Digital Signature Acceptance Policy

1.0 Purpose

As electronic communication and documentation become standard practice, digital signatures provide a mechanism for verifying the identity of a sender or signatory and ensuring message/document integrity. The purpose of this policy is to ~~provide guidance on~~define when digital signatures are considered ~~accepted~~an ~~means~~acceptable ofand ~~validating~~trusted ~~the~~substitute ~~identity~~for oftraditional ahandwritten ~~signer~~("wet") insignatures ~~<Company~~for ~~Name>~~internal ~~electronic~~organizational documents and correspondence, ~~and~~thereby ~~thus a substitute for traditional “wet” signatures, within the organization.~~ ~~Because communication has become primarily electronic, the goal is to reduce~~reducing confusion ~~about~~and ~~when~~standardizing ~~a digital signature is trusted.~~practice.

2.0 Scope

This policy applies to all ~~<Company Name> employees and affiliates.~~

~~This policy applies to all <Company Name>~~ employees, contractors, consultants, and other agents conducting ~~<Company Name>~~ business ~~with~~on abehalf ~~<Company~~of ~~Name>-provided~~the organization using organization-issued digital identities (key ~~pair.~~pairs). This policy ~~applies~~specifically ~~only~~governs tothe use and acceptance of digital signatures on *intra-~~organization digitally signed~~organizational* documents and correspondence (i.e., communications and documents shared solely within the organization). It does not tocover electronic materials sent to or received from ~~non-<Company~~external ~~Name>~~parties ~~affiliated~~unless ~~persons~~explicitly stated otherwise in separate agreements or ~~organizations.~~policies.

3.0 Policy Statements

3.1 Acceptance of Digital Signatures

* A digital signature applied using the organization's approved infrastructure and tools is considered an acceptable substitute for a wet signature on any intra-~~organization~~organizational document or correspondence, ~~with~~**except** for specific document types explicitly excluded by the ~~exception~~organization.
* ofAn ~~those noted on the site of the Chief Financial Officer (CFO) on the organization’s intranet:~~ ~~<CFO’s Office URL>~~

~~The CFO’s office will maintain an organization-wide~~official list of ~~the~~document types ofrequiring ~~documents~~traditional ~~and~~wet ~~correspondence~~signatures ~~that are~~ (not covered by this ~~policy.~~policy) will be maintained by the designated financial or administrative authority (e.g., the Chief Financial Officer's office) and made available through designated internal resources (e.g., the organization's intranet).

3.2 Signature Validity

* Digital signatures must ~~apply~~be toassociated ~~individuals~~with ~~only.~~an individual user's identity. Digital signatures ~~for~~purporting ~~roles,~~to ~~positions,~~represent a role, position, or ~~titles~~title (e.g., ~~the~~"Finance ~~CFO)~~Department," "Project Manager") without being tied to a specific individual's key pair are not considered ~~valid.~~valid under this policy for authentication purposes.

3.3 Responsibilities

~~Responsibilities~~

The

~~Digital~~effective ~~signature~~use and acceptance ~~requires~~of digital signatures rely on specific ~~action~~actions onby both the ~~part of the employee signing the document or correspondence~~signatory (~~hereafter the~~ signer), and the ~~employee~~relying ~~receiving/reading the document or correspondence~~party (~~hereafter the~~ recipient).

**Signer ~~Responsibilities~~

Responsibilities:**

* Signers must obtain aan official digital signing key pair ~~from~~issued ~~<Company~~through ~~Name~~the ~~identity~~organization's ~~management~~designated Identity Management group>. or process.
* This key pair ~~will~~must be generated ~~using~~and ~~<Company~~managed ~~Name>’~~within the organization's approved Public Key Infrastructure (PKI), ~~and~~with the public key ~~will be signed~~certified by the ~~<Company~~organization's ~~Name>’s~~designated Certificate Authority (CA),.
~~<CA~~ ~~Name>.~~

Signers must ~~sign~~use ~~documents~~only organization-approved software and ~~correspondence~~tools ~~using~~for ~~software~~applying ~~approved~~digital bysignatures.
~~<Company~~ ~~Name>~~* ~~IT organization.~~

Signers ~~must~~have a critical responsibility to protect their private key ~~and~~from ~~keep~~unauthorized itaccess, loss, or disclosure. The private key must remain secret.

* If a signer ~~believes~~suspects ~~that the signer’s~~their private key ~~was~~has ~~stolen~~been orcompromised ~~otherwise~~(e.g., ~~compromised,~~stolen, lost, accessed by an unauthorized person), they must *immediately* report the ~~signer~~compromise ~~must~~to ~~contact~~the ~~<Company Name>~~designated Identity Management ~~Group immediately~~group to ~~have the signer’s digital~~initiate key ~~pair~~revocation.
* ~~revoked.~~

**Recipient ~~Responsibilities~~

Responsibilities:**

* Recipients must ~~read~~use organization-approved software and tools to view digitally signed documents ~~and~~or correspondence ~~using~~and ~~software~~verify ~~approved~~the bysignatures.
~~<Company~~ ~~Name>~~* ~~IT department.~~

Recipients must verify the validity of a digital signature. This includes checking that the ~~signer’~~signature is cryptographically valid and that the signer's public key certificate was ~~signed~~issued by the ~~<Company Name>’~~organization's ~~Certificate~~designated ~~Authority (CA), <~~CA ~~Name>,~~and has not expired or been revoked. Verification is typically performed automatically by ~~viewing~~approved ~~the~~software, but recipients should understand how to check certificate details ~~about~~if ~~the~~needed.
~~signed~~ ~~key~~* ~~using the software they are using to read the document or correspondence.~~

If ~~the signer’s~~a digital signature ~~does~~appears ~~not~~invalid, ~~appear~~expired, ~~valid,~~revoked, or associated with an untrusted CA, the recipient must ~~not~~*not* trust the ~~source~~signature or the authenticity/integrity of the document based solely on that signature. Investigate further or ~~correspondence.~~

request

resubmission.
* If a recipient ~~believes~~suspects ~~that~~misuse or forgery of a digital ~~signature~~signature, ~~has been abused, the recipient~~they must report the ~~recipient’s~~ concern to ~~<Company~~the ~~Name>~~designated Identity Management ~~Group.~~group or Information Security team.

4.0 Compliance

4.1 Compliance Measurement

The designated IT authority (e.g., Precision Computer ~~team~~team, Information Security, Internal Audit) will verify compliance towith this policy through various methods, including ~~but~~audits ~~not~~of ~~limited~~the ~~to,~~PKI ~~business~~infrastructure, ~~tool~~review ~~reports,~~of ~~internal~~approved software lists, investigation of reported incidents, and ~~external~~user ~~audits,~~awareness ~~and feedback to the policy owner.~~ checks.

4.2 Exceptions

Any exception to ~~the~~this policy ~~must~~(e.g., betemporary ~~approved~~use byof alternative methods under specific circumstances) requires formal, documented justification and advance approval from the designated IT authority (e.g., Precision Computer team inor ~~advance.~~Information Security).

An4.3 ~~employee~~Enforcement

~~found~~

Failure to ~~have~~comply ~~violated~~with this ~~policy~~policy, particularly regarding the protection of private keys or reporting compromises, may beresult ~~subject to~~in disciplinary action, up to and including termination of ~~employment.~~employment or contract. Misuse of digital signatures may lead to revocation of signing privileges and other sanctions.

5.0 Definitions

~~Note~~* ~~that~~**Digital ~~these~~Signature:** ~~references~~A ~~were~~cryptographic mechanism used ~~only~~to ~~as guidance in~~verify the ~~creation of this policy template.~~ ~~We highly recommend that you consult with your organization’s legal counsel, since there may be federal, state, or local regulations to which you must comply.~~ ~~Any other PKI-related policies your organization has may also be cited here.~~

~~American Bar Association~~authenticity (~~ABA)~~originator ~~Digital Signature Guidelines http://www.abanet.org/scitech/ec/isc/dsgfree.html~~

~~Minnesota State Agency Digital Signature Implementation~~identity) and ~~Use~~

integrity

~~http://mn.gov/oet/policies-and-standards/business/policy-pages/standard_digital_signature.jsp~~

(unaltered

~~Minnesota Electronic Authentication Act https://www.revisor.leg.state.mn.us/statutes/?id=325K&view=chapter~~ ~~-stat.325K.001~~

~~City of Albuquerque E-Mail Encryption / Digital Signature Policy~~

~~http://mesa.cabq.gov/policy.nsf/WebApprovedX/4D4D4667D0A7953A87256E7B004F6720?OpenDocument~~

~~West Virginia Code §39A-3-2:~~ ~~Acceptance~~content) of electronic ~~signature~~data.
* **Public Key Infrastructure (PKI):** A set of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.
* **Certificate Authority (CA):** An entity trusted to issue, manage, and revoke digital certificates, which bind public keys to specific identities.
* **Key Pair:** In asymmetric cryptography, a pair of linked cryptographic keys: a public key (shared openly) and a private key (kept secret by ~~governmental~~the ~~entities~~owner).
* in**Private ~~satisfaction~~Key:** The secret component of a key pair used to create digital signatures and decrypt messages encrypted with the corresponding public key.
* **Public Key:** The publicly shared component of a key pair used to verify digital signatures created with the corresponding private key and encrypt messages for the private key holder.
* **Wet Signature:** A traditional, handwritten signature ~~requirement.~~on ~~http:~~a physical document.

* Password Policy /~~/law.justia.com/westvirginia/codes/39a/wvc39a-3-2.html~~ Credential Management Policy
* Information Handling Policy
* Acceptable Use Policy
* (Potentially) Key Management Policy