<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Dear Colleagues,<br>
    <br>
    As discussed yesterday during the call, regarding stress test #11, I
    would like to suggest the following edit to the "proposed
    accountability measure". <br>
    <br>
    <blockquote type="cite">
      <p class="MsoNormal"><span
          style="font-size:10.0pt;mso-bidi-font-size:
14.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;mso-ascii-theme-font:major-latin;
          mso-hansi-theme-font:major-latin" lang="EN-US">No measures yet
          suggested would force ICANN
          management to execute its stated security procedures for
          employees and
          contractors.<o:p></o:p></span></p>
      <p class="MsoNormal"><span
          style="font-size:10.0pt;mso-bidi-font-size:
14.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;mso-ascii-theme-font:major-latin;
          mso-hansi-theme-font:major-latin" lang="EN-US">One proposed
          measure is to empower the
          community to force ICANN’s board to implement a recommendation
          arising from an
          AoC Review – namely, <i style="mso-bidi-font-style:normal">Security
            Stability
            and Resiliency</i>. </span></p>
    </blockquote>
    Suggested addition: best practices of accountability in terms of
    information security could be added to the CCWG recommendations.
    They include:<br>
    - adoption of audit policies including the practice of regular (at
    least once a year in terms of security) external audits, and inclusion
    of reports regarding audit policy compliance in annual reports. <br>
    - certification according to international security standards (such
    as ISO 27001), and publication of summaries of the outcome of
    certification audits (these standards generally require regular, more
    focused audits)<br>
    <blockquote type="cite">
       <a
        style="mso-comment-reference:SE_1;mso-comment-date:20150310T1555"><span
          style="font-size:10.0pt;mso-bidi-font-size:14.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;
mso-ascii-theme-font:major-latin;mso-fareast-font-family:&quot;Times
          New Roman&quot;;
          mso-hansi-theme-font:major-latin;mso-bidi-font-family:&quot;Times
          New Roman&quot;;
mso-ansi-language:EN-US;mso-fareast-language:EN-US;mso-bidi-language:AR-SA"
          lang="EN-US">Another
          possibility is to empower the community to force ICANN to
          respond to security
          recommendations from advisory committees such as SSAC.</span></a><br>
    </blockquote>
    <br>
    While this is typically work stream 2, I guess we'd better record it
    right away. <br>
    <br>
    I also believe this type of recommendation could be helpful with
    regard to stress tests #1 and #2 and, more generally, to
    demonstrate ICANN's accountability to its purpose of excellence in
    operations. Commitment to business excellence standards and external
    assessments would certainly be appropriate, not only for IANA
    operations but for all of ICANN's operations, from the most
    technically oriented to the organisation of meetings or support of
    policy decisions. I can testify to this first-hand since this is a
    key reason why Afnic (other ccTLD managers did that as well) engaged
    in both EFQM external assessments (to demonstrate the excellence
    of our operations to our customers and stakeholders) and ISO 27001
    (for the security aspects). <br>
    <br>
    Best<br>
    Mathieu<br>
    <br>
    <div class="moz-cite-prefix">On 11/03/2015 02:28, Samantha Eisner
      wrote:<br>
    </div>
    <blockquote cite="mid:D124E808.24120%25samantha.eisner@icann.org"
      type="cite">
      <div>Hi everyone, </div>
      <div><br>
      </div>
      <div>In advance of our call later, here are some comments,
        questions and proposed edits.</div>
      <div><br>
      </div>
      <div>Best,</div>
      <div><br>
      </div>
      <div>Sam</div>
      <div><br>
      </div>
      <span id="OLK_SRC_BODY_SECTION">
        <div style="font-family:Calibri; font-size:11pt;
          text-align:left; color:black; BORDER-BOTTOM: medium none;
          BORDER-LEFT: medium none; PADDING-BOTTOM: 0in; PADDING-LEFT:
          0in; PADDING-RIGHT: 0in; BORDER-TOP: #b5c4df 1pt solid;
          BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
          <span style="font-weight:bold">From: </span>Steve DelBianco
          &lt;<a moz-do-not-send="true"
            href="mailto:sdelbianco@netchoice.org">sdelbianco@netchoice.org</a>&gt;<br>
          <span style="font-weight:bold">Date: </span>Friday, March 6,
          2015 at 8:19 PM<br>
          <span style="font-weight:bold">To: </span>Cheryl Langdon-Orr
          &lt;<a moz-do-not-send="true"
            href="mailto:langdonorr@gmail.com">langdonorr@gmail.com</a>&gt;,
          "<a moz-do-not-send="true"
            href="mailto:ccwg-accountability4@icann.org">ccwg-accountability4@icann.org</a>"
          &lt;<a moz-do-not-send="true"
            href="mailto:ccwg-accountability4@icann.org">ccwg-accountability4@icann.org</a>&gt;<br>
          <span style="font-weight:bold">Cc: </span>ACCT-Staff &lt;<a
            moz-do-not-send="true" href="mailto:acct-staff@icann.org">acct-staff@icann.org</a>&gt;<br>
          <span style="font-weight:bold">Subject: </span>[ST-WP] nearly
          complete draft of Applying Stress Tests<br>
        </div>
        <div><br>
        </div>
        <div>
          <div style="word-wrap: break-word; -webkit-nbsp-mode: space;
            -webkit-line-break: after-white-space; color: rgb(0, 0, 0);
            font-size: 16px; font-family: Calibri, sans-serif;">
            <div>Cheryl and team — the attached is a nearly-complete
              draft of how we might apply those
              <a moz-do-not-send="true"
href="https://community.icann.org/display/acctcrosscomm/ST-WP+--+Stress+Tests+Work+Party">25
                Stress Tests</a> to what the CWG and CCWG are presently
              considering. </div>
            <div><br>
            </div>
            <div>As we’ve said, you can’t apply stress tests
              definitively until you have a defined mechanism/structure
              to test.   </div>
            <div><br>
            </div>
            <div>Nonetheless, we’ll do our best with the proposed
              mechanisms at this point. </div>
            <div><br>
            </div>
            <div>Please review over the weekend and provide edits.  We
              can discuss on our call Wednesday 11-March at 11:00 UTC.</div>
            <div><br>
            </div>
            <div>Regards,</div>
            <div>Steve</div>
            <div><br>
            </div>
            <div>
              <div id="MAC_OUTLOOK_SIGNATURE">
                <div>—</div>
                <div>
                  <div>Steve DelBianco</div>
                  <div>Executive Director</div>
                  <div>NetChoice</div>
                  <div><a moz-do-not-send="true"
                      href="http://www.netchoice.org/">http://www.NetChoice.org</a> and <a
                      moz-do-not-send="true"
                      href="http://blog.netchoice.org/">http://blog.netchoice.org</a></div>
                  <div>+1.703.615.6206</div>
                </div>
                <div><br>
                </div>
                <div><br>
                </div>
              </div>
            </div>
          </div>
        </div>
      </span>
      <br>
      <br>
      <pre wrap="">_______________________________________________
Ccwg-accountability4 mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ccwg-accountability4@icann.org">Ccwg-accountability4@icann.org</a>
<a class="moz-txt-link-freetext" href="https://mm.icann.org/mailman/listinfo/ccwg-accountability4">https://mm.icann.org/mailman/listinfo/ccwg-accountability4</a>
</pre>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
*****************************
Mathieu WEILL
AFNIC - Director General
Tel: +33 1 39 30 83 06
<a class="moz-txt-link-abbreviated" href="mailto:mathieu.weill@afnic.fr">mathieu.weill@afnic.fr</a>
Twitter : @mathieuweill
*****************************
</pre>
  </body>
</html>