At StarCompliance, we prioritize security with DRAD, data visibility, PAM systems, and ISO 27001 and SOC2 audits. Here's Star's Director of Technical Operations Dale Sanders to explain the process in-depth
As is the trend with much of the software industry, vendors are increasingly delivering compliance software as an on-demand service hosted not on a company’s physical servers but from the cloud. In the traditional model of compliance software, data was dispersed across multiple silos to fulfill various compliance initiatives, such as monitoring for personal trading, gifts and entertainment spending, or political donations activity. Different security controls protected each silo, making it difficult to maintain consistency.
But security needn't be so complex. Today, the right cloud compliance software can unify security controls for a simpler, more streamlined approach. At Star, we prioritize security for our clients via the following four features:
1. DRAD: DATA RETENTION, ARCHIVING, AND DESTRUCTION
Star’s employee conflicts of interest monitoring platform, a.k.a., the STAR Platform, gives clients control: control to manage their own data retention policies within the system. This architectural feature, applicable to certain product lines, will delete data that exceeds the client’s data retention requirements, as driven by firm policy and regulations such as GDPR. For example, STAR's personal trading product can be configured to delete employee trade confirmations older than a specified period for a specific group of employees. The STAR Platform is smart enough to ensure any active or open holdings automatically stay in sync with the broker-dealer at all times.
2. DATA VISIBILITY
Data visibility is a core component of the STAR Platform, and is available across all products. In short, it enables clients to implement data visibility walls between lines of business, offices, and groups of users within the organization. Clients can tailor these data visibility walls to their specific business environment to ensure compliance with internal and regulatory requirements from a data-access perspective. For example, an authorized administrator located in North America may be allowed to view and manage employees located in North America, but not Europe. Thus, a virtual wall is put in place to ensure the administrator in North America can access only the data she is authorized to view, and not the European data.
3. PAM: PRIVILEGED ACCESS MANAGEMENT SYSTEMS
With the STAR Platform, clients have complete oversight over who outside their organization can access company data. Before a Star team member can access client data for support purposes, they must receive permission via an access approval workflow within the PAM system itself. Our PAM system also keeps track of all access activity by creating audit reports and video session recordings. With these materials, clients can always have definitive proof of who accessed their database and when and why they accessed it.
4. ISO 27001 AND SOC2 TYPE2 AUDITS
Finally, we ensure the STAR Platform maintains a strong information security framework through two important audits: the ISO 27001 and the SOC2 Type 2. The first is an annual point-in-time audit performed by an independent third party. Outside experts review the platform yearly to ensure it’s in line with internationally recognized standards. The second audit, SOC2 Type 2, is a period-of-time audit that must be performed by a CPA. This audit evaluates the operational effectiveness of technical, physical, and administrative security controls on a recurring basis throughout the year. The SOC2 Type 2 audit by the CPA firm is typically done once every 12 months. Investing in third-party audits and willingly sharing audit documentation with our clients demonstrates our commitment to security on an ongoing basis.
With the STAR Platform, there’s no need to sacrifice security for convenience. Information security best practices are part and parcel of our cloud compliance software, and the interface is intuitive and sensible. We take the complexity out of security to help you streamline controls across all areas of compliance.