<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=iso-8859-1"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
h1
{mso-style-priority:9;
mso-style-link:"Titre 1 Car";
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:24.0pt;
font-family:"Times New Roman","serif";
font-weight:bold;}
h3
{mso-style-priority:9;
mso-style-link:"Titre 3 Car";
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:13.5pt;
font-family:"Times New Roman","serif";
font-weight:bold;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.Titre1Car
{mso-style-name:"Titre 1 Car";
mso-style-priority:9;
mso-style-link:"Titre 1";
font-family:"Times New Roman","serif";
mso-fareast-language:FR;
font-weight:bold;}
span.Titre3Car
{mso-style-name:"Titre 3 Car";
mso-style-priority:9;
mso-style-link:"Titre 3";
font-family:"Times New Roman","serif";
mso-fareast-language:FR;
font-weight:bold;}
span.date-display-single
{mso-style-name:date-display-single;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 70.85pt 70.85pt;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:544024918;
mso-list-template-ids:-166068206;}
@list l0:level1
{mso-level-start-at:10;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l1
{mso-list-id:1038815210;
mso-list-template-ids:-2123601206;}
@list l1:level1
{mso-level-start-at:9;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l2
{mso-list-id:1927762317;
mso-list-template-ids:-1564161402;}
@list l3
{mso-list-id:1995641149;
mso-list-template-ids:96924626;}
@list l3:level1
{mso-level-start-at:6;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l4
{mso-list-id:2085449225;
mso-list-template-ids:1086647150;}
@list l4:level1
{mso-level-start-at:27;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
@list l5
{mso-list-id:2119180314;
mso-list-template-ids:2019429084;}
@list l5:level1
{mso-level-start-at:2;
mso-level-tab-stop:36.0pt;
mso-level-number-position:left;
text-indent:-18.0pt;}
ol
{margin-bottom:0cm;}
ul
{margin-bottom:0cm;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=FR link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'><a href="http://www.icann.org/en/news/announcements/announcement-20aug12-en.htm">http://www.icann.org/en/news/announcements/announcement-20aug12-en.htm</a><o:p></o:p></span></p><h1><span lang=EN-US style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Update to DNS Risk Management Framework Consultant RFP – Responses to Questions Received<o:p></o:p></span></h1><p class=MsoNormal><span class=date-display-single><span lang=EN-US style='font-size:12.0pt;font-family:"Arial","sans-serif"'>20 August 2012</span></span><span lang=EN-US style='font-size:12.0pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></p><p><span lang=EN-US style='font-family:"Arial","sans-serif"'>On 16 July, ICANN published a </span><span style='font-family:"Arial","sans-serif"'><a href="http://www.icann.org/en/news/announcements/announcement-16jul12-en.htm"><span lang=EN-US>request for proposals</span></a></span><span lang=EN-US style='font-family:"Arial","sans-serif"'> for an expert consultant to assist ICANN with the development of a DNS Risk Management Framework. The announcement indicated that questions on the RFP could be submitted between 1-16 August 23:59 UTC. The period to submit questions on the RFP is now closed. ICANN is providing the questions received and responses in this update so all parties interested in responding to the call for proposals may have the same information.<o:p></o:p></span></p><p><span lang=EN-US style='font-family:"Arial","sans-serif"'>The deadline for responses to the call for proposals is <strong><span style='font-family:"Arial","sans-serif"'>31 August 2012, 23:59 UTC</span></strong>. Responses should be sent to </span><span style='font-family:"Arial","sans-serif"'><a href="mailto:drmf-rfi@icann.org"><span lang=EN-US>drmf-rfi@icann.org</span></a></span><span lang=EN-US style='font-family:"Arial","sans-serif"'> to the attention of Patrick Jones in the ICANN Security team.<o:p></o:p></span></p><h3><strong><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Questions</span></strong><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'><o:p></o:p></span></h3><h3><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Proposal Submission<o:p></o:p></span></h3><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l2 level1 lfo1'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>1.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>We would like to know if you will accept proposals for this assignment from a consortium (two consulting firms) or if you are looking for a single consultant.<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – Proposals from a consortium would be welcomed. The proposal should include a description of how the parties in the consortium would work together and interact with ICANN.<o:p></o:p></span></p><h3><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Timing<o:p></o:p></span></h3><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l5 level1 lfo2'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>2.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>What is the anticipated time span of the project, in terms of ICANN meetings elapsed, given the the required times for internal and public comment?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – Ideally, ICANN would be able to retain a consultant to begin work on this project in late September, and participate in an open community panel at the ICANN meeting in October in Toronto, Ontario. Specific timing deliverables will be set once the consultant is retained, but it the expectation from the Board-level working group that a draft DNS Risk Management Framework be available for discussion in early December 2012, and following relevant public comment periods for the ICANN Board at the ICANN meeting in Beijing, China in April 2013.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l5 level1 lfo2'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>3.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>What is the anticipated duration of the transition plan to complete the launch in terms of ICANN staff availability?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – ICANN staff will be available and following the work of the consultant throughout the project. This should reduce any delays between the start of the project and the implementation phase to operational risk management at ICANN.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l5 level1 lfo2'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>4.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>What is the anticipated start date to execute on the RFP activities?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – The consultant should be available to begin as soon as possible after the completion of the contracting process. Ideally this work should commence in late September so that there is sufficient time to start in advance of the ICANN meeting in Toronto. The Board-level working group will have a open community session at the ICANN meeting on Thursday 18 October, participation from the consultant in this session would be expected in order to use this time to interact with the community.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l5 level1 lfo2'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>5.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>When will ICANN state its decision on the winning bidder?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – ICANN intends to make its decision quickly, based on the quality of the responses received and the internal selection process. ICANN is aiming for early September to make this decision.<o:p></o:p></span></p><h3><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Staff Support<o:p></o:p></span></h3><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l3 level1 lfo3'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>6.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>What is the anticipated size of ICANN's internal team to implement the methodology and geographical location and diversity of designated staff?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – Implementation of the DNS Risk Management Framework will be led by ICANN's Security team but will involve expertise from staff in other departments, including Legal, DNS Operations, IT, Finance, IANA, among others. ICANN's staff are globally distributed, although the Security team is currently split between the East Coast and West Coast US.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l3 level1 lfo3'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>7.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>What is the makeup of the ICANN staff dedicated to executing risk management activities (number of staff, hierarchy, etc.)?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – ICANN's Security team provides staff support to the Board Risk Committee and Board-level DNS Risk Management Framework Working Group. There are ICANN staff from the Legal team providing both Board support and Executive team participation by ICANN's General Counsel. The Executive team follows risk management activities, and individual department staff track department risks.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l3 level1 lfo3'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>8.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>What is the commitment of FTEs in regards to ICANN's availability to contribute to the project efforts?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – The ICANN Security team will provide staff support to engage with the consultant on this project.<o:p></o:p></span></p><h3><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>Preparation of Materials<o:p></o:p></span></h3><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l1 level1 lfo4'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>9.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>The RFP indicates that the expert consultant will deliver a report to the Board DNS Risk Management Framework Working Group and the ICANN community. Will the deliverables that the expert consultant produces be shared verbatim with the community as public documents, or will ICANN or the expert consultant prepare summaries to be shared publically?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – The consultant should assume that the deliverables produced for the this project will be shared verbatim with the community as public documents. The consultant should also provide executive summaries where appropriate to support community comprehension of the risk framework once it is developed.<o:p></o:p></span></p><h3><span lang=EN-US style='font-size:12.0pt;font-family:"Arial","sans-serif"'>List of Tasks for a DNS Risk Management Framework<o:p></o:p></span></h3><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>10.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 2 – Risk Framework – Has ICANN previously adopted a risk management framework? </span><span style='font-family:"Arial","sans-serif"'>Which framework is it?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – Yes, ICANN has an internal enterprise risk management framework.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>11.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 2 – Risk Framework – Does ICANN have any frameworks that it is considering for adoption into their organization?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – ICANN would be receptive to practical and implementable approaches to DNS risk management.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>12.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 2 – Risk Framework – Does ICANN have an Enterprise Risk Management (ERM) framework with which this security risk management framework should align?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – ICANN has an internal enterprise risk management framework. ICANN would be receptive to practical and implementable approaches to DNS risk management.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>13.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 2 – Risk Framework – Would ICANN consider basing their risk management framework on leading practices and globally accepted frameworks such as Risk IT and COBIT5 for Security?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – COBIT is primarily an information technology process framework. The consultant should take into account the focus of the risk management framework is not entirely on information technology, but broadly on DNS risks for ICANN as an organization. COBIT5 and Risk IT can serve as examples but should not be the sole basis of the consultant's proposed framework.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>14.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 2 – Risk Framework – The list of deliverables does not clearly articulate the requirement of risk governance (e.g., risk appetite and tolerance, responsibilities and accountability for IT risk management, awareness and communication, risk culture). </span><span style='font-family:"Arial","sans-serif"'>Is this also a desired deliverable?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – Recommendations from the consultant on mechanisms for clearly articulating the requirement of risk governance would be welcomed within the context of DNS risks.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>15.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 3 – Build Consensus – How long is the public comment cycle expected to last?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>The process for ICANN's public comment cycle is described at </span><span style='font-family:"Arial","sans-serif"'><a href="http://www.icann.org/en/news/public-comment"><span lang=EN-US>http://www.icann.org/en/news/public-comment</span></a></span><span lang=EN-US style='font-family:"Arial","sans-serif"'>. The total length of the public comment cycle will depend on whether comments are received in the initial comment period, requiring a reply comment period. The Working Group envisioned public comment being conducted in the early part of 2013, although this is subject to change depending on a variety of factors.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>16.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 3 – Build Consensus – Will the Working Group provide review and comment prior to the public comment cycle? Will there be opportunity to make revisions to the framework prior to release for public comment, based on feedback from the Working Group?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span style='font-family:"Arial","sans-serif"'>Response – Yes<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>17.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 3 – Build Consensus – What measure will the Working Group utilize to gauge if consensus has been achieved?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – The Working Group seeks a DNS Risk Management Framework that will be implementable and is generally accepted by the community as meeting the deliverables in this tender.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>18.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 3 – Build Consensus – The RFP indicates that the expert consultant will "assist staff and the working group to build consensus in support of the risk management framework within ICANN (the organization and the community)." Will the expert consultant be interacting directly with the community, or will the expert consultant interact with the community only through ICANN staff?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – From a starting point, it is desired by the Board-level Working Group to have the consultant participate in the open session of the Working Group at the ICANN meeting in Toronto on 18 October 2012. This meeting will provide an opportunity for interested participants in the community to ask questions, and for the consultant to engage with those attending the meeting. It is also expected that the consultant will interact directly with experts in the community in development of the risk framework.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>19.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 4 – Risk Cycle – The RFP indicates that Task 4 is part of a "Potential Phase II". What are the determinants for whether "Phase II" will occur?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>The Board and ICANN senior management will determine next steps in the process after the delivery of the Phase 1 DNS risk management framework, including the timing and feasibility of Phase II as described in the RFP. The response to the RFP can include a description of how the consultant would consider deliverables in Phase II.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>20.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 4 – Risk Cycle – Should the proposal include estimates for potential Phase II activities?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – Yes, although this could be presented at a high level, granular detail on steps in Phase II is not required for Phase I but may be helpful for ICANN to understand the methodology that the consultant proposes to use.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>21.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 4 – Risk Cycle – What tools is ICANN utilizing today to identify, document, manage and monitor risks?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – ICANN tracks risks within its departments and also provides regular updates on key program risk areas through the relevant Board Committee, such as the Board Risk Committee, Board Finance Committee, Board IANA Committee, among others. The new gTLD program has a separate risk reporting mechanism through the Board New gTLD Committee.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>22.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 4 – Does ICANN leverage any Governance, Risk Management and Compliance (GRC) technology solutions?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – ICANN's Compliance team is in the process of developing tools to assist its efforts in managing compliance risks. ICANN would be receptive to suggestions for technology solutions that assist in making the DNS risk management framework practical and implementable once delivered by the consultant.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>23.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 4 – Risk Cycle – Does ICANN leverage previously identified and documented risks in their organization? Are there other risk activities occurring in the organization? What are they?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – ICANN conducts regular meetings of its Board Risk Committee and utilizes its previously identified and documented risks in managing risk within the organization.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>24.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 4 – Risk Cycle – Would ICANN like to include in the deliverable a baseline process, risk and control library for their key security risks?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – The primary tasks for this contract are described in the RFP. Additional information should support the delivery of a DNS risk management framework for the organization.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>25.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 4 – Risk Cycle – In addressing the risk plan (risk response strategy), does ICANN want sample test procedures included to validate the effectiveness of the risk plan in addition to monitoring procedures of key indicators?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – Yes, these can be included if they support the framework.<o:p></o:p></span></p><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l0 level1 lfo5'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>26.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>Task 4 – Risk Cycle – Would ICANN like assistance in the design and development of monitoring and dashboard reports?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – Design and development of monitoring and dashboard reporting would go toward implementation and execution of an initial cycle of the framework as part of Phase II. These suggestions could be included in the RFP but are not required at this stage.<o:p></o:p></span></p><h3><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'>General<o:p></o:p></span></h3><p style='margin-left:36.0pt;text-indent:-18.0pt;mso-list:l4 level1 lfo6'><![if !supportLists]><span lang=EN-US style='font-family:"Arial","sans-serif"'><span style='mso-list:Ignore'>27.<span style='font:7.0pt "Times New Roman"'> </span></span></span><![endif]><span lang=EN-US style='font-family:"Arial","sans-serif"'>What are the key selection criteria ICANN is using to award this RFP?<o:p></o:p></span></p><p style='margin-left:36.0pt'><span lang=EN-US style='font-family:"Arial","sans-serif"'>Response – ICANN will evaluate the responses received to identify an expert consultant that can apply risk methodologies to the unique aspects of the Domain Name System, including its international nature and multistakeholder participation. ICANN needs a consultant who can deliver a quality product in a relatively narrow period of time, that will hold up to community scrutiny and analysis.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial","sans-serif";mso-fareast-language:FR'>Glen de Saint Géry <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial","sans-serif";mso-fareast-language:FR'>GNSO Secretariat <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial","sans-serif";mso-fareast-language:FR'>gnso.secretariat@gnso.icann.org <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial","sans-serif";mso-fareast-language:FR'>http://gnso.icann.org<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:12.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p></div></body></html>