30(a) Security Policy: Summary of the security policy for the proposed registry
Prototypical answer:
gTLD | Full Legal Name | E-mail suffix | Detail | .scb | The Siam Commercial Bank Public Company Limited (ʺSCBʺ) | scb.co.th | View |
.SCB TLD will be used solely by Siam Commercial Bank PCL the first commercial bank in Thailand established since 1904. The TLD will be used primarily for offering financial services. The Registry operator commits to develop processes and deploy the security management across infrastructure and systems to comply with an international standard ISO⁄IEC 27001:2005 (Please see the “Enterprise Information Security Policy” submitted as a separate document for the complete registry operator’s security policy, file name “Q30(b)-Exhibit30_DotSCB_REGISTRY_Information_Security_Policy.pdf”).
Registry operation will also be charged with following the Financial Services gTLD Control Requirements (http:⁄⁄www.icann.org⁄en⁄correspondence⁄aba-bits-to-beckstrom-crocker-20dec11-en.pdf) to provide reasonable assurance that the security, availability, and confidentiality of systems and information assets. In particular, the registry operator will ensure that critical registry operations (i.e., registration services, registry databases, zone administration, and provision of domain name resolution services) and business
operations are maintained according to the following:
- defining and communicating performance objectives, policies, and standards for system and information asset security, availability, confidentiality, and privacy
- utilizing procedures, people, software, data, and infrastructure to achieve defined objectives in accordance with established policies and standards
- monitoring the system and information assets and taking action to achieve compliance with defined objectives, policies, and standards
Below, the security policies of the registry operator as well as the control required over registrars are described.
1. Registry Operator’s Security Policy
+Domain Name Registration⁄Maintenance
-DNSSEC must be used for all DNS transactions
+ Encryptions
- All traffic among registry operators, registrars and registrants shall be encrypted
- All domains shall utilize HTTPS when the activity includes the display or entry of non-public personal information, the display of financial records, or the transacting of financial activities
- All data related to authentication credentials associated with the interaction of registry operators, registrars and registrants shall be encrypted in the storage
+ Defined Naming Conventions
- Registry operator shall define and implement name allocation policy including a process to resolve a conflict between identical or confusingly similar names
+ Authentications
- Registry operator requires that Registrars accessing Registry services must use strong, dual factor authentication to ensure only authorized access
- Registry Operator shall provide non-discriminatory access for all approved registrars
+ Maintenance and Accuracy of Whois data
- The registry shall perform verification quarterly with ICANN about the accuracy of Whois data
- Proxy registrations are prohibited within the registry
+ Resolution Services
- DNS lookup services shall be available at all times with rapid response to all queries
- Registry operator must offer Thick Whois
+ Server Configuration⁄Maintenance Standards
- Server configuration and maintenance shall be consistent with NIST Special Publication SP-800-123, “Guide to General Server Security”
+ Business Continuity Requirements⁄Backup And Disaster Recovery Capabilities
- Registry operations will be located in a geography with minimal exposure to natural disasters
- Registry operations shall provide sufficient physical redundancy to assure continuous operations of the domain in the event of a natural or man-made physical disaster
- Registry operators shall plan for ability to withstand and quickly recover from a cyber-attack including ability to recover from known attack scenarios including distributed
denials of service and penetration attacks (i.e., those which take advantage of unfixed vulnerabilities)
+ Registry operator shall test its physical recovery capabilities at least annually
- Registry operator shall test its cyber-attack recovery capabilities at least semi-annually
- Registry operator is willing to participate in at least one major industry-level physical disaster simulation and one major industry-level cyber-attack simulation annually
+ Auditing of Backup and Disaster Recovery Capabilities
- Registry operator shall make its backup and recovery plans and test results available for third party verification by an industry-approved review service independent of the
registry operator
+ Ongoing Monitoring
- Registry operator shall be able to detect variations from expected “normal” state of IT operations
- Registry operator shall be able to detect actual and potential cyber attacks
- Registry operator shall have and monitor a reliable source to gather physical and cyber threat intelligence
+ Incident Management Process Requirements
- Registry operator shall ensure that the mitigation of threats, be they physical, cyber or operational, will not degrade the ongoing operation and legitimate domain traffic
- Registry operator shall inform registrars and registrants of threat intelligence it identifies as a result of its own monitoring and must have capability to issue immediate alerts
upon identification of critical or high-risk incidents
+ Change Management Process Requirements
- Registry operator shall implement procedures related to environmental changes in hardware, software or operations that incorporate adequate pre-implementation planning and notification to parties potentially affected, adequate pre-implementation testing, post-implementation testing and adequate back-out contingencies
+ Security
- Registry operator shall comply with industry standards and best practices for DNS signing
- Registry operator requires DNSSEC for all domain names and sub-domains whose purposes involve accessing to private information, financial information or the execution of financial transactions
- DNSSEC shall employ NextSecure⁄NSEC (and preferably with NSEC3)
+ Encryptions
- Registry operator requires all traffic utilize a minimum of 128-bit encryption
+ Key Management Controls for Signing Keys
- Registry operator will have adequate procedures to control the upgrade, replacement, retirement of encryption keys for both the TLD keys and domain name zones
+ Other Security Requirements
- Registry operator shall utilize commercially reasonable defense in depth protections including network and personal firewall protections, intrusion prevention and filtering to block malicious traffic
- Registry operators shall monitor their environment for security breaches or potential indicators of security issues utilizing commercially reasonable monitoring tools including IDS monitoring, etc.
- Registry operator shall perform at least annual network penetration testing
- Registry operator will ensure that its Internal Registry Systems shall be protected using PKI certificates for authentication and encryption of sensitive data
- Registry operation shall have written policies and procedures for key generation and storage, and aging and renewal of certificates (including alerting to certificate recipients of upcoming expirations)
2. Registrar Control
+ The registry operator will limit the number of registrars to the fewest possible to effectively serve any financial services gTLD. And all registrars must meet all the following criteria:
+ Registrars must provide the following evidences to the registry operator:
+ Financial Background (preferably at least 10 years back)
+ Criminal Background (preferably at least 10 years back)
+ Registrars must be revalidated based on the above criteria at least quarterly. If the Registrant fails any of these checks during any post-initial acceptance revalidation, the Registry operator should suspend the Registrar.
+ Registry operator will monitor registrar fraud activity looking for patterns indicative of inappropriate registrar controls
+ Registry operator will provide written policies and procedures for registering, suspending and terminating registrars
+ In any cases, the registry operator requires that registrar registration procedures implement policy and procedures aligned to the requirements specified in the Financial Services gTLD Control Requirements (http:⁄⁄www.icann.org⁄en⁄correspondence⁄aba-bits-to-beckstrom-crocker-20dec11-en.pdf)
+ Registry operator also requires that registrants shall behave and follow the requirements specified in the Financial Services gTLD Control Requirements (http:⁄⁄www.icann.org⁄en⁄correspondence⁄aba-bits-to-beckstrom-crocker-20dec11-en.pdf)
Similar gTLD applications: (0)
gTLD | Full Legal Name | E-mail suffix | z | Detail |