[Ssr2-review] ICANN SSR answers

Jennifer Bryce jennifer.bryce at icann.org
Tue Apr 30 08:02:30 UTC 2019


Dear Scott, dear Noorul,

The below answer in highlight has been added to the Q&A Google doc: https://docs.google.com/document/d/14eJwDGP-LvS9ltTmZoh1i19Fi0_pB2nJ4JYMsS7lsco/edit?usp=sharing. Please let us know if you have any questions.

Review Team volunteers: Scott, Noorul
Workstream: ICANN SSR
Topic 4: Perform an assessment of how effectively ICANN has implemented its Security Incident Management and Response Processes to reduce (pro-active and reactive) the probability of DNS-related incidents.

Outstanding questions: 0

Q: Which certifications is ICANN pursuing for the organisation and staff?
A: The certifications undertaken in ICANN are dependent on job function, and on a needs basis. For instance, InfoSec team members and all operations members complete and maintain GIAC SANS security modules. Software engineers are incentivised to undertake Secure Software Development Lifecycle training. ICANN Managed Root Server Team members have and maintain ITIL certifications. And all staff undergo mandatory yearly end user security training that encompasses infosec hygiene practices for end users, and awareness on phishing, spear-phishing, and other social engineering attempts.

Q: Which certifications and compliance frameworks has ICANN completed?
A: ICANN was following the Center for Internet Security (CIS) controls framework, after selecting 20 controls that best applied to ICANN business and operations. Recently the decision was made to move away from CIS as it has shortcomings for the type of environment in which ICANN exists. The future framework of choice will be the NIST Cyber Security Framework (CSF), which is a better fit for ICANN and has a higher propensity for increasing the security posture to meaningful levels, inclusive of reviewing processes, for the entire ICANN Org. Work has commenced on building the ICANN Org CSF profile.

Q: Who are ICANN’s auditors, what audits are completed regularly?
A: Until recently ICANN used Leidos to complete its annual CIS audit. This has now been paused until the CSF work is done within ICANN, and an evaluation on auditors (for the ability to audit against CSF profiles) has been completed.

--
Jennifer Bryce
Senior Reviews Coordinator
Internet Corporation for Assigned Names and Numbers (ICANN)

Email: jennifer.bryce at icann.org
Skype: jennifer.bryce.icann
www.icann.org