No organization wants to carry security scars. That is why IT and IT security departments generally perform due diligence on their cloud hosting services and software providers to protect against data breaches, data loss, malware, viruses, phishing and other security threats. To help defend your organization, we have compiled an electronic signature security checklist specifically for evaluating electronic signature services. This checklist takes a holistic approach to security. We recommend looking not only at the security of the service itself, but also at how signers are authenticated, at the provider’s approach to document and signature security, and at the audit trail associated with the digital transaction.


User authentication

Electronic signature laws say little about security techniques and technology, but the legal definition of an electronic signature always includes language about the identity of the signer. This means that you need to:

  • Authenticate users before they sign electronically.
  • Associate that authentication with the electronic signature and with the electronically signed record.

What to look for:

  1. A solution that supports multiple authentication methods, such as:
  • Remote user authentication via user ID and password.
  • Verification of the e-mail address through the invitation to the electronic signature session.
  • Authentication of remote users through secret questions and answers (also known as challenge-response).
  • Ability to leverage existing credentials.
  • Dynamic KBA (Knowledge Based Authentication) through third-party databases (e.g. Equifax).
  • Support for digital certificates.
  • Ability to upload images as part of an electronic signature transaction, e.g. a driver’s license photo.
  2. The ability to configure different authentication methods within the same transaction.
  3. Flexibility to adapt the authentication methods to your organization’s risk profile and to automate each process (e.g. customize the challenge-response questions and the number of questions according to your requirements).
  4. Flexible options for face-to-face signature attribution, including affidavits and a one-time password (PIN) sent by SMS to a personal mobile device (check whether user authentication via SMS is included free of charge).

After assessing the user authentication capabilities, the next step is to verify that the electronic signature service captures the authentication as part of the document’s audit trail and embeds the audit trail in the electronically signed document.


Integrated audit trail

Electronically signed documents that can be verified and archived independently of the electronic signature provider add a further layer of security. Whether or not you keep an account with the electronic signature service in the future, your documents are not affected: you, your clients and other interested parties do not need to connect to the Internet, or to the provider, to access or verify the electronically signed document.

The only way to achieve vendor independence is a solution that embeds the electronic signatures, the time stamps and the audit trail directly in the document. This creates a self-contained, portable record.

What to look for:

  • Ability to verify the authenticity of the document independently of the electronic signature service. This means that you do not need to worry about whether a verification link will still be valid several years from now, or whether it will return a 404 “page not found” error.
  • Ability to index, store and retrieve the electronically signed document in the system of record of your choice, not in the provider’s cloud storage service. This helps you meet your organization’s long-term retention requirements.

Document and signature security

You are looking for an electronic signature solution that packages and secures the final signed document with a digital signature. The electronic signature solution must apply the digital signature at two levels:

  1. At the signature level, to prevent tampering with the signature itself.
  2. At the document level, to prevent tampering with the document content.

The digital signature binds the signing intent to the information agreed upon at the time of signing. It also locks the electronically signed document against tampering, so that unauthorized changes cannot go unnoticed.

Some vendors, DocuSign among them, apply a single digital signature that functions as an envelope around the document once all signatures have been captured. This is not a recommended practice: it leaves the document and the individual signatures unprotected while the process is still in progress, and it results in incorrect date and time stamps on the individual signatures. If a signer and a co-signer electronically sign a record on two separate days, that fact needs to be reflected in the audit trail. The best practice is to apply a digital signature each time an electronic signature is added to the document. This produces a comprehensive audit trail that records the date and time of every signature.

What to look for:

  • The document must be protected with a digital signature.
  • Each signature must be secured with a digital signature.
  • A comprehensive audit trail should include the date and time of each signature.
  • The audit trail must be securely integrated into the document.
  • The audit trail must be linked to each signature.
  • Possibility to check the validity of the signed record offline, without going to a website.
  • One-click signature and document verification.
  • Ability to download a verifiable copy of the signed record with the audit trail.
  • The document must be accessible to all parties.
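The two-level protection described above (a seal on each signature as it is added, plus a document-level seal that is refreshed after every signature), together with the checklist items on per-signature timestamps, an audit trail linked to each signature and offline verification, can be illustrated with the following Python example. It is an added example, not OneSpan’s or any other vendor’s code: the record layout, field names and the sample loan agreement are constructed for the illustration, and an HMAC-SHA256 keyed with a constructed service key stands in for the asymmetric digital signature (with a trusted timestamp) that a real service would apply, so that the example runs with the standard library alone.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. In a real e-signature service this would be the
# provider's asymmetric signing key held in an HSM; HMAC-SHA256 is used here
# only as a stand-in so the example runs with the standard library.
SERVICE_KEY = b"demo-service-key-not-for-production"


def _canonical(payload: dict) -> bytes:
    """Canonical JSON so the seal does not depend on key order or whitespace."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _seal(payload: dict) -> str:
    """Stand-in for a digital signature over the canonical payload."""
    return hmac.new(SERVICE_KEY, _canonical(payload), hashlib.sha256).hexdigest()


def content_hash(content: str) -> str:
    return hashlib.sha256(content.encode()).hexdigest()


def new_record(content: str) -> dict:
    return {"content": content, "signatures": [], "document_seal": None}


def add_signature(record: dict, signer: str, auth_method: str, signed_at: str) -> dict:
    """Seal one e-signature event and refresh the document-level seal.

    The event binds the hash of the content the signer actually saw, the
    signer identity, how the signer was authenticated, the signing time and
    the previous event's seal (so events cannot be dropped or reordered).
    """
    prev_seal = record["signatures"][-1]["seal"] if record["signatures"] else ""
    event = {
        "signer": signer,
        "auth": auth_method,
        "signed_at": signed_at,
        "content_hash": content_hash(record["content"]),
        "prev_seal": prev_seal,
    }
    event["seal"] = _seal(event)
    record["signatures"].append(event)
    # The document-level seal is re-applied after every signature, so the
    # record is protected while the transaction is still open, not only at the end.
    record["document_seal"] = _seal(
        {"content_hash": event["content_hash"], "last_seal": event["seal"]}
    )
    return event


def verify(record: dict) -> list[str]:
    """Offline verification: returns the list of problems, empty if the record is intact."""
    problems: list[str] = []
    expected_hash = content_hash(record["content"])
    prev_seal = ""
    for i, ev in enumerate(record["signatures"]):
        body = {k: v for k, v in ev.items() if k != "seal"}
        if not hmac.compare_digest(_seal(body), ev["seal"]):
            problems.append(f"signature {i} ({ev['signer']}) seal mismatch")
        if ev["content_hash"] != expected_hash:
            problems.append(f"signature {i} ({ev['signer']}) signed different content")
        if ev["prev_seal"] != prev_seal:
            problems.append(f"signature {i} ({ev['signer']}) chain break")
        prev_seal = ev["seal"]
    doc_seal = _seal({"content_hash": expected_hash, "last_seal": prev_seal})
    if not record["signatures"] or not hmac.compare_digest(doc_seal, record["document_seal"] or ""):
        problems.append("document seal mismatch")
    return problems


def run_demo() -> dict:
    """Signer and co-signer sign two days apart, then three tampering attempts."""
    rec = new_record("Loan agreement v3: amount 25,000 EUR, term 60 months")  # constructed
    add_signature(rec, "alice@example.com", "sms-otp", "2023-03-01T09:12:00Z")
    add_signature(rec, "bob@example.com", "kba", "2023-03-03T16:40:00Z")

    altered_content = copy.deepcopy(rec)    # change the agreed amount after signing
    altered_content["content"] = altered_content["content"].replace("25,000", "35,000")

    backdated = copy.deepcopy(rec)          # move Alice's timestamp onto Bob's day
    backdated["signatures"][0]["signed_at"] = "2023-03-03T16:40:00Z"

    dropped = copy.deepcopy(rec)            # remove the first signer's event entirely
    del dropped["signatures"][0]

    return {
        "timestamps": [ev["signed_at"] for ev in rec["signatures"]],
        "intact": verify(rec),
        "altered_content": verify(altered_content),
        "backdated": verify(backdated),
        "dropped_signature": verify(dropped),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script prints the two distinct signing dates preserved in the record, an empty problem list for the intact record, and a specific finding for each tampering attempt. With an envelope-only approach the document seal would exist only after the last signer, Alice’s event would carry no seal of its own, and the backdated and dropped-signature cases could not be detected from the record alone.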

Audit trail of the signature process

When regulated companies undergo a compliance audit, they are often asked to prove the exact business process they followed. As part of this, auditors also look for a record of which key documents were touched, when and by whom.

We recommend capturing a comprehensive audit trail of the signing process, as it allows you to demonstrate exactly how a customer completed a transaction on the web or on a mobile device. Most electronic signature solutions on the market fall short when it comes to demonstrating compliance because they cannot capture a complete record of the signer’s actions.

What to look for:

A solution that captures information about the process used to collect the signatures, including:

  • IP address.
  • Date and time stamp of all events.
  • All web pages, documents, disclosures and other information presented.
  • The amount of time spent reviewing each document.
  • What each party acknowledged, agreed and signed.
  • All other actions taken during the transaction.

As part of this, check whether you can search for, find and replay the audit trail of a specific transaction for auditors or other business stakeholders in just a few clicks.

Cloud security

In addition to the criteria listed above, look at the protocols the electronic signature provider has in place to identify and prevent data breaches. It is important to know the provider’s security practices, certifications, record keeping and the frequency of its security audits. Failing to pay close attention to a provider’s security infrastructure and practices could expose you to security breaches, data loss or data leakage incidents, or other risks such as insufficient cloud security expertise.

What to look for:

  • Verify that the e-signature platform uses strong encryption for data in transit and at rest, and stores data on encrypted database volumes, so that all communications travel over an encrypted channel and stored data is protected.
  • A provider that partners with cloud infrastructure providers around the world, such as Amazon Web Services, IBM SoftLayer or Microsoft Azure. These cloud providers are designed and managed in accordance with security best practices and comply with a variety of regulatory, industry and IT standards for data security and protection, including ISO 27001, SOC 1/2/3, HIPAA, FIPS 140-2, FISMA and many more.
  • In addition to leveraging cloud service providers that follow compliance programs and frameworks for security and data protection at the data-center level, partner with a vendor that meets additional security control and compliance requirements at the application layer. This ensures that the electronic signature solution itself is secure and that customer data is protected.
  • Global data centers to meet in-country data residency requirements.

For more information about our certifications and guarantees, please visit the Trust Center of OneSpan, the electronic signature provider that MailTecK & Customer Comms works with, or download the technical document that will help you identify the security requirements for evaluating e-signature solutions.

What is the definitive list for electronic signature security verification?

  1. User authentication
  2. Integrated audit trail
  3. Document and signature security
  4. Audit trail of the signature process
  5. Cloud security


Content extracted from OneSpan