Page History

Progress of requests is available on the SSR1 Subgroup page.

Provide additional information about soliciting consultants with a budget under $50k (no RFP needed), and the difference between engaging a consultant and an “independent expert.”

Provide feedback to the IANA subgroup team on how quickly team can expect access to documents requested once NDAs are finalized and signed.

Break out IANA subteam document requests in order of priority to help expedite access to documents, once NDAs have been finalized and signed.

Determine appropriate person to ask for training documentation for processes and procedures for PTI staff.

• SME is on vacation until 11 September.

• SME is on vacation until 11 September.

• Edits provided on list. Further updates may be provided based on ICANN's response to action item 145.

11

14 May 2017

Updated Per meeting 24: James and Kerry-Ann will provide briefing to Review Team on Non-Disclosure Agreement (NDA) and associated documents, when available. 

Review non-disclosure form with ICANN Legal and report back to RT on any updates or edits to the circulated form.

James Gannon, Kerry-Ann Barrett

• Revised draft NDA and Confidential Disclosure Agreement circulated to review team via email.
• James provided update to team via email.
• Meeting to review revised documents scheduled with ICANN Legal Friday 18th August 2017.
• Discussion with ICANN Legal took place on 5 June 2017. Kerry-Ann and James to follow-up with redline edits to document.

Respond to ICANN Travel ASAP & make flight reservations to travel to Abu Dhabi for the face-to-face meeeting.

Report to Team on potential room availability at ICANN meeting for sub-group meetings during week.

Send calendar invites for Team meeting days in Abu Dhabi and additional invites as meetings are scheduled.

• Calendar invites for face-to-face confirmed meetings sent to team.

Try www.trello.com and give your feedback on email list. Co-Chairs will assume Team members are comfortable using this unless otherwise informed.

• Access granted and request sent via Trello for all team members to access the SSR2 Review Team boards.

Sub-team realignment: Reply on email list to Eric’s Aug 14 note about folding sub-group calls into Tuesday Team call to increase engagement and visibility

Finalize questions for ICANN subject-matter experts during potential ICANN SSR subgroup meeting in LA. Distribute to staff so they can identify appropriate resources.

Request ICANN Legal to be present at ICANN SSR face-to-face meeting, October 9-10 to rule on availability of documents.

• Intermediate email response sent to Review Team.

Circulate outline of detailed work items and proposed next steps after face-to-face meeting.

Žarko, Boban

Outline in writing a request to meet with ICANN staff responsible for Information Security Management, Auditing, Risk Management and Business Continuity Management. Request to include details of expected goals and outcomes of the meeting.

Team to provide feedback on the structure of the 9 work items, including identifying items which staff may be able to provide more information or help build out.

Provide responses to questions on SSR1 briefing: Recommendations 11, 12.

Recommendation 11:

1.     What was happening in the 5 years between when the recommendation was approved by the Board and when a draft consultant report was posted in April 2017?

2.    On the status and deliverables of Rec 11 it says that ICANN has implemented measures of success for the gTLDs, but we haven’t seen how you’ve implemented measures of success for new gTLDs and IDNs. That’s the first check mark, but what we’ve been provided with is a draft report of some ideas that you could do. How is that considered full implementation of this recommendation?

3.     Do you think it is ICANN staff’s responsibility to gather, analyze and publish this data or do you feel that it’s ICANN’s responsibility to facilitate others to do that?

4.     In a commercialized world of DNS service provision where data is considered to be a corporate asset, do you feel that either ICANN or the community at large have access to meaningful metrics? I cite the barriers that exist on information on root servers. Is this a barrier to the entire objective, that access to data appears to be challenging?

5.     The SSR1 review team called out a number of activities that were operational and within staff’s purview and contained in the SSR framework and called for implementation of measurements and metrics.  Was that work done and is it captured anywhere? To clarify, as part of the SSR1 report related to rec 11, the SSR1 review team noted ICANN administration of the new gTLD Program, IDN program, significant SSR related issues that are in the framework. They called for more specific goals, measurements and impact assessment. Was that work done and is it captured somewhere else?

6.     Is there more information on the steps that ICANN has taken in the past five years to facilitate data access and activities that involved other entities that had ownership or responsibilities on related activities?

7.     Broadly, in looking at the dashboard for rec 11 and all the checkmarks including operational items, it’s really unclear how staff defined and measured success related to SSR. It’s hard to see how the basic sprit of this recommendation was implementation, especially with an idea paper from a consultant. But in terms of the last 5 years and what staff did to implement, it’s unclear. Can you gather more information and provide more clarity and facts?

Recommendation 12:  

8.With regards to establishing best practices and integrating these into agreements to which ICANN enters: It’s linked to a paper that raises a whole host of issues and addresses proposed activities but it’s unclear how that then relates to integrating those into agreements into which ICANN has entered over the past 5 years. Can you provide more specific information on how best practices are reflected in agreements that ICANN has entered into?

9.  ‘Addressing SSR practices in MOUs’ links to a page that holds all of the MOUs. Can you provide some quantification of SSR-related practices in MOUs and more information on which ones contain SSR-related practices, which practices they contain, and how all that’s tracked or the implementation is assessed?

10.  Is there any quantification or more detailed information on what the working relationship with the APWG has yielded?

11. Which sections of the revised new gTLD registry agreement does OCTO staff feel advance SSR best practices and objectives?

12. What has changed after the implementation of Rec#12 as compared with the past?

1. In progress

2. In progress

3. Question answered during the call. See meeting record.

4. Geoff Huston (asker) clarified that he feels this is a question for the review team to answer, not ICANN Org.

5. Clarity requested via email. Awaiting input from Denise.

6. Clarity requested via email. Awaiting input from Denise.

7. In progress

8. In progress

9. Clarity requested via email. Awaiting input from Denise.

10. Question answered via email.

11. In progress

12. Question answered during the call. See meeting record.

• ICANN staff working to schedule webinars for the community.
• Briefing confirmed for 25 June 2017. Postponed per Co-Chairs.

• Briefing scheduled for 5 September 2017.
• Briefing confirmed for 25 July 2017. Postponed per Co-Chairs
• Briefing confirmed for 26 June 2017. Postponed per Co-Chairs.

13 June 2017

• 68. b. Follow-up via email: Please provide a written explanation as to how the original question was felt to be objectionable.
  
  
• 68. a. ICANN DNS Engineering team to reframe the following question and provide an answer (Q3 from SSR2 Plenary 14, 6 June GSE presentation) so as to better align with the RT mandate: Regarding L-root operations and hosting: What is the planning process vs. passive response? Is there a master plan for anyone who operates, in terms of Anycast? And how is that overall process implemented? (GH) 

• 68. a. Question reframe response circulated via email 11 July 2017.
• 68. a. ICANN DNS Engineering team provided proposed reframe of the question: "What measures are undertaken by ICANN for the anycast deployment for L-Root to ensure physical and network security and stability?"

68.a. 11 July 2017

11

14 May 2017

• 43. b. Follow-up via email: Could you please clarify when ITHI will start regularly publishing (or giving the public access to) data? It seems that the “schedule” below is about discussions rather than production, or am I misunderstanding?

• 43. a. Provide the SSR2 RT a timeline of the ITHI project, when they have clarity on next steps and schedules.

• 43. a. Email circulated to Review Team 26 June 2017.

43. a. 26 June 2017

The ICANN security team (now OCTO/SSR) developed a framework that provided a definition for "security".  The SSR2 team used that definition. The Board response to the Terms of Reference expressed that this definition is too broad for the Review Team’s use. Is Board asking staff to redefine definition of “security”?

Provide responses to questions from SSR1 briefings (Ops + Finance)

1. To what extent do you work with the relevant standards bodies (UNICODE and the IETF) over the issues with the use of IDNs and longer label TLDs?
2. There are many challenges in IDN WHOIS lookups.  How do we get an accurate IDN WHOIS database for the Incident Handling process?
   

3. How is the expansion of the name space with more gTLDs contributing to the security and stability of the Internet?

4. What metric is being used to ensure a "healthy" DNS marketplace?

5. How does ICANN proactively make sure to implement policy (eg. New gTLD Program expansion) in a secure and stable manner?

6. New gTLD contract has a lot on New gTLDs to make sure they are secure and stable. To clarify, the main means you see to do that in implementation is through contracts, vs.  that as an aspect? Is that the primary means for ICANN to push the SSR remit?

7. Can GDD comment on the failures of both SLAM and EBERO where they apply to RSP failure scenarios, also implementation of EBERO testing took 3 years from implementation of the first new gTLD delegation, no security review of the EBERO’s has ever taken place, what is the justification for that?

8. Can Francisco to brief us on both systems (EBERO and SLAM) from an SSR2 perspective (Rather than the SSR1 implementation perspective)?

9. I’m also looking for not how much departments are spending but how much their spending on EBERO.

10. Who will be the contracting entity for future SOC2/3 audits of PTI?
    

ICANN Org

1. In progress

2. In progress

3. In progress

8. In progress

4. Question answered during the meeting. See meeting record.

5. Question answered during the meeting. See meeting record.

6. Question answered during the meeting. See meeting record.

7. Question answered during the meeting. See meeting record.

9. Question answered via email.

10. Question answered via email

75, b. Provide responses to draft questions for ICANN Chief Innovation & Information Officer (CIO).

75. a. Prepare draft questions for ICANN Chief Innovation & Information Officer (CIO). Questions will be sent to the CIO in preparation for holding a briefing for the RT.

75.b. ICANN Org

75. a. SSR2-RT

75. b. 9 October 2017

75. a. 25 July 2017

• Staff from the ICANN CIO office will be available during the ICANN SSR subteam meeting 9-10 October to answer the questions.
• 75.a. Questions sent to ICANN CIO.

75. a. 25 July 2017

11

Draft note and summary of SSR1 implementation for ICANN to send to SSR1 team members and invite them to share their assessment with the SSR2-RT.