SSAC Advisory on Registrant Protection: Best Practices for Preserving Security and Stability in the Credential Management Lifecycle (R-1)


Description:

The ICANN Compliance Department should publish data about the security breaches that registrars have reported in accordance with the 2013 RAA.


STATUS UPDATES

| Date | Phase | Type | Status Updates |

 

| | Closed | Phase Change | SAC074 Recommendation 1 is Closed. |

 

| | Phase 5 | Phase Update | Completion letter sent to Board on 12 June 2018 (https://www.icann.org/en/system/files/correspondence/namazi-to-chalaby-12jun18-en.pdf) [SAC074 Recommendation 1]: On 4 Feb 2018, the ICANN Board took a resolution directing the President and CEO, or his designee(s), to implement the advice as described in the scorecard: https://www.icann.org/en/system/files/files/resolutions-implementation-recs-ssac-advice-scorecard-04feb18-en.pdf. Per the direction from the ICANN Board, the ICANN org Contractual Compliance department will add the requested data to its existing public reporting. |

 

| | Phase 3 | Board Update | Resolved (2018.02.04.07), the Board adopts the scorecard titled "Implementation Recommendations for SSAC Advice Document SAC074" [PDF, 49 KB], and directs the President and CEO, or his designee(s), to implement the advice as described in the scorecard. Rec 1 ICANN Organization Implementation Recommendation & proposed implementation plan: Implementation is recommended. The Contractual Compliance department will add the requested data to its existing public reporting. See full resolution at https://www.icann.org/resources/board-material/resolutions-2018-02-04-en#1.f. |

 

| | Phase 5 | Phase Update | The ICANN org understands this recommendation to mean that ICANN should provide regularly updated data about security breaches reported in accordance with the 2013 Registrar Accreditation Agreement (RAA), paragraph 3.20. This data should include statistics about the number of security breaches, the number of registrars affected, the aggregate number of registrants affected, and the high-level causes of the breaches. On 4 Feb 2018, the ICANN Board took a resolution directing the President and CEO, or his designee(s), to implement the advice as described in the scorecard: https://www.icann.org/en/system/files/files/resolutions-implementation-recs-ssac-advice-scorecard-04feb18-en.pdf. Per the direction from the ICANN Board, the ICANN org will address the advice items as described in the adopted implementation recommendations and continue to provide updates to the SSAC and community on these advice items. |

 

| | Phase 5 | Phase Change | SAC074 Recommendation 1 is Open in Phase 5: Close |

 

| | Phase 3 | Phase Update | ICANN received SSAC's approval of understanding and is in the process of evaluating the advice. Updated 2 Aug 2017: Our understanding of this advice is that ICANN should provide regularly updated data about security breaches reported in accordance with the 2013 Registrar Accreditation Agreement (RAA), paragraph 3.20. This data should include statistics about the number of security breaches, the number of registrars affected, the aggregate number of registrants affected, and the high-level causes of the breaches. |

 

| | Phase 3 | Phase Update | ICANN received SSAC's approval of understanding and is in the process of evaluating the advice. Our understanding of this advice is that ICANN should provide regularly updated data about security breaches reported in accordance with the 2013 Registrar Accreditation Agreement (RAA), paragraph 3.20. This data should include statistics about the number of breaches, the number of registrars affected, the aggregate number of registrants affected, and the high-level causes of the breaches. |

 

| | Phase 3 | Phase Change | SAC074 Recommendation 1 is Open in Phase 3: Evaluate & Consider |

 

| | Phase 2 | AP Feedback | SSAC confirmed the understanding. |

 

| | Phase 2 | Board Understanding | Our understanding of this advice is that ICANN should provide regularly updated data about security breaches reported in accordance with the 2013 Registrar Accreditation Agreement (RAA), paragraph 3.20. This data should include statistics about the number of breaches, the number of registrars affected, the aggregate number of registrants affected, and the high-level causes of the breaches. The SSAC does not recommend at this time whether specific registrars' names should be published. Based on this understanding, ICANN staff notes that in consultation with a volunteer advisory panel, we are considering publishing, biannually, the total number of breach reports received as part of the gTLD Marketplace Health Index initiative. This process will require manual collection and tabulation of data. In the future, this effort could be simplified once registrar data is fully migrated to the new Salesforce platform, as the current data management system (RADAR) is not capable of storing or reporting on incidence of registrar security breach notices. |

 

| | Phase 1 | Phase Update | SSAC published SAC074: SSAC Advisory on Registrant Protection: Best Practices for Preserving Security and Stability in the Credential Management Lifecycle: https://www.icann.org/en/system/files/files/sac-074-en.pdf. |