Implementing Electronic Signature Solutions 11/10/2015

Similar documents
Electronic Signature Policy

Development Authority of the North Country Governance Policies

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration

5. The technology risk evaluation need only be updated when significant changes or upgrades to systems are implemented.

User Authentication Best Practices for E-Signatures Wednesday February 25, 2015

REALTORS LEGAL ALERT

Red Flags/Identity Theft Prevention Policy: Purpose

Signer Authentication

ACCEPTANCE OF ELECTRONIC MAINTENANCE RECORDS

Customer Due Diligence, Using New Technology in the Customer for CDue Diligence Purposes Process

Leveraging the LincPass in USDA

MySign Electronic Signature

21 CFR PART 11 FREQUENTLY ASKED QUESTIONS (FAQS)

21 CFR Part 11 LIMS Requirements Electronic signatures and records

Publications. ACH Audit Requirements. A new approach to payments advising SM. Sound Practices Checklists

OpenLAB ELN Supporting 21 CFR Part 11 Compliance

ECA Trusted Agent Handbook

Red Flag Policy and Identity Theft Prevention Program

Adobe Sign and 21 CFR Part 11

NDSU Lunchbytes. "Are They Really Who They Say They Are?" Digital or Electronic Signature Information. Rick Johnson, Theresa Semmens, Lorna Olsen

Security Using Digital Signatures & Encryption

Adopting the Electronic Credit Application

Prevention of Identity Theft in Student Financial Transactions AP 5800

Virginia Commonwealth University School of Medicine Information Security Standard

Sparta Systems Stratas Solution

WHITE PAPER AGILOFT COMPLIANCE WITH CFR 21 PART 11

The Impact of 21 CFR Part 11 on Product Development

( Utility Name ) Identity Theft Prevention Program

Standard CIP 005 2a Cyber Security Electronic Security Perimeter(s)

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Xerox FreeFlow Print Server. Security White Paper. Secure solutions. for you and your customers

Standard CIP Cyber Security Electronic Security Perimeter(s)

Exhibitor Software and 21 CFR Part 11

Pharma IT ELECTRONIC RECORDS

ISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No.

AlphaTrust PRONTO - Transaction Processing Overview

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

E-CONSTRUCTION AN UPDATE ON STATE CONSTRUCTION OFFICE E-CONSTRUCTION SYSTEMS

COMPLIANCE. associates VALIDATOR WHITE PAPER. Addressing 21 cfr Part 11

Agilent ICP-MS ChemStation Complying with 21 CFR Part 11. Application Note. Overview

White Paper Assessment of Veriteq viewlinc Environmental Monitoring System Compliance to 21 CFR Part 11Requirements

Integration of Agilent UV-Visible ChemStation with OpenLAB ECM

Electronic Signature Systems

DIGITAL SIGNATURES WHAT WHY HOW? Ashley Anderson, PE State Construction Office

Standard CIP 004 3a Cyber Security Personnel and Training

City of New Haven Water, Sewer and Natural Gas Utilities Identity Theft Prevention Program

Part 11 Compliance SOP

Standard CIP 005 4a Cyber Security Electronic Security Perimeter(s)

CIP Cyber Security Systems Security Management

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Standard Development Timeline

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

CIP Cyber Security Electronic Security Perimeter(s)

IDENTITY THEFT PREVENTION Policy Statement

BCDC 2E, 2012 (On-line Bidding Document for Stipulated Price Bidding)

ELECTRONIC RECORDING MEMORANDUM OF UNDERSTANDING

Change Healthcare CLAIMS Provider Information Form *This form is to ensure accuracy in updating the appropriate account

You are signing up to use the Middlesex Savings Bank Person to Person Service powered by Acculynk that allows you to send funds to another person.

Add or remove a digital signature in Office files

Security Policies and Procedures Principles and Practices

Schools and Libraries (E-rate) Program FCC Form 473 User Guide

UDRP Pilot Project. 1. Simplified way of sending signed hardcopies of Complaints and/or Responses to the Provider (Par. 3(b), Par. 5(b) of the Rules)

CONNECT TRANSIT CARD Pilot Program - Privacy Policy Effective Date: April 18, 2014

CIP Cyber Security Security Management Controls. Standard Development Timeline

FDA 21 CFR Part 11 Compliance by Metrohm Raman

ELECTRONIC IMAGE AND TEXT DATA TRANSFER USING FILE TRANSFER PROTOCOL MEMORANDUM OF UNDERSTANDING

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

[Utility Name] Identity Theft Prevention Program

Margret Amatayakul, MBA, RHIA, CHPS, CPHIT, CPEHR, FHIMSS. Margret\A Consulting, LLC

Identity Theft Prevention Program. Effective beginning August 1, 2009

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

1. Post for 45-day comment period and pre-ballot review. 7/26/ Conduct initial ballot. 8/30/2010

Consideration of Issues and Directives Federal Energy Regulatory Commission Order No. 791 June 2, 2014

AIM Enterprise Platform Software IBM z/transaction Processing Facility Enterprise Edition 1.1.0

Integration of Agilent OpenLAB CDS EZChrom Edition with OpenLAB ECM Compliance with 21 CFR Part 11

REGULATION ASPECTS 21 CFR PART11. 57, av. Général de Croutte TOULOUSE (FRANCE) (0) Fax +33 (0)

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Assessment of Vaisala Veriteq viewlinc Continuous Monitoring System Compliance to 21 CFR Part 11 Requirements

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

21 CFR PART 11 COMPLIANCE

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Virginia Commonwealth University School of Medicine Information Security Standard

Privacy Policy. How we handle your information you provide to us. Updated: 14 March 2016

MEDICARE Texas (TRAILBLAZERS) PRE-ENROLLMENT INSTRUCTIONS 00900

CERTIFICATE POLICY CIGNA PKI Certificates

ORA HIPAA Security. All Affiliate Research Policy Subject: HIPAA Security File Under: For Researchers

Eagles Charitable Foundation Privacy Policy

TEXAS MEDICARE (TRAILBLAZERS) CHANGE FORM MR085

Access to University Data Policy

Keep the Door Open for Users and Closed to Hackers

Office Properties Income Trust Privacy Notice Last Updated: February 1, 2019

WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7. Appropriate Methods of Communicating Protected Health Information

ELECTRONIC RECORDING MEMORANDUM OF UNDERSTANDING

EDI ENROLLMENT AGREEMENT INSTRUCTIONS

Standard CIP-006-3c Cyber Security Physical Security

SERVICE DESCRIPTION. Population Register Centre s online services

CompTIA Security+ (Exam SY0-401) Course 01 Security Fundamentals

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

Transcription:

Implementing Electronic Signature Solutions 11/10/2015

Agenda Methodology, Framework & Approach: High-Level Overarching Parameters Regarding Electronic Service Delivery Business Analysis & Risk Assessment Are Required Identifying Signature Type What Is An Electronic Signature Solution? Ensure Clarity & Capture Of Signer s Intent Electronic Signature Solutions Methodology, Framework & Approach: Detailed o Inventory Existing Wet Signatures o Analyze Existing Wet Signatures o Eliminate Any Unneeded Existing Wet Signatures o Determine Whether, Where, And How To Replace Remaining, Required Wet Signatures With Electronic Signature Solutions o Optimize Workflow For Any Remaining Wet Signatures 2

3 Methodology, Framework & Approach High-Level 1. Inventory existing wet signatures (+ initials and notarizations) required on forms / applications. 2. Analyze existing wet signatures (+ initials and notarizations). 3. Eliminate any unneeded existing wet signatures (+ initials and notarizations) without adding risk. 4. Determine whether, where, and how to replace remaining, required wet signatures (+ initials) with electronic solutions. 5. Optimize workflow in the case where an existing wet signature (+ initials and notarizations) can t be transformed into an electronic solution, for whatever reason(s).

4 Overarching Parameters Regarding The Development & Introduction Of Electronic Service Delivery According to ESRA (Electronic Signatures and Records Act), government entities must: Ensure that citizens can access records as permitted by law and receive copies of them in paper form. Accept hard copy documents for submission or filing, unless otherwise required by law. Not require someone to submit or file records electronically, unless otherwise provided by law.

5 Business Analysis & Risk Assessment Are Required It is extremely important to bear in mind that governmental entities must conduct and document a business analysis and risk assessment when electing to use or accept an electronic signature solution. Business analysis and risk assessment is defined by ESRA regulation as: identifying and evaluating various factors relevant to the selection of an electronic signature for use or acceptance in an electronic transaction. Such factors include, but are not limited to, relationships between parties to an electronic transaction, value of the transaction, risk of intrusion, risk of repudiation of an electronic signature, risk of fraud, functionality and convenience, business necessity and the cost of employing a particular electronic signature process.

6 Business Analysis & Risk Assessment Are Required Is there a business need for a wet signature? Signatures are often used on paper documents for authentication, security, or other purposes even if they are not legally mandated. For instance, it may be necessary or desirable to document through the use of a signature that a party to a transaction attested to the accuracy of the information provided, agreed to certain conditions, and / or read and understood related documents. In some cases, system security, audit, and program management issues may require an electronic signature. Higher risk transactions may also need the level of protection against fraud or repudiation provided by certain types of electronic signature solutions.

7 Business Analysis & Risk Assessment Are Required Is there a legal requirement for a wet signature? The law (statutes or regulations) can require that an application, form, document, etc. capture a signature. The Statute of Frauds requires certain contracts and other documents to be in writing and others to be in writing and signed to be enforceable. Specific federal, state, and local government laws and regulations require signatures for certain transactions.

8 Identifying Signature Type A signature can serve the following business and legal purposes: Demonstrate intent: A signature identifies the signer and signifies that the signer understands and intends to carry out whatever was stipulated in the document that is signed. Authentication and approval: A signature authenticates a document by linking the signer with the signed document. A signature may also express the signer s approval or authorization of the signed document and what it contains, and his or her intent that it has legal effect. The signature provides evidence that the signer really did something and actually saw and approved a particular document at the time of signing.

9 Identifying Signature Type A signature can serve the following business and legal purposes: Security: A signature is often used to protect against fraud, impersonation, or intrusion. For instance, to a limited degree the signature on a check is a form of security because drafting an unauthorized check often requires forging a signature. Ceremony: The act of signing warns or puts the signer on notice that he or she may be making a legally binding commitment. A signature should force the person to deliberate over the document and become aware of its significance before making it final.

10 What Is An Electronic Signature? What is an electronic signature? ESRA, at 302 (3), defines an electronic signature as: an electronic sound, symbol, or process, attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign the record. This definition affords the parties to an electronic transaction the greatest possible flexibility in selecting an appropriate electronic signature solution.

11 What Is An Electronic Signature? ESRA also sets some parameters on what constitutes an electronic signature: An electronic sound, symbol, or process... ESRA provides that a very wide range of digital objects may serve as an electronic signature. These objects can be as simple as a set of keyboarded characters or as sophisticated as an encrypted hash of a document s contents. ESRA also allows a process to serve as an electronic signature. A process can create an electronic signature when a system used to create a signed electronic record associates the recorded events of accessing an application with the content to be signed, thereby creating a virtual record of the signer s actions and intent. Often such signing processes also utilize a password, PIN, or other digital object for authenticating the signer.

12 What Is An Electronic Signature? Attached to or logically associated with... A wet, inked signature becomes part of the physical paper document and remains with it during transit and after it is filed. Under ESRA, an electronic signature is considered to be attached to or logically associated with an electronic record if the electronic signature is linked to the record during transmission and storage; a digital signature can be a discrete digital object that is part of the document in the same manner as an ink signature or it can be an object associated with the document through an embedded link, or maintained separately but logically associated with the record through a database, index, or other means. Under ESRA the attachment or logical association between the signed record and signature must be created at the point a record is signed, maintained during any transmission of the signed record, and retained as long as the signed record is needed and retained.

13 What Is An Electronic Signature? Executed or adopted by a person with intent to sign the record. A signature identifies the signer and signifies that he or she understood and intends to carry out whatever was stipulated in the signed document, warning the signer that he or she may be making a legally binding commitment. ESRA requires that an electronic signature be accompanied by the same intent as the use of a signature affixed by hand. ESRA does not require any specific level or method of signer identification or authentication. Therefore, governmental entities are free to select an identification and authentication method that meets their needs. The selection of an appropriate approach to identify and authenticate signers is one of the considerations in selecting an electronic signature solution.

14 Ensure Clarity & Capture Of Signer s Intent A signer s intent can be captured in a number of ways. A number of simple practices can help avoid confusion regarding a signer s intent: Afford the signer an opportunity to review the document, prior to signing. Make it impossible for an electronic signature to be applied to a document without the signer having been informed that a signature is being applied. Format an electronically signed record to contain the same accepted signature elements captured in a paper record (in the same general position). Allow the signer s intent to be expressed as part of the record or in a certification statement submitted with and linked to the signed record. Require the signer to act affirmatively to indicate assent to the document being signed. For example, deploy an "Accept" or Reject button. Record the date, time, and fact that the signer indicated his or her intent and retain this information for evidentiary purposes.

15 Ensure Clarity & Capture Of Signer s Intent Below is an example of a generic signature attestation / affirmation statement: I agree, and it is my intent, to sign this document by (describe the electronic signature solution used) and by electronically submitting this document to (name of recipient individual or entity). I understand that my signing and submitting this document in this fashion is the legal equivalent of having placed my handwritten signature on the submitted document and this affirmation. I understand and agree that by electronically signing and submitting this document in this fashion I am affirming to the truth of the information contained therein.

16 Electronic Signature Solutions Electronic signature solutions: Click through or click wrap Personal Identification Number (PIN) or password Digitized signature / signature dynamics Biometrics Shared private key (symmetric) cryptography Public / private key (asymmetric) cryptography Microchip devices Hybrid approaches (combining two or more of the above solutions)

17 Electronic Signature Solutions A range of solutions exist to enable electronic signing, most methods of creating an electronic signature involve one or more technologies, credentials or digital objects, and processes;. Different solutions provide varying levels of security, authentication, record integrity and protection against repudiation. The solutions on the previous slide are roughly organized from the lowest to the highest level of security, authentication, record integrity and non-repudiation Each solution can be implemented in various ways and can be combined with techniques from other solutions to increase the strength of desired attributes. The ultimate selection of an electronic signature solution or combination of solutions for use in a governmental transaction will involve the weighing of various factors, including public policy and legal concerns that might relate to the use of certain technologies or processes.

18 1. Inventory existing wet signatures required on forms / applications. Create a table to keep track of existing wet signatures (+ initials and notarizations) - keep focused on making the inventory complete and exhaustive rather than on coming up with solutions at this point! Name of form? Page of form? Where on form? Last revised? Inventory Existing Wet Signatures Part of what program? Is it signature only or signature and date? Initial notation only or signature? Is there a notarization requirement?

Inventory Existing Wet Signatures 19

20 Analyze Existing Wet Signatures 2. Analyze existing wet signatures (+ initials and notarizations). Determine actual business need / purpose of each existing wet signature (signature type). Determine current risk mitigation (if any) that each existing wet signature provides. Determine any legal basis for requiring existing wet signatures (or notarization). Is a signature legally required? Is there a law (local, state, federal) that requires a signature? If a signature is legally required, does the law specify that the signature needs to be a wet, ink signature on paper?

Analyze Existing Wet Signatures 21

22 Eliminate Any Unneeded Existing Wet Signatures 3. Eliminate any unneeded existing wet signatures (+ initials and notarizations) without adding risk. Where there is no business need and / or the wet signature is a hold-over artifact from when the form or program was first designed / last revised. Where the risk is nonexistent or acceptably low or where the signature had / has no connection to risk mitigation, i.e. good intentions (including a wet signature or a notarization requirement on a form thinking it is more official or secure - but there being no benefit / risk mitigation gotten from the wet signature or the notarization requirement). Where there exist no legal requirements for the existing signature and therefore by definition no legal requirements for the existing wet signature.

Determine Whether, Where, And How To Replace Remaining, Required Wet Signatures With Electronic Signature Solutions 23 4. Determine whether, where, and how to replace remaining, required wet signatures (+ initials) with electronic signature solutions. Categorize remaining, required wet signatures according to signature type. Perform thorough business / legal / risk / regulatory analyses of remaining, required wet signatures using electronic workflow / storage / security lenses. Determine best electronic signature solution(s) (if any) for remaining, required wet signatures.

Determine Whether, Where, And How To Replace Remaining, Required Wet Signatures With Electronic Signature Solutions 24

25 Optimize Workflow For Any Remaining Wet Signatures 5. Optimize workflow in the case where an existing wet signature (+ initials and notarizations) can t be transformed into an electronic signature solution, for whatever reason(s). - Combine the collecting of wet signature(s) (+ initials and notarizations) with other in-person steps that must be retained (like fingerprinting) so that all nonelectronic parts of the workflow are handled at the same time reducing the number of manual steps. - Allow wet signature(s) (+ initials and notarizations) to be collected through a mail-in step, rather than an in-person step.

26 Lessons Learned Review and analyze one signature at a time Include Program, Contracts, Legal and Information Technology in review process. Develop a set of off-the shelf technology solutions that can be used in combination as appropriate. Create a library of approved analysis / signatures

27 Useful Reference Materials Useful reference materials: Electronic Signature and Record Act (ESRA) Guidelines Executive Summary: Electronic Signature and Record Act (ESRA) Guidelines: http://www.its.ny.gov/document/revised-electronic-signatures-and-records-act-esraguidelines http://www.its.ny.gov/document/revised-electronic-signatures-and-records-act-esraguidelines

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback