Compliance

Learn how StaffCop Enterprise can be used for compliance with international standards. The software package can cover a number of articles when it is used as part of your information security policy and configured appropriately.

Please keep in mind that this article contains recommendations on the use of StaffCop for compliance. Implementing StaffCop does not automatically make your company compliant with the standards mentioned in this article!

General notes on implementation

StaffCop has been designed as a software system for governmental and commercial organizations for evaluating employee efficiency, ensuring labor ethics and preventing insider threats. StaffCop is meant to be installed on devices belonging to the employer and cannot be installed on a PC without administrator rights, which means it cannot be installed secretly on an employee's personal device without their consent.

StaffCop is sold worldwide, and the monitoring configuration can be adjusted according to the legislation of each country. For example, if microphone recording seems to be an excessive measure for evaluating employee efficiency, this function can be disabled in the monitoring configuration. We recommend that employers notify their employees about the use of monitoring software and add corresponding clauses to their labor contracts.

StaffCop is installed on-premises and can be used in closed networks without an internet connection. We have no access to the collected data.

ISO 27001

StaffCop Enterprise can significantly help you meet ISO 27001 requirements. The flexibility of its settings makes it a good fit for any Information Security Management System (ISMS). The PDCA (Plan-Do-Check-Act) cycle lies at the core of the standard, so let's go through it with StaffCop step by step.

  1. Plan. At this stage you establish the company's internal policy (the ISMS) regulating the creation and distribution of information within and beyond the company. Corporate information and access to it should be classified and separated, with different access rights for different groups of employees. For example, your employees should work only with a limited set of websites and applications, the secretary's PC is the only one that can print documents, and the sales department is the only department with access to the customer database.
  2. Do. Implementation is done by creating a set of fully customized filters and policies. This is all carried out in the StaffCop administrative interface and then applied to the workstations. The policies and filters can be modified at any moment. StaffCop is deployed in your corporate network and does not send any data outside it, providing a high level of information security. It can work in closed networks, i.e. those without an internet connection.
  3. Check. Monitoring is carried out in the same administrative interface. Several administrators can be assigned access rights corresponding to their level of responsibility. For example, each head of a department can monitor information on the PCs belonging to his or her department. Alerts on violations of the ISMS are sent to the specified e-mail addresses, whether of a security officer or the company owner. Documents can be searched for classified information, and if it is contained in images or PDFs, the text is recognized (OCR).
  4. Act. StaffCop Enterprise can track huge amounts of information that can be used to analyze and evaluate user behavior. Use pre-set and customized reports to analyze the data and visualize the resulting output. There are handy embedded tools, such as the heat map and the anomaly detector, that help you track behavior trends and deviations. With the experience gained and the data collected, the ISMS should be corrected accordingly, which means both organizational measures and reconfiguration of StaffCop policies.

StaffCop helps you meet the requirements of the following Annex A controls:

  • A.8.1.1 Inventory of assets
  • A.8.2.1 Classification of information
  • A.13.2 Information transfer
  • A.8.3 Media handling
  • A.12.4 Logging and monitoring
  • A.16 Information security incident management

GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all citizens of the European Union and the European Economic Area. To meet the requirements of the regulation, business owners should employ both organizational and software measures. StaffCop is a software system that helps you meet these requirements, covering a number of important articles.

Data protection by design and by default (GDPR Article 25)

After you have classified the data processed in your organization, you can configure StaffCop so that it controls the different categories of data. For example, files containing employees' details can be opened only by the HR department, and all use of them is recorded. If you need to exclude certain websites that may contain personal data (such as social networks or banking sites) from monitoring, this can easily be done in the configuration.

Record of processing activities (GDPR Article 30)

StaffCop is well suited to this article, as it logs all the details associated with data access events from the computers on the monitored network, and if data was transferred, the logs contain the details of the transfer, including sender and recipient names and the context of the event. The collected data serves as a forensic base when necessary.

Security of processing (GDPR Article 32)

To meet the requirements of this article, StaffCop transfers data over port 443 using encrypted protocols. Second, the software system is deployed within the customer's corporate network, which reduces the risk of personal data leaking from third-party storage such as cloud services. Access to StaffCop itself can be restricted in accordance with your company's policies in order to reduce the risk of unauthorized data processing.

Notification of a data breach (GDPR Article 33)

StaffCop features fully customizable reports and policies with immediate notifications sent to an e-mail address. So if a breach of personal, sensitive or other classified data occurs, you are notified immediately, which gives you time to take the necessary measures. As all the details of the event associated with the data breach are logged, you will have a substantial evidence base.

Supporting the data protection officer (GDPR Article 38)

StaffCop Enterprise is a strong tool for a DPO, as it has extensive functionality for preventing data leaks, protecting both corporate and personal data, evaluating risks and their possible causes, and taking timely measures when necessary. For example, suppose an insider intends to leak sensitive data from the corporate network. The DPO is notified in accordance with the configured policies and can take immediate action, for example blocking the target PC.

PCI DSS

PCI DSS is an information security standard regulating the processing of data associated with users' credit card information. The standard is mandatory in 53 countries.

StaffCop Enterprise is a good solution for complying with the standard at the software level. Let's consider in detail the requirements of the standard covered at this level:

“Restricting access to cardholder data to only authorized personnel. Systems and processes must be used to restrict access to cardholder data on a “need to know” basis.”

StaffCop can be used to differentiate access to cardholder data, which means that only authorized users are able to work with files containing this kind of information.

“Identifying and authenticating access to system components. Each person with access to system components should be assigned a unique identification (ID) that allows accountability of access to critical data systems.”

Each user with authorized access to cardholder data has a unique identification represented by their user name. This is also true for the users of StaffCop itself: they can be assigned unique IDs and a unique set of permissions.

“Restricting physical access to cardholder data. Physical access to cardholder data or systems that hold this data must be secure to prevent the unauthorized access or removal of data. Prevention by blocking channels.”

StaffCop can protect cardholder data against leakage by blocking the information channels through which it may leak. For example, a PC containing this type of information can have its USB and CD drives or e-mail applications blocked.

“Tracking and monitoring all access to cardholder data and network resources. Logging mechanisms should be in place to track user activities that are critical to prevent, detect or minimize impact of data compromises.”

StaffCop keeps track of all information associated with cardholder data and network resources and provides the tools needed to prevent leakage of this data, including the ability to instantly block the targeted PC. Card numbers are identified using the Luhn algorithm, so the system administrator is notified in time about actions involving this data, which gives them time to take preventive measures.
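The following is an added example, not StaffCop's own code, showing how a Luhn-based card number detector of the kind described above works: it scans captured text (here, a few constructed log lines in an invented format) for 13 to 19 digit candidates, keeps only those that pass the Luhn check, and reports each hit in masked form so that the alert itself does not contain a full card number. The candidate pattern, the masking rule and the sample log lines are assumptions for illustration; StaffCop's actual matching rules are not described on this page.

```python
import re
from typing import Dict, List

# Candidate primary account numbers (PANs): 13 to 19 digits, optionally
# separated by single spaces or hyphens. The lookarounds reject digit runs
# that are merely part of a longer number (assumed pattern, not StaffCop's).
CANDIDATE_RE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Working from the right, every second digit is doubled (subtracting 9 if the
    result exceeds 9); the number is valid when the total is divisible by 10.
    """
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for index, char in enumerate(reversed(digits)):
        digit = int(char)
        if index % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, a common masking rule for alerts/logs."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Dict]:
    """Scan text and return every Luhn-valid candidate with its position and masked form."""
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append({
                "start": match.start(),
                "end": match.end(),
                "length": len(digits),
                "masked": mask_pan(digits),
            })
    return hits


# Constructed sample of captured events (invented format, not StaffCop output).
# The numbers are well-known test card numbers; 4111...1112 is a deliberately
# invalid variant, and the phone number is too short to be a candidate.
SAMPLE_LOG = """\
2024-03-01 10:14:02 user=jdoe action=file_open path=C:\\Reports\\q1.xlsx
2024-03-01 10:14:07 user=jdoe action=clipboard text="card 4111 1111 1111 1111 exp 12/26"
2024-03-01 10:15:30 user=jdoe action=clipboard text="order 4111-1111-1111-1112 phone 555-0100"
2024-03-01 10:16:01 user=asmith action=email body="use 4242424242424242 for the test gateway"
"""


def scan_sample() -> List[Dict]:
    """Run the detector over the constructed sample; used by the demo below."""
    return find_pans(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"possible PAN at offset {hit['start']}: {hit['masked']} ({hit['length']} digits)")
```

Only the two Luhn-valid numbers are reported; the transposed digit in the third line fails the checksum and produces no alert, which is what keeps a detector like this from flooding the security officer with order numbers and timestamps. Masking in the alert matters because the notification e-mail is itself a place where cardholder data could otherwise end up.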