CIIO Perspectives - Volume 3
A few weeks back, I blogged about how ICANN manages its IT assets and digital services in light of cyber-security threats. I also wrote at the time that we have engaged a globally-recognized, independent third party to annually audit ICANN's security controls, and I committed to occasionally blog about our journey.
In Buenos Aires, many of you - members of the community - met with me and my colleagues from the ICANN team. During these meetings, there were many suggestions, but the underlying theme was clear and consistent: you want to see ICANN make progress in reducing its cybersecurity risks and for ICANN to become more operationally and technically resilient.
Focusing on cybersecurity, it is common to approach cyber-risk assessments by leveraging a framework. There are numerous such frameworks. They are typically adopted voluntarily and serve as guidance, not as a one-size-fits-all prescription, and organizations customize them to best suit their needs, situation and risks. However, once the customization is done, a framework offers concrete practices and prescriptions for the organization to implement in order to achieve positive outcomes. Lastly, many frameworks enable assessors to assign some sort of score, so the organization has a numerical target to shoot for and can measure its progress from one assessment to the next.
This is one sense of a framework. In a different sense, a framework can be likened to a window with many window-panes. It leverages existing standards, guidelines and practices, which helps an organization see all the components that make up its asset and risk base in one place. Given the many panes, an organization can quickly get a multi-faceted view of its asset base and, through that view, a holistic view of its cyber-risk. This also allows the organization to deep-dive into one or more panes in the window, using a set of drivers germane to its context and needs. As a result, it is typical for frameworks to inform organizations as to which activities are most important to assure critical operations and service delivery. This helps organizations make informed choices on where and how best to invest, maximizing the impact of each dollar. And lastly, frameworks help organizations communicate with internal and external stakeholders about the state of cybersecurity and risk in 'plain English' that everyone can understand.
In 2014, ICANN adopted the SANS Institute Critical Security Controls framework for cyber-defense. On the heels of adopting this framework, ICANN retained the services of Leidos, a company with a reputation for cybersecurity audits. Leidos proceeded to deliver a baseline assessment of ICANN's cybersecurity status against those controls.
In their own words, as Leidos conveyed to the management team, ICANN was 'on par' with typical business organizations when we started. We felt happy that ICANN was not behind, but we were far from satisfied! As I have blogged previously, in one avatar, ICANN serves as a 'data depository desk' which is critical to the operations of the Internet. In this avatar, we have to be playing at the same level as the best, such as well-regarded financial institutions.
With timely support from the Board for resources and appropriate priority trade-offs, IT started to rigorously address the areas that merited attention. As a result, in the last 12 months, many aspects of ICANN's cyber-defense were reviewed under the microscope, and efforts to bolster or remediate focused on the areas that needed it most. We made palpable progress in a number of different areas, such as application software, training, access controls and penetration testing.
As planned, Leidos conducted its annual audit from May-June this year, and we've recently received the audit report, which I am happy to share.
Leidos 2015 Audit Report Highlights
I am pleased to say that, in roughly half of the 20 factors measured, ICANN is in the GREEN zone. Equally important, ICANN is not in the RED zone in any dimension. According to Leidos, "ICANN has dramatically improved its cybersecurity efforts over the past year, reflecting its leadership's commitment to addressing cybersecurity concerns and establishing itself as a leader in the space." Looking ahead, they anticipate that by next year, when the current roadmap is finished, ICANN will be on par with world-class organizations.
In the ever-changing landscape of cybersecurity, achieving excellence is not a destination, it is a never-ending journey. And we are committed to this journey. We have made steps in the right direction, have a clear roadmap, and we are on our way.
As always, feel free to reach out to me at Ashwin.Rangan@icann.org to discuss further.