If your organization is preparing for SOX or IT audits while using Salesforce as its CRM, one of the first things to do is enforce IT general controls (ITGC) to mitigate risks in the CRM. Whether your organization has a mature CRM instance with development and support teams in place or is in the middle of a new implementation, the questions a CISO should ask are the same: is the CRM secure, which risks must be controlled to avoid major audit findings, and how is security enforced as a culture across the enterprise?
Based on my work with different types of organizations dealing with security and compliance issues, I always advise organizations to start on the following core strategies, which will help them implement the right security framework and culture.
With ITGC spanning program changes, development, computer operations, access to programs and data, and governance and environment controls, it is hard to know which high-risk area to start with. The two categories below carry the most risk in a CRM and are the place to begin.
1. User provisioning (joiners, movers and leavers [JML]) governance
2. Sensitive data access (PII, PCI and organization-level sensitive data based on contracts with customers)
User Provisioning Governance
Most organizations are moving toward single sign-on and multifactor authentication, which are good control mechanisms for provisioning new users and having them log in and verify their identities. The biggest gaps come into play when provisioning access to new users based on a service ticket, job role and title. Once a ticket is provisioned for a new user to access the CRM, IT organizations use manual or automated processes to assign users in the CRM with a specific profile, role or access. Here are some questions to identify high-risk gaps that many organizations are not looking at.
1. How do you provision superusers, system administrators and users who have access to sensitive data like PII, PCI and other organization-level sensitive data?
2. What is the process for giving more access to an existing user, such as granting superuser permissions or delegated admin rights for a period of time? How is the user provisioning and approval done?
3. How is user termination handled? What is the process to migrate all records owned by the terminated user to a new user, and how do you handle data risks, such as downloads or deletions, that may be caused by the user?
Here are some simple solutions organizations can utilize to manage the risks.
1. Have a global JML strategy for your organization, and include a generic mapping of all job titles, agreed with HR, that indicates who has system-level access in your CRM, ERP and financial systems.
2. Have exception reporting with tools and automation in place that can detect high-risk events like data downloads, mass data downloads and unwanted access to superuser privileges, and have support teams ready to handle these situations.
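The exception reporting described above can be reduced to a small rule set run over exported audit records. The following is an added example, not code from the article or from Salesforce: it flags the three event classes the text names (a single large report export, a burst of exports by one user, and a high-risk privilege grant with no approved change ticket) over constructed sample records. The record shape, the permission names, the ticket identifiers and the thresholds are assumptions; real Salesforce Event Monitoring and Setup Audit Trail exports use their own column layouts and would be mapped into this shape first.

```python
"""Exception reporting over CRM audit records (added example, assumed record shape).

Flags the high-risk events named in the text:
  - mass_export: one report export above a row threshold
  - export_burst: several exports by one user inside a short window
  - unapproved_privilege_grant: a superuser-level permission granted without
    a change ticket on the approved list
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. The shape is a simplified assumption, not the
# real EventLogFile / SetupAuditTrail columns.
SAMPLE_EVENTS = [
    {"type": "ReportExport", "ts": "2024-03-04T09:00:00", "user": "alice", "rows": 120},
    {"type": "ReportExport", "ts": "2024-03-04T09:05:00", "user": "bob", "rows": 250000},
    {"type": "ReportExport", "ts": "2024-03-04T10:00:00", "user": "carol", "rows": 400},
    {"type": "ReportExport", "ts": "2024-03-04T10:07:00", "user": "carol", "rows": 900},
    {"type": "ReportExport", "ts": "2024-03-04T10:15:00", "user": "carol", "rows": 700},
    {"type": "ReportExport", "ts": "2024-03-04T10:40:00", "user": "carol", "rows": 300},
    {"type": "PermissionGrant", "ts": "2024-03-04T11:00:00", "user": "dave",
     "target": "erin", "permission": "Modify All Data", "ticket": "CHG-1042"},
    {"type": "PermissionGrant", "ts": "2024-03-04T11:30:00", "user": "dave",
     "target": "frank", "permission": "System Administrator", "ticket": None},
]

# Constructed: tickets the change process has approved, and the permissions
# the organization treats as superuser-level.
APPROVED_TICKETS = {"CHG-1042"}
HIGH_RISK_PERMISSIONS = {"Modify All Data", "View All Data", "System Administrator"}


def find_high_risk_events(events, approved_tickets, max_rows=100000,
                          burst_count=3, burst_window_minutes=30):
    """Return a list of (alert_kind, subject_user, detail) tuples."""
    alerts = []
    exports_by_user = defaultdict(list)

    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "ReportExport":
            if e["rows"] > max_rows:
                alerts.append(("mass_export", e["user"],
                               f"{e['rows']} rows in one export"))
            exports_by_user[e["user"]].append(ts)
        elif e["type"] == "PermissionGrant" and e["permission"] in HIGH_RISK_PERMISSIONS:
            # Any superuser-level grant must trace back to an approved ticket.
            if e["ticket"] not in approved_tickets:
                alerts.append(("unapproved_privilege_grant", e["target"],
                               f"{e['permission']} granted by {e['user']} "
                               "without an approved ticket"))

    # Sliding window over each user's export timestamps: flag the user once
    # when burst_count exports fall inside burst_window_minutes.
    window = timedelta(minutes=burst_window_minutes)
    for user, stamps in exports_by_user.items():
        stamps.sort()
        for i in range(len(stamps) - burst_count + 1):
            if stamps[i + burst_count - 1] - stamps[i] <= window:
                alerts.append(("export_burst", user,
                               f"{burst_count} exports within {burst_window_minutes} minutes"))
                break
    return alerts


if __name__ == "__main__":
    for kind, who, detail in find_high_risk_events(SAMPLE_EVENTS, APPROVED_TICKETS):
        print(f"{kind:28} {who:8} {detail}")
```

The thresholds are deliberately parameters: the right row limit and burst window depend on how the business uses reports, and tuning them against a few weeks of normal activity is what keeps the support team from drowning in noise. The ticket check is the piece that turns the report from "who got admin" into "who got admin outside the approval process", which is what an auditor actually asks.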
Data Categorization For Sensitive Data Access
With CRM data spreading across multiple systems, channels and devices, IT teams often do not catalog data as "PII," "PCI" or "sensitive." With compliance rules like GDPR, CCPA and state-level data protection laws, organizations can end up paying millions of dollars in external audit fees and penalties for violations. There is a real lack of ownership between IT and CRM teams over who is responsible for identifying data as "sensitive" and cataloging it, and the result is that no action is taken at all. So the question is, "Where do we start, and how can we identify concrete actions to enforce standards?"
If you are in the middle of a new implementation of CRM software, have a resource responsible for security and controls within your CRM team who is tasked with identifying sensitive data. If your team has a mature CRM that has been in existence for more than about five years, here are some tactics that you can implement to start in the right direction.
1. Create a sensitive data steward team that is composed of resources from your CRM, data warehouse and back-office systems like ERP; have them work on a solution to identify sensitive data in terms of PII and PCI; and flag data sources that will contain them.
2. Have your compliance and security teams create global sensitive data standards and templates that will help IT teams flag sensitive data like "PII sensitive," "PII core," "internal" and "public," and provide concrete definitions and examples for each category.
3. Leverage automated tools and solutions that can flag data as sensitive based on the existing data and definitions, and use them to proactively monitor for newly added fields that may contain sensitive data.
4. If your organization has contracts with your customers and your team does third-party work for them, such as processing claims, handling services for your customers and billing your customers' customers on their behalf, it is time to work with legal teams on the contracts and identify a global sensitive data definition.
5. Have the enterprise architecture team create architectural reviews and solutions to handle sensitive data and third-party data and implement them as part of your change management strategies to approve releases.
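Steps 2 and 3 above, a global set of category definitions and an automated tool that applies them to new fields, can be prototyped as a rule-based classifier over field metadata. The following is an added example, not code from the article or from any Salesforce product: it applies the category names used in the text ("PII core," "PII sensitive," "internal," "public," plus "PCI") to constructed field records and reports which objects hold flagged fields, so the steward team knows which data sources to catalog. The regular expressions, the category ranking and the sample schema are assumptions that a steward team would replace with its own definitions and examples.

```python
"""Rule-based sensitive-data classifier for CRM field metadata (added example).

Each rule is (category, regex) matched against "<object>.<api name> <label>".
Rules are ordered from most to least sensitive; the first match wins.
"""
import re

# Assumed category definitions. Name-based matching is a first pass only; a
# steward team reviews the output and refines the patterns (false positives
# on unusual field names are expected).
RULES = [
    ("PCI", re.compile(r"card.?number|\bpan\b|cvv|expir", re.I)),
    ("PII sensitive", re.compile(r"ssn|social.?security|passport|date.?of.?birth|birthdate|national.?id", re.I)),
    ("PII core", re.compile(r"email|phone|mobile|street|address|first.?name|last.?name", re.I)),
    ("internal", re.compile(r"margin|cost|internal.?note", re.I)),
]
DEFAULT_CATEGORY = "public"

# Constructed sample metadata (assumed shape: object, API name, label, type).
SAMPLE_FIELDS = [
    {"object": "Contact", "name": "Email", "label": "Email", "type": "email"},
    {"object": "Contact", "name": "Birthdate", "label": "Birthdate", "type": "date"},
    {"object": "Contact", "name": "Title", "label": "Title", "type": "string"},
    {"object": "Claim__c", "name": "Member_SSN__c", "label": "Member SSN", "type": "string"},
    {"object": "Payment__c", "name": "Card_Number__c", "label": "Card Number", "type": "string"},
    {"object": "Opportunity", "name": "Gross_Margin__c", "label": "Gross Margin", "type": "percent"},
    {"object": "Account", "name": "Industry", "label": "Industry", "type": "picklist"},
]


def classify_field(field, rules=RULES):
    """Return the category for one field based on its API name and label."""
    haystack = f"{field['object']}.{field['name']} {field['label']}"
    for category, pattern in rules:
        if pattern.search(haystack):
            return category
    return DEFAULT_CATEGORY


def classify_fields(fields, rules=RULES):
    """Classify every field; returns {(object, api_name): category}."""
    return {(f["object"], f["name"]): classify_field(f, rules) for f in fields}


def flagged_objects(fields, rules=RULES, flagged=("PCI", "PII sensitive", "PII core")):
    """Objects (data sources) holding at least one flagged field, mapped to the
    most sensitive category found on that object."""
    rank = {category: i for i, (category, _) in enumerate(rules)}  # lower = more sensitive
    result = {}
    for f in fields:
        category = classify_field(f, rules)
        if category not in flagged:
            continue
        current = result.get(f["object"])
        if current is None or rank[category] < rank[current]:
            result[f["object"]] = category
    return result


if __name__ == "__main__":
    for (obj, name), category in classify_fields(SAMPLE_FIELDS).items():
        print(f"{obj}.{name}: {category}")
    print("objects to catalog:", flagged_objects(SAMPLE_FIELDS))
```

Running this against the metadata of every new release (for example as a check in the change management pipeline from step 5) is what makes the standard proactive: a field added last sprint that matches a PII pattern shows up before it reaches production, rather than in the next audit.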
By starting on user provisioning and sensitive data access strategies and solutions, organizations can reduce risks in their CRMs and save a lot of money and time on audits.