Additional Resources
Salesforce Help
- Security-Related Product Updates to the Salesforce Platform
- Prepare for Phishing-Resistant MFA Enforcement for Privileged Users including Admins
Salesforce Trust
This is the primary hub for transparency and security updates. It provides real-time information on system performance and security incidents.
- trust.salesforce.com — View live status updates, planned maintenance, and security alerts
- Compliance — Detailed documentation on global certifications (ISO, SOC, HIPAA, etc.)
Salesforce Shield
Shield Data Sheet | Shield Demo | Webinar: Implement Shield in 20 Minutes | Trailhead: Secure your Apps with Salesforce Shield
Shield is a suite of advanced security and compliance tools designed for organizations in highly regulated industries or those that store critical or sensitive data. It includes four main components:
- Platform Encryption: Encrypt sensitive data at rest (fields, files, and attachments) while still maintaining platform functionality like search and workflow.
- Event Monitoring: Track who is accessing what data, from which IP, and even when someone downloads a report. New for 2026: Automated Transaction Security Policies now proactively block suspicious report exports or logins based on AI-driven risk scores.
- Field Audit Trail: Extends your data retention capabilities — while standard Salesforce tracks field changes for 18 months, Field Audit Trail can store up to 10 years of history for up to 60 fields per object.
- Data Detect: Uses managed data discovery to scan your org for sensitive information (like PII or credit card numbers) that might be stored in the wrong places.
Security Center
Datasheet | Demo | Trailhead | Web
If Shield is about securing the data, Security Center is about managing the posture across your entire ecosystem.
- Single Pane of Glass: View security health, configuration changes, and user permissions across all your production and sandbox environments in one dashboard.
- Agentforce Integration (2026): Security Center now includes AI-powered agents that flag unusual activity — such as a sudden spike in admin permissions or a login from a restricted geography — and suggest immediate remediation plans.
- Policy Management: Create a security blueprint and push it to all your orgs to ensure they all meet the same standards.
Trailhead
- Protect Your Salesforce Data — Covers the basics of visibility and access
- Security Specialist Superbadge — A real-world business case where you must implement complex security requirements
- User Authentication — Focused on MFA, SSO, and My Domain
Community & Best Practices
- Salesforce Admins - Security Page — Blog posts and webinars specifically for admins
- Trailblazer Community — Groups like "Security Group-Public" allow you to ask questions to Salesforce employees and experienced MVPs
Appendix: Standard Baseline XML
Use this XML if you are unable to download or open the exported baseline file during Exercise 4. Copy the content below, paste it into a plain text editor, make the required change, and save it as Custom Baseline.xml.
Change to make: In <mediumRiskSecuritySettings>, find the PasswordPolicies.minPasswordLength line and update compliant="8.0" to compliant="11.0".
On a Mac, open TextEdit and click Format → Make Plain Text before pasting. On Windows, use Notepad.
```xml
<!--
Please read Custom Baseline File Requirements for information about making changes in this file:
https://help.salesforce.com/articleView?id=security_custom_baseline_file_requirements.htm
-->
<baseline xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="SFDC recommended" developerName="SFDCRecommended" xsi:noNamespaceSchemaLocation="security-risk-baseline.xsd">
  <highRiskSecuritySettings>
    <booleanSetting name="SessionSettings.lockSessionsToDomain" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.enableSmsIdentity" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.clickjackSetup" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.clickjackNonSetup" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.clickjackVisualForceHeaders" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.clickjackVisualForceNoHeaders" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.csrfGet" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.csrfPost" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.requireHttpOnly" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="Identity.mfaEnabled" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="ExternalClientApps.metadataApiAccess" compliant="false" nonCompliant="critical"/>
    <numericRangeSetting name="FileUploadAndDownloadSecurity.hybridSecurityRiskFileTypes" compliant="0.0" warning="0.5"/>
    <enumSetting name="PasswordPolicies.maxLoginAttempts" compliant="ThreeAttempts" warning="FiveAttempts,TenAttempts" critical="NoLimit"/>
    <numericRangeSetting name="CertificateAndKeyManagement.expiredCert" compliant="0.0" warning="1.0"/>
    <numericRangeSetting name="SharingSettings.orgWideDefaults" compliant="0.0" warning="1.0"/>
    <numericRangeSetting name="NetworkSecurity.trustedIpRangesConfigured" compliant="1.0" warning="0.5"/>
  </highRiskSecuritySettings>
  <mediumRiskSecuritySettings>
    <booleanSetting name="PasswordPolicies.minOneDayPasswordLifetime" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.forceRelogin" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.enforceLoginIp" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.terminateSessionsOnPasswordReset" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.cspOnEmail" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.contentSniffingProtection" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="LoginAccessPolicies.adminLoginAsAnyUser" compliant="false" nonCompliant="critical"/>
    <numericRangeSetting name="PasswordPolicies.history" compliant="3.0" warning="1.0"/>
    <!-- Standard value; Exercise 4 asks you to raise compliant="8.0" to compliant="11.0" on this line -->
    <numericRangeSetting name="PasswordPolicies.minPasswordLength" compliant="8.0" warning="6.0"/>
    <enumSetting name="PasswordPolicies.expiration" compliant="ThirtyDays,SixtyDays,NinetyDays" warning="SixMonths" critical="OneYear,Never"/>
    <enumSetting name="PasswordPolicies.complexity" compliant="SpecialCharacters,UpperLowerCaseNumeric,UpperLowerCaseNumericSpecialCharacters,Any3UpperLowerCaseNumericSpecialCharacters" warning="AlphaNumeric" critical="NoRestriction"/>
  </mediumRiskSecuritySettings>
  <lowRiskSecuritySettings>
    <booleanSetting name="PasswordPolicies.obscureSecretAnswer" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.forceLogoutOnTimeout" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.icOn2faRegistration" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.icOnEmailChange" compliant="true" nonCompliant="critical"/>
    <numericRangeSetting name="RemoteSiteSettings.remoteSiteSettings" compliant="0.0" warning="1.0"/>
    <enumSetting name="PasswordPolicies.questionRestriction" compliant="DoesNotContainPassword" warning="None"/>
    <enumSetting name="PasswordPolicies.lockoutInterval" compliant="ThirtyMinutes,SixtyMinutes,Forever" warning="FifteenMinutes"/>
    <enumSetting name="SessionSettings.timeout" compliant="FifteenMinutes,ThirtyMinutes,SixtyMinutes,NinetyMinutes,TwoHours" warning="FourHours,EightHours,TwelveHours" critical="TwentyFourHours"/>
  </lowRiskSecuritySettings>
  <informationalSecuritySettings>
    <numericRangeSetting name="CertificateAndKeyManagement.keySize" compliant="4096.0" warning="2048.0"/>
    <numericRangeSetting name="CertificateAndKeyManagement.certExpiration" compliant="180.0" warning="1.0"/>
    <booleanSetting name="UserPIISettings.enforceNameVisibility" compliant="true" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.redirectionAllowUntrusted" compliant="false" nonCompliant="critical"/>
    <booleanSetting name="SessionSettings.lockSessionsToIp" compliant="true" nonCompliant="warning"/>
    <booleanSetting name="Identity.samlEnabled" compliant="true" nonCompliant="critical"/>
    <numericRangeSetting name="GuestUserAccess.guestEditAccess" compliant="4.0" warning="9.0"/>
    <numericRangeSetting name="GuestUserAccess.guestReadAccess" compliant="4.0" warning="9.0"/>
    <numericRangeSetting name="GuestUserAccess.guestAccessSharingRules" compliant="0.0" warning="4.0"/>
    <numericRangeSetting name="AdminUsers.activeSystemAdministratorCount" compliant="5.0" warning="10.0"/>
  </informationalSecuritySettings>
</baseline>
```
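The edit described in the appendix can also be made programmatically, which is handy when you maintain several custom baselines. The script below is an added example, not code from Salesforce or from the exercise material. It carries an abridged copy of the standard baseline above (four settings kept), changes the PasswordPolicies.minPasswordLength threshold from 8.0 to 11.0 with ElementTree, and then rates a constructed set of org values against both the standard and the custom baseline. The rating rules are my reading of the three setting types in the file (boolean: match or take the nonCompliant severity; numericRange: the compliant/warning pair sets the direction, so 4096.0/2048.0 means higher is better while 0.0/1.0 means lower is better; enum: membership in the compliant, warning or critical list), not Salesforce's published Health Check algorithm. The sample org values and the file name written by `main` are constructed for the example.

```python
# Added example (not Salesforce's code): edit a Health Check custom baseline with
# ElementTree and rate constructed org values against it.
import xml.etree.ElementTree as ET

# Keep the xsi: prefix on output; without this ElementTree rewrites it as ns0:.
ET.register_namespace("xsi", "http://www.w3.org/2001/XMLSchema-instance")

# Abridged copy of the standard baseline from the appendix (four settings kept).
STANDARD_BASELINE = """\
<baseline xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" name="SFDC recommended"
          developerName="SFDCRecommended" xsi:noNamespaceSchemaLocation="security-risk-baseline.xsd">
  <highRiskSecuritySettings>
    <booleanSetting name="Identity.mfaEnabled" compliant="true" nonCompliant="critical"/>
    <numericRangeSetting name="CertificateAndKeyManagement.expiredCert" compliant="0.0" warning="1.0"/>
  </highRiskSecuritySettings>
  <mediumRiskSecuritySettings>
    <numericRangeSetting name="PasswordPolicies.minPasswordLength" compliant="8.0" warning="6.0"/>
    <enumSetting name="PasswordPolicies.expiration" compliant="ThirtyDays,SixtyDays,NinetyDays"
                 warning="SixMonths" critical="OneYear,Never"/>
  </mediumRiskSecuritySettings>
</baseline>
"""

# Constructed sample of one org's current values (use a Python bool for boolean settings).
SAMPLE_ORG = {
    "Identity.mfaEnabled": False,
    "CertificateAndKeyManagement.expiredCert": 2,
    "PasswordPolicies.minPasswordLength": 8,
    "PasswordPolicies.expiration": "Never",
}


def set_compliant_value(baseline_xml, section, setting_name, new_value):
    """Return the baseline with one setting's compliant threshold replaced."""
    root = ET.fromstring(baseline_xml)
    node = root.find(f"./{section}/*[@name='{setting_name}']")
    if node is None:
        raise KeyError(f"{setting_name} not found under <{section}>")
    node.set("compliant", new_value)
    return ET.tostring(root, encoding="unicode")


def rate_setting(setting, org_value):
    """Rate one org value against one baseline element (assumed rules, see lead-in)."""
    if setting.tag == "booleanSetting":
        wanted = setting.get("compliant") == "true"
        return "compliant" if bool(org_value) == wanted else setting.get("nonCompliant")
    if setting.tag == "numericRangeSetting":
        good = float(setting.get("compliant"))
        warn = float(setting.get("warning"))
        value = float(org_value)
        if good > warn:  # higher is better, e.g. key size or password length
            return "compliant" if value >= good else "warning" if value >= warn else "critical"
        # lower is better, e.g. number of expired certificates
        return "compliant" if value <= good else "warning" if value <= warn else "critical"
    if setting.tag == "enumSetting":
        for level in ("compliant", "warning", "critical"):
            if org_value in setting.get(level, "").split(","):
                return level
        return "critical"  # value listed under none of the levels
    raise ValueError(f"unknown setting type <{setting.tag}>")


def rate_org(baseline_xml, org_values):
    """Map each known setting name to (risk section, rating)."""
    root = ET.fromstring(baseline_xml)
    results = {}
    for section in root:
        for setting in section:
            name = setting.get("name")
            if name in org_values:
                results[name] = (section.tag, rate_setting(setting, org_values[name]))
    return results


if __name__ == "__main__":
    custom = set_compliant_value(STANDARD_BASELINE, "mediumRiskSecuritySettings",
                                 "PasswordPolicies.minPasswordLength", "11.0")
    with open("Custom Baseline.xml", "w", encoding="utf-8") as fh:  # file name from the exercise
        fh.write(custom)
    for baseline, label in ((STANDARD_BASELINE, "standard"), (custom, "custom")):
        for name, (section, rating) in rate_org(baseline, SAMPLE_ORG).items():
            print(f"{label:8} {section:32} {name:45} {rating}")
```

Note that `ET.fromstring` drops the leading comment block, so the written file no longer carries the link to the Custom Baseline File Requirements; if you need it preserved, prepend it as text before writing. The same sample org that is compliant on password length under the standard baseline drops to warning once the custom threshold is 11.0, which is exactly the change the exercise is meant to surface in Health Check.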