Skip to main content

We’ve said it before and we will say it again— Salesforce Data Security is an all-hands on deck job. Both InfoSec and Ops must be aligned to ensure data governance within your instance. 

But let’s say for a second that this isn’t the case for your organization… and through the numerous ways Salesforce data can be leaked, you’re faced with a data loss emergency. What do you do next?

In moments like this, having an incident response plan can make all the difference between maintaining customer trust and loyalty or losing them, facing revenue loss, and dealing with compliance issues

In this guide, we’ll show you how to develop a robust Salesforce Incident Response Plan. This plan will ensure that data security is always a priority for your organization and that everyone knows their role and actions to take if something goes wrong.

Preparing Your Salesforce Incident Response Plan

As you begin to think about the structure of your data loss response plan, it’s important to identify three things first:

  • Who is going to be responsible for it?
  • What data creates the most risk and where is it being stored?
  • How do we keep inventory of our data regularly? 

Let’s break each down. 

1. Assembling a Response Team

This team will be your go-to group of experts who can act swiftly and effectively in case of a data loss incident. Here’s who should be on your team and what they’ll do:

  • Salesforce Ops/Admin: The frontline defense when it comes to Salesforce. In-house experts that know the system inside and out and can aid in the speedy investigation and remediation of security incidents.
  • CISO/CIO: The one ultimately responsible for the businesses information security, creating and enforcing policies and procedures to preemptively avoid incidents.
  • CTO: The head of IT, responsible for overseeing internal technologies – including the integrated technology stack for Salesforce and the management of third party databases.
  • CDO: The internal data protection office charged with adhering to data governance and compliance frameworks and advocating for the security of those whose information is being stored.

It’s essential that these teams are aligned. Ensure you have clear contact information with one another and communication protocols in place. Everyone should know who to contact and how to communicate during an incident. 

Pro tip: Consider creating a contact list with phone numbers, email addresses, and backup contacts, and establish a communication protocol—like a specific Slack channel or an email group—to streamline discussions during an incident.

2. Identifying Critical Data

Now that we know who’s managing the data loss prevention strategy, we need to identify which data puts your Org at risk and take inventory of where it’s being stored. 

Begin by identifying the data that is crucial for your business operations. This includes:

  • Customer information
  • Sales data
  • Financial records
  • And any other data essential to your workflows 

Classify this data based on its importance and sensitivity. For example, customer personal information would be classified as highly sensitive, while internal project timelines might be less critical. Salesforce provides field-level options for classifying:

  • Data sensitivity level
  • Compliance categories (such as GDPR, PCI, HIPAA, etc.)
  • Field Usage

Next, identify where your data is stored. Salesforce often integrates with various third-party tools and systems, and understanding these storage locations is vital to mitigating risk. Mapping out where your data resides across these platforms gives you a comprehensive view of your data environment. This isn’t just important for security and compliance– but in the event of data loss, you can quickly pinpoint where to retrieve backups and how to restore affected data.

Sonar’s always-on data classification software captures every change in your Salesforce metadata, providing an easy to use framework for classifying fields, monitoring where and how third party apps are accessing your data, and even assigning stakeholders to be notified in case of emergency.

3. Regularly Update Data Inventory 

Your data landscape isn’t static— it evolves over time. Make it a habit to regularly update your data inventories. Schedule periodic reviews to ensure new data assets are accounted for and outdated ones are archived or deleted as necessary. This will keep your inventory accurate and up-to-date.

Pro tip: We get it… categorizing your data isn’t as simple as snapping your fingers. It can easily take hours upon hours to do on a regular basis. Consider investing in a Data Dictionary. It will automatically classify your data for you and tell you where it’s being stored at all times. 

Tools & Resources for Data Protection 

Your Org is a living organism with a variety of teams updating its infrastructure on a daily basis. Without a crystal ball, it’s impossible for you to know what’s going on at all times. Worse, if a leak or break happens it could take hours or even days until someone notices.

Luckily, there are numerous tools– both built within Salesforce and third-party, that can help you quickly activate your recovery plan in the case data loss occurs. 

Salesforce Backup and Recovery Options 

Salesforce, being the industry leader that they are, is hyper-focused on providing you tools and resources that will facilitate your data governance strategy and help you recover data. It does this with out-of-the-box features like:

  • Weekly data export service: This feature allows you to export your data on a weekly or monthly basis. It’s a simple way to have a copy of your data that you can restore if needed.

  • Recycle bin: Just like on your computer, Salesforce has a Recycle Bin where deleted records are stored for 15 days before permanent deletion. It’s a quick way to recover recently deleted data.

  • Data recovery service: Salesforce offers a paid service to recover data that has been permanently deleted. While this service can be costly and time-consuming, it’s an option if other recovery methods fail.

Third-Party Backup Solutions and Their Integration with Salesforce

We like to think we’re Salesforce’s biggest fan… but even we can’t deny that the built-in recovery features don’t provide all the comprehensive and flexible solutions of some third-party tools. That being said, we’d suggest implementing these types of tools to ensure a more robust recovery plan:

  • Automated daily backups: Use an automated daily backup tool to ensure you always have up-to-date copies of your data.

  • Change management software: Utilize your change management software to track and manage changes in your Salesforce environment. This ensures that all changes are documented and can be reversed if necessary.

  • Data monitoring and alerting: Implement monitoring and alerting tools to get real-time insights and alerts on data anomalies. This allows for quicker detection of potential data issues.

  • Event monitoring: Upgrade to Salesforce Shield and use event monitoring tools to maintain detailed audit trails. These tools provide crucial information during a post-incident analysis.

  • Data migration: Have data migration tools in place for bulk data operations, which can be essential for data recovery efforts.

  • Version control: Implement version control systems like GitHub or Bitbucket to manage and rollback metadata and configuration changes, ensuring a clear path to revert any unwanted changes.

  • Disaster recovery planning: Use these platforms to plan and execute your disaster recovery and business continuity strategies effectively.

Immediate Response Steps 

Now that you have the right people and the right tools in place, it’s important to build an action plan so your team knows the correct steps to take should a data loss incident occur. 

Step 1: Identify the Source of Data Loss 

During this step, your Salesforce admins or InfoSec teams should quickly go into identification mode. Each team member will have a valuable role in determining where the data loss originated and how it occurred. This process will involve:

  • Reviewing audit logs: Your Salesforce admins and/or InfoSec team should examine Salesforce audit logs to track recent activities. Look for anomalies such as mass deletions, unexpected data exports, or unauthorized access attempts.

  • Checking recent changes and deployments: Salesforce admins should review recent changes in the system, including deployments, updates, and configuration changes.

  • Investigating third-party integrations: Your integration user should examine logs and activities of third-party applications that integrate with Salesforce. Ensure that none of these integrations have malfunctioned or caused unexpected data alterations.

  • Conducting internal interviews: Your incident response lead should speak with users who might have been working with the affected data at the time of the incident. Gather information on what actions they were performing to understand if human error might be the cause.

  • Analyzing security alerts: InfoSec should check for any security alerts that could indicate a breach or unauthorized access. 

This can be a long process and time is of the essence. But With Sonar’s Data Loss Prevention software, IT Ops and Security teams can quickly investigate change logs, review real-time event access logs and instantly revoke access when a security incident occurs.

Step 2: Implement Containment Measures

Now that you know the where and how, it’s time to prevent continued data loss by:

  • Isolating affected systems or users:  Your InfoSec team should immediately isolate the systems or user accounts that are involved. This could mean revoking access, shutting down specific services, or disconnecting from the network to prevent further data alteration or loss.

  • Stop ongoing processes: Ops leaders should have admins and GTM teams halt any ongoing processes that might contribute to the data loss, such as integrations, automated workflows, or batch updates. This prevents further data corruption or deletion.

  • Secure backup copies: Your data management team should work quickly to ensure that backup copies of your data are secured and untouched. They should verify the integrity of these backups to prepare for potential recovery.

Step 3: Develop a Communication Plan 

Next, it’s important to communicate to all the necessary parties what is going on and what is being done to fix it. This allows other members of your organization to communicate action plans to their departments, shareholders and customers. Here’s who to involve and the necessary chain of communications:

  • Notify stakeholders and affected users: You or your incident response lead should inform all relevant stakeholders about the incident. This includes internal teams (Sales, Marketing, Customer Support), executives, and affected external users or customers. Provide clear and concise information about what happened, the scope of the data loss, and immediate steps being taken.
  • Provide transparent communication to customers to ensure trust: Your marketing, PR or communications team should be notified to develop a communication strategy to maintain transparency. Prepare FAQs, email templates, and scripts for customer service teams to address concerns and provide updates. Ensure that all communications emphasize the steps being taken to resolve the issue and prevent future occurrences.
  • Provide stakeholders regular updates: Both you and your communications teams should provide regular updates to all stakeholders throughout the incident response process. Keep everyone informed about the progress of containment, recovery efforts, and any discovered impacts. This level of transparency will help maintain trust and demonstrates your commitment to resolving the issue.

Step 4: Root Cause Analysis 

After containing the incident and communicating with stakeholders, conduct a thorough root cause analysis to understand what led to the data loss. Here’s how:

  • Detailed log review: Your admins and InfoSec team should conduct a more in-depth review of all relevant logs to identify the precise actions that led to the data loss.
    With Sonar’s integration monitoring and detection software, your security teams can quickly export logs and gain quick access to anomalies such as unauthorized access, unusual activity patterns, mass deletions, data exports, and specific user actions around the time of the data leak
  • System and application review: The company integration user and InfoSec should work together to evaluate the configurations and security settings of all systems and applications involved in the incident.
  • Process and procedure evaluation: You should assess the processes and procedures that were in place at the time of the incident. Identify any gaps or weaknesses that may have contributed to the data loss and build out processes to mitigate future risk.

Post-Incident Analysis and Reporting

Following data loss, it’s critical to evaluate the impact on the organization and document the incident not just for compliance reasons, but for future improvement. 

Impact analysis

You and the business systems team should thoroughly assess the impact of the data loss on business operations, customer relations, and any other affected areas. Quantify the extent of the damage in terms of data records lost, downtime, financial loss, and reputational impact.


There’s numerous types of documentation and reports you will want to develop to thoroughly understand the cause of the data loss, and meet compliance requirements.

  • Incident report creation: Compile a comprehensive incident report that includes:

    • Overview of the incident
    • Detailed timeline of events
    • Root cause analysis findings
    • Immediate response actions taken
    • Impact assessment results

  • Response effectiveness evaluation: Evaluate the effectiveness of the response actions. Identify what worked well and what didn’t. Note areas for improvement in the incident response process.
  • Lessons learned: Document key lessons learned from the incident. Include changes to processes, new tools or training required, and improvements to the incident response plan.
  • Action plan for improvements: Develop an action plan to implement improvements based on the lessons learned. Assign responsibilities and set timelines for these improvements.


  • Internal reporting: You and your communications team should prepare a detailed internal report for executives and other key stakeholders. Ensure the report covers the incident, response, impact, and steps being taken to prevent future incidents. Hold a debriefing meeting to discuss the report and answer any questions.
  • Customer and public communication: Your public relations/communications team should prepare transparent communications to inform customers or the public of what happened, how it was addressed, and what measures are being taken to prevent recurrence. Use emails, press releases, or social media as appropriate.
  • Regulatory reporting: Your compliance officer and legal team should determine if the data loss incident needs to be reported to regulatory bodies based on the nature of the data and applicable laws (e.g., GDPR, CCPA). Prepare and submit the required reports, ensuring all regulatory requirements are met.
  • Follow up actions: Schedule follow-up actions to ensure the implementation of improvements and compliance with any regulatory obligations. Conduct periodic reviews to verify that the changes have been effective.

Incident Remediation to Prevent Future Data Breaches

Clearly, data loss isn’t ideal. These steps require involvement from numerous areas of your organization and could take months to complete. The best policy is to have a data loss mitigation plan. And when you have that plan in place, making sure you do the following to keep it top of mind for everyone within your organization:

  • Reviewing and updating the response plan regularly: Schedule regular reviews of the data loss response plan. This involves assessing the plan’s effectiveness, incorporating new best practices, and updating contact information and protocols. Make it a habit to review and revise the plan at least annually or after any major incident.

  • Implementing additional security measures based on lessons learned: Work with your InfoSec team to analyze the lessons learned from past incidents and implement additional security measures accordingly. This could include enhancing access controls, improving data encryption, and updating firewall rules. Regularly perform security audits and vulnerability assessments to identify and address potential weaknesses.

  • Training and awareness programs for staff: Work with your HR and security teams to develop ongoing training and awareness programs for all staff. These programs should cover best practices for data security, how to recognize phishing attempts, and the proper procedures to follow in the event of a data loss incident. Regular training sessions and refreshers help ensure that all employees are prepared and vigilant.

  • Leverage scope and change management tools: Your Salesforce admins and project managers should use Salesforce-specific scope and change management tools to manage and track ongoing improvement projects. They help you:

    • Organize tasks
    • Set deadlines
    • Monitor progress

This will ensure all improvements are implemented effectively and on time. Additionally, you can use them to document security enhancements, process changes, and training programs, providing a centralized view of your continuous improvement efforts.

Conclusion: Expedite Your Response Plan

Data loss is never an ideal situation for any organization. But if it occurs, time is of the essence. Ops and Security teams need to be prepared to identify where the loss came from, who made the error, and how to fix it as quickly as possible. And while Salesforce’s features can absolutely help, hunting down the issue and fixing it is still a very manual, time consuming process. 

But third-party tools can help speed up your response plan. Sonar significantly speeds up data loss incident response by providing real-time monitoring, automated tracking, and detailed visualizations of data changes, enabling quick identification and recovery of lost data. Its centralized management and instant alerts streamline communication and coordination, ensuring efficient and effective resolution of incidents. Try Sonar free today to start building a stronger governance framework for your Org.