<div dir="ltr">Thanks Jennifer,<div>This is exactly what we are looking for. At this time, I have no other questions for this.</div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">-Scott<div><strong>Scott McCormick</strong></div><div>Security Compliance</div><div>mobile 443.691.2013</div><div><a href="mailto:smccormick@hackerone.com" target="_blank">smccormick@hackerone.com</a></div><div><a href="https://www.hackerone.com" target="_blank">www.hackerone.com</a></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Apr 30, 2019 at 1:02 AM Jennifer Bryce &lt;<a href="mailto:jennifer.bryce@icann.org">jennifer.bryce@icann.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="white" lang="EN-US">
<div class="gmail-m_5663940988309644864WordSection1">
<p class="MsoNormal"><span style="font-size:11pt">Dear Scott, dear Noorul,</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11pt">The below answer in highlight has been added to the Q&A Google doc: <a href="https://docs.google.com/document/d/14eJwDGP-LvS9ltTmZoh1i19Fi0_pB2nJ4JYMsS7lsco/edit?usp=sharing" target="_blank">https://docs.google.com/document/d/14eJwDGP-LvS9ltTmZoh1i19Fi0_pB2nJ4JYMsS7lsco/edit?usp=sharing</a>. Please let us know if you have any questions.</span><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:11pt"> </span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:11pt">Review Team volunteers<span style="background:yellow">: Scott</span></span></b><span style="font-size:11pt;background:yellow">, Noorul</span><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:11pt">Workstream: ICANN SSR </span>
</b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:11pt">Topic 4: Perform an assessment of how effectively ICANN has implemented its Security Incident Management and Response Processes to reduce (pro-active and reactive) the probability of DNS-related incidents.
</span></b><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:11pt">Outstanding questions: 0</span></b><u></u><u></u></p>
<p class="MsoNormal"><b><span style="font-size:11pt"> </span></b><span style="font-size:11pt"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:11pt">Q: Which certifications is ICANN pursuing for the organisation and staff?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">A: The certifications undertaken in ICANN are dependent on job function, and on a needs basis. For instance, InfoSec team members and all operations members complete and maintain GIAC SANS security modules.
 Software engineers are incentivised to undertake Secure Software Development Lifecycle training. ICANN Managed Root Server Team members have and maintain ITIL certifications. And all staff undergo mandatory yearly end user security training that encompasses
 infosec hygiene practices for end users, and awareness on phishing, spear-phishing, and other social engineering attempts.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">Q: Which certifications and compliance frameworks has ICANN completed?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">A: ICANN was following the Center for Internet Security (CIS) controls framework, after selecting 20 controls that best applied to ICANN business and operations. Recently the decision was made to move away
 from CIS as it has shortcomings for the type of environment in which ICANN exists. The future framework of choice will be the NIST Cyber Security Framework (CSF) which is a better fit for ICANN and has a higher propensity for increasing the security posture
 to meaningful levels, inclusive of reviewing processes, for the entire ICANN Org. Work has commenced on building the ICANN Org CSF profile.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">Q: Who are ICANN’s auditors, what audits are completed regularly?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt">A: Until recently ICANN used Leidos to complete its annual CIS audit. This has now been paused until the CSF work is done within ICANN, and an evaluation on auditors (for the ability to audit against CSF profiles)
 has been completed.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11pt"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:10.5pt;color:black">-- </span><u></u><u></u></p>
<div>
<p class="MsoNormal"><b><span style="font-size:10pt;font-family:'Source Sans Pro';color:rgb(89,89,89)">Jennifer Bryce</span></b><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:'Source Sans Pro';color:rgb(89,89,89)">Senior Reviews Coordinator </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:'Source Sans Pro';color:rgb(89,89,89)">Internet Corporation for Assigned Names and Numbers (ICANN)</span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:'Source Sans Pro';color:black"> </span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:'Source Sans Pro';color:rgb(89,89,89)">Email: <a href="mailto:jennifer.bryce@icann.org" target="_blank">jennifer.bryce@icann.org</a></span><u></u><u></u></p>
<p class="MsoNormal"><span style="font-size:10pt;font-family:'Source Sans Pro';color:rgb(89,89,89)">Skype: jennifer.bryce.icann</span><u></u><u></u></p>
</div>
<p class="MsoNormal"><span style="font-size:10pt;font-family:'Source Sans Pro';color:rgb(89,89,89)"><a href="http://www.icann.org" target="_blank">www.icann.org</a></span><u></u><u></u></p>
</div>
</div>

_______________________________________________<br>
Ssr2-review mailing list<br>
<a href="mailto:Ssr2-review@icann.org" target="_blank">Ssr2-review@icann.org</a><br>
<a href="https://mm.icann.org/mailman/listinfo/ssr2-review" rel="noreferrer" target="_blank">https://mm.icann.org/mailman/listinfo/ssr2-review</a><br>
</blockquote></div>