The SANS Institute has published several information security policy templates describing best data security practices in template format. This largely means that you can ‘fill in the blanks’ when developing a security policy (although some modification will be in order for your specific circumstances). In this post we’ll look at the SANS template for digital signature acceptance as part of email and network security.
In this SANS policy template, purpose and scope are very important. External customers sign for products and services, and these signing mechanisms are subject to a variety of rapidly changing requirements and standards. The SANS digital signature policy explicitly does not address these customer-facing signing transactions; its scope is limited to signatures on communications internal to the company. Because the scope is limited in this way, the template also makes clear that it refers specifically to keys issued by the company for employee use; your company's scope in this regard may differ.
Policy specifics cover whether keys are assigned to roles (such as the Chief Information Officer) or to named individuals (John Doe, CIO), which software may use the keys (for example, whether employees may use Thunderbird's Enigmail plug-in), the controlling certificate authority (CA), how to handle communications that appear to be improperly signed, and so on. Since the SANS document is only a template, additional policy elements may be added as needed, such as key revocation, control of and access to the systems that generate keys, and key distribution methods.
The digital signature policy must not only exist but also be trustworthy. Trust is created and maintained through the compliance and auditing sections of the policy, which set out expectations and restrictions on key usage and the penalties for non-compliance.
For more information on digital signatures and implementation, please contact us.