Information Technology Services
Nish Malik / Associate Vice President and Chief Information Officer, Information Technology Services / (415) 405-4105 / firstname.lastname@example.org
Tuesday, September 4, 2018
Thursday, May 20, 2021
This Policy will provide guidance to the campus on the appropriate use of electronic signatures. This guidance applies to all faculty and staff at San Francisco State University.
I. Appropriate Use of Electronic Signatures
San Francisco State University has elected to use electronic signatures for campus-approved University business processes. Per ICSUAM 8100.00, the campus has developed an Electronic Signature Risk Assessment procedure to identify, evaluate, and document where electronic signatures are permitted. Electronic signatures must only be used on documents that have been approved through the Electronic Signature Risk Assessment, with the exception that memoranda and departmental forms routed internally (i.e., forms owned by a department and only sent to individuals within the department) are not required to undergo a risk assessment.
DocuSign is the approved campuswide electronic signature solution. All faculty and staff will have access to a DocuSign account. The account shall only be utilized for University business purposes and must not be used for personal transactions. Future hires may use DocuSign to complete University transactions.
- Level 1 Data
  - Electronic signatures may be used on forms containing certain Level 1 (Confidential) data. DocuSign is approved for use with Level 1 data and Personally Identifiable Information. DocuSign is not approved for use with PCI data (credit card information) or HIPAA data (medical records). Please refer to ITS' Confidential Data Practice Directive for more information about confidential data.
- External Parties
  - Electronic signatures may be used for documents that are external (involve parties other than San Francisco State University faculty and staff) or that are considered to be high risk (see section III of this Practice Directive). DocuSign is the approved tool for all University-related business processes that involve SF State employees and external parties (signers must operate within their delegation of signing authority). For processes that involve external parties, please refer to this Security Matrix and apply the recommended security control based on the risk level of your documents.
- Student Access
  - Electronic signatures are appropriate for select student forms as well. Approved forms may be routed to students for signature.
- Contracts and Legal Documents
  - Electronic signatures may be used for unilateral contracts, as well as for bilateral contractual and legal documents.
II. Business Process Ownership
Business processes and associated documents are managed by campus process owners. The department that owns a particular business process is the only entity that may modify or upload the document for use in DocuSign. Department business process owners are responsible for initiating an Electronic Signature Risk Assessment (see section III of this Practice Directive) for the use of electronic signatures.
III. Electronic Signature Risk Assessments
The business process owner initiates and is directly involved with the Electronic Signature Risk Assessment process. During the Electronic Signature Risk Assessment, the following topics will be considered:
- The purpose and intent of the document;
- The parties involved;
- The routing of the document; and
- The contents of the document and any other associated attachments.
The Electronic Signature Risk Assessment will determine whether the process and associated documents in question are considered to be low, moderate, or high risk. Six risk impact categories, along with the likelihood of occurrence and potential mitigating factors, are used to assess each form:
CSU Electronic and Digital Signatures Standards and Procedures, 8100.S01, Section 6.0, Table 1 - Maximum Potential Impacts for Each Assurance Level.
The campus has determined that, because faculty and staff will authenticate their identity through single sign-on, there is a “Level 3: high confidence in the asserted identity’s validity.” See CSU Electronic and Digital Signatures Standards and Procedures, 8100.S01, Section 6.0.
If, based on the Electronic Signature Risk Assessment, the form is approved, the campus may then begin utilizing electronic signatures on that particular document.
IV. Record Storage and Maintenance
Departments shall continue to maintain their records in accordance with the appropriate record retention policy and ITS-recommended file storage solutions. DocuSign shall not be used as a file storage solution.
Upon the completion of the transaction, the responsible department(s) should download both the completed document and any supporting documents for storage in accordance with best practices and in a way that is easily auditable. It is also recommended that the department download the accompanying certificate of completion, which will act as a supporting document and provide a digital audit trail.
V. Account Access and Management
San Francisco State University staff and faculty will be able to utilize electronic signatures through DocuSign by logging in with their SF State ID and password.
As a best practice, users should set up their signature the first time they log in and should not alter their defined signature once it has been created.
For consistency, users should utilize the same name used for University business purposes.
Noncompliance with applicable policies and/or practices may result in removal of DocuSign account access. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.
Please visit the DocuSign @ San Francisco State website for more information and help guides.
Electronic signature, DocuSign, Digital signature.