COMPLIANCE GUIDE
Guide to Compliance in Salesforce
MEETING THE COMPLIANCE NEEDS OF BANKS
When it comes to regulatory compliance, banks face some of the most
stringent requirements of any industry. For example, banks must follow
strict retention regulations around data, emails and communications with
customers, system updates and more.
Given how specific these requirements get, it can be very easy for banks
to unknowingly violate them. However, doing so is simply not an option,
as it can not only put your bank in bad standing with the government (e.g.
Enron), but also with consumers (no one wants their identity stolen).
As a result, banks have dedicated compliance departments that go
through every process and technology with a fine-toothed comb. While
this oversight is necessary to ensure compliance, it often prevents or slows
down the adoption of new technology and processes that your bank needs
to stay modern and deliver the services that customers expect.
Against this backdrop, one of the most common questions posed by
banks is: Can we balance these two requirements? With Salesforce,
the answer is yes. A cloud-based CRM solution, Salesforce provides
advanced capabilities around sales, service, marketing and more while
also ensuring the level of compliance that banks require. Some of these
security safeguards come in the form of native Salesforce applications
and others come from third party solutions that integrate with
Salesforce. Whatever the setup, countless banks are using Salesforce
today to securely power their modern business models.
What do you need to know about compliance in Salesforce? This
comprehensive guide answers some of the most common questions
on this topic by providing information on different options, the pros
and cons of each option, the level of complexity of each option and our
recommendations on which options to implement.
CONTENTS
• Meeting the Compliance Needs of Banks
• Compliance Options in Salesforce
• Achieving Your Bank’s CRM Goals with Salesforce
COMPLIANCE OPTIONS IN SALESFORCE
Requirement
Methodical process for tracking the addition of new fields and administrative
changes to the system so that they can be analyzed for compliance.
Solution option: Source Control Policy. Change management strategy and governance.
Pros: Ensures archival, comparison, audit and rollback capabilities for Salesforce development.
Cons: Extra setup and maintenance required for the source control system, as well as increased effort during development.
Complexity: High

Solution option: Administrative Audit Log. Standard Excel-based audit log of admin system changes.
Pros: Provides a comprehensive overview of all changes and the ability to create your own pivot analysis.
Cons: Only covers a six-month period.
Complexity: Low

Solution option: AppExchange SnapShot. Change and release management tool to track system changes.
Pros: Requires only minimal setup, includes many features and receives regular improvements.
Cons: Involves additional licensing costs.
Complexity: Low
Recommendations
• Implement the Source Control monitoring process and use the audit and compare functionality to monitor changes.
• Use the Salesforce Administrator Audit Logs to track changes on a more ad hoc basis.
• Examine the AppExchange products that provide “snapshot” management for a possible fit.
Requirement
Encrypted storage for PII data to prevent unauthorized access.
Solution option: Standard Salesforce encryption options and encryption roadmap.
Pros: Native encryption capability for standard and custom fields and search. Continuously expanding with each release.
Cons: Includes field length limits, is not nearly as capable as encryption appliances, and the roadmap is not fully released.
Complexity: Low

Solution option: Managed Cloud Sherpas Encryption application. Apex classes for AES-256 encryption of data in the system; packaged functionality provided as an accelerator by Cloud Sherpas.
Pros: Packaged accelerator for encrypting standard and custom data fields, plus search capabilities.
Cons: Limited customization capabilities with a managed package. Typically used as an interim solution while waiting for the Salesforce roadmap.

Solution option: Mashups. Stores data in the internal network and uses a Visualforce UI to present it; nothing is stored at rest in the cloud.
Pros: No need for encryption as data never leaves the network. Allows you to maintain full control of the data.
Cons: On-premise functionality with a more complicated integration framework and design.

Solution option: Encryption Appliance. The appliance resides in the internal network and all data transferred in/out is encrypted.
Pros: Data is fully encrypted in the cloud. Has the most full-fledged features and functionality.
Cons: License costs and increased development/support complexity.
Recommendations
• Analyze complexity and amount of data to be encrypted alongside compliance requirements.
• Attempt to implement Salesforce native encryption where possible.
• Implement Apex encryption as an interim solution while waiting for the Salesforce encryption roadmap to advance, and eventually migrate to standard functionality.
• Use encryption appliance for more complex encryption requirements.
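As an added illustration of the interim Apex approach (example code written for this guide's topic, not the Cloud Sherpas accelerator's code), assuming a Protected Custom Setting Encryption_Settings__c with a Key_Base64__c text field that an administrator manages, and a separate indexed text field that receives the search token:

```apex
// Interim field-level encryption helper (illustrative; Encryption_Settings__c and
// Key_Base64__c are assumed to exist as an admin-managed Protected Custom Setting).
public with sharing class InterimFieldCrypto {
    private static final String ALG = 'AES256';   // AES with a 256-bit key
    private static final Integer KEY_BYTES = 32;

    // Load the key from protected settings; never hardcode it in Apex source.
    public static Blob loadKey() {
        Encryption_Settings__c s = Encryption_Settings__c.getOrgDefaults();
        Blob key = EncodingUtil.base64Decode(s.Key_Base64__c);
        if (key.size() != KEY_BYTES) {
            throw new CryptoConfigException('AES256 key must be exactly 32 bytes');
        }
        return key;
    }

    // Encrypt for storage; returns base64(IV || ciphertext). Salesforce field length
    // limits apply to the ciphertext, which grows to roughly 4/3 of (16 + padded plaintext).
    public static String encryptForField(String plain, Blob key, Integer fieldMaxLength) {
        if (String.isBlank(plain)) return null;
        String out = EncodingUtil.base64Encode(
            Crypto.encryptWithManagedIV(ALG, key, Blob.valueOf(plain)));
        if (out.length() > fieldMaxLength) {
            throw new CryptoConfigException('Ciphertext exceeds field length ' + fieldMaxLength);
        }
        return out;
    }

    public static String decryptFromField(String stored, Blob key) {
        if (String.isBlank(stored)) return null;
        return Crypto.decryptWithManagedIV(ALG, key, EncodingUtil.base64Decode(stored)).toString();
    }

    // Keyed hash of the normalized value, kept in its own indexed field so exact-match
    // lookups work without decrypting every row (one common approach to search over
    // encrypted fields; use a MAC key distinct from the encryption key).
    public static String searchToken(String plain, Blob macKey) {
        if (String.isBlank(plain)) return null;
        Blob mac = Crypto.generateMac('hmacSHA256', Blob.valueOf(plain.trim().toLowerCase()), macKey);
        return EncodingUtil.convertToHex(mac);
    }

    public class CryptoConfigException extends Exception {}
}
```

The managed-IV methods generate a random 16-byte IV per call and prepend it to the ciphertext, so the same plaintext produces different stored values each time, which is why exact-match search needs the separate token field.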
Requirement
Varied visibility into client information so that users can see detailed information for only the appropriate clients.
Solution option: Salesforce Security Model. Granular control of user permissions and visibility through the use of roles, profiles, teams, field-level security, sharing rules, groups, folders, Apex sharing, etc.
Pros: Extremely flexible solution that includes many sharing tools. This is standard Salesforce functionality and is used by all Salesforce customers in the financial services industry.
Cons: The extremely complex requirements of financial services firms typically require an advanced role model, a complex team structure and Apex sharing capabilities.
Complexity: High
Recommendations
• Implement a complex security model using roles, profiles, sharing rules, teams, Apex sharing, etc.
Requirement
Ability for administrators to filter within text fields to ensure that PII data is not stored in inappropriate areas of the system.
Solution option: Custom Development. Develop Apex triggers and pattern recognition capabilities to scan all fields for potential data violations and flag records for review.
Pros: Doesn’t require any additional tools and can be as flexible as required to identify data.
Cons: Requires extensive code because it’s difficult to prevent users from entering data in text area fields.
Complexity: High

Solution option: CipherCloud. Provides field scanning and analysis to identify data such as credit card numbers and other sensitive data within other fields.
Pros: Offers out-of-the-box functionality within an already utilized application, as well as out-of-the-box reporting capabilities.
Cons: Encrypting every field consumes more system resources and can impact performance.
Complexity: Low

Solution option: CloudLock. Provides field scanning for PII data patterns with options for alerts and reporting.
Pros: Lower-cost alternative to encryption appliances that is also completely cloud-based.
Cons: Doesn’t provide real-time prevention of PII data insertion.
Complexity: Medium
Recommendations
• Use CloudLock’s field analysis functionality to monitor field data for possible violations.
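An added example of the Custom Development option above (example code written for this guide, not code from the page or its vendors): an Apex handler that scans a free-text field for card-number and SSN patterns and flags the record for compliance review. PII_Review_Flag__c (checkbox) and PII_Review_Reason__c (text) are assumed custom fields on Case.

```apex
// Scans long text fields for PII patterns and flags the record (illustrative handler;
// PII_Review_Flag__c and PII_Review_Reason__c are assumed custom fields on Case).
public with sharing class PiiFieldScanner {
    // 13-19 digit runs, optionally separated by spaces or dashes, and US SSN format.
    private static final Pattern CARD = Pattern.compile('(?:\\d[ -]?){12,18}\\d');
    private static final Pattern SSN  = Pattern.compile('\\b\\d{3}-\\d{2}-\\d{4}\\b');

    // Luhn check cuts false positives on arbitrary digit runs (ticket or phone numbers).
    public static Boolean passesLuhn(String digits) {
        Integer sum = 0;
        Boolean dbl = false;
        for (Integer i = digits.length() - 1; i >= 0; i--) {
            Integer d = Integer.valueOf(digits.substring(i, i + 1));
            if (dbl) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            dbl = !dbl;
        }
        return Math.mod(sum, 10) == 0;
    }

    // Returns the reasons a value looks like PII (empty when clean). The matched
    // value itself is never returned, so the reason field does not replicate the PII.
    public static List<String> findViolations(String text) {
        List<String> reasons = new List<String>();
        if (String.isBlank(text)) return reasons;
        Matcher m = CARD.matcher(text);
        while (m.find()) {
            String digits = m.group().replaceAll('[^0-9]', '');
            if (passesLuhn(digits)) { reasons.add('Possible card number'); break; }
        }
        if (SSN.matcher(text).find()) reasons.add('Possible SSN');
        return reasons;
    }

    // Before-trigger context: fields are set in memory, so no extra DML is needed.
    public static void flagRecords(List<Case> records) {
        for (Case c : records) {
            List<String> reasons = findViolations(c.Description);
            c.PII_Review_Flag__c = !reasons.isEmpty();
            c.PII_Review_Reason__c = reasons.isEmpty() ? null : String.join(reasons, '; ');
        }
    }
}
```

Call PiiFieldScanner.flagRecords(Trigger.new) from a before insert, before update trigger on Case; flagging instead of rejecting keeps users unblocked while giving the compliance team a reviewable work queue (use addError on the record instead where the policy requires hard prevention).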
Requirement
Extract and store data from the CRM to on-premises systems for data retention purposes.
Solution option: On-Premise Data Retention. Use Informatica to perform full system extracts into the data warehouse.
Pros: Can reuse existing ETL tools and internal databases, as well as standard replication procedures.
Cons: Requires integration with the on-premise Enterprise Data Warehouse.
Complexity: Medium

Solution option: Salesforce Scheduled Exports. Have Salesforce summarize all system data to be downloaded internally on a monthly basis.
Pros: Minimal effort to set up and doesn’t require any tools.
Cons: Requires manual effort to download/store data and is generally not sufficient for large enterprises.
Complexity: Low
Recommendations
• Use an on-premise data replication solution for existing Salesforce instances. This functionality should be reused to retain any data on-premise.
Requirement
Allow compliance to review communications within the solution to ensure that they are compliant with FINRA regulations.
Solution option: Salesforce BCC Email. Set compliance BCC emails to automatically send a hidden copy of each outbound email message to an email address that you specify (if your organization evaluates all outbound email messages for compliance). Enabling compliance BCC emails prevents users from editing the BCC field on any email and disables their Automatic BCC setting under “My Email Settings.”
Pros: Standard Salesforce function that requires minimal setup.
Cons: Need to create a BCC mailbox that is managed outside the Salesforce cloud platform.
Complexity: Low

Solution option: Email Relaying. Route all emails through internal email servers to store copies internally.
Pros: No need for email spoofing by Salesforce; enables internal routing, internal content filters, appending company-wide disclaimers, etc.
Cons: N/A
Complexity: Low
Recommendations
• Implement SMTP relay or BCC emailing for all email communications to allow for archiving.
• Implement data retention integrations to export all system data via ETL into EDW.
• Either turn off Chatter or remove restricted functionality and implement a free AppExchange archiving product.
Requirement
Allow compliance to store and retain client communications (call notes, emails, etc.) for data retention purposes.
Solution option: Chatter Archiving/Retention. Makes Chatter compliant by sending a copy of posts and related content to a journaling mailbox of your choice for long-term retention. An ETL integration is also possible.
Pros: Third-party AppExchange solutions are available (e.g. Archive for Chatter).
Cons: Possible licensing fees for third-party applications, but many are free. Possible integration required.
Complexity: Medium

Solution option: Data Retention of Records to Internal EDW and Email Relaying. Use Informatica to retrieve all data related to communications and replicate it to the EDW.
Pros: Opportunity to reuse existing data retention integrations.
Cons: Data reporting will need to be implemented off-platform within BI reporting tools on top of the EDW.
Complexity: Medium

Solution option: Turn Off/Modify Chatter. Many financial services organizations either turn off Chatter or remove many of its functions. See our Chatter Compliance for Financial Services Companies white paper for more details.
Pros: Less maintenance and monitoring required if users are not allowed to communicate via Chatter in all scenarios.
Cons: Loss of critical social collaboration functionality within the system, possibly frustrated users, and a more complex Chatter implementation.
Complexity: Medium
Recommendations
• Inbound communications will already be captured through Outlook and existing journal process.
• Outbound communications will be captured through the above process.
• Notes and activities will be captured via data retention process above.
Requirement
Allow compliance to control the amount of data that can be exported out of the CRM system, as well as who can export this data.
Solution option: Salesforce Profile Permission. Export data privileges can be assigned only to authorized user profiles (note: usage policies should also be implemented).
Pros: Standard Salesforce functionality that requires minimal setup.
Cons: Most profile functions are “all or nothing” (e.g. users cannot export ANY reports).
Complexity: Low
Recommendations
• Use profile settings to prevent full export capabilities for specific groups of people.
Requirement
Allow compliance to audit data records with which users have viewed and interacted.
Solution option: CipherCloud Monitoring. Monitors system usage and “anomalous” activities, such as after-hours usage, and sends alerts about suspicious activities within the system.
Pros: Already used to support other functions.
Cons: Does not provide full-fledged functionality to detail every button click, action, etc.
Complexity: Low

Solution option: Splunk. Monitors user activities, including navigation and operational intelligence.
Pros: Provides simplified reporting not provided out of the box with Salesforce.
Cons: Requires an add-on for Splunk to work with Salesforce. Includes additional license costs.
Complexity: Medium
Recommendations
• Use the Splunk Operational Intelligence tool to monitor user activities.
Requirement
Allow compliance to track changes to all of the fields in the CRM system, including the initiator of each change with date/time details.
Solution option: Field History Tracking. Select certain fields to track and display the field history in the “History Related List” of an object. You can track the field history of custom objects and most standard objects.
Pros: Standard Salesforce functionality.
Cons: Limitations on how many and which fields can be tracked.
Complexity: Medium

Solution option: Custom Auditing Solution. Apex trigger/workflow-based auditing.
Pros: Fully customized to meet your requirements. Allows for easy porting to an on-premise solution through an API.
Cons: Development costs, maintenance requirements and data storage impact.
Complexity: Medium
Recommendations
• Configure Salesforce to push changes to auditing systems via ETL/ESB.
• Develop an advanced audit table for reporting on full system changes.
• Use out of the box Field Audit functionality for a visual representation of changes for users.
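An added example of the trigger-based Custom Auditing Solution (example code written for this guide, not the page's own): a handler that diffs each updated record against its prior version and builds one audit row per changed field, recording who made the change and when. Field_Audit__c, with the custom fields used below, is an assumed custom object.

```apex
// Builds field-level audit rows for an after update trigger (illustrative handler;
// Field_Audit__c and its fields are assumed to exist, with value columns as Text(255)).
public with sharing class FieldAuditWriter {
    public static List<Field_Audit__c> buildEntries(List<SObject> newRecords,
                                                    Map<Id, SObject> oldRecords,
                                                    Schema.SObjectType objType) {
        List<Field_Audit__c> entries = new List<Field_Audit__c>();
        String objName = objType.getDescribe().getName();

        // Only updateable fields can change through the UI/API; skip system and formula fields.
        List<String> auditable = new List<String>();
        for (Schema.SObjectField f : objType.getDescribe().fields.getMap().values()) {
            if (f.getDescribe().isUpdateable()) auditable.add(f.getDescribe().getName());
        }

        Id actor = UserInfo.getUserId();   // initiator of the change
        Datetime at = System.now();        // date/time of the change
        for (SObject rec : newRecords) {
            SObject prior = oldRecords.get(rec.Id);
            for (String fname : auditable) {
                String oldV = asText(prior.get(fname));
                String newV = asText(rec.get(fname));
                // String == is case-insensitive in Apex, so use equals() to catch case-only edits.
                Boolean unchanged = (oldV == null) ? (newV == null) : oldV.equals(newV);
                if (unchanged) continue;
                entries.add(new Field_Audit__c(
                    Record_Id__c = rec.Id, Object_Name__c = objName, Field_Name__c = fname,
                    Old_Value__c = oldV, New_Value__c = newV,
                    Changed_By__c = actor, Changed_At__c = at));
            }
        }
        return entries;
    }

    // Abbreviate rather than fail the DML when a value exceeds the audit column length.
    private static String asText(Object v) {
        return v == null ? null : String.valueOf(v).abbreviate(255);
    }
}
```

Call insert FieldAuditWriter.buildEntries(Trigger.new, Trigger.oldMap, Account.SObjectType) from an after update trigger on each audited object; the audit rows can then be pushed to the on-premise audit store by the same ETL/ESB path used for data retention.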
Requirement
Allow the certification and authentication of users in the system.
Solution option: Session Management. Set session timeouts, IP restrictions, working-hour restrictions, etc.
Pros: Standard Salesforce functionality.
Cons: Users need to log in to each system separately.
Complexity: Low

Solution option: Single Sign-On. Enforce login through corporate credentials with either one- or two-factor authentication and additional security restrictions.
Pros: Ability to reuse the existing IdP, less user administration and the ability to deactivate access in one place.
Cons: Requires single sign-on installation.
Complexity: High
Recommendations
• Implement single sign-on with internal IDP and use standard Salesforce security mechanisms.
Requirement
Mobile encryption and device management.
Solution option: MobileIron. Provides full device management capabilities.
Pros: Integrates with Salesforce1.
Cons: Requires an additional toolset to manage and has a complex deployment.
Complexity: Medium

Solution option: Native Salesforce1. Uses SSL, AES-256 encryption and a SQLite database that is double-encrypted (with Salesforce’s and the device’s encryption). Encrypts files and attachments on the device file system and only temporarily decrypts file previews.
Pros: Standard Salesforce functionality that is constantly evolving.
Cons: Relatively new product with limited offline capabilities.
Complexity: Low
Recommendations
• Use a combination of the new MobileIron MDM products, the standard Salesforce1 app and single sign-on.
ACHIEVING YOUR BANK’S CRM GOALS WITH SALESFORCE
As the above analysis illustrates, Cloud Sherpas understands the unique challenges that banks face as they seek
to balance security and compliance with technology. To help banks overcome these challenges, we’ve developed
implementation of cloud-based CRM solutions like Salesforce.
Our Banking Industry Framework encompasses everything from assessment and design to integration, deployment
and ongoing support while addressing key industry problems related to customer retention and loyalty, social
collaboration, revenue growth and data and systems integration. Throughout all of this, we place the highest
emphasis on compliance, ensuring that your bank has the tools it needs to power the modern customer experience.
This dedicated, vertical solution aims to create a completely compliant cloud environment that helps your bank
increase revenue and close deals faster by taking a more personalized, modern approach to sales and service.
FIND OUT WHAT CLOUD SHERPAS CAN DO FOR YOU
Our focus is on helping organizations meet all their cloud needs, including running business applications
like messaging, collaboration and CRM in the cloud, developing custom cloud solutions using platforms and
infrastructure as a service and integrating existing cloud solutions with other clouds and business systems.
Let us help you leverage the cloud. Contact your sales representative or visit us online at
www.cloudsherpas.com or 888-260-7660.
3525 Piedmont Road, Building 8, Suite 710, Atlanta, GA 30305
2011-2014 Google for Work Global Partner of the Year