Applies to: Lightning and Classic
Recently I was asked to put together a list of best practices for setting up security within the Salesforce® platform. The list below is originally from Salesforce, but I’ve added a bit to it to help explain it and provide my personal recommendations.
Your employees are your highest level of risk for a security incident. As humans we’re going to make mistakes, but education can go a long way in keeping your systems secure. Teach your staff to always:
Salesforce will document your security contact’s information and keep them informed of security-related communications.
Be sure to keep all your systems patched and updated.
I partially agree with this Salesforce recommendation. While it should be considered a best practice, it may not always be practical in every situation. Every computer connected to a network or Wi-Fi will have an IP address assigned to it. Within Salesforce you can restrict which IP addresses are allowed to connect to your Salesforce system. Salesforce gives you two methods to restrict IP addresses.
The password settings within Salesforce can be found under the Setup menu | Security Controls | Password Policies.
Session Security controls are located under the Setup menu | Security Controls | Session Settings.
While I agree this is a best practice, it can be highly frustrating to the users, as idle time will require them to log back in. I recommend finding an effective balance with this one. The default is two hours, which I personally feel is a good compromise. These settings are found under the Setup menu | Session Settings.
Two-factor authentication requires the person to know and/or have two pieces of private information or devices to gain access.
Security can be a complex topic, so surround yourself with experts if you do not have them in-house. Call Salesforce for guidance or work with a certified Salesforce® partner.