The Ultimate E-Signature Security Checklist
No organization wants security scars. That’s why IT and Information Security departments generally conduct extensive due diligence on their cloud hosting and software providers to protect against data breaches, data loss, malware, viruses, phishing, and other security threats. To help defend your organization, we’ve compiled an e-signature security checklist specifically for evaluating e-signature services. This checklist takes a holistic approach to security. We recommend not only looking at the security of the service, but also how signers are authenticated, the vendor’s approach to document and signature security, and the audit trail associated with the digital transaction.
E-Signature laws don’t say much when it comes to security techniques and technology, but the legal definition of an electronic signature always includes language around signer identity. This means you need to:
- Authenticate users prior to e-signing
- Tie that authentication to the e-signature and the e-signed record
What to look for:
1. A solution that supports multiple authentication methods, such as:
- Remote user authentication through user ID / password
- Email address verification through e-sign session invitation
- Remote user authentication through secret Q&A (a.k.a. challenge-response)
- Ability to leverage existing credentials
- Dynamic KBA through third-party databases (e.g. Equifax)
- Support for digital certificates
- Ability to upload images as part of an e-sign transaction, e.g. photo of a driver’s license
2. The ability to configure different authentication methods within the same transaction;
3. Flexibility to adapt the authentication methods to the risk profile of your organization and to automate each process (e.g., customize the challenge-response questions and the number of questions based on your requirements);
4. Flexible options for in-person signature attribution, including hand-off affidavits and SMS password (PIN) sent to a personal mobile device (verify whether user authentication via SMS is included free of charge).
After evaluating user authentication capabilities, the next step will be to verify that the e-signature service captures the authentication as part of the document audit trail and embeds the audit trail into the e-signed document.
Embedded Audit Trail
E-Signed documents that can be verified and archived independently of the e-signature vendor provide an additional layer of security. Whether or not you maintain an account with the e-signature service in the future, your documents are not affected since you, your customers, and other stakeholders do not have to go online to access or verify the e-signed document.
The only way to achieve vendor independence is to have a solution that embeds the electronic signatures, time stamping, and audit trail directly in the document. This creates a self-contained, portable record.
What to look for:
- Ability to verify document authenticity independently of the e-signature service. Meaning, you do not need to worry if a verification link back to a server will be valid years from now or if it will give you a "page not found" 404 error message.
- Ability to index, store, and retrieve the e-signed document in the system of record of your choice, not in the service provider's cloud storage. This helps you to comply with your organization's long-term retention requirements.
Document and Signature Security
Look for an e-signature solution that packages and secures the final e-signed document using a digital signature. The e-signature solution should apply the digital signature at two levels:
- At the signature level to prevent tampering with the signature itself.
- At the document level to prevent tampering with the document’s contents.
Digital signature security ties together signing intent with the information that was agreed to at the time of signing. It also locks down and tamper proofs the e-signed document, so unauthorized changes can’t slip by unnoticed.
While vendors like DocuSign apply a digital signature as an envelope to a document (once all signatures have been captured), this is not a recommended practice. This approach leaves the document and signatures unprotected while the process is being completed and results in the wrong date and time stamp being placed on individual signatures. If a signer and a co-signer e-sign a record on two separate days, you want that history reflected in the audit trail. The best practice is to apply digital signature encryption as each e-signature is added to the document. This builds a comprehensive audit trail with the date and time that each signature was applied.
What to look for:
- The document must be secured with a digital signature
- Each signature must be secured with a digital signature
- A comprehensive audit trail should include the date and time of each signature
- The audit trail must be securely embedded in the document
- The audit trail must be linked to each signature
- Ability to verify the validity of the signed record offline, without going to a website
- One-click signature and document verification
- Ability to download a verifiable copy of the signed record with the audit trail
- The document must be accessible to all parties
Audit Trail of the Signing Process
When regulated companies undergo a compliance audit, they are often asked to prove the exact business process they followed. As part of this, auditors also look for a record of every time key documents were touched, when, and by whom.
We recommend capturing a comprehensive audit trail of the signing process, because it enables you to demonstrate exactly how a customer completed a transaction on the web or through a mobile device. Most e-signature solutions in the market fall short when proving compliance, because they don’t have the ability to capture a full record of the signer’s actions.
What to look for:
A solution that captures information about the process used to capture signatures, including:
- IP address
- Date and time stamp of all events
- All web pages, documents, disclosures, and other information presented
- The length of time spent reviewing each document
- What each party acknowledged, agreed to, and signed
- All other actions taken during the transaction
As part of this, verify whether you have the ability to search, find, and playback a specific transaction’s process audit trail for auditors or other business stakeholders in just a few clicks.
In addition to the criteria listed above, look at the protocols an e-signature vendor has in place to identify and prevent data breaches. It’s important to understand the vendor’s security practices, certifications, track record, and the frequency of their security audits. Performing due diligence around a vendor’s security practices and infrastructure could expose past privacy breaches, incidents of data loss/leakage, or other risks such as insufficient cloud security expertise.
What to look for:
- Verify that the e-signature platform utilizes strong data encryption in transit and at rest and stores data within an encrypted database volume to ensure an encrypted channel for all communications
- A vendor that partners with world-class cloud infrastructure service providers such as Amazon Web Services, IBM SoftLayer, or Microsoft Azure. These providers are designed and managed according to security best practices and comply with a variety of regulatory, industry, and IT standards for security and data protection, including: ISO 27001, SOC 1/2/3, HIPAA, FIPS 140-2, FISMA, and much more.
- In addition to leveraging cloud service providers that follow compliance programs and frameworks for security and data protection at the data center level, partner with a vendor that meets additional security control and compliance requirements at the application layer. This ensures that the e-signature solution is secure and customer data is protected.
- Global data centers to satisfy in-country data residency requirements
- User Authentication
- Embedded Audit Trail
- Document and Signature Security
- Audit Trail of the Signing Process
- Cloud Security
 Gartner, Inc., SOC Attestation Might Be Assurance of Security … or It Might Not