Introduction:
Recognizing that organizations are increasingly moving away from wet-ink signed paper documents for sustainability purposes and increased efficiency, it is the policy of the CSU to permit the use of electronic or digital signatures in lieu of handwritten signatures at the discretion of an individual campus, provided they conform to the terms set forth in the CSU Policy on Electronic and Digital Signatures (formerly ICSUAM 8100) and the 8100.S01 Standards and Procedures (in PDF format). Accordingly, based on the risk assessment presented herein, CSU Channel Islands (CSUCI) has received authorization from the Vice President for Business & Financial Affairs (the responsible campus authority per policy) to execute both internal and external business transactions via electronic and/or digital signature where appropriate. This authorization and any subsequent approval shall in no way be construed to allow individuals to execute transactions outside of their delegated authority, nor in a manner inconsistent with CSU policy or any additional guidance provided in this document or subsequent revisions.
Background:
The legal definition of electronic signatures was established in the US Federal Electronic Signatures in Global and National Commerce (ESIGN) Act of 2000. Similarly, the State of California adopted the Uniform Electronic Transactions Act (UETA) in 1999, which also became effective in 2000. In both cases, where parties agree to do business electronically and demonstrate an "intent to sign", the result is as legal and binding as a traditional wet signature.
Types of Signature:
- An electronic signature is an electronic sound (e.g., audio files of a person's voice), symbol (e.g., a graphic representation of a person in a JPEG file), or process (e.g., a procedure that conveys assent), attached to or logically associated with a record, and executed or adopted by a person with the intent to sign the record.
- A digital signature is a specific type of electronic signature that uses cryptographic transformation of data to provide authenticity, message integrity, and non-repudiation. For a digital signature to be valid, it must be created by a technology accepted for use by the State of California and conform to technologies capable of creating digital signatures as set forth in California Government Code Section 16.5:
  - It is unique to the person using it;
  - It is capable of verification;
  - It is under the sole control of the person using it;
  - It is linked to data in such a manner that if the data are changed, the digital signature is invalidated;
  - It conforms to Title 2, Division 7, Chapter 10, of the California Code of Regulations.
Approved Risk Assessment Methodology
Recommended Level of Identity Authentication (OMB 04-04):
- Level 1: Little or no confidence in the asserted identity's validity.
- Level 2: Some confidence in the asserted identity's validity.
- Level 3: High confidence in the asserted identity's validity.
- Level 4: Very high confidence in the asserted identity's validity.
Potential impact categories for authentication errors (OMB 04-04):
- Inconvenience, distress, or damage to standing or reputation
- Financial loss or agency liability
- Harm to agency programs or public interests
- Unauthorized release of sensitive information
- Personal safety
- Civil or criminal violations
Impact Values (FIPS 199):
- Low (L): The loss of confidentiality, integrity and availability could be expected to have a limited adverse effect on organizational operations, organization assets or individuals.
- Moderate (M): The loss of confidentiality, integrity and availability could be expected to have a serious adverse effect on organizational operations, organization assets or individuals.
- High (H): The loss of confidentiality, integrity and availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organization assets or individuals.
Potential Impact of Financial Loss:
- Low (L): at worst, an insignificant or inconsequential unrecoverable financial loss to any party, or at worst, an insignificant or inconsequential agency liability.
- Moderate (M): at worst, a serious unrecoverable financial loss to any party, or a serious agency liability.
- High (H): severe or catastrophic unrecoverable financial loss to any party; or severe or catastrophic agency liability.
Based on the previously described Recommended Level of Identity Authentication; Potential impact categories for authentication errors; Civil or criminal violations Impact Values; and the Potential Impact of Financial Loss, the following table summarizes maximum potential impacts for each assurance level:
Table 1 - Maximum Potential Impacts For Each Assurance Level (columns are the Assurance Level Impact Profiles; a blank cell means the category is not applicable at that level)

| Potential Impact Categories for Authentication Errors | Assurance Level 1 | Assurance Level 2 | Assurance Level 3 | Assurance Level 4 |
|---|---|---|---|---|
| Inconvenience, distress or damage to standing or reputation | L | M | M | H |
| Financial loss or agency liability | L | M | M | H |
| Harm to agency programs or public interests | | L | M | H |
| Unauthorized release of sensitive information | | L | M | H |
| Personal safety | | | L | M-H |
| Civil or criminal violations | | L | M | H |
Risk Assessment per document type requested (each denoted by the highest likely assurance level):
- Bilateral contractual and Legal documents (Level 4): For the vast majority of contracts the University engages in, Level 3 authentication is sufficient. However, at the most sensitive level some transactions may have the potential to be high risk in both impact value and financial loss, and therefore a very high confidence in the asserted identity's validity (Level 4) is a more prudent course of action. Accordingly, as particular situations may dictate, and at the discretion of the Vice President for Business & Financial Affairs, additional identification techniques or methods including, but not limited to, multi-factor authentication (MFA), password verification or submission of a facsimile of a valid state ID may be employed or required in addition to the passive methods described below. More resources describing appropriate information security practices (including MFA and password usage) are available in the CSU Information Security Policy (link provided in the Appendix). CSUCI employees may contact the Information Security team in CSUCI Information Technology Services with any questions about University information security practices.
With the preceding stated, it is our opinion that any contract signed by digital signature [where not prohibited by policy or law] containing an encrypted certificate issued by a State of CA approved certification authority meets or exceeds the level of identity authentication provided for in a Level 4 risk case, based on the following reasons:
- Signing parties' names are verified by each party before signing
- Digital signatures are placed on the document by the parties with intent
- Email addresses [especially those issued by an employer] are captured and easily verified
- IP addresses of the parties are captured in the case of signatures captured through a digital signature service such as Digicert or other state of CA approved digital certificate issuer.
- Signing location is captured through Adobe Sign or an equivalent service via IP location or mobile device GPS capture
- Chain of custody [sent, viewed, signed, etc.] captured through a digital signature service
- Timestamps are recorded
- Documents are created with a tamper-evident encrypted certificate
- Signers’ digital signatures may be validated by the signing authority from which they were issued
Note: For a digital certificate to be valid, it must follow California State requirements and be issued by a third-party entity from the Approved List of Digital Signature Certification Authorities, which is published on the Secretary of State's website. In addition, CSU Channel Islands is requesting approval to use Adobe Sign, DocuSign or any other digital signature service which utilizes an approved certificate, as CSU's digital certificate service provider InCommon does not offer external party signature workflow as a service.
When considering whether a Level 4 digital signature is required, consider the question: "Would this contractual or legal document require notarization?" If the answer is yes, then Level 4 authentication should be followed. Digital signature should not be treated as a substitute for notarization. If the answer is no, then Level 3 authentication should be sufficient.
- Unilateral contracts and other University controlled documents (Level 3): The Chancellor's Office has approved the use of electronic signature for approval of purchase orders. Typically, a purchase order begins as a unilateral contract which is only signed by the buyer and accepted by the other party through performance, making it bilateral and binding. There is very little risk to the University in using electronic signature in lieu of a digital signature, as the buyer is in control of the document until it is sent to the known supplier. For other documents where the University is the only signatory and is providing acknowledgements or approvals, electronic signatures are also appropriate.
- Internal (Campus) forms and approvals (Level 2): Internal forms and documents which will be validated by other methods such as campus IP address, employee ID, Single Sign On, permission-based roles, etc. do not require digital signature and may be collected via electronic signature. Electronic signatures collected in a manner not validated by one of the methods described in this paragraph must be approved by the CSUCI Information Security Officer and documented.
- External forms and approvals (Level 1): Only external forms soliciting non-protected or nonsensitive information for data gathering purposes and which are not intended to form a contract may be submitted with an electronic signature.
Tools for Electronic Signature
The use of Adobe Sign, when used in conjunction with email authentication, is an acceptable means of electronic signature for all documents and processes that fall into Risk Levels 1, 2 and 3. For CSUCI student and employee signers, the email address used for electronic signature must be the student or employee’s official CSUCI email address for the electronic signature to be acceptable.
Other tools are permissible to provide electronic signature and meet Risk Levels 1, 2 and 3, including:
- any systems or processes that require single sign-on (SSO) authentication through myCI (with or without Duo 2-factor authentication, with Duo preferred) before a document can be approved or electronically signed. Examples: an approval workflow in TeamDynamix; a routing workflow in InfoReady Review; a pre-approved CSUCI- or vendor-built custom web application which facilitates routing & approval.
- any systems or processes which utilize a student or employee's official CSUCI email address for 2-factor or multi-factor authentication before a document can be approved or electronically signed. For example: a student registers for an account with a system/process, and the system emails the student's official CSUCI email address with a confirmation code or link to validate the student's access before they can electronically sign an agreement or access the system/process.
All new tools supporting electronic signature shall be evaluated and approved by the Information Security Officer prior to being authorized for signature at any risk level.
Risk Level 4 documents may be signed using Adobe Sign, DocuSign, or any other digital signature service, so long as all of the following criteria are met:
- The service is authorized by the VP of Business and Financial Affairs and the Chief Information Officer
- The service utilizes an approved digital certificate from the "Approved List of Digital Signature Certification Authorities" published on the Secretary of State's website.
- The service meets all the criteria described in California Government Code Section 16.5, the “Level 4” risk assessment section of this document, and all applicable CSU and CSU Channel Islands policies.
Conclusion:
CSU Channel Islands is authorized to utilize electronic and digital signatures in accordance with CSU policy based on the risk assessment provided herein.
Forms requiring more substantial authentication or relating to the formation of a contract (as described herein) must be collected with an authorized digital signature. For questions on the appropriate method one should consult the Director of Procurement & Contract Services, the Assistant Vice President of Financial Services or the CSUCI Information Security Officer. In the event of any uncertainty, the Information Security Officer has final discretion.
Approved by:
Carlos Miranda, Information Security Officer
James August, Chief Information Officer
Barbara Rex, AVP of Budget & Planning and Interim CFO
Approval Date: 7/7/2020 (executed via Adobe Sign; copies to all approvers)