    SANS Policy Templates: Digital Signature Acceptance Policy

    The SANS Institute has published several information security policy templates describing best data security practices in template format. This largely means that you can ‘fill in the blanks’ when developing a security policy (although some modification will be in order for your specific circumstances). In this post we’ll look at the SANS template for digital signature acceptance as part of email and network security.

    In this SANS policy template, purpose and scope are very important. External customers sign for products and services, and these signing mechanisms have a variety of rapidly changing requirements and standards. The SANS digital signature policy explicitly does not address these signing transactions. The scope of the policy is limited to signatures for communications internal to the company. Because the scope is limited in this way, the template policy also specifies that it refers specifically to keys issued by the company for employee use; your company's scope in this regard may be different.

    Policy specifics consider whether keys are assigned to titles such as Chief Information Officer or to individuals (John Doe, CIO); which software uses the keys (for example, whether employees can use Thunderbird’s digital key Enigma plug-in); the controlling certificate authority (CA); how to address communications which appear to be improperly signed; and so on. Since the SANS template is only a template, additional policy elements may be added if needed, such as revocation of keys, control of or access to systems which generate keys, distribution methods and more.

    The digital signature policy must not only exist but also be trustworthy. Trust is created and maintained through the compliance and auditing sections of the digital signature policy. These sections contain expectations and restrictions on key usage and penalties for lack of compliance.

    For more information on digital signatures and implementation, please contact us.
