Enjoy real-time and transparent centralised event logging with Docusign

The December 2022 release of the ACSC Information Security Manual (ISM) consolidates the Government's Cyber Security position on centralised event logging. As the leading e-signature and Agreement Cloud company, Docusign uniquely provides our Federal, State and Local Government customers with the capability to meet and maintain security compliance.

By Glenn Powell.

As the Government shifts more of its ICT into Cloud-based services, the ability of Cyber Operations teams to maintain visibility and control across multiple clouds becomes more challenging. Our investment in enabling our Government customers to deliver services securely is best demonstrated through being the first e-signature provider to undergo an IRAP assessment against the ISM in 2019, and the first to complete a Protected assessment in 2021.

The challenge with any ISM assessment is how you interpret the controls. The ISM has ~25 controls related to event logging. With our Government customers using multiple Cloud platforms to deliver services, a centralised Security Information and Event Management (SIEM) platform is required to collect, analyse and act upon activities occurring regardless of the platform being used. The key to meeting the event logging requirements in the ISM is to ensure that activities occurring on the Docusign platform are centrally logged to your SIEM, not just ours.

This is a position where we differ from every other e-signature provider. 

The question every cyber team and every purchaser of a platform like Docusign must ask is “do you log events related to my users, to my SIEM”’. If the answer is no, then move on. If the potential provider doesn't offer the transparency of allowing you to receive a real-time log of events occurring from your users, then how can you adequately provide assurances to your Executive that your data and your workflows are constantly secure?

The only people who can understand what constitutes risky user activity are your cyber operations team, not the cloud provider. As a cloud provider we defend against volumes of cyber attacks every day, that's our job. With over 1.1+ Billion agreements completed in the last year across 1+ Million customers, what constitutes a cyber risk in one customer, represents business as usual in another!

Consider for a moment the following scenario:

  • Administrator logs onto Docusign via Single sign-on
  • Creates a new user account
  • Removes Multi-Factor Authentication from the new user account
  • Adds the new user account to Administrator group
  • Logs on as the new user
  • Downloads 1,000 documents
  • Deletes new user account

Without centralised logging into your SIEM, the only event you would see is the original single sign-on event from Active Directory or Okta etc. And this isn't enough to alert your Cyber Operations team to act. 

Let's look at that same scenario when Docusign is logging events centrally into your SIEM

Administrator logs onto Docusign via Single sign-on ✅ Logged
Creates a new user account    ✅ Logged
Removes MFA from the new user account ✅ Logged
Adds the new user account to Administrator group  ✅ Logged
Logs on as the new user ✅ Logged
Downloads document 1 ✅ Logged
Downloads document 1,000  ✅ Logged
Deletes new user account ✅ Logged

With Docusign logging events to your SIEM, your cyber operations team would have observed the activity, responded, and blocked access, stopping a data breach in its tracks.

Of the ~25 ISM controls related to event logging, there are seven that are directly relevant to using Docusign. They are listed below, including how we help you comply with them.

ISM Control Description How Docusign helps you meet the requirement
ISM-1509 Privileged access events are logged. Administrator logins (success or failure) and administrative activities are centrally logged.
ISM-1650 Privileged account and group management events are logged. Changes to Administrator account settings, group settings, security policy, permission profile, account activation and deactivations are logged. 
ISM-1651 Privileged access event logs are stored centrally. Events from ISM-1509 are centrally logged in your log platform.
ISM-1652 Privileged account and group management event logs are stored centrally. Events from ISM-1650 are centrally logged in your log platform.
ISM-1683 Successful and unsuccessful multi-factor authentication events are logged. All logins (success or failure) are logged whether MFA is implemented or not.
ISM-1684 Multi-factor authentication event logs are stored centrally Enabling or disabling MFA on a user account are centrally logged in your log platform. 
ISM-1714 Unprivileged access event logs are stored centrally. User activities such as sending, signing, transferring, and downloading are centrally logged in your log platform.

At last count, there are 80+ events that Docusign will push to your SIEM. This extensive list of events provides our customers extraordinary insight as to how their users interact with Docusign and provides the best intelligence available to detect any deviation from normal behaviour.

To learn more about how we take an active interest in you securing your data and your workflows please get in touch. Across Australia and New Zealand, over 250 public sector agencies have already discovered how.

Glenn Powell is the Industry Lead in the ANZ Public Sector team at Docusign. He, along with his colleagues, focuses on delivering seamless agreement solutions using the Docusign Agreement Cloud to Federal, State & Local governments across Australia and New Zealand.

Glenn Powell head shot
Glenn Powell
Industry Lead - ANZ Public Sector