9.8.8 Electronic Signature Procedures

I. Background

To increase the efficiency of University operations that require authorization and/or signature, the University may require the use of electronic signatures to conduct certain transactions that previously required handwritten signatures and approvals on paper documents.

State and Federal Regulations eliminate legal barriers to using technology to create and sign contracts and other records, collect and store electronic records, and conduct everyday transactions electronically.

When using electronic signatures, Stewards and IT professionals need to be aware that signatures and the associated data to validate the signature are an integral part of a record. The signature and all necessary verification records need to be maintained for the full records life cycle. The records life cycle is the life span of the record from its creation or receipt to its final disposition. It is usually described in three stages: creation, maintenance and use, and final disposition. Final disposition can mean permanent deletion or destruction. Therefore, the electronic signature must remain accessible for the full retention period of the record to which it is associated.

For the purposes of this procedure, a signature is defined in the same manner as in the State of Illinois Electronic Commerce Security Act (5 ILCS 175/5-105) as any symbol executed or adopted, or any security procedure employed or adopted, using electronic means or otherwise, by or on behalf of a person with intent to authenticate a record. An electronic signature is defined as a signature in electronic form attached to or logically associated with an electronic record.

II. Purpose and Scope

This procedure identifies Illinois State University's requirements for the use of electronic signatures (hereafter "e-signatures"), electronic transactions (hereafter "e-transactions"), and electronic records (hereafter "e-records") in conducting the University's business, teaching, research, and service operations. This procedure requires that members of the University community do business electronically and use e-signatures to conduct University transactions that previously required handwritten signatures and approvals on paper documents. This procedure establishes the process for designating transactions requiring e-signatures and how the University accepts and verifies e-signatures. This procedure augments, and does not replace, University Information Security policies and procedures, that apply to all University services.

This procedure covers University operations that use e-signatures, e-transactions, or e-records.

To the fullest extent permitted by law, the University accepts e-signatures as legally binding and equivalent to handwritten signatures to signify an agreement.

III. Risk Assessment and Selecting an Implementation Method

Regardless of the method for implementing e-signatures, each method should support the following functions:

• Confidentiality – protects content from unauthorized access, so that only the intended audience can view it
• Authenticity – Assures that the document truly comes from the signer
• Integrity – detects unintentional or malicious alteration Maintenance – maintains confidentiality, authenticity, and integrity of the record from origination through the entire business process
• Accessibility – allows access to the document across all platforms

E-signatures may be implemented using various methodologies depending upon the risks associated with the transaction. Items to examine The following will be evaluated to identify risks associated with the proposed e-signature method:

• Inconvenience, distress, or damage to the standing or reputation of the University
• Financial loss or liability of the University
• Harm to University programs or public interests
• Unauthorized release of sensitive information
• Civil or criminal violations
• Bodily or financial harm to individuals

The quality and security of the e-signature method should be commensurate with the risk and need to assure of the authenticity of the signer. These can be classified into one of the following three risk (impact and probability) categories:

• Low – at worst, limited, short-term inconvenience, distress, or embarrassment to any party
• Moderate – at worst, serious short term or limited long-term inconvenience, distress, or damage to the standing or reputation of any party
• High – severe or serious long-term inconvenience, distress, or damage to the standing or reputation of any party (ordinarily reserved for situations with particularly sever effects or that may affect many individuals)

Each data steward is responsible for selecting the appropriate e-signature Implementation Method outlined below based upon an assessment of the risk to the institution. The data steward will then work with the appropriate data custodian to select and implement the appropriate e-signature method.

IV. E-Signature Implementation Methods

The following three methods are recommended for e-signatures for University documents.

Level 1: The first level of implementation does not require that the signer's identity be authenticated through a University system. The signer's identity should be authenticated using physical documents such as a government issued identification document. On the electronic document the signer will indicate agreement with the document by clicking on a check box. This method should be used for low-risk and impact transactions, especially those that involve individuals that have an external relationship with the University.

Level 2: The second level of implementation requires the validation of the signer's identity through single factor authentication against a University system. This level of authentication includes the use of a ULID/password challenge and response. This implementation method should be used with individuals possessing an internal relationship with the University.

Level 3: The third level of implementation requires the validation of the signer's identity through multi-step or multi-factor authentication against a University system depending upon risk. This level of authentication includes the use of a ULID/password challenge and response, along with another step sufficient to uniquely identify the signer – such as, a PIN or cryptographic certificate. This implementation method should be used with individuals possessing an internal relationship with the University and where the risk or impact of the transaction to the institution is high.

Level 4: Multi-factor including the use of two categories of authentication such as password plus token, password plus biometric, password plus cryptographic certificate

V. Responsibilities

The Data Steward, in consultation with the Chief Technology Officer, is responsible for identifying the appropriate risk level and selecting the appropriate implementation methods for enterprise-level transactions. For non-enterprise transactions, the unit will, in consultation with the appropriate data custodian and the Information Security Officer, determine the appropriate implementation method.

The data custodian will be responsible for ensuring that the implementation method complies with University security procedures, including password, transmission, access control, and auditing requirements.

VI. Developing and Implementing an E-Signature Process

When designing an e-signature process, all applicable laws, rules, regulations, and University policies and procedures must be followed. The e-signature implementation process will be monitored by the AT Information Security Officer. In addition, the transaction should meet the following principles:

• Signer must perform a secondary action, such as clicking "I agree" or provide an e-signature through a mouse or some other input device
• Signer must input full name below e-signature
• The time and date of the e-signature must be captured, stored, and available for retrieval
• The contents of the document, the "I agree" check box, typed full name, time, and date of the transaction must be bound to the electronic record in perpetuity
• The stored document must indicate that it was electronically signed
• After signing, the document must be transmitted to all parties in a format acceptable to the applicable University system (e.g., a document management system or database)
• The document must be available for retrieval by appropriate University staff

VII. Compliance

An individual that uses e-signatures, e-transactions, or e-records for University operations in violation of this procedure or any other University policies, procedures or applicable state and federal laws may be subject to appropriate sanctions including but not limited to disciplinary actions up to and including termination. Any adopted divisional/departmental rules and regulations may not reduce full compliance with applicable state and federal laws or the policies and procedures of the University.

Last Review: July 2013