Solution 03: SafeCity Public Safety

AI-Generated Content — Use for Reference Only

This content is AI-generated and has only been validated by AI review processes. It has NOT been reviewed or validated by certified Salesforce CTAs or human subject matter experts. Do not rely on this content as authoritative or completely accurate. Use it solely as a reference point for your own study and preparation. Always verify architectural recommendations against official Salesforce documentation.

AI-Assisted Reference Solution

This page is the spoiler side of the mini-scenario package. Use it to compare architecture choices, trade-offs, and artifact quality only after your own attempt.

Solution Snapshot

| Field | Detail |
| --- | --- |
| Start here | Question page |
| Difficulty | Intermediate |
| Heavy domains | System Architecture and Security |
| Page role | Worked reference solution |
| Best used for | Comparing your own answer against a complete architecture recommendation |
| Coverage available | Question page + this solution page |

Why This Solution Matters

  • Use this page to compare your own approach against a full reference answer without losing the context of what the scenario was testing.

Only Open After Your Own Attempt

If you have not yet worked through the question page, stop here. Finish your timed mini-board attempt first, then use this solution with the 9 Essential Artifacts as your comparison checklist.

Assumptions

  1. CJIS Security Policy v5.9.5 applies; all CJI access requires Advanced Authentication (MFA) and FIPS 140-2 encryption at rest. A CJIS Security Addendum must be executed between the agency and Salesforce (FedRAMP alone is insufficient)
  2. Salesforce Government Cloud (GovCloud) meets FedRAMP Moderate baseline
  3. The 14M mainframe records average ~2 KB each; only active records (last 5 years, ~3-4M) will be migrated into Salesforce
  4. Budget $4.2M/24 months supports GovCloud licensing, Experience Cloud, and SI engagement
  5. Microsoft Entra ID supports SAML 2.0 federation with conditional access policies for CJIS MFA
  6. CAD systems (GPD and GFEMS) remain untouched; integration is read-only inbound for reporting
  7. 311 replacement is the Phase 1 deliverable on the mayor’s 9-month timeline

Key Architectural Decisions

Decision 1: Single Org (GovCloud) with Security Boundaries (D1 + D2 — HEAVY)

Single org because cross-department citizen view and unified reporting are core requirements. Multi-org would synchronize citizen records across 3 orgs, increase cost 2.5-3x, and make the unified dashboard architecturally painful.

The police union’s concern is valid but solvable — not through separate orgs, but through provable, auditable data isolation: profiles, permission sets, sharing rules, and Shield encryption. Offer an independent security audit as a confidence measure.

4-tier data classification model:

| Tier | Classification | Examples | Access Control |
| --- | --- | --- | --- |
| T1 | Public | Fire inspection results, 311 status | Unauthenticated portal |
| T2 | Internal | 311 case details, OEM plans | Authenticated employees |
| T3 | Confidential (PHI) | EMS patient care records | GFEMS medical staff + HIPAA controls |
| T4 | Restricted (CJI) | Criminal records, IA cases | CJIS-cleared + hardware MFA + encryption |

Decision 2: Mainframe Tiered Migration (D3 — MEDIUM)

Tiered approach because migrating all 14M records is cost-prohibitive and the data quality issues (15% bad addresses, 8% invalid cross-references) make big-bang migration extremely risky.

  • Migrate (into Salesforce): Last 5 years (~3-4M records), cleaned and deduplicated
  • Virtual (Salesforce Connect / OData): 5-15 years old, read-only on-demand lookups. Requires a translation layer (e.g., IBM DataGate) to bridge COBOL/DB2 to OData
  • Archive (mainframe with REST API): 15+ years, legal lookup only

This reduces active mainframe dependency immediately and provides a decommission path as records age past retention requirements.

Decision 3: CJIS Authentication + Citizen Portal (D2 + D4)

Entra ID federation with CJIS-specific conditional access policies. Step-up MFA (hardware token or FIDO2 key, not SMS) for CJI-classified object access. Non-CJI sessions use standard Entra MFA. Rejected a separate IdP for CJIS users because maintaining two IdPs increases admin burden.

Experience Cloud for the citizen portal — supports unauthenticated public access (fire inspections under FOIA), authenticated citizen self-service (311 tracking), and integrates directly with Service Cloud case management. The 9-month Phase 1 deadline leaves no room for custom portal development.

Critical Diagrams

System Landscape

graph TB
    subgraph GovCloud["🟢 Salesforce GovCloud — Single Org"]
        SC["🟢 Service Cloud — 311 + Cases"]
        EC["🟢 Experience Cloud — Citizen Portal"]
        SHIELD["🟢 Shield Encryption + Event Monitoring"]
        subgraph Depts["Department Boundaries"]
            GPD["🟢 GPD: Police Records + IA"]
            GFEMS["🟢 GFEMS: Inspections + ePCR"]
            OEM["🟢 OEM: Emergency Mgmt"]
        end
    end

    subgraph Integration["🟠 MuleSoft — Integration Layer"]
        API["🟠 API Gateway + Orchestration"]
    end

    subgraph Retained["Retained Systems"]
        CAD["⚪ CAD Systems x2"]
        MUNIS["⚪ Tyler Munis HR/ERP"]
        EPCR["⚪ ePCR — NEMSIS Patient Care"]
        PROPEV["⚪ Property/Evidence Mgmt"]
    end

    subgraph Retiring["Retiring Systems"]
        MF["🔴 IBM Mainframe RMS"]
        IADB["🔴 Internal Affairs — MS Access"]
        PAPER["🔴 Paper Fire Inspections"]
        SP["🔴 SharePoint — OEM Plans"]
        C311["🔴 City 311 — Java On-Prem"]
    end

    ENTRA["⚪ Entra ID — SAML + MFA"]

    subgraph Legend
        direction LR
        NEW["🟢 NEW - Being Built"]
        KEEP["⚪ KEEPING - No Changes"]
        RETIRE["🔴 RETIRING - Decommissioning"]
        INT["🟠 INTEGRATION LAYER"]
    end

    ENTRA -->|SAML 2.0 SSO| SC
    WEB[Citizens] -->|Unauthenticated + Auth| EC
    CAD -->|Read-only REST| API
    API -->|CDC events| GPD
    MF -.->|Salesforce Connect OData| API
    API -->|Batch migration| GPD
    MUNIS -->|Nightly CSV batch| API
    API -->|REST sync| SC
    EPCR -->|HL7/REST read-only| API
    C311 -.->|REST JSON bidirectional| API
    IADB -.->|One-time migration| GPD
    SP -.->|One-time migration| OEM
    PAPER -.->|Manual data entry| GFEMS

Role Hierarchy and Security

graph TB
    MAYOR["Mayor / Council<br/>Aggregate Dashboards Only"]
    CM["City Manager<br/>Cross-Dept Dashboards"]
    MAYOR --> CM
    CM --> CHIEF_P["Police Chief<br/>All GPD Data"]
    CM --> CHIEF_F["Fire Chief<br/>All GFEMS Data"]
    CM --> OEM_D["OEM Director<br/>Emergency Mgmt"]

    CHIEF_P --> IA["Internal Affairs<br/>Restricted PS — IA + Chief + City Atty"]
    CHIEF_P --> CAPT["Division Captains<br/>Overtime Final Approval"]
    CAPT --> CMD["Watch Commanders<br/>Overtime Step 2"]
    CMD --> SGT["Sergeants<br/>Overtime Step 1"]
    SGT --> OFF["Officers<br/>Own Cases Only"]

    CHIEF_F --> INSP["Inspection Mgr<br/>All Zones"]
    CHIEF_F --> EMS["EMS Medical Staff<br/>PHI Access PS"]
    INSP --> FI["Inspectors<br/>Assigned Zone + Offline"]

    OEM_D --> OEMC["OEM Coordinators<br/>Plans + Resources"]
    OEM_D -.->|Emergency activation<br/>temporary access| EMACT["Emergency Personnel<br/>Time-Limited PS"]

    CATTY["City Attorney<br/>IA Cases PS"]
    CRB["Civilian Review Board<br/>IA Cases PS"]

OWD Summary:

| Object | OWD | Sharing Mechanism |
| --- | --- | --- |
| Police Cases / Investigations | Private | Role hierarchy (GPD branch only); no cross-department visibility |
| Internal Affairs Cases | Private | Permission set to IA investigators, Police Chief, City Attorney, Civilian Review Board; chain of command excluded during active investigations |
| Fire Inspections | Public Read Only | FOIA requirement (Req 28); unauthenticated portal access for commercial property results |
| EMS Patient Care Records | Private | Permission set to authorized GFEMS medical personnel only; HIPAA controls |
| 311 Service Requests | Public Read/Write | All authenticated employees can view and reassign cross-department |
| Emergency Incidents | Private | OEM sharing rules + temporary permission set grants during activations; auto-revoke on deactivation (Req 24) |
| Citizen Profiles | Private | Portal users see only own records via Experience Cloud sharing sets |
| Neighborhood Events | Public Read Only | All departments can view; OEM manages scheduling |
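
An added example, not part of the original solution and not Salesforce's sharing engine: a small Python model of four rows of the OWD table, with the expected-access matrix a security model test would assert and one misconfiguration it catches. The permission set names and test users are hypothetical, and the city manager row assumes dashboards-only access to police data.

```python
from dataclasses import dataclass

# Parent of each role, transcribed from the role hierarchy diagram above.
ROLE_PARENT = {
    "Officer": "Sergeant", "Sergeant": "Watch Commander",
    "Watch Commander": "Division Captain", "Division Captain": "Police Chief",
    "IA Investigator": "Police Chief", "Police Chief": "City Manager",
    "Inspector": "Inspection Mgr", "Inspection Mgr": "Fire Chief",
    "EMS Medical Staff": "Fire Chief", "Fire Chief": "City Manager",
}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    dept: str                                  # GPD, GFEMS or CITY
    permission_sets: frozenset = frozenset()


@dataclass(frozen=True)
class Rule:
    public: bool = False      # OWD is Public Read Only or Public Read/Write
    hierarchy_dept: str = ""  # "" none, "GPD" that branch only, "*" any ancestor
    permission_set: str = ""  # hypothetical permission set name


RULES = {
    "Police Case": Rule(hierarchy_dept="GPD"),
    "IA Case": Rule(permission_set="IA_Cases"),
    "EMS Patient Record": Rule(permission_set="PHI_Access"),
    "Fire Inspection": Rule(public=True),
}


def is_above(role, other):
    """True when `role` is an ancestor of `other` in the role hierarchy."""
    while other in ROLE_PARENT:
        other = ROLE_PARENT[other]
        if other == role:
            return True
    return False


def can_read(user, obj, owner, rules=RULES):
    rule = rules[obj]
    if rule.public or user == owner:
        return True
    if rule.permission_set and rule.permission_set in user.permission_sets:
        return True
    if rule.hierarchy_dept in ("*", user.dept):
        return is_above(user.role, owner.role)
    return False


def check_matrix(matrix, rules=RULES):
    """Return (user, object, expected, actual) for every row that disagrees."""
    return [(u.name, obj, exp, can_read(u, obj, owner, rules))
            for u, obj, owner, exp in matrix
            if can_read(u, obj, owner, rules) != exp]


# Constructed test users, one per role of interest.
officer = User("officer", "Officer", "GPD")
sergeant = User("sergeant", "Sergeant", "GPD")
captain = User("captain", "Division Captain", "GPD")
chief = User("police_chief", "Police Chief", "GPD", frozenset({"IA_Cases"}))
ia = User("ia_investigator", "IA Investigator", "GPD", frozenset({"IA_Cases"}))
fire_chief = User("fire_chief", "Fire Chief", "GFEMS")
medic = User("medic", "EMS Medical Staff", "GFEMS", frozenset({"PHI_Access"}))
inspector = User("inspector", "Inspector", "GFEMS")
manager = User("city_manager", "City Manager", "CITY")

MATRIX = [  # (user, object, record owner, expected to read?)
    (sergeant, "Police Case", officer, True),
    (captain, "Police Case", officer, True),
    (fire_chief, "Police Case", officer, False),    # cross-department
    (manager, "Police Case", officer, False),       # assumed: dashboards only
    (captain, "IA Case", ia, False),                # chain of command excluded
    (chief, "IA Case", ia, True),                   # via permission set
    (inspector, "EMS Patient Record", medic, False),
    (officer, "Fire Inspection", inspector, True),  # public (FOIA)
]

# Misconfiguration: hierarchy access on police cases not limited to the GPD branch.
BROKEN = {**RULES, "Police Case": Rule(hierarchy_dept="*")}

if __name__ == "__main__":
    print("as designed:", check_matrix(MATRIX))
    print("hierarchy not limited to GPD:", check_matrix(MATRIX, BROKEN))
```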

Data Model

erDiagram
    CITIZEN ||--o{ SERVICE_REQUEST : "Lookup"
    CITIZEN ||--o{ FIRE_INSPECTION : "Lookup (property owner)"
    CITIZEN ||--o{ NEIGHBORHOOD_EVENT : "Lookup (attendee)"
    CITIZEN {
        string OWD "Private"
        string Volume "850K"
        string Note "Unified profile across 311 fire and community"
    }
    SERVICE_REQUEST ||--|{ SR_ASSIGNMENT : "M-D"
    SERVICE_REQUEST {
        string OWD "Public Read-Write"
        string Volume "234K per year"
        string Note "Replaces 311 Java app"
    }
    SR_ASSIGNMENT {
        string OWD "Parent"
        string Note "Cross-dept reassignment tracking"
    }
    POLICE_CASE ||--|{ CASE_NARRATIVE : "M-D"
    POLICE_CASE ||--o{ EVIDENCE_RECORD : "Lookup"
    POLICE_CASE {
        string OWD "Private"
        string Volume "3-4M migrated"
        string LDV "LDV"
        string Note "CJIS-classified - Shield encrypted"
    }
    CASE_NARRATIVE {
        string OWD "Parent"
        string Note "Arrest reports and incident narratives"
    }
    EVIDENCE_RECORD {
        string OWD "Private"
        string Note "Links to Property-Evidence system"
    }
    IA_CASE ||--|{ IA_REVIEW : "M-D"
    IA_CASE {
        string OWD "Private"
        string Note "IA plus Chief plus City Attorney only"
    }
    IA_REVIEW {
        string OWD "Parent"
        string Note "Review board hearing and disposition"
    }
    FIRE_INSPECTION ||--|{ VIOLATION : "M-D"
    FIRE_INSPECTION ||--|{ INSPECTION_PHOTO : "M-D"
    FIRE_INSPECTION {
        string OWD "Public Read Only"
        string Volume "18K per year"
        string Note "FOIA public - 7yr retention"
    }
    VIOLATION {
        string OWD "Parent"
        string Note "Compliance tracking and overdue notices"
    }
    INSPECTION_PHOTO {
        string OWD "Parent"
        string Note "Captured via mobile offline"
    }
    EMS_PATIENT_RECORD {
        string OWD "Private"
        string Volume "400K per year"
        string Note "PHI - HIPAA - NEMSIS compliant"
    }
    EMERGENCY_INCIDENT ||--|{ RESOURCE_DEPLOYMENT : "M-D"
    EMERGENCY_INCIDENT ||--|{ SITUATION_REPORT : "M-D"
    EMERGENCY_INCIDENT {
        string OWD "Private"
        string Volume "200 activations per year"
        string Note "Temporary cross-dept sharing during activation"
    }
    RESOURCE_DEPLOYMENT {
        string OWD "Parent"
        string Note "Personnel and equipment staging"
    }
    SITUATION_REPORT {
        string OWD "Parent"
        string Note "Generated every 2 hours during active emergencies"
    }
    EMPLOYEE ||--o{ POLICE_CASE : "Lookup (assigned officer)"
    EMPLOYEE ||--o{ FIRE_INSPECTION : "Lookup (assigned inspector)"
    EMPLOYEE ||--|{ OVERTIME_REQUEST : "M-D"
    EMPLOYEE {
        string OWD "Private"
        string Volume "3500"
        string Note "Synced nightly from Tyler Munis"
    }
    OVERTIME_REQUEST {
        string OWD "Parent"
        string Note "3-step approval - SGT then WC then Captain"
    }
    MAINFRAME_RECORD {
        string OWD "Private"
        string Volume "10M virtual"
        string LDV "LDV"
        string Note "Salesforce Connect OData - read only"
    }

Integration Architecture

graph TB
    subgraph Sources["Source Systems"]
        CAD_G["⚪ GPD CAD<br/>~2800 events/day"]
        CAD_F["⚪ GFEMS CAD<br/>~1100 events/day"]
        MF["🔴 IBM Mainframe<br/>14M records"]
        MUNIS["⚪ Tyler Munis HR<br/>3500 employees"]
        EPCR["⚪ ePCR System<br/>12 hospitals"]
        C311["🔴 City 311<br/>4500 req/week"]
    end

    subgraph Mule["🟠 MuleSoft — Integration Layer"]
        APIGW["API Gateway"]
        ORCH["Orchestration Engine"]
        TRANS["Data Transformation"]
    end

    subgraph SF["🟢 Salesforce GovCloud"]
        SC["Service Cloud"]
        EC["Experience Cloud"]
        GPD_MOD["GPD Module"]
        GFEMS_MOD["GFEMS Module"]
        OEM_MOD["OEM Module"]
    end

    CAD_G -->|"REST read-only<br/>API key<br/>Near-real-time<br/>~2800/day"| APIGW
    CAD_F -->|"REST read-only<br/>API key<br/>Near-real-time<br/>~1100/day"| APIGW
    MF -->|"OData via IBM DataGate<br/>Service account<br/>On-demand query<br/>~10M virtual"| APIGW
    MF -->|"Batch flat-file extract<br/>SFTP<br/>Nightly<br/>~3-4M migration"| TRANS
    MUNIS -->|"CSV batch<br/>SFTP<br/>Nightly<br/>~3500 records"| TRANS
    EPCR -->|"HL7/REST<br/>mTLS<br/>Real-time<br/>PHI encrypted"| APIGW
    C311 -->|"REST JSON<br/>OAuth 2.0<br/>Bidirectional<br/>~4500/week"| APIGW

    APIGW --> ORCH
    ORCH --> TRANS
    TRANS -->|"REST / Platform Events"| SC
    TRANS -->|"Bulk API batch loads"| GPD_MOD
    TRANS -->|"REST sync"| GFEMS_MOD
    TRANS -->|"REST sync"| OEM_MOD

Migration Strategy

flowchart TB
    subgraph Phase0["Month 1-2: Preparation"]
        AUDIT["Data Quality Audit<br/>15% bad addresses<br/>8% invalid xrefs"]
        CJIS_AUDIT["CJIS Compliance Audit<br/>Engage independent auditor"]
        DEDUP["Duplicate Analysis<br/>28 years of manual entry"]
        AUDIT --> DEDUP
    end

    subgraph Phase1["Month 3-9: Phase 1 — 311 + Portal"]
        C311_MIG["Migrate 311 History<br/>~234K service requests"]
        CIT_MIG["Build Citizen Profiles<br/>Link 311 + fire + community"]
        PORTAL["Experience Cloud Portal<br/>Go-live Month 9"]
        C311_MIG --> CIT_MIG --> PORTAL
    end

    subgraph Phase2["Month 10-16: Phase 2 — Fire + Cross-Dept"]
        FIRE_MIG["Migrate Fire Inspection History<br/>7 years ~126K records"]
        IA_MIG["Migrate IA Cases<br/>from MS Access"]
        OEM_MIG["Migrate OEM Plans<br/>from SharePoint"]
        FIRE_MIG --> FIRE_LIVE["Fire Mobile Go-Live"]
        IA_MIG --> GPD_LIVE["GPD Module Go-Live"]
    end

    subgraph Phase3["Month 10-18: Phase 3 — Mainframe Tiered"]
        WAVE1["Wave 1: Migrate 0-5 yr<br/>~3-4M records<br/>Cleanest data first"]
        WAVE2["Wave 2: Virtual 5-15 yr<br/>Salesforce Connect OData<br/>IBM DataGate bridge"]
        WAVE3["Wave 3: Archive 15+ yr<br/>Read-only REST API<br/>Legal lookup only"]
        WAVE1 --> WAVE2 --> WAVE3
        WAVE3 --> DECOM["Mainframe Decommission Path<br/>Records age past retention"]
    end

    Phase0 --> Phase1
    Phase1 --> Phase2
    Phase2 --> Phase3

Identity & SSO Flow

sequenceDiagram
    participant Officer as GPD Officer<br/>(CJI Access)
    participant Browser as Browser / MDT
    participant Entra as Microsoft Entra ID
    participant SF as Salesforce GovCloud

    Officer->>Browser: Navigate to Salesforce
    Browser->>Entra: Redirect (SP-initiated SAML 2.0)
    Entra->>Entra: Primary Auth (password + MFA push)
    Entra->>Entra: Conditional Access: CJIS policy detected
    Entra->>Officer: Step-up: FIDO2 hardware key or PIV card
    Officer->>Entra: Hardware token response
    Entra->>Browser: SAML Assertion<br/>(includes CJIS_Cleared=true claim)
    Browser->>SF: POST SAML to ACS URL
    SF->>SF: Match Federation ID → User record
    SF->>SF: Verify CJIS permission set + active background check
    SF->>Browser: Session (CJI-enabled) + Redirect

sequenceDiagram
    participant Staff as City Employee<br/>(Non-CJI — Fire, OEM, Admin)
    participant Browser as Browser
    participant Entra as Microsoft Entra ID
    participant SF as Salesforce GovCloud

    Staff->>Browser: Navigate to Salesforce
    Browser->>Entra: Redirect (SP-initiated SAML 2.0)
    Entra->>Entra: Authenticate (password + standard MFA)
    Entra->>Browser: SAML Assertion (Federation ID = employee ID)
    Browser->>SF: POST SAML to ACS URL
    SF->>SF: Match Federation ID → User (no CJI access)
    SF->>Browser: Standard Session + Redirect

sequenceDiagram
    participant Citizen as Citizen
    participant Browser as Browser / Mobile
    participant SF as Experience Cloud Portal

    Citizen->>Browser: Navigate to City Portal
    Browser->>SF: Public page (fire inspections — FOIA, no auth)
    Note over SF: Unauthenticated: public fire inspection results only
    Citizen->>Browser: Click "Track My Request" (311)
    Browser->>SF: Login page (email + password)
    SF->>SF: Authenticate (optional MFA)
    SF->>SF: Apply sharing: citizen sees only own 311 requests
    SF->>Browser: Session Cookie + My Requests view

SSO Design Rationale

CJI-classified users (GPD officers, detectives, IA): SAML 2.0 via Microsoft Entra ID with CJIS-specific Conditional Access Policy. Standard Entra MFA (push notification) is the first factor; CJIS Advanced Authentication requires a SECOND factor via FIDO2 hardware security key or PIV card (not SMS — CJIS Security Policy v5.9.5 prohibits SMS as a sole second factor for CJI access). Entra Conditional Access triggers this step-up only when the user’s group membership or app assignment indicates CJI access, avoiding burdening non-CJI employees.

Non-CJI city employees (fire, OEM, admin): Same Entra ID SAML federation but standard MFA only. No hardware token required. Same IdP, different Conditional Access policy based on department group membership.

Citizens: Unauthenticated access for public fire inspection results (FOIA compliance, Req 28). Authenticated self-service for 311 request tracking. Username/password with optional MFA. No Entra integration — citizens do not have city AD accounts.
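
The session decision at the end of the CJI flow, modeled in Python as an added example (not code from this page, Salesforce or Microsoft). Apart from the `CJIS_Cleared` claim, every name is an assumption: the auth-method labels, the `CJIS_Access` permission set and the background-check field. Falling back to a standard session when a CJI check fails is also an assumed policy.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum
from typing import Optional

# Assumed labels; the page names only the CJIS_Cleared claim.
HARDWARE_METHODS = frozenset({"fido2", "piv"})   # accepted step-up factors
CJI_PERMISSION_SET = "CJIS_Access"               # hypothetical permission set


class Session(Enum):
    DENY = "deny"
    STANDARD = "standard"          # no CJI objects visible
    CJI_ENABLED = "cji-enabled"


@dataclass(frozen=True)
class Assertion:
    """Attributes from a SAML assertion whose signature, audience and
    validity window the service provider has already verified."""
    federation_id: str
    cjis_cleared: bool = False
    auth_methods: frozenset = frozenset()   # assumed attribute: factors used


@dataclass(frozen=True)
class User:
    active: bool
    permission_sets: frozenset = frozenset()
    background_check_valid_until: Optional[date] = None   # assumed field


def decide_session(assertion, users, today):
    """Return (Session, reason). CJI is enabled only when every check passes."""
    user = users.get(assertion.federation_id)
    if user is None or not user.active:
        return Session.DENY, "no active user matches the Federation ID"
    if CJI_PERMISSION_SET not in user.permission_sets:
        # A CJIS_Cleared claim alone never elevates a non-CJI user.
        return Session.STANDARD, "user holds no CJI permission set"
    failures = []
    if not assertion.cjis_cleared:
        failures.append("CJIS_Cleared claim absent")
    if not (assertion.auth_methods & HARDWARE_METHODS):
        failures.append("no hardware factor in assertion")
    expiry = user.background_check_valid_until
    if expiry is None or expiry < today:
        failures.append("background check not active")
    if failures:
        # Fail closed for CJI: the user still gets a standard session.
        return Session.STANDARD, "; ".join(failures)
    return Session.CJI_ENABLED, "all CJI checks passed"


# Constructed sample data (not from the page).
TODAY = date(2025, 1, 15)
USERS = {
    "E1001": User(True, frozenset({CJI_PERMISSION_SET}), date(2026, 1, 1)),
    "E1002": User(True, frozenset({CJI_PERMISSION_SET}), date(2024, 12, 31)),
    "E2001": User(True),                                   # fire inspector
    "E3001": User(False, frozenset({CJI_PERMISSION_SET}), date(2026, 1, 1)),
}
SAMPLES = [
    Assertion("E1001", True, frozenset({"password", "push", "fido2"})),
    Assertion("E1001", True, frozenset({"password", "sms"})),
    Assertion("E1002", True, frozenset({"password", "push", "piv"})),
    Assertion("E2001", True, frozenset({"password", "push", "fido2"})),
    Assertion("E3001", True, frozenset({"password", "push", "fido2"})),
    Assertion("E9999", True, frozenset({"fido2"})),
]

if __name__ == "__main__":
    for a in SAMPLES:
        session, reason = decide_session(a, USERS, TODAY)
        print(f"{a.federation_id} {sorted(a.auth_methods)} -> {session.value}: {reason}")
```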

Governance & DevOps

Environment Strategy

flowchart LR
    DEV1[Developer Sandbox<br/>311 / Portal Team] --> QA[QA / Integration<br/>Partial Copy]
    DEV2[Developer Sandbox<br/>Fire Inspections] --> QA
    DEV3[Developer Sandbox<br/>GPD / Security] --> QA
    SI[SI Sandbox<br/>Developer Pro<br/>Integrator Work] --> QA
    QA --> UAT[UAT<br/>Full Copy]
    UAT --> CAB{Change Advisory<br/>Board<br/>Bi-Weekly}
    CAB -->|Approved| PROD[Production<br/>GovCloud]
    CAB -->|Deferred| DEV1

Sandbox Strategy

| Sandbox | Type | Purpose | Data Policy |
| --- | --- | --- | --- |
| DEV-1 | Developer | 311 / citizen portal development | Synthetic data only; no CJI or citizen PII |
| DEV-2 | Developer | Fire inspection mobile app, workflows | Synthetic inspection data; no real property addresses |
| DEV-3 | Developer | GPD security model, IA workflows, CJIS controls | No CJI data — synthetic criminal records with realistic but fictional data |
| SI-DEV | Developer Pro | Systems integrator work (CAD, mainframe, Munis integration) | Mock API endpoints; no production system connections |
| QA | Partial Copy | Integration testing, regression, security validation | All CJI and PII fields masked; data classification labels preserved for security testing |
| UAT | Full Copy | Department representative acceptance testing | All CJI and PII fields masked; GPD’s 2 part-time testers validate security model with masked data |

CJIS Data Handling in Sandboxes

CJIS Security Policy requires that Criminal Justice Information never exist in non-production environments without equivalent security controls. The pragmatic approach: use fully synthetic criminal records in all sandboxes. Data Mask applied immediately after every sandbox refresh. The CJIS Security Officer must verify masking before any sandbox is released for use. This is auditable and will be reviewed during the CJIS compliance audit (planned Month 2).

Branching Strategy

  • main — production-ready; deploys to Production GovCloud ONLY after CAB approval
  • develop — integration branch; deploys to QA sandbox after peer review
  • feature/phase-[1|2|3]/[ticket]-description — feature branches organized by phase
  • hotfix/[ticket]-description — emergency path bypassing normal CAB cycle (post-deployment CAB ratification required within 48 hours)
  • All merges require peer code review + CI-enforced Apex test pass
  • CAB meets bi-weekly (Req 38); changes submitted by Wednesday are reviewed the following Tuesday

Testing Strategy

| Test Type | Environment | Scope | Criteria |
| --- | --- | --- | --- |
| Apex Unit Tests | Developer sandboxes | All custom Apex, triggers, Flows | >75% coverage; all assertions pass; no CJI references in test data |
| Integration Tests | QA | CAD read-only feeds, mainframe OData connector, Munis CSV batch | End-to-end with mock CAD data; validate OData bridge to mainframe staging |
| Security Model Tests | QA | Cross-department data isolation, IA case restrictions, CJIS controls | Dedicated test users per department; verify zero cross-department data leakage |
| UAT | Full Copy | Department-specific acceptance | GPD: 2 part-time testers (security-focused); GFEMS: mobile inspections (offline); OEM: emergency activation workflow |
| CJIS Compliance Audit | QA + UAT | Access logging, encryption, authentication, personnel security | Independent CJIS auditor engagement (Month 2); remediate findings before Phase 2 |
| Phased Rollout Testing | UAT | Phase 1: 311 + portal within 9 months | Citizen-facing UAT with synthetic service requests; load test at 4,500 requests/week |

CoE / Post-Go-Live Governance

Change Advisory Board (CAB): Bi-weekly meetings (Req 38) with representatives from IT, GPD, GFEMS, OEM, and City Manager’s office. All production changes require CAB approval. Emergency changes follow a hotfix path with post-deployment ratification.

Knowledge Transfer (Req 41): 6-month structured handover from SI to the 3 internal IT staff. Deliverables: system admin runbook, integration monitoring guide, security model documentation, and paired administration sessions. Monthly readiness assessments during the transfer period.

Release Cadence:

  • Standard releases: Bi-weekly, aligned with CAB meeting schedule
  • Phase 1 (Months 1-9): Accelerated cadence for 311 + portal to meet mayor’s 9-month commitment
  • Phase 2-3: Standard cadence with department-specific UAT windows
  • Emergency patches: Hotfix path with mandatory CAB ratification within 48 hours; CJIS-impacting changes require CJIS Security Officer sign-off before deployment regardless of urgency

Government Compliance:

  • Annual CJIS security audit with pre-audit self-assessment
  • All artifact changes (code, config, metadata) in version control (Req 42)
  • Automated deployment pipeline with audit trail of who deployed what, when, and which CAB approval authorized it

Integration Error Handling

SafeCity integrates with multiple retained systems. Each integration has error handling appropriate to its criticality and compliance requirements.

| Integration | Pattern | Retry | DLQ | Monitor | Fallback |
| --- | --- | --- | --- | --- | --- |
| CAD Systems (GPD + GFEMS) | Read-only REST via MuleSoft | 3x exponential (2s, 10s, 60s) | Integration_Error__c with CAD event ID and timestamp | Real-time alert to IT + department dispatch supervisor on any failure (dispatch data is life-safety critical) | CAD systems continue operating independently; Salesforce dashboards show stale-data indicator with last-sync timestamp |
| IBM Mainframe RMS (OData) | Salesforce Connect OData via IBM DataGate bridge | N/A (on-demand query) | Failed queries logged in Integration_Error__c with query parameters | Alert to IT when OData endpoint is unreachable for >15 minutes | Migrated records (last 5 years) available natively in Salesforce; only historical lookups (5-15 years) are affected; retry with manual mainframe terminal access |
| Tyler Munis HR/ERP | Nightly CSV batch via MuleSoft | 1 automatic re-run at T+4 hours | Failed records flagged in HR_Staging__c with Status__c = Error | Morning alert to HR admin + IT if nightly sync fails entirely | Employee records in Salesforce remain unchanged until next successful sync; manual CSV upload available as emergency fallback |
| City 311 System (Phase 1) | REST JSON via MuleSoft (bidirectional) | 3x exponential (1s, 5s, 30s) | Integration_Error__c with 311 request ID and payload | Citizen-facing: request accepted with pending-sync status; internal: alert to IT on >5 failures/hour | 311 requests created directly in Salesforce if legacy system is down; backfill to legacy during transition period |

Life-Safety Integration Priority

CAD integrations are classified as life-safety critical. Unlike other integrations where delayed processing is acceptable, CAD feed failures trigger immediate alerts to both IT and the relevant department’s dispatch supervisor. The architecture ensures CAD systems are never dependent on Salesforce — data flows are read-only inbound. If Salesforce is unavailable, dispatch operations continue unaffected.
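
The CAD and 311 rows of the error-handling table, modeled in Python as an added example (not MuleSoft configuration and not code from the original solution). It assumes "3x" means one initial attempt plus three retries, and uses an in-memory list in place of `Integration_Error__c`; the class and helper names are hypothetical.

```python
from dataclasses import dataclass


class TransientError(Exception):
    """Timeouts and similar failures that are worth retrying."""


@dataclass(frozen=True)
class Policy:
    backoff: tuple        # waits in seconds before retry 1, 2 and 3
    alert_after: int      # dead-lettered deliveries per window that raise an alert
    keep_payload: bool    # whether the DLQ row stores the payload
    window_s: int = 3600


# Values from the table: CAD alerts on any failure and logs only the event ID
# and timestamp; 311 alerts on >5 failures/hour and logs the payload.
POLICIES = {
    "CAD": Policy(backoff=(2, 10, 60), alert_after=1, keep_payload=False),
    "311": Policy(backoff=(1, 5, 30), alert_after=6, keep_payload=True),
}


class Dispatcher:
    def __init__(self, sleep, now):
        self.sleep, self.now = sleep, now
        self.dlq = []          # stands in for Integration_Error__c rows
        self.alerts = []
        self._failed_at = {}   # integration -> times of dead-lettered deliveries

    def deliver(self, integration, record_id, payload, send):
        """Try once, then retry per policy. Returns True on success."""
        policy = POLICIES[integration]
        attempts, error = 0, None
        for wait in (0,) + policy.backoff:
            if wait:
                self.sleep(wait)
            attempts += 1
            try:
                send(payload)
                return True
            except TransientError as exc:
                error = exc            # retry after the next wait
            except Exception as exc:
                error = exc            # e.g. rejected payload: retrying cannot help
                break
        self._dead_letter(integration, record_id, payload, attempts, error, policy)
        return False

    def _dead_letter(self, integration, record_id, payload, attempts, error, policy):
        now = self.now()
        self.dlq.append({
            "integration": integration, "record_id": record_id, "at": now,
            "attempts": attempts, "error": repr(error),
            "payload": payload if policy.keep_payload else None,
        })
        recent = [t for t in self._failed_at.get(integration, []) + [now]
                  if now - t < policy.window_s]
        self._failed_at[integration] = recent
        if len(recent) >= policy.alert_after:
            self.alerts.append((integration, record_id, len(recent)))


class FakeClock:
    """Virtual clock so the example runs instantly and offline."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def flaky(fail_times):
    """Constructed sender that times out `fail_times` times, then succeeds."""
    left = [fail_times]

    def send(payload):
        if left[0] > 0:
            left[0] -= 1
            raise TransientError("upstream timeout")
    return send


if __name__ == "__main__":
    clock = FakeClock()
    d = Dispatcher(clock.sleep, clock.now)
    print(d.deliver("CAD", "EVT-1", {"unit": "E12"}, flaky(2)), clock.t)
    print(d.deliver("CAD", "EVT-2", {"unit": "E12"}, flaky(99)), d.alerts)
```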

Requirements Addressed

  1. ✅ Single citizen digital front door — Experience Cloud portal with unauthenticated (FOIA) and authenticated (311) access (Reqs 1, 22, 28)
  2. ✅ Cross-department incident coordination — Shared incident records with audit trail + temporary emergency access grants (Reqs 3, 24)
  3. ✅ CJIS compliance — GovCloud + Shield encryption (FIPS 140-2) + Entra step-up MFA + CJIS Security Addendum (Reqs 19, 25-26)
  4. ✅ Inter-department data isolation — 4-tier data classification model with profile/permission set/sharing enforcement (Reqs 20-21)
  5. ✅ Mobile fire inspections with offline — Salesforce Mobile + offline capability for basement/elevator shaft scenarios (Req 4)
  6. ✅ Mainframe tiered migration — Migrate (5 yr) / Virtual OData (5-15 yr) / Archive (15+ yr) approach (Reqs 11-12, 16)
  7. ✅ IA case isolation — Private OWD + dedicated IA permission set; chain of command excluded during active investigation (Req 21)
  8. ✅ Phase 1 within 9 months — 311 + citizen portal scoped for mayor’s commitment; fire inspections and police records deferred (Req 40)
  9. ✅ CAB-governed release process — Bi-weekly CAB with formal change approval; 6-month SI knowledge transfer (Reqs 38, 41-42)

Risk Assessment

| Risk | Impact | Prob | Mitigation |
| --- | --- | --- | --- |
| CJIS audit failure blocks law enforcement access | Critical | Med | Engage CJIS auditor in Month 2; GovCloud + Shield; document controls early |
| Police union rejects single org | High | Med | Demonstrate provable isolation via security review with union reps; offer independent audit |
| Mainframe data quality causes migration delays | High | High | Migrate in waves starting with cleanest data; quality dashboard; 20% contingency time |
| Phase 1 misses 9-month deadline | High | Med | Limit Phase 1 to 311 + portal only; defer fire inspections and police records to Phase 2 |

Domain Scoring Notes

  • D1 System Architecture (HEAVY): Clear org strategy justification with trade-off analysis. GovCloud selection. Credible 9-month Phase 1 scope. Know what NOT to replace (CAD systems stay). Licensing: GovCloud + Service Cloud + Experience Cloud + Shield.
  • D2 Security (HEAVY): CJIS Security Policy specifics (Advanced Auth, FIPS 140-2, personnel security, audit logging). Tiered data classification mapping to real access controls. IA cases isolated from GPD role hierarchy. CJIS Security Addendum requirement. PHI treated separately from CJI (different compliance regime).
  • D3 Data (MED): Tiered migration (migrate/virtual/archive). Data quality remediation. Unified citizen profile linking across departments while keeping CJI invisible to non-GPD users.
  • D6 Dev Lifecycle (LIGHT): CAB bi-weekly cadence constrains releases. 2 part-time police UAT testers is a risk.

Reporting Approach

Standard Salesforce reports and dashboards cover most departmental needs: Fire Chief monthly inspection dashboard (Req 30), 311 volume/resolution reports, and council quarterly summaries (Req 32). The Police Chief daily dashboard (Req 29) with 15-minute refresh requires a near-real-time reporting approach — CRM Analytics with a dataflow scheduled every 15 minutes pulling from CAD integration staging records. OEM real-time situation reports during emergencies (Req 33) leverage CRM Analytics dashboards pulling cross-department data with emergency-activated sharing. Ad-hoc reporting (Req 36) uses standard report builder with row-level security enforced by the sharing model — report builders cannot expose data beyond their classification tier. NIBRS submissions (Req 34) require a scheduled Apex batch exporting police incident data in the mandated FBI format.

What Would Fail

Common Mistakes

1. Recommending multi-org without doing the math. Multi-org triples licensing, kills unified reporting, and makes the citizen portal a nightmare. Single org with provable security boundaries is the answer. If you cannot articulate WHY it works for CJIS, you lose both D1 and D2.

2. Ignoring CJIS or treating it as generic “security.” CJIS has specific requirements (Advanced Authentication, FIPS 140-2, background checks, audit logging). “We will use MFA and encryption” without referencing CJIS shows the board you have not done your homework.

3. Trying to migrate all 14M mainframe records. Data quality issues make this a deathtrap. Tiered strategy is the only credible approach within budget and timeline.

Self-Scoring Checklist

  • Did I justify single org with specific trade-offs (not just “it’s simpler”)?
  • Did I reference CJIS Security Policy requirements specifically?
  • Did I design a tiered data classification model with real access controls?
  • Did I limit Phase 1 scope to what is achievable in 9 months?
  • Did I address the police union concern with provable isolation?
  • Did I handle fire inspections as public (FOIA) and IA cases as restricted?

Scoring Rubric

| Criterion | Weight | What Judges Look For |
| --- | --- | --- |
| Security & Compliance Depth | 30% | CJIS Security Policy specifics (Advanced Authentication, FIPS 140-2, background checks, audit logging). Tiered data classification (Public/Internal/PHI/CJI) mapped to real access controls. IA case isolation from GPD chain of command. FOIA handling for fire inspections |
| Org Strategy & Architecture | 25% | Single-org justification with quantified trade-offs over multi-org. GovCloud selection rationale. Stakeholder objection handling (police union concern addressed with provable isolation). Phase 1 scoped realistically for 9 months |
| Data Architecture | 20% | Tiered mainframe migration (migrate/virtual/archive). Data quality remediation for 15% bad addresses and 8% invalid cross-refs. Unified citizen profile that keeps CJI invisible to non-GPD. Retention strategy |
| Cross-Domain Thinking | 15% | Connections between security, integration (CAD systems stay, read-only inbound), mobile (offline fire inspections), and governance (CAB bi-weekly cadence, CJIS audit engagement). Emergency access grant-and-revoke pattern |
| Communication Clarity | 10% | Diagrams that clearly show department boundaries within a single org. Confident articulation of why isolation works without separate orgs. Logical presentation flow |

This is a personal study site for Salesforce CTA exam preparation. Built with AI assistance. Not affiliated with Salesforce.