IT BEST PRACTICES


SANS Policy Templates: Digital Signature Acceptance Policy

The SANS Institute has published several information security policy templates that describe data security best practices in a fill-in-the-blanks format. You can use them as a starting point when developing a security policy, although some modification will be needed for your specific circumstances. In this post we look at the SANS template for digital signature acceptance as part of email and network security.

In this SANS policy template, purpose and scope are very important. External customers sign for products and services, and those signing mechanisms are subject to a variety of rapidly changing requirements and standards. The SANS digital signature policy explicitly does not address those transactions. Its scope is limited to signatures on communications internal to the company, and within that scope it covers only keys issued by the company for employee use; your own company's scope may differ.

The policy specifics cover whether keys are assigned to titles (Chief Information Officer) or to individuals (John Doe, CIO), which software may use the keys (for example, whether employees may use Thunderbird's Enigmail plug-in), the controlling certificate authority (CA), how to handle communications that appear to be improperly signed, and so on. Since the SANS document is only a template, additional policy elements may be added where needed, such as key revocation, control of and access to the systems that generate keys, and key distribution methods.

The digital signature policy must not only exist, it must also be trustworthy. Trust is created and maintained through the compliance and auditing sections of the policy, which set out expectations and restrictions on key usage and the penalties for non-compliance.

For more information on digital signatures and implementation, please contact us.


At Global IP Networks, our mission is to keep your net working. Our team of dedicated, certified IT experts is 100% committed to your success. For over 20 years, we've relentlessly helped companies like yours tackle their IT challenges to maximize the security, uptime and performance of their networks.