By Siham Boutayeb, Sr Principal Solutions Engineer & Olivier Michel, Compliance Officer
DORA will be enforced in the European Union starting on January 17, 2025. From that date, financial entities and critical third-party service providers will need to comply with the new regulations regarding operational resilience, cybersecurity, and ICT risk management.
In our previous article, Strengthening SaaS Data Protection Under DORA: Best Practices & Strategies, we outlined key strategies for safeguarding your SaaS data to comply with the Digital Operational Resilience Act (DORA).
In this article, we will focus on the ICT (Information and Communications Technology) risk management applicable to Salesforce as mandated by DORA.
What does DORA enforce?
Through Articles 5 to 16, DORA requires financial entities' ICT to follow strict risk management protocols, covering:
- Governance and Risk Management (Articles 5 & 6)
- Incident Reporting and Management (Articles 7 & 11)
- Digital Resilience Testing (Articles 8 & 9)
- Third-Party Risk Management (Articles 10 & 16)
While some of these requirements are not specific to managing your Salesforce organization, others directly impact it, especially in your change management process, which must address the associated risks. The following articles are particularly relevant:
- Article 7: In order to address and manage ICT risk, financial entities shall use and maintain updated ICT systems, protocols and tools that are […] (b) reliable;
- Article 9(4): As part of the ICT risk management framework referred to in Article 6(1), financial entities shall: […] implement documented policies, procedures and controls for ICT change management, including changes to software
Securing Your Change Management
Securing your change management is always critical, especially when dealing with SaaS environments. Salesforce is no exception, given that large enterprises often have complex data models within Salesforce and/or Large Data Volumes (LDV). Moreover, in the realm of digital customer relations, the Salesforce data involved is often sensitive, requiring compliance with regulations like GDPR.
A robust solution must be implemented to secure the release process. Such a solution should enable you to:
- Test your changes in realistic conditions: The test environment should closely mimic production conditions to detect inherent issues that wouldn’t appear in a new environment.
- Test your changes in production-like conditions: The environment must highlight potential performance bottlenecks or degradation, which can only be achieved with a representative load on the test environment.
- Test your changes with coherent data: Certain functionalities or business rules depend on coherent data usage. A test environment must have sufficient and coherent data to validate all implemented rules.
- Be able to repeat the above steps: Securing changes is a continuous task. Each iteration of the change cycle must be tested to control risks, which requires a resettable test environment to enable automation.
Challenges with Sandbox Creation
To meet these needs, sandboxes are often created, but several issues may arise:
- Manual processes: Depending on the chosen solution (even the default one), manual, time-consuming steps can cause delays and errors.
- Complex data: Seeding sandboxes with intricate data models, including custom objects and managed packages, can be challenging due to data relationships and dependencies.
- Sensitive data: Protecting sensitive data in sandboxes is essential to comply with regulations and prevent unauthorized access.
How Odaseva’s Solution Meets These Challenges
Odaseva offers a solution to address these challenges. Odaseva Sandbox Seeding allows you to:
- Boost Developer Productivity: Automate sandbox seeding while ensuring data consistency, maintaining object hierarchies, and leveraging our comprehensive API, which can be integrated into CI/CD pipelines to manage users, create new jobs, connect new orgs, and more.
- Test with Confidence: Handle complex data models, including unlimited parent-child relationships and custom objects.
- Maintain Compliance and Security: Protect sensitive data through anonymization, field-level targeting, and our dataset designer.
Odaseva Sandbox Seeding is a solution recognized for its:
- Performance: Fuels sandboxes of any size, uses AI prediction to optimize API consumption, automates the sandbox seeding and refresh process, and creates reusable data automations.
- Advanced Complexity Management: Seeds sandboxes with unlimited parent-child relationship models, and visualizes and targets data across the full depth of relationships.
- Commitment to Security and Compliance: Our commitment to data security exceeds the requirements of even the most complex, highly regulated businesses in the world.
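The three data problems named above (ordering parent and child objects so lookups can be satisfied, keeping relationships coherent once records receive new IDs in the sandbox, and pseudonymizing targeted sensitive fields before they reach a lower environment) are easier to reason about with a small worked routine. The following Python is an added, self-contained illustration written for this article; it is not Odaseva's code or API. The object schema, the "production" extract, the list of sensitive fields and the HMAC key are all constructed sample values, and the insert step is simulated by assigning new IDs rather than calling Salesforce.

```python
import hashlib
import hmac
from collections import deque

# Constructed schema: object -> {lookup_field: parent_object}. Not real Salesforce metadata.
SCHEMA = {
    "Account": {},
    "Contact": {"AccountId": "Account"},
    "Opportunity": {"AccountId": "Account", "ContactId": "Contact"},
    "Invoice__c": {"Opportunity__c": "Opportunity"},   # hypothetical custom object
}

# Field-level anonymization targets: object -> fields to pseudonymize (constructed).
SENSITIVE_FIELDS = {
    "Contact": {"Email", "Phone", "LastName"},
    "Account": {"Phone"},
}

# Constructed "production" extract; sample records only, no real data.
PRODUCTION = {
    "Account": [
        {"Id": "001A", "Name": "Acme Bank", "Phone": "+33 1 23 45 67 89"},
    ],
    "Contact": [
        {"Id": "003A", "AccountId": "001A", "LastName": "Dupont",
         "Email": "j.dupont@example.com", "Phone": "+33 6 11 22 33 44"},
        {"Id": "003B", "AccountId": "001A", "LastName": "Martin",
         "Email": "a.martin@example.com", "Phone": ""},
    ],
    "Opportunity": [
        {"Id": "006A", "AccountId": "001A", "ContactId": "003A", "Name": "Renewal", "Amount": 120000},
    ],
    "Invoice__c": [
        {"Id": "a00A", "Opportunity__c": "006A", "Amount__c": 120000},
    ],
}


def load_order(schema):
    """Kahn's topological sort over lookup dependencies: parents are loaded before
    children. Self-lookups (e.g. a parent account on Account) are ignored here and
    patched after insertion. A cycle between distinct objects raises ValueError."""
    indegree = {obj: 0 for obj in schema}
    children = {obj: [] for obj in schema}
    for obj, lookups in schema.items():
        for parent in set(lookups.values()):
            if parent == obj:
                continue
            indegree[obj] += 1
            children[parent].append(obj)
    queue = deque(sorted(o for o, d in indegree.items() if d == 0))
    order = []
    while queue:
        obj = queue.popleft()
        order.append(obj)
        for child in children[obj]:
            indegree[child] -= 1
            if indegree[child] == 0:
                queue.append(child)
    if len(order) != len(schema):
        raise ValueError("circular lookup dependency between objects; cannot order load")
    return order


def pseudonymize(value, field, key):
    """Keyed, deterministic pseudonym: the same input gives the same output within a
    seed run, so a value shared across records stays consistent after anonymization,
    while the original cannot be recovered from the sandbox without the key."""
    if not value:
        return value
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:10]
    if field == "Email":
        return f"user-{digest}@example.invalid"
    if field == "Phone":
        return "+00 " + "".join(str(int(c, 16) % 10) for c in digest)
    return f"{field}-{digest}"


def seed_sandbox(production, schema, sensitive, key):
    """Copy records parent-first, assign sandbox IDs (simulated insert), remap every
    lookup to the new parent ID and pseudonymize targeted fields. References to
    records not yet inserted are deferred and patched at the end."""
    id_map, deferred, counter = {}, [], 0
    sandbox = {obj: [] for obj in schema}
    for obj in load_order(schema):
        for src in production.get(obj, []):
            rec = dict(src)
            counter += 1
            rec["Id"] = f"SB{counter:04d}"          # simulated insert returning a new ID
            id_map[src["Id"]] = rec["Id"]
            for field in sensitive.get(obj, ()):
                if field in rec:
                    rec[field] = pseudonymize(rec[field], field, key)
            for field in schema[obj]:
                src_parent = src.get(field)
                if not src_parent:
                    continue
                if src_parent in id_map:
                    rec[field] = id_map[src_parent]
                else:
                    rec[field] = None
                    deferred.append((rec, field, src_parent))
            sandbox[obj].append(rec)
    for rec, field, src_parent in deferred:
        rec[field] = id_map[src_parent]           # KeyError here means a dangling reference
    return sandbox, id_map


def check_integrity(sandbox, schema):
    """Every lookup in the seeded sandbox must point at a record that exists there."""
    ids = {r["Id"] for recs in sandbox.values() for r in recs}
    return all(r.get(f) is None or r.get(f) in ids
               for obj, lookups in schema.items() for r in sandbox[obj] for f in lookups)


def leaked_values(production, sandbox, sensitive):
    """Return any targeted sensitive value that still appears verbatim in the sandbox."""
    leaked = []
    for obj, fields in sensitive.items():
        originals = {r[f] for r in production.get(obj, []) for f in fields if r.get(f)}
        for r in sandbox[obj]:
            for f in fields:
                if r.get(f) in originals:
                    leaked.append((obj, f, r[f]))
    return leaked


if __name__ == "__main__":
    sb, _ = seed_sandbox(PRODUCTION, SCHEMA, SENSITIVE_FIELDS, b"constructed-seed-run-key")
    print(load_order(SCHEMA))
    print("integrity:", check_integrity(sb, SCHEMA), "leaks:", leaked_values(PRODUCTION, sb, SENSITIVE_FIELDS))
```

Two checks at the end matter for the change-management argument: `check_integrity` confirms the seeded data is coherent (no lookup points outside the sandbox), and `leaked_values` confirms that no targeted production value survived the copy. Because the pseudonyms are keyed and deterministic, re-running the seed with the same key produces the same anonymized values, which is what makes the refresh step repeatable for automated test cycles.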
Regarding security, Article 28 of DORA sets out general principles for ICT third-party risk management, which require a proportionate approach to vendor management. By selecting Odaseva for Sandbox Seeding, you address these requirements without increasing the confidentiality risks on your data. That’s because Odaseva is a “no-view” provider, which means that the data handled by Odaseva is encrypted with a key accessible only to you. This guarantees that no one, including our engineers, can see your data.
Additional Benefits of Sandbox Seeding
Beyond securing change management for Salesforce, ICT teams can use Odaseva Sandbox Seeding to address other DORA requirements.
- Training: Article 13(6) states: “Financial entities shall develop ICT security awareness programs and digital operational resilience training as compulsory modules in their staff training schemes.” By using sandboxes that closely replicate production environments, realistic training scenarios can be provided.
- Incident Response Exercises: Articles 10 and 11 focus on cyber threat detection, protection, and response measures. By simulating cyber-attack scenarios and testing detection mechanisms in a sandbox, organizations can train teams to detect and respond to incidents, thus enhancing cybersecurity.
The Bottom Line
Odaseva’s Sandbox Seeding not only supports DORA compliance but also enhances overall operational resilience, becoming the Swiss Army knife of your change management process. By providing a secure, isolated environment for testing, training, and risk assessment, you can ensure your systems are robust and capable of withstanding disruptions.
As the enforcement of DORA approaches, it is crucial for you to implement comprehensive data protection strategies. Odaseva’s Sandbox Seeding offers an effective solution for meeting DORA’s stringent requirements.
For more information on how Odaseva can help you comply with DORA, contact us today.