30(a) Security Policy: Summary of the security policy for the proposed registry
| gTLD | Full Legal Name | E-mail suffix |
|---|---|---|
| .дети | The Foundation for Network Initiatives “The Smart Internet” | tcinet.ru |
1. SECURITY POLICY IS A FUNDAMENTAL DOCUMENT ENSURING PROTECTION OF THE REGISTRY SERVICE PROVIDER’S INFORMATION
The policy is developed by the IT security department and approved by the CEO of the Registry Service Provider.
The policy is developed in accordance with effective national standards, law and mandatory information security regulation and procedures:
- ISO/IEC 27001:2005, ISO/IEC 27002:2005, ISO/IEC 27005:2005, ISO/IEC 17799:2005, ISO/IEC 15408, site - www.iso.org;
- FIPS PUB 199, site - csrc.nist.gov;
- GOST R ISO/MEK 27001, GOST R ISO/MEK 17799, GOST R ISO/MEK 13335-3-2007, GOST R ISO/MEK 15408, site - www.gost.ru;
- BSI-Standard 100-3, site - www.bsi.bund.de;
- Federal law of the RF No 152 ‘On personal data’ of 27.07.2006, site - www.duma.gov.ru;
- Federal law of the RF No 149 ‘On information, information technologies and protection of information’ of 27.07.2006, site - www.duma.gov.ru;
- Federal law of the RF No 126 ‘On communications’, site - www.duma.gov.ru.
2. THE SECURITY POLICY SPECIFIES LEVELS OF THE REGISTRY’S INFORMATION SECURITY:
Security level 1. RISK ASSESSMENT AND TREATMENT;
Security level 2. SECURITY POLICY;
Security level 3. ORGANIZING INFORMATION SECURITY;
Security level 4. ASSET MANAGEMENT;
Security level 5. HUMAN RESOURCES SECURITY;
Security level 6. PHYSICAL AND ENVIRONMENTAL SECURITY;
Security level 7. COMMUNICATIONS AND OPERATIONS MANAGEMENT;
Security level 8. ACCESS CONTROL;
Security level 9. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE;
Security level 10. INFORMATION SECURITY INCIDENT MANAGEMENT;
Security level 11. BUSINESS CONTINUITY MANAGEMENT.
Security level 1. RISK ASSESSMENT AND TREATMENT
The level is implemented organizationally. A threat model is developed taking into account the specifics of the WHOIS service, EPP service, DNS service, NTP service, Data escrow service, and the system and network architecture. When detecting or predicting threats to protected assets, the Registry Service Provider evaluates the probability of their realization using all available means, including the engagement of specialized organizations. The Applicant acts for the benefit of registrants and all other participants in the registration system. The probability of threats being realized and the degree of their impact on the registration system are evaluated on the basis of a methodology that yields comparable and reproducible results.
A particular ‘Information risk management policy’ is applied.
Security level 2. SECURITY POLICY
The level is implemented organizationally. The Security Policy of the Registry Service Provider and a set of specific Security Policies are developed. The Security Policy of the Registry Service Provider is approved by the CEO of the Registry Service Provider.
Security level 3. ORGANIZING INFORMATION SECURITY
The level is implemented organizationally. Control over the implementation and deployment of information security is assigned to a specialized structural subdivision, the IT security department. The applicant is obligated to periodically (at least twice a year) run an internal audit of the effectiveness of the means of information protection in use. At least once in two years, an independent specialized organization shall inspect and review the policy implementation. In accordance with the ‘Security audit policy’, employees of the IT security department regularly carry out checks and tests of the information security system, including those of software and hardware means and firewall policies.
The following specific policies are applied:
- ‘Security system documentation management policy’;
- ‘Security management duties allocation policy’;
- ‘Security audit policy’.
Security level 4. ASSET MANAGEMENT
The level is implemented organizationally. An identification and classification procedure has been performed. A regular inventory of resources is provided for. Owners of all resources such as servers, network equipment, software and databases are specified. The resource owner is responsible for its due protection. The resource owner is, as a rule, the manager of the subdivision responsible for maintenance of the registry service within which the given resource is mainly used.
Information assets are split into different categories. The classification of information assets is based on the provisions of FIPS PUB 199.
A particular ‘Asset categorization (classification) policy’ is applied.
Security level 5. HUMAN RESOURCES SECURITY
The level is implemented organizationally. Job candidates are vetted. Each employee enters into a confidentiality agreement (NDA). Periodic control measures are provided for.
A specific ‘Personnel security policy’ is applied.
Security level 6. PHYSICAL AND ENVIRONMENTAL SECURITY
The level is implemented organizationally in combination with technical means. The Network Operation Centers, registry nodes, DNS nodes and network equipment are located in protected data processing centers, which have an established security perimeter with respective protective barriers and access control mechanisms. They are physically shielded from unauthorized access, damage and intrusion.
A specific ‘Physical Security Policy’ is applied.
Security level 7. COMMUNICATIONS AND OPERATIONS MANAGEMENT
The level is implemented organizationally in combination with technical means. Procedures are developed for the management and maintenance of the technical systems providing the WHOIS service, EPP service, DNS service, NTP service and Data escrow service, and for the operation of communication networks and the security provision system. If a service is outsourced, control over the necessary level of security is maintained. Procedures are carried out for planning, protection from malicious software (viruses), backup, network security management, data carrier turnover, information exchange, and monitoring of information handling operations (access log management and review, etc.). The distributed architecture of the registry, together with the use of two completely interchangeable and geographically distributed co-active SRS nodes, ensures safe storage and backup of EPP and WHOIS service information, registrar data and secondary DNS information. SSH is used to transfer data between the primary and standby databases, which are connected via a secure channel over an L2 link. In accordance with the ‘Network security policy’ and the ‘Security audit policy’, regular checks of the firewall configuration and log files are carried out.
The following specific policies are applied:
- ‘Anti-virus protection policy’;
- ‘Internet Security Policy’;
- ‘Backup policy’;
- ‘Performance management policy’;
- ‘Network security policy’;
- ‘Data carrier use policy’;
- ‘Equipment authorization policy’;
- ‘Policy of monitoring, audit and registration of information security events’;
- ‘Policy of control over the data handling in systems’.
Security level 8. ACCESS CONTROL
The level is implemented organizationally in combination with technical means. Policies for controlling access to the registry services are developed for the following participants in the system: TLD Registry Operator, Registry Service Provider, Registrars and Registrants. The technical means of access control built into the registration system services require password authentication and an SSL certificate, and use firewalls to restrict access at the network level.
The following particular policies are applied:
- ‘Access Control policy’;
- ‘Account management policy’;
- ‘Password use policy’.
Security level 9. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE
The level is implemented organizationally in combination with technical means. Registration system services such as the WHOIS, EPP, Secondary DNS service, NTP service, Data escrow service and others are supplied with built-in security provision mechanisms. The system security requirements were taken into account at the design and implementation stages. Solutions from leading manufacturers such as Oracle, Cisco and HP are used.
The following particular policies are applied:
- ‘Cryptography and Key Management Policy’;
- ‘Information system change management policy’;
- ‘Instrumental analysis and vulnerability management policy’;
- ‘Update management policy’.
Security level 10. INFORMATION SECURITY INCIDENT MANAGEMENT
The level is implemented organizationally in combination with the software and hardware means of the monitoring and notification system. Policies and procedures for responding to information security incidents are developed.
A specific ‘Incident Response and Management’ policy is applied.
Security level 11. BUSINESS CONTINUITY MANAGEMENT
The level is implemented organizationally in combination with technical means. The registry architecture (described in the answer to Evaluation Question 32) ensures fault and accident resistance. In combination with the backup system, data escrow system and distributed DNS system, the registry system ensures steady and continuous technical support of the business process. A business continuity support process is developed and maintained to meet the information security requirements, with the goal of ensuring continuity of the organization’s business. The registry’s continuity is considered in greater detail in the answer to Evaluation Question 39.
A specific ‘Business continuity support policy’ is applied.
3. THE SECURITY POLICY SPECIFIES DUTIES FOR THE PARTICIPANTS IN THE SHARED REGISTRATION SYSTEM (SRS): REGISTRY SERVICE PROVIDER, REGISTRY OPERATOR, REGISTRARS AND REGISTRANTS
(i) ensuring confidentiality of information in the SRS, including but not limited to:
- authentication data;
- Registrants’ personal data;
- other registration data which are not in public access;
(ii) ensuring integrity of information in the SRS, including but not limited to:
- registration data;
- authentication data;
- Registrants’ personal data;
- other data necessary for the registration system’s operation;
(iii) ensuring availability of information in the SRS, including but not limited to:
- registration data published via the WHOIS service;
- registration data disseminated via the DNS service;
- NTP service data;
- EPP service data;
- data used for the data escrow deposits;
- other data necessary for the SRS operation.
The obligation to ensure confidentiality means that the Registry Service Provider warrants that the registry’s information is unavailable, and its content is not disclosed, to unauthorized persons, subjects or processes.
The obligation to ensure integrity means that the Registry Service Provider warrants accuracy and completeness of the registry’s information.
The obligation to ensure availability means that the Registry Service Provider warrants the possibility to use the registry’s information where necessary.
4. SPECIAL INFORMATION SECURITY CONTROL AND MANAGEMENT MEASURES
In addition to the Security Policy’s information security levels, the Registry Service Provider introduces four groups of special security control and management measures.
Group 1. Prevention of information incidents
Identification control in the Registry system is multilayered.
As to registrars, within the given group the Registry obligates the registrar to employ the following measures:
- In compliance with RRA terms, the registrars are obligated to check passwords used by registrants to manage their domain names for complexity.
- To provide protection from unauthorized access to domain name management by third parties, the Registry Operator also plans to encourage the use of client certificates both in web interfaces and in electronic documents. The Registry Operator believes that this instrument has considerable potential for efficient protection of domain name management.
- The registrar is obligated to provide the registrant with access to domain name management over the HTTPS protocol in the web interfaces provided by the registrar.
- When critical operations are performed on a domain (such as domain transfer to another registrar for maintenance, domain deletion, re-registration), the registrar is obligated to notify all the contact parties concerned (registrant, administrative and technical contacts) that these operations are being performed. The registrar is also obligated to include in these notifications information on whom to contact if the operation has not been authorized by the registrant.
- The registrar is obligated to install technical restrictions that check the strength and safety of passwords used by registrants to access domain management. The registrar is also obligated to alert the registrant and his contacts of their responsibility for adhering to password storage safety requirements.
- The registrar is recommended to install technical restrictions for registrants with regard to compulsory use of only automatically generated passwords to access domain management.
- To ensure security, access is limited for registrars receiving the registry services by specifying a finite list of IP addresses for each contractor.
Group 2. ‘Detection’ – measures are undertaken for early detection of incidents which have arisen in spite of preventive measures
Detection of early signs of DDoS attacks by employing special methods.
Group 3. ‘Limitation’ – measures are undertaken to reduce losses even where the incident occurred in spite of preventive measures
For example, independent ACLs for each component of the registry system, backup procedures, and the Registry Operator’s distributed architecture. For details, see the answers to Evaluation Questions #37 and #38.
Group 4. ‘Recovery’ – a full and timely information recovery is ensured
For example, an SRS failure can occur. A complete failure of the registration system can result, for instance, from data deletion on the primary and standby database servers. Should that happen, the data is recovered from the backup. Because the database archive redo logs are backed up constantly, the data version immediately preceding the time of the failure can be recovered. Applications for any domain operations should be forbidden for the duration of the database recovery from the backup.
For details, see the answers to Evaluation Questions #37 and #41.
5. In 2011 the ‘Group IB’, a Russian NGO company rendering comprehensive consulting services with respect to investigation of information security incidents, completed an independent evaluation of the information security support of the Registry Service Provider’s system. According to the report, the following processes and procedures are in need of improvement:
- an ACL should be assigned for any new components of the registry system;
- interaction and collaboration with professional associations and expert forums in the sphere of security should be broadened;
- regulations specifying rules of acceptable asset use should be supplemented;
- the assets management policy and respective procedures should be supplemented with the requirement to obtain permission for an asset transfer and to record asset transfers and returns.
In accordance with the approved 2012 Registry Service Provider’s development plan, an audit of the information security management system for compliance with the requirements of international standard ISO 27001:2005 will be carried out in the IV quarter of 2012.
6. THE TECHNICAL SOLUTION OF THE INFORMATION PROTECTION SYSTEM IS BASED ON COMBINATION OF THE FOLLOWING SUBSYSTEMS:
- firewall subsystem;
- access control subsystem;
- antivirus protection subsystem;
- cryptographic protection subsystem.
The IT security department periodically evaluates internal normative regulations for their effectiveness and consistency and keeps the said documents up to date.
7. DESCRIPTION OF THE ORGANIZATIONAL STRUCTURE OF INFORMATION PROTECTION
The functions of organizing the information protection process are assigned to the IT security department. More details on the organizational structure are given in the answer to Evaluation Question #30(b).
The research and development department is responsible for ensuring information security of the SRS/WHOIS/DNSSEC/Billing systems.
The network infrastructure department is responsible for ensuring information security of the IP and Ethernet infrastructure.
8. INFORMATION SECURITY MEASURES IN THE REGISTRY SERVICE PROVIDER’S INFORMATION SYSTEM
Information security measures in the Registry Service Provider’s information system include:
- classification of the information system;
- specification of security threats to protected information during its processing in the information system;
- development of a specific threat model for the particular information system;
- development of a protection system on the basis of the specific threat model, which ensures neutralization of envisaged threats with the use of protective methods and ways provided for the respective class of information system;
- type classification of the information system on the basis of a threat model;
- deployment and implementation of protective means in accordance with the operational and technical documentation;
- staff training on operation of the protection means used in the information system;
- control of the protection means in use, their operational and technical documentation, and carriers of protected information;
- control of employees granted access to work with protected information in the information system;
- investigation of instances of inappropriate use, or violation of the rules of use, of protection means which may lead to a breach of the confidentiality of information or to other errors decreasing the level of information security, and development and implementation of measures to prevent possible dangerous consequences of such failures.