Educause Security Discussion mailing list archives

Re: Security Issues regarding an e-forms routing/management system[Message Scanned]


From: Jack Suess <jack () UMBC EDU>
Date: Tue, 14 Dec 2004 17:29:21 -0500

Ben

Part of the question is related to state law and practices at your campus.
For example, in Maryland we have something called UCITA, which specifies
that electronic authentication is equivalent to signed signatures. That
said, some states are just the opposite and place additional barriers on
electronic signatures. Your institutional legal counsel should be able to
answer this question.

Outside of those points is a more fundamental question. Most signatures at
work are "internal" signatures required by your university not necessarily
governed by state law. For example, signing a requisition is not
necessarily a legal requirement -- more than likely it is associated with
audit and focuses on proper internal controls. If your institution has
strong confidence in your LDAP authentication then you can make a case
that e-signatures still maintain proper internal control. In the end, for
those kinds of functions e-signature becomes a risk management question.

When we discussed this here I raised the question of handling a forgery.
How would financial services validate a regular signature -- are they
pulling the forms and doing a comparison -- have the staff been trained to
do this kind of comparison?  We then discussed how we would deal with
e-signature, how would/could we deal with the issue that someone claimed
they didn't "e-sign" a document. This led to a discussion of log files and
determining what information we logged and how long we kept that
information. In the end we felt that we could at least identify the IP
address of the signer and use that information and corroborating log files
for other services to identify if something was a forgery.

Bottom line, the question on e-signature is about thinking about risk
management and internal controls.


Hope that helps.

jack suess, CIO, UMBC




On Tue, 14 Dec 2004, Parker, Ben C wrote:

All:

  Do any of your institutions use some sort of system to manage all the
various forms that have to be filled out by multiple people on a daily
basis?  Our main security concern is what qualifies as a valid
e-signature.  Would something like authentication via LDAP to a secure
website work, or do we have to add extra measures such as a PIN number
or another point of authentication?  If anyone can point me in the right
direction or provide info on this type of thing, I would appreciate it.



 Also for those who have it, was it something designed in house or do
you use a product created by a vendor and if so what?



Thanks,

 Ben Parker

 Mount Union College


**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.

