sf-agent-framework
AI Agent Orchestration Framework for Salesforce Development - Two-phase architecture with 70% context reduction
# Salesforce Security Checklist
## Overview
This checklist collects the security controls to review and document in a
Salesforce implementation, grouped by area.
## Access Control
### Organization-Wide Defaults (OWD)
- [ ] OWD settings reviewed for all objects
- [ ] Private access set where appropriate
- [ ] Public Read Only used judiciously
- [ ] Public Read/Write avoided unless necessary
- [ ] Controlled by Parent configured correctly
- [ ] Grant Access Using Hierarchies reviewed
- [ ] External OWD settings configured
- [ ] Portal user access restricted
- [ ] Guest user access minimized
- [ ] Default settings documented
### Profiles and Permission Sets
- [ ] Principle of least privilege applied
- [ ] Standard profiles cloned, not modified
- [ ] Custom profiles minimized
- [ ] Permission sets used for extensions
- [ ] Object permissions reviewed
- [ ] Field-level security implemented
- [ ] Tab visibility configured
- [ ] App access restricted
- [ ] System permissions audited
- [ ] API access controlled
## Data Security
### Field-Level Security
- [ ] Sensitive fields protected
- [ ] PII fields restricted
- [ ] Financial data secured
- [ ] Health information protected
- [ ] Read-only fields enforced
- [ ] Hidden fields justified
- [ ] Formula fields secured
- [ ] Encrypted fields identified
- [ ] Masking implemented where needed
- [ ] Audit fields protected
### Record-Level Security
- [ ] Sharing rules implemented
- [ ] Criteria-based sharing used
- [ ] Manual sharing monitored
- [ ] Apex sharing controlled
- [ ] Teams functionality secured
- [ ] Territory management reviewed
- [ ] Role hierarchy validated
- [ ] Public groups managed
- [ ] Queue membership controlled
- [ ] Sharing recalculation planned
## Authentication and Authorization
### Login Security
- [ ] Password policies enforced
- [ ] Password complexity required
- [ ] Password history enabled
- [ ] Account lockout configured
- [ ] Login hours restricted
- [ ] IP restrictions implemented
- [ ] Two-factor authentication enabled
- [ ] SSO implemented where applicable
- [ ] Session timeout configured
- [ ] Login forensics enabled
### Identity Management
- [ ] User provisioning automated
- [ ] Deprovisioning process defined
- [ ] Regular access reviews scheduled
- [ ] Orphaned accounts identified
- [ ] Service accounts documented
- [ ] External user access controlled
- [ ] Portal users managed
- [ ] Community users restricted
- [ ] Integration users isolated
- [ ] Admin accounts monitored
## Platform Security
### Security Settings
- [ ] Shield Platform Encryption evaluated
- [ ] Classic Encryption implemented
- [ ] Event Monitoring enabled
- [ ] Field Audit Trail activated
- [ ] Setup Audit Trail reviewed
- [ ] Login Forensics monitored
- [ ] Security Health Check run
- [ ] Critical updates applied
- [ ] Security patches installed
- [ ] Clickjack protection enabled
### Network Security
- [ ] Trusted IP ranges configured
- [ ] Network access restricted
- [ ] VPN requirements defined
- [ ] API access controlled
- [ ] Connected app policies set
- [ ] OAuth policies configured
- [ ] CORS settings reviewed
- [ ] Content Security Policy set
- [ ] Remote site settings audited
- [ ] Named credentials used
## Code Security
### Apex Security
- [ ] CRUD permissions checked
- [ ] FLS enforced in code
- [ ] Sharing rules respected
- [ ] `WITH SECURITY_ENFORCED` used
- [ ] System mode usage justified
- [ ] SOQL injection prevented
- [ ] Dynamic SOQL secured
- [ ] Input validation implemented
- [ ] Output encoding applied
- [ ] Error messages sanitized
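As an added example that is not part of the sf-agent-framework checklist, a hypothetical Apex class (all names assumed) that works through the Apex Security items above: a "before" with user input concatenated into dynamic SOQL, beside hardened static and dynamic queries that respect sharing, enforce CRUD and FLS, and return sanitized errors. It assumes API version 57.0 or later for `Database.queryWithBinds`.

```apex
// Added example, not code from the sf-agent-framework checklist. Hypothetical
// service demonstrating the Apex Security checks; requires API 57.0+ for
// Database.queryWithBinds.
public with sharing class AccountLookupService {        // sharing rules respected

    public class LookupException extends Exception {}

    // BEFORE (the pattern the checklist forbids): untrusted input spliced into
    // dynamic SOQL and run in system mode. A quote in the input changes the
    // query's structure, and no CRUD/FLS check is applied to AnnualRevenue.
    public static List<Account> unsafeSearch(String userInput) {
        return Database.query('SELECT Id, Name, AnnualRevenue FROM Account '
            + 'WHERE Name LIKE \'%' + userInput + '%\'');
    }

    // AFTER: static SOQL with a bind variable. WITH SECURITY_ENFORCED throws a
    // QueryException if the object fails CRUD or any selected field fails FLS.
    public static List<Account> search(String userInput) {
        String pattern = '%' + escapeLike(userInput) + '%';
        try {
            return [SELECT Id, Name, AnnualRevenue
                    FROM Account
                    WHERE Name LIKE :pattern
                    WITH SECURITY_ENFORCED
                    LIMIT 200];
        } catch (System.QueryException e) {
            // Error messages sanitized: keep field/object names out of the UI.
            System.debug(LoggingLevel.WARN, e.getMessage());
            throw new LookupException('You do not have access to this data.');
        }
    }

    // Dynamic SOQL secured: the only caller-controlled parts are an allow-listed
    // field name and a bound value. USER_MODE enforces CRUD, FLS and sharing.
    private static final Set<String> SORTABLE = new Set<String>{ 'Name', 'CreatedDate' };

    public static List<Account> searchSorted(String userInput, String sortField) {
        if (!SORTABLE.contains(sortField)) {
            throw new LookupException('Unsupported sort field.');
        }
        String soql = 'SELECT Id, Name FROM Account WHERE Name LIKE :pat '
            + 'ORDER BY ' + sortField + ' LIMIT 200';
        return Database.queryWithBinds(soql,
            new Map<String, Object>{ 'pat' => '%' + escapeLike(userInput) + '%' },
            AccessLevel.USER_MODE);
    }

    // LIKE wildcards in user input are data, not pattern syntax: escape %, _ and \.
    private static String escapeLike(String s) {
        return s == null ? '' : s.replaceAll('[%_\\\\]', '\\\\$0');
    }
}
```

Binding the value removes injection; `escapeLike` is the separate step that stops a caller from widening the match with their own wildcards.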
### Lightning Security
- [ ] CSP compliance verified
- [ ] LockerService enabled
- [ ] Lightning Security Scanner run
- [ ] Component access controlled
- [ ] Client-side storage secured
- [ ] Event handling secured
- [ ] Third-party libraries vetted
- [ ] API calls authenticated
- [ ] Data binding secured
- [ ] Navigation controlled
## Integration Security
### API Security
- [ ] API access authenticated
- [ ] OAuth implemented correctly
- [ ] API limits enforced
- [ ] Rate limiting configured
- [ ] API versioning managed
- [ ] Endpoints documented
- [ ] Error responses sanitized
- [ ] Logging implemented
- [ ] Monitoring active
- [ ] Certificate management defined
### External Integration
- [ ] Named credentials used
- [ ] Certificates managed
- [ ] Secrets stored securely
- [ ] Connection pooling configured
- [ ] Timeout values set
- [ ] Retry logic implemented
- [ ] Error handling robust
- [ ] Data validation enforced
- [ ] Audit trail maintained
- [ ] Compliance verified
## Data Protection
### Encryption
- [ ] Encryption at rest configured
- [ ] Encryption in transit enforced
- [ ] Key management defined
- [ ] Encrypted fields identified
- [ ] File encryption enabled
- [ ] Attachment security configured
- [ ] Email encryption available
- [ ] Backup encryption verified
- [ ] Archive encryption implemented
- [ ] Compliance requirements met
### Data Loss Prevention
- [ ] DLP policies configured
- [ ] Sensitive data classified
- [ ] Export controls implemented
- [ ] Print restrictions set
- [ ] Copy/paste controls enabled
- [ ] Screenshot prevention active
- [ ] Download monitoring enabled
- [ ] Email controls configured
- [ ] Mobile access restricted
- [ ] Audit logging comprehensive
## Compliance and Privacy
### Regulatory Compliance
- [ ] GDPR requirements met
- [ ] CCPA compliance verified
- [ ] HIPAA controls implemented
- [ ] PCI DSS requirements addressed
- [ ] SOX controls in place
- [ ] Industry standards followed
- [ ] Data residency compliant
- [ ] Privacy policies updated
- [ ] Consent management active
- [ ] Right to be forgotten enabled
### Audit and Monitoring
- [ ] Audit trail comprehensive
- [ ] Log retention configured
- [ ] Real-time monitoring active
- [ ] Alerting configured
- [ ] Incident response ready
- [ ] Forensics capability enabled
- [ ] Compliance reporting automated
- [ ] Regular reviews scheduled
- [ ] Remediation tracked
- [ ] Continuous improvement active
## Security Testing
### Vulnerability Assessment
- [ ] Security scanner run
- [ ] Penetration testing completed
- [ ] Code review performed
- [ ] Configuration review done
- [ ] Access review completed
- [ ] Third-party assessment done
- [ ] Remediation plan created
- [ ] Fixes implemented
- [ ] Retesting completed
- [ ] Sign-off obtained
### Security Validation
- [ ] Authentication tested
- [ ] Authorization verified
- [ ] Data access validated
- [ ] Encryption confirmed
- [ ] Input validation tested
- [ ] Output encoding verified
- [ ] Session management tested
- [ ] Error handling reviewed
- [ ] Logging validated
- [ ] Monitoring confirmed
## Incident Response
### Preparation
- [ ] Incident response plan documented
- [ ] Response team identified
- [ ] Contact list maintained
- [ ] Escalation procedures defined
- [ ] Communication plan ready
- [ ] Tools and access verified
- [ ] Playbooks created
- [ ] Training completed
- [ ] Drills conducted
- [ ] Lessons learned incorporated
### Response Procedures
- [ ] Detection mechanisms active
- [ ] Classification criteria defined
- [ ] Containment procedures ready
- [ ] Investigation process documented
- [ ] Evidence collection defined
- [ ] Remediation steps prepared
- [ ] Recovery procedures tested
- [ ] Communication templates ready
- [ ] Reporting requirements known
- [ ] Post-incident review planned
## Security Governance
### Policies and Procedures
- [ ] Security policy documented
- [ ] Access control policy defined
- [ ] Data classification policy set
- [ ] Incident response policy ready
- [ ] Change management policy active
- [ ] Vulnerability management defined
- [ ] Compliance policy documented
- [ ] Training policy established
- [ ] Review cycle defined
- [ ] Enforcement mechanisms active
### Security Operations
- [ ] Security team roles defined
- [ ] Responsibilities documented
- [ ] Processes established
- [ ] Tools implemented
- [ ] Metrics defined
- [ ] Reporting active
- [ ] Continuous monitoring enabled
- [ ] Threat intelligence integrated
- [ ] Risk management active
- [ ] Improvement process defined
## Mobile Security
### Mobile Device Management
- [ ] MDM solution implemented
- [ ] Device policies configured
- [ ] App wrapping enabled
- [ ] Data containerization active
- [ ] Remote wipe capability ready
- [ ] Compliance checking enabled
- [ ] Jailbreak detection active
- [ ] VPN requirements defined
- [ ] Certificate management ready
- [ ] Update management active
### Mobile App Security
- [ ] App security reviewed
- [ ] Data storage encrypted
- [ ] Authentication required
- [ ] Session management secure
- [ ] API calls protected
- [ ] Offline data secured
- [ ] Code obfuscation applied
- [ ] Certificate pinning enabled
- [ ] Update mechanism secure
- [ ] Privacy controls implemented
## Third-Party Security
### AppExchange Security
- [ ] Security review completed
- [ ] Permissions reviewed
- [ ] Data access evaluated
- [ ] Integration points assessed
- [ ] Update process defined
- [ ] Vendor assessment done
- [ ] Contract terms reviewed
- [ ] SLA defined
- [ ] Support process clear
- [ ] Exit strategy planned
### Vendor Management
- [ ] Security assessments completed
- [ ] Contracts reviewed
- [ ] Compliance verified
- [ ] Access controls defined
- [ ] Monitoring implemented
- [ ] Incident response coordinated
- [ ] Performance tracked
- [ ] Risk assessed
- [ ] Relationships managed
- [ ] Continuous review active