Board Risk Committee (RC) – Minutes | 31 January 2013

RC Attendees: Steve Crocker, Ram Mohan, Thomas Narten, Gonzalo Navarro, Mike Silber – Chair, Judith Duavit Vazquez, and Suzanne Woolf

Other Board Attendees: Bruce Tonkin

Staff Attendees: Akram Atallah – Chief Operational Officer; John Jeffrey – General Counsel and Secretary; Jeff Moss – Chief Security Officer; Geoff Bickers, Megan Bishop, Samantha Eisner, Elise Gerich, Daniel Halloran, Patrick Jones, and Amy Stathos
The following is a summary of discussions, actions taken and actions identified:

  1. Minutes of Previous Meeting: The RC approved the minutes of its previous meeting in October 2012.

  2. Review of Action Items: The RC reviewed the open action items from the previous meeting, noting that research is ongoing relating to the use of cloud computing and mobile devices and work is underway to update internal policies. The other open action items are addressed on the agenda.

  3. DNS Risk Management Framework: Staff provided an update on the development of a DNS Risk Management Framework. A draft is expected to be provided to the RC in advance of the RC's meeting in Beijing.

  4. Update on Risk Matrix (IT Department): The RC received an update on the identification of risks within the IT department and the work ongoing to mitigate those risks.

  5. Coordinated Disclosure Process: Staff provided the RC with an update on a proposal to address the Security, Stability & Resiliency Review Team's recommendation 15, regarding ICANN acting as a facilitator in the responsible disclosure and dissemination of DNS security threats and mitigation techniques. The RC began a discussion of when the RC is looking for reporting on these events and in the coordinated disclosure process. The RC requested that staff produce a sample of some high-level reporting on incidents where ICANN is an impacted party, to determine if the level of reporting is sufficient. The RC noted that it does not wish to be an extra step in the incident-response environment.

    • Action:

      • Staff to produce samples of reporting incidents for RC consideration.

  6. Planning for next meeting: The RC reviewed the proposed topics for its next meeting. One of the areas for review is the risk matrices for a couple of departments within ICANN. Staff also provided an update on how the Security Team will be working throughout the organization to roll out the development of risk matrices for the remainder of the departments. The RC requested some regularity of reporting when there are material changes to the risk matrices for the organization. The RC also requested that New gTLD Program risks be incorporated into the broader risk matrix for the organization, noting that editing may be appropriate where some of the risks may give rise to conflict-of-interest issues, and confirmed that incident reports related to the New gTLD Program are more appropriate for consideration by the New gTLD Program Committee.

    • Action:

      • Staff to provide a proposal for discussion on the appropriate level of reporting against the risk matrix and definition of what should be run as an annual program for review by the RC.

  7. Any Other Business: The RC requested a status on an incident review requested by the RC at a recent meeting.

Published on 8 May 2014