No organization wants security scars. That’s why IT and Information Security departments generally do extensive due diligence on their cloud hosting and software providers to protect against data breaches, data loss, malware, viruses, phishing and other security threats. To help defend your organization, we’ve compiled an e-signature security checklist specifically for evaluating e-signature services. This checklist takes a holistic approach to security. We recommend not only looking at the security of the service, but also how signers are authenticated, the vendor’s approach to document and signature security, and the audit trail associated with the digital transaction.
E-Signature laws don’t say much when it comes to security techniques and technology, but the legal definition of an electronic signature always includes language around signer identity. This means you need to:
- Authenticate users prior to e-signing
- Tie that authentication to the e-signature AND the e-signed record
What to look for:
- A solution that supports multiple authentication methods, such as:
– Remote user authentication through user ID / password
– Email address verification through e-sign session invitation
– Remote user authentication through secret Q&A (a.k.a. challenge-response)
– Ability to leverage existing credentials
– Dynamic KBA through third-party databases (e.g. Equifax)
– Support for digital certificates
– Ability to upload images as part of an e-sign transaction, e.g. photo of a driver’s license
- The ability to configure different authentication methods within the same transaction;
- Flexibility to adapt the authentication method(s) to the risk profile of your organization and EACH process being automated (e.g., customize the challenge-response questions and the number of questions based on your requirements);
- Flexible options for in-person signature attribution, including hand-off affidavits and a one-time PIN sent by SMS to a personal mobile device (check whether SMS authentication is included free of charge, and treat SMS as the weaker factor: NIST SP 800-63B classes it as a restricted authenticator because of SIM-swap and interception risk).
After evaluating user authentication capabilities, the next step will be to verify that the e-signature service captures the authentication as part of the document audit trail and embeds the audit trail into the e-signed document.
Embedded Audit Trail
E-signed documents that can be verified and archived independently of the e-signature vendor provide an additional layer of security. Whether or not you maintain an account on the e-signature service in the future (or whether your vendor is even still in business), your documents are not affected since you, your customers and other stakeholders do not have to go online to access or verify the e-signed document.
The practical way to achieve vendor independence is a solution that embeds the electronic signatures, time stamps and audit trail directly in the document, as standard digital signatures that any conformant reader can validate. This creates a self-contained, portable record rather than a pointer to a record held on the vendor's servers.
What to look for:
- Ability to verify document authenticity independently of the e-signature service (meaning you do not need to worry if a verification link back to a server will be valid years from now or if it will give you a “page not found” error message).
- Ability to index, store and retrieve the e-signed document in the system of record of your choice – not in the service provider’s cloud storage (allowing you to comply with your organization’s long-term retention requirements).
Document & Signature Security
Look for an e-signature solution that packages and secures the final e-signed document using a digital signature. The e-signature solution should apply the digital signature at two levels:
- At the signature level to prevent tampering with the signature itself.
- At the document level to prevent tampering with the document’s contents.
A digital signature binds the signer's intent to the exact content that was agreed to at the time of signing, and makes the e-signed document tamper-evident: any later change, however small, causes verification to fail rather than slipping by unnoticed. (A digital signature is not encryption; it does not hide the document, it makes alteration detectable.)
Some vendors (DocuSign, for example) apply a single digital signature as an envelope over the document only after all e-signatures have been captured. This is not a recommended practice: the document and the signatures already on it are unprotected while the process is still open, and every signature ends up carrying the envelope's date and time rather than its own. If a signer and a co-signer e-sign a record on two separate days, you want that history reflected in the audit trail. The best practice is to apply a digital signature as each e-signature is added to the document, which builds a comprehensive audit trail with the date and time at which each signature was applied.
What to look for:
- The document must be secured with a digital signature
- EACH signature must be secured with a digital signature
- A comprehensive audit trail should include the date and time of EACH signature
- The audit trail must be securely embedded in the document
- The audit trail must be linked to each signature
- Ability to verify the validity of the signed record offline, without going to a website
- One-click signature and document verification
- Ability to download a verifiable copy of the signed record with the audit trail
- The document must be accessible to all parties
Audit Trail of the Signing Process
When regulated companies undergo a compliance audit, they are often asked to prove the exact business process they followed. As part of this, auditors also look for a record of every time key documents were touched, when and by whom.
We recommend capturing a comprehensive audit trail of the signing process because it enables you to demonstrate exactly how a customer completed a transaction on the web or through a mobile device. Most e-signature solutions in the market fall short when proving compliance because they don’t have the ability to capture a full record of the signer’s actions.
What to look for:
A solution that records the process by which the signatures were captured, including:
- IP address
- Date and time stamp of all events
- All web pages, documents, disclosures and other information presented
- The length of time spent reviewing each document
- What each party acknowledged, agreed to and signed
- All other actions taken during the transaction
As part of this, verify whether you have the ability to search, find and playback a specific transaction’s process audit trail for auditors or other business stakeholders, in just a few clicks.
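The two checklists above (a digital signature at both the signature and the document level with a date and time per signature, and a process audit trail that is embedded in the record and verifiable offline) can be seen working together in the following added example. It is illustrative code written for this checklist, not any vendor's implementation, and it makes simplifying assumptions: the service signs with a single Ed25519 key whose public half is embedded in the record, the document content does not change between signatures, and the audit event layout and the constructed sample events (signer addresses, IP addresses, timestamps) are invented for the demonstration. Each event is signed at the moment it happens and chained to the previous one; a final document-level signature covers the document and the whole trail, which is what catches a truncated trail that a per-event chain alone would accept.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// AuditEvent is one step of the signing process, embedded in the record.
// The field layout is an assumption made for this example.
type AuditEvent struct {
	Seq        int    `json:"seq"`
	Time       string `json:"time"`                  // RFC 3339, UTC
	Actor      string `json:"actor"`                 // signer identity or "service"
	IP         string `json:"ip"`
	Action     string `json:"action"`                // authenticated, presented, signed ...
	Detail     string `json:"detail"`
	AuthMethod string `json:"auth_method,omitempty"` // how the actor was authenticated
	DocHash    string `json:"doc_hash"`              // SHA-256 of the document content
	PrevHash   string `json:"prev_hash"`             // SHA-256 of the previous event (hash chain)
	Sig        string `json:"sig"`                   // Ed25519 over this event: signature-level protection
}

// SignedRecord is the self-contained, portable package: document, trail,
// the verifying key, and a document-level signature over everything.
type SignedRecord struct {
	Document []byte
	Trail    []AuditEvent
	PubKey   []byte // embedded so verification needs no call-back to the service
	DocSig   []byte // Ed25519 over document + full trail: document-level protection
}

// Service holds the e-signature service's signing key.
type Service struct{ priv ed25519.PrivateKey }

func NewService() *Service {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Service{priv: priv}
}

func hashHex(b []byte) string {
	h := sha256.Sum256(b)
	return hex.EncodeToString(h[:])
}

// canonical returns the bytes an event's signature covers (the event with Sig cleared).
func canonical(ev AuditEvent) []byte {
	ev.Sig = ""
	b, _ := json.Marshal(ev) // marshalling this plain struct cannot fail
	return b
}

// eventHash hashes the stored event including its signature; it is what the next event chains to.
func eventHash(ev AuditEvent) string {
	b, _ := json.Marshal(ev)
	return hashHex(b)
}

func (s *Service) NewRecord(doc []byte) *SignedRecord {
	return &SignedRecord{Document: doc, PubKey: s.priv.Public().(ed25519.PublicKey)}
}

// Append records one step, binds it to the document content and the prior
// event, and signs it now, not when the whole envelope closes.
func (s *Service) Append(rec *SignedRecord, ev AuditEvent) {
	ev.Seq = len(rec.Trail)
	ev.DocHash = hashHex(rec.Document)
	if ev.Seq > 0 {
		ev.PrevHash = eventHash(rec.Trail[ev.Seq-1])
	}
	ev.Sig = hex.EncodeToString(ed25519.Sign(s.priv, canonical(ev)))
	rec.Trail = append(rec.Trail, ev)
}

func sealMessage(rec *SignedRecord) []byte {
	trail, _ := json.Marshal(rec.Trail)
	return []byte(hashHex(rec.Document) + ":" + hashHex(trail))
}

// Seal applies the document-level signature over the document and the entire trail.
func (s *Service) Seal(rec *SignedRecord) {
	rec.DocSig = ed25519.Sign(s.priv, sealMessage(rec))
}

// Verify checks the record offline using only what is embedded in it.
func Verify(rec *SignedRecord) error {
	if len(rec.PubKey) != ed25519.PublicKeySize {
		return errors.New("embedded public key has wrong size")
	}
	pub := ed25519.PublicKey(rec.PubKey)
	docHash := hashHex(rec.Document)
	prev := ""
	for i, ev := range rec.Trail {
		if ev.Seq != i || ev.PrevHash != prev {
			return fmt.Errorf("event %d: audit trail chain broken (reordered or inserted event)", i)
		}
		if ev.DocHash != docHash {
			return fmt.Errorf("event %d: document content changed after this event", i)
		}
		sig, err := hex.DecodeString(ev.Sig)
		if err != nil || !ed25519.Verify(pub, canonical(ev), sig) {
			return fmt.Errorf("event %d: event signature invalid (event fields altered)", i)
		}
		prev = eventHash(ev)
	}
	if !ed25519.Verify(pub, sealMessage(rec), rec.DocSig) {
		return errors.New("document-level signature invalid (content or trail altered, or trail truncated)")
	}
	return nil
}

// DemoRecord builds a record from constructed sample events: two signers on two different days.
func DemoRecord() *SignedRecord {
	svc := NewService()
	rec := svc.NewRecord([]byte("Loan agreement v3: borrower agrees to ..."))
	svc.Append(rec, AuditEvent{Time: "2016-03-01T14:02:11Z", Actor: "alice@example.com", IP: "203.0.113.7",
		Action: "authenticated", AuthMethod: "email+sms-otp"})
	svc.Append(rec, AuditEvent{Time: "2016-03-01T14:02:40Z", Actor: "alice@example.com", IP: "203.0.113.7",
		Action: "presented", Detail: "disclosure.pdf, reviewed for 93s"})
	svc.Append(rec, AuditEvent{Time: "2016-03-01T14:04:13Z", Actor: "alice@example.com", IP: "203.0.113.7",
		Action: "signed", Detail: "signature block 1"})
	svc.Append(rec, AuditEvent{Time: "2016-03-03T09:17:55Z", Actor: "bob@example.com", IP: "198.51.100.22",
		Action: "signed", AuthMethod: "kba", Detail: "signature block 2"})
	svc.Seal(rec)
	return rec
}

func main() {
	rec := DemoRecord()
	fmt.Println("intact:", Verify(rec))
	rec.Trail[3].Time = "2016-03-01T14:04:13Z" // back-date Bob's signature to Alice's day
	fmt.Println("back-dated:", Verify(rec))
}
```

Verify reads nothing but the record, so an archived copy can be checked years later without the service. One caveat the example deliberately leaves out: an embedded public key only proves the record was not altered since it was signed. To trust who produced it, the key must chain to a certificate you already trust, which is what a PDF digital signature backed by a CA-issued certificate gives you and what the "support for digital certificates" item in the authentication checklist is asking for.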
In addition to the criteria listed above, look at the protocols an e-signature vendor has in place to identify and prevent data breaches. There are a number of compliance programs and frameworks in place to guide how such protocols are built and implemented, however it’s important to understand the differences between them.
| Framework | What it tells you about a vendor |
|---|---|
| SSAE 16 / SOC 1 | Reports on controls relevant to a customer's financial reporting, so it suits financial processing systems such as payroll. It is not designed to evaluate security, availability, processing integrity, confidentiality or privacy controls, and gives no insight into the technology and processes behind the security of the service. (SSAE 16 has since been superseded by SSAE 18; the scope of the resulting SOC 1 report is unchanged.) |
| ISO 27001 | Certifies that the organization operates an Information Security Management System that meets the standard. The certificate is valid for three years with annual surveillance audits, so it provides point-in-time assurance that the management system exists; it says little about whether specific technical controls operated effectively every day over that period. |
| SOC 2 | An independent auditor's attestation on the controls relevant to the security of the service (and optionally availability, processing integrity, confidentiality and privacy). A Type I report covers control design at a point in time; a Type II report covers operating effectiveness over a review period, typically six to twelve months, and is the one to ask for. Of the three it is the most relevant for evaluating a hosted service. Ask for the full SOC 2 Type II report, including the auditor's description of the tests of controls and their results, not a summary or bridge letter. |
Even experts like Gartner tell their customers to “not accept an SSAE 16 (SOC 1) report as assurance of a service provider’s security posture.”
Of the three compliance programs above, look for an e-signature vendor that has completed a SOC 2 Type II attestation covering both the data center and the service itself (a data-center SOC 2 alone says nothing about the application running in it). It gives assurance on the internal controls, policies and procedures protecting the system, and because the auditor tests those controls over a review period rather than on a single day, it shows that the processes securing your data are monitored consistently.
Source: Gartner, Inc., SOC Attestation Might Be Assurance of Security … or It Might Not