IT BEST PRACTICES


    SANS Policy Templates: Digital Signature Acceptance Policy

    The SANS Institute has published several information security policy templates describing best data security practices in template format. This largely means that you can ‘fill in the blanks’ when developing a security policy (although some modification will be in order for your specific circumstances). In this post we’ll look at the SANS template for digital signature acceptance as part of email and network security.

    In this SANS policy template, purpose and scope are very important. External customers sign for products and services, and these signing mechanisms have a variety of rapidly changing requirements and standards. The SANS digital signature policy explicitly does not address these signing transactions. The scope of the policy is limited to signatures for communications internal to the company. Because the scope is limited in this way, the template also specifies that it refers only to keys issued by the company for employee use; your company's scope in this regard may be different.

    Policy specifics cover whether keys are assigned to titles (such as Chief Information Officer) or to individuals (John Doe, CIO); which software may use the keys (for example, whether employees can use Thunderbird’s digital key Enigma plug-in); the controlling certificate authority (CA); how to handle communications that appear to be improperly signed; and so on. Since the SANS template is only a template, additional policy elements may be added if needed, such as revocation of keys, control of or access to systems which generate keys, distribution methods and more.

    The digital signature policy must not only exist but also be trustworthy. Trust is created and maintained through the compliance and auditing sections of the digital signature policy. These sections contain expectations and restrictions on key usage and penalties for lack of compliance.

    For more information on digital signatures and implementation, please contact us.
