
HIPAA Controls

This page lists SBS controls tagged for this regulation or framework. The mappings are indicative only and help readers identify controls that directly support demonstrating compliance.

These entries are an index into the benchmark. The canonical control content remains on the benchmark pages.

  • Total tagged controls: 16
  • Benchmark sections represented: 7

Controls By Benchmark Section

Access Controls

5 control(s) in this benchmark section.

SBS-ACS-003: Documented Justification for Approve Uninstalled Connected Apps Permission

Critical Source page

Control Statement: The Approve Uninstalled Connected Apps permission must only be assigned to highly trusted users with documented justification and must not be granted to end-users.

Why tagged: Access to ePHI via third-party applications must be controlled and limited to authorized use.

SBS-ACS-004: Documented Justification for All Super Admin–Equivalent Users

High Source page

Control Statement: All users with simultaneous View All Data, Modify All Data, and Manage Users permissions must be documented in a system of record with clear business or technical justification.

Why tagged: Requires identification and justification of who has unrestricted access to ePHI.

SBS-ACS-006: Documented Justification for Use Any API Client Permission

Critical Source page

Control Statement: The Use Any API Client permission, which bypasses default behavior in orgs with "API Access Control" enabled, must only be assigned to highly trusted users with documented justification and must not be granted to end-users.

Why tagged: Bypassing application allowlisting can expose ePHI to unauthorized applications; must be tightly controlled.

SBS-ACS-010: Enforce Periodic Access Review and Recertification

Moderate Source page

Control Statement: All user access and configuration influencing permissions and sharing must be formally reviewed and recertified at least annually by designated business stakeholders, with documented approval and remediation of unauthorized or excessive access.

Why tagged: Requires evaluation and modification of access to ePHI; periodic review supports this obligation.

SBS-ACS-011: Enforce Governance of Access and Authorization Changes

High Source page

Control Statement: All changes to Salesforce user access and authorization must be governed through a documented process that requires approval, records business justification, and produces an auditable record of the change.

Why tagged: Access to ePHI must be granted through formal procedures and documented.

Authentication

3 control(s) in this benchmark section.

SBS-AUTH-001: Enable Organization-Wide SSO Enforcement Setting

Critical Source page

Control Statement: Salesforce production orgs must enable the org-level setting that disables Salesforce credential logins for all users.

Why tagged: Restricting who can authenticate to systems holding ePHI; SSO enforcement is a direct access control.

SBS-AUTH-002: Govern and Document All Users Permitted to Bypass Single Sign-On

Moderate Source page

Control Statement: All users who do not have the "Is Single Sign-On Enabled" permission must be explicitly authorized, documented in a system of record, and limited to approved administrative or break-glass use cases.

Why tagged: Documenting who can access ePHI outside standard SSO; inventory supports access control evidence.

SBS-AUTH-004: Enforce Strong Multi-Factor Authentication for External Users with Substantial Access to Sensitive Data

Critical Source page

Control Statement: All Salesforce interactive authentication flows for external human users with substantial access to sensitive data must enforce multi-factor authentication that includes at least one strong authentication factor.

Why tagged: Restricting and securing access to ePHI; MFA for sensitive access is a direct access control.

Code Security

1 control(s) in this benchmark section.

SBS-CODE-004: Prevent Sensitive Data in Application Logs

Critical Source page

Control Statement: Custom application logging frameworks and Salesforce system logging mechanisms must not capture, store, or transmit credentials, authentication tokens, personally identifiable information (PII), regulated data, or other sensitive values in log messages or structured log fields.

Why tagged: ePHI must not be exposed in logs; preventing sensitive data in logs is a direct safeguard.

Customer Portals

3 control(s) in this benchmark section.

SBS-CPORTAL-001: Prevent Insecure Direct Object Reference (IDOR) in Portal Apex

Critical Source page

Control Statement: All Apex methods exposed to Experience Cloud or customer portal users must enforce server-side authorization for every record accessed or modified. User-supplied parameters (including record IDs, filters, field names, or relationship references) must not be trusted as the basis for access control and must be validated against the running user's sharing, CRUD, and FLS permissions before use.

Why tagged: Restricting who can access ePHI; server-side authorization prevents unauthorized record access.

SBS-CPORTAL-002: Restrict Guest User Record Access

Critical Source page

Control Statement: Unauthenticated guest users in customer portals must be restricted to authentication and registration flows only, with no direct access to business objects or custom Apex methods that query organizational data.

Why tagged: Unauthenticated access to ePHI must be prohibited; guest restrictions enforce the access boundary.

SBS-CPORTAL-004: Prevent Parameter-Based Record Access in Portal-Exposed Flows

Critical Source page

Control Statement: Autolaunched Flows exposed to customer portal users must not accept user-supplied input variables that directly determine which records are accessed.

Why tagged: Preventing unauthorized access to ePHI via flow inputs; record access must be authorized.

File Security

1 control(s) in this benchmark section.

High Source page

Control Statement: Organizations must ensure that Public Content links to sensitive content have a password.

Why tagged: Restricting access to ePHI shared through external links requires an authentication layer before the content can be viewed.

Integrations

1 control(s) in this benchmark section.

SBS-INT-004: Retain API Total Usage Event Logs for 30 Days

High Source page

Control Statement: The organization must retain API Total Usage event log data (EventLogFile EventType=ApiTotalUsage) for at least the immediately preceding 30 days using Salesforce-native retention or automated external export and storage.

Description:

If the organization’s Salesforce does not provide at least 30 days of ApiTotalUsage EventLogFile availability in Salesforce, the organization must automatically export newly available ApiTotalUsage event log files at least once every 24 hours to an external log store that retains a minimum of 30 days of data.

Why tagged: Producing and retaining an audit trail of API access supports investigation of access to ePHI through integrations and applications.

OAuth Security

2 control(s) in this benchmark section.

SBS-OAUTH-001: Require Formal Installation of Connected Apps

Critical Source page

Control Statement: Organizations must formally install all connected apps used for OAuth authentication rather than relying on user-authorized OAuth connections.

Why tagged: Restricting and governing third-party OAuth access to systems holding ePHI requires centrally managed Connected App controls.

SBS-OAUTH-002: Require Profile or Permission Set Access Control for Connected Apps

Critical Source page

Control Statement: Organizations must control access to each formally installed connected app exclusively through assigned profiles or permission sets.

Why tagged: Restricting who may use OAuth-enabled applications is a direct access control for systems processing ePHI.