
Minutes – Board Risk Committee (BRC) Meeting

Published 5 March 2016

BRC Attendees: Rinalia Abdul Rahim, Ram Mohan – Co-Chair, Mike Silber – Co-Chair, Jonne Soininen, Suzanne Woolf, and Kuo-Wei Wu

Other Board Member Attendees: Cherine Chalaby and Chris Disspain

ICANN Executives and Staff Attendees: Susanna Bennett (Chief Operating Officer), Megan Bishop (Board Support Coordinator), Xavier Calvez (Chief Financial Officer), Jacks Khawaja (Enterprise Risk Director), Vinciane Koenigsfeld (Board Support Content Manager), Becky Nash (VP Finance), Ashwin Rangan (Chief Innovation and Information Officer), Jeff Reid (Senior IT Leader), Amy Stathos (Deputy General Counsel), Randy Watanabe (Enterprise Risk Manager), and Christine Willett (VP of gTLD Operations)
The following is a summary of discussions, actions taken, and actions identified:

  1. Minutes – The BRC approved the minutes of the 16 and 24 April 2015 meetings.

  2. SO/AC Engagement Plan – Staff briefed the BRC on the SO/AC Engagement Plan. The purpose of the Plan is to achieve a comprehensive risk assessment, to expand risk communication with stakeholders, and to increase transparency and trust. The Plan integrates Enterprise Risk Management (ERM) and risk management into the overall operations communications strategy by discussing risk assessments, as well as the ERM methodology and framework, with the community. The BRC noted that the first SO/AC meeting to include a discussion of risk assessments will take place on Wednesday, 23 June 2015. BRC members are encouraged to attend the session if they are available.

  3. IT Cyber Security Risk Management – Staff briefed the BRC on the status of IT security and on the efforts underway to harden ICANN's security. In June/July of last year, ICANN engaged a third-party consultant to assess all IT assets against the Critical Security Controls framework (20 controls). Based on the results of that assessment, ICANN has been taking affirmative steps to improve its score. These efforts have included hiring IT security-oriented professionals and defining all but one of the required processes; the next step is to execute those processes. With respect to platform consolidation, the inventory assessment and the selection of platforms have been completed, but transitioning from the old platforms to the new ones will take some time. In regard to IT security initiatives, staff reported that ICANN has completed ten of the sixteen infrastructure-oriented projects, with the remaining six expected to be completed by September. Additionally, pursuant to Resolutions 2015.04.26.23-2015.04.26.14, adopted by the Board at its 26 April 2015 meeting, ICANN has engaged two firms to conduct a comprehensive review and security vulnerability assessment of all software platforms ICANN uses to deliver digital services. Staff also reported that the score from the yearly IT audit has improved significantly over the past year, though there is always room for continued improvement.

    • Actions:

      • Staff to develop a roadmap that defines what "good" looks like for IT cyber security risk management, for further consideration and discussion by the BRC.

      • Staff to expand the assessment of people to include all ICANN staff.

      • Staff to provide reporting to the BRC on a regular basis at BRC meetings regarding IT cyber security risk management.

  4. Updates to BRC

      • Revised SO/AC Risk Descriptions – The BRC noted that a few of the SO/AC risk descriptions have been revised to be more in the form of a risk statement and incorporated in the ERM Risk Register.
      • Impact of USG Stewardship Transition on Risk – Staff provided an update on the assessment of the impact of the USG Stewardship transition on risk. The ERM staff has identified risks that may impact the transition and preliminarily rated these risks based on the perceived impact. The ERM staff will then review the preliminary assessment with management and include results in 'quarterly' reporting.
      • Updated Roadmap – Staff reported that the input provided by the BRC at the 29 April 2015 meeting has been incorporated in the revised ERM Roadmap and Work Plan.
      • ERM Evaluation – Staff briefed the BRC on the actions taken to evaluate the effectiveness of the ERM framework and methodology. These included assessing several firms' good-practice benchmark approaches and selecting one firm to review the framework, methodology and roadmap (including policies, processes, and procedures) and to help develop a preliminary maturity assessment. The purpose of the ERM evaluation is to achieve best practices. The next steps are to validate the preliminary maturity assessment and to develop an ERM Maturity Plan, which is expected to be shared with the BRC at the ICANN54 Board workshop.
      • Risk Appetite – Staff briefed the BRC on the actions taken to assess the organization's risk appetite, including a preliminary SWOT (strengths, weaknesses, opportunities and threats) analysis. The next steps are to conclude the SWOT analysis, identify organizational business drivers, and establish the risk appetite. The results are expected to be shared with the BRC at the ICANN54 Board workshop.
        • Action:

          • Staff and BRC Co-Chairs to prepare a Working Group, including BRC and other Board Members, to discuss ERM Maturity Continuum:

            • Design Outline
            • Prepare Materials
            • Set Up Facilitation at a session in Dublin (ICANN 54), expected to last 4-6 hours
Domain Name System

Internationalized Domain Name (IDN)

IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet "a-z". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European "0-9". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed "ASCII characters" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of "Unicode characters" that provides the basis for IDNs.

The "hostname rule" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen "-". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of "labels" (separated by "dots"). The ASCII form of an IDN label is termed an "A-label". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a "U-label". The difference may be illustrated with the Hindi word for "test" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of "ASCII compatible encoding" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an "LDH label". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as "icann.org", is not an IDN.
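The U-label to A-label conversion and the hostname-rule check described in this entry, as an added example (not ICANN's or the glossary's code): it implements the Punycode encoding of RFC 3492 that the "xn--" ACE form is built on, and the helper names `to_a_label`, `is_ldh_label` and `is_idn` are chosen here rather than taken from any library.

```python
# Added example (not the glossary's or ICANN's code): RFC 3492 Punycode encoder plus A-label / LDH-label helpers.
BASE, TMIN, TMAX, SKEW, DAMP, INITIAL_BIAS, INITIAL_N = 36, 1, 26, 38, 700, 72, 128
ACE_PREFIX = "xn--"  # every A-label stored in the DNS starts with this
DIGITS = "abcdefghijklmnopqrstuvwxyz0123456789"  # base-36 digit values 0-35
def _adapt(delta: int, numpoints: int, first: bool) -> int:
    delta = delta // DAMP if first else delta // 2  # bias adaptation, RFC 3492 section 3.4
    delta += delta // numpoints
    k = 0
    while delta > ((BASE - TMIN) * TMAX) // 2:
        delta //= BASE - TMIN
        k += BASE
    return k + (BASE - TMIN + 1) * delta // (delta + SKEW)
def punycode_encode(label: str) -> str:
    cps = [ord(c) for c in label]
    out = [c for c in label if ord(c) < 128]  # ASCII code points are copied verbatim
    b = h = len(out)
    out += ["-"] if b else []  # delimiter between the ASCII part and the encoded insertions
    n, delta, bias = INITIAL_N, 0, INITIAL_BIAS
    while h < len(cps):
        m = min(cp for cp in cps if cp >= n)  # next non-ASCII code point to insert
        delta += (m - n) * (h + 1)
        n = m
        for cp in cps:
            if cp < n:
                delta += 1
            elif cp == n:  # emit delta as a variable-length base-36 integer
                q, k = delta, BASE
                while True:
                    t = TMIN if k <= bias else TMAX if k >= bias + TMAX else k - bias
                    if q < t:
                        break
                    out.append(DIGITS[t + (q - t) % (BASE - t)])
                    q, k = (q - t) // (BASE - t), k + BASE
                out.append(DIGITS[q])
                bias = _adapt(delta, h + 1, h == b)
                delta, h = 0, h + 1
        delta, n = delta + 1, n + 1
    return "".join(out)
def to_a_label(label: str) -> str:
    """U-label -> A-label; an ASCII (LDH) label is already in DNS form and is returned as-is."""
    return label if label.isascii() else ACE_PREFIX + punycode_encode(label)
def is_ldh_label(label: str) -> bool:
    """Hostname rule: only a-z, A-Z, 0-9 and '-', 1..63 octets, no hyphen at either end."""
    return (1 <= len(label) <= 63 and label.isascii() and label.strip("-") == label
            and all(c.isalnum() or c == "-" for c in label))
def is_idn(name: str) -> bool:
    """A domain name is an IDN if any of its labels is, or encodes to, an A-label."""
    return any(to_a_label(lbl).lower().startswith(ACE_PREFIX) for lbl in name.split("."))
```

Running `to_a_label("परीका")` reproduces the entry's A-label, and `is_idn("icann.org")` is false because every label is an LDH label.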