<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mv="http://macVmlSchemaUri" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Courier New";
panose-1:2 7 3 9 2 2 5 2 4 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Source Sans Pro";
panose-1:2 11 5 3 3 4 3 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.5pt;
font-family:"Courier",serif;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:"Courier",serif;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:595.0pt 842.0pt;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:230383928;
mso-list-template-ids:-64180342;}
@list l0:level1
{mso-level-start-at:3;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New",serif;
mso-bidi-font-family:"Times New Roman";}
@list l0:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l0:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1
{mso-list-id:240532659;
mso-list-template-ids:-812625242;}
@list l1:level1
{mso-level-start-at:3;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New",serif;
mso-bidi-font-family:"Times New Roman";}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1027"/>
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1"/>
</o:shapelayout></xml><![endif]-->
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Dear all,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Below are some ICANN SSR workstream answers. The complete list of questions and answers is here: <a href="https://docs.google.com/document/d/14eJwDGP-LvS9ltTmZoh1i19Fi0_pB2nJ4JYMsS7lsco/edit">https://docs.google.com/document/d/14eJwDGP-LvS9ltTmZoh1i19Fi0_pB2nJ4JYMsS7lsco/edit</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Review Team volunteers: <span style="background:yellow;mso-highlight:yellow">Russ</span></span></b><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Workstream: ICANN SSR</span></b><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Topic: Perform an assessment of internal security, stability and resiliency of ICANN's operation processes and services. </span></b><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Subtopic: DAAR<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt"> </span></b><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Q: What curated data is now considered publishable? Is there documentation with version control, is there a permanent link? <o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">A: ICANN has started to publish monthly reports to the public. Those can be found at <a href="https://www.icann.org/octo-ssr/daar">https://www.icann.org/octo-ssr/daar</a>. ICANN currently also have plans
to report the data behind these reports, number of names in zone, number of names on reputation lists by abuse type to the specific registry operators for each TLD that they manage.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> ----<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Previous question to ICANN org
<i>“We’ve been told that this particular contract that supported ICANN’s gathering of this data does not allow it to display all of this data. Once ICANN understands what can and cannot be displayed, will they come back to the Board and community with the cost
to report on everything? What would a new contract with a new provider potentially, or the same provider, need to look like in order to display more of that particular data publicly, and what would it cost?”</i><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><br>
Previous answer from ICANN org <i>“There are two things conflated here. One is the cost of curating and validating the data. This is the major cost and is covered by ICANN's budget transparency. The other is the cost of then defining which of the curated data
we can publish and presenting that to the public. It is ICANN's intention to publish as much data that our licensing allows via ODI. This cost is not yet certain as we have not finalized the possible output but it is likely to be minimal.”</i><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Q: What steps are taken to provide this crucial information? What methodology is ICANN following? Is there documentation with version control, is there a permanent link?
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">A: The steps for curating data are published in the DAAR methodology paper, posted to ICANN.org here:
<a href="https://www.icann.org/octo-ssr/daar">https://www.icann.org/octo-ssr/daar</a>. The direct link is here:
<a href="https://www.icann.org/en/system/files/files/daar-methodology-paper-30nov17-en.pdf">
https://www.icann.org/en/system/files/files/daar-methodology-paper-30nov17-en.pdf</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Outstanding questions in this topic: Yes
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">----<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Review Team volunteers: <span style="background:yellow;mso-highlight:yellow">Denise, Kerry-Ann</span><o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Workstream: ICANN SSR<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Topic: Perform an assessment how effectively ICANN has implemented its processes to ensure compliance regarding registrar agreements and the consensus policies.
<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Subtopic: OCTO, open data initiative, and GDPR<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Q: Is OCTO going to provide public information on DAAR and its findings and how much will that cost?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">A: ICANN started in February 2019, by publishing monthly reports from DAAR. We also intend to publish back dated reports. (Currently published back to June 2018.
<a href="https://www.icann.org/octo-ssr/daar">https://www.icann.org/octo-ssr/daar</a>). Further publications may be possible and will be part of discussions with the community. Note, the answer to the cost part of this question is outstanding.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Outstanding questions in this topic: Yes
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">---<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Review Team volunteers: <span style="background:yellow;mso-highlight:yellow">Matogoro, Alain, Noorul</span>
<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Workstream: ICANN SSR<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Topic: Perform an assessment of ICANN's Information Security Management System<o:p></o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Q: Please also provide information related to lines of communications in the event of a digital incident (e.g. who is ‘first responder’?)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">A: The lines of communication for digital incidents are simple and efficient and are always dependent on the incident and potential risk (encompassing impact and likelihood). Generally, and Generically, the
first responder will be the ICANN Org internal InfoSec team’s CSIRT, comprised of the ICANN Org InfoSec team. Should triage reveal that a situation should be escalated to the Senior Director of Security and Network Engineering (SaNE). Should that person be
unavailable for any reason the issue is escalated to the Chief Information Officer. In either case, upon advice from the InfoSec CSIRT, the Snr Dir of SaNE or the CIO may stand up the ICANN CIRT. The ICANN CIRT is comprised of (or their delegates): ICANN General
Counsel, VP of Communications, Director of Security Operations (Physical security), The Snr Director of Security and Network Engineering, the CIO, the responsible business owner of the impacted system, and any other Ad-Hoc subject matter experts as deemed
appropriate and relevant by the ICANN CIRT. The ICANN CIRT may/will advise the ICANN CEO at the appropriate time.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Q: Are there any changes in the organization regarding security management since October 2017?<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">A: In late 2017, the ICANN Engineering and Information Technology went through a reorg and as a part of that the ICANN Cybersecurity Team was moved under the Snr Director of Security and Network Engineering.
The Distributed Information Security Management Model (DISMM) was also adopted at that time. In June 2018 the Director of Cybersecurity (Geoff Bickers) left the ICANN organisation. Those responsibilities were transferred to the Snr Director of Security and
Network Engineering (Terry Manderson)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Q: Per ICANN org answer to a previous question, “<i>The ICANN org uses a suite of continuous improvement frameworks to drive improvement across the organization. This includes the use of audit and certification
frameworks for Engineering and IT, and IANA functions, and EFQM as a holistic framework for assessing and improving the whole organization.”</i><o:p></o:p></span></p>
<ol style="margin-top:0in" start="3" type="1">
<ul style="margin-top:0in" type="circle">
<li class="MsoNormal" style="margin-left:0in;mso-list:l0 level2 lfo3"><span style="font-size:11.0pt">Are the topics within ISM covered by these frameworks and/or standards? (ICANN should follow an organizational information security management standard like
ISO/IEC 27001 or NIST 800-xx to be sure to cover all relevant topics related to an information management security system).<o:p></o:p></span></li></ul>
</ol>
<p class="MsoNormal"><span style="font-size:11.0pt">A: Until the end of 2017 ICANN was using ISM Controls covered by Center for Internet Security Critical Security Controls (CIS 20), on evaluation it was deemed and accepted that the NIST Cybersecurity Framework
(CSF) was (by far) more applicable to ICANN and its business. It is expected that the migration from CIS 20 to NIST CSF will be completed by June 2020 with current resources.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Outstanding questions in this topic: Yes
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">---<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Review Team volunteers: <span style="background:yellow;mso-highlight:yellow">Scott, Noorul</span>
<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Workstream: ICANN SSR<o:p></o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Topic: Perform an assessment of how effectively ICANN has implemented its Security Incident Management and Response Processes to reduce (pro-active and reactive) the probability of DNS-related incidents.
</span></b><span style="font-size:11.0pt"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;vertical-align:baseline">Q: <span style="color:black">
ICANN has engaged HackerOne to run their Vulnerability Disclosure Policy (VDP) and Bug Bounty Program (BBP). However, it appears the onboarding and deployment of such program is still in progress and not complete. (<a href="https://www.icann.org/vulnerabilities"><span style="color:blue">https://www.icann.org/vulnerabilities</span></a>;
<a href="https://hackerone.com/icann)"><span style="color:blue">https://hackerone.com/icann)</span></a>. What is the timeline for completing, implementing and public launch of the VDP and BBP? Is there resourcing or budget reasons for the delay? Are reports
on incidents required? How are they released, and on what schedule? <o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:11.0pt;color:black;background:white">A: The HackerOne engagement has been completed (as of November 2018). Public reports, by ICANN, are only required if there is a resulting compromise
and operational impact on systems or data.</span><span style="font-size:11.0pt;color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Q: This vulnerability disclosure doc dates back to 2013.
<a href="https://www.icann.org/en/system/files/files/vulnerability-disclosure-05aug13-en.pdf">
https://www.icann.org/en/system/files/files/vulnerability-disclosure-05aug13-en.pdf</a>. Why have there been no obvious updates since 2013, is the process as outlined in the PDF still followed?<o:p></o:p></span></p>
<p style="margin:0in;margin-bottom:.0001pt;vertical-align:baseline">A: <span style="color:black;background:white">
The vulnerability disclosure published in 2013 has been redacted. A new internal document “InfoSec Best Practice: Vulnerability Reporting“ is used.
<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt"><o:p> </o:p></span></b></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Outstanding questions in this topic: Yes<o:p></o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt"><o:p> </o:p></span></b></p>
<p class="MsoNormal"><b><span style="font-size:11.0pt">Subtopic: Security Incident Management Process (ICANN Internal)
<o:p></o:p></span></b></p>
<p style="vertical-align:baseline"><span style="color:black;background:white">Q: Is there periodic reporting? How are incidents reported on? Is there version control, is there a permanent link?
<br>
A: Public reports are based on the ICANN Transparency Guidelines and reported here:
<a href="https://www.icann.org/cybersecurityincidentlog">https://www.icann.org/cybersecurityincidentlog</a> (as per above, note that 2013 document vulnerability-disclosure-05aug13-en.pdf has been deprecated and needs to be removed)<o:p></o:p></span></p>
<p style="vertical-align:baseline"><span style="color:black;background:white">Q: Are there formal procedures for SIMP at ICANN, can you provide a document that outlines them? Is there version control, is there a permanent link?
<br>
A: The public facing portion of incident reporting can be found here: <a href="https://www.icann.org/resources/pages/report-security-issues-2018-05-24-en">
https://www.icann.org/resources/pages/report-security-issues-2018-05-24-en</a> ( a direct link is available from the ICANN Homepage
<a href="https://www.icann.org/">https://www.icann.org/</a> under ‘contact us’)<o:p></o:p></span></p>
<p style="vertical-align:baseline"><span style="color:black;background:white">Q: Were there only incidents in 2017, nothing available about 2018 for example? Has an updated report been published?<br>
A: Please see <a href="https://www.icann.org/cybersecurityincidentlog">https://www.icann.org/cybersecurityincidentlog</a><o:p></o:p></span></p>
<p style="vertical-align:baseline"><span style="color:black;background:white">Q: Where is the “single page” you mentioned 15 months ago (see transcript) about the SIMP process? Is there a permanent link?
<br>
A: Please see : <a href="https://www.icann.org/resources/pages/report-security-issues-2018-05-24-en">
https://www.icann.org/resources/pages/report-security-issues-2018-05-24-en</a> and
<a href="https://www.icann.org/cybersecurityincidentlog">https://www.icann.org/cybersecurityincidentlog</a><o:p></o:p></span></p>
<p style="vertical-align:baseline"><span style="color:black;background:white">Q: Where is that policy that was said to be updated 15 months ago (see transcript)? Is there version control, is there a permanent link?
<br>
A: ICANN Org has a new simpler more efficient guideline. “InfoSec Best Practice: Vulnerability Reporting.” (internal doc)<o:p></o:p></span></p>
<p style="vertical-align:baseline"><span style="color:black;background:white">Outstanding questions in this topic: No<o:p></o:p></span></p>
<p><b><span style="color:black;background:white">Subtopic:</span></b><span style="color:black;background:white">
<b>Security Incident Response Process relating to a global, IANA incident (DNS-related)<o:p></o:p></b></span></p>
<p><span style="color:black;background:white">Q: How is this being done, is there a structure and process? Is there version control, is there a permanent link?
<br>
A: The same processes and best practises used at ICANN apply for the systems for IANA. However, a global issue may result in the executive Global Crisis Management Team being convened.<o:p></o:p></span></p>
<p><span style="color:black;background:white">Q: Is there periodic reporting, if so, where? Is there version control, is there a permanent link?<br>
A: The same processes and best practises used at ICANN apply for the systems for IANA. However, a global issue may result in the executive Global Crisis Management Team being convened.<o:p></o:p></span></p>
<p><span style="color:black;background:white">Outstanding questions in this topic: No<o:p></o:p></span></p>
<p><b><span style="color:black;background:white">Subtopic:</span></b><span style="color:black;background:white">
<b>ICANN operational responsibilities (L-Root)<o:p></o:p></b></span></p>
<p><span style="color:black;background:white">Q: What are the processes to secure L-Root, are they being published? As it is the “best practice” case, this appears sensible. Is there version control, is there a permanent link?<br>
A: The ICANN Managed Root Server [IMRS] publishes responses to the appropriate RSSAC publications. (<a href="https://www.dns.icann.org/rssac">https://www.dns.icann.org/rssac</a>) to date those are: RSSAC001, RSSAC002, RSSAC0024, RSSAC0037<o:p></o:p></span></p>
<p><span style="color:black;background:white">Outstanding questions in this topic: Yes<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.5pt;color:black">-- <o:p></o:p></span></p>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Source Sans Pro";color:#595959">Jennifer Bryce</span></b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Source Sans Pro";color:#595959">Senior Reviews Coordinator </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Source Sans Pro";color:#595959">Internet Corporation for Assigned Names and Numbers (ICANN)</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Source Sans Pro";color:black"> </span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Source Sans Pro";color:#595959">Email: jennifer.bryce@icann.org</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Source Sans Pro";color:#595959">Skype: jennifer.bryce.icann</span><span style="color:black"><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Source Sans Pro";color:#595959">www.icann.org</span><o:p></o:p></p>
</div>
</body>
</html>