[gnso-rds-pdp-wg] What does "accreditation" mean here? (was Re: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc)

Stephanie Perrin stephanie.perrin at mail.utoronto.ca
Thu Feb 15 21:38:36 UTC 2018


I agree that ICANN should have no role in this matter.  I was intrigued 
by the suggestion of a clearinghouse in the ECO model, but it is lean on 
details.  I want to hear more.

I agree that existing bodies (e.g. Cybercrime treaty signatories, 
Interpol) have methods already to accredit their members.  They just 
need to get on with it.  The standard I am thinking of would be similar to

1)  ISO 17024:2012 Conformity assessment – general requirements for 
bodies operating certification of persons.  ISO/IEC 17024:2012 contains 
principles and requirements for a body certifying persons against 
specific requirements, and includes the development and maintenance of a 
certification scheme for persons; and

2)  ISO 27021:2017 Information technology – Security techniques – 
Competence requirements for information security management system 
professionals. ISO/IEC 27021:2017 specifies the requirements of 
competence for ISMS professionals leading or involved in establishing, 
implementing, maintaining and continually improving one or more 
information security management system processes that conforms to 
ISO/IEC 27001.

Basically, the addition to these security requirements would be 
compliance with data protection principles, which could be assured by 
meeting CAN/CSA-Q830. Accreditation to the potential standard which 
would be developed, drawing extensively from experts present in the 
stakeholder community at ICANN, could then be achieved totally 
independently from ICANN, in a global manner, with the possibility of 
independent audit of the quality standards the individual or 
organization claims to follow.  I would suggest that the APWG already 
has procedural and policy documents that would be good inputs to such a 
standards development process.

cheers Stephanie Perrin

On 2018-02-15 15:35, Andrew Sullivan wrote:
> Hi,
>
> On Thu, Feb 15, 2018 at 12:44:32PM -0500, Stephanie Perrin wrote:
>> Barcelona meeting to discuss accreditation requirements for cybersecurity and
>> IP actors who want to retain access to personal data in a tiered access
>> solution.
> What do you mean by "accreditation"?
>
> It seems to me there are two models.
>
> One is that ICANN is a gate-keeper, and makes decisions about everyone
> who wants access to these things.
>
> Another is that ICANN relies on various sector- or industry-related
> bodies to do that work, and ICANN just acts as a clearing house.  So,
> for instance, ICANN could decide that INTERPOL gets to decide what a
> police officer is, and ICANN simply accepts that definition.
>
> It strikes me that quite possibly both mechanisms could be needed,
> with the first providing a fallback when someone has a legitimate need
> but doesn't have a relevant approved community group to rely on.
>
> A nice thing about option (2) is that ICANN then doesn't need to be in
> the business of making a lot of decisions.  If there's already some
> international or treaty body that governments accept, then ICANN can
> just incorporate that acceptance all on its own.  (This is similar to
> how ICANN doesn't need to decide who a country is.)  Even better, the
> mechanism for such accreditation is for the "accrediting organization"
> to run an OAuth server.  That way, the org in question could change
> its membership all it wanted without informing or even having anything
> to do with ICANN.  An OAuth profile would identify that kind of
> account, and the user would get the appropriate access.  This is just
> how it works when you "use Google" to log into a non-Google site.
> It's an already-invented technology that is ready to go for RDAP
> today.  You can see it working IIRC in Scott Hollenbeck's testbed/demo
> system.
>
> We have the technology today, ready to go and waiting, to make this
> easy.  Let's please not design a new accreditation system that gets
> ICANN into the business of evaluating every professional claim on the
> Internet.
>
> Best regards,
>
> A
>