CCPA/CPRA Controls

This page lists SBS controls tagged for this regulation or framework. The mappings are indicative only and help readers identify controls that directly support demonstrating compliance.

These entries are an index into the benchmark. The canonical control content remains on the benchmark pages.

  • Total tagged controls: 21
  • Benchmark sections represented: 9

Controls By Benchmark Section

Access Controls

3 control(s) in this benchmark section.

SBS-ACS-003: Documented Justification for Approve Uninstalled Connected Apps Permission

Severity: Critical

Control Statement: The Approve Uninstalled Connected Apps permission must only be assigned to highly trusted users with documented justification and must not be granted to end-users.

Why tagged: Reasonable security requires preventing unauthorized applications from accessing personal information.

SBS-ACS-004: Documented Justification for All Super Admin–Equivalent Users

Severity: High

Control Statement: All users with simultaneous View All Data, Modify All Data, and Manage Users permissions must be documented in a system of record with clear business or technical justification.

Why tagged: Reasonable security requires knowing and justifying who has full access to personal information.

SBS-ACS-006: Documented Justification for Use Any API Client Permission

Severity: Critical

Control Statement: The Use Any API Client permission, which bypasses default behavior in orgs with "API Access Control" enabled, must only be assigned to highly trusted users with documented justification and must not be granted to end-users.

Why tagged: Reasonable security requires preventing unrestricted API access to personal information.

Authentication

2 control(s) in this benchmark section.

SBS-AUTH-001: Enable Organization-Wide SSO Enforcement Setting

Severity: Critical

Control Statement: Salesforce production orgs must enable the org-level setting that disables Salesforce credential logins for all users.

Why tagged: Reasonable security requires strong authentication and access control for personal information.

SBS-AUTH-004: Enforce Strong Multi-Factor Authentication for External Users with Substantial Access to Sensitive Data

Severity: Critical

Control Statement: All Salesforce interactive authentication flows for external human users with substantial access to sensitive data must enforce multi-factor authentication that includes at least one strong authentication factor.

Why tagged: Reasonable security for personal information requires strong authentication where access is substantial.

Code Security

1 control(s) in this benchmark section.

SBS-CODE-004: Prevent Sensitive Data in Application Logs

Severity: Critical

Control Statement: Custom application logging frameworks and Salesforce system logging mechanisms must not capture, store, or transmit credentials, authentication tokens, personally identifiable information (PII), regulated data, or other sensitive values in log messages or structured log fields.

Why tagged: Reasonable security requires preventing exposure of personal information in log storage.

Customer Portals

3 control(s) in this benchmark section.

SBS-CPORTAL-001: Prevent Insecure Direct Object Reference (IDOR) in Portal Apex

Severity: Critical

Control Statement: All Apex methods exposed to Experience Cloud or customer portal users must enforce server-side authorization for every record accessed or modified. User-supplied parameters (including record IDs, filters, field names, or relationship references) must not be trusted as the basis for access control and must be validated against the running user's sharing, CRUD, and FLS permissions before use.

Why tagged: Reasonable security requires preventing unauthorized access to personal information.

SBS-CPORTAL-002: Restrict Guest User Record Access

Severity: Critical

Control Statement: Unauthenticated guest users in customer portals must be restricted to authentication and registration flows only, with no direct access to business objects or custom Apex methods that query organizational data.

Why tagged: Reasonable security requires no unauthenticated access to personal information.

SBS-CPORTAL-004: Prevent Parameter-Based Record Access in Portal-Exposed Flows

Severity: Critical

Control Statement: Autolaunched Flows exposed to customer portal users must not accept user-supplied input variables that directly determine which records are accessed.

Why tagged: Reasonable security requires preventing IDOR and unauthorized access to personal information.

Data Security

2 control(s) in this benchmark section.

SBS-DATA-001: Implement Mechanisms to Detect Regulated Data in Long Text Area Fields

Severity: High

Control Statement: The organization must implement a mechanism that continuously or periodically analyzes the contents of all Long Text Area fields to identify the presence of regulated or personal data.

Why tagged: Reasonable security and privacy-response obligations require knowing where California personal information is stored.

SBS-DATA-002: Maintain an Inventory of Long Text Area Fields Containing Regulated Data

Severity: Moderate

Control Statement: The organization must maintain an up-to-date inventory of all Long Text Area fields that are known or detected to contain regulated or personal data.

Why tagged: Deletion and disclosure response depend on knowing where California personal information resides.

Event Monitoring

2 control(s) in this benchmark section.

SBS-MON-003: Monitor for Suspicious Logins

Severity: High

Control Statement: Organizations must continuously monitor and alert on anomalous login patterns to promptly detect and mitigate compromised accounts and application credentials.

Why tagged: Reasonable security for personal information includes detecting anomalous and potentially compromised login activity.

SBS-MON-004: Monitor for Suspicious API Activity

Severity: High

Control Statement: Organizations must continuously monitor and alert on all API activity to establish a baseline, detect anomalous and malicious activity, and identify potential application and integration abuse in a timely manner.

Why tagged: Reasonable security for personal information includes monitoring for suspicious API-based access and exfiltration patterns.

File Security

3 control(s) in this benchmark section.

Severity: Moderate

Control Statement: Organizations must ensure that Public Content links have an appropriate expiry date.

Why tagged: Reasonable security for California personal information includes limiting indefinite public exposure through shared links.

Severity: High

Control Statement: Organizations must ensure that Public Content links to sensitive content have a password.

Why tagged: Reasonable security for personal information includes password-protecting sensitive public file links.

Severity: Moderate

Control Statement: Organizations must implement a recurring process to review all active Public Content links and remove or remediate links that are no longer required, lack appropriate controls, or were created outside of current policy.

Why tagged: Reasonable security includes reviewing and removing stale public links that may expose personal information.

Integrations

1 control(s) in this benchmark section.

SBS-INT-004: Retain API Total Usage Event Logs for 30 Days

Severity: High

Control Statement: The organization must retain API Total Usage event log data (EventLogFile EventType=ApiTotalUsage) for at least the immediately preceding 30 days using Salesforce-native retention or automated external export and storage.

Description:

If the organization’s Salesforce does not provide at least 30 days of ApiTotalUsage EventLogFile availability in Salesforce, the organization must automatically export newly available ApiTotalUsage event log files at least once every 24 hours to an external log store that retains a minimum of 30 days of data.

Why tagged: Reasonable security for personal information includes retaining API access logs needed to investigate misuse and exposure.

OAuth Security

4 control(s) in this benchmark section.

SBS-OAUTH-001: Require Formal Installation of Connected Apps

Severity: Critical

Control Statement: Organizations must formally install all connected apps used for OAuth authentication rather than relying on user-authorized OAuth connections.

Why tagged: Reasonable security for personal information includes centrally controlling OAuth integrations rather than unmanaged user-authorized access.

SBS-OAUTH-002: Require Profile or Permission Set Access Control for Connected Apps

Severity: Critical

Control Statement: Organizations must control access to each formally installed connected app exclusively through assigned profiles or permission sets.

Why tagged: Reasonable security for personal information includes limiting connected app use to authorized users only.

SBS-OAUTH-003: Add Criticality Classification of OAuth-Enabled Connected Apps

Severity: High

Control Statement: All OAuth-enabled Connected Apps must be recorded in an authoritative system of record and assigned a documented vendor criticality rating reflecting integration importance and data sensitivity.

Why tagged: Reasonable security for personal information includes maintaining visibility into which third-party applications can access Salesforce data.

SBS-OAUTH-004: Due Diligence Documentation for High-Risk Connected App Vendors

Severity: Moderate

Control Statement: Organizations must review and retain available security documentation for all high-risk Connected App vendors and explicitly record any missing documentation as part of the vendor assessment.

Why tagged: Reasonable security for personal information includes documented review of high-risk vendors that may access Salesforce data.