Mathieu — per your request below, we added these 2 items under Proposed Accountability Measures, for Stress Tests #1 & 2 and for #11.

Another measure is to require annual external security audits and publication of results. [Mathieu]

Another measure is to require certification per international standards (ISO 27001) and publication of results.  [Mathieu]

They will appear in ST Draft v8 to be circulated later today. 

From: Mathieu Weill
Reply-To: Mathieu Weill
Date: Wednesday, March 18, 2015 at 2:54 AM
To: Steve DelBianco, Cheryl Langdon-Orr, "ccwg-accountability4@icann.org"
Cc: ACCT-Staff
Subject: Re: [ST-WP] nearly complete draft of Applying Stress Tests

Dear Colleagues,

As discussed yesterday during the call, regarding stress test #11, I would like to suggest the following edit to the "proposed accountability measure".

No measures yet suggested would force ICANN management to execute its stated security procedures for employees and contractors.

One proposed measure is to empower the community to force ICANN’s board to implement a recommendation arising from an AoC Review – namely, Security Stability and Resiliency.

Suggested addition ; best practice of accountability in terms of information security could be added to the CCWG recommendations. They include :
- adoption of audit policies including the practice of regular (at least once a year in terms of security) external audits, inclusion of reports regarding audit policy compliance into annual reports.
- certification according to security international standards (such as ISO 27001), and publication of outcome of certification audits summaries (these standards generally require regular, more focused audits)

 Another possibility is to empower the community to force ICANN to respond to security recommendations from advisory committees such as SSAC.

While this is typically work stream 2, I guess we'd better record it right away.

I also believe this type of recommendation could be helpful with regards to stress tests #1 and #2 and, more generally, to demonstrate Icann's accountability to its purpose of excellence in operations. Business excellence standards commitment, and external assessments would certainly be appropriate, not only for IANA operations but for all of Icann operations, from the most technically oriented to the organisation of meetings or support of policy decisions. I can testify of this first-hand since this is a key reason why Afnic (other ccTLD managers did that as well) engaged into both EFQM external assessments (to demonstrate the excellence of our operations to our customers and stakeholders) and ISO27001 (for the security aspects).

Best
Mathieu

Le 11/03/2015 02:28, Samantha Eisner a écrit :
Hi everyone, 

In advance of our call later, here are some comments, questions and proposed edits.

Best,

Sam

From: Steve DelBianco <sdelbianco@netchoice.org>
Date: Friday, March 6, 2015 at 8:19 PM
To: Cheryl Langdon-Orr <langdonorr@gmail.com>, "ccwg-accountability4@icann.org" <ccwg-accountability4@icann.org>
Cc: ACCT-Staff <acct-staff@icann.org>
Subject: [ST-WP] nearly complete draft of Applying Stress Tests

Cheryl and team — the attached is a nearly-complete draft of how we might apply those 25 Stress Tests to what the CWG and CCWG are presently considering. 

As we’ve said, you can’t apply stress tests definitively until you have a defined mechanism/structure to test.   

Nonetheless, we’ll do our best with the proposed mechanisms at this point. 

Please review over the weekend and provide edits.  We can discuss on our call Wednesday 11-March at 11:00 UTC.

Regards,
Steve

Steve DelBianco
Executive Director
NetChoice
+1.703.615.6206




_______________________________________________
Ccwg-accountability4 mailing list
Ccwg-accountability4@icann.orghttps://mm.icann.org/mailman/listinfo/ccwg-accountability4

-- 
*****************************
Mathieu WEILL
AFNIC - directeur général
Tél: +33 1 39 30 83 06
mathieu.weill@afnic.fr
Twitter : @mathieuweill
*****************************