To increase the efficiency of University operations that require authorization and/or signature, the University may require the use of electronic signatures to conduct certain transactions that previously required handwritten signatures and approvals on paper documents.
State and Federal Regulations eliminate legal barriers to using technology to create and sign contracts and other records, collect and store electronic records, and conduct everyday transactions electronically.
When using electronic signatures, Stewards and IT professionals need to be aware that signatures and the associated data used to validate the signature are an integral part of a record. The signature and all necessary verification records need to be maintained for the full records life cycle. The records life cycle is the life span of the record from its creation or receipt to its final disposition. It is usually described in three stages: creation, maintenance and use, and final disposition. Final disposition can mean permanent deletion or destruction. Therefore, the electronic signature must remain accessible for the full retention period of the record with which it is associated.
For the purposes of this procedure, a signature is defined in the same manner as in the State of Illinois Electronic Commerce Security Act (5 ILCS 175/5-105) as any symbol executed or adopted, or any security procedure employed or adopted, using electronic means or otherwise, by or on behalf of a person with intent to authenticate a record. An electronic signature is defined as a signature in electronic form attached to or logically associated with an electronic record.
This procedure identifies Illinois State University's requirements for the use of electronic signatures (hereafter "e-signatures"), electronic transactions (hereafter "e-transactions"), and electronic records (hereafter "e-records") in conducting the University's business, teaching, research, and service operations. This procedure requires that members of the University community do business electronically and use e-signatures to conduct University transactions that previously required handwritten signatures and approvals on paper documents. This procedure establishes the process for designating transactions requiring e-signatures and how the University accepts and verifies e-signatures. This procedure augments, and does not replace, the University Information Security policies and procedures that apply to all University services.
This procedure covers University operations that use e-signatures, e-transactions, or e-records.
To the fullest extent permitted by law, the University accepts e-signatures as legally binding and equivalent to handwritten signatures to signify an agreement.
Regardless of the method for implementing e-signatures, each method should support the following functions:
E-signatures may be implemented using various methodologies depending upon the risks associated with the transaction. The following will be evaluated to identify risks associated with the proposed e-signature method:
The quality and security of the e-signature method should be commensurate with the risk and with the need to assure the authenticity of the signer. These can be classified into one of the following three risk (impact and probability) categories:
Each data steward is responsible for selecting the appropriate e-signature implementation method outlined below based upon an assessment of the risk to the institution. The data steward will then work with the appropriate data custodian to select and implement the appropriate e-signature method.
The following three methods are recommended for e-signatures for University documents.
Level 1: The first level of implementation does not require that the signer's identity be authenticated through a University system. The signer's identity should be authenticated using physical documents such as a government-issued identification document. On the electronic document, the signer will indicate agreement with the document by clicking on a check box. This method should be used for low-risk, low-impact transactions, especially those that involve individuals who have an external relationship with the University.
Level 2: The second level of implementation requires the validation of the signer's identity through single factor authentication against a University system. This level of authentication includes the use of a ULID/password challenge and response. This implementation method should be used with individuals possessing an internal relationship with the University.
Level 3: The third level of implementation requires the validation of the signer's identity through multi-step or multi-factor authentication against a University system, depending upon risk. This level of authentication includes the use of a ULID/password challenge and response, along with another step sufficient to uniquely identify the signer, such as a PIN or cryptographic certificate. This implementation method should be used with individuals possessing an internal relationship with the University and where the risk or impact of the transaction to the institution is high.
Level 4: Multi-factor authentication, including the use of two categories of authentication such as password plus token, password plus biometric, or password plus cryptographic certificate.
The Data Steward, in consultation with the Chief Technology Officer, is responsible for identifying the appropriate risk level and selecting the appropriate implementation methods for enterprise-level transactions. For non-enterprise transactions, the unit will, in consultation with the appropriate data custodian and the Information Security Officer, determine the appropriate implementation method.
The data custodian will be responsible for ensuring that the implementation method complies with University security procedures, including password, transmission, access control, and auditing requirements.
When designing an e-signature process, all applicable laws, rules, regulations, and University policies and procedures must be followed. The e-signature implementation process will be monitored by the AT Information Security Officer. In addition, the transaction should meet the following principles:
An individual that uses e-signatures, e-transactions, or e-records for University operations in violation of this procedure or any other University policies, procedures or applicable state and federal laws may be subject to appropriate sanctions including but not limited to disciplinary actions up to and including termination. Any adopted divisional/departmental rules and regulations may not reduce full compliance with applicable state and federal laws or the policies and procedures of the University.
Last Review: July 2013