Board Risk Committee (RC) – Minutes 21 June 2013

BRC Members: Steve Crocker; Ram Mohan (Non Voting Liaison); Thomas Narten (Non Voting Liaison); Gonzalo Navarro; Mike Silber – Chair; Judith Duavit Vazquez; and Suzanne Woolf (Non Voting Liaison)

Staff Attendees: Akram Atallah – Chief Operating Officer; Edward Beck; Megan Bishop; Dan Halloran; John Jeffrey – General Counsel and Secretary; Patrick Jones; Erika Randall; and Amy Stathos


The following is a summary of discussions, decisions, and actions identified:

The Meeting was called to order at 18:35 UTC.

  1. Approval of Minutes – The BRC approved the minutes from the 16 May 2013 meeting.

  2. Review of Action Items: The BRC reviewed the open action items from the previous meeting. Regarding the alignment of the IT Best Practices Implementation plan with the Strategic Plan, the BRC agreed that due to the pending strategic planning work, this item should be slated for discussion at the BRC meeting in Durban, South Africa. Staff provided an update on the timing for hiring an Enterprise Risk Manager within ICANN. Regarding the discussion on ICANN's risk appetite and mitigation efforts, the BRC agreed to defer this topic to be considered at its meeting in Durban.

  3. IT Best Practices review and recommendations: The BRC engaged in an in-depth discussion regarding the IT Best Practices Report. This discussion was a continuation to initial conversations in previous meetings regarding the recommendations in the report. The BRC focused its discussion on what steps ICANN is currently taking or is proposing to take to address the recommendations, which included a progress report on the roll out of Salesforce.com to replace TAS, IT governance plans, and data and security policies. The BRC also discussed the quality control processes in place for properly designing, documenting and testing systems before they are deployed. Staff presented a technology roadmap to facilitate the BRC's discussion of the consolidation of ICANN's portfolio of software.

    • Action:
      • Staff to prepare an update on actions taken or proposed to be taken in response to items identified in the IT Best Practices Report as critical or highly recommended.

      • BRC to discuss and prepare an update to the community on implementation of IT Best Practices Report recommendations after the Durban meeting.

  4. Any Other Business – The BRC discussed current and planned security measures for MyICANN.

The meeting was adjourned at 20:25 UTC.