim Rivera, VP, Product Manager, Salesforce Shield, jrivera@salesforce.com

The information provided in this white paper is strictly for the convenience of our customers and is for general informational purposes only. Publication by salesforce.com, inc. does not constitute an endorsement. Salesforce.com, inc. does not warrant the accuracy or completeness of any information, text, graphics, links or other items contained within this white paper. Salesforce.com, inc. does not guarantee you will achieve any specific results if you follow any advice in the white paper. It may be advisable for you to consult with a professional such as a lawyer, accountant, architect, business advisor or professional engineer to get specific advice that applies to your specific situation.

© 2015 salesforce.com, inc. All rights reserved. © 2016 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.