Business Intel, February 2015 | Business Officer Magazine

RISK MANAGEMENT

When Digital Signatures Make a Debut at Colleges and Universities

In today’s world, innovations emerge at a stunning rate and are often sparked by technology advances or capabilities. Such is the case with electronic and digital signatures, which have made their way into the business world and hold potential to make higher education processes more efficient as well.

However, as with many new procedures, business officers must view the adoption of digital signatures against the canvas of overall risk and the level of authentication required for specific transactions.

At this point, there is still debate in many universities about whether to accept digital signatures, continue the status quo of “wet ink” signatures, or develop hybrid signature methods. Digital signature transaction-management platform solutions can streamline and automate document signing, validate signed documents within business processes, and securely archive all signed documents to help accelerate transactions and reduce costs.

The University System of Alaska Fairbanks has been researching and piloting the use of digital signatures in several areas, including the offices of bursars, admissions, procurement, and finance —with transactions ranging from internal approvals, tuition waivers, memos, and approvals on routine business communications. With our recent experiences in mind, we’ll share some advice on development and implementation of an effective digital signature process.

Definition and Differentiation

According to the Electronic Signatures in Global and National Commerce Act (ESIGN, 2000), an electronic signature is an electronic sound, symbol, or process attached to or logically associated with a record, and executed or adopted by a person with the intent to sign the record. A digital signature, on the other hand, refers to an encryption/decryption technology, on which an electronic signature solution is built.

A digital signature (a) achieves the collection of evidence of the document (via metadata, IP address, etc.), (b) verifies the identity of a signer/receiver, and (c) provides an audit trail of the transactions. Digital signatures are part of the process of electronic authentication that uses unique features called public or private key infrastructure. The private key is known only to the signer, while the public key is for anyone who receives the signed document. In the digital signature process, the document is encrypted with a private key by the signer and is decrypted by the receiver using a public key.

In layman’s terms, a digital signature, loosely referred to as an electronic signature, is a person’s electronic expression of his or her agreement to the terms of a particular document, with the intent to sign. Under the Uniform Electronics Transactions Act, the signatory is legally bound to the commitments made in the signed document. The electronic signature acts as an instrument of evidence regarding the authenticity of the electronic document in the same way as the handwritten signature does regarding paper-based documents.

Technical Details

While the technology requirements for creating the digital signature capability are fairly straightforward, it’s wise to conduct an infrastructure analysis and evaluation. The main areas to consider in the existing information technology environment include:

Overall IT system evaluation and strategy. The system evaluation includes servers, network security, and application platforms. An important factor is the qualitative and quantitative estimation of the ways the systems’ current benefits align with institutional goals. The office of information technology coordinates the IT evaluation team, which includes representatives from various departments, and conducts the initial evaluation of the technology environment. Based on the results, strategic decisions are made regarding the areas suitable for pilot testing and implementation.
Organizational structure. This assessment should include the nature of business processes in all functional areas, such as admissions, financial aid, human resources, facilities, athletics, and sponsored programs, that deal with financial transactions. There are areas where digital signature can be easily implemented, such as employee timesheets, timesheet approvals, human resource forms, employee benefits, and specific admissions and financial aid forms. However, the university policy needs to spell out clearly the business processes that can be conducted by digital signature approval methods.
Security policy. The organizational security policy is mandated by various government regulations, such as FERPA, HIPAA, Sarbanes-Oxley, and others. The university’s risk management, legal counsel, internal audit, information security, and records information management departments are pivotal in providing key inputs to the policy.

Strategy and Implementation Steps

The institution’s culture change and process implementation can be just as important as the technical details.

Before adopting a digital signature solution (or any technology solution), we considered four key steps (see figure above for details).

Support and sponsorship. Securing executive support and stakeholder buy-in is critical to the evolution and implementation of the new process. In addition, electronic transactions connect a variety of functional areas; and, hence, a comprehensive change management plan and fully engaged executive sponsorship are critical to the success of the project. The initial phase of stakeholder buy-in involves the drafting of the digital signature policy, in collaboration with the university’s legal counsel, internal audit, information security, and records information management.

The draft can then be shared with the administrative heads of admissions, finance, budget, human resources, sponsored programs, and the registrar. The final draft policy, after approval by the legal, internal audit, and information security departments can then be adopted as university policy and published on the university website.

At the University of Alaska, our policy guidelines are in final draft stage, with various stakeholder groups currently reviewing them. Since we are closely aligned with the Tennessee Board of Regents, much of our policy reflects key points included in its signature policies.

Assessment and feedback. In an effort to gauge support for the new signature process, it’s useful to develop a campuswide survey to assess the business need for digital signatures. The survey may include questions about the ways the digital signature aligns with the university’s goals, as well as legal and audit compliance.

A key factor to consider in implementing digital signatures is to identify the level of risk tolerance and the associated risk for a particular business process. University risks may involve financial, reputational, and other key administrative communications. Based on the various types of business processes and the level of severity, the assurance (which is a combination of authentication and validation) and trust levels have to be established. Functional area managers and organizations need to assess the level of risk, and to the extent to which one should secure the digital signature platform.

This correlation poses a trade-off challenge to business managers and organizations willing to accept digital signatures, thereby compelling them to identify those business processes that require optimum levels of authentication to offset risks.

Digital signature rollout. Based on the functional area needs for digital signatures, a quick assessment of the number of transactions and the level of approval(s) required for a particular business process will provide a fairly accurate notion of the nature of the digital signature. For example, at most universities, the human resources benefits and health plan add/modify forms require a “wet ink” signature on any change to benefits or changes in health plans.

Each functional area determines the type of process (or forms) that may be substituted with digital signatures, sometimes setting a threshold on the monetary value for financial transactions below which all approvals may be authorized by digital signatures. One way to pilot the plan is to conduct a phased implementation in low-risk functional areas in which transactions are monitored for proper usage, unauthorized access, and security breaches.

With electronic transactions evolving at a rapid pace, digital signatures will become more acceptable. While the technology genie of digital signatures cannot be recaptured into the bottle, colleges and universities can balance the technology solution with the level of risk of acceptance to arrive at the best solution for their processes and practices.

SUBMITTED BY Shiva Hullavarad, enterprise content and electronic records administrator; Russell O’Hare, chief records officer; and Ashok Roy, vice president for finance and administration and CFO, at the University System of Alaska Fairbanks.

INTERNATIONAL

Four-Pronged Approach to Travel Abroad Risks

A one-day conference hosted this month by the international office leadership of the University of Texas at Austin focused on the challenges of assessing, managing, and mitigating international travel risk associated with study abroad programs. “Uncertain political climates, natural disasters, and mental health issues create challenges for universities wanting to send students to all parts of the world,” said Janet Ellzey, vice provost for international programs and director of the UT-Austin international office. “In addition, we have a greater number of students studying abroad than ever before.”

Risk-related resources. The agenda for the Challenge of International Oversight conference, held February 13 at the UT-Austin campus, featured a combination of approaches to reducing risk and giving students the best possible global experience.

Underscoring UT’s significant work in this area is the recent development of a full-time risk analyst position within the international office. Former Peace Corps volunteer Erin Wolf fills the role and emphasizes the need to view travel-abroad risks as encompassing four major areas: mitigation, preparedness, response, and recovery. “As a university … we must consider our role during every step of a student’s journey—from promoting individual preparedness before a student gets on the plane, to the support we can provide in-country, to the resources we have available in the event of an emergency or crisis situation.”

Building on broad participation. The international conference is a logical outgrowth of UT-Austin’s priority to be a hub for international education. With more than 5,000 international students and close to 1,600 international faculty, scholars, and researchers on campus each year, the university was also recognized by the Open Doors 2014 report as one of the top 25 campuses with the most students studying abroad.

RESOURCE LINK For more information about the conference and the UT-Austin international office, go to https://world.utexas.edu/about.

Business Officer’s Business Intel department offers increased publishing opportunities for ideas and initiatives your college or university is exploring. Send us a brief description of a project, product, process, or repositioning plan that is working or gaining traction on your campus. Don’t hesitate to include insightful professional development tips your colleagues and peers may find useful.

Here are a few topics you might consider writing about:

Effective collaborations or shared services.
Succession plans for the institution as well as for your division or department.
Human resources initiatives that support faculty, staff, and students.
A conference or professional development idea that you were able to bring back and implement on campus.
A book that you’ve found particularly helpful.

Send your ideas to editor@nacubo.org, and you may see them in print!

“For many families, private loans are much cheaper than federal loans, which is a reversal from even a year ago.”
— Wall Street Journal blog, September 2014

Fast Fact

Quick Clicks

Report Card on Distance Learning

The 2014–15 National Online Learners Priorities Report shows three key ratings that illustrate student perceptions on the instruction they receive: importance, satisfaction, and gap (the difference between the importance and satisfaction scores). On instruction-related items, this year’s study indicated high gap scores in several areas. For example, students report significant gaps between importance and satisfaction in two related issues—faculty being responsive and faculty providing timely feedback. While also important to students in traditional programs, these issues take on even greater priority for students taking online courses. For instance, the nature of the 24/7 environment may create an expectation of constant availability of faculty, making it a priority for faculty to communicate responsiveness guidelines that manage expectations—and then sticking to the promised schedule.

Top Education Issues for 2015

The Council of State Governments published its series of “Top 5” issues in areas such as transportation, health, and workforce preparation, outlining related state activities in the coming year. For education, CSG identified these top five issues: school readiness for all; experiential and work-based learning; academic success for at-risk populations; innovative state accountability systems; and advance attainment of degrees, certificates, and high-quality credentials.