· Security – The capacity to protect and prevent misuse of Internet unique identifiers;
· Stability – The capacity to ensure that the Identifier System operates as expected and that users of unique identifiers have confidence that the system operates as expected;
· Resiliency – The capacity of the Identifier System to effectively withstand, tolerate and survive malicious attacks and other disruptive events without disruption or cessation of service.
· Unique Identifiers – ICANN’s technical mission includes helping to coordinate, at the overall level, the allocation of the Internet’s system of unique identifiers: specifically, top-level domain names, blocks of Internet Protocol (IP) addresses and autonomous system (AS) numbers allocated to the Regional Internet Registries, and protocol parameters as directed by the IETF.
As the Board noted in its 23 June 2017 response to the Terms of Reference, the Board looks forward to providing further input once the SSR2’s work plan is finalized and adopted.
While the Board has not yet seen a final work plan for the review as a whole, our examination of the Subgroup 2 work plan on the performance of an audit over general ICANN security issues raised some scope concerns.
While we support the community in receiving information necessary to perform a full and meaningful review over ICANN’s SSR commitments, there are portions of the more detailed “audit” plan that do not seem appropriate for in-depth investigation by the subgroup. Maintaining a plan to proceed with detailed assessments of these areas is likely to result in recommendations that are not tethered to the scope of the SSR review, and as such, may not be appropriate for Board acceptance when recommendations are issued. This also can expand the time and resources needed to perform this part of the review.
The areas the Board is concerned with are areas that indeed raise important organizational information security and organizational oversight questions. However, these are also areas that are not segregated for community review, and are the responsibility of the ICANN Organization (through the CEO) to perform under the oversight of the ICANN Board.
Specifically, we are concerned with:
1- Perform an assessment of ICANN's Information Security Management System;
3- Perform a comprehensive assessment of ICANN's Risk Management Methodology and Framework;
5- Perform a comprehensive assessment of internal security, stability and resiliency of ICANN's operation processes and services; and
7- Perform an assessment of how effectively ICANN has implemented its processes to ensure compliance regarding REGISTRAR agreement and the consensus policies.
The Board also has concerns with two sub-questions under section two:
2.7 Business Continuity Plans (BCP)
2.8 Evaluation of Business Continuity Procedures
Understanding, at a high level, the work that ICANN does on many of these fronts could be helpful to give the RT a full picture of ICANN’s work. That is much different from performing detailed assessments or audits of these items.
In advance of the Subteam’s visit to the ICANN office in Los Angeles in October 2017, the Subteam is encouraged to focus on narrowing the areas scheduled for fuller assessment to those that are more reasonably tethered to the expected mandate of the SSR2 team. The Board supports an agenda that provides a high-level overview of multiple topics, while also focusing the Subteam’s face-to-face time primarily on those areas which are likely to lead to recommendations that are within the scope of the SSR2’s mandate.
The Board requests the SSR2 to revisit the Subteam 2 audit plan, as well as work plans across all the SSR2 Subteams, and provide updates on those plans. For Subteam 2, the Board requests confirmation of the restructuring of its work plan prior to the October 2017 face-to-face meeting.