Well-Architected Security Policy Template
Note that all italicized items in the sections below are examples. Remove or modify them and add your own as needed.
Add or modify sections as needed and remove any sections that are not relevant to your organization.
Overview and Scope
This document contains security policies to be followed for Salesforce Projects delivered by [Organization]. It specifically
covers Salesforce Security-related topics. It does not cover [list any exclusions here (example: non-Salesforce systems)].
[Add any additional organization-specific overview text here].
Organizational Security
This section contains information about the policies you should set for overall organizational security, including passwords,
domains and IP ranges, and login hours. Refer to Secure - Organizational Security for more information.
Password Policies
This section contains information about the password policies you should set within Salesforce to secure manual logins. Note
that these policies should be consistent across your organization and should also match the policies in use within any
third-party Identity Provider / Single Sign-On systems. Refer to Secure - Authentication for more information.
Approved Domains and IP Ranges
This section contains a list of approved domains and IP ranges along with their associated descriptions and justification for
approval. Refer to Secure - Organizational Security for more information.
Login Hours
This section contains a list of days and hours when users are authorized to log into your system. Note that login hours may
not be applicable for all organizations (such as those offering 24/7 customer support). Refer to Secure - Organizational
Security for more information.
Policy                                   | Description                                                                              | Setting
-----------------------------------------|------------------------------------------------------------------------------------------|-----------------------------------------------------------------------
Password Expiration Period               | How often do users need to reset their password?                                         | 90 Days
Passwords Remembered                     | How many passwords should the system remember to prevent users from recycling old ones?  | 8
Minimum Password Length                  | How long should passwords be?                                                            | 12
Password Complexity                      | Combination of alphanumeric, special, upper case and lower case characters              | Must Include Numbers, Upper Case and Lower Case Letters and Special Characters
Maximum Invalid Login Attempts           | How many login attempts before the user is locked out?                                   | 10
Lockout Period                           | How long will a user be locked out after the maximum number of password attempts?        | 15 Minutes
Require minimum 1 day password lifetime  | Prevent users from changing passwords too frequently                                     |
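The settings in the table above can be audited against an org's retrieved Security settings metadata rather than by inspecting the Setup UI. The following Python checker is an added example, not part of the template or Salesforce's own tooling; the XML field and enum names (passwordPolicies, expiration, historyRestriction, complexity, lockoutInterval, maxLoginAttempts, minimumPasswordLength, minimumPasswordLifetime and the values used below) are assumed to match the Metadata API's SecuritySettings type and should be verified against your own Security.settings-meta.xml. The sample XML is constructed and deliberately contains two settings weaker than the policy.

```python
"""Audit a retrieved Security.settings-meta.xml against the password policy table."""
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"

# Policy values from the table, expressed as the Metadata API enum/string values
# (assumed names; confirm against a real retrieve of SecuritySettings).
REQUIRED = {
    "expiration": "NinetyDays",                          # 90 Days
    "historyRestriction": "8",                           # 8 passwords remembered
    "minimumPasswordLength": "12",                       # 12 characters
    "complexity": "UpperLowerCaseNumericSpecialCharacters",
    "maxLoginAttempts": "TenAttempts",                   # 10 attempts
    "lockoutInterval": "FifteenMinutes",                 # 15 Minutes
    "minimumPasswordLifetime": "true",                   # 1-day minimum lifetime
}
# Numeric settings where a stricter (higher) org value is still compliant.
AT_LEAST = {"historyRestriction", "minimumPasswordLength"}

# Constructed sample: complexity and history are weaker than the policy requires.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<SecuritySettings xmlns="http://soap.sforce.com/2006/04/metadata">
    <passwordPolicies>
        <complexity>AlphaNumeric</complexity>
        <expiration>NinetyDays</expiration>
        <historyRestriction>3</historyRestriction>
        <lockoutInterval>FifteenMinutes</lockoutInterval>
        <maxLoginAttempts>TenAttempts</maxLoginAttempts>
        <minimumPasswordLength>12</minimumPasswordLength>
        <minimumPasswordLifetime>true</minimumPasswordLifetime>
    </passwordPolicies>
</SecuritySettings>
"""

def _compliant(field, expected, actual):
    """Exact match for enums; numeric 'at least' comparison for length/history."""
    if actual is None:
        return False  # an unset field falls back to an unknown org default
    if field in AT_LEAST:
        return actual.isdigit() and int(actual) >= int(expected)
    return actual == expected

def check_password_policies(xml_text, required=REQUIRED):
    """Return [(field, expected, actual), ...] for every setting that deviates."""
    root = ET.fromstring(xml_text)
    policies = root.find(f"{NS}passwordPolicies")
    findings = []
    for field, expected in required.items():
        node = policies.find(f"{NS}{field}") if policies is not None else None
        actual = node.text.strip() if node is not None and node.text else None
        if not _compliant(field, expected, actual):
            findings.append((field, expected, actual))
    return findings

if __name__ == "__main__":
    for field, expected, actual in check_password_policies(SAMPLE_XML):
        print(f"NONCOMPLIANT {field}: policy requires {expected}, org has {actual}")
```

Run it against the file produced by a metadata retrieve of the SecuritySettings type; an empty result means every row of the table is satisfied.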
Domain Name        | Inbound / Outbound | Description
-------------------|--------------------|-----------------------------------------
*.stripe.com       | Outbound           | Payment Gateway - Approved for [reason]
[Insert your own]  |                    |