
30(a) Security Policy: Summary of the security policy for the proposed registry

gTLD: .BBC
Full Legal Name: British Broadcasting Corporation
E-mail suffix: bbc.co.uk
Question 30a – Security Policy

Nominet, the Registry Services Provider, has been running the dot UK TLD for the past 15 years and has an impeccable security record in protecting both the dot UK TLD and the information within the registry. Nominet works at the forefront of information security and contributes to the development of both global and national security standards to further protect the security, stability and resilience of the Internet.

The aim of Nominet's Security Programme is to secure the business, its data, its people, and the services that the organisation provides. Nominet maintains policies, standards and procedures that are designed to protect the company assets according to their sensitivity, criticality and value.

The goals of Nominet's Security Programme are:

- Allocation of responsibility by Nominet management for development, implementation, monitoring and review of information security policies and standards
- Monitoring, evaluation and management of information security threats, vulnerabilities and risks
- Awareness of, and adherence to, all published information security policies, standards and processes applicable to management or use of information assets by Nominet Personnel with access to such information assets
- Access controls and business continuity management of Nominet information processing facilities, information assets and business processes
- Implementation of an information security incident management process
- Periodic review of the Information Security Programme to ensure its effectiveness.


Processes and Solutions

Nominet employs security capabilities which are robust and appropriate for the high profile and large TLD registry that it operates. Nominet is fully compliant and certified with the British Standard for Business Continuity BS25999-2:2007. Any gTLD that Nominet operates will benefit from this proven security approach.

Physical security at Nominet includes a permanently manned reception area with CCTV monitoring of all entrances, including recording of video. All staff wear visible corporate photo ID cards and are encouraged to challenge unaccompanied strangers. Access to server areas requires biometric identification in addition to ID cards. In addition to these physical checks, Nominet's datacentre locations employ further physical security measures including a 24x7 manned reception, ballistic resistant glass mantrap, and air locks. Security staff ensure that access is only available to those specifically authorised. Nominet's servers are housed in a secure caged area within the datacentre with a card access controlled door.

Server security starts with a minimal install of the operating system, with extra software only being installed if required. Access is restricted to those required to administer the server and its software, with audits carried out at regular intervals to ensure that access is still required.

Patching is carried out as part of a regular and ongoing patch management programme to ensure that critical servers and services are kept secure. Nominet also maintain a very close relationship with DNS software providers and have reported bugs to them to help patch their software, following responsible disclosure guidelines.

All external connections to Nominet's systems are encrypted using TLS (Transport Layer Security), with internal connections being encrypted where possible. TLS ensures that, where appropriate, TCP, UDP and BGP connections are encrypted. All privileged access to Nominet's servers is protected with two factor authentication. HSMs are used where appropriate to store private key information.

Networks are separated with firewalls (Juniper SRX3600) deployed between different network segments to help protect Nominet's sensitive information. All external access to Nominet's services is through firewalls to servers located in a Demilitarized Zone (DMZ). Wireless access points in Nominet's offices are also located in a DMZ to prevent direct access to internal systems. Wireless access is encrypted following best practice guidelines. Only authorised devices are permitted to connect to the company network.

Access to all devices (desktop devices, servers, network devices etc.) is via individual usernames and passwords controlled by a central directory service (Microsoft Active Directory). This allows easy control of all user access from a single location, helping simplify user access control. Access to Nominet's systems is forbidden unless expressly permitted, and users are granted the minimal access required to perform their job function effectively. Users are assigned unique user IDs, and these user IDs are never re-issued to other users. Accounts are disabled for any user who no longer requires access or has left the company, and user access is reviewed on a regular basis. The following roles are not carried out by the same people: systems operation, systems development, and systems/network administration.

The following controls are also applied to separate systems:

- Development and production software are run in separate environments.
- Development and test work are separated.
- Development facilities are not loaded on production systems.
- Development personnel use separate logon IDs for development and test systems to reduce the risk of error.
- Development staff do not have access to production systems.

Anti-virus software from a reputable supplier is used to scan computers and media on a routine basis. Anti-virus software is kept up to date on a centralised basis.

All access to Nominet's services and servers is logged locally, and also to a central location. Nominet also collect logs from firewalls, Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS), network devices, security devices, applications, databases etc. Event correlation is performed on all these logs to help identify any unusual activity. Nominet use security information and event management software (ArcSight Express) to do this event correlation.

In addition to the monitoring that is carried out by the devices listed above, Nominet has developed a proprietary technology platform to capture and analyse traffic at its name servers. With this technology Nominet can discover trends, identify abuse patterns and research the behaviour of botnets etc. Using this Nominet can identify security flaws and help the company understand the effect they may have on global DNS infrastructure.

Security for in-house written applications is controlled in many ways:

- All application code is peer reviewed.
- Security guidelines for software development have been written and are followed.
- All source code is held in a central repository, access to which is restricted by password.
- All changes to code are regression tested to ensure the application continues to function as expected.
- All changes to code can be attributed to the developer who made them.

Secure disposal of equipment is tightly controlled, with all storage media removed from equipment prior to disposal and all media is then wiped in accordance with best practice guidelines.

Change control is a tightly controlled process at Nominet, with identification and recording of significant changes, including all changes to security configuration. Approval must be gained at every stage, with all changes tested before being put into the live environment. System owners are always involved in these changes to ensure that no registry system is affected without the business being made aware of upcoming changes. Assessment of the potential impact of any changes is made, and there is an approval procedure for proposed changes. Nominet try to ensure that implementation of change causes minimal disruption to normal operations, bundling up changes into a formal release where applicable. All changes must have an approved rollback plan for recovering from unsuccessful changes.

Staff are encouraged to report security incidents, and all such incidents are investigated by Nominet's system administration team, who have access to the research team if required. Action is taken initially to reduce the impact of the problem, and the root cause of the problem is determined. Action is then taken to deal with the problem, making changes as required. Any affected users are notified along with any recommended action (such as changing passwords).


Independent Assessment Reports

Nominet currently undergoes specific security testing as part of an approach to maintain PCI-DSS (Payment Card Industry Data Security Standard) Compliance. Using a third party (Trustkeeper), monthly scans are carried out against a section of Nominet's internet facing systems to test for vulnerabilities. These scans are designed to detect more than 5,000 known network, operating system and application vulnerabilities including the SANS Institute Top 20 list and are executed without any impact on Nominet's systems. The most recent scan was carried out on the 17th January 2012 and the result was a pass.

Nominet is also undergoing a three year programme of security testing using an ISO27001 certified third party assessor (First Base Technologies). The scope of the testing that First Base is carrying out includes (but is not limited to):

- Public IP Address Scan
- External Infrastructure Penetration Test
- Authenticated Remote Access Test
- Web Application Penetration Test
- Internal Infrastructure Penetration Test
- Server and Network technical Audit
- Wireless network Discovery
- Wireless Client Device Discovery and Analysis
- Building Access Test
- Email Spear Phishing
- USB Spear Phishing
- Telephone Social Engineering
- Technical Workshop participation

In addition to the above, First Base have also carried out training programmes for staff on information security vulnerability and social engineering compliance. Nominet is fully committed to passing the programme of work being carried out by First Base and, where applicable, putting suitable remediation plans in place.


Other Security Measures

Nominet is fully engaged with national and international security agencies to fully understand the ever-changing global risk register for security vulnerabilities. Agencies include the US NTIA, UK Cabinet Office, UK GCHQ (Government Communications Headquarters), UK EC-RRG (Electronic Communications Resilience and Response Group) and many other formal and informal security groups.

Nominet works closely within the internet community to develop, support and publicise security standards and best practice across the global internet. Staff at Nominet helped develop the global DNSSEC security standard and authored a number of the key RFCs (Requests for Comments) that make up this standard. Nominet is currently at the forefront of DNS research, attempting to understand patterns of misuse and criminal behaviour within the global DNS. Nominet's Director of IT was selected as one of 12 global experts to analyse and audit ICANN's security, stability and resilience work and report back to both the ICANN board and the NTIA on areas for improvement. Nominet's Head of Research is a member of the DSSAWG (Domain Stability and Security Working Group) looking into how best to coordinate global DNS security incidents.


Commitments to registrants

We will commit to dot BBC registrants that:

- All data will be secured and protected in line with ISO 27001 guidelines;
- We will not take any action in relation to a domain name registration unless we are satisfied that it has been received from the right person;
- We will require registrars to prove their identity, including by the use of unique identifiers and multi-factorial authentication where appropriate, when they submit transactions to our systems;
- Our registrars will be contractually obliged to maintain the security of their system identifiers and passwords and prevent the unauthorised disclosure of the same; and
- The registry will be operated in accordance with the Data Protection Act 1998 which, amongst other things, requires us to implement appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data.


Resourcing plan

Nominet employs a dedicated Head of Information and Technology Security to help develop best-practice security policy and to liaise with national and international security agencies, organisations and groups in order to ensure that both Nominet and the TLDs that it operates are as secure as possible.

The implementation of Nominet's security policy is already in place. Nominet has a dedicated security team and a large infrastructure team from which it will dedicate the following resources to post launch maintenance tasks related to the security policies that will be used by the dot BBC registry.

- Maintenance, review and improvement of the security policy and arrangements: 5 hours a week by the Head of IT Security
- Technical support: 5 hours per week

Total post launch resource: 10 hours per week.
gTLD: .cymru
Full Legal Name: Nominet UK
E-mail suffix: nominet.org.uk
Nominet has been running the dot UK TLD for the past 15 years and we have an impeccable security record in protecting both the dot UK TLD and the information within the registry. We work at the forefront of information security and contribute to the development of both global and national security standards to further protect the security, stability and resilience of the Internet.

We have a Security Programme in place, the aim of which is to secure our business, its data, its people, and the services that we provide. We maintain policies, standards and procedures that are designed to protect the company assets according to their sensitivity, criticality and value.

The goals of our Security programme are:

- allocation of responsibility by management for development, implementation, monitoring and review of information security policies and standards;
- monitoring, evaluation and management of information security threats, vulnerabilities and risks;
- awareness of, and adherence to, all published information security policies, standards and processes applicable to management or use of information assets by personnel with access to such information assets;
- access controls and business continuity management of information processing facilities, information assets and business processes;
- implementation of an information security incident management process; and
- periodic review of the Information Security Programme to ensure its effectiveness.


Processes and Solutions

We employ security capabilities which are robust and appropriate for the high profile and large TLD registry that we operate. We are fully compliant and certified with the British Standard for Business Continuity Management BS25999. Any gTLD that we operate will benefit from this proven security approach.

Physical security includes a permanently-manned reception area with CCTV monitoring of all entrances, including recording of video. All staff wear visible corporate photo ID cards and are encouraged to challenge unaccompanied strangers. Access to server areas requires biometric identification in addition to ID cards. In addition to these physical checks, our datacentre locations employ further physical security measures including a 24x7 manned reception, ballistic resistant glass mantrap, and air locks. Security staff ensure that access is only available to those specifically authorised. Our servers are housed in a secure caged area within the datacentre with a card access controlled door.

Server security starts with a minimal install of the operating system, with extra software only being installed if required. Access is restricted to those required to administer the server and its software, with audits carried out at regular intervals to ensure that access is still required.

Patching is carried out as part of a regular and ongoing patch management programme to ensure that critical servers and services are kept secure. We also maintain a very close relationship with DNS software providers and have reported bugs to them to help patch their software, following responsible disclosure guidelines.

All external connections to our systems are encrypted using Transport Layer Security (TLS), with internal connections being encrypted where possible. TLS ensures that, where appropriate, Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Border Gateway Protocol (BGP) connections are encrypted. All privileged access to servers is protected with two factor authentication. Hardware security modules (HSMs) are used where appropriate to store private key information.

Networks are separated with firewalls (Juniper SRX3600) deployed between different network segments to help protect sensitive information. All external access to our services is through firewalls to servers located in a "demilitarized zone" (DMZ). Wireless access points in our offices are also located in a DMZ to prevent direct access to internal systems. Wireless access is encrypted following best practice guidelines. Only authorised devices are permitted to connect to the company network.

Access to all devices (desktop devices, servers, network devices etc.) is via individual usernames and passwords controlled by a central directory service (Microsoft Active Directory). This allows easy control of all user access from a single location, helping simplify user access control. Access to systems is forbidden unless expressly permitted, and users are granted the minimal access required to perform their job function effectively. Users are assigned unique user IDs, and these user IDs are never re-issued to other users. Accounts are disabled for any user who no longer requires access or has left the company, and user access is reviewed on a regular basis. The following roles are not carried out by the same people: systems operation, systems development, and systems/network administration.
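The account-management controls described in this paragraph (and in the equivalent paragraph of the dot BBC answer above) are the kind of thing a periodic access review actually checks: default deny with minimal access, user IDs that are never re-issued, accounts of leavers disabled, and the three administrative roles kept apart. The following audit script is an added illustration written for this page, not Nominet's tooling or an Active Directory export format; the directory records, role names and the audit date are constructed sample data.

```python
"""Access review over a constructed user directory export.

Added illustration, not the registry's own tooling: checks default-deny
access, segregation of the three conflicting roles, leaver accounts that
are still enabled, and user IDs that have been re-issued to a second person.
"""
from datetime import date

# Roles the policy says must never be held by the same person (names assumed).
CONFLICTING_ROLES = {"systems_operation", "systems_development", "systems_network_admin"}

# Constructed audit date and directory export; "left_on" is the leaving date, if any.
AUDIT_DATE = date(2012, 1, 17)
SAMPLE_DIRECTORY = [
    {"user_id": "u1001", "person": "Alice", "roles": {"systems_operation"},
     "enabled": True, "left_on": None},
    # Bob holds two of the conflicting roles: a segregation-of-duties finding.
    {"user_id": "u1002", "person": "Bob", "roles": {"systems_development", "systems_network_admin"},
     "enabled": True, "left_on": None},
    # Carol left on 5 January but her account is still enabled.
    {"user_id": "u1003", "person": "Carol", "roles": {"systems_development"},
     "enabled": True, "left_on": date(2012, 1, 5)},
    # Dave was given Carol's old user ID: the ID has been re-issued.
    {"user_id": "u1003", "person": "Dave", "roles": set(),
     "enabled": True, "left_on": None},
    {"user_id": "u1005", "person": "Erin", "roles": set(),
     "enabled": True, "left_on": None},
]


def is_permitted(account, required_role):
    """Default deny: access is granted only when the account is enabled and
    explicitly holds the role the resource requires. Anything else is refused."""
    return bool(account["enabled"]) and required_role in account["roles"]


def audit_directory(accounts, today=AUDIT_DATE):
    """Return a list of (finding_kind, user_id, detail) tuples."""
    findings = []

    # 1. Segregation of duties: no person may hold more than one conflicting role.
    for acct in accounts:
        held = acct["roles"] & CONFLICTING_ROLES
        if len(held) > 1:
            findings.append(("sod_conflict", acct["user_id"], sorted(held)))

    # 2. Leavers: anyone whose leaving date has passed must be disabled.
    for acct in accounts:
        left = acct["left_on"]
        if left is not None and left <= today and acct["enabled"]:
            findings.append(("leaver_enabled", acct["user_id"], acct["person"]))

    # 3. Unique IDs: a user ID that maps to more than one person has been re-issued.
    owners = {}
    for acct in accounts:
        owners.setdefault(acct["user_id"], set()).add(acct["person"])
    for user_id, people in sorted(owners.items()):
        if len(people) > 1:
            findings.append(("id_reissued", user_id, sorted(people)))

    return findings


if __name__ == "__main__":
    for finding in audit_directory(SAMPLE_DIRECTORY):
        print(finding)
```

Run against the sample export the script reports three findings: Bob's role conflict, Carol's still-enabled leaver account, and the re-issued ID u1003. The `is_permitted` check is deliberately a pure function of the account record, so it can be unit tested against the same export the review uses.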

The following controls are also applied to separate systems:

- development and production software are run in separate environments;
- development and test work are separated;
- development facilities are not loaded on production systems;
- development personnel use separate logon IDs for development and test systems to reduce the risk of error; and
- development staff do not have access to production systems.

Anti-virus software from a reputable supplier is used to scan computers and media on a routine basis. Anti-virus software is kept up to date on a centralised basis.

All access to services and servers is logged locally, and also to a central location. We also collect logs from firewalls, intrusion detection systems (IDS)/intrusion prevention systems (IPS), network devices, security devices, applications, databases etc. Event correlation is performed on all these logs to help identify any unusual activity. We use security information and event management software (ArcSight Express) to do this event correlation.
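This paragraph (and the matching paragraph in the dot BBC answer above) describes collecting logs from firewalls, IDS/IPS and servers into one place and correlating them, but not what a correlation looks like. The following is an added illustration written for this page, not ArcSight content or the registry's own rules: it normalises three differently formatted log sources into one event stream and raises a finding when a source address that produced an IDS alert, or repeated failed logins, then obtains a successful login within a time window. The log lines, hostnames and the line formats are constructed; the addresses come from the documentation ranges 203.0.113.0/24 and 192.0.2.0/24.

```python
"""Cross-source event correlation over constructed log lines.

Added illustration, not the registry's own SIEM content: firewall, IDS and
sshd lines are normalised to a common event shape, grouped by source address,
and a successful login is flagged when earlier events from the same address
within the window make it suspicious (many failures, or an IDS alert).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in three made-up formats (firewall, IDS, sshd).
SAMPLE_LOGS = """\
2012-01-17T10:00:01 fw1 DENY src=203.0.113.5 dst=192.0.2.10 dport=23
2012-01-17T10:00:05 ids1 ALERT sig="SSH brute force" src=203.0.113.5
2012-01-17T10:00:09 srv1 sshd: Failed password for admin from 203.0.113.5
2012-01-17T10:00:11 srv1 sshd: Failed password for admin from 203.0.113.5
2012-01-17T10:00:13 srv1 sshd: Failed password for admin from 203.0.113.5
2012-01-17T10:00:30 srv1 sshd: Accepted password for admin from 203.0.113.5
2012-01-17T10:05:00 srv2 sshd: Accepted publickey for ops from 192.0.2.44
2012-01-17T10:06:00 ids1 ALERT sig="Port scan" src=203.0.113.9
"""

# One regex per source format; each yields (timestamp, reporting host, source IP).
PATTERNS = [
    ("fw_deny", re.compile(r"^(\S+) (\S+) DENY src=(\S+)")),
    ("ids_alert", re.compile(r'^(\S+) (\S+) ALERT sig="[^"]*" src=(\S+)')),
    ("login_failed", re.compile(r"^(\S+) (\S+) sshd: Failed password for \S+ from (\S+)")),
    ("login_ok", re.compile(r"^(\S+) (\S+) sshd: Accepted \S+ for \S+ from (\S+)")),
]


def parse_line(line):
    """Normalise one raw line to {ts, host, kind, ip}; None if no format matches."""
    for kind, rx in PATTERNS:
        m = rx.match(line)
        if m:
            ts, host, ip = m.groups()
            return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "ip": ip}
    return None


def parse_logs(text):
    """Parse all lines and return the recognised events in time order."""
    events = [e for e in (parse_line(line) for line in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=10), fail_threshold=3):
    """Flag successful logins preceded, within the window and from the same
    source address, by an IDS alert or at least fail_threshold failed logins."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)

    findings = []
    for ip, evs in by_ip.items():
        for i, event in enumerate(evs):
            if event["kind"] != "login_ok":
                continue
            earlier = [p for p in evs[:i] if event["ts"] - p["ts"] <= window]
            fails = sum(1 for p in earlier if p["kind"] == "login_failed")
            alerted = any(p["kind"] == "ids_alert" for p in earlier)
            reasons = []
            if fails >= fail_threshold:
                reasons.append(f"{fails} failed logins before success")
            if alerted:
                reasons.append("IDS alert before success")
            if reasons:
                findings.append({"ip": ip, "host": event["host"],
                                 "ts": event["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_logs(SAMPLE_LOGS)):
        print(finding)
```

On the sample stream only the login from 203.0.113.5 is flagged: the ops login from 192.0.2.44 has no suspicious history and the port-scan alert for 203.0.113.9 never leads to a login. The value of correlation is exactly that none of the three sources alone says anything conclusive; the firewall deny, the IDS alert and the sshd failures only become a finding when joined on the source address and ordered in time.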

In addition to the monitoring that is carried out by the devices listed above, we have developed a proprietary technology platform to capture and analyse traffic at our name servers. With this technology we can discover trends, identify abuse patterns and research the behaviour of botnets etc. Using this we can identify security flaws and understand the effect they may have on global DNS infrastructure.


Security for in-house written applications is controlled in many ways:

- all application code is peer reviewed;
- security guidelines for software development have been written and are followed;
- all source code is held in a central repository, access to which is restricted by password;
- all changes to code are regression tested to ensure the application continues to function as expected; and
- all changes to code can be attributed to the developer who made them.

Secure disposal of equipment is tightly controlled, with all storage media removed from equipment prior to disposal and all media is then wiped in accordance with best practice guidelines.

Change control is a tightly controlled process, with significant changes identified and recorded, including all changes to security configuration. Approval must be gained at every stage, with all changes tested before being put into the live environment. System owners are always involved in these changes to ensure that no registry system is affected without the business being made aware of upcoming changes. Assessment of the potential impact of any changes is made, and there is an approval procedure for proposed changes. We try to ensure that implementation of change causes minimal disruption to normal operations, bundling up changes into a formal release where applicable. All changes must have an approved rollback plan for recovering from unsuccessful changes.

Staff are encouraged to report security incidents, and all such incidents are investigated by the system administration team, who have access to the research team if required. Action is taken initially to reduce the impact of the problem, and the root cause of the problem is determined. Action is then taken to deal with the problem, making changes as required. Any affected users are notified along with any recommended action (such as changing passwords).


Independent Assessment Reports

We currently undergo specific security testing as part of an approach to maintain PCI-DSS (Payment Card Industry Data Security Standard) Compliance. Monthly scans are carried out by a third party provider (Trustkeeper) against a section of our internet facing systems to test for vulnerabilities. These scans are designed to detect more than 5,000 known network, operating system and application vulnerabilities including the SANS Institute Top 20 list and are executed without any impact on our systems. The most recent scan was carried out on 17th January 2012 and the result was a pass.

We are also undergoing a three year programme of security testing using an ISO27001 certified third party assessor (First Base Technologies). The scope of the testing that First Base is carrying out includes (but is not limited to):

- Public IP Address Scan;
- External Infrastructure Penetration Test;
- Authenticated Remote Access Test;
- Web Application Penetration Test;
- Internal Infrastructure Penetration Test;
- Server and Network technical Audit;
- Wireless network Discovery;
- Wireless Client Device Discovery and Analysis;
- Building Access Test;
- Email Spear Phishing;
- USB Spear Phishing;
- Telephone Social Engineering; and
- Technical Workshop participation.

In addition to the above, First Base have also carried out training programmes for staff on information security vulnerability and social engineering compliance. We are fully committed to passing the programme of work being carried out by First Base and, where applicable, putting suitable remediation plans in place.


Other Security Measures

We are fully engaged with national and international security agencies to fully understand the ever-changing global risk register for security vulnerabilities. Agencies include the US NTIA, UK Cabinet Office, UK GCHQ (Government Communications Headquarters), UK EC-RRG (Electronic Communications Resilience and Response Group) and many other formal and informal security groups.

We work closely within the internet community to develop, support and publicise security standards and best practice across the global internet. Staff at Nominet helped develop the global DNSSEC security standard and authored a number of the key RFCs (Requests for Comments) that make up this standard. We are currently at the forefront of DNS research, attempting to understand patterns of misuse and criminal behaviour within the global DNS. Our Director of IT was selected as one of 12 global experts to analyse and audit ICANN's security, stability and resilience work and report back to both the ICANN board and the NTIA on areas for improvement. Our Head of Research is a member of the DSSAWG (Domain Stability and Security Working Group) looking into how best to coordinate global DNS security incidents.


Commitments to registrants

We will commit to dot CYMRU registrants that:

- All data will be secured and protected in line with ISO 27001 guidelines;
- We will not take any action in relation to a domain name registration unless we are satisfied that it has been received from the right person;
- We will require registrars to prove their identity, including by the use of unique identifiers and multi-factorial authentication where appropriate, when they submit transactions to our systems;
- Our registrars will be contractually obliged to maintain the security of their system identifiers and passwords and prevent the unauthorised disclosure of the same; and
- The registry will be operated in accordance with the Data Protection Act 1998 which, amongst other things, requires us to implement appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data.
Resourcing plan

We employ a dedicated Head of Information and Technology Security to help develop best-practice security policy and to liaise with national and international security agencies, organisations and groups in order to ensure that both Nominet and the TLDs that we operate are as secure as possible.

The implementation of our security policy is already in place. We have a dedicated security team and an infrastructure team of 15 staff from which we will dedicate the following resources to post launch maintenance tasks related to the security policies that will be used by the dot CYMRU registry.

- Maintenance, review and improvement of the security policy and arrangements: 5 hours a week by the Head of IT Security
- Technical support: 3 hours per week

Total post launch resource: 8 hours per week.