The 27 DocuSign security checks Black Cat runs
Black Cat SSPM evaluates 27 security policies against your DocuSign configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Increase the minimum password length to at least 12 characters
Set password strength requirement to Strong in DocuSign password rules
Enable password expiration and set maximum age to 90 days or fewer
Enable account lockout policy with a lockout duration of at least 1 minute
Reduce web session timeout to 30 minutes or less in Security Settings
Reduce signing session timeout to 30 minutes or less in Security Settings
Reduce mobile session timeout to 30 minutes or less in Security Settings
Reduce the number of admin users by reassigning non-essential admins to least-privilege profiles
Remove or deactivate inactive users who have not logged in recently
Create a restricted permission profile without account management for general users
Assign ungrouped users to appropriate groups for consistent permission management
Configure SAML or OIDC SSO in DocuSign to enforce centralized authentication
Verify and claim your organization's email domain to enforce SSO and prevent unauthorized accounts
Enforce SSO for all users and enable automatic provisioning via the configured identity provider
Remove empty groups that have no members to reduce administrative clutter
Remove user management permission from profiles that do not require full account administration
Remove or disable unused permission profiles that have account management enabled
Remove admin privileges from disabled or closed user accounts
Link the reserved domain to an identity provider to enforce SSO for that domain
Disable security questions as a recovery mechanism in favor of stronger authentication methods
configuration
Disable sign-on-paper to enforce electronic-only signatures
Disable signer reassignment to prevent envelope forwarding to unintended recipients
Disable PowerForms to prevent publicly accessible signing URLs
Enable digital certificate requirement for signers to strengthen document integrity
Enable recipient domain validation to restrict which email domains can receive envelopes
Configure IP address filtering to restrict API and web access to known corporate IP ranges
Disable bulk recipients in Sending Settings unless required for documented business operations