eSign Application Service Provider (ASP) Audit

An application service provider is any vendor that provides software that will hold data but is managed and operated in the vendor's data centre, and is therefore not controlled or secured by the customer's own Information Technology function. This includes third-party software and services vendors.

Audit Requirements:

  • The communication between the ASP and the ESP (eSign Service Provider) should be digitally signed and encrypted.
  • The communication line between the ASP and the ESP should be secured. A leased line or a similar private line between the ASP and the ESP is strongly recommended. If a public network is used, a secure channel such as TLS should be deployed (SSL is deprecated and should not be relied on).
  • The ASP should have a documented information security policy in line with security standards such as ISO 27001.
  • A compliance review of the controls defined in the information security policy should be carried out.
  • ASPs should follow standards such as ISO 27001 to maintain information security.
  • Compliance with prevailing laws such as the IT Act 2000, and the applicable Rules and Regulations thereunder, should be ensured.
  • Software to prevent malware/virus attacks may be put in place, and anti-virus software installed to protect against viruses. Additional network security controls and endpoint authentication schemes may be put in place.
  • A resident consent process must be implemented to obtain consent for every transaction carried out. The user must be asked whether they are willing to sign the document, and the consent record should be stored.
  • Application security assessment of the ASP by a CERT-In empanelled auditor.
  • ASP data logging for audit purposes should be provisioned.
  • The ASP should not delegate any of its obligations to external organizations or applications.
  • Refer to the stakeholders involved in eSign services, such as the end user, ASP, ESP, CA, e-KYC provider, and CCA.
  • The audit checklist provided under these guidelines.
  • Demonstration and analysis of the production-ready application with regard to eSign.
  • Verification of the production environment for its security requirements, compliance, and location.
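The first requirement above, that every ASP to ESP message be digitally signed, is the one an auditor most often has to check by inspection. The following Go program is an added illustration, not code from the eSign guidelines or from any ESP: it shows the pattern in which the ASP signs a canonical request payload with its private key and the ESP verifies that signature against the public key registered for that ASP, rejecting tampered, replayed, or unknown-sender requests. The envelope fields, the Ed25519 key type, the JSON canonicalisation, and the five-minute replay window are all assumptions made for the example; the real eSign API defines its own request format. Confidentiality (the "encrypted" half of the requirement) is left to the transport, which is the TLS channel the second requirement calls for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SignedRequest is an ASSUMED envelope for an ASP -> ESP message, used only to
// illustrate the "digitally signed" requirement. The real eSign API defines
// its own request format, which this example does not reproduce.
type SignedRequest struct {
	ASPID     string `json:"aspId"`   // identifier the ESP uses to look up the ASP's registered key
	TxnID     string `json:"txnId"`   // ASP-side transaction identifier (also useful for the audit log)
	Timestamp string `json:"ts"`      // RFC3339 time of the request, bounded by a replay window
	DocHash   string `json:"docHash"` // example assumes only a hash of the document travels, not the document
	Signature string `json:"sig"`     // base64 Ed25519 signature over the canonical payload
}

// canonical returns the exact bytes that are signed: every field except the
// signature, serialised deterministically. encoding/json writes struct fields
// in declaration order, so both sides produce identical bytes.
func (r SignedRequest) canonical() []byte {
	c := r
	c.Signature = ""
	b, _ := json.Marshal(c)
	return b
}

// Sign is the ASP side: sign the canonical payload with the ASP's private key.
func Sign(priv ed25519.PrivateKey, r SignedRequest) SignedRequest {
	r.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, r.canonical()))
	return r
}

// Verify is the ESP side: resolve the sender's registered public key, check
// the signature over the canonical payload, then reject requests whose
// timestamp lies outside an assumed +/- 5 minute replay window.
func Verify(registry map[string]ed25519.PublicKey, r SignedRequest, now time.Time) error {
	pub, ok := registry[r.ASPID]
	if !ok {
		return errors.New("unknown ASP")
	}
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	if err != nil {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, r.canonical(), sig) {
		return errors.New("signature verification failed")
	}
	ts, err := time.Parse(time.RFC3339, r.Timestamp)
	if err != nil {
		return errors.New("malformed timestamp")
	}
	if d := now.Sub(ts); d < -5*time.Minute || d > 5*time.Minute {
		return errors.New("timestamp outside replay window")
	}
	return nil
}

func main() {
	// Constructed demo: one registered ASP, one genuine request, one tampered copy.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	registry := map[string]ed25519.PublicKey{"ASP-EXAMPLE": pub}
	now := time.Now().UTC()

	req := Sign(priv, SignedRequest{
		ASPID:     "ASP-EXAMPLE",
		TxnID:     "TXN-0001",
		Timestamp: now.Format(time.RFC3339),
		DocHash:   "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
	})
	fmt.Println("genuine request:", Verify(registry, req, now))

	tampered := req // a man-in-the-middle swaps the document hash but cannot re-sign
	tampered.DocHash = "0000000000000000000000000000000000000000000000000000000000000000"
	fmt.Println("tampered request:", Verify(registry, tampered, now))
}
```

When reviewing a real ASP against this requirement, the things to look for are the same ones the example makes explicit: the signature must cover every field that affects the transaction (here, the whole canonical payload), the ESP must bind the verification key to the sender's identity rather than trusting a key carried in the message, and a freshness check must exist so that a captured, validly signed request cannot be replayed later.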