<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><br class=""></div><div class=""><div class="">Hi All,</div><div class=""><br class=""></div><div class="">Thanks Kaveh.</div><div class=""><br class=""></div><div class="">I fully agree with the board. </div><div class=""><br class=""></div><div class="">I noticed that despite our previous discussions on the scope of the ICANN SSR work, the sub-group did not take into consideration the comments and suggestions and is trying an in-depth audit as proposed initially. </div><div class=""><br class=""></div><div class="">See the URLs below</div><div class=""><br class=""></div><div class=""><a href="http://mm.icann.org/pipermail/ssr2-review/2017-June/000352.html" class="">http://mm.icann.org/pipermail/ssr2-review/2017-June/000352.html</a></div><div class=""><a href="http://mm.icann.org/pipermail/ssr2-review/2017-June/000347.html" class="">http://mm.icann.org/pipermail/ssr2-review/2017-June/000347.html</a></div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">We need to address this as soon as possible.</div><div class=""><br class=""></div><div class="">Hope this helps</div><div class=""><br class=""></div><div class="">—Alain</div></div><div class=""><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div></div><div class=""><br class=""></div><div class=""><br class=""></div><br class=""><div><blockquote type="cite" class=""><div class="">On 3 Oct 2017, at 20:57, Kaveh Ranjbar <<a href="mailto:kaveh.ranjbar@board.icann.org" class="">kaveh.ranjbar@board.icann.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: 
after-white-space;" class=""><div class=""><div class="">Dear SSR2 Team,</div><div class=""><br class=""></div><div class="">Please find below a letter from the ICANN Board, indicating our concern about the scope of Subgroup 2’s audit plan.</div><div class="">SSR2 will receive this letter through the standard board communication channel shortly, but in the meantime I thought it would be good to share the text with you, since time is of the essence.</div><div class=""><br class=""></div><div class="">Please let me know if you have any questions or comments.</div><div class=""><br class=""></div><div class="">All the best,</div><div class="">Kaveh.</div></div><div class=""><br class=""></div><div class="">=====</div><div class=""><span lang="EN-US" style="font-family: Calibri, sans-serif;" class="">To: SSR2 Team Members</span></div><div class=""><span lang="EN-US" style="font-family: Calibri, sans-serif;" class=""><br class=""></span></div><div class=""><span lang="EN-US" style="font-family: Calibri, sans-serif;" class="">The ICANN Board recently examined the proposed
work plan for SSR2’s Subteam 2 on ICANN SSR, and has identified some areas of
concern to flag for the broader Review Team. 
The mandate of the SSR2, from the Bylaws, is to perform a review of </span><span style="font-family: Calibri, sans-serif; color: rgb(51, 51, 51); background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">“</span><span style="font-family: Calibri, sans-serif;" class="">ICANN<span style="color:#333333;background:white" class="">'s
execution of its commitment to enhance the operational stability, reliability,
resiliency, security, and global interoperability of the systems and processes,
both internal and external, that directly affect and/or are affected by the
Internet's system of unique identifiers that </span>ICANN<span style="color:#333333;background:white" class=""> coordinates.” The SSR2’s working
definitions, set out in the Terms of Reference, also affirm the focus of the
SSR2’s work on the Internet’s unique identifiers:</span></span></div><div class=""><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-right:63.0pt;
mso-margin-bottom-alt:auto;margin-left:45.0pt;text-indent:-13.5pt;mso-list:
l0 level1 lfo1;tab-stops:list 36.0pt;background:white"><!--[if !supportLists]--><span style="font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Symbol;
mso-fareast-font-family:Symbol;mso-bidi-font-family:Symbol;color:#333333;
mso-ansi-language:#047F" class="">·</span><!--[endif]--><span style="font-family:"Calibri",sans-serif;mso-fareast-font-family:"Times New Roman";
mso-bidi-font-family:Arial;color:#333333;mso-ansi-language:#047F" class="">Security –
The capacity to protect and prevent misuse of Internet unique identifiers;<o:p class=""></o:p></span></p><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-right:63.0pt;
mso-margin-bottom-alt:auto;margin-left:45.0pt;text-indent:-13.5pt;mso-list:
l0 level1 lfo1;tab-stops:list 36.0pt;background:white"><!--[if !supportLists]--><span style="font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Symbol;
mso-fareast-font-family:Symbol;mso-bidi-font-family:Symbol;color:#333333;
mso-ansi-language:#047F" class="">·</span><!--[endif]--><span style="font-family:"Calibri",sans-serif;mso-fareast-font-family:"Times New Roman";
mso-bidi-font-family:Arial;color:#333333;mso-ansi-language:#047F" class="">Stability –
The capacity to ensure that the Identifier System operates as expected and that
users of unique identifiers have confidence that the system operates as
expected;<o:p class=""></o:p></span></p><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-right:63.0pt;
mso-margin-bottom-alt:auto;margin-left:45.0pt;text-indent:-13.5pt;mso-list:
l0 level1 lfo1;tab-stops:list 36.0pt;background:white"><!--[if !supportLists]--><span style="font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Symbol;
mso-fareast-font-family:Symbol;mso-bidi-font-family:Symbol;color:#333333;
mso-ansi-language:#047F" class="">·</span><!--[endif]--><span style="font-family:"Calibri",sans-serif;mso-fareast-font-family:"Times New Roman";
mso-bidi-font-family:Arial;color:#333333;mso-ansi-language:#047F" class="">Resiliency –
The capacity of the Identifier System to effectively withstand, tolerate and
survive malicious attacks and other disruptive events without disruption or
cessation of service.<o:p class=""></o:p></span></p><p class="MsoNormal" style="mso-margin-top-alt:auto;margin-right:63.0pt;
mso-margin-bottom-alt:auto;margin-left:45.0pt;text-indent:-13.5pt;mso-list:
l0 level1 lfo1;tab-stops:list 36.0pt;background:white"><!--[if !supportLists]--><span style="font-size:10.0pt;mso-bidi-font-size:12.0pt;font-family:Symbol;
mso-fareast-font-family:Symbol;mso-bidi-font-family:Symbol;color:#333333;
mso-ansi-language:#047F" class="">·</span><!--[endif]--><span style="font-family:"Calibri",sans-serif;mso-fareast-font-family:"Times New Roman";
mso-bidi-font-family:Arial;color:#333333;mso-ansi-language:#047F" class="">Unique
Identifiers - ICANN’s technical mission includes helping to coordinate, at the
overall level, the allocation of the Internet’s system of unique identifiers:
specifically, top-level domain names, blocks of Internet Protocol (IP)
addresses and autonomous system (AS) numbers allocated to the Regional Internet
Registries, and protocol parameters as directed by the IETF.<o:p class=""></o:p></span></p><p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
background:white"><span style="font-family:"Calibri",sans-serif;mso-fareast-font-family:
"Times New Roman";mso-bidi-font-family:Arial;color:#333333;mso-ansi-language:
#047F" class="">As the Board noted in its 23 June 2017 response to the Terms of
Reference, the Board looks forward to providing further input once the SSR2’s
work plan is finalized and adopted. 
While the Board has not yet seen a final work plan for the review as a whole,
our examination of the Subgroup 2 work plan on the performance of an audit over
general ICANN security issues raised some scope concerns. <o:p class=""></o:p></span></p><p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;mso-fareast-font-family:
"Times New Roman";mso-ansi-language:#047F" class="">While we support the community in
receiving information necessary to perform a full and meaningful review over
ICANN’s SSR commitments, there are portions of the more detailed “audit” plan
that do not seem appropriate for in-depth investigation by the subgroup.  Maintaining a plan to proceed with detailed
assessments of these areas is likely to result in recommendations that are not
tethered to the scope of the SSR review, and as such, may not be appropriate
for Board acceptance when recommendations are issued.  This also can expand the time and resources
needed to perform this part of the review.</span></p><p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;mso-fareast-font-family:
"Times New Roman";mso-ansi-language:#047F" class="">The areas the Board is concerned
with are areas that indeed raise important organizational information security
and organizational oversight questions.  However, these are
also areas that are not segregated for community review, and are the
responsibility of the ICANN Organization (through the CEO) to perform under the
oversight of the ICANN Board.<o:p class=""></o:p></span></p><p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;mso-fareast-font-family:
"Times New Roman";mso-ansi-language:#047F" class=""> </span><span style="font-family: Calibri, sans-serif;" class="">Specifically, we are concerned with</span></p><p class="MsoNormal" style="margin-left:18.0pt;mso-pagination:none;mso-layout-grid-align:
none;text-autospace:none"><span lang="EN-US" style="font-family:"Calibri",sans-serif;
mso-bidi-font-family:Consolas" class="">1- Perform an assessment of ICANN's Information
Security Management System;<o:p class=""></o:p></span></p><p class="MsoNormal" style="margin-left:18.0pt;mso-pagination:none;mso-layout-grid-align:
none;text-autospace:none"><span lang="EN-US" style="font-family:"Calibri",sans-serif;
mso-bidi-font-family:Consolas" class="">3- Perform a comprehensive assessment of ICANN's
Risk Management Methodology and Framework;<o:p class=""></o:p></span></p><p class="MsoNormal" style="margin-left:18.0pt;mso-pagination:none;mso-layout-grid-align:
none;text-autospace:none"><span lang="EN-US" style="font-family:"Calibri",sans-serif;
mso-bidi-font-family:Consolas" class="">5- Perform a comprehensive assessment of
internal security, stability and resiliency of ICANN's operation processes and
services; and<o:p class=""></o:p></span></p><p class="MsoNormal" style="margin-left:18.0pt;mso-pagination:none;mso-layout-grid-align:
none;text-autospace:none"><span lang="EN-US" style="font-family:"Calibri",sans-serif;
mso-bidi-font-family:Consolas" class="">7- Perform an assessment how effectively ICANN
has implemented its processes to ensure compliance regarding REGISTRAR
agreement and the consensus policies.<o:p class=""></o:p></span></p><p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri",sans-serif;
mso-bidi-font-family:Consolas" class=""> </span><span style="font-family: Calibri, sans-serif;" class="">The Board also has concerns with two sub-questions
under section two:</span></p><p class="MsoNormal" style="text-indent:36.0pt;mso-pagination:none;mso-layout-grid-align:
none;text-autospace:none"><span lang="EN-US" style="font-family:"Calibri",sans-serif;
mso-bidi-font-family:Consolas" class="">2.7       Business
Continuity Plans (BCP)<o:p class=""></o:p></span></p><p class="MsoNormal" style="text-indent:36.0pt;mso-pagination:none;mso-layout-grid-align:
none;text-autospace:none"><span lang="EN-US" style="font-family:"Calibri",sans-serif;
mso-bidi-font-family:Consolas" class="">2.8       Evaluation
of Business Continuity Procedures</span><span style="font-family: Calibri, sans-serif;" class=""> </span></p><p class="MsoNormal"><span lang="EN-US" style="font-family:"Calibri",sans-serif;
mso-bidi-font-family:Consolas" class="">Understanding, at a high level, the work that
ICANN does on many of these fronts could be helpful to give the RT a full
picture of ICANN’s work.  That is much
different from performing detailed assessments or audits of these items. <o:p class=""></o:p></span></p><p class="MsoNormal"><span style="font-family: Calibri, sans-serif;" class="">In advance of the Subteam’s visit to the ICANN
office in Los Angeles in October 2017, the Subteam is encouraged to focus on
narrowing the areas scheduled for fuller assessment to those that are more
reasonably tethered to the expected mandate of the SSR2 team.</span><span style="font-family: Calibri, sans-serif;" class="">  </span><span style="font-family: Calibri, sans-serif;" class="">The Board supports an agenda that provides a
high-level overview of multiple topics, while also focusing the Subteam’s
face-to-face time primarily on those areas which are likely to lead to
recommendations that are within the scope of the SSR2’s mandate.</span></p><p class="MsoNormal"><span style="font-family: Calibri, sans-serif;" class="">The Board requests the SSR2 to revisit the Subteam
2 audit plan, as well as work plans across all the SSR2 Subteams, and provide
updates on those plans.</span><span style="font-family: Calibri, sans-serif;" class="">  </span><span style="font-family: Calibri, sans-serif;" class="">For Subteam 2,
the Board requests confirmation of the restructuring of its work plan prior to
the October 2017 face-to-face meeting.</span></p><div class="">=====</div><div class=""><span lang="EN-US" style="font-family:"Calibri",sans-serif" class=""> </span><br class="webkit-block-placeholder"></div>

<!--EndFragment--></div></div></div></blockquote></div><br class=""></body></html>