Board Risk Committee (RC) – Minutes
RC Attendees: Steve Crocker, Ray Plzak, Mike Silber – Chair, Bruce Tonkin, R. Ramaraj, Thomas Roessler, and Suzanne Woolf
Other Board Attendees: George Sadowsky, Ram Mohan and Thomas Narten
RC Apologies: Judith Vazquez
Staff Attendees: Akram Atallah – Chief Operational Officer; Xavier Calvez – Chief Financial Officer; John Jeffrey – General Counsel and Secretary; Jeff Moss – Chief Security Officer; Kurt Pritz – Chief Strategy Officer, Stakeholder Relations; Edward Beck, Megan Bishop, Michelle Bright, Samantha Eisner, Daniel Halloran, Patrick Jones, Denise Michel and Amy Stathos
The following is a summary of discussions, actions taken and actions identified:
- Minutes of Previous Meeting: The RC approved the minutes of its previous meeting in September 2012.
ICANN Strategic Risks: Staff provided the RC with a review of the high-level areas that have been the focus of ICANN's risk management efforts. Staff also discussed ICANN's work in coordinating cross-functional risk management teams to continually discuss risks. A risk template was also introduced, as a format to help deal with risk-related issues in common terminology across the organization.
- Staff to refine template to incorporate standard risk management terminology.
DNS Risk Management Framework WG: Staff reported that the RFP was posted after Prague and a consultant has been identified to assist with the DNS Risk Management Framework. The WG that was formed to oversee this effort will likely then be folded into the RC for continued oversight of this work, though the WG has not yet formalized any transition plans. Staff reported that the finalized framework is expected to be delivered in 2013 (with comments on drafts prior), and will describe roles, responsibilities, authority and accountability for each component. The framework will address some of the recommendations coming out of the Security and Stability Review Team. The RC also discussed how it can plan and bring in ad hoc expertise from other Board members as its necessary.
- Chair of WG and Chair of RC to discuss transition and knowledge transfer from the WG to the RC.
- RC to draft note for Board Governance Committee regarding the Board member skills that are useful for service on the RC.
- MyICANN: The RC received a presentation on the introduction of MyICANN, which will initially serve to aggregate information from public sites to form streams to organize activity within ICANN. Staff confirmed that the security staff has reviewed the MyICANN platform to assess risks and mitigation. There is a long-term focus on increasing security within the platform. The RC received a report on the coordination among ICANN's security, legal and IT teams to assure that the MyICANN vendor is aware of ICANN's needs, including receipt of security procedures documentation, access needs and additional items that will be incorporated into standard evaluation and use of other third-party hosted systems by ICANN. Staff confirmed that risk assessment for future phases is already underway.
- New gTLD Risk Area Summary: The RC received a report from staff on the areas of risk within the New gTLD Program that have been reviewed and are being tracked with the New gTLD Program Committee, as well as work on the ongoing risk assessment and analysis over the Program.
Any Other Business: The RC raised the issue of cloud computing and requested some risk guidance on the use of cloud services and mobile devices. The RC also discussed how it can better track comprehensive risks to the organization, including a regular reporting structure and cycle.
- Staff to provide information and guidelines on the use of cloud computing and mobile devices.
- Staff to provide an update to a comprehensive risk matrix for ICANN.
- The RC should review the document at its next face-to-face meeting to refine the document and assure it meets the organization's needs.
- Each RC meeting should begin with a short review to identify the changes to the risk matrix.