Please prepare for the plenary call on Thursday
I hope everyone had an uneventful trip home from Barcelona. This week, there are three areas that need your attention for the call on Thursday.
1) Laurin added text into the SSR1 Google Doc for Recommendation 4. Please review it. Please raise any issues or concerns on the mail list. See https://docs.google.com/document/d/1qUxV4L-gS5xHmC4QQPGRk81MgQuhQvsbnEU7xxe8...
2) In Barcelona we talked about the topics in the Internal Facing work stream. See https://docs.google.com/document/d/1Eaj92r_ZbGBqO-2t3-tJv4Teqtix20Dly7C14XKj... and https://community.icann.org/display/SSR/Subgroup+%232+-+ICANN+SSR Before the pause, there was a lot of information collected here: https://trello.com/b/5Eu1ppuv/ssr2-subtopic-2-icann-ssr Please review this material. Are there any questions we need to ask? We will need volunteers to start writing text. Please be ready to volunteer for some writing.
3) In Barcelona KC agreed to propose a set of topics for the External Facing work stream. It will be a merge of several working documents. KC said that she would send something out on Wednesday. Please review it when it comes to your mailbox. Think about what information needs to be gathered to cover those topics.
Thanks, Russ
Hi Russ, Thursday is a special holiday here, when we pay courtesy to our defuncts. I will not be able to join the call. more inline…
On 29 Oct 2018, at 18:24, Russ Housley <housley@vigilsec.com> wrote:
I hope everyone had an uneventful trip home from Barcelona.
I did...
This week, there are three areas that need your attention for the call on Thursday.
1) Laurin added text into the SSR1 Google Doc for Recommendation 4.
Please review it. Please raise any issues or concerns on the mail list.
See https://docs.google.com/document/d/1qUxV4L-gS5xHmC4QQPGRk81MgQuhQvsbnEU7xxe8...
I do have some concerns and issues and will raise them
2) In Barcelona we talked about the topics in the Internal Facing work stream.
See https://docs.google.com/document/d/1Eaj92r_ZbGBqO-2t3-tJv4Teqtix20Dly7C14XKj... and https://community.icann.org/display/SSR/Subgroup+%232+-+ICANN+SSR
Before the pause, there was a lot of information collected here: https://trello.com/b/5Eu1ppuv/ssr2-subtopic-2-icann-ssr
Please review this material. Are there any questions we need to ask?
Ok.
We will need volunteers to start writing text. Please be ready to volunteer for some writing.
3) In Barcelona KC agreed to propose a set of topics for the External Facing work stream. It will be a merge of several working documents. KC said that she would send something out on Wednesday. Please review it when it comes to your mailbox. Think about what information needs to be gathered to cover those topics.
OK. There seems to be a lot of reading and work, which requires more time to get some good stuff, especially after a face-to-face week where many are supposed to catch up on some professional work left behind.
Thanks —Alain
Thanks, Russ
_______________________________________________ Ssr2-review mailing list Ssr2-review@icann.org https://mm.icann.org/mailman/listinfo/ssr2-review
On Mon, Oct 29, 2018 at 02:24:50PM -0400, Russ Housley wrote:
Please review it. Please raise any issues or concerns on the mail list. See https://docs.google.com/document/d/1qUxV4L-gS5xHmC4QQPGRk81MgQuhQvsbnEU7xxe8...
There is still a "clarification sought" that someone on the RT was supposed to answer? Did Laurin?
(The following applies to all recommendations, and is something for the editing phase, but it's not clear the editor can do it without clarity of content from whoever did the research/note-taking.)
(1) The claim "The assessment is based on reviewing the documents" should make clear exactly what documents were reviewed in this assessment, with titles and dates attached. You mean your whole assessment was just with doc [1] listed below? That seems inconsistent with the text above.
(2) In general, there are Yes or No questions for each sub-part, so our answers should have "Yes" or "No", or we should decide what are other viable answers. Rec 4 is an example where we have not done so.
Rest looks great.
2) In Barcelona we talked about the topics in the Internal Facing work stream.
See https://docs.google.com/document/d/1Eaj92r_ZbGBqO-2t3-tJv4Teqtix20Dly7C14XKj... and https://community.icann.org/display/SSR/Subgroup+%232+-+ICANN+SSR
Before the pause, there was a lot of information collected here: https://trello.com/b/5Eu1ppuv/ssr2-subtopic-2-icann-ssr
Please review this material. Are there any questions we need to ask? We will need volunteers to start writing text. Please be ready to volunteer for some writing.
sorry, i was probably sleeping in the wrong time zone when this decision was made, but I find the new "Internally Facing" name of this group to be misleading. Contractual Compliance, probably the most resource-intensive topic in here, is definitely not facing internally to ICANN. the old term seemed more appropriate: these are things that are, by community consensus, SSR activities led by ICANN. They are not even mostly internally facing.
3) In Barcelona KC agreed to propose a set of topics for the External Facing work stream. It will be a merge of several working documents. KC said that she would send something out on Wednesday. Please review it when it comes to your mailbox. Think about what information needs to be gathered to cover those topics.
So, two goals here:
1) review of WorkStream 4 subtopics with an eye toward potentially integrating some of them into WorkStream 3. Eric and I just took a pass over that; the result is some strikethrough on the current version of WorkStream 4 in the "Working Document SSR2 topics": https://docs.google.com/document/d/1Eaj92r_ZbGBqO-2t3-tJv4Teqtix20Dly7C14XKj... to be discussed tomorrow before we actually move them into Workstream 3 (or delete).
2) Integrate Geoff's distillation of salient points re DNS SSR from his meeting with ICANN (Kim Davies): https://docs.google.com/document/d/1KWvdcZ2g8hBxUzvzPqgzVmsT4RZ5CbIo-N2IpUUY... and integration of relevant material into Workstream 3.
As far as I'm concerned, all of these topics should be folded into WorkStream 3, though the formats of the two documents currently differ so I'm not inclined to just cut and paste. If the larger team considers this appropriate, the sub-team for this workstream will take it as an action item for next week (or realistically it might take two weeks, i'm fully booked next week). anyone interested in being on this subteam should speak up in the next week or two.
k
Hello,
On 29 Oct 2018, at 18:24, Russ Housley <housley@vigilsec.com> wrote:
I hope everyone had an uneventful trip home from Barcelona.
This week, there are three areas that need your attention for the call on Thursday.
1) Laurin added text into the SSR1 Google Doc for Recommendation 4.
Please review it. Please raise any issues or concerns on the mail list.
See https://docs.google.com/document/d/1qUxV4L-gS5xHmC4QQPGRk81MgQuhQvsbnEU7xxe8...
I still think the methodology we used for the assessment of the implementation of the 28 recommendations is not very suitable. We ended with the following conclusions:
1- most of the recommendations are vague and not measurable and sometimes not implementable
2- we have not seen evidence of implementation and effect, and so the recommendation has not been fully implemented, effect can’t be measured, etc...
On 1) we will have, at some point, to review the board actions on the 28 recommendations and respond to certain aspects in our assessment. https://www.icann.org/resources/board-material/resolutions-2012-10-18-en#1.e
On 2) we have not agreed on all documents or evidences required for our assessment. We shall also factor in the fact that the organisation has evolved over the years. The recommendations were issued in 2012, and implemented throughout up to 2017 and we are reviewing the impact in 2017/2018.
The SSR framework and the implementation of some of the recommendations have influenced the Strategic plan and Operation plan and the 5 years operating plan regularly updated, have KPIs for programs to y19 and y20 which are SSR related.
Most of the impact of the implementation in my opinion is to be investigated in strategic objectives and their implementation through activities portfolio throughout the years. We shall measure the impact from the KPI and deliverable in the OP, Annual report and also how SSR inputs and influences the strategic/operation plannings and the prioritisation of the activities and projects. Engage with Staff, board and any other affected parties or constituencies by the recommendations.
On the specifics.
For example we claimed that definition of security in the registry agreement differs from the one published in the SSR framework, added to the ICANN glossary and supposed to be used in all materials.
But, section 7.3 of the registry agreement does not define “security” or “stability” but defines what “effect on them mean or refer to”
======
(a) For the purposes of this Agreement, an effect on “Security” shall mean
(1) the unauthorized disclosure, alteration, insertion or destruction of registry data, or (2) the unauthorized access to or disclosure of information or resources on the Internet by systems operating in accordance with all applicable standards.
(b) For purposes of this Agreement, an effect on “Stability” shall refer to
(1) lack of compliance with applicable relevant standards that are authoritative and published by a well-established and recognized Internet standards body, such as the
=======
So using this example to justify a breach in the implementation of the recommendation is not appropriate in my opinion.
Hope this helps
thanks —Alain
Hi Alain, all, On 01.11.18 09:36, ALAIN AINA wrote:
Most of the impact of the implementation in my opinion are to be investigated in strategic objectives and their implementation through activities portfolio throughout the years. We shall measure the impact from the KPI and deliverable in the OP, Annual report and also how SSR inputs and influences the strategic/ operation plannings and the prioritisation of the activities and projects. Engage with Staff, board and any other affected parties or constituencies by the recommendations.
That sounds really good and reasonable, but I doubt that we can do it on a voluntary basis in this form. I also see that the evaluation of the implementation status of individual recommendations has only included a handful of evidences.
Let's take the example of strategic planning and the risks assessment we discussed in this context. Until this workshop in Barcelona, we obviously had not previously reviewed the strategic planning document https://www.icann.org/en/system/files/files/strategic-plan-2016-2020-10oct14... - otherwise we would know that strategic risks were being considered in this context.
I don't expect - and in my opinion nobody can - that we know everything and have to know where something is written. But IMHO there has to be an in-depth review, either through evidence (in form of available documents) or through interviews with SMEs. Based on the above-mentioned facts, I also find it difficult to conclude at the end that most of the 28 recommendations are still not implemented.
Which brings me back to the question, should we not use external resources more within the review? I would like to hear from all RT-members their own point of view on this. So, how do you see it? Are you satisfied with the result of the review of SSR1 recommendations and can you stand for the conclusion?
On the specifics.
For example we claimed that definition of security in the registry agreement differs from the one published in the SSR framework, added to the ICANN glossary and supposed to be used in all materials.
But, section 7.3 of the registry agreement does not define “security”, or “stability” but define what “effect on them mean or refer to"
======
(a) For the purposes of this Agreement, an effect on “Security” shall mean
(1) the unauthorized disclosure, alteration, insertion or destruction of registry data, or (2) the unauthorized access to or disclosure of information or resources on the Internet by systems operating in accordance with all applicable standards.
(b) For purposes of this Agreement, an effect on “Stability” shall refer to
(1) lack of compliance with applicable relevant standards that are authoritative and published by a well-established and recognized Internet standards body, such as the
======= So using this example to justify a breach in the implementation of the recommendation is not appropriate in my opinion.
I had already mentioned this in Barcelona and I will still agree with you. We should give everyone - and especially ICANN's legal department when it comes to drafting contracts - the option of interpreting and refining a definition for or in a particular context. Maybe we can include this in the analysis as an observation. Best regards - Boban.
Dear all, On 01.11.18 12:20, Boban Krsic wrote:
Which brings me back to the question, should we not use external resources more within the review? I would like to hear from all RT-members their own point of view on this. So, how do you see it? Are you satisfied with the result of the review of SSR1 recommendations and can you stand for the conclusion?
Just a friendly reminder - especially to those of our team who have not been in Barcelona or regularly attend the weekly conference calls.
Thanks! - Boban.
--
Boban Kršić
Chief Information Security Officer
DENIC eG, Kaiserstraße 75-77, 60329 Frankfurt am Main, GERMANY
E-Mail: krsic@denic.de, Phone: +49 69 272 35-120, Fax: -248, Mobile: +49 172 67 61 671
https://www.denic.de
PGP Key-ID: 0x43C89BA9 Fingerprint: B974 E725 FEF7 CB3A E452 BEE0 5B80 73E9 43C8 9BA9
Information pursuant to § 25a (1) GenG: DENIC eG (registered office: Frankfurt am Main)
Executive Board: Helga Krüger, Martin Küchenthal, Andreas Musielak, Dr. Jörg Schweiger
Chairman of the Supervisory Board: Thomas Keller
Registered under No. 770 in the Register of Cooperatives, Local Court (Amtsgericht) Frankfurt am Main
On Nov 1, 2018, at 4:36 AM, ALAIN AINA <aalain@trstech.net> wrote:
I still think the methodology we used for the assessment of the implementation of the 28 recommendations is not very suitable. We ended the following conclusions:
1- most of the recommendations are vague and not measurable and sometimes not implementable 2- we have not seen evidence of implementation and effect, and so the recommendation has not been fully implemented, effect can’t be measured, etc...
on 1) we will have at some point, to review the board actions on the 28 recommendations and respond to certain aspects in our assessment.
https://www.icann.org/resources/board-material/resolutions-2012-10-18-en#1.e
On 2) we have not agreed on all documents or evidences required for our assessment. We shall also factor in the fact that the organisation has evolved over the years. The recommendations were issued on 2012, and implemented throughout up to 2017 and we are reviewing the impact in 2017/2018.
the SSR framework and the implementation of some of the recommendations have influenced the Strategic plan and Operation plan and the 5 years operating plan regularly updated, have KPIs for programs to y19 and y20 which are SSR related.
Most of the impact of the implementation in my opinion are to be investigated in strategic objectives and their implementation through activities portfolio throughout the years. We shall measure the impact from the KPI and deliverable in the OP, Annual report and also how SSR inputs and influences the strategic/ operation plannings and the prioritisation of the activities and projects. Engage with Staff, board and any other affected parties or constituencies by the recommendations.
On the specifics.
For example we claimed that definition of security in the registry agreement differs from the one published in the SSR framework, added to the ICANN glossary and supposed to be used in all materials.
But, section 7.3 of the registry agreement does not define “security”, or “stability” but define what “effect on them mean or refer to"
======
(a) For the purposes of this Agreement, an effect on “Security” shall mean
(1) the unauthorized disclosure, alteration, insertion or destruction of registry data, or (2) the unauthorized access to or disclosure of information or resources on the Internet by systems operating in accordance with all applicable standards.
(b) For purposes of this Agreement, an effect on “Stability” shall refer to
(1) lack of compliance with applicable relevant standards that are authoritative and published by a well-established and recognized Internet standards body, such as the
======= So using this example to justify a breach in the implementation of the recommendation is not appropriate in my opinion.
Alain:
The Bylaws say:
(iv) The SSR Review Team shall also assess the extent to which prior SSR Review recommendations have been implemented and the extent to which implementation of such recommendations has resulted in the intended effect.
I think we have done what the Bylaws require.
Some actions were taken to implement each of the recommendations. The write-up summarizes those actions.
We made an assessment regarding whether those actions "resulted in the intended effect."
In some cases, we have follow-on recommendations.
We agreed that the wording of many SSR1 recommendations were not measurable, and we agreed to two things:
1) Include some text regarding the situation. Your words above seem like a good strawman.
2) When we write our recommendations, we will make sure that they are measurable.
Russ
Hello,
On 1 Nov 2018, at 23:39, Russ Housley <housley@vigilsec.com> wrote:
Alain:
The Bylaws say:
(iv) The SSR Review Team shall also assess the extent to which prior SSR Review recommendations have been implemented and the extent to which implementation of such recommendations has resulted in the intended effect.
I think we have done what the Bylaws require.
We are in full agreement on the task list as per the bylaws, especially on the SSR1 recommendations. I assumed it is still work in progress as you asked for comments/discussions.
Some actions were taken to implement each of the recommendations. The write-up summarizes those actions.
We concluded that some recommendations were not fully implemented, while staff concluded that they were all fully implemented. This would call for reviewing board/staff understanding of the recommendations, the implementation plan and actions taken to implement to eventually determine where the gap is.
We made an assessment regarding whether those actions "resulted in the intended effect.”
my main concern in this thread is about how this assessment was made. It needs a more structured approach than going through responses to some questions to staff and through some random documentation.
In some cases, we have follow-on recommendations.
We agreed that the wording of many SSR1 recommendations were not measurable,
SSR1 like SSR2 is a “review” and I would say a “high level review”, from which recommendations may not be directly measurable, as they affect strategic thinking/planning and operations of the organisation and/or the ecosystem.
This is my last communication on the topic and, as Boban suggested, it would be good to hear what the team’s thoughts are about these points.
Thanks —Alain
and we agreed to two things: 1) Include some text regarding the situation. Your words above seem like a good strawman. 2) When we write our recommendations, we will make sure that they are measurable.
Russ