Comment Close
Date		Statement
Name 

Status

Assignee(s) and
RALO(s)

Call for
Comments		Call for
Comments
Close 		Vote
Announcement 		Vote OpenVote
Reminder		Vote CloseDate of SubmissionStaff Contact and EmailStatement Number
13.09.2013DNS Risk Management Framework Report  CommentingJulie Hammer (APRALO)TBCTBCTBCTBCTBCTBCTBCPatrick Jones
patrick.jones@icann.org		TBC
Comment / Reply Periods (*)
Comment Open Date: 
23 August 2013
Comment Close Date: 
13 September 2013 - 23:59 UTC
Reply Open Date: 
14 September 2013
Reply Close Date: 
5 October 2013 - 23:59 UTC
Important Information Links
Public Comment Announcement
To Submit Your Comments (Forum)
View Comments Submitted
Brief Overview
Originating Organization: 
DNS Risk Management Framework Working Group
Categories/Tags: 
  • DNS
  • Security/Stability
Purpose (Brief): 

The Board-level DNS Risk Management Framework Working Group (DNS RMF WG) has received a final report from Westlake Governance following the ICANN Durban meeting. The Working Group is initiating a public comment cycle on the DNS Risk Management Framework report prior to sending the Framework to the ICANNBoard and staff for implementation. Public comments are welcomed on the document and proposed approach to risk management for the areas described in the report.

Current Status: 

The draft Framework was presented at the ICANN Beijing meeting. A draft report was delivered for the ICANNDurban meeting, and the DNS RMF WG has opened the document to a public comment cycle.

Next Steps: 

Following public comment, the Framework report will be delivered to the ICANN Board and staff for implementation.

Staff Contact: 
Patrick Jones
Email Staff Contact
Detailed Information
Section I: Description, Explanation, and Purpose: 

The DNS Risk Management Framework Working Group (DNS RMF WG) has received the following report prepared by Westlake Governance on a DNS Risk Management Framework for ICANN. A draft of the report was presented to the community at the ICANN Durban meeting. The Framework report has been revised, and the Working Group is now initiating a public comment cycle on the DNS Risk Management Framework Report.

At the conclusion of the public comment cycle, the Working Group will recommend to the ICANN Board that theDNS Risk Management Framework be transitioned to ICANN staff for implementation. Ongoing oversight of theDNS Risk Management Framework will be handled by the Board Risk Committee.

Draft ICANN DNS Risk Management Framework [PDF, 2.88 MB]

Section II: Background: 

Background on the DNS RMF WG can be found at http://www.icann.org/en/groups/other/dns-risk-mgmt.

Section III: Document and Resource Links: 

None

Section IV: Additional Information: 

None

(*) Comments submitted after the posted Close Date/Time are not guaranteed to be considered in any final summary, analysis, reporting, or decision-making that takes place once this period lapses.

FINAL VERSION TO BE SUBMITTED IF RATIFIED

The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote. 

FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.

FIRST DRAFT SUBMITTED

The ALAC has considered the Final Report submitted by Westlake Governance on an ICANN DNS Risk Management Framework and offers the following comments.  The report provides a framework at a relatively high level, that draws on and combines several other frameworks (Mikes and Kaplan, Capability Maturity Model, ISO31000) and tailors them to some degree to the ICANN context of DNS risk.  While it may be highly open to debate whether the proposed framework is optimal for ICANN, and individuals will have very different views based on their own experience of risk management and their place within the ICANN Community, to some extent the fact that a risk management framework exists and is utilised to force rigour into the consideration of risk is an important outcome. 

The detail of the proposed Framework contained within the report would need to be further developed by ICANN Staff, with some input from the ICANN Community, before implementation would be feasible.  In particular, the establishment of the proposed Expert Panel (previously called the Risk Advisory Group in the 24 June 13 draft), as detailed in the Appendix 4 Terms of Reference,  constitutes a significant new permanent volunteer resource within ICANN.  The Risk Register Template (Appendix 6) and Risk Mitigation Schedule (Appendix 7) are highly simplistic, without any metrics, and require a great deal of expansion and adaptation for the assessment and mitigation of DNS risk. Furthermore, the estimation of resourcing required  (ie the information on the 'what, who and when' part of the process) seems to be pitched at what is required for the maintenance of an ongoing Risk Management system, but the ALAC considers that the initial implementation would need a much more concerted effort with considerable resourcing, both staff (ICANN the Organisation) and volunteer (ICANN the Community).  The ALAC recommends that ICANN Staff examine in greater detail the resource implications of initial implementation and ongoing maintenance of this specific Risk Management Framework before recommending to the ICANN Board whether it, or some variation of it, should be adopted.

On a more general note, the ALAC is extremely disappointed that the Framework as proposed in the Final Report has not built in any substantial way on the work undertaken by the DSSA Working Group.  Most disturbingly, the instigation of this study led to a suspension of the important work of the DSSA, and effectively caused that group to lose all momentum for the continuation of the security risk assessment tasks.