
Minutes | Board Risk Committee (BRC) Meeting

BRC Attendees: Rafael Lito Ibarra (Chair), Merike Käo, Akinori Maemura, Kaveh Ranjbar, Matthew Shears, and Nigel Roberts

BRC Member Apologies: Harald Alvestrand

Other Board Member Attendees: León Sánchez

ICANN Organization Attendees: Michelle Bright (Director, Board Operations Content), Xavier Calvez (SVP, Planning and Chief Financial Officer), Franco Carrasco (Board Operations Specialist), James Caulfield (Vice President, Risk Management), Vinciane Koenigsfeld (Director, Board Operations), Elizabeth Le (Associate General Counsel), Terry Manderson (Sr. Director, Security and Network Engineering), Ashwin Rangan (SVP, Engineering & Chief Information Officer) and Amy Stathos (Deputy General Counsel)

The following is a summary of discussions, actions taken and actions identified:

  1. CyberSecurity Update – The Committee received a cybersecurity update from ICANN org, which included updates on annual disaster recovery testing, penetration testing, and incident response tabletop exercises, which are conducted to ensure incident response best practices are followed and that sufficient information security processes and safeguards are in place. The BRC received an update on the Information Security Ambassador Program which allows the Information Security team to cascade information to the org by providing monthly topical updates to representatives for each function within ICANN org, and these representatives would in turn share the information with the members in their function. The BRC also received an update on employee educational training programs including the annual mandatory information security awareness training, regular policy reviews, information security risk assessments, and security audits.
  2. Organization Risk Register Update – The Committee discussed the updates to the Organization Risk Register. The Committee was reminded that many of the Committee's discussions, including the discussion relating to the Organization Risk Register, contain highly sensitive and confidential information. The BRC reviewed the controls and mitigation in place for the updated risks.
  3. Risk Appetite Statement – The Committee received a briefing on a proposal to the Board to adopt the Risk Appetite Statement and reviewed the relevant materials. The Risk Appetite Statement articulates the level of risk which ICANN org is willing to take and retain on a broad level to deliver its mission; fulfils the Risk Management Framework target model as set by the Board; and informs the operations of ICANN organization. The BRC approved a recommendation to the Board to adopt the Risk Appetite Statement.

    • Actions: ICANN org to schedule the presentation of the Board Paper to the Board.
  4. BRC Workplan – The Committee discussed its current workplan, which is on target, and the draft workplan through December 2021. The Committee noted that governance activities are presented more granularly. The Committee further noted that the workplan should be updated to include the Chair of the Audit Committee in a joint meeting of certain committee chairs.

    • Actions: ICANN org to update workplan as discussed. 
  5. Board Risk Workshop Draft Presentation Materials – The Committee reviewed the presentation materials for the upcoming Board Risk Workshop.
  6. BRC Report to the Board – The Committee reviewed a draft of the BRC Report to the Board, which is presented twice a year.
  7. AOB – There were no AOB items discussed.

The Chair then called the meeting to a close.

Published on 21 December 2020
