Minutes – Board Risk Committee (BRC) Meeting 26 October 2017

BRC Attendees: Rafael Lito Ibarra, Akinori Maemura, Ram Mohan (Co-Chair), Kaveh Ranjbar, and Mike Silber (Co-Chair).

BRC Member Apologies: Maarten Botterman and Jonne Soininen.

Other Board Members Attendees: Khaled Koubaa, George Sadowsky

Invited Observers: Sarah Deutsch, Avri Doria, and Matthew Shears.

ICANN Organization Attendees: Susanna Bennett (SVP & Chief Operating Officer), Xavier Calvez (SVP & Chief Financial Officer), James Caulfield (VP, Enterprise Risk Management), Simon Garside (VP, Security Operations), Vinciane Koenigsfeld (Board Training & Content Senior Manager), Ashwin Rangan (SVP Engineering & Chief Information Officer), and Amy Stathos (Deputy General Counsel).


The following is a summary of discussions, actions taken and actions identified:

  1. BRC 2018 Work Plan – The BRC reviewed the draft work plan for the Committee for FY18. The Committee discussed whether there is a need for increased frequency on the cadence for assessing and tracking of external risks such as cybersecurity and IT related risks. The BRC asked ICANN organization to re-evaluate the frequency by which the list of risks is being refreshed and asked ICANN organization to align the frequency of the reporting of risks to the Committee with the frequency by which the list of risks is being refreshed. The BRC decided to re-evaluate and approve the work plan via email after the plan has been updated. The BRC also asked ICANN organization to reevaluate the frequency of the Risk survey which currently performed annually. The BRC also noted that Chairs of the BRC and the Board Technical Committee should engage with each other to coordinate on what the committees are asking ICANN organization to do, as there is a possibility of overlap between the two committees.

    • Actions:

      • ICANN organization to re-evaluate the frequency by which the list of risks is being refreshed and align the frequency of the reporting of risks to the BRC with the frequency by which the list of risks is being refreshed, and to provide an updated work plan as required to the BRC within a few weeks via email.
      • ICANN organization to reevaluate the frequency of Risk survey, its reporting to the BRC, and update the work plan accordingly.
  2. Cybersecurity – Information Update – The BRC received a briefing on cybersecurity from ICANN organization's Sr. VP Engineering & Chief Information Officer.

    ICANN organization is in its fourth year of using the CIS 20 framework to assess activities to shore up and improve the cybersecurity stance of the organization. There are 20 different factors and controls that get assessed with the CIS 20 framework. Each factor can be scored from a null, which means there is no evidence of any mitigation, to a ten, where the controls are effective, measurable, repeatable. ICANN organization has made significant progress year to year, increasing its score across all factors, noting the prohibitively expensive nature of the getting to a ten.

    Since the CIS 20 framework has been around, it periodically undergoes a revision where either a factor in the 20 factors used in the framework are changed or the scaling of the factor itself changes. Two years ago, there was revision to the scaling and another revision to the framework is expected this year. When the revision happened two years ago, ICANN organization invited a third-party company renowned for their cybersecurity work to conduct an audit. While ICANN organization has been maturing nicely on the CIS 20 framework, it is also considering other frameworks in cybersecurity such as NIST and ISO.

    This fiscal year, ICANN organization is planning to map its current state against the NIST framework. Because the auditors that conduct the audit are different each year and the framework continuously evolves, ICANN organization finds that it is not necessary to change auditing firms for FY18.  ICANN organization will consider moving to a different auditor next year when it moves to NIST framework. One significant change ICANN organization has made internally this year was to reorganize within the engineering and IT function and integrated cybersecurity (which used to be a stand-alone function) with DNS engineering and networking teams. It was noted that cloud based security testing is becoming a part of ICANN organization's normal rhythm as 40 percent of the services utilized at ICANN leverages some aspect of cloud.

Published on 2 November 2017