ToCs#2
josilva15 committed Aug 14, 2024
1 parent 8c492c3 commit 82ac603
Showing 2 changed files with 2 additions and 24 deletions.
9 changes: 0 additions & 9 deletions Legal and Security/check_a_difital_cerificate.markdown
Expand Up @@ -9,20 +9,12 @@ Now that we are eSigning documents and receiving eSigned documents, it is import

**Please note that the steps below to verify a digital certificate are the same for a document signed using iSign or any other valid platform to electronically sign (DocuSign for instance). You might be interested to check a certificate that has been signed by a partner using another solution.**

**Table of contents:**
- [Responsability](#item-one)
- [Key Points](#item-two)
- [Advanced eSignature - How to verify a Digital signature?](#item-three)

<!--headings-->
<a id="item-one></a>
# Responsibility

The person representing ICRC in a contract, has to ensure the signatories (External party) identify and has all power of signature for this external party (Register of Commerce). If unsure contact OCLA.

When ICRC Staff signs a contract with an electronic signature software different from ICRC's iSign, it is ICRC Staff who signs the contract to ensure the contract complies with legal aspect, with support of OCLA.

<a id="item-two></a>
# Key points

- Digital signing is a cryptographic process. A timestamp and a unique number are assigned to a document, once signed.
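Review bot: the table of contents is deleted from check_a_difital_cerificate.markdown with nothing added in its place (0 additions in this file), while legal_considerations.markdown in the same commit gains a `{:toc}` marker. If a generated table of contents is intended on both pages, add the marker here as well, below the bold note and above `# Responsibility`. Dropping `<a id="item-one></a>` and `<a id="item-two></a>` is right, since both were missing the closing quote on the `id` value. The file name is still misspelled (`difital_cerificate`); renaming it to `check_a_digital_certificate.markdown`, with links updated, would fit this cleanup.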
Expand All @@ -34,7 +26,6 @@ When ICRC Staff signs a contract with an electronic signature software different
- The process to verify the Digital signature is the same when the document is signed using our internal platform (iSign/OneSpan Sign) or if the document is issued from another platform proposed by an external partner (DocuSign, Swiss Sign, Adobe...).
- Duration of the validity of the Digital certificate is not a point/ a signature has to be valid at the moment of the signing process (a person's role in a company might change/what matters are the responsibilities of the person at the time of the signature).

<a id="item-three></a>
# Advanced eSignature - How to verify a Digital signature?

To make sure the Advanced Signature applied on the document is valid, you need to:
17 changes: 2 additions & 15 deletions Legal and Security/legal_considerations.markdown
Expand Up @@ -15,21 +15,12 @@ In Switzerland, the validity and legality is governed by *ZertES* which is a Sw

ICRC contracts have been adapted in 2020 or 2021 to recognize eSignature. The SoW was updated at that time with the following sentence *“The Parties also recognize as legally valid and binding the electronic execution/signature of this agreement and any amendment thereto through (i) digital signature module or tool or (ii) captioning the signature and inserting it electronically in the appropriate field/s"*. A review of our general terms and conditions (T&Cs) to include a similar clause in it is also planned.

**Table of contents:**
- [EIDAS](item-one)
- [GDPR](item-two)
- [ZertES](item-three)
- [Criteria for legally binding signatures](item-four)
- [Information security](item-five)
- [Data Protection considerations](item-six)

<!--Headings-->
<a id="item-one></a>
{:toc}

# EIDAS

The eIDAS(electronic Identification, Authentication, and trust Services), which became an established EU regulation in July 2014, extensively covers laws around electronic identification, digital certificates, electronic seals, timestamps, and the legality of electronic signatures. The idea behind eIDAS is to create a uniform law that applies to every member state within the EU so that electronic identification information could be accepted from every EU member state. Regarding electronic signatures, eIDAS segments digital signatures into three separate categories, each more secure than the last.

<a id="item-two></a>
# GDPR

The EU’s General Data Protection Regulation (GDPR) aims to harmonize data privacy laws across Europe.
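Review bot: the added `{:toc}` line stands alone, with no list item above it. Assuming the site is rendered with kramdown (the `{:toc}` syntax is kramdown's), the marker only produces a table of contents when it is attached to a list, so put a placeholder item such as `* TOC` on the line immediately before `{:toc}`; as written, no contents list is likely to be generated. Removing the hand-written list is reasonable, since its links were written as `(item-one)` without a leading `#` and the anchor `<a id="item-one></a>` lacked its closing quote.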
Expand All @@ -43,14 +34,12 @@ While the regulation doesn’t take aim at electronic signatures specifically, i

Organizations seeking to utilize an electronic signature solution should understand the EU’s stance on these topics since they will be responsible for capturing and maintaining private information over an extended period in the form of contracts and digital agreements.

<a id="item-three></a>
# ZertES

Organizations seeking to utilize an electronic signature solution should understand the EU’s stance on these topics since they will be responsible for capturing and maintaining private information over an extended period in the form of contracts and digital agreements.

On December 19, 2003, ZertES, the Swiss Federal law regarding the use of certification services with electronic signatures was approved into law. This legislation regulates the conditions in which trust service providers may use certification services with electronic signatures. Additionally, ZertES, provides a framework that specifies the provider’s rights and obligations when providing certification services. An electronic signature in the understanding of ZertES refers to data in electronic form, attached to or associated with other data in electronic form , serving to authenticate the former. So far, ZertES does not further specify how electronic signatures shall be technically implemented. However, to facilitate the international use of electronic signatures and their legal recognition, the Swiss Federal Council made international agreements and notably accepts electronic signatures, technically implemented as digital signatures following the following standards: XAdES, PAdES, CAdES.

<a id="item-four></a>
# Criteria for legally binding signatures

As a general rule, legally binding e-signatures must:
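Review bot: in the context under `# ZertES`, the first paragraph ("Organizations seeking to utilize an electronic signature solution should understand the EU's stance ...") repeats the closing paragraph of the GDPR section word for word and speaks about the EU rather than Swiss law. Since this hunk already touches the section, remove the duplicate so that ZertES opens with the "On December 19, 2003" paragraph.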
Expand All @@ -60,12 +49,10 @@ As a general rule, legally binding e-signatures must:
- The signer’s willingness to sign is demonstrated (e.g. an option to not agree is also present, such as a “cancel” button).
- The signer’s authenticity can be verified independently. This often means the presence of an email trail, timestamp, mobile phone number, and IP address. Two-step identification may also be helpful here for the purpose of attribution.

<a id="item-five></a>
# Information security

Information security incidents can have other far-reaching consequences for the organization, such as the disruption of operations and support functions affecting business continuity, financial losses in case of fraud, lawsuits brought against the ICRC by individuals or entities, failure to comply with the ICRC's legal obligations and reputation damage and loss of trust by staff, beneficiaries, interlocutors and donors. The rationale and institutional basis for protecting information at the ICRC is formally established in the ICRC Information Security Framework (ISF) (including the Information Handling Typology), the Rules on Personal Data Protection and the ICRC Code of Conduct.

<a id="item-six></a>
# Data Protection considerations

**Strictly confidential documents cannot be uploaded nor signed on iSign (Cloud platform).**