Minutes | Board Risk Committee (BRC) Meeting | 14 October 2021

BRC Attendees: Rafael Lito Ibarra (Chair), Merike Käo, Akinori Maemura, Kaveh Ranjbar, and Matthew Shears

BRC Member Apologies: Harald Alvestrand and Nigel Roberts

Other Board Member Attendees: Avri Doria, Manal Ismail, Danko Jevtović, and Patricio Poblete

ICANN Organization Attendees: Xavier Calvez (SVP, Planning and Chief Financial Officer), Franco Carrasco (Board Operations Specialist), James Caulfield (Vice President, Risk Management), Elizabeth Le (Associate General Counsel), Terry Manderson (Sr. Director, Network Engineering & Security), Ashwin Rangan (SVP, Engineering and Chief Information Officer), and Amy Stathos (Deputy General Counsel)


The following is a summary of discussions, actions taken and actions identified:

  1. Information Security Update – The Committee received an update from ICANN org Information Security (InfoSec) Programs in place, which included updates on the InfoSec Ambassador Program, Computer Security Incident Response Team (CSIRT) processes, device management, penetration testing, tabletop exercises, automated systems for auditing and reporting and the NIST cybersecurity framework. ICANN org's InfoSec Ambassador Program was started in the third quarter of 2018 and allows the InfoSec team to provide monthly topical updates to representatives of each function within ICANN org, and these representatives would in turn share the information with the members in their function. ICANN org's CSIRT processes are quite mature with well-established playbooks and full engagement from all business owners including communications, legal, information security and physical security. ICANN org's penetration testing allows a third-party organization, and sometimes internal team members, to attempt to compromise ICANN. Every year, ICANN org's managed root server team conducts a tabletop exercise to prepare for potential security attacks against the root server. Every two years, ICANN org performs a tabletop exercise for IANA as part of the audit process. Every three to four years, ICANN org looks at all of the E&IT function teams. Each tabletop exercise generates a report and a set of recommendations that feed into security process improvements. ICANN org is currently using the NIST cybersecurity framework which has integrated exceptionally well with ICANN org. NIST has allowed ICANN org to: (i) think more critically about how the organization works and where InfoSec concerns should be addressed; (ii) better identify the pathway to align InfoSec-related strategic objectives with ICANN org's E&IT objectives; and (iii) produce a foundational strategy and alignment with governance and societal responsibility with broader strategic planning and objectives, especially related to ICANN org itself. The BRC agreed that the full Board should receive brief summary of the InfoSec Update.
  2. Workshop Agenda and Materials – The Committee discussed the agenda for the upcoming Board Risk Workshop which will include among other things an information security update, an overview of the risk progression model and target model, risk management framework, risk identification process, risk register and risk appetite statement.
  3. BRC Report to the Board – The Committee discussed the upcoming BRC Report to the Board and agreed to focus on the BRC activities and updates to the Risk Register.  
  4. AOB – Members of the Risk Committee and ICANN org thanked the outgoing Chair for his years of leadership and wished him the best of luck on his future endeavors.

The Chair then called the meeting to a close.

Published on 26 October 2021