Five Minutes Well Spent: Set Up Security Notifications Today and Be Grateful Tomorrow

In the beginning of each school year, my daughter’s school requires that we fill out a pile of forms, including an emergency contact form and contact numbers for an automated phone contact system. The school also sends weekly email bulletins that provide parents with updates on various happenings at the school. No parent wants to hear that those contacts or phone numbers will be used for an emergency, but we all know it’s imperative that the school can reach us if something does happen.

Did you know there is a similar system in place at Salesforce? Once you sign up for Security Notifications in Help & Training, Salesforce can easily provide you and/or a security contact at your company with information about security-related issues involving the platform or a specific customer instance. This will also give you the peace of mind that in the case that Salesforce is trying to reach your company, that the right person or team gets the information.

There are three types of Security Notifications sent by Salesforce:

• Security Advisory – A broadly distributed notification about a security issue relevant to all Salesforce customers. These non-customer-specific advisories will include our statement on things like Heartbleed and POODLE.
• Security Alert – A customer-specific notification about possible suspicious activity involving your Salesforce instance that requires further investigation by your organization.
• Security Incident – A customer-specific notification about a confirmed or reasonably suspected breach of data hosted on Salesforce.

Any Salesforce user can sign up to receive Security Advisories, while only administrators can sign up for Security Alert and Security Incident notifications. An administrator is defined by Salesforce as any user with a profile that has the “Manage Users” and “Modify all Data” permissions enabled. An Admin can also provide an email address for Salesforce to contact, such as a distribution list for their security team. We recommend reviewing periodically who in your organization has these two permissions enabled. Take the example of Security Alerts and Incidents. There are very few individuals who should be privy to this information at your company. Limiting the number of people with the “Manage Users” and “Modify all Data” is, therefore, the most prudent approach.

If a person or team without a Salesforce user license would like to receive these notifications, such as your security or IT department, you can work with your AE or Customer Support to create a new contact in the Salesforce database and set the Notification Preferences for this contact. This contact’s email address can be anything the customer wants to define, including an email distribution list.
Once an Admin or user signs up for Security Notifications, we recommend the individual also checks the box for Product & Service Notifications, which include:

• Product Behavior Changes
• Service Maintenance
• Feature Retirements
• End-of-Support & End-of-Pilot
• Major Release Reminders
• Off-Cycle Release Notifications (outside of the 24-hr standard release window)

So how do I do this?

To manage your security notifications, just log into the Help & Training portal, click on My Settings, and look for the Notification Preferences tab. Click the corresponding check box to select which notifications you’d like to receive.

Learn more

For more information on the type of information included in these notifications, please see the What are Product and Service Notifications? Knowledge article. If you have more questions about how to manage your Notification Preferences in Help & Training, please see the How to Manage your Notification Preferences in Help & Training Knowledge article or open a case via the Help & Training portal.