Security is always top of mind at DocuSign, just as it is for our customers. In the final part of our three-part series we share best practices for secure archival storage and device security, and for choosing business partners with security certifications:
Secure archival storage
Protecting electronic documents during the active signing process is only half the job: they must also be stored securely afterwards. Maintaining documents securely over their whole lifecycle, while still allowing authorized parties to view and transact them, is essential to trust, reliability, and business efficiency.
What to do:
- Electronic documents should not be passed around over email. Email is an insecure transport: a message is copied to every recipient and every intermediate mail server, and once a document has been sent the sender has no control over where it goes or whether it is altered.
- Documents should always be accessed within their secure repository during the signing process, so that the repository can validate the integrity of the document, manage its version control, and give the document sender oversight of the whole process.
- Require that your private and confidential documents be encrypted in storage so that only the parties you have authorized can read them. Don't allow your documents to be stored in a way that exposes the data to whoever operates the storage. Application-level encryption, where the application encrypts each document before it is written and holds the keys separately from the storage tier, provides both confidentiality and assurance. This is a significant engineering effort and is rarely provided; DocuSign designed and provides this layer of protection for our customers, so that no unauthorized party, including system administrators, can view documents. When evaluating any provider, ask where the encryption keys are held and who can access them: encryption whose keys sit next to the data, or are available to the storage administrators, does not deliver this guarantee.
- Your secure, authenticated view into this repository should also give you tools to manage the documents you send and receive. A common method is folders that you create and name to organize and store documents over time.
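To make the application-level encryption point concrete, here is an added example (written for this article, not DocuSign's own code) of how an archive can seal a document so that the storage tier only ever holds ciphertext and any alteration is detected on read. It uses AES-256-GCM from Go's standard library; the record ID, key name and sample document text are constructed for illustration, and the key is generated inline where a real deployment would fetch it from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredDocument is the record that lands in the archive: ciphertext, the
// per-document nonce and a non-secret record ID. No key material is stored
// alongside it, so a storage or database administrator holding this record
// cannot read the document.
type StoredDocument struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: ciphertext followed by the 16-byte tag
}

// NewDocumentKey returns a fresh 256-bit AES key. Generated inline here for
// illustration; in a real deployment the key would live in a KMS or HSM and
// be released only to the application tier, never to the storage tier.
func NewDocumentKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key. The record ID is passed as additional
// authenticated data, so a ciphertext moved onto another document's record
// will fail to open even though the key is the same.
func Seal(key []byte, id string, plaintext []byte) (StoredDocument, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return StoredDocument{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredDocument{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(id))
	return StoredDocument{ID: id, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and verifies a record. Any change to the ciphertext, nonce
// or record ID, or use of the wrong key, is reported as an error instead of
// returning corrupted plaintext.
func Open(key []byte, doc StoredDocument) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, doc.Nonce, doc.Ciphertext, []byte(doc.ID))
	if err != nil {
		return nil, errors.New("document failed integrity check or was sealed under a different key")
	}
	return pt, nil
}

func main() {
	key, err := NewDocumentKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document, not real customer data.
	doc, err := Seal(key, "envelope-0001", []byte("Lease agreement, signed by A. Example on 2013-05-06"))
	if err != nil {
		panic(err)
	}
	// This is all a storage administrator sees.
	fmt.Printf("archived record: id=%s nonce=%x ciphertext=%x\n", doc.ID, doc.Nonce, doc.Ciphertext)

	pt, err := Open(key, doc)
	fmt.Printf("authorized open: %q err=%v\n", pt, err)

	// One flipped byte in storage is caught by the GCM tag.
	tampered := doc
	tampered.Ciphertext = append([]byte(nil), doc.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01
	_, err = Open(key, tampered)
	fmt.Println("tampered record:", err)

	// An administrator without the application key gets nothing.
	adminKey, _ := NewDocumentKey()
	_, err = Open(adminKey, doc)
	fmt.Println("wrong key:", err)
}
```

The authentication tag is what turns "encrypted" into "encrypted and integrity-checked": a ciphertext that has been edited, truncated or attached to the wrong record fails to open rather than yielding silently corrupted content. Random 96-bit nonces are adequate for the number of documents a single key would realistically protect, but a production design would still rotate keys and keep them in a KMS so that the people who can read the storage are never the people who can read the documents.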
Computing Device Security
As computing devices become more mobile, the means of accessing your data become more available and more transportable. It is common for people to access documents from many different places. This lets us conduct our lives and business more efficiently, but it also introduces exposures, so apply awareness and diligence to your mobile computing activities:
What to do:
- Password- or PIN-protect your mobile device. Devices are often left behind in restaurants, taxis, and even airports, and they are high-value targets for theft. Best practice is to require a PIN or passcode on smartphones and to set the auto-lock timeout to one minute or less.
- Develop a smart password management strategy so that you never reuse a password from an insecure site, one that does not require strong authentication, on a site where private or confidential data is kept. Protecting your online credentials prevents impersonation, fraud, and identity theft.
- Change your password or PIN periodically, and immediately if you suspect it has been exposed; make it long and hard to guess, and never share your credentials with others.
- Store the minimum of information on your mobile device, and know where your digital data resides and how it is protected.
Choose business partners with security certifications
Choose trustworthy business partners who have invested in security examinations by qualified third parties. DocuSign's ISO/IEC 27001:2005 certification designates an information security management system (ISMS) certified to the most stringent global standards. DocuSign is the only eSignature provider that is ISO 27001 certified, covering all aspects of our organization and datacenters.
DocuSign is SSAE 16 examined and tested year after year with no noted exceptions across all aspects of our enterprise business and production operations, is PCI DSS 2.0 compliant as both a service provider and a merchant, is TRUSTe certified, and is a member of the U.S. Dept. of Commerce Safe Harbor program. DocuSign uses professional, commercial-grade datacenters that are PCI DSS compliant and SSAE 16 examined and tested to the highest standards of physical, environmental, and access controls.
What to do:
- When selecting a business partner, ask which information security certifications they hold, and ask to see the reports.
- Ask to view the last two years of reports to confirm that the partner protects your information reliably and consistently, and that its controls align with industry standards. Check the scope statement of each report: a certification that covers only part of the organization or a subset of its datacenters says nothing about the rest.
- Determine whether they are reviewed by more than one external auditor, and how often those audits recur. A variety of auditors helps ensure that a wide range of testing and examination is performed by impartial and qualified third parties.
Store your signed documents in DocuSign
Implementing industry-standard security controls is expensive to maintain and requires dedicated resources. As more people transact personal and professional business electronically, a certified third-party service becomes the more economical way to ensure the highest levels of protection for your data.
- DocuSign's high-availability service makes your documents readily available whether you're at home, at work, or on the road.
- Customers can safely and securely save their DocuSigned documents on the DocuSign Global Network for password-protected access by all signing parties.
- As long as your documents are retained within DocuSign, you have a guaranteed copy of record and an ongoing digital audit trail to validate who has viewed and signed your documents up to and including the most recent activity on those documents.
- DocuSign is the only electronic signature and document archive storage service that is ISO 27001-certified to the highest global standards as an Information Security Management System (ISMS).
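The audit trail mentioned above only proves who viewed and signed a document if the trail itself cannot be quietly rewritten. Here is an added example (written for this article, not DocuSign's implementation) of the usual way to get that property: a hash-chained, HMAC-keyed log in which every entry commits to the one before it. The HMAC key, the sample signers and the timestamps are all constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Event is one entry in a document's audit trail. Each entry carries the
// hash of the entry before it, so rewriting or removing an earlier entry
// breaks every hash that follows.
type Event struct {
	Seq      int
	Action   string // "sent", "viewed", "signed", ...
	Actor    string
	When     string // timestamp kept as a string for simplicity
	PrevHash string // Hash of the previous entry; empty for the first
	Hash     string // HMAC-SHA256 over this entry's fields and PrevHash
}

// AuditTrail is an append-only, hash-chained log keyed with an HMAC key
// that only the archive service holds, so entries cannot be re-minted by
// whoever happens to have write access to the log's storage.
type AuditTrail struct {
	key    []byte
	events []Event
}

func NewAuditTrail(key []byte) *AuditTrail { return &AuditTrail{key: key} }

func (t *AuditTrail) entryHash(e Event) string {
	mac := hmac.New(sha256.New, t.key)
	// Fixed field order with a separator; the fields used here contain no '|'.
	fmt.Fprintf(mac, "%d|%s|%s|%s|%s", e.Seq, e.Action, e.Actor, e.When, e.PrevHash)
	return hex.EncodeToString(mac.Sum(nil))
}

// Append records an action and links it to the current head of the chain.
func (t *AuditTrail) Append(action, actor, when string) Event {
	e := Event{Seq: len(t.events) + 1, Action: action, Actor: actor, When: when, PrevHash: t.Head()}
	e.Hash = t.entryHash(e)
	t.events = append(t.events, e)
	return e
}

// Head returns the hash of the latest entry, or "" for an empty trail.
func (t *AuditTrail) Head() string {
	if len(t.events) == 0 {
		return ""
	}
	return t.events[len(t.events)-1].Hash
}

func (t *AuditTrail) Events() []Event { return t.events }

// Verify recomputes every hash and back-link and reports the first entry
// that does not check out. It cannot see entries dropped from the end of
// the log; compare Head() against a copy anchored outside the log for that.
func (t *AuditTrail) Verify() error {
	prev := ""
	for i, e := range t.events {
		if e.Seq != i+1 {
			return fmt.Errorf("entry %d: sequence gap", i+1)
		}
		if e.PrevHash != prev {
			return fmt.Errorf("entry %d: back-link does not match previous entry", e.Seq)
		}
		if !hmac.Equal([]byte(e.Hash), []byte(t.entryHash(e))) {
			return fmt.Errorf("entry %d: hash mismatch, entry was altered", e.Seq)
		}
		prev = e.Hash
	}
	return nil
}

func main() {
	// Constructed sample events for one envelope; not real DocuSign data.
	tr := NewAuditTrail([]byte("demo-hmac-key-replace-with-kms-key"))
	tr.Append("sent", "alice@example.com", "2013-05-06T09:00:00Z")
	tr.Append("viewed", "bob@example.com", "2013-05-06T09:15:00Z")
	tr.Append("signed", "bob@example.com", "2013-05-06T09:20:00Z")
	fmt.Println("intact trail verifies:", tr.Verify() == nil, "head:", tr.Head()[:16])

	// Someone with write access to the store rewrites who viewed the document.
	tr.Events()[1].Actor = "mallory@example.com"
	fmt.Println("after rewrite:", tr.Verify())
}
```

Two design points matter in practice. The HMAC key ties authenticity of entries to the service, not to the storage, so an attacker who can write to the log cannot simply recompute the chain. And a chain alone does not detect truncation, since a log with its last entries removed is still internally consistent; the head hash therefore has to be anchored somewhere the log writer cannot reach (a separate store, a signed receipt sent to the parties, or a timestamping service) and compared on every verification.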
As information security is ever-important, keeping up to date with the latest best practices reduces risk and gives you peace of mind that your data and documents are protected as well as possible. Read more about DocuSign's Security & Trust and follow us on Twitter, Facebook and LinkedIn.
Have a great Monday!