[Ssr2-review] ICANN SSR answers

Scott McCormick smccormick at hackerone.com
Wed May 1 20:08:37 UTC 2019


Thanks Jennifer,
This is exactly what we are looking for.  At this time, I have no
other questions for this.

-Scott
*Scott McCormick*
Security Compliance
mobile 443.691.2013
smccormick at hackerone.com
<https://www.hackerone.com>



On Tue, Apr 30, 2019 at 1:02 AM Jennifer Bryce <jennifer.bryce at icann.org>
wrote:

> Dear Scott, dear Noorul,
>
>
>
> The below answer in highlight has been added to the Q&A Google doc: https://docs.google.com/document/d/14eJwDGP-LvS9ltTmZoh1i19Fi0_pB2nJ4JYMsS7lsco/edit?usp=sharing
> Please let us know if you have any questions.
>
>
>
> *Review Team volunteers: Scott*, Noorul
>
> *Workstream: ICANN SSR*
>
> *Topic 4: Perform an assessment of how effectively ICANN has implemented
> its Security Incident Management and Response Processes to reduce
> (pro-active and reactive) the probability of DNS-related incidents.*
>
>
>
> *Outstanding questions: 0*
>
>
>
> Q: Which certifications is ICANN pursuing for the organisation and staff?
>
> A: The certifications undertaken in ICANN are dependent on job function,
> and on a needs basis. For instance, InfoSec team members and all operations
> members complete and maintain GIAC SANS security modules. Software
> engineers are incentivised to undertake Secure Software Development
> Lifecycle training. ICANN Managed Root Server Team members have and
> maintain ITIL certifications. And all staff undergo mandatory yearly end
> user security training that encompasses infosec hygiene practices for end
> users, and awareness on phishing, spear-phishing, and other social
> engineering attempts.
>
>
>
> Q: Which certifications and compliance frameworks has ICANN completed?
>
> A: ICANN was following the Center for Internet Security (CIS) controls
> framework, after selecting 20 controls that best applied to ICANN business
> and operations. Recently the decision was made to move away from CIS as it
> has shortcomings for the type of environment in which ICANN exists. The
> future framework of choice will be the NIST Cyber Security Framework (CSF)
> which is a better fit for ICANN and has a higher propensity for increasing
> the security posture to meaningful levels, inclusive of reviewing
> processes, for the entire ICANN Org. Work has commenced on building the
> ICANN Org CSF profile.
>
>
>
> Q: Who are ICANN’s auditors, what audits are completed regularly?
>
> A: Until recently ICANN used Leidos to complete its annual CIS audit. This
> has now been paused until the CSF work is done within ICANN, and an
> evaluation on auditors (for the ability to audit against CSF profiles) has
> been completed.
>
>
>
> --
>
> *Jennifer Bryce*
>
> Senior Reviews Coordinator
>
> Internet Corporation for Assigned Names and Numbers (ICANN)
>
>
>
> Email: jennifer.bryce at icann.org
>
> Skype: jennifer.bryce.icann
>
> www.icann.org