Today, the ICANN organization published our Cybersecurity Transparency Guidelines [PDF, 17 KB], which reaffirm our commitment to a high standard of openness and transparency concerning the security of the systems and services we operate.
Late last year, we identified the need to fill a gap in how we ensure that the ICANN org’s internal guidelines and processes meet the community’s expectations for transparency around information technology (IT) security.
In general, we will disclose major security vulnerabilities and resulting incidents that cause significant risk to the security of ICANN’s systems, or to the rights and interests of data subjects, or otherwise require disclosure under applicable legal requirements, in a cybersecurity incident log. The log will include incidents, the ICANN org’s response, and impact.
Obviously, security incidents deserve appropriate and thorough investigation. In the context of our desire to notify our community, our initial goal is to deliver these notifications within 60 days after we become aware of an incident, with an eventual target of 30 days.
If you have any questions or feedback, please email me directly at terry.manderson@icann.org.