Minutes | Board Risk Committee (RC) Meeting | 16 April 2015
Posted 19 June 2015
RC Attendees: Rinalia Abdul Rahim, Ram Mohan – Co-Chair, Mike Silber – Co-Chair, Suzanne Woolf, and Kuo-Wei Wu
RC Member Apologies: Jonne Soininen
Executive and Staff Attendees: Akram Atallah (President, Global Domains Division), Susanna Bennett (Chief Operating Officer), Dan Halloran (Deputy General Counsel), John Jeffrey (General Counsel and Secretary), Jacks Khawaja (Enterprise Risk Director), Elizabeth Le (Senior Counsel), Wendy Profit (Board Support Specialist), Ashwin Rangan (Chief Innovation and Information Officer), and Amy Stathos (Deputy General Counsel)
The following is a summary of discussions, actions taken, and actions identified:
- Assessment of Digital Services/Expenses – Staff presented an overview of the 2014 analysis of ICANN's digital security conducted by an external expert firm, the security measures that have already been implemented, and the areas of focus recommended in order to strengthen ICANN's digital security—the first of which is an in-depth assessment of ICANN's software platforms. Staff explained that ICANN delivers a portfolio of 85 digital services for the benefit of its served communities. These services have been developed and placed in service over the last 15 years, utilizing 10+ different software platforms. ICANN needs to obtain a comprehensive review and assessment of these software platforms by external subject matter experts with specific technical expertise for each type of platform. This exercise was not budgeted for FY15, but it is important to begin the process before the start of FY16. Staff further explained that there are sufficient funds in the FY15 contingency fund to cover the cost of the recommended assessments. The RC discussed the matter and agreed to recommend that the Board delegate to the President and CEO, or his designee(s), the authority to take all necessary actions to obtain a comprehensive assessment of all software platforms in use at ICANN for delivering digital services.
- Long Term View: Ensuring Data Security at ICANN – Staff provided an overview of the types of digital services that ICANN provides, the sensitivity of the data gathered and stored by such services, short-term plans to better secure the data, and longer-term plans to safeguard the data. The short-term plans include the 16 projects currently underway in the infrastructure zone and the in-depth assessments of ICANN's software platforms (discussed above). Longer-term plans to increase IT security combine technology with people and processes. Such plans include, for example, mandatory security training, integrated industry-standard testing and QA approaches, network monitoring, a formal IT Steering Committee (ITSC), Computer Incident Response Team (CIRT) reviews, and annual audits by external expert parties. In order to ensure and monitor progress on these longer-term plans, the RC agreed to recommend to the Board, as part of its recommendation regarding the software platform assessments (noted above), that the Board direct the President and CEO, or his designee(s), to provide regular updates to the RC on the progress of the long-term plan to ensure that systems design and systems architecture are integrated into standard ICANN processes, and that security considerations occupy an essential role in corporate decision making.
- Data-Sharing Configuration in GDD Portals – Staff provided an overview of the services related to the Salesforce.com software platform, including the Applicant Portal and the Registries Portal (the GDD Portals), and the incident reported in February 2015 regarding the data-sharing database configuration. The GDD Portals were taken off-line for approximately three days to modify the database configuration and rectify the issue. Staff further explained the subsequent measures implemented in order to investigate the situation and mitigate against such circumstances in the future.