Minutes | Board Risk Committee (BRC) Meeting

BRC Attendees: Rafael Lito Ibarra (Chair), Merike Käo, Akinori Maemura, Kaveh Ranjbar, and Matthew Shears

BRC Member Apologies: Harald Alvestrand and Nigel Roberts

Other Board Member Attendees: Avri Doria, Manal Ismail, Danko Jevtović, and Patricio Poblete

ICANN Organization Attendees: Xavier Calvez (SVP, Planning and Chief Financial Officer), Franco Carrasco (Board Operations Specialist), James Caulfield (Vice President, Risk Management), Elizabeth Le (Associate General Counsel), Terry Manderson (Sr. Director, Network Engineering & Security), Ashwin Rangan (SVP, Engineering and Chief Information Officer), and Amy Stathos (Deputy General Counsel)

The following is a summary of discussions, actions taken and actions identified:

  1. Information Security Update – The Committee received an update from ICANN org Information Security (InfoSec) Programs in place, which included updates on the InfoSec Ambassador Program, Computer Security Incident Response Team (CSIRT) processes, device management, penetration testing, tabletop exercises, automated systems for auditing and reporting, and the NIST cybersecurity framework. ICANN org's InfoSec Ambassador Program was started in the third quarter of 2018 and allows the InfoSec team to provide monthly topical updates to representatives of each function within ICANN org, and these representatives would in turn share the information with the members in their function. ICANN org's CSIRT processes are quite mature, with well-established playbooks and full engagement from all business owners including communications, legal, information security and physical security. ICANN org's penetration testing allows a third-party organization, and sometimes internal team members, to attempt to compromise ICANN. Every year, ICANN org's managed root server team conducts a tabletop exercise to prepare for potential security attacks against the root server. Every two years, ICANN org performs a tabletop exercise for IANA as part of the audit process. Every three to four years, ICANN org looks at all of the E&IT function teams. Each tabletop exercise generates a report and a set of recommendations that feed into security process improvements. ICANN org is currently using the NIST cybersecurity framework, which has integrated exceptionally well with ICANN org. NIST has allowed ICANN org to: (i) think more critically about how the organization works and where InfoSec concerns should be addressed; (ii) better identify the pathway to align InfoSec-related strategic objectives with ICANN org's E&IT objectives; and (iii) produce a foundational strategy and alignment with governance and societal responsibility with broader strategic planning and objectives, especially related to ICANN org itself. The BRC agreed that the full Board should receive a brief summary of the InfoSec Update.
  2. Workshop Agenda and Materials – The Committee discussed the agenda for the upcoming Board Risk Workshop, which will include, among other things, an information security update, an overview of the risk progression model and target model, risk management framework, risk identification process, risk register and risk appetite statement.
  3. BRC Report to the Board – The Committee discussed the upcoming BRC Report to the Board and agreed to focus on the BRC activities and updates to the Risk Register.  
  4. AOB – Members of the Risk Committee and ICANN org thanked the outgoing Chair for his years of leadership and wished him the best of luck in his future endeavors.

The Chair then called the meeting to a close.

Published on 26 October 2021
