[Icannsecurity-ssr2-rt] additional focus

Denise Michel denisemichel at fb.com
Mon Oct 9 17:52:18 UTC 2017


Dear All,

As discussed, in addition to refining our focus within the information security management system arena, I suggest we also consider fleshing out our fact finding relating to these areas:

  *   ICANN compliance,
  *   Scope of ICANN’s SSR responsibilities,
  *   Business continuity management

For your consideration/discussion, some initial questions are included below that exemplify this inquiry.

Best,
Denise

Denise Michel
Domain Name System Strategy & Management
Facebook, Inc.
denisemichel at fb.com

ICANN Compliance

  *   DNS Abuse

     *   What level of ICANN compliance workload is related to complaints of DNS abuse by contracted parties?

     *   To what extent does ICANN measure the incidence and impact of registration abuse and/or malicious conduct by contracted parties?

     *   Please provide information on enforcement actions relating to DNS abuse (including, in relation to breaches of data escrow obligations and (for the RA) unauthorized disclosure, alteration, insertion or destruction of registry data, lack of compliance with RFCs, and (for the RAA) endangerment of Registrar Services, Registry Services or the DNS or the Internet).
     *   What are ICANN standard processes around vetting registry and registrar operators?
  *   Standard contracts

     *   Is ICANN planning to review and/or revise its standard contracts (RA, RAA) (e.g. in light of the coming into force of data protection regulations)? If so, please provide evidence of ICANN’s roadmap and implementation and SSR/OCTO’s assessment/role regarding SSR implications.
     *   What measurements exist for the effectiveness of mechanisms to mitigate domain name abuse, as required in SSR1 recommendation 11?
     *   Please provide details of the measures of success relating to new gTLDs and IDN that expressly address SSR related program objectives. (The link in the staff report did not resolve.)
     *   Please provide details of how SSR objectives are explicitly referenced in ICANN’s standard operating procedures, Service Level Agreements and monitoring, emergency back-end registry operators and data escrow, Trademark Clearinghouse, root zone scaling management, DNSSEC-related activities, and Compliance Dept. activities.

Scope of ICANN’s SSR Responsibilities

     *   This needs careful attention because it was one of the central subjects of SSR1’s recommendations and many of those recommendations have yet to be fully executed.

     *   This is an area where it seems good work is being done, but it’s not clear whether the work flows from strategic decisions/plans and not a lot of public information is available on this.
     *   The subteam’s work in this area might be to help ICANN’s SSR team better focus and report on its work (it is difficult to find information and reporting/public information posting are not regularly done).

Business Continuity Management

     *   The subteam should consider focusing on how business continuity affects operational, compliance, and root zone security.

     *   There is significant work within ICANN but not much reporting on disaster preparedness and operational recovery planning. More information is needed.

     *   Is there a need for adoption of a formal framework for security contingency planning (for instance, from NIST or ISO)? I think fact-finding is needed with a particular focus on disaster management and recovery for those systems that have a clear impact on the Internet’s public identifiers.

Information Security Management

     *   Will ICANN commit to an accepted Framework for information security management related to those systems that support, and have a direct effect on, the Internet’s public identifier systems? Such a Framework could contribute to a community understanding of how the systems that are used as the foundation for the Internet’s public identifier systems are protected.
