Customer and commercial details have been generalised.
Context
An established Salesforce org had accumulated users, permissions, packages, custom code and integrations. Leadership needed an independent view of its security posture and technical debt before deciding where remediation budget should go.
The constraint
A generic health check would not be enough. The review needed to connect configuration and code evidence to business risk, cover both licensed and potential platform controls, and give technical teams and decision-makers different levels of usable detail.
Assessment design
EKWIS structured the review across identity and access, record and field security, encryption, custom code and user interfaces, installed packages, APIs, integrations, monitoring, audit trails and change governance. Findings were consolidated into a risk-ranked assessment rather than left as disconnected observations.
How the output stayed actionable
- Profiles, permission sets and elevated rights were assessed against least-privilege principles.
- Security-relevant technical debt was recorded with risk, priority and an effort band.
- Integration users, credentials, token handling and external interfaces were reviewed together.
- Monitoring recommendations included practical dashboards, alerts and audit coverage.
- Quick wins were separated from structural remediation requiring wider design or investment.
Acceptance definition
The agreed output combined a detailed assessment, access analysis, technical-debt register, monitoring recommendations and a remediation roadmap. Every high-risk finding required a clear recommended action and estimate, with lower-priority items retained in a usable backlog and an executive readout for leadership.
