Best Practices for Electronic Document Management and Security - Part Two
Security is always top of mind at DocuSign, just as it is for our customers. In the second part of our three part series we will be sharing best practices on how to protect your electronic documents and the digital information you exchange with others through layered security controls, staying aware of live document links, and protecting the copy of record:
Layer security controls
For private and confidential data, many industries require several layers of security, which increases the difficulty for non-authorized access to your data. Even if one layer is broken, there are plenty more ways to stop “the bad guys.”
What to do:
- Use industry-standard authentication that is hashed and/or encrypted.
- In addition to strong authentication, require an additional measure for sensitive information such as a digital access code that can be sent to the person directly over other forms of communication, such as phone or text.
- Ensure only the sender can specify who can view or sign documents to maintain control over the transaction.
- Only use secure Internet sessions (SSL/HTTPS) that provide privacy with secure authentication. Be sure the URL (universal resource locator) specifies https:// and don’t connect to sites with invalid certificates.
- Be aware of rogue, or “phishing” sites that attempt to impersonate legitimate sites with a slightly different URL for the sole purpose of having you enter your authentication data or obtain other private information.
- Utilize industry-standard anti-virus and anti-malware controls on all computing devices you use to access data. Malicious code can perform actions on computers by capturing and sending out information and negatively impacting the integrity of your data without your ready knowledge.
- Don’t allow remote access to access or manage your Internet-available systems holding data without industry-standard controls, such as two-factor encrypted authentication to validate the remote access.
- Use intrusion detection systems (IDS) that can systematically monitor a network and alert personnel about potential unauthorized access attempts.
- Documents and other stored sensitive information–such as research and development, financial data, and personally identifiable information (PII) requiring industry and regulatory standards (i.e., HIPAA for health information, PCI DSS for credit card information)—need to be protected with specific security controls and behind firewalls configured to further restrict access.
Beware of live document links
Internet technology makes it possible to access documents over the Internet with a URL link. While this provides ease of use to access public documents, these links can also lend themselves towards unintended data exposure if they are used for documents that are private or confidential.
What to do:
- Do not use or forward links to documents without requiring user authentication to access the documents (over a secure session) if documents are private or confidential.
- Ensure that any link you receive and act on is legitimate and comes from a validated source. Rather than act on an unvalidated, forwarded link, confirm the URL and type it into your browser as a safeguard action or further validate the link as legitimate.
- If you are able to access documents that contain private or confidential information by merely selecting the link, inform the sender of the industry-standard practice to require appropriate, secure authentication.
Protect the copy of record
If you rely on the integrity of a singular copy of record, ensure that you have confidence in a reliable version that can be validated so you can answer any challenge to the copy of record.
What to do:
- Utilize a service that provides a computational checksum that validates the integrity of the document after each interaction.
- Route the authenticated and authorized access to the document for data entry and signature in an order that provides visibility to the signing process completion – you’ll obtain efficiencies and conduct business faster and with greater satisfaction from all involved parties.
- Ensure a digital audit trail exists that records who has accessed and transacted with the document. Digital audit trails denote accountable actions with the data.
- Transacting business electronically means people are often able to enter data as part of the signing process. Ensure that your service provides anti-tampering controls so that only where specified, data can be entered and validated by the signing parties.
- Greater assurance results when transacting data with valid integrity and anti-tampering mechanisms designed into the service - DocuSign is designed with these controls essential to our eSignature service.
As information security is ever-important, keeping up-to-date with the latest best practices can reduce risk and give you peace of mind that your data and documents are protected to the highest means possible. Read more about DocuSign’s Security & Trust.