30(a) Security Policy: Summary of the security policy for the proposed registry
|gTLD||Full Legal Name||E-mail suffix||Detail|
|.信息||Beijing Tele-info Network Technology Co., Ltd.||tele-info.cn||View|
Beijing Tele-info Network Technology Co., Ltd. (Tele-info Ltd.) provides ʺ.信息ʺ TLD with sound security strategy and guarantee.
Tele-info Ltd. entrusts China Internet Network Information Center (CNNIC) to provide the technology and operation for ʺ.信息ʺ TLD through the ʺBack-End Registry Service Platformʺ of CNNIC. Tele-info Ltd. will designate specialists to carry out coordination and supervise the work of CNNIC.
The Information Security Management System (ISMS), established by CNNIC, has been certified by China Information Security Certification Center (ISCCC) accredited by China National Accreditation Service for Conformity Assessment (CNAS), accords with ISO 27001:2005 and the Statement of Applicability (SOA) thereof, and possesses relevant ISCCC certificates. Since ISMS is viewed to be suitable for the information security management of ʺ.信息ʺ, the security policy is jointly formulated by Tele-info Ltd. and CNNIC based on ISMS and the risk assessment of ʺ.信息ʺ. Associated assurance measures will be implemented according to the policy.
By far, all human resources, funds and equipment necessary for implementing corresponding security strategy have been put in place by Tele-info Ltd. and CNNIC respectively.
30(a).1 Overview of Security Policy
The security policies and corresponding security measures for ʺ.信息ʺ registry services are divided into two categories. One is for technical security and the other is for management security. Technical security includes physical security, network security, system security, application security, data security and auditing security. Management security involves security management organizations, security management personnel and security management rules. Relevant security policies conform to the following standards:
(1) YD⁄T2091-2010 Security Specification for Public DNS Resolution System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3460-1.htm)
(2) YD⁄T2140-2010 Technical Specification of DNS Security Framework (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3523-1.htm)
(3) YD⁄T 2136-2010 Technical Specifications of DNS Delegation (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3519-1.htm)
(4) YD⁄T 2245-2011 Security Protection Requirements for the Domain Name Registration System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3684-1.htm)
(5) YD⁄T 2246-2011 Security Protection Testing Requirements for the Domain Name Registration System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3685-1.htm)
(6) YD⁄T 2052-2009 Security Protection Requirements for the Domain Name System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3397-1.htm)
(7) YD⁄T 2053-2009 Security Protection Testing Requirements for the Domain Name System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3398-1.htm)
(8) Information Security Technology—Baseline for Classified Protection of Information System Security (GB⁄T 22239-2008) (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show.php?source=gb&id=8623)
(9) GB⁄T 22080:2008 (ISO⁄IEC 27001:2005, IDT) Information technology-Security techniques-Information security management systems-Requirements (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show.php?source=gb&id=8618)
(10) GB⁄T 22081:2008 (ISO⁄IEC 27002:2005, IDT) Information technology-Security techniques-Code of practice for information security management (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-gb-8619-1.htm)
Below is an introduction of the above-mentioned various security policies.
30(a).1.1 Technical Security Policy
30(a).1.1.1 Physical Security Policy
All the systems related to ʺ.信息ʺ registry services are deployed in the Internet Data Center (IDC) that meet the following security requirements:
(1) 7*24 on-site security personnel.
(2) A 7*24 video monitoring system is used to monitor the IDC room.
(3) Door-access cards and fingerprint identification technology are used for access control.
(4) Two separate circuits and one standby Uninterruptible Power Supply (UPS) are available to ensure uninterrupted power supply.
(5) Lightening-proof, fire prevention and anti-static measures are taken.
(6) All windows are equipped with infrared anti-theft alarm devices.
Furthermore, only authorized technicians (e.g. system administrators) are permitted to enter the IDC room for operations such as hardware or software update.
30(a).1.1.2 Network Security Policy
A full redundancy design is adopted for all the network equipment and links related to ʺ.信息ʺ registry services. Four security zones are respectively defined as office subnet, a monitoring subnet, a service subnet and a database subnet according to their security level. Intrusion Detection Systems (IDS) and equipment against Denial of Service (DOS)⁄Distributed Denial of Service (DDOS) have been adopted by ʺ.信息ʺ.
All the servers for ʺ.信息ʺ registry services are protected by load balancers. Each server adopts the intranet IP address defined in Request for Comments (RFC) 1918. Important internal servers such as databases also adopt intranet IP addresses to prevent Internet users from accessing these servers.
30(a).1.1.3 System Security Policy
All systems related to ʺ.信息ʺ registry services conform to the following security policies:
(1) Unnecessary services and processes are prohibited.
(2) Upgrading operating systems and important application programs shall be performed at a regular basis.
(3) Dynamic Rivest-Shamir-Adieman (RSA) token security systems shall be deployed for system authorization, access control and access password protection.
(4) Remote operation of servers within the intranet shall be performed through bastion hosts.
In addition, the use of server resources and service status will be monitored on a 7*24 basis by a exclusive network operation and maintenance system and an alarm will be given off once an abnormity is detected. System-level scanning devices are used to perform systematic vulnerability scanning periodically for the internal and external networks and system reinforcement is performed very soon.
30(a).1.1.4 Application Security Policy
All applications related to ʺ.信息ʺ registry services conform to the following security policies:
(1) Shared Registration System (SRS)
(a) The SRS connection between Tele-info Ltd. and the registrars shall adopt the Secure Sockets Layer (SSL) encryption technology, and a client certificate and a username⁄password shall be used to achieve the strong authentication to each registrar.
(b) If a registrar does not perform any operation within a preset period of time after successful login, SRS will automatically terminate the connection.
(c) Each registrarʹs login password in the SRS is restricted to within 6-32 characters, which is stored in an encrypted form.
(2) DNS service
(a) Hidden DNS resolution primary masters are adopted which are not connected with the Internet and which do not provide resolution service, so as to ensure the security of the original zone files of ʺ.信息ʺ.
(b) Transmission of zone files between hidden primary masters and each secondary server at each nameserver data center is achieved in the way of IPsec encryption, so as to achieve safe transmission of zone files of ʺ.信息ʺ.
(c) A monitoring system is adopted to ensure data integrity in the process of generating and transmitting zone files of ʺ.信息ʺ.
(d) The specified security configuration regulations are formulated for the configuration of resolution software with inspection to the configuration at regular intervals (quarterly). If the items are not accordant with the regulations, they will be modified to keep the software configuration safe.
(e) Track the vulnerabilities of the resolution software by the specialized personnel and test and upgrade in time after detecting the vulnerabilities.
(a) Whois only permits Internet usersʹ queries and no alteration is permitted.
(b) Whois Web servers are only used to transform Whois Web requests into WhoisD query requests and transmit such requests to WhoisD servers through load balancers. Then WhoisD servers are connected to Whois database to response to Whois queries.
(4) DNS Security Extensions (DNSSEC)
(a) The Hardware Security Module (HSM) used for Key Signing Key (KSK) signing is installed in a locked electro-magnetic shielding cabinet which can effectively prevent key disclosure from the interference of electro-magnetic signals from the outside.
(b) Both the HSM and the cabinet are placed in a separate room with access control measures and only authorized persons may get access to the cabinet.
(5) Internationalized Domain Names (IDN)
(a) To address the problem of phishing due to similarity of internationalized domain names, an system of Chinese domain similarity detection is adopted by “.信息”, through which phishing domain names related to ʺ.信息ʺ can be detected and then corresponding measures can be taken.
30(a).1.1.5 Data Security Policy
Only Database Administrators (DBA) who are responsible for maintenance are permitted to manage database servers. Only through specific management PCs and specific accounts can a DBA access a database server. For any change in the data and programs of an internal database, an application must be submitted through the procedures as specified for managing changes in internal databases. The application shall be reviewed by the DBA and the responsible person before operations are performed at the presence of the DBA. DBAs inspect the data backup of the database on a daily basis to make sure that backup data is correct. Technical measures are taken to perform real-time check of the integrity of updated DNS zone files.
A system has been adopted to guard against illegal alteration of websites to ensure data integrity of the websites related to ʺ.信息ʺ registry services. Important data are regularly backed up into the local tape library and the local secondary operation center. The local and remote secondary operation centers have been adopted to realize backup of important data in the three operation centers in Beijing and Chengdu.
30(a).1.1.6 Auditing Security Policy
ʺ.信息ʺ formulates the thorough auditing technical methods and management measures;
ʺ.信息ʺ adopts exclusive database auditing system to audit with the database orders, bastion hosts system to audit the server management operation and in addition, the specified centralized log collection and auditing system (LegendSec) to collect the logs of all network devices, servers and application systems, uniformly collecting and centralizing the logs to make the records.
Auditors use the database auditing system, bastion hosts system and log collection and auditing system to audit at each level and produce corresponding reports on a regular basis.
30(a).1.2 Management Security Policy
30(a).1.2.1 Security Management Organization
Tele-info Ltd. and CNNIC are jointly responsible for relevant security management and emergency response of ʺ.信息ʺ registry services. CNNIC has established a security management department to organize and implement all security-related work; Tele-info Ltd. arranges special technical personnel as security contacts, who are responsible for coordinating the regular security affairs with CNNICʹs security management department, as well as supervise the work of CNNIC. In addition, Tele-info Ltd. and CNNIC jointly agree to establish, on the basis of the existing organizational structure, a ʺvirtualʺ information security management organization which consists of three tiers: the decision-making tier, the execution tier and the auditing tier.
30(a).1.2.2 Security Management Personnel
An investigation must be conducted on the background of the personnel responsible for security management related to ʺ.信息ʺ registry services to make sure that they are reliable enough in terms of educational level, work experiences, credibility, etc. The investigation should be carried out by corresponding Personnel Department.
30(a).1.2.3 Security Management Rules
Security management rules of “.信息” registry services will be put into place in accordance with ISMS, which has been set up by CNNIC for ccTLDs and Chinese domain names in compliant with ISO27001, and viewed to be suitable for ʺ.信息ʺ as well. Based on the ISMS, the security management rules is formulated consisting of 4 tiers of documents: information security management manual; management specifications⁄measures⁄procedures⁄standards; implementation rules⁄operation guidelines⁄work guidance; and records⁄logs. See the figure below:
Please see Figure 1 in the attachment of Q30a_Attachment_Figure.
(1) The information security management manual is the guiding document for ʺ.信息ʺ information security management work. The manual contains such contents as information security policy, overall objective and control measures that are mentioned in the SOA and that have been implemented. Documents of the second and third tiers, such as management specifications and implementation rules can be regarded as documents supporting the information security management manual.
(2) Management specifications, measures, procedures and standards clearly define various management systems and technical control measures. Documents of the second tier provide methods and guidance for carrying out main activities of implementing the information security management system and for allocating duties. Lower-tier documents should also be referred to in implementing ISMS.
(3) Implementation rules, operation guidelines and work guidance are documents that give a detailed description of the processes mentioned in the second-tier documents. Consisting of work guidance, tables & lists, workflow charts, service standards and system manuals, documents of this tier give a detailed description of specific work and activities.
(4) Records and logs are used to keep record of various activities, serving as evidence that these activities meet the requirements of upper-tier documents. During the implementation of ISMS, a series of record tables and reports need to be kept to serve as the evidence that relevant preventive and corrective measures have been carried out.
30(a).2 Security Capability Assessment
30(a).2.1 Security assessment report
The security and safeguarding measures concerning the implementation of “.信息” registry services will be put into place in accordance with ISMS, which was set up by CNNIC for ccTLDs and Chinese domain names in compliant with ISO27001(GB⁄T 22080). The ISMS was certified on March 9, 2011 by China Information Security Certification Center (ISCCC) accredited by China National Accreditation Service for Conformity Assessment (CNAS). With relevant ISCCC certificates, ISMS conforms to ISO 27001:2005 and the SOA thereof.
Please see Figure2 in the attachment of Q30a_Attachment_Figure.
30(a).2.2 Security Capability Test and Assessment
A ʺ.信息ʺ security risk assessment will be carried out at least once a year which covers classification and categorization of information assets; identification and assessment of risks; risk treatment plan and implementation thereof; continuous improvement of risk assessment, etc.. The assessment results will serve as the basis for Tele-info Ltd. and CNNIC to make decisions on overall risk management of ʺ.信息ʺ, assist us in identifying overall risks facing ʺ.信息ʺ, and formulate or adjust risk treatment measures and plans.
Meanwhile, ʺ.信息ʺ invites a third-party security service organization to conduct security inspection and assessment every year, the result of which will be used as an important basis for carrying out security-related work.
30(a).3 Security Level Commitment
According to the classified protection standard of ʺInformation Security Technology—Baseline for Classified Protection of Information System Security (GB⁄T 22239-2008)ʺ, ʺSecurity Protection Requirements for the Domain Name System (YD⁄T 2052-2009)ʺ and ʺSecurity Protection Requirements for the Domain Name Registration System (YD⁄T 2245-2011)ʺ (please refer to Section 30(b).3.1 for the details of security level introduction), ʺ.信息ʺ undertakes the following security commitments to registrants:
(1) The DNS ⁄DNSSEC service system provides global Internet users with ʺ.信息ʺ domain name resolution services. Class-4 protection is used for the primary operation centers and Class-3 protection for nameserver data centers (all nameserver data centers as one unit).
(2) With Class-3 protection, SRS service provides global users with ʺ.信息ʺ domain name registration service through registrars.
(3) With Class-3 protection, Whois service provides global users with ʺ.信息ʺ domain name query service.
Tele-info Ltd. and CNNIC have agreed to set up corresponding security policy with the reference to the security requirements to information systems of different classes, deploy security assurance measures, satisfy each requirement in the standards and accept the examination of the third-party organizations, in a view to guaranteeing ʺ.信息ʺʹs fulfillment of its security-level promises to the public.
Similar gTLD applications: (0)
|gTLD||Full Legal Name||E-mail suffix||z||Detail|