Explain the various organization security controls (e.g., passwords, IP restrictions, identity confirmation, network settings).
Salesforce provides several security measures to limit and control access to an org. Password policies and identify confirmation help to secure user logins, and IP restrictions and network settings to limit org access.
Org-wide security controls can such as password policies, identity verification, and IP ranges are defined on org-level and apply to all users.
The password policy allows to configure password restrictions and login lockout settings for all users in a Salesforce org.
Salesforce also provides a feature to expire all passwords at once. Every user will then be prompted in the next login to set a new password.
The identity verification settings allow to configure when and how users need to verify their identify in a Salesforce org. By default, users receive an email or SMS when logging in from unknown locations or user clients.
Trusted IP ranges defined in the network access settings of a Salesforce org specify from which IP addresses users can log in without receiving a login challenge to verify their identity. This feature does not prevent users from logging in to Salesforce outside the trusted IP ranges.
User based security controls such as login IP ranges and login hours can be defined on profile or permission set level. They can therefore vary for different users or user groups.
Similarly to trusted IP ranges defined in the network access settings of a Salesforce org, login IP ranges can be defined on a profile or permission set level to control access to Salesforce for specific users.
Login hours can be configured on profile level, to define during which times users associated with a profile can login to a Salesforce org.