
30(a) Security Policy: Summary of the security policy for the proposed registry

gTLD: .gmbh
Full Legal Name: TLDDOT GmbH
E-mail suffix: dotgmbh.de
Registry Policy Framework

The Information Security Management System (ISMS) was developed in accordance with the international standard ISO 27001, and the registry backend operator is currently on the ISO 27001 certification path for the ISMS, to be completed before launching the registry. For the secondary datacenter in Salzburg the certification will be completed in 2012; the primary datacenter in Vienna is already certified. Please find the ISO 27001 certification document in attachment 30a-06.

Registry Back-end Operator Security Organization

The role of the Chief Information Security Officer (CISO) is defined in the organization operating the registry back-end, and is staffed with an FTE. This person is responsible for the setup, operation and continuous improvement of the Information Security Management System and Business Continuity Management System.

In the organization chart the CISO is located directly below senior management. This role is independent of operational management and directly reports to the upper management of the registry backend operator who in turn reports to the registry operator’s management. The CISO advises the management on all security related issues.

Information Security Management System (ISMS)

The ISO 27001 based ISMS supports and facilitates management in achieving the goals defined in the Corporate Security Policy and Security Standard. As shown in diagram Q30a-1, the ISMS implements the Deming cycle (plan-do-check-act) for security concerns, as referred to in ISO 27001.

The Security Policy Framework and Security Standard have a review cycle of a maximum of 1 year. The CISO is responsible for adhering to this review cycle.

Business Continuity Management System (BCMS)

Please find further details on BCMS in response to question 39.

Corporate Security Policy

The Corporate Security Policy is understood as the commitment by upper management to support and maintain information and IT security.

The main items are:

The overall goal of these activities is to prevent security incidents and to minimize their impact.
Prevention before damage reduction; personal responsibility and awareness before surveillance of employees.
Information security and IT security are important quality metrics for the registry.
Information security and IT security are core competences of the registry.
Safeguarding the integrity and availability of the gTLD's Domain Name System.
Minimizing any potential damage in the event of a security incident.

Corporate Security Standard

The Corporate Security Standard, based on ISO 27001, defines the areas of responsibility for information and IT security:

IT Risk Management
Continuous Improvement Process
Audit Management
IT Asset Management
Information Classification and Processing
IT Change Management
Identity and Access Management
Personnel Management
Security Incident Management
IT Project Management
IT Patch and Update Management
Backup and Recovery
Logging and Monitoring
Spam and Antivirus
Mobile Devices
Media Disposal
Network Security
Physical Security
External Suppliers

These areas will be discussed in more detail in the following sections.

IT Risk Management

Diagram Q30a-2 describes the risk management process in use at the registry.

Risks are evaluated against four impact categories:

Finance: assesses any potential financial impact on the registry.
Operating Tasks: assesses the influence on the main business processes or tasks of the registry.
Corporate Image: assesses the effects of reputational damage or loss of trust in the registry.
Compliance: assesses impact of contractual or legal damages.

The risks are evaluated and categorized into the following severity levels:

Critical
High
Medium
Low

The risks are further measured by their estimated frequency of occurrence:

Very high probability: 1 per month or more frequently
High probability: 1 per year
Possible: every 10 years
Highly unlikely: every 100 years
Impossible: risk is not relevant (for example avalanches in Vienna)

The risk assessment is performed using the Delphi technique and involves management, the CISO and the head of IT. Within each category the worst cases are rated as the most important ones.

Aspects of risk management are also applied to vulnerability management.

ISO 27001 domains (control number and name):
6 Organization of information security
6.1 Internal organization
6.2 External parties
12 Information systems acquisition, development and maintenance
12.6 Technical vulnerability management

Continuous Improvement Process

The continuous improvement process is risk-management oriented and is shown in Figure Q30a-3 (Continuous Improvement Process).

Regular organizational meetings are set up to trigger the process:

IT security update:
** Participants: Head of IT, CISO
** Topics: Operational tasks
** Frequency: At least every 2 weeks
Security jour fixe:
** Participants: CTO, CISO, optional head of IT
** Topics: Planning, monitoring of projects, tasks, countermeasures
** Frequency: At least every month
Management security jour fixe:
** Participants: CEO, CTO, CISO, optional head of IT
** Topics: Risk management, large scale management decisions

The management review has to take place at least once per year or as needed in the event that a potential risk arises.

Audit Management

The planning of all audit work including technical audits such as penetration tests and vulnerability scans is managed by the CISO.

Different kinds of technical security audits are carried out:

On a regular basis:
** Vulnerability scans on systems at operating system level to identify problems in patch management or configuration processes
** Penetration tests are executed by third party security consultants to identify design issues, organizational deficits or other security issues. The focus of the penetration tests is varied every year.
** Web vulnerability scans (OWASP Top 10) are performed against all internal and external websites
Prior to the launch of a new system:
** Penetration testing of all business critical system elements
** Vulnerability scans on the system at an operating system level
** Web vulnerability scan (if the system is web-based)

ISO 27001 domains (control number and name):
6 Organization of information security
6.1 Internal organization
6.2 External parties
15 Compliance
15.1 Compliance with legal requirements
15.2 Compliance with security policies and standards, and technical compliance
15.3 Information systems audit considerations

IT Asset Management

All assets and their lifecycles are fully documented. Assets are categorized as follows:

Physical assets
Software assets
Information assets

ISO 27001 domains (control number and name):
7 Asset Management
7.1 Responsibility for assets
7.2 Information classification
8 Human resource security
8.3 Termination or change of employment

Information Classification

All information is classified into the following categories:

Public: For example data on public websites
Internal: For example general company information
Confidential: For example annual business reports before publication
Highly confidential: For example person specific data, penetration testing reports

The data classification policy defines how to store, transmit and share these different kinds of information.

ISO 27001 domains (control number and name):
7 Asset management
7.1 Responsibility for assets
7.2 Information classification
10 Communications and operations management
10.7 Media handling
10.8 Exchange of information
12 Information systems acquisition, development and maintenance
12.3 Cryptographic controls
15 Compliance
15.1 Compliance with legal requirements

IT Change Management

IT change management ensures that all modifications to IT systems are reproducible, fulfill the organizational needs and are documented. Changes are categorized into the following groups:

Changes without approval
** Below low risk
** Implemented within 1 week
Standard change
** Low risk
** Implemented within 1 month
Emergency change
** If availability of a service is dependent on a specific change
** Has to be done as soon as possible
** Can’t be scheduled any more
** Escalation to management is required

ISO 27001 domains (control number and name):
10 Communications and operations management
10.1 Operational procedures and responsibilities
12 Information systems acquisition, development and maintenance
12.6 Security in development and support processes

Identity and Access Management

All user rights are based on the “least privilege” and “need to know” principle. Roles are used to group the relevant user permissions where appropriate.

User accounts are personal accounts meaning that they identify one specific person. Group or role accounts are non-standard and have to be approved in writing by the CISO.

Administrative accounts have to be approved by the head of IT in writing. Stronger policies apply to them, for example stricter password policies.

External accounts (for third parties) also need written approval by the CISO. These types of accounts are deactivated after 30 days.

External administrative accounts need written approval by the head of IT and the CISO. Such accounts are subject to increased monitoring and logging. These types of accounts are also deactivated after 30 days by default.

If an employee leaves the company, his/her account is deactivated immediately.

Inactive accounts are deleted after 60 days.

At least once a year there is a review of the accounts structure and user rights permissions performed by analyzing a sample of accounts.
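As an added example (not the registry operator's own code), the following Python applies the account rules stated in this section to a constructed account inventory: the 30-day expiry of external accounts, the 60-day deletion of inactive accounts, immediate deactivation of leavers, and the written-approval requirements for group, administrative and external accounts. The account records, field names, approver tags and the reading of "inactive" as "no login" are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Retention rules as stated in the policy summary.
EXTERNAL_DEACTIVATE_AFTER = timedelta(days=30)  # external accounts expire by default
INACTIVE_DELETE_AFTER = timedelta(days=60)      # inactive accounts are deleted

# Written approvals each account type requires before it may exist.
# The account-type and approver tags are constructed for this example.
REQUIRED_APPROVALS = {
    "user": frozenset(),
    "admin": frozenset({"head_of_it"}),
    "group": frozenset({"ciso"}),
    "external": frozenset({"ciso"}),
    "external_admin": frozenset({"head_of_it", "ciso"}),
}


@dataclass
class Account:
    name: str
    kind: str                    # one of the REQUIRED_APPROVALS keys
    created: date
    last_login: Optional[date]   # None if the account was never used
    left_company: bool = False   # set by the HR exit checklist
    active: bool = True
    approvals: frozenset = frozenset()   # approver tags recorded in writing


def approval_findings(acct: Account) -> List[str]:
    """Report approvals the policy requires but which are not on record."""
    missing = REQUIRED_APPROVALS[acct.kind] - acct.approvals
    return [f"missing written approval by {who}" for who in sorted(missing)]


def lifecycle_action(acct: Account, today: date) -> str:
    """Decide 'delete', 'deactivate' or 'keep' for one account as of `today`.

    Assumption: 'inactive' means no login; an account that was never used
    counts as inactive since its creation date.
    """
    last_seen = acct.last_login or acct.created
    if today - last_seen >= INACTIVE_DELETE_AFTER:
        return "delete"                       # inactive accounts deleted after 60 days
    if acct.left_company and acct.active:
        return "deactivate"                   # leavers deactivated immediately
    if acct.kind in ("external", "external_admin") and acct.active \
            and today - acct.created >= EXTERNAL_DEACTIVATE_AFTER:
        return "deactivate"                   # external accounts expire after 30 days
    return "keep"


def review(accounts: List[Account], today: date) -> Dict[str, Tuple[str, List[str]]]:
    """Run the lifecycle and approval checks over an account inventory."""
    return {a.name: (lifecycle_action(a, today), approval_findings(a)) for a in accounts}


# Constructed review date and inventory (not real accounts) exercising each rule.
SAMPLE_TODAY = date(2012, 3, 1)


def sample_accounts() -> List[Account]:
    return [
        Account("jdoe", "user", date(2011, 1, 10), date(2012, 2, 28)),
        Account("alice-adm", "admin", date(2011, 9, 1), date(2012, 3, 1),
                approvals=frozenset({"head_of_it"})),
        Account("root-shared", "group", date(2011, 6, 1), date(2012, 2, 25)),
        Account("consultant1", "external", date(2012, 1, 15), date(2012, 2, 20),
                approvals=frozenset({"ciso"})),
        Account("vendor-admin", "external_admin", date(2012, 2, 20), None,
                approvals=frozenset({"head_of_it"})),
        Account("msmith", "user", date(2010, 5, 1), date(2012, 2, 27), left_company=True),
        Account("oldsvc", "user", date(2011, 1, 1), date(2011, 11, 15)),
    ]


if __name__ == "__main__":
    for name, (action, findings) in review(sample_accounts(), SAMPLE_TODAY).items():
        print(f"{name:14} {action:10} {'; '.join(findings) or 'ok'}")
```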

ISO 27001 domains (control number and name):
11 Access controls
11.1 Business requirement for access control
11.2 User access management
11.3 User responsibility
11.5 Operating system access control
11.6 Application and information access control

Personnel Management

Checklists exist for employee entry and exit activities. Every new employee is added to these lists and registered. All new employees have to prove that they have not been previously prosecuted and do not have a criminal record, i.e. that there are no relevant entries in their police record extract (Strafregisterauszug). Every employee must attend a security awareness course.

Background checks for security personnel

All Computer Emergency Response Team (CERT) members and the CISO are background security checked by the Federal Ministry of Interior (§55 Sicherheitspolizeigesetz).

ISO 27001 domains (control number and name):
8 Human resource security
8.1 Prior to employment
8.2 During employment
8.3 Termination or change of employment

Security Incident Management

A sister company of the registry backend operator also operates a CERT. This team consists of one Junior Security Analyst and a minimum of five Senior Security Analysts with at least 5 and up to 15 years' experience in IT security.

This team also operates the national CERT for the Republic of Austria (CERT.at) and, together with the Federal Chancellery of the Republic of Austria, the Austrian Government CERT (GovCERT Austria). It is internationally accredited as a member of the Forum of Incident Response and Security Teams (FIRST) and as a Trusted Introducer. Through these memberships the registry has built an excellent formal and informal information network. As a result the registry is well prepared for the prevention of and response to security incidents.

The Security Incident Management Process is described in Figure Q30a-4.

Classification for the triage of security incidents

Urgency:

Immediate: Reaction within 1h, invoke crisis organization if necessary
Soon: Reaction within 8h or on the next business day
Normal: Equivalent to a systems change, defined by change management procedures

Impacts:

Critical
High
Medium
Low

ISO 27001 domains (control number and name):
13 Information security incident management
13.1 Reporting information security events and weaknesses
13.2 Management of information security incidents and improvements

IT Project Management

A specific project management methodology has been defined.

ISO 27001 domains (control number and name):
6 Organization of information security
6.2 Internal organization
10 Communications and operations management
10.1 Operational procedures and responsibilities
10.3 System planning and acceptance
12 Information systems acquisition, development and maintenance
12.1 Security requirements of information systems
12.5 Security in development and support processes

IT Patch and Update Management

A formal vulnerability and patch management process has been defined, shown in Figure Q30a-5 (Vulnerability Management).

Patches are classified as:

Critical (remediation within hours)
Non critical (remediation by the next patch day)

All patches are fully tested prior to being deployed.

The effectiveness of the patching process is audited by vulnerability scans and by matching the actual software inventory with vulnerability databases.

Reports are discussed on a regular basis by management in order to guarantee continuous improvement.

ISO 27001 domains (control number and name):
10 Communications and operations management
10.1 Operational procedures and responsibilities
12 Information systems acquisition, development and maintenance
12.5 Security in development and support processes
12.6 Technical Vulnerability Management

Backup and Recovery

A full backup and recovery framework is in place. For details see the answer to question 37.

ISO 27001 domains (control number and name):
10 Communications and operations management
10.5 Back Up
15 Compliance
15.1 Compliance with legal requirements

Logging and Monitoring

A logging and monitoring solution is in operation to identify malicious activities and unauthorized access. All authorized access is also logged.

All servers and systems are time synced using the Network Time Protocol (NTP).

The level of logging detail depends on:

The expected risks
The requirements of the business processes
The requirements for data integrity and confidentiality

The minimum logged details are:

User ID
Date and time
Type of access
Software
Unauthorized access
** Failed actions
Administrator actions
** System start and stop
** Change of system configuration
** Activation and de-activation of security components
Security component alarms
Error log
Security log, for example from anti-virus software

All relevant systems of the gTLD registry are monitored by a host-based intrusion detection system (HIDS). All events are logged on a central device.

The HIDS provides:

Host integrity checks
File integrity checks
Port monitoring
Monitoring of programs using specific ports
Process checks
Login/logoff monitoring

The HIDS and the other log sources are integrated into a central monitoring tool. This tool can trigger actions on defined events.

Analysis of logging and monitoring information is performed continuously to detect security incidents and performed as needed in the event of a security incident.

ISO 27001 domains (control number and name):
10 Communications and operations management
10.2 Third party service delivery management
10.10 Monitoring
15 Compliance
15.1 Compliance with legal requirements

Spam and Antivirus

All office systems are protected by anti-malware software. Servers for which real-time protection is not possible are scanned on a regular basis.

ISO 27001 domains (control number and name):
10 Communications and operations management
10.4 Protection against malicious and mobile code
10.6 Network security management
13 Information security incident management
13.1 Reporting information security events and weaknesses

Mobile Devices

All smartphones and mobile devices (for example notebooks) must use full hard disk encryption if technically possible. If possible it should be combined with remote wipe functionality.

The current standard for smartphones is BlackBerry devices managed under a corporate policy.

Every loss of a device has to be reported to the IT department as soon as possible.

ISO 27001 domains (control number and name):
7 Asset management
7.1 Responsibility for assets
11 Access control
11.7 Mobile computing and teleworking

Media Disposal

Information in paper form must be shredded if it is classified as confidential or higher.

Hard disk drives (HDD) and other storage media are deleted or destroyed in conformance with policy requirements.

For example:

Overwrite HDDs multiple times with random data
Shred CDs

Media disposal policies apply to all relevant devices, e.g. including HDDs built into printers or other media devices.

ISO 27001 domains (control number and name):
9 Physical and environmental security
9.2 Equipment security
10 Communications and operations management
10.7 Media handling

Network Security

Integrity, confidentiality and availability are treated as essential aspects of our network design.

Integrity, confidentiality:

Encryption on network layers between:
** Data centers
** Offices and data centers

Availability

Redundant physical paths via multiple carriers

Access to the network itself is restricted by means of security zone definitions, for example no direct connection is available to the corporate network from visitor meeting rooms etc.

All controls are audited on a regular basis, for example by penetration tests.

ISO 27001 domains (control number and name):
10 Communications and operations management
10.6 Network security management
11 Access control
11.4 Network Access Control
12 Information systems acquisition, development and maintenance
12.3 Cryptographic controls

Physical Security

The physical security risks are re-evaluated on an annual basis.

The gTLD systems themselves are operated in two different data centers with state-of-the-art security provisions in place, e.g. heavily restricted access to the data center and locked racks.

For details see answer to question 39.

ISO 27001 domains (control number and name):
9 Physical and environmental security
9.1 Secure areas
9.2 Equipment security

External Suppliers

For external suppliers either the same restrictions as those for internal personnel or further restrictions are applied.

ISO 27001 domains (control number and name):
6 Organization of information security
6.2 External parties
10 Communications and operations management
10.2 Third party service delivery management

gTLD: .berlin
Full Legal Name: dotBERLIN GmbH & Co. KG
E-mail suffix: dotberlin.de
Registry Policy Framework: identical to the text submitted for .gmbh above.
Registry Policy Framework

The Information Security Management System was developed in accordance with the international standard ISO 27001 and the registry backend operator is currently on the ISO 27001 certification path for the Information Security Management System (ISMS) to be completed before launching the registry. For the secondary datacenter in Salzburg the certification will be completed in 2012 and the primary datacenter in Vienna is already certified – please find ISO 27001 certification document in attachment 30a-06.

Registry Back-end Operator Security Organization

The role of the Chief Information Security Officer (CISO) is defined in the organization operating the registry back-end, and is staffed with an FTE. This person is responsible for the setup, operation and continuous improvement of the Information Security Management System and Business Continuity Management System.

In the organization chart the CISO is located directly below senior management. This role is independent of operational management and directly reports to the upper management of the registry backend operator who in turn reports to the registry operator’s management. The CISO advises the management on all security related issues.

Information Security Management System (ISMS):

The ISO 27001 based ISMS supports and facilitates management in achieving the goals defined in the Corporate Security Policy and Security Standard. The ISMS as shown in diagram Q30a-1 provides the Deming - cycle (plan-do-check-act) in security concerns as referred to in ISO 27001.

The Security Policy Framework and Security Standard have a review cycle of a maximum of 1 year. The CISO is responsible for adhering to this review cycle.

Business Continuity Management System (BCMS)

Please find further details on BCMS in response to question 39.

Corporate Security Policy

The Corporate Security Policy is understood as the commitment by upper management to support and maintain information and IT security.

The main items are:

The overall goal of these activities is to prevent security incidents and to minimize their impact.
Prevention before damage reduction; personal responsibility and awareness before surveillance of employees.
Information security and IT security are important quality metrics for the registry.
Information security and IT security are core competences of the registry.
Safeguarding the integrity and availability of the gTLDs Domain Name System
In the event of a Security incident to minimize any potential damage.

Corporate Security Standard

The Corporate Security Standard, based on ISO 27001, defines the areas of responsibility for information – and IT security:

IT Risk Management
Continuous Improvement Process
Audit Management
IT Asset Management
Information Classification and Processing
IT Change Management
Identity and Access Management
Personal Management
Security Incident Management
IT Project Management
IT Patch and Update Management
Backup and Recovery
Logging and Monitoring
Spam and Antivirus
Mobile Devices
Media Disposal
Network Security
Physical Security
External Suppliers

These areas will be discussed in more detail in the following sections.

IT Risk Management

Diagram Q30a-2 describes the risk management process in use at the registry.

The evaluation of risks is performed according to 4 different category types:

Finance: assesses any potential financial impact on the registry.
Operating Tasks: assesses the influence on the main business processes or tasks of the registry.
Corporate Image: assesses the effects of reputational damage or loss of trust in the registry.
Compliance: assesses impact of contractual or legal damages.

The risks are evaluated and categorized into the following severity levels:

Critical
High
Medium
Low

The risks are further measured by their estimated frequency of occurrence:

Very high probability: 1 per month or more frequently
High probability: 1 per year
Possible: every 10 years
Highly unlikely: every 100 years
Impossible: risk is not relevant (for example avalanches in Vienna)

The risk assessment is performed using the Delphi technique and involves management, the CISO and the head of IT. Within each category the worst cases are rated as the most important ones.

Aspects of risk management are also used for the vulnerability management.

ISO27001
Domain Name
6 Organization of information security
6.1 Internal organization
6.2 External parties
12 Information systems acquisition, development and maintenance
12.6 Technical vulnerability management

Continuous Improvement Process

The continuous improvement process is risk-management oriented, and shown in Figure Q30a - 3: Continuous Improvement process.

Regular organizational meetings are set up to trigger the process:

IT security update:
** Participants: Head of IT, CISO
** Topics: Operational tasks
** Frequency: At least every 2 weeks
Security jour fixe:
** Participants: CTO, CISO, optional head of IT
** Topics: Planning, monitoring of projects, tasks, countermeasures
** Frequency: At least every month
Management security jour fixe:
** Participants: CEO, CTO, CISO, optional head of IT
** Topics: Risk management, large scale management decisions

The management review has to take place at least once per year or as needed in the event that a potential risk arises.

Audit Management

The planning of all audit work including technical audits such as penetration tests and vulnerability scans is managed by the CISO.

Different kinds of technical security audits are accomplished:

Regular basis
** Vulnerability scans on systems at operating system level to identify problems in patch management or configuration processes
** Penetration tests are executed by third party security consultants to identify design issues, organizational deficits or other security issues. The focus of the penetration tests is varied every year.
** Web vulnerability scans (OWASP Top 10) are performed against all internal and external websites
Prior to the launch of a new system:
** Penetration testing of all business critical system elements
** Vulnerability scans on the system at an operating system level
** Web vulnerability scan (if the system is web-based)

ISO27001
Domain Name
6 Organization of information security
6.1 Internal organization
6.2 External parties
15 Compliance
15.1 Compliance with legal requirements
15.2 Compliance with security policies and standards, and technical compliance
15.3 Information systems audit considerations



IT Asset Management

All assets and their lifecycles are fully documented. Assets are categorized as follows:

Physical assets
Software assets
Information assets

ISO27001
Domain Name
7 Asset Management
7.1 Responsibility for assets
7.2 Information classification
8 Human resource security
8.3 Termination or change of employment

Information Classification

All information is classified into the following categories:

Public: For example data on public websites
Internal: For example general company information
Confidential: For example annual business reports before publication
Highly confidential: For example person specific data, penetration testing reports

The data classification policy defines how to store, transmit and share these different kinds of information.

ISO27001
Domain Name
7 Asset management
7.1 Responsibility of assets
7.2 Information classification
10 Communications and operations management
10.7 Media handling
10.8 Exchange of information
12 Information systems acquisition, development and maintenance
12.3 Cryptographic controls
15 Compliance
15.1 Compliance with legal requirements



IT Change Management

IT change management ensures that all modifications to IT systems can be reproduced, fulfill the organizational needs and are documented. Changes are categorized into following groups:

Changes without approval
** Below low risk
** Implemented within 1 week
Standard change
** Low risk
** Implemented within 1 month
Emergency change
** If availability of a service is dependent on a specific change
** Has to be done as soon as possible
** Can’t be scheduled any more
** Escalation to management is required

ISO27001
Domain Name
10 Communications and operations management
10.1 Operational procedures and responsibilities
12 Information systems acquisition, development and maintenance
12.6 Security in development and support processes



Identity and Access Management

All user rights are based on the “least privilege” and “need to know” principle. Roles are used to group the relevant user permissions where appropriate.

User accounts are personal accounts meaning that they identify one specific person. Group or role accounts are non-standard and have to be approved in writing by the CISO.

Administrative accounts have to be approved by the head of IT in writing. There are stronger policies, for example password policies.

External accounts (for third parties) also need written approval by the CISO. These types of accounts are deactivated after 30 days.

External administrative accounts need written approval by the head of IT and the CISO. Such accounts are subject to increased monitoring and logging. These types of accounts are also deactivated after 30 days by default.

If an employee leaves the company, his⁄her account is deactivated immediately.

Inactive accounts are deleted after 60 days.

At least once a year there is a review of the accounts structure and user rights permissions performed by analyzing a sample of accounts.

ISO27001
Domain Name
11 Access controls
11.1 Business requirement for access control
11.2 User access management
11.3 User responsibility
11.5 Operating system access control
11.6 Application and information access control

Personnel Management

Checklists exist for employee entry and exit activities. Every new employee is added to these lists and registered. All new employees have to prove that they have not been previously prosecuted and do not have a criminal record which means that there are no relevant records in the police records (Strafregisterauszug). Every employee must attend a security awareness course.

Background checks for security personnel

All Computer Emergency Response Team (CERT) members and the CISO are background security checked by the Federal Ministry of Interior (§55 Sicherheitspolizeigesetz).

ISO27001
Domain Name
8 Human resource security
8.1 Prior to employment
8.2 During employment
8.3 Termination or change of employment

Security Incident Management

A sister company of the registry backend operator also operates a CERT. This team consists of one Junior Security Analyst and a minimum of five Senior Security Analysts with at least 5 years and up to 15 years experience in IT Security.

This team also operates the national CERT for the Republic of Austria (CERT.at) and together with the Federal Chancellery of the Republic of Austria, the Austrian Government CERT (GovCERT Austria). It is internationally accredited as a Forum of Incident Response Member (FIRST) and a Trusted Introducer. By achieving these memberships the registry has built an excellent formal and informal information network. As a result the registry is well prepared for the prevention of and response to security incidents.

Figure Q30a – 4 the Security Incident Management Process is described.

Classification for the triage of security incidents

Urgency:

Immediate: Reaction within 1h, invoke crisis organization if necessary
Soon: Reaction within 8h or on the next business day
Normal: Equivalent to a systems change, defined by change management procedures

Impacts:

Critical
High
Middle
Low

ISO27001
Domain Name
13 Information security incident management
13.1 Reporting information security events and weaknesses
13.2 Management of information security incidents and improvements



IT Project Management

A specific project management methodology has been defined.

ISO27001
Domain Name
6 Organization of information security
6.2 Internal organization
10 Communications and operations management
10.1 Operational procedures and responsibilities
10.3 System planning and acceptance
12 Information systems acquisition, development and maintenance
12.1 Security requirements of information systems
12.5 Security in development and support processes

IT Patch and Update Management

A formal vulnerability and patch management process has been defined (shown in Figure Q30a - 5: Vulnerability Management).

Patches are classified as:

Critical (remediation within hours)
Non critical (remediation by the next patch day)

All patches are fully tested prior to being deployed.

The effectiveness of the patching process is audited by vulnerability scans and by matching the actual software inventory with vulnerability databases.

Reports are discussed on a regular basis by management in order to guarantee continuous improvement.

ISO27001
Domain Name
10 Communications and operations management
10.1 Operational procedures and responsibilities
12 Information systems acquisition, development and maintenance
12.5 Security in development and support processes
12.6 Technical Vulnerability Management

Backup and Recovery

A full backup and recovery framework is in place. For details see the answer to question 37.

ISO27001
Domain Name
10 Communications and operations management
10.5 Back Up
15 Compliance
15.1 Compliance with legal requirements

Logging and Monitoring

A logging and monitoring solution is in operation to identify malicious activities and unauthorized access. All authorized access is also logged.

All servers and systems are time synced using the Network Time Protocol (NTP).

The level of detail of logging:

Varies with expected risks
Requirements of business processes
Requirements of data integrity and confidentiality

Minimum details are:

User ID
Date and time
Type of access
Software
Unauthorized access
** Failed actions
Administrator actions
** System start and stop
** Change of system configuration
** Activation and de-activation of security components
Security component alarms
Error logs
Security logs, for example from anti-virus software
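The minimum-detail list above, turned into detection logic, as an added example that is not the registry operator's monitoring tool: constructed key=value log lines are checked for the mandatory fields, failed actions are counted per user, and administrator actions are rated, with de-activation of a security component rated highest. The record format, the action names and the 3-failures-in-5-minutes threshold are assumptions.

```python
"""Checking log records against the minimum-detail list and raising alerts
on the events it names. Added example with constructed log lines; the
key=value format, the action names and the failure threshold are
assumptions, not the registry's actual log format."""
from collections import defaultdict
from datetime import datetime, timedelta

REQUIRED = ("ts", "user", "action", "software", "result")   # the minimum details

# Administrator actions the policy requires to be logged, and their rating
ADMIN_ACTIONS = {
    "system_start": "info",
    "system_stop": "warn",
    "config_change": "warn",
    "security_disable": "high",     # de-activation of a security component
    "security_enable": "info",
}
FAILED_THRESHOLD = 3                # assumed: 3 failures from one user ...
FAILED_WINDOW = timedelta(minutes=5)  # ... within 5 minutes

# Constructed sample log; line 7 lacks the user field on purpose
SAMPLE_LOG = """\
ts=2012-05-10T09:00:01Z user=alice action=login software=sshd result=ok
ts=2012-05-10T09:00:05Z user=mallory action=login software=sshd result=denied
ts=2012-05-10T09:00:09Z user=mallory action=login software=sshd result=denied
ts=2012-05-10T09:00:14Z user=mallory action=login software=sshd result=denied
ts=2012-05-10T09:01:00Z user=root action=security_disable software=ossec result=ok
ts=2012-05-10T09:02:00Z user=bob action=config_change software=named result=ok
ts=2012-05-10T09:03:00Z action=login software=sshd result=ok
"""


def parse_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def analyze(log_text: str) -> list:
    """Return (level, line number, message) alerts for the given log text."""
    alerts = []
    failures = defaultdict(list)        # user -> timestamps of recent failures
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        missing = [f for f in REQUIRED if f not in rec]
        if missing:
            # A record without the mandatory fields cannot be attributed; treat
            # it as an alert rather than silently dropping it.
            alerts.append(("high", lineno, "record lacks minimum details: " + ",".join(missing)))
            continue
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if rec["result"] != "ok":
            alerts.append(("warn", lineno, f"failed/unauthorized {rec['action']} by {rec['user']}"))
            window = failures[rec["user"]]
            window.append(ts)
            window[:] = [t for t in window if ts - t <= FAILED_WINDOW]   # drop old entries
            if len(window) >= FAILED_THRESHOLD:
                alerts.append(("high", lineno,
                               f"{len(window)} failures for {rec['user']} within {FAILED_WINDOW}"))
        level = ADMIN_ACTIONS.get(rec["action"])
        if level:
            alerts.append((level, lineno,
                           f"administrator action {rec['action']} by {rec['user']} on {rec['software']}"))
    return alerts


if __name__ == "__main__":
    for level, lineno, msg in analyze(SAMPLE_LOG):
        print(f"{level:5} line {lineno}: {msg}")
```

The rule ordering matters: a record that lacks a mandatory field is reported and skipped, so that a missing user ID cannot make an action disappear from the per-user counters, and the security-component de-activation is rated above ordinary configuration changes because it is typically the first thing an intruder with administrative access does.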

All relevant systems of the gTLD registry are monitored by a host-based intrusion detection system (HIDS). All events are logged on a central log host.

The HIDS provides:

Host integrity checks
File integrity checks
Port monitoring
Identification of programs using specific ports
Process checks
Login/logoff monitoring

The HIDS and the other log sources are integrated into a central monitoring tool, which can trigger alerts on defined events.

Logging and monitoring information is analysed continuously to detect security incidents and, once an incident has been detected, as needed for its investigation.
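The file-integrity part of a HIDS, as an added example that is not the registry operator's HIDS: a baseline of hash, mode and size is taken for every file under a root, the baseline is authenticated with an HMAC, and a later scan is compared against it. The directory tree, its contents and the signing key are constructed inside a temporary directory.

```python
"""File-integrity checking of the kind a HIDS performs. Added example, not
the registry's HIDS; the directory tree it checks and the signing key are
constructed in a temporary directory."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record sha256, permission bits and size for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[str(p.relative_to(root))] = {
                "sha256": file_digest(p),
                "mode": oct(st.st_mode & 0o7777),
                "size": st.st_size,
            }
    return baseline


def sign_baseline(baseline: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form, so a tampered baseline is detectable."""
    canonical = json.dumps(baseline, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_baseline(baseline: dict, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def compare(baseline: dict, current: dict) -> dict:
    """Added, removed and modified paths; a permission change counts as modified."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    key = b"baseline-signing-key (constructed)"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "named.conf").write_text("options { recursion no; };\n")
        (root / "etc" / "shadow").write_text("root:*:15000:0:99999:7:::\n")
        os.chmod(root / "etc" / "shadow", 0o600)
        (root / "bin" / "epp").write_bytes(b"\x7fELF-constructed")
        baseline = build_baseline(root)
        tag = sign_baseline(baseline, key)

        # Simulated changes: config edit, permission loosening, new binary, deletion
        (root / "etc" / "named.conf").write_text("options { recursion yes; };\n")
        os.chmod(root / "etc" / "shadow", 0o644)
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF-constructed-2")
        (root / "bin" / "epp").unlink()

        if not verify_baseline(baseline, key, tag):
            raise RuntimeError("baseline tampered")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline and its key must live off the monitored host, for instance on the central log host named above, otherwise an intruder with root can simply rebuild and re-sign the baseline after planting a file; this is also why the HIDS events are forwarded centrally rather than kept locally.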

ISO27001
Domain Name
10 Communications and operations management
10.2 Third party service delivery management
10.10 Monitoring
15 Compliance
15.1 Compliance with legal requirements

Spam and Antivirus

All office systems are protected by anti-malware software. Servers on which real-time protection is not possible are scanned on a regular basis.

ISO27001
Domain Name
10 Communications and operations management
10.4 Protection against malicious and mobile code
10.6 Network security management
13 Information security incident management
13.1 Reporting information security events and weaknesses

Mobile Devices

All smartphones and mobile devices (for example notebooks) must use full-disk encryption where technically possible, combined with remote wipe functionality where available.

The current standard for smartphones is BlackBerry devices managed under a corporate policy.

Every loss of a device has to be reported to the IT department as soon as possible.

ISO27001
Domain Name
7 Asset management
7.1 Responsibility for assets
11 Access control
11.7 Mobile computing and teleworking

Media Disposal

Information in paper form must be shredded if it is classified as confidential or higher.

Hard disk drives (HDDs) and other storage media are wiped or destroyed in conformance with policy requirements.

For example:

Overwrite HDDs multiple times with random data
Shred CDs

Media disposal policies apply to all relevant devices, including HDDs built into printers and other media devices.
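The multi-pass random overwrite named above, as an added example that is not the registry operator's disposal tooling: the routine overwrites every byte of a file with fresh random data for a given number of passes, forcing each pass to stable storage, and the demo verifies that the original content is no longer readable. It operates on a constructed temporary file rather than a whole device; for a device the same routine would be pointed at the block device node and run with the corresponding privileges.

```python
"""Overwriting stored data with random data before disposal. Added example;
it works on a constructed temporary file, not a device, and is not the
registry's disposal tooling."""
import os
import tempfile


def overwrite_random(path: str, passes: int = 3) -> int:
    """Overwrite every byte of the file `passes` times with fresh random data,
    flushing and fsync-ing after each pass. Returns bytes written per pass."""
    size = os.path.getsize(path)
    chunk = 1 << 20
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())      # do not count the pass until it hits storage
    return size


def demo() -> dict:
    # Constructed confidential content
    secret = b"CONFIDENTIAL registrar credentials (constructed)\n" * 100
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(secret)
    written = overwrite_random(path, passes=3)
    with open(path, "rb") as f:
        after = f.read()
    os.unlink(path)
    return {
        "bytes_per_pass": written,
        "size_unchanged": len(after) == len(secret),
        "secret_gone": b"CONFIDENTIAL" not in after,
    }


if __name__ == "__main__":
    print(demo())
```

The check at the end only proves that the logical contents were replaced. On flash media (SSDs, USB sticks, the storage inside many printers) the controller remaps and wear-levels blocks, so an overwrite through the filesystem or even the block device does not reliably reach every physical cell; for such media the policy's destruction path, or the drive's built-in secure-erase command, is the appropriate choice.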

ISO27001
Domain Name
9 Physical and environmental security
9.2 Equipment security
10 Communications and operations management
10.7 Media handling

Network Security

Integrity, confidentiality and availability are treated as essential requirements in our network design.

Integrity, confidentiality:

Encryption at the network layer of the links between:
** Data centers
** Offices and data centers

Availability

Redundant physical paths via multiple carriers

Access to the network itself is restricted by means of security zone definitions; for example, there is no direct connection to the corporate network from visitor meeting rooms.

All controls are audited on a regular basis, for example by penetration tests.

ISO27001
Domain Name
10 Communications and operations management
10.6 Network security management
11 Access control
11.4 Network Access Control
12 Information systems acquisition, development and maintenance
12.3 Cryptographic controls

Physical Security

Physical security risks are re-evaluated annually.

The gTLD systems themselves are operated in two different data centers with state-of-the-art security provisions in place, e.g. strictly restricted access to the data center and locked racks.

For details see answer to question 39.

ISO27001
Domain Name
9 Physical and environmental security
9.1 Secure areas
9.2 Equipment security

External Suppliers

External suppliers are subject to the same restrictions as internal personnel, or to stricter ones.

ISO27001
Domain Name
6 Organization of information security
6.2 External parties
10 Communications and operations management
10.2 Third party service delivery management