Dear all,

As mentioned last week, Žarko and I had a workshop last Friday and also worked on some SSR2 stuff. We finalized the draft of our sub group item list and drafted an audit plan with specific topics and questions for the forthcoming workshop.

What we did in detail:

* Rearrangement of the existing topics and work items from Sub Topic 2 – ICANN SSR in the document “SSR2 Sub topics” [1]
* Consensus on the following seven key action steps - transitionally in a new document “SSR2_sub_topic_ICANN.SSR” [2]; we will merge them with “SSR2 Sub topics” [1] after final feedback from the review team.
  1. Perform a comprehensive assessment of ICANN's Information Security Management System.
  2. Perform a comprehensive assessment of ICANN's Business Continuity Management System.
  3. Perform a comprehensive assessment of ICANN's Risk Management Methodology and Framework.
  4. Perform an assessment of how effectively ICANN has implemented its Security Incident Management and Response Processes to reduce (proactively and reactively) the probability of DNS-related incidents.
  5. Perform a comprehensive assessment of internal security, stability and resiliency of ICANN's operation processes and services.
  6. Perform an assessment of how effectively ICANN has implemented its processes around vetting registry operators and services concerning the New gTLD Delegation and Transition process.
  7. Perform an assessment of how effectively ICANN has implemented its processes to ensure compliance regarding registrar agreements and the consensus policies.
* Drafted an audit plan [5] for planning purposes, to indicate the right persons at ICANN and to help us in the execution of the workshop - based on the structure from “SSR2_sub_topic_ICANN.SSR” [2] and with the content of the following two documents:
  * SSR2-ICANNSecurity-workplan-draft [3]
  * ICANN Security Questions for CIO [4]

We will circulate the link to the draft after uploading it to Google Docs - not later than Tuesday afternoon.

What are the next steps:

* Please provide final feedback on “SSR2_sub_topic_ICANN.SSR” [2] by August 28. We will consolidate potential feedback and finalize the document on Tuesday, August 29.
* Please provide final feedback on the audit plan [5] by August 28. We will consolidate potential feedback and finalize the document on Tuesday, August 29.
* MSSI Secretariat, you will be able to identify all responsible staff owners with the first draft of the document [5]. Please confirm their availability asap. We should be able to organize parallel tracks on the two workshop days.

Thanks a lot and wishing all a relaxing Sunday.

- Boban.

[1] https://docs.google.com/document/d/1DWoT4VoMlT5Dvcy78EXI-O5tQFqa9CblwsDEV6go...
[2] https://docs.google.com/document/d/145i1Q-ZXgsvuwpDIUi_jJt_WJlaCRoxBoh2vKtNv...
[3] https://docs.google.com/spreadsheets/d/1vs1nyYdmg27cHXhM_qBaMOjmMEuNMst24cla...
[4] https://docs.google.com/document/d/1QmUaAufCfYtEs0cXS-fTxwtkxHZMrBj1IwGIe332...
[5] URL will follow

--
Boban Kršić
Chief Information Security Officer
DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY
E-Mail: krsic@denic.de, Fon: +49 69 272 35-120, Fax: -248
Mobil: +49 172 67 61 671
https://www.denic.de

X.509 Key-ID: 00A54FCB79884413A4
Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716
PGP Key-ID: 0x43C89BA9
Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9

Information pursuant to § 25a (1) GenG: DENIC eG (registered office: Frankfurt am Main)
Executive Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under No. 770 in the Register of Cooperatives, Local Court (Amtsgericht) Frankfurt am Main