Thursday, July 11, 2013

ISACA, Barcelona, electronic signature and an audit guide, part 1

Yes, I admit that at first sight it may seem like a post of very local interest, but I develop some views on the electronic signature market that are fully exportable. Judge for yourselves.

On 4 June (yesterday afternoon, c'mon), the Barcelona chapter of ISACA (ES), in its line of organizing continuing education seminars, held the "Electronic signature" session at the Caixa Forum premises.

The day was most interesting, with four presentations and a very rich subsequent discussion. The presentations were: a CoBIT5 pill, electronic signatures from a Public Certification Services Provider (CSP) point of view, electronic signatures from a Private CSP point of view, and the presentation of the "Guide for auditing systems that have deployed electronic signature".

Authors of the ISACA Barcelona chapter's electronic signature audit guide and some of the speakers
From left to right, Xavier Rubiralta, myself, Gemma Deler, Joaquim Altafaja, Mercè Mestre and Marta Cruellas. Can you guess who are the authors of the guide?

Joaquim Altafaja opened the day by presenting the agenda. Then Albert Lladó presented a pill on CoBIT5, one of the series of ten (10) pills that ISACA Barcelona will present over the ten days of continuing education it holds every year.

Later, Marta Cruellas, representing l'Agència Catalana de Certificació - CATCert (ES), gave her views on the state of electronic signature(s) and their use, in a presentation rich in numbers and statistics. Two points stood out: her emphasis on the plural, electronic signatures, i.e. recognising all types of electronic signature (and not just those based on certificates and digital signatures), and their low use in Spain in C2G relationships, perhaps because we are in the lower middle of Europe in eGovernment.

At least Catalunya is above the Spanish average in the use of electronic signatures in C2G relationships, in my opinion thanks to the excellent work of CATCert and the AOC Consortium (ES-CA).

Afterwards I, representing Firmaprofesional, presented the electronic signature market from the point of view of a Private CSP, Certification Service Providers (ES).

Isaca ws-bcn-130604 from Chema López

Following Marta's approach, I consider "electronic signatures" in its broadest sense, which can include technologies such as user and password, coordinate cards, handwritten signature capture (with or without biometrics) and, obviously, the digital certificate-based ones.

Market trends are clear: go for certificates "WITH" attributes and timestamps.

Timestamps provide integrity and a reliable date: proof that a given document with specific content existed, or that a transaction took place, at a given moment, without the need for personal certificates and the heavy lifecycle management procedures that come with them.

Certificates WITH attributes

Attribute certificates (certificates that identify a quality, state or condition and that are associated, i.e. linked, to an identity certificate) are not the same as certificates WITH attributes (identity certificates, binding the identification data of a natural person or entity to a public key, which also contain attributes of the person identified).

It is not the purpose of this post to make a comparative analysis of identity certificates versus attribute certificates, but to identify the advantages of a certificate WITH attributes (for example those issued by Firmaprofesional) over a plain identity certificate (e.g. the Spanish ID card, the DNI electrónico (ES), DNIe).

In the end, electronic signature is about efficiency and cost savings, including and especially saving TIME. When an organization implements electronic signature it is not investing in technology; it is buying TIME.

When a certificate is issued with an attribute, such as "Medical referee", a little more time and paperwork is needed to issue the certificate, but from that moment on we are guaranteed that a document (e.g. a prescription) is signed by a "Medical referee", without having to query databases or perform other checks to validate that the person is a doctor and is allowed to issue prescriptions. Multiply the savings by each document signed and by each time it is validated. This is efficiency.
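To make the relying-party side of this concrete, here is an added example (my own illustration, not Firmaprofesional's or CATCert's code) in Go: the CSP issues an identity certificate that also carries the verified role, and the validator checks the signature on the prescription and reads the role from the certificate itself, with no registry lookup. It assumes the role travels in a private X.509 extension under a placeholder OID and uses a self-signed certificate instead of a real CA chain; both are simplifications.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)
// roleOID is an assumed placeholder private OID for the role attribute, not any real CSP's.
var roleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
// IssueCertWithAttribute builds an identity certificate for cn carrying the role the CSP
// verified at issuance (e.g. "Doctor"). Self-signed here for brevity; a real CA would sign it.
func IssueCertWithAttribute(cn, role string) ([]byte, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	roleDER, _ := asn1.Marshal(role) // attribute value encoded as an ASN.1 string
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: cn},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(24 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: roleOID, Value: roleDER}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der, priv, err
}
// VerifySignedByRole checks sig over doc with the certificate's key, then reads the signer's
// role from the certificate itself: no database query about the signer is needed.
func VerifySignedByRole(der, doc, sig []byte, wantRole string) error {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	if err := cert.CheckSignature(x509.PureEd25519, doc, sig); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(roleOID) {
			var role string
			if _, err := asn1.Unmarshal(ext.Value, &role); err != nil || role != wantRole {
				return fmt.Errorf("signer role %q does not satisfy %q", role, wantRole)
			}
			return nil
		}
	}
	return fmt.Errorf("certificate carries no role attribute")
}
```

In production the certificate would also be chained to the issuing CA and checked for validity period and revocation before the attribute is trusted.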

To be continued ...

