Third Party Risk Assessment

For many businesses, managing the risks associated with third-party vendors is a top priority, and for good reason. So, what are the crucial elements to consider from a third-party risk perspective? Classification and compliance sit at the forefront, and the sections below work through the others.


E-Sign Places A Significant Emphasis On:

  • Investing and allocating resources to enhance our threat intelligence and cybersecurity capabilities.
  • Establishing a specialized compliance team so that our enterprise information security program exceeds national and international security standards and adheres to industry best practices.
  • Providing dedicated subject matter experts to support employees across all information security domains.
Our program undergoes annual independent audits against the standards we are certified to, so that it not only meets but exceeds the most stringent security requirements.

How Third-Party Risk Evaluates eSignatures

Third-party vendor risk management is, understandably, one of the top priorities for many businesses. eSign and other electronic signature providers are generally treated as tier 1 suppliers, and with that classification comes increased scrutiny and more demanding security assessment requirements.

eSign maintains a security and compliance program that includes ISO 27001 certification, Cyber Essentials Plus certification and SOC attestation. As a business or individual customer, you can expect identified risks to be addressed by the eSign security and compliance team, for whom compliance is a top priority. We continuously demonstrate how our policies and procedures meet or exceed industry standards through industry best practice, annual independent third-party audits of eSign's controls, UKAS-accredited ISO 27001 certification, an independent IT Health Check (ITHC), and attestations of compliance.

Let’s explore the issues most important to you when assessing security and compliance risks and how they are addressed by eSign. The subjects to evaluate for potential risk are listed below, each focusing on a different area of security, privacy, and legal compliance:


1. Information Classification

Information classification is a process in which organizations or individuals assess the data they hold and the level of protection it should be assigned.

Why is this important?

Information classification ensures that everyone in an organization knows what type of data they are working with, what it is worth, and what their obligations are in protecting it against breach or loss. For eSign customers, the practical questions are how data flows through the system and whether access is restricted so that only the sender and the recipients can view an envelope, with an audit trail recording every step of the process.

eSign classifies information at four levels:

• Confidential (only senior management has access)
• Restricted (most employees have access)
• Internal (all employees have access)
• Public (everyone has access)

Customer data is protected by restricting employee access to the eSign production environment; employees who hold such access must complete additional information security training and checks.


2. Information Storage and Encryption (in transit and at rest)

Data is encrypted in two states: at rest and in transit. 'Data at rest' is data stored on physical media in any digital form, such as documents held in a database or on disk. 'Data in transit' is data moving between devices or between two points on a network.

Why is this important?
Encryption keeps data unreadable to anyone who obtains it without authorization, whether by interception on the network or by theft of the storage it sits on. It has long been standard for data in motion and is increasingly expected for data at rest. Note what it does not do: encryption at rest protects against lost disks, stolen backups and raw storage access, not against an application or administrator that legitimately holds the keys, so key management and access control matter as much as the cipher itself.

eSign's security protocol includes the following:
• 256-bit encryption
• Security protocols for TLS (SSL) certificates, server logins, and tunneling
• Data/document encryption
• Data disposal and reuse policy
• Processes for equipment management and secure media disposal
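"256-bit encryption" on its own tells a third-party risk reviewer very little: the questions that matter are which algorithm and mode are used, whether the encryption is authenticated (so tampering is detected rather than producing garbage), how document keys are generated, stored and rotated, and who can use them. The Go program below is an added example written for this page; it is not eSign's code and does not describe eSign's implementation. It shows one common design for documents at rest, envelope encryption with AES-256-GCM: each document gets its own random data key, that key is wrapped under a key-encryption key (KEK), the envelope identifier is bound into both operations as associated data, and rotating the KEK re-wraps only the small data key rather than re-encrypting every stored document. The SealedDocument layout, the function names and the envelope identifier format are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// SealedDocument is the stored record: ciphertext plus the per-document data
// key wrapped under the key-encryption key (KEK). The KEK is never stored here.
type SealedDocument struct {
	EnvelopeID string // bound into both AEAD operations as associated data
	WrappedKey []byte // data key, AES-256-GCM encrypted under the KEK
	WrapNonce  []byte
	DocNonce   []byte
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// newAESGCM refuses anything but a 32-byte key, so "256-bit" is enforced, not assumed.
func newAESGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key is %d bytes, AES-256 needs 32", len(key))
	}
	block, _ := aes.NewCipher(key) // cannot fail: length checked above
	return cipher.NewGCM(block)
}

// mustRandom panics on CSPRNG failure; there is no safe fallback for a key or nonce.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Seal encrypts one document under a fresh data key and wraps that key with the KEK.
// The envelope ID is associated data, so a ciphertext copied into another envelope's
// record fails authentication instead of decrypting.
func Seal(kek []byte, envelopeID string, plaintext []byte) (*SealedDocument, error) {
	kekAEAD, err := newAESGCM(kek)
	if err != nil {
		return nil, fmt.Errorf("kek: %w", err)
	}
	dataKey := mustRandom(32)
	docAEAD, _ := newAESGCM(dataKey) // cannot fail: the key is exactly 32 bytes
	doc := &SealedDocument{
		EnvelopeID: envelopeID,
		WrapNonce:  mustRandom(kekAEAD.NonceSize()),
		DocNonce:   mustRandom(docAEAD.NonceSize()),
	}
	doc.WrappedKey = kekAEAD.Seal(nil, doc.WrapNonce, dataKey, []byte(envelopeID))
	doc.Ciphertext = docAEAD.Seal(nil, doc.DocNonce, plaintext, []byte(envelopeID))
	return doc, nil
}

// Open reverses Seal. Any change to the ciphertext, the wrapped key or the
// envelope ID fails one of the two GCM tags, and no plaintext is released.
func Open(kek []byte, doc *SealedDocument) ([]byte, error) {
	kekAEAD, err := newAESGCM(kek)
	if err != nil {
		return nil, fmt.Errorf("kek: %w", err)
	}
	dataKey, err := kekAEAD.Open(nil, doc.WrapNonce, doc.WrappedKey, []byte(doc.EnvelopeID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	docAEAD, err := newAESGCM(dataKey)
	if err != nil {
		return nil, fmt.Errorf("data key: %w", err)
	}
	plaintext, err := docAEAD.Open(nil, doc.DocNonce, doc.Ciphertext, []byte(doc.EnvelopeID))
	if err != nil {
		return nil, fmt.Errorf("open document: %w", err)
	}
	return plaintext, nil
}

// Rewrap rotates the KEK. Only the wrapped data key is re-encrypted; the stored
// document is never read or rewritten, which keeps routine rotation cheap.
func Rewrap(oldKEK, newKEK []byte, doc *SealedDocument) error {
	oldAEAD, err := newAESGCM(oldKEK)
	if err != nil {
		return err
	}
	newAEAD, err := newAESGCM(newKEK)
	if err != nil {
		return err
	}
	dataKey, err := oldAEAD.Open(nil, doc.WrapNonce, doc.WrappedKey, []byte(doc.EnvelopeID))
	if err != nil {
		return fmt.Errorf("unwrap with old kek: %w", err)
	}
	doc.WrapNonce = mustRandom(newAEAD.NonceSize())
	doc.WrappedKey = newAEAD.Seal(nil, doc.WrapNonce, dataKey, []byte(doc.EnvelopeID))
	return nil
}
```

Call Seal when a document is stored and Open when an authorized party retrieves it; after Rewrap the old KEK no longer opens anything, and a single flipped bit in storage makes Open return an error rather than a corrupted document. In a real service the KEK would live in an HSM or a cloud key-management service and only the unwrap operation would be exposed to the application, so the assessment questions to put to a vendor are where the KEK is held, which identities can call unwrap, how often it is rotated, and whether customer-managed keys are offered.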


3. Data Privacy

Data privacy is typically associated with the following elements:

Legal framework – The legislation that applies to data, such as data privacy laws.

Data protection policy – A statement that sets out how your organization protects personal data. It is a set of principles, rules, and guidelines that inform how you will ensure ongoing compliance with data protection laws.

Best practices – Established guidance that shapes IT infrastructure, data privacy, and protection.

Third-party organization – Any entity outside of your company that provides services or products to your organization or acts on behalf of your business.

Data governance – Setting internal standards and data policies that apply to how data is gathered, stored, processed, and disposed of. It governs who can access what kinds of data and what kinds of data are under governance.

Global requirements – Global legislation to secure the protection of data and privacy.


Why is Data Privacy Important?

Keeping customers' private data and sensitive information safe is paramount. Exposure of financial data, healthcare information, or other personal data to the wrong people has serious consequences for the individuals concerned and for the organization responsible.

Access control is critical for personal information: without it, individuals are at risk of fraud and identity theft. eSign complies with the General Data Protection Regulation (GDPR), which is particularly relevant when personal data is transferred between countries, especially into and out of the European Union.

How does eSign comply?
eSign has data management and privacy practices in place covering:
• Privacy notices
• Data subject rights
• Data deletion and retention
• Data access
• GDPR and other privacy regulations
• Data residency
• Sub-processors
• Training and awareness
• Governance and accountability


4. Access Controls

Users are identified by a login identifier and then verified by one or more credentials: passwords or PINs, security tokens, or biometrics. Multi-factor authentication (MFA), which requires more than one of these, is now a standard feature of access control systems.

Access control is the process of:
• Identifying a person and the job they need to do
• Checking their credentials to authenticate them
• Granting them only the access to the computer, file, or software that the job requires and nothing more


Why are Access Controls Important?

Access controls limit access to information and information processing systems so that people have what they need to do their job but nothing more, with processes such as an access control register in place to remove that access when an employee changes role or leaves the company. It is equally important that envelopes can only be accessed by the parties authorized to see them.

When implemented effectively, access controls mitigate the risk of information being accessed without the appropriate authorization, unlawfully, and the risk of a data breach.

eSign addresses access control requirements with the following:
• User permissions and groups
• Centralized provisions for controlling access via multi-factor authentication
• Password policy
• Compliance visibility: Who has access to what
• A network management system, complete with anti-virus software and malware detectors
• A key management and encryption program
• Automatic processes for detecting potentially harmful code


5. Sustainability

Sustainability is more important now than ever to companies and individuals worldwide. Companies are expected to have sustainable processes in place and to produce products that contribute to a more sustainable society.

Why is this important?
A business that fails to make sustainable development a priority risks bad PR, public criticism, and loss of market legitimacy. Businesses with solid sustainability policies are more likely to attract younger talent, win tenders (which increasingly ask for proof of ESG credentials), and win awards and certifications.

eSign’s approach to sustainability:
• We take a precautionary approach to protecting the environment
• We consume minimal resources and energy across the supply chain
• We foster environmental responsibility with programs that reduce pressure on ecosystems, such as cutting paper use
• We create long-lasting software that meets the needs of users whilst reducing negative environmental and economic impacts
• We create jobs and economic growth by investing in recruitment and new technologies
• We contribute to innovation in environmentally friendly technologies such as clean energy
• We enable businesses to contribute to a sustainable future by going paperless


6. Ethical Behaviour

“Legal” and “ethical” are not the same thing. Business ethics defines acceptable behavior beyond what the law requires: preventing forced labor and human trafficking, paying fairly, and more. The U.K. has the Modern Slavery Act, but from a third-party risk perspective it is important to ensure these standards extend to everyone in the supply chain.


Why are Ethical Behaviours Important?

Ethical behaviour is key to a business's reputation; consumers are more likely to buy goods or services from you if you act responsibly. There are also legal implications in many industries, and compliance with the regulations set by government is mandatory. Acting ethically reduces the risk of fraud, bribery, and corruption.

How eSign conforms:
• Company policies and procedures in place for all staff
• Regular staff training
• Third-party vendor assessments


7. Business Continuity and Disaster Recovery

Business continuity (BC) and disaster recovery (DR) are closely related practices that support an organization’s ability to stay operational during or after a disaster. From natural disasters to cyber-attacks, organizations must remain resilient to these types of threats.

Why is this important?
When an adverse event occurs, the organization needs to continue operating with little or no disruption and to limit the resulting risk. A plan is only credible if it states how quickly service must be restored and how much data may be lost (recovery time and recovery point objectives) and has been tested against those targets.

What does eSign have in place?
• Regularly reviewed policies and procedures
• Business continuity and disaster recovery plans
• Regular testing of the plan
• Geo-dispersed data centers with built-in redundancy measures
• Elimination of single points of failure
• Near real-time secure data replication


8. Vendor Risk Management

Vendor risk management is the practice of assessing, monitoring, and managing the risk exposure created by third-party suppliers (TPSs) that provide IT products and services.

eSign's risk management process includes:
• Requiring vendors to follow the same protocols that the company applies internally
• Identifying the types of risk each vendor presents
• Regular audits/assessments to ensure sub-processors conform to internal protocols
• A documented risk appetite statement
• Reporting on key vendor-related metrics


Conclusion

Compliance is a top priority for eSign. We continually demonstrate how our policies and procedures meet or exceed industry standards through industry best practice, annual independent third-party audits of eSign's controls, UKAS-accredited ISO 27001 certification, an independent IT Health Check (ITHC), and attestations of compliance.

Accreditations & Awards

ISO 9001 Quality Management
ISO 27001 Information Security Management
eSign Digital Winner UK
2023 SME Committed Badge
Cyber Essentials Plus
