Minutes | Meeting of the Risk Committee of the Board (BRC) | 30 November 2022
BRC Attendees: Harald Alvestrand (Chair), Chris Chapman, James Galvin, Wes Hardaker, Christian Kaufmann, Patricio Poblete, and Matthew Shears
Other Board Member Attendees: Manal Ismail and Katrina Sataki
ICANN Organization Attendees: Xavier Calvez (SVP, Planning and Chief Financial Officer), Franco Carrasco (Board Operations Specialist), James Caulfield (Vice President, Risk Management), John Crain (SVP, Chief Technical Officer), John Jeffrey (General Counsel and Secretary), Elizabeth Le (Associate General Counsel), Terry Manderson (VP, Information Security and Network Engineering), Ashwin Rangan (SVP, Engineering and Chief Information Officer), Simon Raveh (VP, Software Engineering), and Amy Stathos (Deputy General Counsel)
The following is a summary of discussions, actions taken, and actions identified:
- Introduction and Opening Remarks – The Chair opened the meeting and introduced the agenda. He noted that the Board Risk Workshop agenda item had been completed and thus did not need to be discussed. The Chair further noted that he would like to discuss, under Any Other Business, an example of a risk process being executed on a risk in the org Risk Register.
- Information Security (InfoSec) Update – The Committee received its annual update regarding ICANN org's InfoSec Programs in place, which included updates on the Computer Security Incident Response Team (CSIRT) processes, device management, penetration testing, tabletop exercises, automated systems for auditing and reporting, and the National Institute for Standards and Technologies (NIST) cybersecurity framework. The org reported that ICANN org's CSIRT processes are quite mature, with well-established playbooks and full engagement from all business owners, including communications, legal, information security, and physical security. Per the presentation, ICANN org's penetration testing allows a third-party organization, and sometimes internal team members, to attempt to compromise ICANN. ICANN org's managed root server team frequently conducts a tabletop exercise to prepare for potential security attacks against the root server. ICANN org also frequently performs a tabletop exercise for IANA as part of the audit process. The org reported that each tabletop exercise generates a report and potentially a set of recommendations that feed into security process enhancements or improvements. The Committee discussed that ICANN org is currently using the NIST cybersecurity framework, which has integrated exceptionally well with ICANN org. The BRC further discussed that vendors undergo an information security evaluation as part of the procurement and onboarding processes. The BRC also discussed the escalation path for cybersecurity incidents, which includes the Crisis Management Team and CSIRT processes. ICANN org reported that there is a planned assessment of the NIST Cybersecurity Framework (CSF) by external consultants in 2023, and that the org will report the assessment results to the Committee once completed.
ICANN org noted that it will include more information regarding how external vendors factor into the org's overall information security profile and how ICANN org manages supply chains as part of the next InfoSec briefing to the BRC.
- Action: ICANN org to provide a report on the independent assessment of the NIST CSF once the assessment has been completed.
- Action: ICANN org to include additional information on how external vendors factor into the org's overall information security profile and how the org manages supply chains as part of the next InfoSec update to the Committee.
- Existential Threat Monitoring – The BRC received a briefing on the existential threat monitoring process. The org reported that existential threat monitoring is integrated into ICANN's risk identification process. The BRC discussed that the potential existential risks the org monitors include geopolitical initiatives, legal matters, and attacks on the root server system or other zones administered by ICANN. The BRC received a briefing on the list of existential threats currently being monitored by the org and the risks associated with those threats. The risk ratings and mitigation plans for these threats are identified in the Risk Register.
- Report to ICANN Board from the BRC – The BRC agreed to provide its feedback on the draft Report to the Board through email before the Report is finalized for presentation to the Board in December.
- Action: BRC members to provide feedback on the draft Report to the Board by email.
- Any Other Business – There was insufficient time to discuss the AOB item mentioned under the first agenda item, so it was deferred to a later meeting.