
Minutes – Board Risk Committee (BRC) Meeting

BRC Attendees: Rafael Lito Ibarra, Akinori Maemura, Ram Mohan (Co-Chair), Kaveh Ranjbar, and Mike Silber (Co-Chair).

BRC Member Apologies: Maarten Botterman and Jonne Soininen.

Other Board Member Attendees: Khaled Koubaa and George Sadowsky.

Invited Observers: Sarah Deutsch, Avri Doria, and Matthew Shears.

ICANN Organization Attendees: Susanna Bennett (SVP & Chief Operating Officer), Xavier Calvez (SVP & Chief Financial Officer), James Caulfield (VP, Enterprise Risk Management), Simon Garside (VP, Security Operations), Vinciane Koenigsfeld (Board Training & Content Senior Manager), Ashwin Rangan (SVP Engineering & Chief Information Officer), and Amy Stathos (Deputy General Counsel).

The following is a summary of discussions, actions taken and actions identified:

  1. BRC 2018 Work Plan – The BRC reviewed the draft work plan for the Committee for FY18. The Committee discussed whether there is a need for a more frequent cadence for assessing and tracking external risks such as cybersecurity and IT-related risks. The BRC asked ICANN organization to re-evaluate the frequency with which the list of risks is refreshed, and to align the frequency of risk reporting to the Committee with the frequency of that refresh. The BRC decided to re-evaluate and approve the work plan via email after the plan has been updated. The BRC also asked ICANN organization to re-evaluate the frequency of the Risk survey, which is currently performed annually. The BRC also noted that the Chairs of the BRC and the Board Technical Committee should engage with each other to coordinate what the two committees are asking ICANN organization to do, as there is a possibility of overlap between them.

    • Actions:

      • ICANN organization to re-evaluate the frequency with which the list of risks is refreshed, to align the frequency of risk reporting to the BRC with that refresh frequency, and to provide an updated work plan as required to the BRC within a few weeks via email.
      • ICANN organization to re-evaluate the frequency of the Risk survey and its reporting to the BRC, and to update the work plan accordingly.
  2. Cybersecurity – Information Update – The BRC received a briefing on cybersecurity from ICANN organization's Sr. VP Engineering & Chief Information Officer.

    ICANN organization is in its fourth year of using the CIS 20 framework to assess activities that shore up and improve the cybersecurity stance of the organization. The CIS 20 framework assesses 20 different factors and controls. Each factor can be scored from a null, which means there is no evidence of any mitigation, to a ten, where the controls are effective, measurable, and repeatable. ICANN organization has made significant progress year over year, increasing its score across all factors, while noting that getting to a ten is prohibitively expensive.

    Since the CIS 20 framework has been around, it has periodically undergone revisions in which either one of the 20 factors used in the framework is changed or the scaling of a factor itself changes. Two years ago there was a revision to the scaling, and another revision to the framework is expected this year. When the revision happened two years ago, ICANN organization invited a third-party company renowned for its cybersecurity work to conduct an audit. While ICANN organization has been maturing nicely on the CIS 20 framework, it is also considering other cybersecurity frameworks such as NIST and ISO.

    This fiscal year, ICANN organization is planning to map its current state against the NIST framework. Because the auditors who conduct the audit are different each year and the framework continuously evolves, ICANN organization finds that it is not necessary to change auditing firms for FY18. ICANN organization will consider moving to a different auditor next year when it moves to the NIST framework. One significant change ICANN organization made internally this year was to reorganize within the engineering and IT function and integrate cybersecurity (which used to be a stand-alone function) with the DNS engineering and networking teams. It was noted that cloud-based security testing is becoming a part of ICANN organization's normal rhythm, as 40 percent of the services utilized at ICANN leverage some aspect of cloud.

Published on 2 November 2017

Domain Name System

Internationalized Domain Name (IDN): IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet "a-z". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European "0-9". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed "ASCII characters" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of "Unicode characters" that provides the basis for IDNs.

The "hostname rule" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen "-". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of "labels" (separated by "dots"). The ASCII form of an IDN label is termed an "A-label". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a "U-label".

The difference may be illustrated with the Hindi word for "test" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of "ASCII compatible encoding" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an "LDH label". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as "", is not an IDN.
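The U-label/A-label distinction and the hostname (LDH) rule described in the glossary entry above, shown as an added example that is not part of these minutes or of ICANN's glossary. It uses Python's built-in "idna" codec for the ACE step; that codec implements IDNA 2003 (nameprep plus Punycode) rather than the IDNA2008 rules ICANN applies, so it illustrates the encoding rather than validating names against ICANN's guidelines. The sample name "bücher.example" is a constructed input; the LDH regular expression and all function names are this example's own.

```python
"""Added example: U-label <-> A-label conversion and the hostname (LDH) rule.

Assumptions (not from the page): Python's "idna" codec (IDNA 2003) is used
for the ACE encoding, and the LDH check below is this example's own
expression of the hostname rule (letters, digits, hyphen; 1-63 octets;
no leading or trailing hyphen).
"""
import re

# Hostname rule: only ASCII letters, digits and the hyphen, with the usual
# length and hyphen-position constraints on a single label.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_ldh_label(label: str) -> bool:
    """True if the label can be stored in the DNS as-is (LDH label)."""
    return bool(LDH_LABEL.match(label))


def to_a_label(label: str) -> str:
    """Return the form stored in the DNS.

    An LDH label is already in DNS form; anything else is treated as a
    U-label and ACE-encoded, which yields the familiar "xn--" prefix.
    """
    if is_ldh_label(label):
        return label
    return label.encode("idna").decode("ascii")


def to_u_label(label: str) -> str:
    """Return the displayable form: decode "xn--" labels, pass others through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def to_dns_name(name: str) -> str:
    """Convert every label of a domain name to its A-label (DNS wire form)."""
    return ".".join(to_a_label(label) for label in name.split("."))


def to_display_name(name: str) -> str:
    """Convert every label of a domain name to its U-label (display form)."""
    return ".".join(to_u_label(label) for label in name.split("."))


def is_idn(name: str) -> bool:
    """A name whose display form is pure ASCII (all LDH labels) is not an IDN.

    A-labels and LDH labels overlap, so the decision is made on the decoded
    U-label form rather than on the wire form.
    """
    return any(not label.isascii() for label in to_display_name(name).split("."))


if __name__ == "__main__":
    sample = "bücher.example"  # constructed sample input
    wire = to_dns_name(sample)
    print(sample, "->", wire, "->", to_display_name(wire), "| IDN:", is_idn(sample))
```

Because the DNS protocol only ever sees A-labels, any logging, allow-listing or comparison of names should be done consistently on one form; mixing the two forms is how a name can slip past a string match.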