Salesforce Security Advocate Superbadge Unit
Encourage and facilitate the adoption of security best practices in your Salesforce org.
What You'll Do to Earn This Superbadge
- Automate permission set expiration dates based on related training.
- Use In-App Guidance to increase user awareness for common cybersecurity risks.
- Import a custom baseline in Health Check to gauge an org’s security health.
- Explain Salesforce security best practices and critical concepts.
Concepts Tested in This Superbadge
- Cybersecurity
Prework and Notes
Sign Up for a Developer Edition Org with Special Configuration
To complete this superbadge unit, you need a special Developer Edition org that contains special configuration and sample data. Note that this Developer Edition org is designed to work with the challenges in this superbadge unit.
Sign up for a free Developer Edition org with special configuration.
Fill out the form. For Email address, enter an active email address.
After you fill out the form, click Sign me up.
When you receive the activation email (this might take a few minutes), open it and click Verify Account.
Complete your registration by setting your password and challenge question. Tip: Save your username, password, and login URL in a secure place—such as a password manager—for easy access later.
You are logged in to your superbadge Developer Edition org.
Now, connect your new Developer Edition org to Trailhead.
Make sure you’re logged in to your Trailhead account.
In the Challenge section at the bottom of this page, select Connect Org from the picklist.
On the login screen, enter the username and password for the Developer Edition org you just set up.
On the Allow Access? page, click Allow.
On the Want to connect this org for hands-on challenges? page, click Yes! Save it. You are redirected back to the Challenge page and ready to use your new Developer Edition org to earn this superbadge unit.
Now that you have a Salesforce org with special configuration for this superbadge unit, you’re good to go.
Tips
Complete all steps in this superbadge in Salesforce Lightning Experience.
Some of the terminology used in this superbadge is descriptive and may not match the name as it appears in the user interface (UI). This is to test your knowledge of Salesforce features and ability to select the correct feature to satisfy a business need.
Where possible, formulas will be evaluated based on the expected outcome instead of specific formula syntax. We recommend using sample data to test and validate your formulas.
Descriptions must be set for all new fields, permission sets, and so on in order to pass the challenges.
Use Case
The leadership at Cloud & Proud Industries (CPI) takes security very seriously. CPI knows it’s critical that all members of the organization are active participants in the CPI cybersecurity program. This is why CPI has implemented targeted security awareness initiatives to promote a culture of cybersecurity across the organization.
As a Salesforce Security Advocate at CPI, your job is to understand the threats and security risks that your Salesforce org faces and advocate for the best ways to protect against them. You collaborate with the rest of the Salesforce team to enforce security best practices, like the principle of least privilege. You help maintain the security of your Salesforce data by minimizing user access when possible and utilizing the most up-to-date tools and resources available. Most importantly, you advocate for the health of your org by keeping cybersecurity top of mind for all users.
Business Requirements
The CPI cybersecurity program is well-established, but every Salesforce Security Advocate knows that the threat landscape is constantly evolving. It’s critical to continue monitoring the threats, vulnerabilities, and risks that are most relevant to CPI. This section represents the requirements for your security advocate tasks this week.
Automate Permission Expiration
CPI requires employees to complete trainings focused on topics that range from specific Salesforce features and products to web accessibility to, you guessed it, security. CPI tracks training assignments and progress for each user in Salesforce with the help of two custom objects.
- Training: This object contains a record for each training CPI leadership assigns to its users. It records the training name, description, type, etc. It also lists any related permissions where assignment is dependent on training completion.
- User Training: A junction object between the custom Training object and the User object, each User Training record tracks an individual’s information related to an assigned training.
The custom training architecture in the CPI Salesforce org has been great for assigning trainings and reporting on user progress. The Salesforce team also built the User Training Permission Set Assignment flow to automatically assign the related permission set once a user completes the required training associated with the permission.
But the current configuration doesn’t account for training that needs to be completed annually or at other regular cadences. For example, the Reports & Dashboards Security Training, which grants users the permission to export reports, is part of CPI’s annual security training program.
Your task is to build in the functionality required to determine when a user’s training and any related permissions expire. To start, create two new fields.
Object | Data Type | Field Label | Field Name | Description |
---|---|---|---|---|
Training | Number | Valid For (Months) | Valid_For_Months | This field lists the number of months the training is valid for. CPI doesn't have any training valid for more than 24 months (Field Length = 2, Decimal Places = 0). |
User Training | Formula* | Expiration Date | Expiration_Date | This field returns the date and time the user's training will expire based on the training's Valid For (Months) field and the user training's Completion Date field. |
Next, update the User Training Permission Set Assignment flow to make sure any assigned permission sets expire when the training expires. Use the existing Permission Set Assignment Creation element to build your solution. Be sure to save and activate the new version of the flow.
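As an added example (not part of this Trailhead page or of CPI's org), the expiration logic the formula and the flow change both rely on, modelled in Python so it can be checked offline: `add_months` mirrors the ADDMONTHS() formula function, `expiration_date` applies it the way the Expiration Date field would, and `expired_assignments` is an audit check for permission set assignments that should already have lapsed. The field API names (Completion_Date__c, Valid_For_Months__c) and the month-end rule are assumptions, and dates are used in place of date/time values.

```python
from __future__ import annotations
import calendar
from dataclasses import dataclass
from datetime import date


def add_months(start: date, months: int) -> date:
    """Mirror the Salesforce ADDMONTHS() formula function.
    Assumption: a month-end start date lands on the month-end of the target
    month, and a day that does not exist in the target month is clamped to
    its last day. Confirm the behaviour in your own org before relying on it."""
    month_index = start.month - 1 + months
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    start_last_day = calendar.monthrange(start.year, start.month)[1]
    day = last_day if start.day == start_last_day else min(start.day, last_day)
    return date(year, month, day)


@dataclass
class UserTraining:
    """Constructed stand-in for a User Training record joined to its Training.
    Completion_Date__c and Valid_For_Months__c are assumed field names."""
    user: str
    training: str
    completion_date: date | None      # blank until the user finishes the training
    valid_for_months: int | None      # blank = training never expires

    def expiration_date(self) -> date | None:
        # Same rule the Expiration_Date formula needs: blank while the training
        # is incomplete, and blank when the training has no validity window.
        if self.completion_date is None or self.valid_for_months is None:
            return None
        return add_months(self.completion_date, self.valid_for_months)


def expired_assignments(records: list[UserTraining], today: date) -> list[str]:
    """Audit helper: users whose training (and so the permission set the flow
    assigned) should already have expired on `today`. Run it after deploying
    the flow change to confirm ExpirationDate on the assignments matches."""
    return [r.user for r in records
            if (exp := r.expiration_date()) is not None and exp <= today]
```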
Mitigate Data Export and Manual Sharing Risk
Between required security trainings, you strive to keep security hygiene at the forefront of your users’ day-to-day activities. After interviewing users and consulting with the rest of the Salesforce team, you’ve decided to try In-App Guidance to provide just-in-time security reminders where needed most.
You’ve identified the first two use cases for In-App Guidance. Use the information below to build the prompts according to the requirements.
Report Export Warning
As mentioned earlier, CPI only grants the permission required to export report data after the required security training is completed. As a security advocate, you understand the risks and vulnerabilities associated with exporting data but you trust your trained users to export responsibly. A friendly in-app reminder will help maintain awareness.
Create an In-app Guidance Prompt with the following requirements. Make sure the prompt is active and has a description. Note: Settings that are not outlined below will not be checked but may be required to save the prompts.
Name | Report Export Warning |
---|---|
Location | Report record page in any app |
Type | Floating Prompt |
Prompt Body | For the security of our clients and staff, do not export reports that contain personally identifiable information. |
Media (Optional) | To grab users’ attention, include this image of Security Astro. Be sure to add alt text for the image. |
Action | Include a button that links to https://trailhead.salesforce.com/cybersecurity with the label, Trailhead: Cybersecurity |
Frequency | Starting today, show this prompt 10 total times with 1 day between. |
Restrictions | Only show this prompt to users who have the ability to export reports. |
Case Manual Sharing Reminder
Because the case object contains personally identifiable information (PII), it's critical that records are only shared with users who need access. While case record access is already locked down for the org, you would like to remind users who may need to manually share a case record with another user.
Create an In-App Guidance prompt with the following requirements. Make sure the prompt is active and has a description. Note: Settings that are not outlined below will not be checked but may be required to save the prompts.
Name | Case Manual Sharing Reminder |
---|---|
Location | Case record page in any app |
Type | Targeted Prompt, targeted to the Sharing button on the case record |
Prompt Body | For data security purposes, only share records with users as necessary based on work requirements. |
Media (Optional) | To grab users’ attention, include this image of Security Astro. Be sure to add alt text for the image. |
Action | Include a button that links to https://trailhead.salesforce.com/cybersecurity with the label, Trailhead: Cybersecurity |
Frequency | Starting today, show this prompt 5 total times with 1 day between. |
Restrictions | None |
Customize Your Org’s Security Standards
As the official Salesforce Security Advocate for a large and established org, you work with the security team to establish and adhere to standards that are customized to CPI. The standards recommended by Salesforce in the Health Check tool are mostly aligned with CPI’s standards, but with a couple key differences.
Import a custom baseline for Health Check with the updated values listed below. No other settings require custom standards. Give your custom baseline the API name Cloud_and_Proud_Custom_Baseline and set it as the org's default baseline.
Minimum Password Length
- Compliant Value(s): 16.0
- Warning Value(s): 12.0
- Critical Value(s): Not Applicable
Session Timeout
- Compliant Value(s): FifteenMinutes,ThirtyMinutes,SixtyMinutes,NinetyMinutes
- Warning Value(s): TwoHours,FourHours,EightHours,TwelveHours
- Critical Value(s): TwentyFourHours