Digital Signature Acceptance Policy

1. Overview

See Purpose.

2. Purpose

The purpose of this policy is to define when digital signatures are considered an accepted means of validating the identity of a signer in eCuras electronic documents and correspondence, and thus a substitute for traditional “wet” signatures, within the organization. Because communication has become primarily electronic, the goal is to reduce confusion about when a digital signature is to be trusted.

3. Scope

This policy applies to all eCuras employees and affiliates.

This policy applies to all eCuras employees, contractors, and other agents conducting eCuras business with an eCuras-provided digital key pair. This policy applies only to intra-organization digitally signed documents and correspondence, and not to electronic materials sent to or received from persons or organizations not affiliated with eCuras.

4. Policy

A digital signature is an acceptable substitute for a wet signature on any intra-organization document or correspondence, except for the document types listed on the Chief Financial Officer’s (CFO) site on the organization’s intranet: <CFO’s Office URL>

The CFO’s office will maintain an organization-wide list of the types of documents and correspondence not covered by this policy.

Digital signatures must apply to individuals only. Digital signatures for roles, positions, or titles (e.g., the CFO) are not considered valid.

4.1  Responsibilities

Digital signature acceptance requires specific actions by both the employee signing the document or correspondence (hereafter the signer) and the employee receiving/reading the document or correspondence (hereafter the recipient).

4.2  Signer Responsibilities

4.2.1 Signers must obtain a signing key pair from eCuras. This key pair will be generated using eCuras’s Public Key Infrastructure (PKI), and the public key will be signed by eCuras’s Certificate Authority (CA), <CA Name>.

4.2.2 Signers must sign documents and correspondence using software approved by the eCuras IT organization.

4.2.3 Signers must protect their private key and keep it secret.

4.2.4 If a signer believes that the signer’s private key has been stolen or otherwise compromised, the signer must contact the eCuras Identity Management Group immediately to have the signer’s digital key pair revoked.

4.3  Recipient Responsibilities

4.3.1 Recipients must read documents and correspondence using software approved by the eCuras IT department.

4.3.2 Recipients must verify that the signer’s public key was signed by eCuras’s Certificate Authority (CA), <CA Name>, by viewing the details of the signed key in the software they are using to read the document or correspondence.

4.3.3 If the signer’s digital signature does not appear valid, the recipient must not trust the source of the document or correspondence.

4.3.4 If a recipient believes that a digital signature has been abused, the recipient must report the concern to the eCuras Identity Management Group.

5. Policy Compliance

5.1  Compliance Measurement

The Infosec team will verify compliance with this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.

5.2  Exceptions

The Infosec team must approve any exception to the policy in advance.

5.3  Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6. References

Note that these references were used only as guidance in the creation of this policy template. We highly recommend that you consult with your organization’s legal counsel, since there may be federal, state, or local regulations with which you must comply. Any other PKI-related policies your organization has may also be cited here.

American Bar Association (ABA) Digital Signature Guidelines: http://www.abanet.org/scitech/ec/isc/dsgfree.html

Minnesota State Agency Digital Signature Implementation and Use: http://mn.gov/oet/policies-and-standards/business/policy-pages/standard_digital_signature.jsp

Minnesota Electronic Authentication Act: https://www.revisor.leg.state.mn.us/statutes/?id=325K&view=chapter -stat.325K.001

City of Albuquerque EMail Encryption / Digital Signature Policy: http://mesa.cabq.gov/policy.nsf/WebApprovedX/4D4D4667D0A7953A87256E7B004F6720?OpenDocument

West Virginia Code §39A-3-2: Acceptance of electronic signature by governmental entities in satisfaction of signature requirement: http://law.justia.com/westvirginia/codes/39a/wvc39a-3-2.html

Revised: March 14th, 2018
