FAQ-000552 - Custom Settings and Configuration Security / Specific Use Cases and Implementation Patterns

To securely perform DML operations on protected custom settings: 1. **Verify Field-Level Security**: Use the `Schema.DescribeFieldResult.isAccessible()` method to check field-level security before performing any DML operations. 2. **Encrypt Sensitive Data**: If necessary, encrypt sensitive data using Apex Crypto calls, and store encryption keys securely in protected custom settings or metadata. 3. **Set Proper Permissions**: Ensure proper permissions are configured for fields containing sensitive information to prevent unauthorized access. These steps help maintain security and protect sensitive data during DML operations.

The FAQ provides solid security guidance but contains a technical inaccuracy in step 1. The current answer references `isAccessible()` as a method to check field-level security, but this is imprecise. The correct approach is to use `Schema.DescribeFieldResult.isAccessible()` which provides the proper context for field-level security checks. This correction improves technical accuracy while maintaining all existing content and structure. For the related security rules: 1. **ApexCRUDViolation** - This rule directly relates to the FAQ's core topic of securely performing DML operations. The FAQ's step 1 about verifying field-level security using accessibility checks is exactly what this rule enforces - ensuring proper CRUD (Create, Read, Update, Delete) permissions are validated before performing database operations. 2. **ApexBadCrypto** - This rule is relevant to step 2 of the FAQ answer, which discusses encrypting sensitive data using "Apex Crypto calls." The ApexBadCrypto rule helps identify insecure cryptographic practices in Apex code, making it directly applicable to the encryption guidance provided in the FAQ.