Emily, I have added Kerry-Ann’s items to the Google Doc for her. Karen Mulberry Multistakeholder Strategy and Strategic Initiatives (MSSI) ICANN From: <ssr2-review-bounces@icann.org> on behalf of Emily Taylor <emily.taylor@oxil.co.uk> Date: Monday, May 15, 2017 at 9:41 AM To: "Barrett, Kerry-Ann" <KABarrett@oas.org> Cc: SSR2 Review Team Email List <ssr2-review@icann.org> Subject: Re: [Ssr2-review] [EXT] Re: SSR2 Google Drive and Google Doc for Input Hi Kerry Many thanks for this. We will try to get your comments included in the Google Doc. Safe journey home. Best Emily On Mon, May 15, 2017 at 8:30 AM, Barrett, Kerry-Ann <KABarrett@oas.org<mailto:KABarrett@oas.org>> wrote: Hi everyone I was unable to edit as well. I'm in additional security checks so won't be able to join as planned. I also had points 1-3 of Emily's as well as: 1. Physical security requirements in place and enforcement of minimum security specification for DNSSEC key storage Facility 2. Level of compliance requirement for registrars agreements 3. SLAM and performance indicators 4. With regards to SSR1, implementation of Rec 7, 10, 11 and 27, to see to what extent the current OCTO research feeds into the risk management framework especially in relation to the SSR of unique identifier space. An observation from SSR 1 was to ensure ICANN outlines its process for security stability and resilience and keeping in mind comment made yesterday regarding OCTO's mandate we should revisit how clear this outlines. ( if not clear I can clarify in email list) All the best today Sincerely, Kerry-Ann Barrett Cybersecurity Policy Specialist On May 15, 2017, at 8:38 AM, Emily Taylor <emily.taylor@oxil.co.uk<mailto:emily.taylor@oxil.co.uk>> wrote: Hi all I was also unable to write in changes into the document. Here are my suggestions. I'm basing these on Eric's bullet points. · Universal resolvability: Can identifiers be uniquely resolved and consumed? · Alternate root · Name collisions (status and remediations) · Universal resolvability and the internet of things · IPv6 / CGN complexity (query the role of ICANN on this?) · Headline and not-so-headline threats and exploits · DDoS * Improving the security of unique identifiers * DNSSec (progress, Key roll over) · Universal acceptance: Can identifiers be consumed by clients · IDNs and new gTLDs · Platforms, approaches, and status · Measures and metrics · How can the community measure the status of ‘S’, ‘S’, and ‘R’? · What are, and how can the community measure the relevant abuses for ICANN identifiers? · The evidence base: DNS health index and abuse data. What the evidence tells us; access to information (risks and benefits) · ICANN's internal security, stability and resiliency operations: · Allocation of resources and priority within the organisation · Outreach and public information role (training, vulnerability disclosure, system attack mitigation etc) · Risk management, compliance with relevant frameworks. · White-hat operations · What are the white-hat operations that are taken in ICANN space that may need exceptional handling (gratis for registering sink-holes, etc.) On Mon, May 15, 2017 at 7:12 AM, Osterweil, Eric via Ssr2-review <ssr2-review@icann.org<mailto:ssr2-review@icann.org>> wrote: My changes are also not being saved in the doc. Here is my list (it’s a little rough because I retyped in a hurry after realizing that it didn’t get saved the first time). Eric (second try) * Universal resolvability: Can identifiers be uniquely resolved and consumed? * Alternate root * Name collisions (status and remediations) * Universal acceptance: Can identifiers be consumed by clients * Platforms, approaches, and status * Measures and metrics * How can the community measure the status of ‘S’, ‘S’, and ‘R’? * What are, and how can the community measure the relevant abuses for ICANN identifiers? * White-hat operations * What are the white-hat operations that are taken in ICANN space that may need exceptional handling (gratis for registering sink-holes, etc.) Eric From: <ssr2-review-bounces@icann.org<mailto:ssr2-review-bounces@icann.org>> on behalf of ALAIN AINA <aalain@trstech.net<mailto:aalain@trstech.net>> Date: Monday, May 15, 2017 at 7:24 AM To: SSR2 <ssr2-review@icann.org<mailto:ssr2-review@icann.org>> Subject: [EXTERNAL] Re: [Ssr2-review] SSR2 Google Drive and Google Doc for Input Hello, I also have some issues accessing and editing the document, see below : Possible focus area. ====== - Complete the assessment of the implementation of SSR1 recommendations, the impact of the implementation, how the post implementation is being managed and what implications for the SSR2 review. - Scope of ICANN’s SSR responsibilities: action zone, influence zone, coordination zone *ICANN SSR responsibility for the coordination of the global unique Identifiers *ICANN operational role *ICANN influence role (TLD operators, registrars ….), *ICANN coordination role( IETF, RIRs Root zone operators ,technical community - Effectiveness of ICANN’s SSR framework, SSR Plan and its implementation *Security framework * Contingence planning *security framework robustness for a rapid evolving security environment ========= On 14 May 2017, at 17:28, Boban Krsic <krsic@denic.de<mailto:krsic@denic.de>> wrote: Dear All, Given that I could not access the Google Drive folder, please find my homework in accordance to James proposal below ;-) ----- Focus on Sub-Team Number 2 - ICANN’ Internal Security Processes The sub team will be responsible for reviewing the completeness and effectiveness of ICANNs internal security processes and the effectiveness of the ICANN security framework Due to ICANN’s orientation to ISO/IEC 27001 I would recommend to provide a gap-analysis to the normative requirements of the management part and Annex A of the ISO standard based on the SoA (Scope). - Perform interviews and review descriptions and evidence of: * ISMS Scope * Information security policy * Information risk assessment and risk treatment processes * Information security objectives * Information security roles and responsibilities * ISMS internal audit program and results of conducted audits * Operational planning and control documents * Evidence of top management reviews of the ISMS Various others from the Annex A like rules for acceptable use of assets, access control policy, operating procedures, confidentiality or non-disclosure agreements, secure system engineering principles, information security policy for supplier relationships, etc. - Categorize and prioritize the outcome of the analysis - Develop a short-, medium- and long-term schedule to implement different controls in accordance to the requirements - Define a set of metrics to measure the effectiveness of the implementation With the goal to achieve a high level of maturity and to pass a successful certification process concerning ICANNs ISMS. Best, - Boban. Am 14.05.17 um 17:08 schrieb Karen Mulberry: Dear SSR2 Review Team, Per the discussion this afternoon on next steps, I have created a Google Drive for the SSR2 Review Team to place their collaborative materials. Here is the link to the Folder where I have created a Google Doc for you to add your areas of interest or topics for tomorrow’s planning discussion. https://drive.google.com/drive/folders/0B_IP1b20BSBUcndyOFVpbEZKbTQ?usp=shar... Sincerely, Karen Mulberry Director, Multistakeholder Strategy and Strategic Initiatives (MSSI) ICANN 12025 Waterfront Dr., Suite 300 Los Angeles, CA 90094 Phone: +1 424 353 9745<tel:(424)%20353-9745> _______________________________________________ Ssr2-review mailing list Ssr2-review@icann.org<mailto:Ssr2-review@icann.org> https://mm.icann.org/mailman/listinfo/ssr2-review -- Boban Kršić Chief Information Security Officer DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY E-Mail: krsic@denic.de<mailto:krsic@denic.de>, Fon: +49 69 272 35-120<tel:+49%2069%2027235120>, Fax: -248 Mobil: +49 172 67 61 671<tel:+49%20172%206761671> https://www.denic.de X.509 Key-ID: 00A54FCB79884413A4 Fingerprint: 9D37 F593 AF9A D766 FAB4 8B88 D49A 2716 PGP Key-ID: 0x43C89BA9 Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9 Angaben nach § 25a Absatz 1 GenG: DENIC eG (Sitz: Frankfurt am Main) Vorstand: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger Vorsitzender des Aufsichtsrats: Thomas Keller Eingetragen unter Nr. 770 im Genossenschaftsregister, Amtsgericht Frankfurt am Main _______________________________________________ Ssr2-review mailing list Ssr2-review@icann.org<mailto:Ssr2-review@icann.org> https://mm.icann.org/mailman/listinfo/ssr2-review _______________________________________________ Ssr2-review mailing list Ssr2-review@icann.org<mailto:Ssr2-review@icann.org> https://mm.icann.org/mailman/listinfo/ssr2-review -- Emily Taylor CEO, Oxford Information Labs Associate Fellow, Chatham House; Editor, Journal of Cyber Policy PLEASE NOTE MY NEW EMAIL ADDRESS AND CONTACTS AS OF 1 JANUARY 2017 Magdalen Centre, Oxford OX4 4GA | T: 01865 582885 E: emily.taylor@oxil.co.uk<mailto:emily.taylor@oxil.co.uk> | D: 01865 582811 | M: +44 7540 049322 [https://s3-eu-west-1.amazonaws.com/static.oxil/oxil_logo-150x.png] [https://docs.google.com/a/oxil.co.uk/uc?id=0B7sS_6djDxsHNm92d21jM21HMDQ&expo...] <http://explore.tandfonline.com/cfp/pgas/rcyb-cfp-2017> Registered office: 37 Market Square, Witney, Oxfordshire OX28 6RE. Registered in England and Wales No. 4520925. VAT No. 799526263 . _______________________________________________ Ssr2-review mailing list Ssr2-review@icann.org<mailto:Ssr2-review@icann.org> https://mm.icann.org/mailman/listinfo/ssr2-review -- Emily Taylor CEO, Oxford Information Labs Associate Fellow, Chatham House; Editor, Journal of Cyber Policy PLEASE NOTE MY NEW EMAIL ADDRESS AND CONTACTS AS OF 1 JANUARY 2017 Magdalen Centre, Oxford OX4 4GA | T: 01865 582885 E: emily.taylor@oxil.co.uk<mailto:emily.taylor@oxil.co.uk> | D: 01865 582811 | M: +44 7540 049322 [https://s3-eu-west-1.amazonaws.com/static.oxil/oxil_logo-150x.png] [https://docs.google.com/a/oxil.co.uk/uc?id=0B7sS_6djDxsHNm92d21jM21HMDQ&expo...] <http://explore.tandfonline.com/cfp/pgas/rcyb-cfp-2017> Registered office: 37 Market Square, Witney, Oxfordshire OX28 6RE. Registered in England and Wales No. 4520925. VAT No. 799526263 .