STN-3200.01: Electronic Approvals and Signatures

Intended Audience: All Students, Faculty, and Staff
Standard Owner: Director of Enterprise Application Services (EAS)

1. Definitions

e-Signature

An electronic signature is a legally binding, digital version of a handwritten signature.

Legally Binding Document

A legally binding document is a document that can be upheld in court, e.g., a contract. A signature is crucial to a legally binding document since it proves that an agreement exists and shows both parties agreed to identical terms.

Approval

To consent officially or formally to a request, decision, or action.

e-Approval

An electronic approval is a process that enables Western to quickly authorize, sign, and approve non-legally binding documents and transactions.

Adobe Sign

An e-signature service that is certified compliant with ISO 27001, SSAE SOC 2 Type 2, FedRAMP Tailored, and PCI DSS. Adobe Sign can be configured to allow Western to meet the other compliance requirements in section 2, Acronyms.

DocuSign

Another e-signature service that is certified compliant with FedRAMP, HIPAA, SOC 2, and GDPR. DocuSign can be customized to allow Western to meet compliance requirements.

2. Acronyms

FDA 21 CFR Part 11

U.S. Food and Drug Administration’s federal regulations for electronic documentation and electronic signatures. It outlines the administration of electronic records in a medical device company's quality management system.

FedRAMP / FedRAMP Tailored

Federal Risk and Authorization Management Program: A U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP Tailored will allow agencies to select a smaller set of controls, based on information types and use, allowing them to obtain authorization more easily for these types of services. This tailoring process is explicitly allowed within NIST SP 800-53 revision 4.

FERPA

Family Educational Rights and Privacy Act of 1974: A U.S. federal law that governs access to educational information and records by public entities such as potential employers, publicly funded educational institutions, and foreign governments.

GDPR

General Data Protection Regulation 2016/679: A regulation in European Union (EU) law on data protection and privacy in the EU and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.

GLBA

Gramm–Leach–Bliley Act: Also known as the Financial Services Modernization Act of 1999 (U.S. Congress). It requires financial institutions—companies that offer consumers financial products or services like loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data.

HIPAA

Health Insurance Portability and Accountability Act of 1996: A federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

ISO 27001

ISO/IEC 27001: An international standard on how to manage information security.

PCI DSS

Payment Card Industry Data Security Standard: An information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.

SSAE SOC 2 Type 2

Statement on Standards for Attestation Engagements No. 16, System and Organizations Controls Report 2, Type 2: Developed by the American Institute of Certified Public Accountants, this auditing report assesses how well organizations handle data security, system privacy, data confidentiality, and data processing processes.

3. Situations that Require e-Signatures

An e-signature should be used only when both of these situations exist:

  1. At least one party of the transaction is external to Western Washington University.
  2. Legal circumstances create the need to use e-signature.

Examples of legally binding documents requiring an e-signature include but are not limited to the following:

  • Contracts
  • Medical documents (e.g., prescription notes, referral letters, etc.)
  • Employment offers
  • University gift agreements

4. Authority

  1. University policy POL-U3000.06: Using Electronic Signatures

5. References

  1. Information Technology Services (ITS) procedure PRO-3200.01: Choosing Best Practice: e-Approval or e-Signature

Change Log

Revised | Version | Author | Approver | Change
06/18/2021 | 1.0 | Wanna VanCuren | ITS Standards & Guidelines Committee | Original Version