The State of Security within Salesforce Orgs

How are organizations keeping their Salesforce secure?

We are collecting information on the status of security within Salesforce orgs. What are organizations doing (or not doing)? And how does that compare with typical behaviors?

This survey will be anonymous, but if you would like to see an early copy of the results (or if you're hoping to win a Trailblazer hoodie), please feel free to share your email address at the end of the survey.

There are 48 questions, and the survey should only take you about 10-15 minutes to complete. It would be useful to have your Salesforce org open while you're completing the survey.


Organization Demographics
1. What industry is your organization in?
2. Where is your organization located?
3. What is the annual revenue of your organization?
4. How many employees does your organization have?

General Security
5. What edition of Salesforce does your org use?
6. Is your Salesforce org using Salesforce Lightning?
7. How many years has your organization been using Salesforce?
8. What Salesforce Clouds does your organization currently leverage? (Select all that apply)
9. What additional Salesforce features are you using? (CPQ, FSL, etc.) Select all that apply.
10. How many 'Salesforce' and 'Salesforce Platform' licenses are you allocated across all your Salesforce instance(s)? (In other words - how many internal users do you have?)
11. Do you back up your Salesforce data?
12. If yes, what solution(s) do you use for data backup? (Select all that apply)
13. What is the frequency that your org backs up your Salesforce Data?
14. How many Salesforce Admins does your org have? (These would be users with any of the following permissions: Modify All Data, Customize Application, Weekly Export, or Manage Users)

User Access & Permissions
15. Is your Salesforce Org integrated with an SSO?
16. Is MFA enabled for all Salesforce Users in your org?
17. What are the record-sharing methods used in your org to expand or restrict record visibility? (Select all that apply)
18. How often do you review and update user access and permissions based on changes in job roles or responsibilities?
19. Are there any active User accounts within your Salesforce org that belong to individuals who are no longer with your company?
20. Have IP restrictions been configured to control access to Salesforce from specific locations?
21. How often are the Sharing Settings per Object reviewed in your organization's Salesforce org?

Data Encryption & Protection
22. Is your org using encrypted fields to protect sensitive data stored in Salesforce?
23. Does your company have policies in place to ensure that sensitive data is not stored in plain text within Salesforce?
24. Does your company use Salesforce Shield or other encryption tools to enhance data security?
25. Does your organization have a data retention and deletion policy in place to manage the data lifecycle within Salesforce?
26. If the answer to the previous question is yes - is the process automated or manual?

Monitoring & Logging
27. What measures does your organization have in place for monitoring user activities and access logs within Salesforce? (Select all that apply)
28. Does your organization have alerts set up to alert Admins to any of the following activities? (Select all that apply)
29. Does your organization regularly review and analyze Salesforce audit logs for any unusual patterns or unauthorized access attempts?
30. Has your organization implemented measures to detect and prevent unauthorized data exports from Salesforce?
31. How do you handle incident response and investigation within Salesforce in the event of a security breach? (Select all that apply)

Integrations & Third-Party Apps
32. What user license and settings does your organization use to integrate external applications with Salesforce? (Select all that apply)
33. What integrations does your org have with other systems?
34. How does your org ensure the security of data exchanged between Salesforce and these systems?
35. When was the last time that your organization conducted security assessments of the third-party Salesforce apps and integrations used within your Salesforce environment?
36. Are there any deprecated or unsupported integrations that need to be updated or removed for security reasons?
37. Does your organization have policies in place for reviewing and approving new third-party apps before integrating them with Salesforce?

Security Training & Awareness
38. Does your organization provide security awareness training to Salesforce users to educate them about best practices and potential threats?
39. Has your organization conducted phishing simulation exercises to assess the susceptibility of Salesforce users to social engineering attacks?
40. Are there specific security policies and guidelines in your organization that Salesforce users are expected to adhere to?
41. How does your organization communicate security updates and important notifications to Salesforce users?
42. What is your organization's process for reporting security incidents or concerns related to Salesforce? (Select all that apply)

Security Governance & Compliance
43. Who is responsible for overseeing security governance and compliance within your organization's Salesforce environment?
44. Has your organization established a security governance framework specific to Salesforce, outlining responsibilities and accountability?
45. How does your organization ensure that security controls and configurations within Salesforce align with your organization's overall security policies and standards? (Select all that apply)
46. How often do you conduct regular reviews and assessments to ensure adherence to security governance guidelines within Salesforce?
47. Are there any upcoming changes in security regulations or standards that may impact your Salesforce security posture?
48. If you would like to receive the report once all anonymous responses have been analyzed, please share your email address.