Security Audit Guide

Comprehensive documentation for BuildForce security scans, compliance frameworks, and security best practices for your SaaS platforms.

What We Scan

BuildForce performs comprehensive security analysis across five key areas.

User Access & Permissions

Audit user permissions, profile settings, and role hierarchies for least-privilege compliance.

Overly permissive system admin profiles
Modify All Data permissions
View All Data permissions
API access without business need
Inactive users with access
Permission set sprawl
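
The User Access & Permissions checks above, written out as detection logic. This is an added example for the guide, not BuildForce's own scanner. It takes rows shaped like Salesforce's PermissionSet and User objects (the scan items such as Modify All Data and Setup Audit Trail are Salesforce terms) and emits findings with the severities and control mappings this guide uses. The rows, usernames, the 90-day dormancy window, the permission-set sprawl threshold and the API allowlist are all constructed assumptions; the "overly permissive system admin profiles" item is not implemented because what counts as an acceptable admin population differs per org.

```python
"""Least-privilege audit over Salesforce-style permission data.

Added example, not BuildForce's own code. Field names follow Salesforce's
PermissionSet and User objects (PermissionsModifyAllData, PermissionsViewAllData,
PermissionsApiEnabled, IsOwnedByProfile, IsActive, LastLoginDate); the rows,
usernames, thresholds and allowlist below are constructed for the example.
"""
from datetime import datetime, timedelta, timezone

DORMANT_DAYS = 90        # assumed: active user with no login in this window is dormant
SPRAWL_THRESHOLD = 4     # assumed: this many assigned permission sets counts as sprawl
API_ALLOWLIST = {"admin@example.com", "integration@example.com"}  # assumed documented need
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

CONTROLS = {  # control references in the guide's own terms
    "data": ["SOC 2 CC6.3", "HIPAA 164.312(a)", "PCI DSS Req. 7", "GDPR Art. 32"],
    "access": ["SOC 2 CC6.2", "HIPAA 164.312(a)", "PCI DSS Req. 7"],
}


def ps(id_, label, profile=False, modify=False, view=False, api=False):
    """Build a row shaped like a PermissionSet record; profile=True marks the
    permission set that backs a profile (IsOwnedByProfile)."""
    return {"Id": id_, "Label": label, "IsOwnedByProfile": profile,
            "PermissionsModifyAllData": modify, "PermissionsViewAllData": view,
            "PermissionsApiEnabled": api}


# Constructed: what a SELECT ... FROM PermissionSet query might return.
PERMISSION_SETS = [
    ps("0PS1", "System Administrator", profile=True, modify=True, view=True, api=True),
    ps("0PS2", "Sales User", profile=True, view=True, api=True),
    ps("0PS3", "Reporting Helper", modify=True),
    ps("0PS4", "Integration API", api=True),
    ps("0PS5", "Dashboard Viewer"),
    ps("0PS6", "Legacy Export"),
]

# Constructed: User rows with the profile's permission set and the ids from
# PermissionSetAssignment flattened onto each user.
USERS = [
    {"Username": "admin@example.com", "IsActive": True, "LastLoginDate": "2024-05-30T08:00:00Z",
     "ProfilePermissionSetId": "0PS1", "AssignedPermissionSetIds": []},
    {"Username": "alice@example.com", "IsActive": True, "LastLoginDate": "2024-01-10T09:00:00Z",
     "ProfilePermissionSetId": "0PS2", "AssignedPermissionSetIds": ["0PS3"]},
    {"Username": "integration@example.com", "IsActive": True, "LastLoginDate": "2024-05-31T00:00:00Z",
     "ProfilePermissionSetId": "0PS2", "AssignedPermissionSetIds": ["0PS4"]},
    {"Username": "bob@example.com", "IsActive": True, "LastLoginDate": "2024-05-29T12:00:00Z",
     "ProfilePermissionSetId": "0PS2", "AssignedPermissionSetIds": ["0PS3", "0PS4", "0PS5", "0PS6"]},
]


def effective_permissions(user, sets_by_id):
    """Map each broad permission to the labels of the profile or permission sets
    that grant it; an empty list means the user does not hold it."""
    granted = {"ModifyAllData": [], "ViewAllData": [], "ApiEnabled": []}
    for set_id in [user["ProfilePermissionSetId"], *user["AssignedPermissionSetIds"]]:
        row = sets_by_id[set_id]
        for perm in granted:
            if row["Permissions" + perm]:
                granted[perm].append(row["Label"])
    return granted


def audit(users, permission_sets, now=NOW):
    """Return findings shaped like the Detailed Findings report: check, severity,
    affected resource, mapped controls, and a short detail string."""
    sets_by_id = {row["Id"]: row for row in permission_sets}
    findings = []

    def add(check, severity, resource, controls, detail=""):
        findings.append({"check": check, "severity": severity, "resource": resource,
                         "controls": controls, "detail": detail})

    # Broad data permissions anywhere but the System Administrator profile itself.
    for row in permission_sets:
        if row["IsOwnedByProfile"] and row["Label"] == "System Administrator":
            continue
        if row["PermissionsModifyAllData"]:
            add("Modify All Data permission", "Critical", row["Label"], CONTROLS["data"])
        elif row["PermissionsViewAllData"]:
            add("View All Data permission", "High", row["Label"], CONTROLS["data"])

    for user in users:
        name = user["Username"]
        perms = effective_permissions(user, sets_by_id)
        if perms["ApiEnabled"] and name not in API_ALLOWLIST:
            add("API access without business need", "High", name, CONTROLS["access"],
                "granted via " + ", ".join(perms["ApiEnabled"]))
        if user["IsActive"]:  # still able to log in, but has not done so recently (or ever)
            last = user["LastLoginDate"]
            last_dt = datetime.fromisoformat(last.replace("Z", "+00:00")) if last else None
            if last_dt is None or now - last_dt > timedelta(days=DORMANT_DAYS):
                add("Inactive user with access", "High", name, CONTROLS["access"],
                    "last login " + (last or "never"))
        if len(user["AssignedPermissionSetIds"]) >= SPRAWL_THRESHOLD:
            add("Permission set sprawl", "Medium", name, CONTROLS["access"],
                f"{len(user['AssignedPermissionSetIds'])} permission sets assigned")
    return findings


if __name__ == "__main__":
    for f in audit(USERS, PERMISSION_SETS):
        print(f"[{f['severity']}] {f['check']}: {f['resource']} {f['detail']} "
              f"-> {', '.join(f['controls'])}")
```

Against the constructed data this reports the Sales User profile for View All Data, the Reporting Helper permission set for Modify All Data, alice for API access she is not allowlisted for and for a login gap longer than 90 days, and bob for API access and permission-set sprawl; the integration user, whose API access is allowlisted, produces nothing. In a real org the rows would come from SOQL against PermissionSet, PermissionSetAssignment and User, and the allowlist from the integration inventory.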

Authentication & Session

Review authentication settings, password policies, and session security configurations.

MFA enforcement status
Password complexity requirements
Session timeout settings
IP range restrictions
Login hours restrictions
Single sign-on configuration

Data Access & Sharing

Analyze sharing settings, field-level security, and data exposure risks.

Organization-wide defaults
Sharing rules on sensitive objects
Field-level security gaps
Record-level access patterns
Public group membership
External sharing settings

API & Integration Security

Monitor connected apps, API usage, and external integrations for security compliance.

Connected app permissions
OAuth token management
Outdated API versions in use
Outbound message encryption
Named credentials usage
Certificate expiration

Audit Trail & Monitoring

Verify audit logging configuration and event monitoring settings.

Field audit trail coverage
Setup audit trail status
Event monitoring configuration
Login history retention
API usage monitoring
Sensitive data access logging

Compliance Frameworks

BuildForce maps security findings to major compliance frameworks for audit readiness.

SOC 2 Type II

Service Organization Control 2 - Trust Service Criteria for security, availability, and confidentiality.

Full Support

Controls Mapped:

Logical and physical access controls (CC6.1-CC6.8)
Logical access security software and infrastructure (CC6.1)
Change management (CC8.1)
Risk assessment (CC3.1)

HIPAA

Health Insurance Portability and Accountability Act - PHI protection requirements.

Full Support

Controls Mapped:

Access controls (164.312(a))
Audit controls (164.312(b))
Transmission security (164.312(e))
Integrity controls (164.312(c))

GDPR

General Data Protection Regulation - EU data protection and privacy requirements.

Partial Support

Controls Mapped:

Data minimization (Art. 5)
Security of processing (Art. 32)
Data portability (Art. 20)
Right to erasure (Art. 17)

PCI DSS

Payment Card Industry Data Security Standard - Cardholder data protection.

Partial Support

Controls Mapped:

Access control (Req. 7)
Authentication (Req. 8)
Encryption (Req. 3, 4)
Monitoring (Req. 10)

Security Best Practices

Recommended security configurations based on industry standards.

Enforce MFA for All Users

Critical

Multi-factor authentication should be required for all users, especially those with admin access.

Review Permissions Quarterly

High

Conduct quarterly access reviews to ensure permissions align with current job responsibilities.

Restrict API Access

High

Only enable API access for users and integrations that require it. Remove unnecessary access.

Configure Session Timeouts

Medium

Set session timeout values according to data sensitivity: 15 to 30 minutes of inactivity for orgs that hold sensitive data.

Enable Field Audit Trail

Medium

Track changes to sensitive fields for compliance and forensic purposes.

Review Sharing Rules

High

Ensure sharing rules follow least-privilege principles. Avoid Public Read/Write organization-wide defaults on sensitive objects.

Audit Reporting

Generate compliance-ready reports for auditors and stakeholders.

Executive Summary

High-level security posture overview with risk scores, trending data, and key recommendations for leadership.

Detailed Findings

Comprehensive listing of all security findings with severity, affected resources, and remediation guidance.

Compliance Mapping

Findings mapped to specific compliance controls for SOC 2, HIPAA, GDPR, and other frameworks.

Remediation Tracker

Track remediation progress over time with evidence collection for audit documentation.

Ready to Assess Your Security Posture?

Run a comprehensive security audit on your org. Identify vulnerabilities and compliance gaps in minutes.