1613 PR.01 Electronic Signatures

Revision Date: December 9, 2014

1. Overview

2. Approved Electronic Signature Service for Legal Documents

3. Process for Creating, Using and Verifying an Electronic Signature for Legal Documents

4. Process for Requesting ITS Approval of an Unapproved Electronic Signature System for Legal Documents

5. Electronic Signatures for Non-Legal, Internal Approvals

1. Overview

Section 1 of Policy 1613 Electronic Signatures and Records states:

“Because those with signature authority are executing legal documents on behalf of the University, their electronic signatures must use a secure certificate-based electronic signature service that has been approved by Information Technology Services (ITS).  … This electronic signature service is available to only those with signature authority”.

Note:  To determine whether you have signature authority and, if so, the limits of your signature authority, check the Signature Authority Tool (link) or contact the Controller’s Office (see Section 8 Contacts below). 

This Procedure 1613 PR.01 describes the certificate-based electronic signature service that has been approved by ITS for signing legal documents and provides a step-by-step description of how it is used. 

In addition, this procedure discusses using electronic signatures for non-legal, internal “sign-off” or approval purposes.

This procedure does not cover the electronic workflow systems that use electronic signatures for legal and/or non-legal (internal) purposes (i.e., SciQuest, Facilities Payment Approval Program).

2. Approved Electronic Signature Service for Legal Documents

Yale University employees who have signature authority and who want to sign legal documents using an electronic signature must use the following certificate-based electronic signature service:

  • Adobe® Acrobat™ Professional XI using GlobalSign® PersonalSign 2 Certificates

The ITS Information Security Office has confirmed that this application provides robust authentication and integrity for electronic signatures, as well as the capability for properly designated University officials to verify and validate the electronic signatures.

3. Process for Creating, Using and Verifying an Electronic Signature for Legal Documents

If you are a Yale employee with signature authority and want to sign legal documents electronically, the following steps must be taken to create an electronic signature:

  • Contact the ITS Information Security Office via e-mail (information.security@yale.edu) and request a GlobalSign electronic ‘signing’ certificate for creating legal signatures. [DO NOT FILL OUT THE FORM AT: https://www.globalsign.com/personalsign/buy/us/consumer.html (Link 1)].
  • The ITS Information Security Office will confirm with the Controller’s Office that you have signature authority.
  • You will receive a separate e-mail describing how to create, install and save your GlobalSign certificate for ‘signing’.
  • You will be required to create a password for the certificate in order to use your ‘signing certificate’ to add a legal signature to a document.  Make certain that you can remember the password and secure it – don’t share it or write it down.

To use an electronic signature, the following steps must be taken:

  • Confirm that you have the required approval authority to sign the specific electronic document (see the Signature Authority tool (link) or check with the Office of the Controller).
  • Open the PDF electronic document to be signed in Adobe Acrobat.  (If you receive a soft-copy document in another format (e.g. in Microsoft Word), convert it to a PDF file before opening.  If you receive a hard-copy printed document, scan it to a PDF file before signing).
  • Follow the instructions you received when you obtained your GlobalSign digital certificate in Adobe Acrobat.  You will be required to enter the password you created earlier.
  • You should not have to enter your name or the date on the electronic signature – it should be inserted and visible automatically.   If this does not happen or if other problems occur while signing, please contact the Yale ITS Help Desk Office at 203-432-9000.
  • If you are to be the only signer of the PDF file, you should ‘lock’ the document (you will need to set a password to prevent others from editing it) so that it cannot be updated (e.g. tampered with) after you have signed it.

If you would like to verify an electronically signed document before accepting it, you should take the following steps:

  • Set your preferences in Adobe Acrobat XI Pro to automatically validate electronic signatures by selecting the ‘Preferences’ tab/pane (under Edit), then selecting the ‘Signatures’ category and clicking on the ‘More’ button adjacent to the ‘Verification’ option.  On the popup window labeled ‘Signature Verification Preferences’ enable the checkbox labeled ‘Verify signatures when the document is opened’. 
  • Open the executed document only in Adobe Acrobat and not another “PDF” viewer program.
  • Verify the signature (or signatures) in the document by viewing the ‘signatures panel’ in Adobe Acrobat.  Clicking on the ‘signature’ logo (on the left) should expand details under ‘Rev 1: Signed by’.
    Neither the ‘Signature validity’ nor the ‘Signer’s identity’ should be listed as ‘unknown’. Also, you should see: ‘Document has not been modified since this signature was applied.’
  • For even more advanced verification options please see:
    http://helpx.adobe.com/acrobat/using/validating-digital-signatures.html

 

4. Process for Requesting ITS Approval of an Unapproved Electronic Signature System for Legal Documents

Yale individuals who are required to use a non-ITS-approved electronic signature application or service provider on Yale IT Systems for use with Yale University business must submit a request for a Security Design Review (SDR) of their proposed electronic signature application or service provider to the Yale University ITS Information Security Office.  The proposal and Security Design Review request should include a rationale for the exception from the approved service; a description of the proposed method; and an assessment of the risk involved in the method as used in the business process (particularly if a lower standard of signature security is being asked for).

ITS will perform a formal risk assessment (generally using the US Government Electronic Risk and Requirements Assessment (e-RA) Tool – http://www.idmanagement.gov/resource/electronic-risk-and-requirements-as… (Link 2)).

5. Electronic Signatures for Non-Legal, Internal Approvals

If you are a Yale employee with approval authority and would like to sign documents electronically, your printed name and the date must appear with your signature.  Other than this requirement, the University does not have any University-wide requirements regarding the use of electronic signatures or specific electronic signature systems for non-legal, internal approvals.  Each unit may therefore set its own requirements, which may range from requiring handwritten approvals to using a specific method.

The ITS Information Security Office recommends the use of a free, non-certificate-based graphical file of your signature for internal “sign-offs” or approvals.  One suggested option is to use the electronic signatures provided by Adobe Reader and Adobe Acrobat.  For step-by-step instructions on creating and using these signatures, call the IT Help Desk (432-9000).

Note: It is recommended that your electronic signature be used only on Adobe PDF documents because Adobe PDF documents cannot be revised after signing whereas Microsoft Word documents can be.  Therefore, Microsoft Word documents should be converted to Adobe PDF documents before signing.