Security Advisory: Meltdown & Spectre Vulnerabilities
At FinancialForce, trust is our number one value. We want to alert you to an important security issue and let you know how we are addressing it.
Earlier this week it was reported that most central processing units (CPUs) may contain two critical security vulnerabilities, dubbed "Meltdown" and "Spectre." Like most companies, FinancialForce uses systems that are impacted by these vulnerabilities.
Nothing is more important to us than the security of our customers’ data. As part of our Security and Trust Program, we continuously monitor our systems for threats and vulnerabilities, including attempts to exploit Meltdown and Spectre. So far, FinancialForce has not seen any indications of attempts to exploit these vulnerabilities against our systems.
We are also actively monitoring for updates by chip makers and operating system providers, and applying security patches to our systems as they become available. In addition, we are communicating with key vendors - including Salesforce, which hosts our products - on their progress in patching their systems and monitoring for potential attacks.
Thank you for putting your trust in FinancialForce.
FinancialForce applications were designed from the ground up using core information security principles:
- Confidentiality: Prevent the disclosure of information to unauthorized individuals or systems.
- Integrity: Maintain and assure the accuracy and consistency of data over its entire lifecycle.
- Availability: Ensure the information is available when needed.
FinancialForce is committed to achieving and maintaining these principles and the trust of our customers. Integral to this is providing a robust security and privacy program that carefully considers security and data protection across our services, including data submitted by customers to our services (“customer data”). Over 1000 customers in 34 countries trust FinancialForce applications. Our customers are in a wide range of verticals, some with stringent security requirements, including financial services, healthcare, technology, energy and government.
Security at FinancialForce
FinancialForce has a dedicated Security and Trust function that coordinates security policy, program and verification efforts, to ensure that customer and company information assets are protected in accordance with industry best practices. Our Information Security Program includes identifying, evaluating and reporting on security risks, compliance with security and privacy regulations and commitments, threat and vulnerability management, and security incident management and response.
Our Commitment to Security
At FinancialForce, we understand that security, availability and application processing integrity are critical for our customers. FinancialForce is dedicated to providing industry-leading security for our customers’ data assets through our Security and Trust program.
| Area | Commitment |
|---|---|
| People | Everyone at FinancialForce, from the research and development staff to the executive team, is committed to security excellence. FinancialForce has a cross-functional team of experts focused on security, privacy and compliance aspects. All employees receive regular information security awareness training that covers key security threats and risks and employee obligations to protect the security, confidentiality and privacy of customer and company data. |
| Processes | Security of our customer data is the prime concern of all key FinancialForce business processes, including development, support, operations, consulting, and monitoring processes. |
| Technology | We leverage industry-leading and proven secure platforms for our products and services. Each component of our technology infrastructure undergoes intensive scrutiny by multiple teams of security professionals. |
| Customers | We consider our customers, partners, developers and internal users that interact with our systems to be within our security scope. Our security program is designed both to provide them a high degree of security assurance and to protect ourselves from threats they might present. |
Salesforce ISV Partner
Built on the Salesforce Platform
To support our security principles, FinancialForce applications were developed on Force.com, an industry-leading and mature platform for cloud applications provided by Salesforce. FinancialForce applications listed on AppExchange go through a qualitative and quantitative security review process with Salesforce to ensure applications meet a set of security standards and best practices. By leveraging an industry-leading cloud platform for business applications, FinancialForce applications and our customers’ data benefit from a variety of security features and controls in such areas as user management, access control, disaster recovery, backups, physical and network security. As a result, FinancialForce applications satisfy our customers’ most stringent data security requirements, and comply with major security, privacy and data protection laws and standards globally.
Certifications and Attestations
SSAE 16 SOC 1 Type II Report
As part of our commitment to trust and security, FinancialForce has invested in a Service Organization Control 1 (SOC 1) Type II report prepared by the global accounting firm Ernst & Young LLP. The report is prepared in accordance with Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. The purpose of the report is to provide our customers assurance that the FinancialForce Description of Services is fairly presented in all material respects, that controls put in place by FinancialForce are suitably designed to meet their control objectives, and that those controls were tested and operated effectively during the audit period. Ernst & Young LLP created an Independent Service Auditors’ Report after testing and evaluating FinancialForce applications against the following objectives:
- Control Environment
- Risk Assessment
- Information and Communication
- IT General Controls
- Change Management
- Development and Testing
- Information Security Aspects
- Incident Management
- Sub-Service Organizations
- Disaster Recovery and Business Continuity
The SOC 1 report provides FinancialForce customers with the additional assurance that our applications are developed and delivered in accordance with transparent standards to ensure high-quality and secure products are deployed to our customers’ environments.
The safety, security and availability of our customers' data is a top priority of FinancialForce. As part of this commitment, FinancialForce supports compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) by our customers that are covered entities or business associates under HIPAA.
FinancialForce complies with the requirements of the HIPAA Security Rule that apply to FinancialForce in its capacity as a business associate. In addition, FinancialForce applications provide configurable security features that can help our customers address their security and compliance requirements under HIPAA.
FinancialForce customers that are subject to HIPAA and wish to use our applications for electronic Protected Health Information (ePHI) must first sign a business associate agreement with FinancialForce.
Please review our FinancialForce and the HIPAA Security Rule whitepaper for an overview of FinancialForce application features and controls relevant to the HIPAA Security Rule and how our customers can leverage those controls to meet HIPAA compliance requirements.
Because FinancialForce applications are developed and run natively on the Force.com platform, we benefit from the security controls designed and implemented by Salesforce. Salesforce undergoes comprehensive privacy and security assessments by, and has achieved certifications from, multiple auditors and certifying bodies. These include the following security- and privacy-related audits and certifications:
- EU / EEA Binding Corporate Rules for Processors
- EU / EEA and Switzerland Safe Harbor self-certification through the U.S. Department of Commerce
- TRUSTe Certified Privacy Seal
Global Audit Compliance
- ISO 27001
- SSAE 16/ISAE 3402 SOC-1
- SOC 2
- SOC 3
- TÜV Rheinland Certified Cloud Service
A current list of security and privacy assessments and certifications of the Salesforce platform can be found at https://trust.salesforce.com/en/compliance/.
Product Security Measures
FinancialForce’s software development lifecycle incorporates a range of security measures, including:
- Code reviews designed to ensure adherence to FinancialForce development standards.
- Software security testing and code scanning to identify and address security vulnerabilities.
- Release reviews and approvals designed to ensure product releases comply with internal process requirements.
- Vulnerability testing and remediation for infrastructure and tools supporting our source code management platform.
- Development and changes to production application systems are authorized, tested, approved and documented.
Salesforce AppExchange Security Review
FinancialForce applications are submitted to Salesforce as part of the AppExchange Security Review process. Salesforce provides the AppExchange Security Review program to assess the security posture of ISV applications published on the AppExchange against industry best practices for security.
FinancialForce provides rigorous application controls that ensure your financial transactions have been correctly validated and reviewed prior to posting, have comprehensive audit trails and cannot subsequently be modified via “back door” manipulation of object data.
These application controls include:
- Comprehensive audit trails for transactions, master data modifications and security setup changes.
- Multi-level approval processes for transactions and master file data changes.
- Segregation of duties.
- Highly granular control of company, object, record and field level access by role.
Because FinancialForce applications are 100% Force.com-native, all data processed by FinancialForce applications resides on the Salesforce cloud platform owned, operated and managed by Salesforce.
FinancialForce follows fully documented change management procedures for all aspects of its software lifecycle, including application development, release management, service management and enhancement.
FinancialForce maintains security incident management policies and procedures, which include prompt notification of customers in the event FinancialForce becomes aware of an actual or reasonably suspected unauthorized use or disclosure of customer data.
FinancialForce relies on Salesforce platform capabilities for encryption of data in transit. Salesforce uses industry-accepted encryption products to protect customer data and communications during transmission between a customer's network and the FinancialForce applications, using TLS with 128-bit encryption and 2048-bit RSA public keys at a minimum. Additionally, customer data is encrypted during transmission between data centers for replication purposes.
Additional Security Resources
- FinancialForce Privacy and Data Protection
- FinancialForce Privacy Statement
- Salesforce Security and Trust Resources
- Salesforce Administrator Security Best Practices
- Salesforce Security Implementation Guide
Security & Compliance Whitepapers
If you believe you have discovered a vulnerability in FinancialForce applications or have a security-related question, please contact firstname.lastname@example.org.
If you have questions or complaints regarding FinancialForce’s Privacy Statement or associated practices, please contact us at email@example.com.