<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Title" content="">
<meta name="Keywords" content="">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle23
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.msoIns
{mso-style-type:export-only;
mso-style-name:"";
text-decoration:underline;
color:teal;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:595.0pt 842.0pt;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:24714284;
mso-list-template-ids:-181655300;}
@list l1
{mso-list-id:229079080;
mso-list-template-ids:-914689162;}
@list l2
{mso-list-id:428087875;
mso-list-template-ids:1445890194;}
@list l3
{mso-list-id:538709722;
mso-list-template-ids:-34031384;}
@list l4
{mso-list-id:566918000;
mso-list-template-ids:-1315548854;}
@list l4:level1
{mso-level-start-at:13;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l5
{mso-list-id:605503011;
mso-list-template-ids:580656128;}
@list l5:level1
{mso-level-start-at:13;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l6
{mso-list-id:855390846;
mso-list-template-ids:2050887026;}
@list l7
{mso-list-id:964845544;
mso-list-template-ids:519839958;}
@list l8
{mso-list-id:1236629685;
mso-list-template-ids:580656888;}
@list l8:level1
{mso-level-start-at:13;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l9
{mso-list-id:1281108809;
mso-list-template-ids:-1610568206;}
@list l10
{mso-list-id:1339504875;
mso-list-template-ids:-1976805386;}
@list l11
{mso-list-id:1398938110;
mso-list-template-ids:-1787103018;}
@list l12
{mso-list-id:1549225067;
mso-list-template-ids:-1348853006;}
@list l13
{mso-list-id:1630167788;
mso-list-template-ids:-1635854158;}
@list l13:level1
{mso-level-start-at:4;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l13:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l13:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l13:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l13:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l13:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l13:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l13:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l13:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l14
{mso-list-id:1789667421;
mso-list-template-ids:1721789784;}
@list l15
{mso-list-id:1811290542;
mso-list-template-ids:-505119294;}
@list l15:level1
{mso-level-start-at:13;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l16
{mso-list-id:1817644170;
mso-list-template-ids:-2112042302;}
@list l16:level1
{mso-level-start-at:13;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l17
{mso-list-id:1830365747;
mso-list-template-ids:1426777740;}
@list l18
{mso-list-id:1852378274;
mso-list-template-ids:-1685962138;}
@list l19
{mso-list-id:1888834260;
mso-list-template-ids:-1335830074;}
@list l19:level1
{mso-level-start-at:13;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l20
{mso-list-id:1894122540;
mso-list-template-ids:1559767038;}
@list l21
{mso-list-id:1912081680;
mso-list-template-ids:-2042484570;}
@list l22
{mso-list-id:1977029816;
mso-list-template-ids:393252746;}
@list l22:level1
{mso-level-start-at:13;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l20:level2 lfo2
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l16:level1 lfo4
{mso-level-start-at:0;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l16:level1 lfo5
{mso-level-start-at:0;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l16:level2 lfo5
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l5:level1 lfo6
{mso-level-start-at:0;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l5:level1 lfo7
{mso-level-start-at:0;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l5:level2 lfo7
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l15:level1 lfo8
{mso-level-start-at:0;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l22:level1 lfo9
{mso-level-start-at:0;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l22:level1 lfo10
{mso-level-start-at:0;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l22:level2 lfo10
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l19:level1 lfo11
{mso-level-start-at:0;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l19:level1 lfo12
{mso-level-start-at:0;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l19:level2 lfo12
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l8:level1 lfo13
{mso-level-start-at:0;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l8:level1 lfo14
{mso-level-start-at:0;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l8:level2 lfo14
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l4:level1 lfo15
{mso-level-start-at:0;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l4:level1 lfo16
{mso-level-start-at:0;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l4:level2 lfo16
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l9:level2 lfo18
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l17:level2 lfo20
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l2:level2 lfo22
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l0:level2 lfo24
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l11:level2 lfo26
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l12:level2 lfo28
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l1:level2 lfo30
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l10:level2 lfo32
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l21:level2 lfo34
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l7:level2 lfo36
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l6:level2 lfo38
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l3:level2 lfo40
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l18:level2 lfo42
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
@list l14:level2 lfo44
{mso-level-start-at:0;
mso-level-number-format:alpha-lower;
mso-level-numbering:continue;
mso-level-tab-stop:none;
mso-level-number-position:left;
margin-left:0in;
text-indent:0in;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style>
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Dear SSR2 RT members, <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The below answers has been added to the Q&A Google doc: <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.google.com_document_d_14eJwDGP-2DLvS9ltTmZoh1i19Fi0-5FpB2nJ4JYMsS7lsco_edit-3Fusp-3Dsharing&d=DwMGaQ&c=FmY1u3PJp6wrcrwll3mSVzgfkbPSS6sJms7xcl4I5cM&r=VuRMFw6YascG5ysc1jEHBZgGTtD6QSLrFmqdvMx5FM8&m=hxj2juBnL5SI2_a2ShzX2n6QIksiETU2ES0QpYAdac8&s=2ccPlHIHQA6bJ48H2PKPem1o_nHyeaJbMNxUNcVNbg8&e=">https://docs.google.com/document/d/14eJwDGP-LvS9ltTmZoh1i19Fi0_pB2nJ4JYMsS7lsco/edit?usp=sharing
[docs.google.com]</a>. Please let us know if you have any questions.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal"><b>Review Team volunteers: <span style="background:yellow;mso-highlight:yellow">
Boban, </span></b><span style="background:yellow;mso-highlight:yellow">Alain, Žarko</span><o:p></o:p></p>
<p class="MsoNormal"><b>Workstream: ICANN SSR </b><o:p></o:p></p>
<p class="MsoNormal"><b>Topic 2: Perform an assessment of ICANN's Business Continuity Management System.<o:p></o:p></b></p>
<p class="MsoNormal"><b>Outstanding questions: 1</b><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Q: What is the frequency of DR testing?<o:p></o:p></p>
<p class="MsoNormal">A: As it relates to systems, disaster recovery fail-over between data centers is tested annually.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Was an impact analysis done after PTI separation to asses needed for update to BC plans?<o:p></o:p></p>
<p class="MsoNormal">A: PTI, the affiliate with which ICANN contracts for the performance of the IANA Functions, is not separate from ICANN. As noted through the IANA Stewardship Transition process, a separate contracting entity was created in the event that
it was determined that the performance of the IANA Functions needed to be separated. As anticipated, there is little functional change in how the IANA Functions are actually performed, including the systems through which those services are performed. ICANN
and PTI entered into a shared services agreement (<a href="https://www.icann.org/iana_pti_docs/153-services-agreement-v-30sep16">https://www.icann.org/iana_pti_docs/153-services-agreement-v-30sep16</a>), which is common in affiliate and spin-off relationships,
through which ICANN commits to provide services to support the IANA activities, as well as commits ICANN to coordinate and maintain business continuity efforts. As a result, the IANA Stewardship Transition did not have an impact on ICANN’s business continuity
plans.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Has ICANN implement the recommendations of the following exercise:
<i>IANA Full‐Scale Business Continuity Exercise Conducted 19 January 2010 (</i><a href="https://www.icann.org/en/system/files/files/iana-business-continuity-exercise-aar-23feb10-en.pdf"><i>https://www.icann.org/en/system/files/files/iana-business-continuity-exercise-aar-23feb10-en.pdf</i></a><i>)
</i><o:p></o:p></p>
<p class="MsoNormal">A: Yes. Over time, IANA procedures have matured and evolved to incorporate the types of recommendations in that report.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Does ICANN's top management and /or the responsible person) established and published a documented organization business continuity policy?<o:p></o:p></p>
<p class="MsoNormal">A: These documents are confidential and not published publicly for security reasons. There is an established Disaster Recovery plan for systems, a Continuity Plan for the IANA Functions, and a broader Continuity Plan under development
for the wider ICANN organization to be delivered in 2019.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Does ICANN have a documented Policy concerning the procurement, provision and management of outsourced good and services via its supply chain?<o:p></o:p></p>
<p class="MsoNormal">A: Yes. See<a href="https://www.icann.org/en/system/files/files/procurement-guidelines-21feb10-en.pdf"> https://www.icann.org/en/system/files/files/procurement-guidelines-21feb10-en.pdf</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Does ICANN have a documented business continuity operational planning and control process that enables it to determine, plan, implement and control those actions needed to fulfil its business continuity policy and objectives?<o:p></o:p></p>
<p class="MsoNormal">A: These documents are confidential and not published publicly for security reasons. There is an established Disaster Recovery plan for systems, a Continuity Plan for the IANA Functions, and a broader Continuity Plan under development
for the wider ICANN organization to be delivered in 2019.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Does ICANN have a formal documented standard procedure and evaluation process for conducting a Business Impact Analysis (BIA)?\<o:p></o:p></p>
<p class="MsoNormal">A: ICANN has carried out a BIA in the past. Providing detailed information on such results could highlight vulnerabilities to the organization. The revised Continuity Plan, discussed in response to other questions, will be more focused
on resource substitution until a disaster recovery is complete generally, rather than making scenario assumptions. BIA implies a certain speed of resource recovery which in practice may be much different than expected. That is, there should be contingency
plans for all important resources, dispensing with a detailed analysis based on recovery time assumptions which may not hold in a crisis.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Has ICANN carried out a BIA to identify its prioritized activities? If so, what was the results?<o:p></o:p></p>
<p class="MsoNormal">A: ICANN has carried out a BIA in the past. Providing detailed information on such results could highlight vulnerabilities to the organization. The revised Continuity Plan, discussed in response to other questions, will be more focused
on resource substitution until a disaster recovery is complete generally, rather than making scenario assumptions. BIA implies a certain speed of resource recovery which in practice may be much different than expected. That is, there should be contingency
plans for all important resources, dispensing with a detailed analysis based on recovery time assumptions which may not hold in a crisis.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Is there a documented Business Continuity Resumption/Recovery Strategy(ies) for the ICANN's prioritized activities their support resources and dependencies that has been signed off by top management?<o:p></o:p></p>
<p class="MsoNormal">A: These documents are confidential and not published publicly for security reasons. There is an established Disaster Recovery plan for systems, a Continuity Plan for the IANA Functions, and a broader Continuity Plan under development
for the wider ICANN organization to be delivered in 2019.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">ICANN has carried out a BIA in the past. Providing detailed information on such results could highlight vulnerabilities to the organization. The revised Continuity Plan, discussed in response to other questions, will be more focused on
resource substitution until a disaster recovery is complete generally, rather than making scenario assumptions. BIA implies a certain speed of resource recovery which in practice may be much different than expected. That is, there should be contingency plans
for all important resources, dispensing with a detailed analysis based on recovery time assumptions which may not hold in a crisis.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Is there a documented Resource Recovery Strategy for critical business activities and their dependencies that has been signed off by top management, which includes the identification of critical assets on a scheduled basis? If so, is
the strategy based upon and consistent with the resource recovery requirements identified within the current BIA in respect to ICANN's prioritized activities their support services and dependencies recovery profile?<o:p></o:p></p>
<p class="MsoNormal">A: These documents are confidential and not published publicly for security reasons. There is an established Disaster Recovery plan for systems, a Continuity Plan for the IANA Functions, and a broader Continuity Plan under development
for the wider ICANN organization to be delivered in 2019.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">ICANN has carried out a BIA in the past. Providing detailed information on such results could highlight vulnerabilities to the organization. The revised Continuity Plan, discussed in response to other questions, will be more focused on
resource substitution until a disaster recovery is complete generally, rather than making scenario assumptions. BIA implies a certain speed of resource recovery which in practice may be much different than expected. That is, there should be contingency plans
for all important resources, dispensing with a detailed analysis based on recovery time assumptions which may not hold in a crisis.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Does ICANN have documented business continuity plans in respect of each of the prioritized activities and their dependencies?<o:p></o:p></p>
<p class="MsoNormal">A: These documents are confidential and not published publicly for security reasons. There is an established Disaster Recovery plan for systems, a Continuity Plan for the IANA Functions, and a broader Continuity Plan under development
for the wider ICANN organization to be delivered in 2019.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">ICANN has carried out a BIA in the past. Providing detailed information on such results could highlight vulnerabilities to the organization. The revised Continuity Plan, discussed in response to other questions, will be more focused on
resource substitution until a disaster recovery is complete generally, rather than making scenario assumptions. BIA implies a certain speed of resource recovery which in practice may be much different than expected. That is, there should be contingency plans
for all important resources, dispensing with a detailed analysis based on recovery time assumptions which may not hold in a crisis.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Does each plan contain predefined task checklists that includes mandatory and discretionary tasks together with individuals/roles/teams responsible for their completion and a process for tracking they're completion within an allocated
timeframes?<o:p></o:p></p>
<p class="MsoNormal">A: No, as previously stated, the plan will focus on resource recovery generally.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Does ICANN have a documented exercise/testing programme and process for business continuity procedures, plans and arrangements? The last available exercise is from 2009:
<a href="https://www.icann.org/en/system/files/files/gtld-registry-continuity-plan-25apr09-en.pdf">
https://www.icann.org/en/system/files/files/gtld-registry-continuity-plan-25apr09-en.pdf</a><o:p></o:p></p>
<p class="MsoNormal">A: The referenced document relates to backup registries, rather than continuity at ICANN itself. The continuity plan being developed for the organization will include testing. Systems disaster recovery testing is done annually.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Depth of testing of DR needs to be elaborated on (Table top vs power trip). Are there any results of power trip exercises?<o:p></o:p></p>
<p class="MsoNormal">A: Systems disaster recovery tests are actual failover tests. All systems were successfully recovered failing-over from primary to secondary.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Does ICANN conduct performance evaluations of its business continuity procedures, arrangements and capabilities in order to verify their continued suitability, adequacy and effectiveness?<o:p></o:p></p>
<p class="MsoNormal">A: The continuity plan will be reviewed periodically, with testing, which would achieve what this question seems to be asking.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Does ICANN have documented boundaries and processes that have inter-org dependencies? Are they relate back to BC plans?<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:0in;text-indent:0in;mso-list:l3 level2 lfo40">
<![if !supportLists]><i><span style="mso-list:Ignore">a.<span style="font:7.0pt "Times New Roman"">
</span></span></i><![endif]><i>Clarification requested from Boban, Alain, Zarko: What is meant by “inter-org” dependencies? Which orgs? What is meant by “boundaries.”<o:p></o:p></i></p>
<p class="MsoNormal" style="margin-left:0in;text-indent:0in;mso-list:l3 level2 lfo40">
<![if !supportLists]><span style="mso-list:Ignore">b.<span style="font:7.0pt "Times New Roman"">
</span></span><![endif]>ICANN org has asked for clarification as to the meaning of this question, and is awaiting a response. That said, based on current understanding, ICANN org thinks the answer is no, not beyond the shared services agreement between ICANN
and PTI.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Does ICANN conduct internal audits at planned intervals to provide information on whether the Business Continuity Management is effectively implemented and maintained?<o:p></o:p></p>
<p class="MsoNormal">A: Periodic testing and validation by the Risk Management function will be an important part of the Continuity Plan being developed this year.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b>Review Team volunteers: <span style="background:yellow;mso-highlight:yellow">
Laurin, </span></b><span style="background:yellow;mso-highlight:yellow">Boban,<b>
</b>Žarko, Kerry-Ann</span><o:p></o:p></p>
<p class="MsoNormal"><b>Workstream: ICANN SSR </b><o:p></o:p></p>
<p class="MsoNormal"><b>Topic 3: Perform an assessment of ICANN's Risk Management Methodology and Framework.
<o:p></o:p></b></p>
<p class="MsoNormal"><b>Outstanding questions: 0<o:p></o:p></b></p>
<p class="MsoNormal"><b><o:p> </o:p></b></p>
<p class="MsoNormal">Q: As of Oct 2017, ICANN did not follow formal information security audit frameworks such as ISO 27001. Is that still the case?<o:p></o:p></p>
<p class="MsoNormal">A: That statement is incorrect. ICANN org has carried out assessments based on the CIS20 Cyber Security Framework starting in 2014. During 2018, ICANN transitioned to the NIST Cyber Security Framework. The benchmarking assessment has
been done annually by a consulting firm with expertise in such assessments. In addition, two annual information security audits are performed related to the IANA Functions. The IANA department has been performing SOC3 audits on the Root Zone Key Signing
Key Operator System since 2010, and SOC2 audits on the Registry Assignment and Maintenance System since 2013. Those audits are performed by external auditors.<o:p></o:p></p>
<p class="MsoNormal" style="vertical-align:baseline"><o:p> </o:p></p>
<p class="MsoNormal" style="vertical-align:baseline">Q: <span style="color:black">
Are there any plans to adopt a formal framework? If so, please give details of the framework, timeline for implementation and budget allocated. If not, provide reasoning for pursuing a formal framework.
<o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="color:black">A: ICANN org has carried out assessments based on the CIS20 Cyber Security Framework starting in 2014. During 2018, ICANN transitioned to the NIST Cyber Security Framework. The
benchmarking assessment has been done annually by a consulting firm with expertise in such assessments. In addition, two annual information security audits are performed related to the IANA Functions. The IANA department has been performing SOC3 audits on
the Root Zone Key Signing Key Operator System since 2010, and SOC2 audits on the Registry Assignment and Maintenance System since 2013. Those audits are performed by external auditors.<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Please provide documentation (links/perma-links) about your business continuity and risk management processes.<o:p></o:p></p>
<p class="MsoNormal">A: ICANN org is not able to provide links to these processes, as this detailed information is confidential and unable to be shared due the nature of risk management, which may involve vulnerabilities and threats to the organization. Therefore,
it would not be prudent to provide details of those vulnerabilities and threats nor details of the countermeasures ICANN takes or would take to counter vulnerabilities and threats.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In general, however, ICANN org has a risk management policy and risk identification process. The policy and the process are reviewed by a Risk Management Committee made up of the org executives, approved by the President and CEO, and reviewed
by the Board Risk Committee. Key elements of the policy have been presented to the full Board.<o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal">A Continuity Plan is under development for ICANN organization and will be delivered later in 2019. That Continuity Plan will also be reviewed by a committee of the org executives, approved by the President and CEO, and reviewed by the
Board Risk Committee.<o:p></o:p></p>
<p class="MsoNormal"><o:p></o:p></p>
<p class="MsoNormal">ICANN org is planning to develop public risk management reporting in 2019 which would highlight some of our risk management activities.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: Is James Caulfield still the person responsible for risk and business continuity management?<o:p></o:p></p>
<p class="MsoNormal">A: Yes.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt;vertical-align:baseline"><span style="color:black">Q: There is a Board Risk Committee which meets at least twice a year, and considers the risk register. Is this still the case? The Committee organises an interactive
risk workshop at least once a year, is that still the case? Please give dates of meetings since 2016, along with attendees, agendas, and outcome reports.</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:black">A: Yes and yes. Minutes of the Board and Board Committee meetings are a matter of public record and can be found here: </span><a href="https://www.icann.org/resources/pages/minutes-2014-03-24-en"><span style="color:#1155CC">https://www.icann.org/resources/pages/minutes-2014-03-24-en</span></a><o:p></o:p></p>
<p style="margin:0in;margin-bottom:.0001pt;vertical-align:baseline"><o:p> </o:p></p>
<p style="margin:0in;margin-bottom:.0001pt;vertical-align:baseline">Q: <span style="color:black">
Please confirm that the risk register is updated on an ongoing basis, and give evidence of these updates.<o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="color:black">A: Yes, the Risk Register is updated regularly. Please refer to the Board Risk Committee minutes.<o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="color:black">Q: Relevant managers are responsible for declaring a disaster. Is this still the case?<o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="color:black">A: ICANN organization has a crisis management policy that defines the roles and responsibilities for declaring a crisis. Per that policy, it is the responsibility of executive management
to determine whether a crisis is in progress.<o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="color:black"><o:p> </o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><b><span style="color:black">Review Team volunteers:
<span style="background:yellow;mso-highlight:yellow">Denise, </span></span></b><span style="color:black;background:yellow;mso-highlight:yellow">Žarko, Kerry-Ann</span><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><b><span style="color:black">Workstream: ICANN SSR
</span></b><span style="color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><b>Topic 7: Perform an assessment how effectively ICANN has implemented its processes to ensure compliance regarding registrar agreements and the consensus policies.<o:p></o:p></b></p>
<p class="MsoNormal"><b>Outstanding questions: 3<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:12.0pt;color:black">Q: Is there are separate risk management framework (including risk register and business continuity plan) for the PTI?<o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="color:black">A: There is a separate continuity plan for the IANA Functions, and that plan is also included in the ICANN organization risk management framework.</span><span style="font-size:12.0pt;color:black"><o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: IANA (PTI) systems (both IT and operational) continue to be dependent on ICANN. When PTI staff login in the morning, they are on the ICANN secured network, correct? Is this still the case? Note: may want to address this off the public
list/wiki)<o:p></o:p></p>
<p class="MsoNormal">A: ICANN org is unable to provide a specific response to this question due to system security concerns. Further, ICANN org understands that a response has already been provided in the questions answered by the IANA functions regarding
the level of network access security.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:12.0pt;color:black">Q: Within risk classification or scoring, there is no multiplier for potential impact on the internet’s system of unique identifiers. Is this still the case?<o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="color:black">A: Yes, there is no multiplier, and we do not see that as a standard risk management approach.<o:p></o:p></span></p>
<p class="MsoNormal" style="vertical-align:baseline"><span style="font-size:12.0pt;color:black"><o:p> </o:p></span></p>
<p class="MsoNormal"><b>Review Team volunteers: <span style="background:yellow;mso-highlight:yellow">
Noorul,</span></b><span style="background:yellow;mso-highlight:yellow"> Kerry-Ann, Eric, Laurin, Norm</span><o:p></o:p></p>
<p class="MsoNormal"><b>Workstream: Future Challenges </b><o:p></o:p></p>
<p class="MsoNormal"><b>Topic: Root server system protection: assess the threatscape of top threats (e.g. DDoS to the root system)
<o:p></o:p></b></p>
<p class="MsoNormal"><b>Outstanding questions: 0<o:p></o:p></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Q: What does staff and the community already do regarding emerging and future threats, and related issues? We are aware of efforts focused on emerging technologies; are there ones that focus on threats too?<o:p></o:p></p>
<p class="MsoNormal">A: Emerging risks are treated in the usual risk management process. For example the recent DNS threat alert:
<a href="https://www.icann.org/news/announcement-2019-02-15-en">https://www.icann.org/news/announcement-2019-02-15-en</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="color:black">-- </span><o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<div>
<p class="MsoNormal"><b><span style="color:#595959">Jennifer Bryce</span></b><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#595959">Senior Reviews Coordinator </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#595959">Internet Corporation for Assigned Names and Numbers (ICANN)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#595959">Email: jennifer.bryce@icann.org</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#595959">Skype: jennifer.bryce.icann</span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="color:#595959">www.icann.org</span><o:p></o:p></p>
</div>
</body>
</html>