Org Scoring Approaches in Secure

    This article discusses how an organization would define a scoring policy and which scoring approach to use when securing their data.


    Define a Policy

    • First fine tune a scoring policy in a full sandbox environment.
    • Import the scoring policy into a production environment using the Secure Policy Migration Wizard.


    Scoring Approach

    • Run at 100
      • Goal(s) 
        • Scores should equal 100% across lenses, unless something new has been introduced and decreases the lens score(s).
      • Benefits
        • It is very easy to detect when something risky has been introduced to the Org.
        • Lens score alerts provide valuable proactive notifications and justify periodic SI job runs.
        • Collaboration on scoring configuration between InfoSec & Salesforce COE better informs both parties on what the ideal configuration looks like.
      • Downsides
        • More time is spent on exclusions and discussions in the beginning.
        • More setup work is required.
      • Configuration Guidelines
        • Set “Max” thresholds at 0 in most cases.
        • Leverage exclusions for accepted risks (e.g. 5 Insecure Remote Site Settings).
        • Ensure risk ratings reflect how the Customer feels about the risk of the information in an insight.
    • Reflect Residual Risk
      • Goal(s)
        • Org scores reflect the actual risk of the Org.
        • There are few, if any, exclusions or accepted risks.
      • Benefits
        • The Org does not obtain a false sense of security from all SI lens scores being 100%.
        • Vulnerabilities are clearer and accurately influence investment decisions.
        • Easier initial setup.
      • Downsides
        • Can be more difficult to immediately identify that something risky has been introduced to the Org. Lens score alerts and Action Plans can alleviate this.
        • Goes against human nature, which desires 100% scores.
      • Configuration Guidelines
        • Use Max values above 0 more often and rely less on exclusions.
        • For example, consider the insight for users without IP restrictions. Restricting every user is never implemented in practice and is not practical: two admins have profile-based IP restrictions while no one else does. Set Max > 0. The score will be < 1%, as it should be, to represent the risk of this scenario. The only way to achieve 100% would be to set Max to 0 and exclude both admins with IP restrictions.
    For information on how the Insight Scoring algorithm works, a table has been made available here.