Education Data Architecture Documentation

          EDA Security Model Considerations

          Designing your security and sharing model is an essential part of your implementation. Controlling security in Salesforce takes a systematic, multi-layered approach at all levels of your org, and it has more aspects than we can cover here. However, we do highlight considerations for administrators managing sensitive student data.

          Know the Basics of the Salesforce Security Model

          If you're not familiar with concepts in the Salesforce security model such as org-wide sharing, permission sets, profiles, and sharing rules—at a minimum—we strongly recommend that you first learn the basics with these resources.

          Then rejoin us here for security considerations that can apply to some educational institutions.

          Security Considerations for Educational Institutions

          If your institution is subject to Family Educational Rights and Privacy Act (FERPA) requirements, consider those requirements as part of your security model. Account for the protection of Personally Identifiable Information (PII) in students' education records. Our product is preconfigured with a FERPA checkbox field on the Contact object to identify students whose records are subject to FERPA requirements. You can optionally use this field and apply your own business logic to it, as needed.

          If your institution is a HIPAA-covered entity and is subject to HIPAA requirements, consider those requirements as part of your security model. That includes accounting for the protection of Protected Health Information (PHI) maintained outside of FERPA education records. Our product comes preconfigured with two fields on the Contact object: a HIPAA checkbox field to identify individuals whose records are subject to HIPAA requirements, and a HIPAA Detail rich text field intended for information about the student, such as the names of Contacts authorized to communicate about the student. You can optionally use these fields and apply your own business logic to them, as needed.

          To help secure your sensitive data, you can implement a host of security features that come with Salesforce. To name just a few examples:

          • Set your org-wide default sharing settings to Private, which is the most restrictive access possible.

          • Identify the data access requirements for users in your various departments. Create profiles for the roles in those areas, and permission sets to grant permissions to roles or individual users.

          • Create a role hierarchy so that users higher in the hierarchy get the same level of access to records owned by or shared with the users below them.

          • Set field-level security to control who can access and edit certain fields on specific records.

          • Create sharing rules to open up record access to other users besides the record owners.

          • Set up authentication and authorization methods to control who sees what data, when, and from which locations and devices.
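
One way to check the field-level security step against the FERPA, HIPAA, and HIPAA Detail fields described above, as an added example that is not part of the original Salesforce documentation. It assumes the fields use the EDA `hed__` namespace API names shown in the code, that the rows come from a flattened export of a `FieldPermissions` query, and that the allow-list names are hypothetical.

```python
# Rows mimic a flattened export of this SOQL query on the FieldPermissions object:
#   SELECT Field, PermissionsRead, PermissionsEdit, Parent.Name,
#          Parent.IsOwnedByProfile, Parent.Profile.Name
#   FROM FieldPermissions WHERE SobjectType = 'Contact'
# "Grantor" below is Parent.Profile.Name for profile-owned rows, else Parent.Name.
# ASSUMPTION: field API names carry the EDA "hed__" namespace; confirm in your org.
FERPA = "Contact.hed__FERPA__c"
HIPAA = "Contact.hed__HIPAA__c"
HIPAA_DETAIL = "Contact.hed__HIPAA_Detail__c"

# ASSUMPTION: hypothetical allow-list of profiles/permission sets per sensitive field.
APPROVED = {
    FERPA: {"Registrar", "Advisor"},
    HIPAA: {"Registrar", "Health Services"},
    HIPAA_DETAIL: {"Health Services"},
}

def row(field, grantor, is_profile, read, edit):
    """Build one constructed sample row (not real org data)."""
    return {"Field": field, "Grantor": grantor, "IsOwnedByProfile": is_profile,
            "PermissionsRead": read, "PermissionsEdit": edit}

SAMPLE_ROWS = [
    row(FERPA, "Registrar", False, True, True),
    row(HIPAA_DETAIL, "Marketing User", True, True, False),
    row(HIPAA_DETAIL, "Advisor", False, True, True),
    row("Contact.Email", "Marketing User", True, True, False),
    row(HIPAA_DETAIL, "Health Services", False, True, True),
]

def audit_fls(rows, approved=APPROVED):
    """Return (field, grantor, kind, access) for every unapproved grant."""
    findings = []
    for r in rows:
        allowed = approved.get(r["Field"])
        if allowed is None:  # not one of the sensitive fields
            continue
        if not (r["PermissionsRead"] or r["PermissionsEdit"]):
            continue  # row grants nothing
        if r["Grantor"] in allowed:
            continue
        kind = "profile" if r["IsOwnedByProfile"] else "permission set"
        access = "edit" if r["PermissionsEdit"] else "read"
        findings.append((r["Field"], r["Grantor"], kind, access))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_fls(SAMPLE_ROWS):
        print("UNAPPROVED:", *finding)
```

Each finding is a profile or permission set that can read or edit a sensitive field without being on the allow-list; review those grants before relying on sharing rules or the role hierarchy.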

          For some institutions, data encryption can be an additional access control tool for securing sensitive data. Salesforce offers Shield Platform Encryption as a solution for encrypting data at rest, meaning that data is encrypted when it's being stored within Salesforce. Learn more at Strengthen Your Data's Security with Shield Platform Encryption in Salesforce Help.

          As every institution has unique privacy policies and regulatory requirements, not to mention unique Salesforce.org configurations used in combination with other information systems, we encourage you to consult with your security, legal, and regulatory specialists.

           