FAQ-000847 - External Platform Security / External System Responsibility and Control

Current Status: VALID_RESPONSE

Current FAQ

Question
How do I handle security requirements for third-party managed infrastructure?
Answer
To handle security requirements for third-party managed infrastructure, follow these steps:

1. **Security Reports and Certifications**: Request and review security reports or certifications from the provider, such as penetration test reports or compliance certifications (e.g., ISO27001, SOC 2, PCI DSS).
2. **TLS/SSL Configuration**: Ensure the infrastructure supports secure protocols like TLS 1.2 or higher. If older versions (e.g., TLS 1.0 or 1.1) are in use, request an upgrade.
3. **Data Sharing and Storage**: Disclose any data sharing with the provider, ensure sensitive data is stored securely, and confirm compliance with regulations.
4. **Vulnerability Management**: Verify that the provider has a robust vulnerability management program, including regular updates and patches.
5. **Custom Settings**: For sensitive data in custom settings, set visibility to "Protected" instead of "Public". If changes aren't possible, create new protected settings and update references.
6. **Documentation**: Maintain detailed documentation, including architecture diagrams, data flows, and security controls.
7. **False Positives**: Justify any flagged security findings as false positives in a False Positive document during the security review.
8. **Communication**: Work with the provider to address flagged vulnerabilities and ensure compliance with security requirements.

These steps will help ensure the third-party infrastructure meets security standards and mitigates risks.
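The custom-settings check from step 5, as an added runnable example that is not part of this FAQ or its tool: it parses CustomObject metadata in the Metadata API `.object` format (fields inline) and flags custom settings whose visibility is not Protected while they hold fields with secret-looking names. The `SENSITIVE_HINTS` pattern, the sample documents and the treatment of a missing `<visibility>` element as Public are assumptions made for this example.

```python
"""Flag custom settings with sensitive-looking fields whose visibility is not
Protected (FAQ step 5). Added example: parses CustomObject XML in the Metadata
API format (fields inline). Heuristics and sample documents are constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# Constructed heuristic: field names that commonly carry secrets.
SENSITIVE_HINTS = re.compile(r"secret|token|password|passwd|api_?key|credential", re.I)


def scan_custom_setting(name, xml_text):
    """Return a finding dict for one .object document, or None if the object
    has no <customSettingsType> element (i.e. it is not a custom setting)."""
    root = ET.fromstring(xml_text)
    setting_type = root.findtext("md:customSettingsType", namespaces=NS)
    if setting_type is None:
        return None
    # Assumption: a missing <visibility> element is treated as not Protected.
    visibility = root.findtext("md:visibility", default="Public", namespaces=NS)
    names = [f.findtext("md:fullName", namespaces=NS) for f in root.findall("md:fields", NS)]
    sensitive = sorted(n for n in names if n and SENSITIVE_HINTS.search(n))
    return {"name": name, "type": setting_type, "visibility": visibility,
            "sensitive_fields": sensitive,
            # A finding needs secret-like fields AND a visibility other than Protected.
            "needs_protection": bool(sensitive) and visibility != "Protected"}


def findings(objects):
    """objects: {api_name: xml_text}. Returns the names that need a Protected
    setting (or, if visibility cannot be changed, a new Protected replacement)."""
    scanned = (scan_custom_setting(n, x) for n, x in objects.items())
    return sorted(r["name"] for r in scanned if r and r["needs_protection"])


# Constructed sample metadata, not taken from any real org or package.
SAMPLES = {
    "Integration_Config__c": """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
  <customSettingsType>List</customSettingsType>
  <fields><fullName>API_Key__c</fullName><type>Text</type><length>255</length></fields>
  <fields><fullName>Endpoint__c</fullName><type>Url</type></fields>
  <visibility>Public</visibility></CustomObject>""",
    "Vault_Secrets__c": """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
  <customSettingsType>List</customSettingsType>
  <fields><fullName>Client_Secret__c</fullName><type>Text</type><length>255</length></fields>
  <visibility>Protected</visibility></CustomObject>""",
    "Account": """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
  <fields><fullName>Password_Hint__c</fullName><type>Text</type><length>80</length></fields>
</CustomObject>""",
}
```

`findings(SAMPLES)` returns `['Integration_Config__c']`: Vault_Secrets__c holds a secret but is already Protected, and Account is skipped because it is not a custom setting.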

AI Recommended Enhancement

Related Security Rules

- AvoidHardcodedCredentialsInFieldDecls
- AvoidHardcodedCredentialsInVarDecls
- AvoidHardcodedCredentialsInVarAssign
- AvoidHardcodedCredentialsInHttpHeader
- ApexSuggestUsingNamedCred
- ApexBadCrypto
- ApexInsecureEndpoint
- AvoidInsecureHttpRemoteSiteSetting
- AvoidDisableProtocolSecurityRemoteSiteSetting
- AvoidChangeProtectionUnprotected
- ProtectSensitiveData
Question
How do I handle security requirements for third-party managed infrastructure?
Recommended Answer Update
To handle security requirements for third-party managed infrastructure, follow these steps:

1. **Security Reports and Certifications**: Request and review security reports or certifications from the provider, such as penetration test reports or compliance certifications (e.g., ISO27001, SOC 2, PCI DSS).
2. **TLS/SSL Configuration**: Ensure the infrastructure supports secure protocols like TLS 1.2 or higher. If older versions (e.g., TLS 1.0 or 1.1) are in use, request an upgrade.
3. **Data Sharing and Storage**: Disclose any data sharing with the provider, ensure sensitive data is stored securely, and confirm compliance with regulations.
4. **Vulnerability Management**: Verify that the provider has a robust vulnerability management program, including regular updates and patches.
5. **Custom Settings**: For sensitive data in custom settings, set visibility to "Protected" instead of "Public". If changes aren't possible, create new protected settings and update references.
6. **Documentation**: Maintain detailed documentation, including architecture diagrams, data flows, and security controls.
7. **False Positives**: Justify any flagged security findings as false positives in a False Positive document during the security review.
8. **Communication**: Work with the provider to address flagged vulnerabilities and ensure compliance with security requirements.

These steps will help ensure the third-party infrastructure meets security standards and mitigates risks.
Reasoning
The FAQ content is well-structured and accurate. The existing content doesn't contain any outdated information that conflicts with the security rules or guidelines. The answer covers all the essential aspects of handling third-party infrastructure security requirements. No changes to the content are needed as it properly addresses security best practices for external systems.

Regarding the related security rules selected:

- **AvoidHardcodedCredentialsInFieldDecls, AvoidHardcodedCredentialsInVarDecls, AvoidHardcodedCredentialsInVarAssign, AvoidHardcodedCredentialsInHttpHeader**: These rules relate to the FAQ's discussion of "Data Sharing and Storage" and general security requirements when integrating with third-party providers, as credentials management is a key concern when connecting to external systems.
- **ApexSuggestUsingNamedCred**: This rule is relevant to the FAQ's emphasis on secure integration practices with third-party infrastructure, as Named Credentials are the recommended approach for external system authentication.
- **ApexBadCrypto**: This rule relates to the FAQ's mention of "TLS/SSL Configuration" and ensuring secure protocols, as proper cryptographic practices are essential when communicating with third-party systems.
- **ApexInsecureEndpoint**: This rule directly relates to the FAQ's discussion of "TLS/SSL Configuration" and ensuring secure communication protocols with third-party infrastructure.
- **AvoidInsecureHttpRemoteSiteSetting, AvoidDisableProtocolSecurityRemoteSiteSetting**: These rules are directly relevant to the FAQ's emphasis on "TLS/SSL Configuration" and secure communication protocols when connecting to third-party managed infrastructure.
- **AvoidChangeProtectionUnprotected**: This rule relates to the FAQ's specific guidance on "Custom Settings" visibility and the recommendation to set visibility to "Protected" instead of "Public."
- **ProtectSensitiveData**: This rule is relevant to the FAQ's discussion of "Data Sharing and Storage" and ensuring sensitive data is stored securely when working with third-party providers.