Related Policies and Guidelines

TBR Policy 1.08.00.00 Information Technology Resources

TBR Policy 1.12.01.00 Records Retention and Disposal of Records

TBR Guideline B-095 Use of Electronic Signature and Stamp

Purpose

This policy applies to all forms of electronic signatures and electronic records used to conduct the official business of Northeast State Community College. Such business shall include, but not be limited to, electronic communications, procurements, contracts, and other official purposes.  It is not the intent of this policy to eliminate all risk but rather to provide a process that gives parties assurance that appropriate analysis was completed prior to implementation of an electronic signature and that the level of user authentication used is reasonable for the type of transaction conducted.

Scope

Electronic signatures may be used on electronic records for any signature required by Tennessee Board of Regents (TBR) policies or guidelines, institutional policy, or law as long as an approved electronic signature method is used which complies with applicable TBR/Institutional policy, Tennessee Law, and federal law and the transaction is between parties that have agreed to conduct transactions via electronic means.

Definitions

For the purposes of this policy:

1. AUTHENTICATION - To establish as genuine and verify the identity of a person providing an electronic signature.
   
   
2. ELECTRONIC RECORD - Any record created, used, or stored in a medium other than paper, such as: information processing systems, computer equipment and programs, electronic data interchange, electronic mail, voice mail, text messages, information in PDAs and similar technologies.  To the extent that facsimile, telex, and /or telecopying, and/or former hard copy documents are retained in electronic form, through a scanning process, they are also considered electronic records.
   
   
3. ELECTRONIC SIGNATURE - An electronic sound, symbol, or process, attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.  An electronic signature must be attributable (or traceable) to a person who has the intent to sign the record with the use of adequate security and authentication measures that are contained in the method of capturing the electronic transaction (e.g., use of personal identification number or personal log-in identification username and password), and the recipient of the transaction must be able to permanently retain an electronic record of the transaction at the time of receipt.
   
   
4. ELECTRONIC TRANSACTION - A transaction conducted or performed, in whole or in part, by electronic means or electronic records.
   
   
5. APPROVED ELECTRONIC SIGNATURE METHOD - One that has been approved in accordance with this policy and applicable state and federal laws, and which specifies the form of electronic signature, the systems and procedures used with the electronic signature, and the significance of the use of the electronic signature.

Approval of Electronic Signature Methods

1. Approval Authority
    
   1. Electronic Signature Method Committee
      
      
      1. The committee will review new electronic signature methods and make recommendations to the president.
         
         
      2. Committee Chair – The Vice President for Finance and Administration shall serve as the Committee Chair.
         
         
      3. Committee Membership – Vice President for Finance and Administration, Vice President for Institutional Excellence and Student Success, Director of Fiscal Services, Director of Budgeting and Grants, Registrar, Dean of the Library, Dean of Enrollment Management and Executive Director of Recruitment, Chief Information Officer, Purchasing Coordinator
         
         
   2. The President of the College will be the final approval authority for all electronic signature methods.
      
      
2. Approval Method
    
   1. A written request for approval to proceed in developing a process for the application of electronic signatures must be submitted to the Campus Approval Authority. This request shall include:
      
      
      1. Identification of the specific transaction the institution proposes to conduct by electronic means and the form in which the process will take place. Any exceptions within that transaction which will not be conducted by electronic means must be clearly identified. Example transactions/methods include:
         
         
         1. Signature approval granted via authenticated (userid/password) access to an application system such as Banner/Luminis.
            
            
         2. Purchasing / Receiving using Banner.
            
            
         3. Signature approval granted via authenticated (username/password) access to an electronic message (i.e. e-mail).
            
            
         4. Signature approval granted via authenticated (username/password) access to the college network (i.e. Sharepoint applications).
            
            
      2. Identification of the department(s)/position(s) which will be authorized to use the proposed electronic process.
         
         
      3. Identification of the risks associated with using the proposed electronic process, and an assessment of the extent to which those risks are manageable. This assessment must include a clear description of the control processes and procedures that will ensure adequate preservation, disposition, integrity, security, confidentiality, and auditability of the electronic records.
         
         
      4. An analysis of the nature of a transaction or process to determine the level of protection needed and the level of risk that can be tolerated. The analysis shall include:
         
         
         1. The potential costs, quantifiable and unquantifiable, direct and indirect, by performing a cost/benefit analysis;
            
            
         2. A comprehensive plan for converting the non-electronic process to the proposed electronic process; and
            
            
         3. Any additional information relevant to the process.
            
            
      5. The Campus Approval Authority shall:
         
         
         1. Review the proposed process with the institutional internal auditor prior to approval.
            
            
         2. Upon approval, enter information related to the approved transaction in the institutional inventory of approved electronic signature methods.
            
            
   2. Upon written approval to proceed by the Campus Approval Authority, develop a step-by-step procedure for implementation of the process.
      
      
   3. Submit an electronic version of the proposal as approved by the Campus Approval Authority to the TBR Office of Information Technology. If not already prepared, the materials submitted to the TBR must include a brief summary of the transaction(s) involved in the process.
      
      
3. All approved methods must:
   
   comply with TBR Policy 1.12.01.00 and TBR Policy 1.08.00.00.
   
   
4. The Office of Information Technology:
   
   will be responsible for all electronic signature methods requiring the use of encryption technology as outlined in TBR Guideline B-095.
   
   
5. Use of an Electronic Signature
   
   
   1. An electronic signature method is only valid when used within its defined parameters.
      
      
   2. In the event that it is determined an electronic signature method is no longer trustworthy the approval authority must revoke approval of the electronic method. 
      
      
6. Inventory of Approved Electronic Signature Methods
   
   An inventory of approved electronic signature methods is maintained by the Electronic Signature Method Committee Chair.