1 The Cloud Industry Forum Cloud Service Provider Code of Practice: Guidance for Cloud Service Providers
2 Table of Contents Purpose of this Document 3 Process Stages Covered Within this Document 3 supported by Prepare Guidance 4 Preparation Checklist 4 Project Charter Template (MS Word Document) 4 Project Plan Template (MS Excel Spreadsheet) 4 Assess, Improve and Declare Guidance 5 Assessment Spreadsheet (MS Excel Spreadsheet) 5 Guidance for Presentation of Information for sections A and B of the Code 5 Format for Public Disclosure Requirements (Section A.1) 7 Format and Naming Conventions for Supporting Documentation 8 Documentation Requirements for All Applications 8 Demonstrating Capability (Section B) 9 Signing Documents Electronically 11 Creating a digital signature 12 Digitally signing a document 15 Creating the FDF document 17 Guidance for Other Information Required for Application 20 Professional Reference Guidance and Template 20 Management Declaration Guidance and Template 20 Publish Guidance 21 Updating Public Disclosure Information 21 Using the CIF Certified Logo 21 Further information 21 Governance of The Code Of Practice 21 About the Cloud Industry Forum (CIF) 21 The CIF and The APM Group Limited (APMG) 22 Code Governance Board 22 Development and Maintenance of the Code 22 Audit and Appeal 23 Collaboration with Standards organizations and related Bodies 23 Contact Us 23 The CLOUD INDUSTRY FORUM and CIF words and associated logos are trade marks. Cloud Forum IP Limited All rights reserved NOTICE: This document is intended to provide general information in relation to the Cloud Industry Forum s Code of Practice journey for Certification. It is not intended to be comprehensive and should not be acted or relied upon as being so. Professional advice appropriate to specific circumstances should always be obtained.
3 Purpose of this Document This document (Document 3) is aimed at organizations undertaking the Cloud Industry Forum (CIF) Cloud Service Provider (CSP) Code of Practice (Code) Self-Certification process. It is also relevant to any organization that may be considering Self-Certification against the Code. This document provides instructional and informational guidance for organizations going through the Self-Certification process, and includes templates and resources, which will need to be referenced during various stages of the process, from initial preparation through to publishing certified status. Organizations should also download and refer to the following information provided by the CIF, downloadable from the CIF website Document 1: An Executive Briefing Document 2: Conducting the Self-Certification Terms and Conditions for Self-Certification Cloud Service Provider Code of Practice Further information or guidance can also be sought directly from the CIF or APM Group, CIF s Independent Certification Partner Process Stages Covered Within this Document This document covers the following stages of the Self Certification process: Prepare Assess Improve Declare Publish The following additional documents are accessible to download by organizations registered for Self-Certification from once registered. Project Charter (MS Word) Assessment Spreadsheet (MS Excel) Project Plan Template (MS Excel) Professional Reference template (MS Word) Management Declaration (pdf) For information on earlier stages of the process, refer to the following documents: Document 1: An Executive Briefing Document 2: Conducting the Self-Certification RECOGNIZE NEED DETERMINE REQUIREMENTS REGISTER PREPARE To achieve optimum results, a formal project should be established to perform the self-assessment and achieve Certification ASSESS the organisation must conduct an Assessment of its compliance with Code requirements IMPROVE If any non-conformances are noted in the Assessment step, then improvement actions are undertaken DECLARE The organization completes the Application and required declarations which are submitted to CIF via the online system VALIDATE AUTHORIZE PUBLISH The organization displays the Code Certification Mark on its website,together with hyperlinks to the CIF website 3
4 Prepare Guidance Preparation Checklist The following Preparation Checklist has been created to aid Self- Certification registrants in the initial set-up activities involved in the Self-Certification process. A version of this table can also be found in the Assessment Spreadsheet (see Assess and Improve section). Preparation tasks do not have to be done in this precise sequence, but all should be done. Task Done? When complete? Who? Guidance 1 Download: Doc.1: Executive Briefing Doc.2: Conducting the Self-Certification Doc.3: Guidance for Self-Certification Cloud Service Provider Code of Practice 2 Read: Doc.1: Executive Briefing Doc.2: Conducting the Self-Certification Doc.3: Guidance for Self-Certification Cloud Service Provider Code of Practice Terms and Conditions (available on-line) 3 Register https://selfcert.cloudindustryforum.org All Information can be sourced from:-http://www. cloudindustryforum.org/code-ofpractice/cloud-service-providerinfo-pack OR, only once registered via https://selfcert. cloudindustryforum.org for specific templates 4 Identify Team Leader/Project Manager 5 Identify the Executive Sponsor 6 Download / Review Additional Templates 7 Establish detailed plan with assigned responsibilities, estimated timeline and estimated costs 8 Review plan with APMG and clarify what additional help/guidance may be available Contact APMG via Project Charter Template (MS Word Document) The Project Charter will serve as an internal document that captures high level planning information (scope deliverables assumptions etc) about the Code of Practice Project. The Project Manager or Team leader creates the Project Charter in the Initiation Phase of the Project, in consultation with the Executive Sponsor. Its purpose is to recognize the existence of the project and to begin the planning process required to accomplish the Project goals. It does not need to be shared with external parties as a formal contract of legal document. The completed Project Charter does not need to be shared with the CIF or submitted with the final application. Project Plan Template (MS Excel Spreadsheet) The Project Plan Template is provided in Excel format to facilitate practical use in conducting a Self-Certification. The Excel file includes the following tabs/worksheets: Example Diagram (Gantt Chart) Example task table Example resource table Example assignment table To access and download the Project Plan Template, log into the Self-Certification website. To access and download the Project Charter Template, log into the self-certificate website 4
5 Assess, Improve and Declare Guidance Assessment Spreadsheet (MS Excel Spreadsheet) The Assessment Spreadsheet is provided in Excel format and is for preparatory work during an assessment. It is particularly suited for use as a control tool to track corrective actions needed to achieve conformance with the Code but can also be used to collect information. The final results demonstrating full conformance as entered into or tracked via the Assessment Spreadsheet must be transferred into the required presentation formats (webpage, documentation and entered or uploaded via the online system) prior to submitting an application for validation of Self- Certification. The Excel file includes the following tabs/worksheets: Overview Preparation Checklist Registration (ID and Scop) Transparency Capability Other Information Requirements for Online Presentation of Information To comply with section A.1, information must be presented in the following way:- The information must be available on a free-standing web page or web pages where more than one website is used to support provision of services covered by the Code. The link to the free-standing web page must be called CIF Code of Practice Disclosures. The link must be hyperlinked at a minimum from the home page of the organization s website and should be situated on the home page in a similar location to legal-type notices, disclaimers or site terms and conditions (usually found in menus which appear at the very bottom or top of standard web page designs). POST CERTIFICATION ONLY: The link must be displayed alongside the Certification Mark after the Mark has been granted. Organization of Page Content All information shall be presented sequentially on the web page and should be identifiable by the relevant code sub section e.g. A.1.1, A.1.2 etc. Information can be presented on the webpage in free text or table format. Notes FAQs Feedback To access and download the Assessment spreadsheet log into the Self-Certification website Guidance for Presentation of Information for sections A and B of the Code Format for Public Disclosure Requirements (Section A.1) To meet the requirements of section A.1 of the Code, applicant organizations must disclose information publically via means of a published, online webpage. In addition to including all relevant information and evidence required by section A.1 of the Code, the online Public Disclosure content should conform to certain requirements in terms of format and, in some cases content to facilitate comparison by end users between different organizations. 5
6 Mandatory Content for Section A.1.1. Post registration Content (Pre-application) The following text must be included against section A1.1 on the disclosure web page (where Xxx is the organization s name) at the time that an application has been submitted but prior to award of certification: Post Self-Certification Content (NOTE: this section is repeated in the Publish guidance within this document) Once the organization has had its Self-Certification recognized by the CIF, i.e. once the organization has received formal notification that it is authorized to display the Code Certification Mark, the following text shall be added to the web page in place of the text above (Post Registration text): NOTICE: While Xxx has made the commitment to the Code, customers/ third parties shall note that information or certification provided by the Cloud Industry Forum does not constitute advice from or endorsement by the Cloud Industry Forum. The Cloud Industry Forum disclaims any and all liability arising out of the use of services or otherwise of certified organizations. Where disclosed information or capabilities as specified by the Code of Practice are essential in purchasing cloud services from a certified organization, it/these should be cited contractually. Professional advice appropriate to specific circumstances should always be obtained. Xxx has completed the Self-Certification against the Code of Practice for Cloud Service Providers (the Code ) of the Cloud Industry Forum ( CIF, at org), which the mark above demonstrates. Clicking on the mark will take you to the CIF website where supporting information for this Certification is available. Xxx is committed to the Code. One of the main objectives of the Code is to help ensure disclosure of essential information so that consumers of Cloud Services can make better business decisions based on this information. The information on this page addresses the public disclosure requirements of the Code. NOTICE: While Xxx has made the commitment to the Code and has been self-certified as compliant with the Code, customers/ third parties shall note that information or certification provided by the Cloud Industry Forum does not constitute advice from or endorsement by the Cloud Industry Forum. The Cloud Industry Forum disclaims any and all liability arising out of the use of services or otherwise of certified organizations. Where disclosed information or capabilities as specified by the Code of Practice are essential in purchasing cloud services from a certified organization, it/these should be cited contractually. Professional advice appropriate to specific circumstances should always be obtained. The Certification Mark may also be shown in other places, as specified in the Logo Pack supplied when the organization is formally informed that it is authorized to display it. 6
7 Example Public Disclosure Content The following is an example public disclosure for a self-certified organization Cloud Service Provider Example Limited using the required structure. A.1.1. Compliance with Code Cloud Service Provider Example Limited is committed to the principles of Transparency, Capability and Accountability which are embodied in the Cloud Industry Forum s Code of Practice, because these help create a more trustworthy business environment for cloud-based processing. Cloud Service Provider Example Limited is committed to complying with the specific requirements of the Cloud Industry Forum s Code of Practice for the period of Certification, for the scope defined below in A.1.3.The CLOUD INDUSTRY FORUM and Cloud Service Provider Example Limited has completed the Self-Certification against the Code of Practice for Cloud Service Providers (the Code ) of the Cloud Industry Forum ( CIF, at which the Self-Certification mark demonstrates. Clicking on the mark will take you to the CIF website where supporting information for this Certification is available. Cloud Service Provider Example Limited is committed to the Code. One of the main objectives of the Code is to help ensure disclosure of essential information so that consumers of Cloud Services can make better business decisions based on this information. The information on this page addresses the public disclosure requirements of the Code. NOTICE: While Cloud Service Provider Example Limited has made the commitment to the Code and has been self-certified as compliant with the Code, customers/third parties shall note that information or certification provided by the Cloud Industry Forum does not constitute advice from or endorsement by the Cloud Industry Forum. The Cloud Industry Forum disclaims any and all liability arising out of the use of services or otherwise of certified organizations. Where disclosed information or capabilities as specified by the Code of Practice are essential in purchasing cloud services from a certified organization, it/these should be cited contractually. Professional advice appropriate to specific circumstances should always be obtained. Cloud Service Provider Example Limited s website page where publicly disclosed information is available is at ExampleLimited.com/CIF-Code-of-Practice-Disclosures A.1.2. Corporate Identity and Responsibilities Corporate name: Cloud Service Provider Example Limited Legal status: Private Limited Company Date of formation: 01 January 2012 Location of registration: England Registration number: Ownership (major shareholders): Cloud Service Provider Venture Capital Investments John Henry Adams Luke Howard Members of board of directors John Henry Adams Luke Howard Charles Thomson Wilson Executive management Luke Howard (CEO) Charles Thomson Wilson (CFO) Corporate fixed address: 123 High Street, Anycity, Anycounty, UK XX1 2YY A.1.3. Scope Covered by the Code Scope of services: web archiving services Geographical scope: Countries with local sales and/or support: UK Countries where customer data may be held or processed: UK Customer data will only be held in the UK. No other options are available. A.1.4. Public Branding Alternative trading name(s): Storage Rainbows Unlimited Website address(es): A.1.5. Third-Party Coverage Transparency Cloud Service Provider Example Limited does not accept any indirect responsibility for our suppliers. Cloud Service Provider Example Limited s suppliers do not accept indirect responsibility to Cloud Service Provider Example Limited s customers. Cloud Service Provider Example Limited does not accepts indirect responsibility to customers of customers 7
8 A.1.6. Security Control Transparency with the Cloud Security Alliance Cloud Service Provider Example Limited has not completed the Consensus Assessments Initiative Questionnaire from the Cloud Security Alliance A.1.7. Other Extended Commitments to Code of Practice Principles Cloud Service Provider Example Limited does not commit to any additional transparency, capability, or accountability requirements in addition to those contained directly in this Code of Practice. A.1.8. Technological Commitments* Cloud Service Provider Example Limited does not publicly commit to supporting any specific technologies, standards, or inter-operabilities. Any such support must be separately negotiated. A.1.9. Existing Certifications* Cloud Service Provider Example Limited does not have any other certifications. A Industry Association Memberships (Optional) ** Cloud Service Provider Example Limited is a member of the Cloud Industry Forum, in addition to being self-certified under its Code of Practice. *In this example, the disclosure of information relating to sections A.1.8 and A.1.9 has been included on the pubic web page. If an organization chooses instead to disclose this information under section A.2, this information does not need to appear on the web page. ** information has been disclosed against section A.10, which is fully optional e.g. it does not need to be disclosed. Format and Naming Conventions for Supporting Documentation CSPs are required to provide documented evidence that they meet the specific requirements of the Code. CIF require documentation to be submitted in specific formats and according to specific filename conventions to:- Be assured that requirements are being met by applicant CSPs specifically and not broadly; and To enable information to be sourced easily for the purposes of audit or complaint resolution. Documentation uploaded to the online system as part of a CSP s application is likely to include: SECTION A SECTION B OTHER INFORMATION Code of Practice Requirement A.1. Information for public disclosure (a print screen of the online web page) A.2. Information for contracting disclosure Management system documentation for required capability areas OR Evidence of existing certification including a document outlining the scope of the certification Professional Reference In addition to the files uploaded as part of the application, a self-certified organization shall maintain auditable records of its disclosure information as specified in the Accountability section of the Code. Such records shall be accessible both chronologically, and also by potential customer, when provided to potential customers on an individual basis. Documentation requirements for all Applications General The documentation shall be created exclusively using PDFs. The documentation shall be supplied to CIF via the online application system. The documentation shall be electronically signed using Adobe Acrobat. For information and instructions on electronically signing documentation, see the Signing Documents Electronically section of this document. 8
9 File Naming Conventions All files shall include the prefix reference issued by the CIF at the time of registration. This prefix can be found on confirmation of registration or payment details issued by the CIF and is a combination of alpha-numeric characters e.g. CFW Examples of Acceptable Document filenames PROFESSIONAL REFERENCE CFW0000_ProfRef.pdf STANDARD TERMS AND CONDITIONS CFW0000CloudOrgT&Cs2012.pdf ORGANIZATION CHART CFW0000_CloudOrg_ OrgChart_2012.pdf Document references (when entered into online system) When entered into the online system all references to supporting documentation shall include a filename and an explicit reference within the file to a page or paragraph number, or a clause reference where the information can be found. A file name alone is not acceptable. If the amount of information to be put into an online reference field exceeds the character limit, which may be the case if multiple files are used in support of one Code requirement or area, it is acceptable for an applicant to do either of the following: Remove the prefix reference from the filename when entering the name into the online form field for a particular requirement; or, Create and submit an additional supporting document or page which contains all references mapping Code areas to submitted documentation. In this case, the online field can be completed with a reference to this new document/page instead. Examples of acceptable online references CFW0000DocFile p17 CFW0000DocFile 17-19,36 DocFile p17 para 5 DocFile1 pp17-19; TsAndCs clause 14 Demonstrating Capability (Section B) There are two ways of demonstrating capability at the time of application for Self-Certification: Using Existing Certifications: Providing evidence of appropriate existing certifications against relevant standards covering the same capability requirements; or, Using Primary Documentation: Providing primary documentation of required capabilities, including key policy and procedure-type documentation. Using Existing Certifications There are two types of certifications upon which reliance may be placed for demonstrating capability: International and national standards with prefixes like ISO, ISO/IEC, BS, ANSI, etc. The CIF Code of Practice Self-Certification, relevant if a CSP is relying in its application on another CSP which is already self-certified, e.g. for the provision of infrastructure services. Scope. The organizational scope and scope of services of the existing certification must be directly relevant to the scope covered by the intended CIF Code of Practice Self- Certification. In order to use an existing certification to meet 100% of the requirements of any specific Code of Practice capability area, the scope of the existing certification must include 100% of the scope being self-certified under the CIF Code of Practice. If this is not the case, then there are two other alternatives that may be considered: o Alternative one is that it is possible to use the certificate for the part of scope which is relevant, and provide primary documentation for the rest of scope. In this case the application needs to clearly differentiate between the two sub-scopes. For applicants relying on the Self-Certification of another CSP, this would typically be the case, as there will almost always be some internal capability requirement which cannot be outsourced or subcontracted. o Alternative two is that it should be possible to use supporting materials for the existing certification as part of primary documentation, but not cite the certification itself. 9
10 Period of Validity. The certification must be valid on the date of the application. In the event that the period of validity for the certification does not include the entire period, i.e. in the event that the certification will end during the Code of Practice Self-Certification period, no further supporting documentation is required during the period of the CIF Code of Practice Self-Certification. Nonetheless, the self-certified CSP is committed to complying with the Code of Practice s capability requirements for the entire period, regardless of what supporting documentation was supplied at the time of application Internationally Recognized Certification. For certifications other than the CIF Code of Practice Self-Certification, the certification must have been performed by an organization which is accredited for that standard by an accreditation body which is a signatory to the Multilateral Recognition Arrangement (MLA) of the International Accreditation Forum. This includes most of the major certification companies in the world, but may not include smaller companies, or companies whose primary business is not certifications. The following should be submitted to the CIF as supporting documentation for any capabilities to be demonstrated through such certifications: For certifications against international and national standards: a scanned copy of the certification certificate including scope and validity dates, and clarification of the accreditation body if it is not shown on the certificate. For reliance on other CIF Self-Certifications: a letter from the self-certified CSP which states the scope of their Self- Certification, the validity dates, and an acknowledgement that they know the applicant CSP is placing reliance on their capabilities and that a contract is in place between them to justify this reliance. A statement from the applicant CSP affirming that all criteria required for the acceptance of the certification are met. Furthermore, if a reseller CSP seeking Self-Certification is relying on a supplier CSP s Code of Practice Self-Certification (e.g. if a reseller is relying on an infrastructure provider CSP, such as for IT security management capability), then the reseller s Self- Certification scope statement must clearly state that it is for services provided by the named supplier CSP. If the reseller changes its supplier for these services to another supplier, then the reseller cannot continue to claim to be certified itself. It may therefore be more practical for the reseller simply to market the fact that it is reselling services from a Code of Practice self- certified CSP, rather than to have its own Self-Certification under these circumstances. However, this is a business decision and not one driven by the Code of Practice itself. See also Leveraging Considerations for Subcontracted Cloud Service Providers. The following are examples of international and national standards for which certifications could provide all necessary support for the CIF Code of Practice capability requirements, assuming that the scopes cover the relevant CIF capabilities: Capability Information Security Management (Including Data Protection) Service Continuity Management BS Using Primary Documentation In principle it should be relatively straightforward to demonstrate capability as required by section B of the Code by using primary documentation, except for the first capability area, which is Information Security Management. Primary documentation must be documentation actually in use within the CSP, and not something that exists solely for the Code of Practice Self-Certification application. One of the benefits cited by CSPs that have been self-certified to the Code is that it has helped them to identify gaps in their existing policies and procedures and to fill them, strengthening the business in the process. It is therefore expected, especially in smaller or younger organizations which may not have any existing certifications, that it will be necessary to improve or at least document some existing informal practices. Copies of this documentation, reflecting actual implemented practices, should then be included as primary supporting documentation for the Self-Certification application. Primary documentation does not need to be extensive, but it must exist even if limited in detail. For example, the complaint handling capability for a very small CSP could be supported with two documents; one could be a half-page long, consisting of a policy statement (e.g. a requirement to respond to all complaints within x time, and to track and analyze for underlying root causes) and a procedure with assigned responsibilities (e.g. all complaints are handled initially by x, with appeals to be handled by y). The second document could be evidence of a course attended external or internal which includes this area to demonstrate the provision for competence/training. The general requirements for primary documentation are as follows, which may be covered in multiple ways, in individual or combined documents: Policy Procedures (or work instructions) Assignment of responsibilities Competence (or training) Standard ISO/IEC Service Level Management ISO/IEC Supplier Management ISO/IEC ; ISO 9001 Software License Compliance ISO/IEC Complaint Handling ISO 9001 Environmental Impact Management ISO
11 There is also a requirement for Awareness for people besides those directly responsible for task execution, e.g. for awareness about security issues. In a CSP with a small number of employees (5 or less) it may not be realistic to expect documentation for awareness building, but for larger CSPs it is considered realistic. Awareness building can be accomplished In many ways, but one of the easiest to document is via an internal annual training session to ensure that everyone is aware of overall policies, procedures, and assigned responsibilities. It can also provide an excellent opportunity for feedback and self-improvement. As indicated above, additional guidance is appropriate for the capability area of Information Security Management (Including Data Protection). It is recommended that primary documentation be provided to demonstrate that the CSP is competently addressing the following areas: Security policy/data protection policy Responsibility for security management within the organization How security is built into the personnel processes (joining checks in terms of experience/qualifications/right to work, leaving procedures including revoking permissions/access) Guidance provided to staff on security best practice including training and awareness Examples of security methods in use in relation to premises, equipment, network and backups Approach to information classification to reduce risk of information slipping into the wrong hands How the above are monitored and reported on (could be internal audits, spot checks, monthly reports and analysis etc) Data Protection Act Registration (or the equivalent requirement in different jurisdictions) and/or processes implemented to ensure compliance. Leveraging Considerations for Subcontracted CSPs The guidance above addresses one way that CSPs working together can leverage the benefits of a self-certified supplier CSP helping a reseller CSP become self-certified. There are two further ways for a reseller CSP to obtain significant benefits from working together with a self-certified supplier CSP. Mentoring Partnership If the reseller CSP wants to obtain its own Code of Practice Self- Certification, it may be possible for the reseller CSP to be mentored by the supplier CSP, including through the sharing of policy and procedure documentation which the reseller CSP can adopt with suitable modifications. This will expedite the process of the reseller developing its own internal capabilities which can then be selfcertified on a freestanding basis without reference to the supplier CSP s Self-Certification. Marketing Partnership Instead of obtaining its own Code of Practice Self-Certification, the reseller CSP can simply market the fact that it is reselling services from a self-certified supplier CSP. This should already provide a significant level of reassurance to the reseller CSP s potential customers. Note, however, that the supplier CSP must formally accept responsibility towards the customers of its own customers (i.e. towards the customers of the reseller CSP) for there to be any clear basis on which the ultimate customers can place reliance. This type of responsibility information should be available in the supplier CSP s public disclosures in the third sub-point of section A.1.5 of the Code Signing Documents Electronically Although the CIF Code of Practice scheme is based on Self- Certification, it needs to be enforceable, and therefore the supporting documentation on which it is based needs to be verifiable. The CIF has chosen, as its preferred method of achieving this, to use features of Adobe Standard/Professional (version 8 or later), which provide strong authentication capabilities. The screenshots in this HowTo guide have been produced using Adobe Professional v8. All materials should be saved as Adobe PDF documents, including the Professional Reference, and the full Documentation File of supporting documentation. The documents should be signed and certified with no fields being left as modifiable. The signature used should be for the person officially signing. Additionally, the CIF reserves the right to require the following, which are not shown in this HowTo guide: The signature used should be certified by a major publicly recognized certification authority. Long-Term Validation (LTV) should be used, which ensures the ability to validate a document s authenticity in the future in spite of whether the certificate has expired or has been revoked, or even if the issuing authority has gone out of business. A secure time stamp should be added to the digital signature, to confirm the time of the original signing. Fonts should be embedded and the RGB color scheme used when the documents are created, to avoid possible incompatibilities between originator and recipient systems. (The PDF/A option does this.) The remainder of this document is a how-to for digitally signing documents as required for the CIF Code of Practice scheme. In order to digitally sign a document using Adobe, a digital signature must already exist. There are various desktop applications that can be used to create a digital signature, including Adobe Professional. Irrespective of the application used to create a digital signature, for the purpose of this HowTo guide, the format of the resulting signature must be compatible with Adobe applications. Adobe, the Adobe logo, Acrobat, the Adobe PDF logo, Distiller and Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. 11
12 Sign on a blank sheet of paper Scan the paper Creating a Digital Signature Save the resulting image as a.jpg or.tiff image file A digital signature is used to approve a document much like a hand-written signature does. A digital signature can, optionally, include an image of your hand-written signature (and computer text setting out your contact details). This HowTo guide includes Crop details and about tidy encapsulating the image an as image necessary of your hand-written signature. For the purpose of this HowTo guide, a fictitious signature has been created for TestSample. The image that you have created will need to be converted into a.pdf fo The image that you have created will need to be converted into There are several ways to do this. a.pdf format. Hand-written signature This section assumes that you have the technical knowledge to scan, crop, tidy up and publish an image of your signature in the format of either a.jpg or.tiff file. As this HowTo guide makes use of logical Adobe to use the Professional, same application to perform it is the logical conversion. to use application to perform the conversion. If you wish to include an image of your handwritten signature in the digital signature, then please do so by: Sign on a blank sheet of paper Scan the paper Save the resulting image as a.jpg or.tiff image file There are several ways to do this. As this HowTo guide makes use of Adobe Professional, it is Converting Crop and tidy the image as a necessary.jpe or.tiff image to a.pdf file With Adobe Professional open in the foreground, open Windows Explore The CLOUD INDUSTRY FORUM and CIF words and associated logos are trade marks. Cloud Forum IP Limited All rights reser Converting NOTICE: This document a.jpeg is intended or.tiff to provide image general information When in the relation left-button to the on Cloud the mouse Industry is released, Forum s the Code image of file Practice journey intended to be comprehensive and should not be acted or relied will upon appear as in being Adobe, so. and Professional the Adobe advice Professional appropriate will appear to specific as circum to a.pdf file obtained. the foreground application. With Adobe Professional open in the foreground, open Windows Explorer. With the Adobe application in the foreground, select the AP11-v6.1 following from the pull down menu: File/Save As Shift+Ctrl+S, With Windows Explorer open in the foreground and Adobe and save the file as a.pdf format. Professional immediately behind, navigate to the location where your image file is stored. With relevant the file name highlighted, simply click and drag the image file into the (currently empty) work area of the Adobe application. 12
13 Adding Time/Date stamp and other attributes In order to make your digital signature fit for purpose, it will need to be capable of capturing adequate metadata for the purpose of future validation. Adobe Professional can be used to add additional functionality to your digital signature file as described below: With the.pdf signature image file open, open the Preferences window by choosing Edit/Preferences Ctrl+K from the pull down menu. Once the Preferences window has opened, using the left pane, scroll down and highlight [Security]. Next, click the [New ] button.. All rights reserved imited ractice journey All for rights Certification. reserved It is not specific s Code circumstances of Practice journey should for always Certification. be It is not propriate to specific circumstances should always be
14 n mported graphic] Configure Graphic section and navigate  Click the radio to the button .PDF Click the [File ] button and navigate to the.pdf [Imported graphic] ature in it. image file with your signature in it.  Click the [File ] button and navigate to the.pdf image d Date options, checkmarks. file with your signature in it. Configure Graphic section  Click the radio button [Imported graphic] Configure Text section  Leaving the Name, and Date options, remove all of the other checkmarks.  Click [OK] to finish. lection Click [OK] to commit your selection Click [OK] to finish Configure Text section  Leaving the Name, and Date options, remove all of the other checkmarks.  Click [OK] to finish.click [OK] to commit your selection Click [OK] to finish ent Digitally signing a document ant to digitally sign. Open the.pdf file that you want to digitally sign. select: ignature From the pull down options, select: Sign/Certify with Visible Signature 14
15 gitally sign. Digitally signing a document Open the.pdf file that you want to digitally sign. From the pull down options, select: Sign/Certify with Visible Signature ease read the notes in this dialogue box, and then ck [OK] to continue. Click [OK] to continue.please read the notes in this dialogue box, and then click [OK] to continue re trade marks. Cloud Forum IP Limited All rights reserved relation to the Cloud Industry Forum s Code of Practice journey for Certification. It is not n as being so. Professional advice appropriate to specific circumstances should always be nce you have clicked [OK] above, the mouse pointer 4 ll change to a crosshair. orum IP Limited All rights reserved try Forum s Code of Practice journey for Certification. It is not advice appropriate to specific circumstances should always be ick and drag out an area on the page to indicate ere the image of your signature will appear. 4 nce you release the left mouse button, another alogue box, Certify Document, will appear. Once you have clicked [OK] above, the mouse pointer will change to a crosshair. the area that you indicate is quite small, then alternative your signature dialogue will appear. will appear, inviting you to rt over. Once In you either release the case, left mouse please button, follow another the dialogue onscreen box, Certify Document, will appear. ompt. Click and drag out an area on the page to indicate where the image of If the area that you indicate is quite small, then an alternative dialogue will appear, inviting you to start over. In either case, please follow the onscreen prompt. the Certify Document dialogue box, you will see any of The the Cloud details Industry Forum that Cloud Service you Provider elected Code of Practice: in the 04/2013 Configure V1.0 15
16 In the Certify Document dialogue box, you will see many of the details that you elected In the Certify Document dialogue box, you will see many of the details that you elected in the Configure Signature Appearance section. In the Appearance pull down menu, select the file name that features a scanned copy of your signature and Time/Date stamp details, as selected in the Configure Signature Appearance section. When selected, you will note that a copy of your scanned hand written signature will appear here Next, click on [Sign] You will be prompted to save the resulting file. Enter the new file name as required. When the digitally signed file is saved, notice the additional security marks 16
17 Creating the FDF document In order for the recipient to authenticate the digitally signed document, you will need to export and send (via ) the key (Adobe FDF file) associated with the document that you have created. To export and the Adobe FDF file, please follow the steps below: With the relevant document open, click on the Signature Properties button. When the Signature Properties dialogue box appears, select (from the Summary or Signer tab) Show Certificate. When the Certificate Viewer dialogue box appears, select [Export...] In the Data Exchange File dialogue box, note the Destination section. Change the selection to the exported data, and click [Next >] And click [Next >] again in the next window. Next, click [Sign...] to sign the outgoing message, and select [Sign...] again in the dialogue box that follows 17
18 Clicking [Next >] will prompt you to enter the address of the intended recipient. In the next dialogue box, please enter the following address into the [To:] field 18
19 Click [Next >] to proceed. Click [Finish] to accept and continue. Adobe will now automatically send the FDF file associated with you digital signature to the Cloud Industry Forum address that you have entered. When the Finish button is clicked, the first of the Certificate Viewer dialogue boxes will re-appear. Click [OK], and then [Close] on the screen that follows to conclude this process. NOTE: this is just a test sample address 19
20 Guidance for Other Information Required for Application Professional Reference Guidance and Template The following is the letter template to be provide on professional advisor letterhead to accompany all Self-Certification applications, which must be reproduced as presented below. The signed Professional Reference must come from your registered accountant, solicitor, certification body auditor, or similar individual from an organization which provides professional services to you on an on-going basis. on the professional services organizations letter headed paper I hereby: 1. acknowledge that this Declaration will be submitted together with our client s application for the Cloud Industry Forum s Self-Certification, and in so doing, 2. declare: a. My organization s details are as follows: i. Name, address and contact of firm/practice ii. These details may be found in public at [URL]. b. My professional qualifications may be validated as follows: i. Name of accrediting organization ii. These details may be found in public at [URL]. c. The capacity of the professional relationship is [state]. d. We have advised the organization for [state time] in this firm s professional capacity as stated above. Signed by: duly authorized for and on behalf of: Date: The Professional Reference should also be electronically signed and provided in pdf, electronically signed with all other documentation. To access and download a Word version of the Professional Reference, log into the Self-Certification website. Management Declaration Guidance and Template The Management Declaration is made on-line, as part of the application process. Because it is not realistic to expect a senior executive to physically perform part of an on-line application process, reliance is placed on the organization s internal procedures and communications to ensure that the relevant member of management has properly approved the Management Declaration. When the on-line application is formally submitted, an will be sent to the named senior executive to confirm the Management Declaration which has been recorded in his/her name, and a confirming response is required to complete the application. The confirming response should include sufficient information to identify the individual, including name and position. The Management Declaration will be available on the CIF website together with other publicly available information about the certified organization, showing the executive s name and position, but not the . The on-line Management Declaration contains the following wording: I declare that: a. [Organization Name] is committed to the principles of Transparency, Capability and Accountability which are embodied in the Cloud Industry Forum s Code of Practice, because these help create a more trustworthy business environment for cloud-based processing. b. [Organization Name] is committed to complying with the specific requirements of the Cloud Industry Forum s Code of Practice for the period of Certification, for the scope defined in the application. c. [Organization Name] is willing to submit any customer disputes to formal external dispute resolution. d. The information provided in this application for Self- Certification is a true and accurate reflection of the business and practices of [Organization Name] e. I am authorized to commit [Organization Name] to the contents of this Management Declaration. I also acknowledge that: a. This Management Declaration is a part of the full application for Self-Certification b. The Cloud Industry Forum s Terms and Conditions (IP14) apply to this application for Self-Certification c. An audit may be conducted by the CIF to ensure compliance with the Code of Practice d. Any non-conformance with the Code of Practice, at the sole determination of the CIF, as confirmed after the conclusion of appeal procedures, will result in the withdrawal of the Code of Practice certification in accordance with the General Cloud Industry Forum Terms and Conditions. e. Any withdrawal of the Code of Practice certification may be publicized including on the CIF web site, and other ways in the press. To access and download a pdf copy of the Management Declaration to circulate to the named senior executive, log into the Self-Certification website. 20
dobe Acrobat XI Pro Digital Signatures Intermediate Adobe Acrobat XI Pro is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. To view a copy of this
Adobe Acrobat X Pro Forms Course objectives: Create interactive forms Manage form fields and properties Use forms in Adobe Reader Use PDF Actions Digital Signatures This course does not cover LiveCycle.
August 2013 EMA/264709/2013 EMA esignature capabilities: frequently asked questions relating to practical and technical aspects of the implementation This question and answer document aims to address the
Entrust Managed Services PKI Using Entrust certificates with Adobe PDF files and forms Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark or
Adobe Digital Signatures in Adobe Acrobat X Pro Setting up a digital signature with Adobe Acrobat X Pro: 1. Open the PDF file you wish to sign digitally. 2. Click on the Tools menu in the upper right corner.
Assigning a Digital Signature to Electronic Documents Guide This guide provides instructions on how to add/view and remove a digital signature from electronic documents. The most common types of document
Entrust Certificate Services Entrust Certificate Services for Adobe CDS Getting Started Guide Entrust SafeNet Authentication Client: 8.3 Date of issue: July 2015 Document issue: 3.0 Revisions Issue and
National Institute for Health Research Coordinated System for gaining NHS Permission (NIHR CSP) Operating Manual Please check the CRN Website for the latest version. Version: 6.0 Status: Consultation in
Application Version 3.7.5 Confidentiality This document contains confidential material that is proprietary WatchDox. The information and ideas herein may not be disclosed to any unauthorized individuals
Exporting/Importing Certificates with Adobe Acrobat This tutorial was designed to help you learn how to export and import digital signature certificates with Adobe Acrobat so that you can verify the identity
Digital Signatures This tutorial was designed to help you learn to use digital signatures for signing PDF forms with Adobe Acrobat. This tutorial covers: how to create a digital signature, how to customize
Copyright, Language, and Version Notice The official language of this [Certification Protocol] is English. The current version of the [Certification Protocol] is maintained on the Bonsucro website: www.bonsucro.com.
ProSystem fx Document (On-Premise) Release Bulletin Release 2011-3.5 May 2012 Welcome to ProSystem fx Document (On-Premise) 2011-3.5 This bulletin provides important information about the 2011-3.5 release
: 1 of 19 Table of Contents 1. Purpose 2. Scope 3. Unit of Certification 3.1 Identity Preserved, Segregation, Mass Balance, 3.2. Book and Claim 4. Definitions 5. Responsibilities 5.1 Head of the Certification
Mentor Online IRB System IRB s require lots of documentation and managing this process can get to be a burden for both investigators and the IRB committee and administrator. The Mentor IRB system is designed
DocuSign Quick Start Guide Using Templates Overview This guide provides an overview of how to use a template when creating and sending an envelope. Templates help streamline the sending process when you
HOW IT WORKS E-SIGNLIVE 1 INTRODUCTION With e-signlive, Silanis hosted service, you can invite other people to conveniently and securely sign documents over the web. Your documents can be easily signed
TRANSITIONAL GUIDELINES FOR ISO/IEC 17021-1:2015, ISO 9001:2015 and ISO 14001:2015 CERTIFICATION BODIES Approved By: Senior Manager: Mpho Phaloane Created By: Field Manager: John Ndalamo Date of Approval:
Cloud (educational apps) software services and the Data Protection Act Departmental advice for local authorities, school leaders, school staff and governing bodies October 2014 Contents 1. Summary 3 About
ARIBA Contract Management System User Guide to Accompany Training Technical Training Team 6/29/2010 Table of Contents How to use this Guide... 4 Contract Management Process... 5 ARIBA- Getting Started...
New and Improved DocuSign Signing Experience Information Guide On December 5th, as part of the DocuSign Winter 15 Release, DocuSign will launch a new and improved version of the signing experience. The
Electronic Docket Filings Michigan Public Service Commission Department of Licensing and Regulatory Affairs How to Electronically File Documents in Cases Before the Michigan Public Service Commission (E-Dockets
CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
HDAccess Administrators User Manual Help Desk Authority 9.0 2011ScriptLogic Corporation ALL RIGHTS RESERVED. ScriptLogic, the ScriptLogic logo and Point,Click,Done! are trademarks and registered trademarks
Strategic Asset Tracking System User Guide Contents 1 Overview 2 Web Application 2.1 Logging In 2.2 Navigation 2.3 Assets 2.3.1 Favorites 2.3.3 Purchasing 2.3.4 User Fields 2.3.5 History 2.3.6 Import Data
Date(s) of Evaluation: CHECKLIST ISO/IEC 17021:2011 Conformity Assessment Requirements for Bodies Providing Audit and Certification of Management Systems Assessor(s) & Observer(s): Organization: Area/Field
PDF/A A standard for document archiving Dipl. Inf. Reinhold Müller-Meernach Röttenbach Dr. Uwe Wächter Roßdorf No. 2/2006 SEAL Systems email@example.com www.sealsystems.com PDF/A A standard for document
Expat Tracker User Manual Expat Tracker Assignee Management Software HR Systems Limited Expat Tracker All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic,
Ref. Ares(2015)2346168-04/06/2015 Project Grants (HP-PJ) Administrative forms (Part A) Project proposal (Part B) Version 2.0 05 June 2015 Disclaimer This document is aimed at informing potential applicants
Adobe Acrobat X: Forms Part 1: Designing the Form Connect session 9/2012 Do You Need a PDF Form? You might be locked into using PDFs However. Google Docs Forms is a much easier way to do this Form is online,
GFI LANguard 9.0 ReportPack Manual By GFI Software Ltd. http://www.gfi.com E-mail: firstname.lastname@example.org Information in this document is subject to change without notice. Companies, names, and data used in examples
Howard University version 1 created: 11/2014 R e s e a r c h A d m i n i s t r a t i v e S e r v i c e s CONTENTS DocuSign Overview... 2 Account Setup... 2 Getting Started... 2 The Submission Routing Structure...
GOOGLE DOCS APPLICATION WORK WITH GOOGLE DOCUMENTS Last Edited: 2012-07-09 1 Navigate the document interface... 4 Create and Name a new document... 5 Create a new Google document... 5 Name Google documents...
OWA - Outlook Web App Olathe Public Schools 0 Page MS Outlook Web App OPS Technology Department Last Revised: May 1, 2011 Table of Contents MS Outlook Web App... 1 How to Access the MS Outlook Web App...
Adobe Acrobat 9 Pro Accessibility Guide: Creating Accessible PDF from Microsoft Word Adobe, the Adobe logo, Acrobat, Acrobat Connect, the Adobe PDF logo, Creative Suite, LiveCycle, and Reader are either
#108 Guidance for Industry How to Register with the CVM Electronic Submission System To Submit Information in Electronic Format Using the FDA Electronic Submissions Gateway This version of the guidance
Salesforce CRM Content Implementation Guide Salesforce, Winter 16 @salesforcedocs Last updated: December 8, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered
Adobe Acrobat Electronic Signatures Creating a custom signature stamp 1. Sign your name on a piece of paper (a marker style pen works well) 2. Scan the paper 3. Save to the desktop (or anywhere you like)
SCS Green Squared SM Certification Manual 2011. Scientific Certification Systems Environmental Certification Services: Certification Manual for Green Squared SM Tile and Installation Material Sustainability
NYS OCFS CMS Contractor Manual C O N T E N T S CHAPTER 1... 1-1 Chapter 1: Introduction to the Contract Management System... 1-2 CHAPTER 2... 2-1 Accessing the Contract Management System... 2-2 Shortcuts
Aloaha Sign! (English Version) Aloaha Sign! (English Version) All rights reserved. No parts of this work may be reproduced in any form or by any means - graphic, electronic, or mechanical, including photocopying,
Generating a Certificate User Guide For the Reliance Assessment Database Contents Creating a Certificate... 2 Mail Activity... 16 Creating a Certificate EXAMPLE SQFI RELIANCE USERS Robin Goode Stephanie
proposalcentral Prepare and Submit a Proposal. If you need assistance, contact Customer Service by email at email@example.com or by phone at 1-800-875-2562 1 Recommended Software proposalcentral Recommends
Instructions for Conflict of Interest Adobe Forms Please note that these are specific to the Division of Research (DOR) Conflict of Interest requirements for investigators and do not replace the disclosures
CA Nimsoft Service Desk Rapid Workflow Implementation Guide 7.13.7 Legal Notices Copyright 2013, CA. All rights reserved. Warranty The material contained in this document is provided "as is," and is subject
Getting Started Guide Chapter 12 Creating Web Pages Saving Documents as HTML Files This PDF is designed to be read onscreen, two pages at a time. If you want to print a copy, your PDF viewer should have
OVERVIEW This User Guide is an overview to understand how to access the isupplier Portal, navigate through the system and understand the notification sent from the automatic system email notification to
Adobe Writer Version 7 and 8 Instructions Version requirements and applicability: To add Signature Fields To Design Exception/Design Waiver/Deviation from Standards Form (Adobe Writer Pro Version 8 only)
Integrated Cloud Environment Google Drive User s Guide 2012-2015 Ricoh Americas Corporation It is the reader's responsibility when discussing the information contained this document to maintain a level
TrueFiling Law Firm User Guide 1.0.130 ImageSoft, Inc. Copyright 2013 ImageSoft, Inc. All rights reserved. No part of this document may be reproduced, stored in or introduced into a retrieval system, or
Creating a New Digital ID or Signature for Adobe Acrobat If you are not using a third-party digital ID, you can create your own in Adobe Acrobat Professional or in Adobe Reader 9, 10 or X. Follow these
The global standard for esignature Quick Start User Guide Using Templates Overview This guide provides an overview of how to use a template when creating and sending an envelope. Templates help streamline
Your First App Store Submission Contents About Your First App Store Submission 4 At a Glance 5 Enroll in the Program 5 Provision Devices 5 Create an App Record in itunes Connect 5 Submit the App 6 Solve
GRANTS AND CONTRIBUTIONS ONLINE SERVICES: USER GUIDE (AGREEMENT E-SIGNATURE) AUGUST 2015 TABLE OF CONTENTS Important Things to Remember... 3 A. TIME OUT FEATURE... 3 B. SAVING... 3 C. REQUIRED FIELDS...
C. Create and Add a Signature to a PDF File Use of a digital signature is preferred for signing a PDF file. If for some reason this cannot be done, a scanned signature page can be added to the PDF file.
This document illustrates how to digitally sign PDF documents using Acrobat Reader 11. The illustrations assume that the user already has a digital certificate. You will need the latest version of Adobe
Queensland Government etendering website Government buyer user manual System Requirements and Administration Version 2.0 July 2011 etender Help Desk phone 07 3836 0141 Table of contents 1 Introduction...
Business 360 Online - Product concepts and features Version November 2014 Business 360 Online from Software Innovation is a cloud-based tool for information management. It helps you to work smarter with
TOGAF Certification for People Training Course Accreditation Policy January 2009 Version 1.0 Copyright, 2009, The Open Group All rights reserved. No part of this publication may be reproduced, stored in
Information technology service management Requirements for bodies providing audit and certification of IT service management systems under the APMG Certification Scheme Document Reference APMG 15/015 Introduction
Quickstart Tutorial A ClickFORMS Tutorial Page 2 Bradford Technologies. All Rights Reserved. No part of this document may be reproduced in any form or by any means without the written permission of Bradford
Rensselaer County Contract Management System VENDOR REFERENCE MANUAL Version 2.0 Table of Contents Getting Started and Logging In...4 The Contract Dashboard Tab...6 Vendor Profile Tab...9 Contract Overview
PUR1308/12 - Service Tool Minimum Requirements No. General Requirements The Supplier organisation must have 10 years or more experience in 1. developing Service software. 2. 3. 4. 5. 6. 7. 8. The Supplier
How To... Set Up Compliance Checking Criteria Contents Scope... 1 Setting Up Case Checking At Advisor Level... 1 Setting Up Case Checking At Product Level... 3 Mortgage Scoring... 5 Compliance Prompts...
Guidelines to assist with electronically registering, submitting, receiving and viewing applications for QFES Referral Agency Advice under the Sustainable Planning Act 2009. State of Queensland (Queensland
Qualified Electronic Signatures Act (SFS 2000:832) The following is hereby enacted 1 Introductory provision 1 The purpose of this Act is to facilitate the use of electronic signatures, through provisions
Litigation Support connector installation and integration guide for Summation For AccuRoute v2.3 July 28, 2009 Omtool, Ltd. 6 Riverside Drive Andover, MA 01810 Phone: +1/1 978 327 5700 Toll-free in the
Contract Management System VENDOR REFERENCE MANUAL Version 2.0 Dear County Vendor: As County Executive one of my primary goals is to leverage state-of-the art technology to increase productivity and efficiency
Extension Course -9006 Notes, Attachments, and Document Management Version 9.0 Information in this document is subject to change without notice and does not represent a commitment on the part of Technical
Plug-In How-To Guide Microsoft Word 2007-2010 Copyright Topaz Systems Inc. All rights reserved. For Topaz Systems, Inc. trademarks and patents, visit www.topazsystems.com/legal. Table of Contents Overview...
Taleo Enterprise Taleo Reporting XI3.1 - User Guide Feature Pack 12A January 27, 2012 Confidential Information and Notices Confidential Information The recipient of this document (hereafter referred to
RSPO Supply Chain Certification Systems November 2009 Approved by RSPO Executive Board 5 November 2009 1 History of Document These RSPO Supply Chain Certification Systems are based on the outcome of the
esignature FAQ s Table of Contents Getting Started:... 3 How do I sign-up to be a Sender?... 3 How do I sign-up to be an Author?... 3 Do people who sign documents need an esignature account?... 3 Where
Regulations for the certification of environmental management systems in conformity with UNI EN ISO 14001:2004 00 24/04/2013 Annulla e sostituisce il documento Regulations for the certification of environmental
ArcMail Technology Defender Mail Server Configuration Guide for Microsoft Exchange Server 2003 / 2000 Version 3.2 ArcMail Technology 401 Edwards Street, Suite 1601 Shreveport, LA 71101 Support: (888) 790-9252
Digital Signature Certification Workflow This document goes through a workflow of how to create a set of plans that contain an Adobe CDS digital signature using Adobe Acrobat X Pro. There are several variances
ADP Workforce Now Security Guide Version 2.0-1 ADP Trademarks The ADP logo, ADP, and ADP Workforce Now are registered trademarks of ADP, Inc. Third-Party Trademarks Microsoft, Windows, and Windows NT are
Publication Reference EA IAF/ILAC-A4: 2004 EA IAF/ILAC Guidance on the Application of ISO/IEC 17020:1998 PURPOSE This guidance document is for ISO/IEC 17020: General Criteria for the operation of various
Integrated Cloud Environment Box User s Guide 2012-2015 Ricoh Americas Corporation It is the reader's responsibility when discussing the information contained this document to maintain a level of confidentiality
BU Digital Print Service High Resolution PDFs Introduction As part of the BU Digital Print service files can be uploaded to the Web to Print (W2P) portal for printing however the quality of the print is