[Ssr2-review] Recent SSR2 status

Mohamad Amin hasbini ma at mahasbini.org
Thu Oct 5 22:45:18 UTC 2017


Hi all,

I’ve been monitoring and mostly silent, nevertheless I feel i should share
few thought about recent occurrences.

While people dived into the deep processes of ICANN and the dozens of ICANN
documents, history, trying to define a feasible scope, I do not think this
should be the SSR2 main role.
We are experts in the infosec field, that is why we were selected. We
should help ICANN do the SSR evaluation in the best possible manner.

Observations:
1- We do not have full visibility on what is happening at ICANN and partner
organizations (we do not work inside, we do not live inside, at least
myself)
2- We will not be able to fully grasp what is happening at ICANN and
partner organizations, this is not a small organizations being examined.

What I think we should do as SSR2:
1- We are not supposed to get hold of all that happens at ICANN. Not even
ICANN staff are able to do that and they frequently referred us to
different people/employees when we had different questions
2- We should establish a solid evaluation process where we as SSR2 members
are not essential. Our main role is to offer our expertise and develop an
evaluation process which guarantees integrity and transparency for the
community we represent. The process should be repeatable and
self-sustainable, our follow-up meetings should be to assure the process is
being executed and followed accurately, keeping the ICANN board in full
visibility, until ending results are achieved.

How should the SSR2 do the above mentioned:
One of the main things we need to initiate asap is supporting ICANN to
contract an IT/IS risk specialized firm to handle the field work phase,
part of the SSR2 roadmap.
Why do that?
Such an organization will:
1- will be onsite(s) at ICANN, with solid previous experience from hundreds
of large clients, structured dedicated staff and a large toolset
2- will be able to consolidate and sharpen the scope of the SSR2 evaluation
(including this phase budget)
3- will be able to execute the negotiated scope while reporting to the SSR2
and answering its experts questions and concerns
4- will be accountable to deadlines and integrity issues
5- NDA issues solved? If we’re not doing the field work (we can’t anyway
afaik), we have no need to sign any NDAs, the engaged firm would need to do
so and that would be absolute standard behavior.

What would the SSR2 role be here?
As SSR2 members and experts in the field:
1- we would help ICANN negotiate the most efficient and authentic offering
2- we shall be directing the engaged firm into what we think should be
prioritized (agreed as a concern with the ICANN board part of the scope)
3- we shall do our best to guarantee the objectivity and integrity of the
field work, while continuously reporting results to the ICANN board

Final thoughts:
The need for SSR2 to hire and monitor for the ICANN SSR evaluation is
something i personally mentioned times before, though it did not get much
attention, i do not believe the SSR2 members are able to deliver quality
Security Stability and Reliability evaluation by themselves for ICANN, not
with any of our conditions anyway(different locations, timezones, all have
job/family priorities…). Nevertheless i believe the SSR2 group of experts
(or what is left of it) will have a much better chance to efficient
success, overseeing/guiding the SSR evaluation field execution. Also please
do not misunderstand me, SSR2 people are doing very hard work already.

While my comments are mainly targeting the SSR2 team, I also hope they are
relayed to the board, i represent myself and could be mistaken, apologies
for the long message.

Regards,
Amin
KL
SSC
Brunel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/ssr2-review/attachments/20171006/c7db2b4c/attachment.html>


More information about the Ssr2-review mailing list