A Guide to Your Salesforce Security Progress Report

Own Company
No items found.

Breaking down how we analyze & score your real-time security posture

The Salesforce Security Progress Report is designed to provide easy access to deep insights about your real-time security posture. It is one of our Own Secure on-demand reports that gives you a clear picture of your security controls, so you can see and understand where there’s risk (at last!).

To help you fully understand the Progress Report, below you’ll find definitions of the 6 security “lenses” and details on how we methodically score your posture - and if you're not getting a Salesforce Security Progress report on a regular basis, let's talk about Own Secure!

Data Protection & Classification

How well is the information in the system being stored / accessed?

Data Classification

In order to align Salesforce to your organization's security posture, data classification levels should be defined and all fields in your Salesforce org should be assigned an appropriate classification level.

Potential High-Risk Fields

The fields listed in this graph within Security Insights are not classified as high-risk, but they contain words or phrases that are commonly referred to as high risk.

Seldom Used High Risk Fields

These are fields that are classified as high risk but are not used at all or very seldom used. The percentage of data classification completed is also taken into consideration in the scoring here.

Blocked by Configuration

These are fields that are on your encryption wish list but have configuration blockers that will prevent Shield Platform Encryption from being turned on or will cause loss of function if Shield Platform Encryption is turned on. These fields and their associated blockers should be reviewed to see if the blockers can be removed or remediated. The remediation plan will vary depending on the associated blocker(s). If the blockers can safely be remediated, the fields can then be encrypted.

Platform Encryption Analysis Jobs Per Month

It is recommended to run a Platform Encryption Analysis job within Own Secure® at least once every 30 days so you can keep track of field changes that naturally happen within Salesforce.

Access Control (Authentication)

Is the system accessible to the right users at the right times without compromising security of the org?

Non-Compliant Password Settings

Password settings are an important way to improve overall security within Salesforce. You can set password history, length, and complexity requirements and also specify what to do when a user forgets their password.

Users without IP Restrictions

Login IP restrictions are set at the profile level and limit unauthorized access to Salesforce by requiring users to login from designated IP addresses. By using Login IP Ranges, a defined range of addresses can be used to control access. Users who try to login from outside the specified IP address ranges will not be granted access.

Security Model (Authorization)

Is the Salesforce Security Model implemented in accordance with the organization’s needs?

Data Vulnerability

Users should have access to high risk fields and objects which contain those fields sparingly.

Report Access

Reports allow users to access large sets of data within Salesforce, only users who require access to reports should be assigned.

Users with Setup / Configuration

Users with the View Setup and Configuration system permission can view Setup pages which is generally reserved for System Admin type users. Security policies can vary but we generally recommend 20% or less of your total users have access to view Setup and Configuration.

Administrative Permissions

Administrative permissions include things like Modify All Data, Modify Metadata Through Metadata API Functions and View All Data.

Unused Custom Profiles

Custom profiles should only be created / maintained when users are identified who require them. Profile best practices call for the removal of unused profiles. Cleaning up unused profiles is an excellent way to keep profile proliferation to a minimum.


Are applicable integrations implemented in a fashion that is consistent with the organization’s stated goals?

Insecure Remote Site Settings

Remote Site Settings are used to register an access external website resources and should always be used securely (HTTPS).

Unencrypted Settings

These are fields from Custom Settings or Custom Metadata Types that appear to be both unencrypted and containing sensitive configuration information.

Data Loss Prevention

How well is the information in the system being protected against loss?

Data Egress

Data egress refers to data leaving a network and is important to manage to prevent sensitive data loss.

Data Tracking

Tracking the changes to field data is an important way to monitor the data changes that occur within Salesforce. It is especially important to track field history changes for fields that are classified as high risk. The percentage of data classification completed is also taken into consideration in the scoring here. By default, 20 fields per object can be tracked but this number increases to 60 or beyond with Salesforce Shield Field Audit Trail.

Data Vulnerability

Users should have access to high risk fields and objects which contain those fields sparingly.

Defined History Retention Policies

History Retention Policies are part of Shield Field Audit Trail and are used to define how long field history data is stored on an object-by-object basis. History Retention Policies are supported for all custom objects and a sub-set of standard objects.


If data were to be maliciously accessed, used or modified, are processes and technology in place to raise awareness or support research?

Non-Compliant Session Settings

When a user successfully logs into Salesforce, a session is established. Session settings are used to control things like session timeouts, caching, connections and more and should be aligned to your organization's security posture.

Non-Compliant Key Management

Certificate and key pairs are used to verify a request is coming from your Salesforce org and should be generated if you're working with an external website. The Certificate and Key Management settings are part of the Salesforce Health Check.

Untracked Event Types

If you are licensed for Event Monitoring, it is considered best practice to track all event types that support data storage.

Active Transaction Security Policies

Transaction Security Policies are part of Salesforce Shield Event Monitoring and can be used to intercept real-time Salesforce events and apply appropriate actions based on the security policies you create. Event types supported include API, List view, Login and Report events and actions that can be taken include things like a notification, requiring 2FA or blocking the event altogether.

Interested in learning more? Request a free Guided Risk Assessment for Salesforce today, or schedule a demo below.

Get started

Submit your details and we will contact you shortly to schedule a custom 25-minute demo.

Book a demo
Get started

Submit your details and we will contact you shortly to schedule a custom 25-minute demo.

Book a demo
Own Company


Get started

Share your details and we’ll contact you shortly to schedule a custom 25-minute demo.

Schedule a Demo