Minutes | Board Risk Committee (RC) Meeting

Posted 19 June 2015

RC Attendees: Rinalia Abdul Rahim, Ram Mohan – Co-Chair, Mike Silber – Co-Chair, Suzanne Woolf, and Kuo-Wei Wu

RC Member Apologies: Jonne Soininen

Executive and Staff Attendees: Akram Atallah (President, Global Domains Division), Susanna Bennett (Chief Operating Officer), Dan Halloran (Deputy General Counsel), John Jeffrey (General Counsel and Secretary), Jacks Khawaja (Enterprise Risk Director), Elizabeth Le (Senior Counsel), Wendy Profit (Board Support Specialist), Ashwin Rangan (Chief Innovation and Information Officer), and Amy Stathos (Deputy General Counsel)

The following is a summary of discussions, actions taken, and actions identified:

  1. Assessment of Digital Services/Expenses – Staff presented an overview of the 2014 analysis of ICANN's digital security conducted by an external expert firm, the security measures that have already been implemented, and the areas of focus recommended in order to strengthen ICANN's digital security—the first of which is an in-depth assessment of ICANN's software platforms. Staff explained that ICANN delivers a portfolio of 85 digital services for the benefit of its served communities. These services have been developed and placed in service over the last 15 years, utilizing 10+ different software platforms. ICANN needs to obtain a comprehensive review and assessment of these software platforms by external subject matter experts with specific technical expertise for each type of platform. This exercise was not budgeted for FY15, but it is important to begin the process before the start of FY16. Staff further explained that there are sufficient funds in the FY15 contingency fund to cover the cost of the recommended assessments. The RC discussed the matter and agreed to recommend that the Board delegate to the President and CEO, or his designee(s), the authority to take all necessary actions to obtain a comprehensive assessment of all software platforms in use at ICANN for delivering digital services.
  2. Long Term View: Ensuring Data Security at ICANN – Staff provided an overview of the types of digital services that ICANN provides, the sensitivity of the data gathered and stored by such services, short-term plans to better secure the data, and longer-term plans to safeguard the data. The short-term plans include the 16 projects currently underway in the infrastructure zone and the in-depth assessments of ICANN's software platforms (discussed above). Longer-term plans to increase IT security combine technology with people and processes. Such plans include, for example, mandatory security training, integrated industry-standard testing and QA approaches, network monitoring, a formal IT Steering Committee (ITSC), Computer Incident Response Team (CIRT) reviews, and annual audits by external expert parties. In order to ensure and monitor progress on these longer-term plans, the RC agreed to recommend to the Board, as part of its recommendation regarding the software platform assessments (noted above), that the Board direct the President and CEO, or his designee(s), to provide regular updates to the RC on the progress of the long-term plan to ensure that systems design and systems architecture are integrated into standard ICANN processes, and that security considerations occupy an essential role in corporate decision making.
  3. Data-Sharing Configuration in GDD Portals – Staff provided an overview of the services related to the software platform, including the Applicant Portal and the Registries Portal (the GDD Portals), and the incident reported in February 2015 regarding the data-sharing database configuration. The GDD Portals were taken off-line for approximately three days to modify the database configuration and rectify the issue. Staff further explained the subsequent measures implemented in order to investigate the situation and mitigate against such circumstances in the future.
Glossary: Domain Name System

Internationalized Domain Name (IDN): IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet "a-z". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European "0-9". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed "ASCII characters" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of "Unicode characters" that provides the basis for IDNs.

The "hostname rule" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen "-". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of "labels" (separated by "dots"). The ASCII form of an IDN label is termed an "A-label". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a "U-label". The difference may be illustrated with the Hindi word for "test" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of "ASCII compatible encoding" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an "LDH label". Although the definitions of A-labels and LDH labels overlap, a name consisting exclusively of LDH labels, such as "" is not an IDN.
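The U-label/A-label distinction above can be exercised directly: the ACE step is Punycode (RFC 3492) with the "xn--" prefix, and the hostname rule is what the DNS actually enforces on the stored form. The following is an added example, not code from the ICANN page; it uses only Python's standard-library "punycode" codec and deliberately omits the IDNA mapping step (nameprep / UTS 46 case folding and normalization), so it should be read as an illustration of the terminology rather than as a complete IDNA implementation. The function names and the regular expression are this example's own.

```python
# Added example (not part of the ICANN glossary): U-label <-> A-label
# conversion for the IDN terminology above, standard library only.
# Simplification (assumption of this example): no nameprep / UTS 46
# mapping is applied before Punycode; only ASCII is case-folded.
import re

ACE_PREFIX = "xn--"
# Hostname rule for the stored form: letters, digits, hyphen; at most 63 octets.
LDH_RE = re.compile(r"^[a-z0-9-]{1,63}$")


def to_a_label(u_label: str) -> str:
    """Return the ASCII form of one label as it is stored in the DNS."""
    label = u_label.lower()
    if all(ord(ch) < 128 for ch in label):
        a_label = label                       # already an LDH label, no ACE needed
    else:
        # Punycode (RFC 3492) output is pure ASCII; the xn-- prefix marks it as ACE.
        a_label = ACE_PREFIX + label.encode("punycode").decode("ascii")
    if not LDH_RE.match(a_label):
        raise ValueError(f"label violates the hostname rule: {a_label!r}")
    return a_label


def to_u_label(a_label: str) -> str:
    """Return the Unicode form a user expects to see for one stored label."""
    label = a_label.lower()
    if label.startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label                              # plain LDH label, displayed as-is


def to_dns_name(name: str) -> str:
    """Convert a dotted name label by label; a trailing root dot is dropped."""
    return ".".join(to_a_label(label) for label in name.rstrip(".").split("."))


def to_display_name(dns_name: str) -> str:
    """Inverse of to_dns_name: decode every ACE label back to its U-label."""
    return ".".join(to_u_label(label) for label in dns_name.split("."))


def is_idn(name: str) -> bool:
    """A name made exclusively of LDH labels is not an IDN; any ACE label makes it one."""
    return any(label.startswith(ACE_PREFIX) for label in to_dns_name(name).split("."))


if __name__ == "__main__":
    # The glossary's own example: Hindi "test" in Devanagari.
    print(to_dns_name("परीका.example"))        # xn--11b5bs1di.example
    print(to_display_name("xn--11b5bs1di.example"))
    print(is_idn("example.org"), is_idn("परीका.example"))
```

Two practical points follow from the code: resolvers, logs and certificate subject names carry the A-label form, so any monitoring that matches on domain names should normalize to that form first, and the hostname-rule check must be applied to the encoded label, since it is the ACE output, not the U-label, whose length and character set the DNS constrains.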