Hello,

I also have some issues accessing and editing the document, see below:

Possible focus area.
======
- Complete the assessment of the implementation of SSR1 recommendations, the impact of the implementation, how the post-implementation is being managed, and what the implications are for the SSR2 review.
- Scope of ICANN’s SSR responsibilities: action zone, influence zone, coordination zone
  * ICANN SSR responsibility for the coordination of the global unique identifiers
  * ICANN operational role
  * ICANN influence role (TLD operators, registrars, ...)
  * ICANN coordination role (IETF, RIRs, root zone operators, technical community)
- Effectiveness of ICANN’s SSR framework, SSR Plan and its implementation
  * Security framework
  * Contingency planning
  * Security framework robustness for a rapidly evolving security environment
=========

On 14 May 2017, at 17:28, Boban Krsic <krsic@denic.de> wrote:
Dear All,
Given that I could not access the Google Drive folder, please find my homework in accordance with James's proposal below ;-)
-----
Focus on Sub-Team Number 2 - ICANN’s Internal Security Processes
The sub-team will be responsible for reviewing the completeness and effectiveness of ICANN’s internal security processes and the effectiveness of the ICANN security framework.
Due to ICANN’s orientation to ISO/IEC 27001 I would recommend to provide a gap-analysis to the normative requirements of the management part and Annex A of the ISO standard based on the SoA (Scope).
- Perform interviews and review descriptions and evidence of:
  * ISMS Scope
  * Information security policy
  * Information risk assessment and risk treatment processes
  * Information security objectives
  * Information security roles and responsibilities
  * ISMS internal audit program and results of conducted audits
  * Operational planning and control documents
  * Evidence of top management reviews of the ISMS
Various others from the Annex A like rules for acceptable use of assets, access control policy, operating procedures, confidentiality or non-disclosure agreements, secure system engineering principles, information security policy for supplier relationships, etc.
- Categorize and prioritize the outcome of the analysis
- Develop a short-, medium- and long-term schedule to implement different controls in accordance with the requirements
- Define a set of metrics to measure the effectiveness of the implementation
With the goal to achieve a high level of maturity and to pass a successful certification process concerning ICANN’s ISMS.
Best,
- Boban.
On 14.05.17 at 17:08, Karen Mulberry wrote:
Dear SSR2 Review Team,
Per the discussion this afternoon on next steps, I have created a Google Drive for the SSR2 Review Team to place their collaborative materials.
Here is the link to the Folder where I have created a Google Doc for you to add your areas of interest or topics for tomorrow’s planning discussion. https://drive.google.com/drive/folders/0B_IP1b20BSBUcndyOFVpbEZKbTQ?usp=shar...
Sincerely,
Karen Mulberry Director, Multistakeholder Strategy and Strategic Initiatives (MSSI) ICANN 12025 Waterfront Dr., Suite 300 Los Angeles, CA 90094 Phone: +1 424 353 9745
_______________________________________________ Ssr2-review mailing list Ssr2-review@icann.org https://mm.icann.org/mailman/listinfo/ssr2-review
--
Boban Kršić Chief Information Security Officer
DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY
E-Mail: krsic@denic.de, Phone: +49 69 272 35-120, Fax: -248, Mobile: +49 172 67 61 671 https://www.denic.de
X.509 Key-ID: 00A54FCB79884413A4 Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716
PGP Key-ID: 0x43C89BA9 Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9
Information pursuant to § 25a (1) GenG: DENIC eG (registered office: Frankfurt am Main) Executive Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger Chairman of the Supervisory Board: Thomas Keller Registered under No. 770 in the Register of Cooperatives, Amtsgericht (Local Court) Frankfurt am Main