
Tuesday, 4 September 2012

Digital Transaction & Process integrity (Creating certification & user confidence)



Individuals and business people carry out many of their daily functions on-line in this digital age. How do suppliers of on-line information and services give users greater confidence, so that they can grow their business, create deeper engagement and encourage users to carry out more critical transactions with the on-line service? The answer is about creating more trust.

In the on-line world, how do we create this trust? The answer lies in ensuring there is a chain of authentic evidence in the process that delivers your service, and that the user of the service can independently verify this chain of evidence with an independent specialist in digital content assurance. So what does that mean for the user? On-line users of services are very familiar with the standard security processes and brands, e.g. passwords, user authentication emails, SSL, Norton, and secure payment systems such as Visa, Realex, etc. All these components go towards building trust for the user. In addition, some service providers go the extra mile and use more complex and expensive certified keys and encryption, though this often comes with an overhead for the user.

How can we improve that user trust & confidence?

There are three key areas that need to be addressed in a simple and cost effective manner:

1. Source Identity Integrity & Authenticity

   a. Is this person, company or entity who they represent themselves to be?

2. Content Provenance & Integrity

   a. Is the (digital) content the original, un-tampered and as issued?

3. Verification of Identity & Integrity

   a. Can I confirm 1 & 2 above with one click?

For the supplier of on-line services & information whether they be process based or transaction based, the question is how can I build these characteristics into my software in a simple and cost effective manner?

For the User when using the on-line service, is it obvious and intuitive that any information and service I use on this web-site I can trust, and if I have a concern can I independently verify the provenance, Integrity & Authenticity with one click of the mouse?

How to build in trust and certification to your software?

Digiprove’s patented and certified technology is a unique way to quickly and cost effectively build in a traceable, certified and verifiable set of functionality, either by using one of the Digiprove products or by quickly embedding the process using our software developer’s kit (SDK).

What can be achieved by embedding Digiprove in your solution?

The most important outcome is your on-line service and information is differentiated because it has independently verifiable credentials, enabled by Digiprove.

·         End user customers and embedded partners have independent verification of their identity and can use the ID-V logo on their digital certificates.

·         Each piece of digital content (Text, Image, Audio, Video, Data), can at any stage in the process be quickly certified by the Digiprove “Proof Engine” as an automated task. This creates an audit trail and independently verifiable certificate with the digital fingerprint, date, time and location which is undisputable evidence and proof of authenticity.

·         A user or receiver of the content can verify, either on-line or off-line, the provenance, integrity and authenticity of the digital content as well as the credentials of the originator.

The bottom line is by deploying Digiprove technology any Digital Asset which has a value whether financial, reputational, brand or compliance can have that value protected.

Protecting On-Line Reputation


On-Line Reputation Management

Whether you are a business, not-for-profit organisation, band, or individual, your reputation and brand are important to you. We often differentiate between the on-line and off-line brand and reputation, but for most they are closely connected, albeit with a slightly different emphasis on-line. The one common thing is that in today's digital world our reputation can be damaged in milliseconds, either accidentally or maliciously. Digital technology brings huge benefits in the flexibility to create, change and mass communicate content and information, but this benefit comes with risks that have to be managed.

So what are the risks?

There are two main digital risks that expose your reputation:-

1.       Identity Fraud or Theft

2.       Message tampering

Identity Fraud relates to known or unknown persons or entities misrepresenting themselves as someone else, or some other entity (Band, Association, Company, Organisation). Having adopted a false identity they then communicate misinformation that, as a minimum may be misleading and disruptive and, at worst be libellous and cause serious if not fatal damage to a reputation. Regardless of the extent of the misrepresentation there is a cost to those that are misrepresented and many other related stakeholders.

Message Tampering is the situation where what is communicated and interpreted by the reader has been changed either accidentally or maliciously. The ability even for the amateur hacker to change digital content is strong, given the nature of digital content, and the professional hacker can make changes and leave no record or evidence.

The bottom line is it’s relatively easy to adopt a false identity and to change digital data, text and tweets as examples.

How can I protect my on-line reputation?

Identity Fraud

There are many solutions. Twitter, for example, provides an identity verification and mark for high profile individuals; however, they choose who will get the benefit of this process, and it is only offered to a relatively small number of famous people/entities.

Digiprove have enabled their technology process so that anyone can add a significant layer of protection to their identity. When you become a paid user of Digiprove’s on-line digital content protection service, your identity will be verified using your credit card details, so long as you have a credit card in the same name as your account registration. Once you have Digiproved your content or issued a tweet from Digiprove, we associate your content/tweet with your identity. Readers of your content/tweets will be able to quickly verify that you have an identity verified mark on www.digiprove.com at the click of the mouse.

Content & Tweet Tampering

In addition to ensuring your personal identity remains authentic, you are also concerned that your content/tweet is received un-tampered and the reader sees it exactly as you intended. By using the Digiprove functionality all your content/messages will be certified. This means there is a digital certificate created, which includes the unique digital fingerprint of your message, the date, time and your identity at the time you create your message. Any readers of your content, whether it be documents, images, web pages etc., can verify the integrity on-line and view the certificate.

Digiprove inserts a short link into your tweet that all readers can see. By clicking on that link any reader can view the certificate details. They can also cut and paste the text, should they wish, and have the Digiprove proof engine confirm its integrity and authenticity; any tampering will be evident.

Monday, 27 February 2012

Protect Digital content before Facebook, YouTube and Flickr upload



Are your uploads and blogs important to you?

Whether you are a frequent or occasional publisher of digital content to the Web, have you considered the consequences of unauthorised use of your content? The answer we most frequently hear is either “I never thought of that” or “How do I do that”.

Digital content, whether it be text, images, photos, audio files or video files, is extremely easy to copy, modify and re-use and is therefore open to abuse. The abuse can be malicious or inadvertent and cause reputational damage and/or financial loss. Alternatively the published content may just be personally important to you, your organisation, your family, friends, members, customers, suppliers and colleagues.

So if you use Social Media such as Facebook, YouTube, Flickr, and LinkedIn or publish to Websites, Blogs and Forums, you should consider protecting your content. You want to know if it has been accessed and interfered with and/or re-used/republished.

Regardless of security systems, abuse still occurs with published and unpublished digital content. In the event your digital content has been misused, you want to have evidence firstly that you own the content and also evidence that it has been tampered with. Ultimately, whether your important content was used erroneously or maliciously, you will require this evidence to persuade the party at fault to take action and correct the issue, or in the worst case you may need that evidence to seek legal redress for reputational or financial damages.

Digiprove provides an effective solution to protecting your digital content before you publish

Digiprove provides the evidence to prove you own it, prove you sent it, and prove it has been tampered with in a secure and confidential manner. Digiprove’s patented “Proof Engine” technology is designed to create the provenance, authenticity & integrity of any type of Digital content without the need to send your content to us, so it always remains confidential to you. A unique digital fingerprint of your digital content is created, and it is certified and logged as non-repudiable proof of its existence and ownership at a point in time (and location on portable devices with GPS). Your content can be validated on-line or off-line at any time to confirm its provenance and integrity.

You only pay for what you need to protect through simple on-line value for money subscriptions. But before you buy, why don’t you try our free trial? You will immediately gain confidence that this simple to use system protects your important digital content. You can use our Selfprotect on-line self-service to protect content and email communications, Autoprotect to automate the whole process as a background task in a matter of minutes, or Webprotect if you are a user of WordPress.

http://www.digiprove.com/

Friday, 17 February 2012

Digital Content & SOX compliance



SOX
The Sarbanes–Oxley Act of 2002 was put in place by the US government to protect investors in public companies following a series of corporate and accounting scandals perpetrated in the late 90’s and early 00’s which included Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals, which cost investors billions of dollars when the share prices of affected companies collapsed, shook public confidence in the nation's securities markets.
Much has been written about these scandals and also SOX and what is now required of Public Companies and their stakeholders to secure society’s confidence in the Markets and keep corporate officers and employees out of jail. This piece concerns itself with a specific set of challenges relating to Digital Content used in a public company or for that matter any company.

Section 404, 802 & Digital Content
Section 404 of the Act “Assessment of Internal Controls” & Section 802 “Criminal Penalties for influencing US Agency Investigation” are key sections relating to the effectiveness of the act and the actions and processes public companies must take or put in place.

In particular section 404 is concerned with the prevention and detection of fraud and error and the adequacy of controls required. The integrity, authenticity and provenance of digital content (data, text, Audio, Video etc.) must be secured and be non-repudiable. We know that digital content is much easier to change than paper based content, and public companies must find cost effective solutions to assure trust and confidence in their management and control of Digital content. Section 404 focuses on content authenticity and integrity.

Section 802: “ Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both”. This brings home the importance of being able to identify fraudulent, malicious or even just simple errors that may be part of an audit or evidential chain and required to establish trust and confidence in digital data/content. Section 802 in addition to the focus above in section 404 also brings attention to the history and flows of the digital content.

How can public companies identify and prevent fraud or error in their digital content cost effectively?

1. Identify & List the company’s digital assets (versions, time lines etc.)
2. Perform a Risk analysis and identify those critical digital assets
3. Identify those critical digital content types and forms that must be protected and controlled through their life cycle.

Sample critical Digital Assets
·         Contractual documentation
·         Policy & Procedure documents and records
·         Intellectual Property
·         Trademarks and copyright
·         Financial reports
·         HR & employee records
·         Performance Management records
·         Software applications
·         Software logs
·         Databases
·         Recorded telephone conversations
·         Recorded conference calls(Audio/Video)
·         Images, Photographs, Videos

Identify & implement appropriate software controls, such as Digiprove, as a solution to the digital content/asset protection.

What are the core features that a simple software solution must have?

·         Establish the authenticity and integrity of digital content on entry into the company’s digital world, whether created within that world or entering externally, whether it be via an electronic communication or a scanned solution. (This can be achieved by creating a unique digital fingerprint of the content and metadata such as date, time, location, ownership)
·         Maintain full confidentiality of this digital content in that it does not get sent externally outside the company’s own controlled digital world to be certified.
·         Create an audit trail for the defined digital content and any actions taken on that content.
·         Be able to verify the provenance of any digital content once it has been certified and verify if it has been tampered with.
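
The four features above can be sketched with standard hashing. This is an added example, not Digiprove's code or method: SHA-256 as the fingerprint, a hash-chained log as the audit trail, and the constructed sample document and `finance@example.com` owner are all assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # stand-in "previous hash" for the first audit entry


def fingerprint(content: bytes) -> str:
    """SHA-256 of the content, computed locally; the content itself is never sent."""
    return hashlib.sha256(content).hexdigest()


def make_certificate(content: bytes, owner: str, issued_at: str, location: str = "") -> dict:
    """Bind the fingerprint to the metadata the text lists: date/time, location, ownership."""
    return {"fingerprint": fingerprint(content), "owner": owner,
            "issued_at": issued_at, "location": location}


def verify_content(content: bytes, certificate: dict) -> bool:
    """True only if the content is byte-for-byte what was certified."""
    return hmac.compare_digest(fingerprint(content), certificate["fingerprint"])


def hash_entry(body: dict) -> str:
    """Hash an audit entry over canonical JSON so equal entries hash equally."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only log; each entry commits to the one before it (assumed design)."""

    def __init__(self):
        self.entries = []

    def head(self) -> str:
        """Hash of the latest entry: the one value to lodge with an independent party."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS

    def append(self, action: str, certificate: dict, at: str) -> dict:
        body = {"seq": len(self.entries), "action": action, "at": at,
                "certificate": dict(certificate), "prev_hash": self.head()}
        entry = dict(body, entry_hash=hash_entry(body))
        self.entries.append(entry)
        return entry

    def first_broken_entry(self):
        """Index of the first entry that fails verification, or None if the chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if (entry["seq"] != i or entry["prev_hash"] != prev
                    or hash_entry(body) != entry["entry_hash"]):
                return i
            prev = entry["entry_hash"]
        return None

    def matches_anchor(self, anchored_head: str) -> bool:
        """An internally consistent chain is not enough: a wholesale rewrite is
        only caught by comparing against a head hash held outside the system."""
        return self.first_broken_entry() is None and hmac.compare_digest(self.head(), anchored_head)


def demo() -> dict:
    doc = b"Q3 financial report, final (constructed sample)"
    cert = make_certificate(doc, "finance@example.com", "2012-02-17T09:00:00Z")
    trail = AuditTrail()
    trail.append("certified", cert, "2012-02-17T09:00:00Z")
    trail.append("verified", cert, "2012-02-18T10:30:00Z")
    anchored = trail.head()
    results = {"original_ok": verify_content(doc, cert),
               "altered_ok": verify_content(doc.replace(b"Q3", b"Q4"), cert),
               "chain_ok": trail.matches_anchor(anchored)}
    trail.entries[0]["at"] = "2012-01-01T00:00:00Z"  # back-date one log entry
    results["broken_at"] = trail.first_broken_entry()
    return results


if __name__ == "__main__":
    print(demo())
```

Only the certificate and the head hash need to leave the company's systems; the content stays where it is. Having the independent party sign or timestamp that head hash is outside this sketch.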

Digiprove products tick all the boxes:

Selfprotect – a simple SaaS on-line service for content and communications
Autoprotect – a simple background utility that automatically protects the identified files and folders.
Completeprotect – includes digital log event certification and audit trail along with autoprotected content. (New Product)
Signasure – enables and protects documents with all types of digital signatures (New Product)
Brokerprove – A standalone solution for SME professional service providers
Embedprotect – A software developer’s kit that enables Digiprove technology to be quickly integrated into a company’s business applications



HR Digital Content & SOX compliance



SOX
The Sarbanes–Oxley Act of 2002 was put in place by the US government to protect investors in public companies following a series of corporate and accounting scandals perpetrated in the late 90’s and early 00’s which included Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom. These scandals, which cost investors billions of dollars when the share prices of affected companies collapsed, shook public confidence in the nation's securities markets.
Much has been written about these scandals and also SOX and what is now required of Public Companies and their stakeholders to secure society’s confidence in the Markets and keep corporate officers and employees out of jail. This piece concerns itself with a specific set of challenges relating to HR Digital Content used in a public company or for that matter any company, and the role of HR in ensuring best practice for digital content relating to the management of the primary asset of the company: its staff.

Section 404, 301, 806 & Digital Content
Section 404 of the Act “Assessment of Internal Controls”

In particular section 404 is concerned with the protection of corporate assets. In the context of the overall goal of SOX, “to protect investors in public companies”, HR contributes to internal controls relating to people that could create significant financial risk for the organisation, including employment law litigation and fraud. Employment contract clauses such as non-disclosure, non-solicit, non-compete, IPR & confidential information protection and performance standards are all critical, as are the HR processes to control and manage any exposure. Training is another area of importance, such as specific job skills, health & safety, and legal obligations; the integrity of the training and training records is also central to avoiding potential litigation, whether it be commercial, employment law or product/professional indemnity financial exposures. Add to this that rules and policies relating to procurement, expense reporting and commissions all create potential fraud opportunities, and we can see that HR, its processes and its digital content make a significant contribution to SOX compliance.

Sections 301 & 806 are also key sections where HR digital content is fundamental to compliance and in fact may produce important digital evidence for internal or external scrutiny. The sections refer to the “Whistle-blower” requirements, which are usually managed by HR. Creating a trusted Whistle-blower process with integrity may involve digital content of many types including databases, documents, audio and video records. HR must ensure that the process is fair and transparent, that it protects the rights of all parties and that there is avoidance of retaliation litigation risk. Not only that, but once a whistle-blower reports an incident everything in the system becomes potential evidence, so as e-discovery finds this evidence the digital forensic chain must be secured.

How can HR in public companies identify and prevent litigation & financial risk?

1. Identify & List the company’s HR digital assets (versions, time lines etc.)
2. Perform a Risk analysis and identify those critical digital assets
3. Identify those critical digital content types and forms that must be protected and controlled through their life cycle.
4. Ensure that whistle-blower procedures are digital- and evidence-friendly
5. Put in place adequate digital evidence and asset authenticity and integrity controls

Identify & implement appropriate software controls, such as Digiprove, as a solution to the digital content/asset protection.

What are the core features that a simple software solution must have?

·         Establish the authenticity and integrity of digital content on entry into the company’s HR digital world, whether created within that world or entering externally, whether it be via an electronic communication or a scanned solution. (This can be achieved by creating a unique digital fingerprint of the content and metadata such as date, time, location, ownership)
·         Maintain full confidentiality of this HR digital content in that it does not get sent externally outside the company’s own controlled digital world to be certified.
·         Create an audit trail for the defined HR digital content and any actions taken on that content.
·         Be able to verify the provenance of any HR digital content once it has been certified and verify if it has been tampered with.

Digiprove products tick all the boxes:

Selfprotect – a simple SaaS on-line service for content and communications
Autoprotect – a simple background utility that automatically protects the identified files and folders.
Completeprotect – includes digital log event certification and audit trail along with autoprotected content. (New Product)
Signasure – enables and protects documents with all types of digital signatures (New Product)
Brokerprove – A standalone solution for SME professional service providers
Embedprotect – A software developer’s kit that enables Digiprove technology to be quickly integrated into a company’s business applications


Monday, 6 February 2012

Data Protection & Digital Content in HR: How To Draft A Policy


We know that the aim of a data protection policy is to ensure that employees are aware of their own rights, and of their obligations concerning personal data processed by their employer. The purpose of a data protection act is to enforce compliance from employers to make sure they carry out their obligations to the employee. So, who is a data protection policy for, and what exactly can it do that benefits an HR department?

A data protection policy is not only for the benefit of full time employees. It could be used to protect contract workers, agency staff and other kinds of workers too. In the HR department, it is particularly important that employee data is protected, especially considering it’s the department that all major employment decisions go through. This kind of data requires high security and proof of authenticity.

How do we go about formulating a data protection policy?

A lot goes into designing a data protection policy, but here are a couple of points to get you started. A general data protection policy should:

·         Identify a person within the organization who will have responsibility for ensuring that the employer complies with data protection regulations. This person will usually be a senior figure in the HR department.

·         Ensure that employees are fully aware of any data held about them, and that they understand how this data could be used and disclosed. It is normal practice that an organization will use personal data like salary and pensions, and this will be held on an electronic device. The depth of this data could go further; for example, employers may keep health records for reference.

It is vital that employee data held on organizational systems can be transparent and trustworthy. That’s where Autoprotect comes in as an asset to the HR department in maintaining legitimacy of files, and supporting their data protection policy.

The above are just two points about what a data protection policy should enforce. For further information, make sure to keep your eyes on our blog.


Monday, 23 January 2012

Compliance & Value of digital signatures

Under the Electronic Commerce Act 2000 of Ireland, electronic communications are equally valid with paper-based communications. Electronic signatures are valid if the receiving party consents to the use of an electronic signature.  The definition of an electronic signature in this legislation is very broad: "electronic signature, an advanced electronic signature, an electronic signature based on a qualified certificate, an electronic signature created by a secure signature creation device or other technological requirements relating to an electronic signature"

There is however one caveat: where there is a legal obligation to retain original documentation (e.g. a Financial Advisor needs to keep client instructions for 7 years), the electronic record can meet this requirement, provided that:
  • there exists a reliable assurance as to the integrity of the information from the time when it was first generated in its final form, whether as an electronic communication or otherwise,
  • where it is required or permitted that the information be presented— if the information is capable of being displayed in intelligible form to a person or public body to whom it is to be presented,
  • if, at the time the information was generated in its final form, it was reasonable to expect that it would be readily accessible so as to be useable for subsequent reference,
  • where the information is required or permitted to be presented to or retained for a public body or for a person acting on behalf of a public body, and the public body consents to the information being presented or retained in electronic form, whether as an electronic communication or otherwise, but requires that it be presented or retained in accordance with particular information technology and procedural requirements— if the public body's requirements have been met and those requirements have been made public and are objective, transparent, proportionate and non-discriminatory, and
  • where the information is required or permitted to be presented to or retained for a person who is neither a public body nor acting on behalf of a public body— if the person to whom the information is required or permitted to be presented or for whom it is required or permitted to be retained consents to the information being presented or retained in that form.
However Digiproving does have the following real advantages:
  1. When added to an electronically signed document at the same time the document is signed, it meets any statutory obligation in relation to retention of original documents
  2. Offers an irrefutable assurance that the document has not been altered either accidentally or deliberately since its creation
  3. Offers an irrefutable timestamp certifying the time of creation of the document (And location information if it is available on the device)
  4. It meets the requirements for retention of records (In digital format), thus creating less dependence on paper records.
Items 2 & 3 are important because not only do they provide comfort to the receiving party (who must after all consent to the use of e-communications) of the integrity of the document, they remove all reasonable doubt (whether in a court case or otherwise) that a document could have been altered.  Other safeguards such as archiving and time stamping logs may be circumvented by any software engineer or gifted amateur, or indeed by malicious design.

Finally the legislation describes an "advanced electronic signature based on a qualified certificate". I am pretty certain this means what is usually referred to as a Digital Signature, based on PKI using CAs such as Verisign (such as what is implemented in Adobe; there are many examples like this, and I think An Post have something as well). This has one particular legal advantage in that it is recognised as a witnessed signature, and appears to be a requirement in applying signatures to documents that require witnessing. Cryptographically it is a very secure solution. However it comes with a major overhead: everyone who signs has to have a Digital ID (or digital certificate) from a recognised CA. There is (as you would expect) a whole process involved in proving your identity to the CA, and of course an annual cost. Despite massive promotion by companies like RSA and Baltimore in the late 90s, this technology did not succeed.

For more information

http://www.digiprove.com/

http://www.brokerprove.com/ for financial advisors