[Ssr2-review] Recent SSR2 status
denisemichel at fb.com
Thu Oct 5 23:22:33 UTC 2017
Thanks, Amin. Noted.
Domain Name System Strategy & Management
denisemichel at fb.com
From: <ssr2-review-bounces at icann.org> on behalf of Mohamad Amin hasbini <ma at mahasbini.org>
Date: Thursday, October 5, 2017 at 3:46 PM
To: SSR2 <ssr2-review at icann.org>
Subject: [Ssr2-review] Recent SSR2 status
I’ve been monitoring and mostly silent; nevertheless I feel I should share a few thoughts about recent occurrences.
While people dived into the deep processes of ICANN and the dozens of ICANN documents, history, trying to define a feasible scope, I do not think this should be the SSR2 main role.
We are experts in the infosec field, that is why we were selected. We should help ICANN do the SSR evaluation in the best possible manner.
1- We do not have full visibility on what is happening at ICANN and partner organizations (we do not work inside, we do not live inside, at least myself)
2- We will not be able to fully grasp what is happening at ICANN and partner organizations, this is not a small organization being examined.
What I think we should do as SSR2:
1- We are not supposed to get hold of all that happens at ICANN. Not even ICANN staff are able to do that and they frequently referred us to different people/employees when we had different questions.
2- We should establish a solid evaluation process where we as SSR2 members are not essential. Our main role is to offer our expertise and develop an evaluation process which guarantees integrity and transparency for the community we represent. The process should be repeatable and self-sustainable, our follow-up meetings should be to assure the process is being executed and followed accurately, keeping the ICANN board in full visibility, until ending results are achieved.
How should the SSR2 do the above mentioned:
One of the main things we need to initiate asap is supporting ICANN to contract an IT/IS risk specialized firm to handle the field work phase, part of the SSR2 roadmap.
Why do that?
Such an organization will:
1- will be onsite(s) at ICANN, with solid previous experience from hundreds of large clients, structured dedicated staff and a large toolset
2- will be able to consolidate and sharpen the scope of the SSR2 evaluation (including this phase budget)
3- will be able to execute the negotiated scope while reporting to the SSR2 and answering its experts' questions and concerns
4- will be accountable to deadlines and integrity issues
5- NDA issues solved? If we’re not doing the field work (we can’t anyway afaik), we have no need to sign any NDAs, the engaged firm would need to do so and that would be absolute standard behavior.
What would the SSR2 role be here?
As SSR2 members and experts in the field:
1- we would help ICANN negotiate the most efficient and authentic offering
2- we shall be directing the engaged firm into what we think should be prioritized (agreed as a concern with the ICANN board part of the scope)
3- we shall do our best to guarantee the objectivity and integrity of the field work, while continuously reporting results to the ICANN board
The need for SSR2 to hire and monitor for the ICANN SSR evaluation is something I personally mentioned times before, though it did not get much attention. I do not believe the SSR2 members are able to deliver quality Security Stability and Reliability evaluation by themselves for ICANN, not with any of our conditions anyway (different locations, timezones, all have job/family priorities…). Nevertheless I believe the SSR2 group of experts (or what is left of it) will have a much better chance to efficient success, overseeing/guiding the SSR evaluation field execution. Also please do not misunderstand me, SSR2 people are doing very hard work already.
While my comments are mainly targeting the SSR2 team, I also hope they are relayed to the board. I represent myself and could be mistaken; apologies for the long message.