
Members:  

  • Boban Krsic
  • Denise Michel
  • Eric Osterweil
  • James Gannon
  • Kerry-Ann Barrett
  • Noorul Ameen


Mandate:  The sub team will be responsible for reviewing the completeness and effectiveness of ICANN's internal security processes and the effectiveness of the ICANN security framework.

Useful Links:
Where can I find sources and information?





Latest documents: 




Topic: ICANN Internal Security Processes

Related Bylaws: 4.6 (c)(ii)(A), 4.6 (c)(ii)(B), 4.6 (c)(iii)

Skillset: IT Security, Audit, Risk Management, Disaster Recovery

Work Items

  1. Scope of ICANN’s SSR responsibilities: action zone, influence zone, coordination zone.
  2. Effectiveness of ICANN’s SSR framework, SSR Plan and its implementation.
  3. Physical security requirements in place and enforcement of the minimum security specification for the DNSSEC key storage facility.
  4. Level of compliance requirements for registrar agreements.
  5. SLAM and performance indicators.
  6. ICANN’s role in helping to mitigate DDoS:
     1. Operational
     2. Other (L-root, zones ICANN is responsible for, domain name contractual obligations/compliance, security training)
  7. Measures and metrics (incorporate in all topics and sub teams)

-   What are the relevant DNS abuses, and how can the community measure them?

-   The evidence base: DNS health index and abuse data. What the evidence tells us; access to information (risks and benefits)

  8. ICANN's internal security, stability and resiliency operations:

-   Allocation of resources and priority within the organisation (includes budget and staffing)

-   Outreach and public information role (training, vulnerability disclosure, system attack mitigation, etc.)

-   Risk management, compliance with relevant frameworks.

  9. White-hat operations

-   What are the white-hat operations taken in ICANN space that may need exceptional handling (gratis registration of sink-holes, etc.)? (Can this be included in improving security of unique identifiers/threat mitigation?)

  10. The sub team will be responsible for reviewing the completeness and effectiveness of ICANN's internal security processes and the effectiveness of the ICANN security framework.
  11. Due to ICANN’s orientation to ISO/IEC 27001 (and ISO 22301? - BCMS) I would recommend providing a gap analysis against the normative requirements of the management part and Annex A of the ISO standard, based on the SoA (Scope).
  12. Perform interviews and review descriptions and evidence of (Note: gap assessment only):

-   ISMS / BCMS scope

-   Information security policy

-   Information risk assessment and risk treatment processes

-   Information security objectives

-   Information security roles and responsibilities

-   ISMS internal audit programme and results of conducted audits

-   Operational planning and control documents

-   Evidence of top management reviews of the ISMS

  13. Various others from Annex A, such as rules for acceptable use of assets, access control policy, operating procedures, confidentiality or non-disclosure agreements, secure system engineering principles, information security policy for supplier relationships, etc. (Note: gap assessment only)
  14. Categorise and prioritise the outcome of the analysis.
  15. Develop a short-, medium- and long-term schedule to implement the different controls in accordance with the requirements.
  16. Define a set of metrics to measure the effectiveness of the implementation (Note: Items 12 – 16 linked).
  17. Analyse policies and procedures that are essential to ICANN's identifier systems activities.
  18. Analyse ICANN internal procedures essential for the SSR of the organisation and its global operations.
  19. Business continuity planning
  20. Security framework
  21. Incident response planning
  22. Coordinated Vulnerability Disclosure process
  23. Assess ICANN's ability to respond to strategic threats to the unique identifiers it coordinates.
  24. Vetting process for EBERO operators.
  25. ICANN processes around vetting registry operators - Nick Shorey observer
  26. Corporate data security and/or business systems
  27. What is the scope of ICANN’s threat modeling?
  28. How effective is ICANN's risk management?
  29. How are ICANN's security efforts related to the DNS?
  30. How does ICANN measure the effectiveness of its security efforts?
  31. What are ICANN’s security efforts? (x2)
  32. Review ICANN security procedures.
  33. How are we distinguishing operational stability and security from measures that stem from compliance issues?
  34. What does “interoperable security processes” mean?
  35. What is the current state of ICANN's disaster and operational recovery planning?
  36. What is the appropriate security contingency planning framework?
  37. What is ICANN doing in the area of interoperable security standards to monitor? (ITHI)

Documents

Date | Document (versions in red are the latest) | File

Templates

Date | Document | File

Archives

Date | Document | File


