
Whitepaper: Secure By Design


DocuSign’s Chief Security Officer, Joan Ross, provided this presentation to current and potential customers at DocuSign’s 2012 Momentum event held in San Francisco, California, on May 2, 2012.


Secure by Design WHITE PAPER

Electronic signatures (eSignatures) have become instrumental in a competitive business strategy and essential to closing and transacting business faster than ever before. As more businesses contemplate the ease of use of moving to cloud-based solutions, security remains of paramount importance. More than ever, a globally available service needs to offer optimum levels of security and assurance that controls are consistent, reliable and resilient.

An organization’s most valuable asset outside of its employees is the intellectual property around the data it transacts. Protecting this IP-related data is DocuSign’s specialty and number one mission. So important, in fact, that security was designed as an elemental and essential component of the DocuSign eSignature transaction management platform from the very beginning. DocuSign is the most continuously audited and highest certified global eSignature service, providing these optimum levels of security assurance. DocuSign is the world’s only eSignature service to achieve global ISO/IEC 27001:2005 certification as an information security management system (ISMS). DocuSign is also continuously SSAE 16 examined and tested, PCI DSS 2.0 compliant as both a service provider and a merchant, TRUSTe certified, and a member of the U.S. Department of Commerce Safe Harbor. DocuSign provides transparency by making these reports and certifications available upon request. DocuSign’s eSignature service distinguishes itself in the following secure and certified design.

Security is DocuSign’s Core Differentiator: DocuSign’s approach to designing security within the eSignature service is unique. Layered and embedded controls provide defense in depth and systematic reliability, ensuring that the customer data owner is always in control of their transaction and that the data can only be transacted and signed by recipients authorized by the sender. The customer is always able to securely view which of their recipients have viewed and signed their documents as the transaction lifecycle progresses and completes in record time.

Dedicated and Isolated Production Environment: DocuSign’s eSignature service is physically and logically isolated from any corporate network. The purpose is to provide a high-availability, critical service that is always available and protected from the common vulnerabilities associated with corporate networks, with a minimal customer entry point via a secure protocol. This greatly reduces potential attack vectors, and the condensed and restricted internet footprint is carefully monitored and protected.

Secure Transaction Sessions: DocuSign protects viewing and signing transaction sessions over secure sockets layer (SSL) with 256-bit encryption anytime, anywhere, from static or mobile computing devices.

Encrypted Data in Transit and at Rest: DocuSign is the only eSignature service that provides application-level encryption of data using the 256-bit Advanced Encryption Standard (AES). This ensures that customer data remains confidential from the viewing session throughout the transaction lifecycle, including the signing process and for as long as the document is securely archived within the DocuSign service. DocuSign’s encryption and key management process is examined, tested, and certified by qualified third parties. Customers with high security requirements choose to store their documents within DocuSign because DocuSign’s certified encryption process ensures continued archival protection for sensitive data at rest.

Authentication and Authorization: By choosing the preferred, required level of authentication, the customer sender at all times determines who is authorized to view and sign their documents. DocuSign offers a variety of industry-standard authentication options, from as basic as an email address to additional access codes, knowledge-based authentication, directory service and federated integration. The full list of authentication options is available at:

Visual Dashboard Monitoring and Alerting: DocuSign maintains continuous monitoring controls over any attempts to penetrate or execute malicious code within the DocuSign production environment. The DocuSign visual dashboard displays system alerts on such attempts, whether intentional or unintentional, and DocuSign vigorously enacts procedures for continued service protection. These procedures are often onerous for

Digital Audit Trail: DocuSign provides a systematically generated digital audit trail that records the signing activities associated with encrypted documents within the DocuSign service. This unalterable logging feature verifies in real time the associated document viewing and signing events necessary for transaction completion.

Incident Response: DocuSign’s incident response program is ISO 27001 certified and aligns with the National Incident Management System. DocuSign is a critical service for our customers, and formal incident response and data breach notification procedures certified to international standards are an essential assurance for continued customer satisfaction.

DocuSign Anti-Tampering Controls: Systematically generated hash values and digital signing of documents flattened to the ISO PDF standard are additional controls to protect against tampering attempts.

Customer Configurable Data Retention: DocuSign enables customers to configure their own data retention requirements to meet their information security policy. Customers are always in control of their data and determine their own data retention policy for secure retention.

About DocuSign

DocuSign® is the global standard for electronic signature®. DocuSign accelerates transactions to increase speed to results, reduce costs, and delight customers with the easiest, fastest, most secure global network for sending, signing, tracking, and storing documents in the cloud.

For U.S. inquiries: toll free 866.219.4318 | For European inquiries: free phone +44 (0) 800 098 8113 | Copyright © 2003-2012 DocuSign, Inc. All rights reserved. DocuSign, the DocuSign logo, “Close it in the Cloud”, SecureFields, Stick-eTabs, PowerForms, “The fastest way to get a signature”, The No-Paper logo, Smart Envelopes, SmartNav, “DocuSign It!”, “The World Works Better with DocuSign” and ForceFields are trademarks or registered trademarks of DocuSign, Inc. in the United States and/or other countries. All other trademarks and registered trademarks are the property of their respective holders.
For more information on DocuSign and eSignature service technology, please contact: or call toll free: 877.270.2040.
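The paper's digital audit trail and anti-tampering controls (hash values over the signed document, an unalterable event log) can be illustrated with a hash-chained audit trail. This is an added example written for this page, not DocuSign's code; the service key, event names and record layout are assumptions, and the HMAC seal stands in for whatever signing mechanism a real service would use.

```python
import hashlib
import hmac
import json

SERVICE_KEY = b"constructed-demo-key"  # hypothetical key, constructed for this example

def canonical(body: dict) -> bytes:
    """Deterministic JSON so every party hashes identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def document_hash(pdf_bytes: bytes) -> str:
    """SHA-256 of the flattened document; any byte change alters it."""
    return hashlib.sha256(pdf_bytes).hexdigest()

def append_event(trail: list, event: str, actor: str, pdf_bytes: bytes) -> dict:
    """Append an audit entry that commits to the document and the previous entry."""
    prev = trail[-1]["entry_hash"] if trail else "0" * 64
    body = {"seq": len(trail), "event": event, "actor": actor,
            "doc_sha256": document_hash(pdf_bytes), "prev": prev}
    body["entry_hash"] = hashlib.sha256(canonical(body)).hexdigest()
    trail.append(body)
    return body

def seal(trail: list) -> str:
    """Tag over the chain head under the service key; it covers every entry."""
    head = trail[-1]["entry_hash"] if trail else "0" * 64
    return hmac.new(SERVICE_KEY, head.encode(), hashlib.sha256).hexdigest()

def verify(trail: list, tag: str, final_pdf: bytes) -> bool:
    """Recompute every link; False if an entry, the order, or the document changed."""
    prev = "0" * 64
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body["seq"] != i or body["prev"] != prev:
            return False
        if hashlib.sha256(canonical(body)).hexdigest() != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    if trail and trail[-1]["doc_sha256"] != document_hash(final_pdf):
        return False
    return hmac.compare_digest(seal(trail), tag)

def demo() -> tuple:
    """Constructed transaction: sent, viewed, signed; then an altered copy."""
    pdf, signed = b"%PDF-1.7 constructed document", b"%PDF-1.7 constructed document /Sig"
    trail = []
    for ev, who, doc in [("sent", "sender@example.com", pdf),
                         ("viewed", "signer@example.com", pdf),
                         ("signed", "signer@example.com", signed)]:
        append_event(trail, ev, who, doc)
    tag = seal(trail)
    return verify(trail, tag, signed), verify(trail, tag, signed + b" altered")
```

Because each entry carries the previous entry's hash and the seal covers only the head, editing, reordering or dropping any event invalidates the chain as surely as altering the archived document does.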