The New York Department of Financial Services introduced 23 new regulations for data encryption and security, which the client required to meet in a very short timeline. We adopted a four-pronged approach to solve this challenge, with an exhaustive approach involving discovery stage, careful analysis, out-of-the-box build for Salesforce encryptions, and a comprehensive testing stage.
About the Client
The client was major US financial major dealing in financial, retirement, insurance, and investment services, products, and solutions.
As a financial institution, the client needed to stay compliant with regional and national regulations at all times. However, the New York Department of Financial Services (NYDFS) introduced a new set of mandates under 23-NYCRR-500 cyber security regulation, which required an immediate overhaul of multiple data elements. Specifically, the following data housed in Salesforce had to be encrypted under Section500.03 of Cybersecurity Policy:
- Government-issued identification: SSN, Driving License Number, Federal Id Card Number
- Financial information: Financial or Benefit account number; Bank account number
- Demographic information: Date of birth or age, race or ethnicity
- Personal contact information: Home address, personal phone number, personal email
We recognized the client’s need to reassess cybersecurity risk, address encryption laws, and reinforce its compliance capabilities in a very short period. We adopted a four-pronged solution approach comprising:
1. Discovery: We held meetings and workshops with the client to identify which integrations would be core to the solution. The different fields to be encrypted were also determined. We gathered details on event monitoring and the field audit trail as well. Finally, the integration interface was designed.
2. Analysis: After evaluating the discovery results, our dedicated Salesforce team recommended custom encryption algorithm for fields that could not be directly encrypted using Salesforce Shield. All other fields were reviewed along with issues and conflicts. This included all the elements impacted but not validated by the encryption background service, such as List Views, Reports/Dashboards, Sharing Rules, and Dynamic Queries, among others. We carefully documented these findings after the analysis stage.
3. Build: Based on field usage, we applied the relevant encryption scheme, leveraging the Salesforce Shield Platform to garner the required compliance results. We also enabled direct collaboration with Salesforce Premier Support for historic data encryption. Any object with an active tenant key was mass encrypted, and Data Loader extracts and the Shield Analyzer Tool were deployed to detect the failures, thus ensuring 100% compliance with the new regulation
4. Test: A rigorous test strategy was implemented to verify the encryptions. We also conducted integration tests for upstream and downstream applications, as well as regression tests to ensure no adverse impacts.
Delivering More Value
The client was now better positioned to meet the new regulatory mandates, equipped with a compliant data landscape. We enabled the client to achieve the following key benefits:
- On-time encryption, keeping the client compliant with the 23 NYCRR 500 Cybersecurity Regulation rules
- Reduction in implementation costs powered by our out-of-the-box Salesforce Shield Encryption services, with minimum customization
- Robust security for end-customer data, boosting trust in the financial institution
- Seamless release upgraded, future-proofing the client’s data practice