
Securing High-Value Business Agreements


The Paperless Enterprise

By Vijay Takanti
VP and Security Program Director, Exostar

Business agreements are the lifeblood of any company. From negotiating a contract and executing a purchase to submitting a vacation approval request, everyday transactions are conducted with customers, suppliers, employees, departments and even government entities.

In the traditional paper-based world, these interactions rely on forms and documents with manual sign-off and signature approvals. Processes tend to be static and outdated as business requirements evolve because changing legacy processes proves difficult and costly.

Automating previously manual, paper-based processes is hampered by security concerns, especially for higher-value business activities. Issues such as data protection, information privacy, version control, non-repudiation and auditability are critically important when “going digital.” The question is how to achieve process integrity and enforceable agreements without adding burdensome process layers that hinder efficiency and slow productivity gains.

The effective use of digital signatures can deliver significant efficiency improvements – driving automation of processes, including high-value agreements, faster and much more cost-effectively, while delivering the desired levels of security.

Because business agreements are dynamic by nature and typically involve multiple event-based interactions over the life of the process, they are vulnerable to compromise. To ensure compliance with corporate requirements including Sarbanes Oxley, a digitally signed agreement or transaction should include three components: a verified and validated user; a process that presents what the agreement binds the user to; and a tamper-proof archive for non-repudiation and audit.

Implementing the right digital signature solution simply requires planning – and the right tool.

Creating a Risk Profile

To define a risk hierarchy, companies need to weigh three key requirements: security, compliance, and intelligence. Based on these factors, business agreements generally fall into one of four levels of risk:

• No risk business agreements don’t have to account for security, compliance, or intelligence requirements. Downloading white papers, product fact sheets, and publicly available investor information are examples of this type of transaction.

• Low risk business agreements, such as software licensing agreements and view-only access to online banking systems, need only minimal security, with relatively weak authentication and authorization capabilities based on a user ID and password or PIN. Compliance requirements can be satisfied by obtaining a click-thru signature when users select a mandatory acknowledgement (“I Agree”) button and by maintaining an audit journal record for these events – no integrity verification is necessary.

• Medium risk business agreements include purchase order submissions or SOX regulatory filings that span multiple levels of approvals and represent inherent liability for the company. These types of agreements require strong authentication and authorization. With respect to compliance, click-thru signatures or approvals are no longer sufficient with these types of agreements. Because multiple signature events involving multiple parties are likely to be part of the process, acceptable integrity must accompany these ceremony signatures, and an audit journal that records all actions still must be maintained.

• High risk business agreements, such as wire transfers or redemption of funds from a financial account, must be performed in the most trusted of environments, and therefore have by far the most aggressive security, compliance, and intelligence requirements. For compliance, because multiple signatures will be part of the process, ceremony signature capabilities are needed.

Next Stop: Fully Automated – and Compliant – Business Processes

Once a risk hierarchy is defined, the next step is to determine the best approach for automating the process.

Mimicking paper-based processes by taking a document-centric approach is very common. While this one-way communication model is perfectly suitable for no-risk and low-risk agreements, it has a limitation: if a recipient edits the document, a new version must be created, because changing the original document invalidates the sender’s signature.

In contrast, an event-driven approach that incorporates digital signatures offers companies the best of all worlds. This approach separates data from the confines of paper-based documents. In turn, this supports the definition and enforcement of rules that capture the strong security, compliance, and intelligence requirements for medium and high risk business agreements involving multiple parties. Event-driven digital signatures allow high-value business agreements to be modified electronically, without any exposure to falling out of compliance.
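As an added illustration of the contrast drawn in the two paragraphs above (constructed here, not Exostar's code or any product's format): a signature over document bytes fails the moment those bytes change, so an event-driven design instead signs each action as its own journal entry chained to the previous one, and that journal also serves as the tamper-evident archive for non-repudiation and audit listed earlier as the third component. Written in Go with the standard library's Ed25519; the Event field set, the JSON canonicalisation and the actor names are assumptions, and the package is exercised from a caller or test rather than a main function.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// Event is one signed step in an agreement's life (a constructed format, not
// Exostar's). PrevHash chains it to the prior entry; Sig covers all other fields.
type Event struct {
	Actor    string `json:"actor"`
	Action   string `json:"action"`   // "submit", "edit", "approve", ...
	DocHash  string `json:"doc_hash"` // SHA-256 of the data being bound
	PrevHash string `json:"prev_hash"`
	Sig      []byte `json:"sig"`
}
func hashHex(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }
// signable canonicalises the fields a party signs (Sig excluded).
func signable(e Event) []byte {
	e.Sig = nil
	b, _ := json.Marshal(e)
	return b
}
// link hashes a completed event, signature included, for the next PrevHash.
func link(e Event) string { b, _ := json.Marshal(e); return hashHex(b) }

// Append chains a new signed event to the journal; an edit is a new event, never a change to an old one.
func Append(j []Event, priv ed25519.PrivateKey, actor, action string, doc []byte) []Event {
	prev := ""
	if len(j) > 0 {
		prev = link(j[len(j)-1])
	}
	e := Event{Actor: actor, Action: action, DocHash: hashHex(doc), PrevHash: prev}
	e.Sig = ed25519.Sign(priv, signable(e))
	return append(j, e)
}

// VerifyJournal checks every signature and chain link; returns the first bad index, or -1.
func VerifyJournal(j []Event, keys map[string]ed25519.PublicKey) int {
	prev := ""
	for i, e := range j {
		pub, ok := keys[e.Actor]
		if !ok || e.PrevHash != prev || !ed25519.Verify(pub, signable(e), e.Sig) {
			return i
		}
		prev = link(e)
	}
	return -1
}
```

The verifier only accepts actors whose public keys were registered in advance, which is where the "verified and validated user" component fits; any rewrite of an earlier entry, or removal of one, surfaces as a bad index rather than going unnoticed.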

Companies have a great deal to gain if they complete the migration to a paperless enterprise by replacing original, paper-based signatures with digital signatures. They’ll run leaner, eliminate costly manual processes and administrative burdens, and improve the quality of business communications internally, with partners, and with customers. Compliance will propagate across the organization, and information will consistently be held to the appropriate confidential and privacy standards required.




Vijay Takanti is Vice President and Security Program Director at Exostar.

He can be reached at vijay.takanti@exostar.com.


© 2019 Simplex Knowledge Company. All Rights Reserved.