Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

SSAC Advisory on Registrant Protection: Best Practices for Preserving Security and Stability in the Credential Management Lifecycle (R-1)


Date IssuedDocumentReference IDCurrent Phase

  

SSAC Advisory on Registrant Protection: Best Practices for Preserving Security and Stability in the Credential Management Lifecycle (R-1)SAC074

Status
colourGreen
titleClosed



Description:

The ICANN Compliance Department should publish data about the security breaches that registrars have reported in accordance with the 2013 RAA.


STATUS UPDATES

DatePhaseTypeStatus Updates

 

Phase 5ClosedPhase ChangeSAC074 Recommendation 1 is Closed.

 

Phase 5Phase UpdateCompletion letter sent to Board on 12 June 2018 (https://www.icann.org/en/system/files/correspondence/namazi-to-chalaby-12jun18-en.pdf) [SAC074 Recommendation 1]: On 4 Feb 2018, the ICANN Board took a resolution directing the President and CEO, or his designee(s), to implement the advice as described in the scorecard: https://www.icann.org/en/system/files/files/resolutionsimplementation-recs-ssac-advice-scorecard-04feb18-en.pdf. Per the direction from the ICANN Board, the ICANN org Contractual Compliance department will add the requested data to its existing public reporting.

 

Phase 3Board UpdateResolved (2018.02.04.07), the Board adopts the scorecard titled "Implementation Recommendations for SSAC Advice Document SAC074" [PDF, 49 KB], and directs the President and CEO, or his designee(s), to implement the advice as described in the scorecard. Rec 1 ICANN Organization Implementation Recommendation & proposed implementation plan: Implementation is recommended. The Contractual Compliance department will add the requested data to its existing public reporting. See full resolution at ​​https://www.icann.org/resources/board-material/resolutions-2018-02-04-en#1.f.

 

Phase 5Phase UpdateThe ICANN org understands this recommendation to mean that ICANN should provide regularly updated data about security breaches reported in accordance with the 2013 Registrar Accreditation Agreement (RAA), paragraph 3.20. This data should include statistics about the number of security breaches, the number of registrars affected, the aggregate number of registrants affected, and the high-level causes of the breaches. On 4 Feb 2018, the ICANN Board took a resolution directing the President and CEO, or his designee(s), to implement the advice as described in the scorecard: https://www.icann.org/en/system/files/files/resolutions-implementation-recs-ssac-advice-scorecard-04feb18-en.pdf. Per the direction from the ICANN Board, the ICANN org will address the advice items as described in the adopted implementation recommendations and continue to provide updates to the SSAC and community on these advice items.

 

Phase 5Phase ChangeSAC074 Recommendation 1 is Open in Phase 5: Close

 

Phase 3Phase UpdateICANN received SSAC's approval of understanding and is in the process of evaluating the advice. Updated 2 Aug 2017: Our understanding of this advice is that ICANN should provide regularly updated data about security breaches reported in accordance with the 2013 Registrar Accreditation Agreement (RAA), paragraph 3.20. This data should include statistics about the number of security breaches, the number of registrars affected, the aggregate number of registrants affected, and the high-level causes of the breaches.

 

Phase 3Phase UpdateICANN received SSAC's approval of understanding and is in the process of evaluating the advice. Our understanding of this advice is that ICANN should provide regularly updated data about security breaches reported in accordance with the 2013 Registrar Accreditation Agreement (RAA), paragraph 3.20. This data should include statistics about the number of breaches, the number of registrars affected, the aggregate number of registrants affected, and the high-level causes of the breaches.

 

Phase 3Phase ChangeSAC074 Recommendation 1 is Open in Phase 3: Evaluate & Consider

 

Phase 2AP FeedbackSSAC confirmed the understanding.

 

Phase 2Board UnderstandingOur understanding of this advice is that ICANN should provide regularly updated data about security breaches reported in accordance with the 2013 Registrar Accreditation Agreement (RAA), paragraph 3.20. This data should include statistics about the number of breaches, the number of registrars affected, the aggregate number of registrants affected, and the high-level causes of the breaches. The SSAC does not recommend at this time whether specific registrars' names should be published.   Based on this understanding, ICANN staff notes that in consultation with a volunteer advisory panel, we are considering publishing, biannually, the total number of breach reports received as part of the gTLD Marketplace Health Index initiative.  This process will require manual collection and tabulation of data.  In the future, this effort could be simplified once registrar data is fully migrated to the new Salesforce platform, as the current data management system (RADAR) is not capable of storing or reporting on incidence of registrar security breach notices.