
Minutes | Board Risk Committee (RC) Meeting

RC Attendees: Rinalia Abdul Rahim, Ram Mohan – Co-Chair, Mike Silber – Co-Chair, Jonne Soininen, and Suzanne Woolf

RC Member Apologies: Kuo-Wei Wu

Other Board Member Attendees: Fadi Chehadé, Steve Crocker, Chris Disspain, Asha Hemrajani, and Markus Kummer

Executive and Staff Attendees: Francisco Arias (Director, Technical Services), Akram Atallah (President, Global Domains Division), Susanna Bennett (Chief Operating Officer), Megan Bishop (Board Support Coordinator), Xavier Calvez (Chief Financial Officer), David Conrad (Chief Technology Officer), Dan Halloran (Deputy General Counsel), John Jeffrey (General Counsel and Secretary), Patrick Jones (Senior Director, Global Stakeholder Engagement), Jacks Khawaja (Enterprise Risk Director), Cyrus Namazi (V.P., DNS Industry Engagement), Ashwin Rangan (Chief Innovation and Information Officer), Amy Stathos (Deputy General Counsel), and Christine Willet (V.P., gTLD Operations)

The following is a summary of discussions, actions taken, and actions identified:

  1. Minutes – The RC approved the minutes from the 15 October 2014 meeting.

  2. Top 10 Enterprise Risks – Ram Mohan provided an overview of the agenda item, explaining that the presented list of identified top ten risks to the organization was sorted based upon the 2014 ratings for likelihood and severity, and agreed upon in the Global Leader Workshop in December 2014. The RC discussed the risks identified, clarification and refinement of the definitions, and prioritization of the identified risks, as well as potential additional risks.

    • Action: Staff to clarify the language for some of the listed risks as needed, and review the balance of operational and reputational risk items to see if they capture the necessary scope.

  3. Spear-Phishing Incident and Mitigation – Staff provided an overview of the spear-phishing incident and cyber security in general. Staff provided a summary of the spear-phishing incident, the information accessed, and the lessons learned as a result of the incident. Staff provided an overview of the types of sensitive data within ICANN's IT-enabled services as well as the additional cyber security training, tests, reviews, and protections being instituted and the timetable for each task. Staff described the proposed three-phase approach and relative costs over the next five years in order to increase ICANN's cyber security. The RC discussed the proposal, the affiliated costs and the additional information needed in order to provide a recommendation to the Board.

    • Actions:
      • Staff to update and clarify the three-phase proposal and affiliated costs based upon the RC's comments and questions, and provide this update to the RC for review.

      • Staff to determine the best method of sharing a report with the community and a means to gain input from the community.

  4. Universal Acceptance of TLDs Initiative – Staff provided a brief overview of the Universal Acceptance of TLDs Initiative and progress to date. The RC discussed the progress thus far and potential resources necessary for the continuation of the Initiative. Staff indicated that an informal workshop of volunteers was assembled in Washington, D.C. in January 2015 in order to discuss ways in which to move forward with the Initiative. As a result of the workshop, staff developed a proposal that will be presented to the community, focusing on communications, messaging, and getting more volunteers involved. Once the community provides input, staff will finalize the proposal and present it to the RC to review the process and the expected outcomes. Once that is completed, the proposal would then be presented to the BFC for budget purposes.

    • Action: Staff to prepare proposal regarding the Initiative, obtain community input, and then present to the RC for review.

  5. New gTLD Risk/Quantification Presentation – Staff provided an overview of the reasons why an updated New gTLD Risk Assessment has been conducted, the methodology used, the risks that were identified, and the cost quantification of those risks. The RC discussed the risks and costs, and ways in which to reflect the results.
