Board Activities and Meetings
OEC Attendees: Katrina Sataki – Chair, Alan Barrett, Avri Doria and Matthew Shears
OEC Apologies: Chris Chapman
Other Board Member Attendee: Danko Jevtovic
Executive and Staff Attendees: Xavier Calvez (SVP, Planning and Chief Financial Officer), Franco Carrasco (Board Operations Specialist), Samantha Eisner (Deputy General Counsel), Evin Erdogdu (Project Manager, Review Support & Accountability), Negar Farzinnia (Director, Implementations Operations), Larisa Gurnick (VP, Review Support & Accountability), John Jeffrey (General Counsel and Secretary), Alice Jensen (Senior Manager, Implementation Operations), Wendy Profit (Board Operations Senior Manager), Laena Rahim (Regional Counsel, APAC), Giovanni Seppia (VP, Implementation Operations) and Mary Wong (VP, Strategic Community Operations, Planning and Engagement).
The following is a summary of discussions, decisions, and actions identified:
The Meeting was called to order at 19:00 UTC.
- Agenda – The Chair established the agenda for the meeting and gave an overview of items to be discussed.
- Review of Open Action Items – The OEC reviewed the "Open Action Items" with ICANN organization.
- Update on the Second Review of the Security, Stability and Resiliency of the DNS (SSR2) Recommendation Implementation and Proposed Board Action – Further to the OEC's discussion on this topic at its meeting on 6 October 2022, Danko Jevtovic (Chair of the Board Caucus Group on SSR2 Review) and ICANN org provided an update in relation to a group of pending SSR2 recommendations. The purpose of this agenda item is for the OEC to discuss its recommendation to the Board on 21 of the 31 remaining pending recommendations:
- On 22 July 2021, the Board took action on each of the 63 final SSR2 recommendations.
- 34 recommendations were placed into pending status.
- 3 recommendations were resolved by Board action on 1 May 2022 (1 approved, 2 rejected).
21 of the pending recommendations are now proposed for Board action as follows:
- 12 recommendations (3.1, 4.3, 6.1, 6.2, 7.4, 16.2, 16.3, 18.1, 18.2, 18.3, 20.1 and 20.2) proposed for rejection; and
- 9 recommendations (3.2, 3.3, 5.3, 7.1, 7.2, 7.3, 7.5, 11.1 and 24.1) proposed for approval.
10 recommendations (9.2, 9.3, 12.1, 12.2, 12.3, 12.4, 13.1, 13.2, 14.2 and 17.1) remain in pending status (additional time is required to continue addressing these pending recommendations):
- 7 recommendations regarding DNS abuse;
- 2 recommendations regarding contracted parties registration data accuracy; and
- 1 recommendation regarding a framework to characterize the nature and frequency of name collisions and resulting concerns.
In relation to Recommendation 5.3 (Requiring external parties that provide services to ICANN org to be compliant with relevant security standards and documenting their diligence regarding vendors and service providers), the OEC sought clarification as to whether ICANN org already has the appropriate security management and procedures in place, or whether a new framework is required to address this recommendation. ICANN org explained that the Engineering & Information Technology (E&IT) function already requires all vendors and service providers to have a risk assessment performed and documented, which meets industry-standard requirements. To complete the implementation of this recommendation, ICANN org would need to include a clause on compliance with relevant security standards when renegotiating its one-year contracts with external service-provider parties.
The OEC also sought clarification on the proposed timeframe to address Recommendation 7.5 (Publishing a summary of overall Business Continuity (BC) and Disaster Recovery (DR) plans and procedures and engaging an external auditor to verify compliance with these BC and DR plans). Subject to prioritization, and based on internal discussions, ICANN org estimated that the publication of an appropriate summary of its BC and DR plans can be completed within a reasonable time.
In relation to Recommendation 4.3 (naming or appointing a dedicated, responsible person in charge of security risk management who will report to the C-Suite Security role), Danko noted that this recommendation is proposed for rejection because the structure of ICANN org's risk management and risk assessment has evolved since the SSR2 began, and various improvements have been made in this area. Thus this recommendation is considered "outdated", as it already was upon completion of the SSR2 Review.
Upon being briefed by ICANN org and reviewing the draft Board Paper, the OEC, as the sponsoring committee for the SSR2 Board Caucus Group, discussed and agreed to recommend that the Board take action on 21 of the 31 pending SSR2 recommendations, as explained in the Scorecard titled "Detailed Scorecard – SSR2 Pending Recommendations – Proposed Board Action" (incorporating the OEC's suggested modifications). The OEC makes its recommendation to the Board based on the input received from the SSR2 Board Caucus Group.
- ICANN org to finalize the Board Paper, incorporating the relevant suggestions from the OEC.
- The OEC to forward its recommendation to the Board for its consideration.
ICANN org will continue to keep the OEC updated on the progress and timelines of the work involved in addressing the SSR2 recommendations.
Any Other Business
- OEC Operating Procedures – For purposes of internal coordination, the Chair requested ICANN org to prepare a brief document containing a checklist for all the relevant steps and/or processes for the OEC (e.g., steps to be taken by ICANN org to obtain the OEC's approval to move an OEC recommendation to the Board).
The Chair called the meeting to a close.