30(a) Security Policy: Summary of the security policy for the proposed registry
Prototypical answer:
gTLD | Full Legal Name | E-mail suffix | Detail | .LAT | ECOM-LAC Federaciòn de Latinoamèrica y el Caribe para Internet y el Comercio Electrònico | cabase.org.ar | View |
SECURITY POLICY SUMMARY
NIC Mexico, has been selected by eCOM-LAC as back end registry service provider for .LAT Registry, and as such it is responsibility of NIC Mexicoʹs IT department to provide adequate security controls on registry data and software systems, whether held centrally or remotely, to ensure the continued availability of registry services to the internet community and to ensure the integrity of all registry data.
SECURITY POLICIES
The purpose and objective of the Security Policy is to provide a framework to guarantee availability of registry services and data. With this in mind NIC Mexico will implement security policies to:
* Guarantee availability, confidentiality and integrity of registry data and systems. Registry data and systems are always available for legitimate users and authorized staff only.
* Ensure that all operations executed within registry applications and systems are accountable and traceable.
* Encourage management and staff to maintain an appropriate level of awareness that help them to follow security measures and policy defined to safeguard information assets and systems.
* To ensure that the organization is able to continue its commercial activities in the event of significant contingencies of any nature.
NIC Mexico’s infrastructure featuring 1+1 redundancy and a high availability cluster design provide for high availability of services for legitimate users. In case of a contingency, the Hot Backup Site can be operational in 4 hours or less.
NIC Mexico´s security design includes features like 2-factor authentication, whitelisting and the use of strong passwords and VPN’s to provide access to registry systems to legitimate users and authorized personnel only. Furthermore, NIC Mexico’s registry systems include fine-grain access controls built-in into applications with per-user access control lists and with supervisor confirmation for specific operations on registry objects.
ACCOUNTABILITY AND TRACEABILITY
Access will be granted only to authorized personnel and users. All their activity in the system will be logged and linked to before-and-after data history objects. This provides for accountability and traceability in case of something goes wrong. With this, a registry object’s state can be recovered or traced back to find the origin of the failure.
ONGOING WORK
Currently, NIC Mexico is working with a consultancy firm to formalize NIC Mexicoʹs security capabilities to be able get certified by the Mexican Government as a highly secured organization to be able to offer specialized services to the Mexican IRS in the near future. The capabilities required by Mexican Government are a customized set of requirements based on ISO 27001 Standard, ITIL and COBIT.
All this guidelines and best practices are being integrated in an IT Governance Model and Information Technology Management framework.
An independent assessment report is provided as part of the answer to this question. This assessment is based on controls defined by the Mexican government to verify that interested enterprises have the necessary capabilities and potential to take part on providing the required services.
NIC Mexico will take advantage of this certification to get its security policy and procedures formalized in preparation to get certified on ISO 27001.
SECURITY CAPABILITIES
IT Department is in charge of NIC Mexico’s security. They are in charge of all security related to: physical access to the main offices, computer security and also secure access to services like e-mail, file servers and other business applications and all security related to the datacenters and registry services: SRS, Whois, Data Escrow, DNS, DNSSEC.
BACKGROUND CHECKS CONDUCTED ON SECURITY PERSONNEL;
NIC Mexicoʹs HR department performs background checks on all candidates to obtain a job position in the organization. Routine personal and past work’s reference checks are performed on all candidates. Additionally NIC Mexico makes complementary investigations in case the candidate omitted information that could reveal facts that would be relevant for his or her job application.
SPECIAL SECURITY CAPABILITIES
Additionally to all security controls maintained by NIC Mexico, there is one that can be described as an augmented security capability available on NIC Mexicoʹs implementation. Mexican companies can use the NOM-151 which is a Mexican government norm to store digital messages in a special format, so that they are recognized and accepted in a trial.
This NOM-151 defines a series of cryotographic requirements that all digital messages must comply to be considered equivalent with physical evidence. In NIC Mexicoʹs implementation for registry services every transaction is recorded and by the end of the day, the system generates a digest with the digital footprint from all the commands executed during that day. This daily log of operations is, digitally signed and sent to a certiification provider, or digital notary. The validation includes a new digital signature so all the elements included in the digest are then protected with features like origin autenticationn and non repudiation.
Whith this it is not possible to alter the outcomes of any previously executed command without breaking the signature chain as it will not be possible to generate de same digest again.
SECURITY COMMITMENTS WITH REGISTRANTS
.LAT registry is committed to maintain registration services and data available to accredited registrars at all time. Additional measures will be in place to guarantee security and integrity of all registration data. All operations will be traceable back to the originating party, so it will be possiblle to verify any allegued discrepancies.
SUMMARY OF SECURITY POLICIES
NIC Mexico’s security policies cover the following aspects
Datacenter security
* The datacenter is located in a zone free of high-impact risks like gas stations, explosive materials plants.
* The datacenter has structural protection like perimeter walls and security gates
* The datacenter has infrastructure protections like fire detection and suppression systems, air conditioning systems, electric system monitoring and structured cabling for electric power and networking.
* The datacenter has a Disaster Recovery Plan
Access Control, to Datacenters and Main Offices
* The datacenter has permanent security personnel
* The datacenter has in place procedures for surveillance and facilities’ access including logs, ID’s and security cameras.
* The datacenter maintains multiple-level electronic access controls
* The datacenter have secure and critical zones properly signaled.
* Security personnel escort any supplier or maintenance crew at all times.
Telecommunications
* The datacenter has redundant highly secured connections to the internet
* All telecommunication devices are protected from power surges, and unauthorized physical and network access.
Network
* NIC Mexico’s corporative network only provides internet access to registered equipment.
* Access to networked resources other than the internet connection is provided by means of a secured VPN
* Access to the VPN is protected by a 2 factor authentication scheme
* NIC Mexico’s IT Staff use a special separated VPN to perform administrative tasks .
Computer equipment
* Computer equipment is physically secured and protected against power surges.
* Operative Systems are frequently updated and patched
* The capacity and performance of computer equipment is constantly revised and evaluated
* The time of all computer equipment is synchronized using a GPS-based Time Server.
* There are adequate procedures to identification retirement and disposal of hard drives or any storage device involved in the registry services being from failure, obsolescence or any other reason.
* All commands executed on NIC Mexico’s servers are logged and stored in a secure facility.
User Applications
* The systems architecture for user application is designed for high availability and fault tolerance.
* User applications include multi-level access control mechanisms
* User applications include strong passwords and two factor authentication when possible.
* There is a procedure for password management and control for both users and system⁄business managers.
* There is a policy and procedures for password generation and management
* User applications include audit logs
* There is a policy and procedures in place for audit logs management and control
* All communication between applications use secure protocols
* There is a basic security configuration standard for all servers and system applications
* Penetration testing on all applications is performed at least each semester.
* Secure encryption protocols are used for storing passwords and for all network traffic through public networks.
Database and Backups Security
* Registry Database will be encrypted for added security
* Backups will include Operative Systems, Databases and Applications
* Backups will be encrypted for enhanced security.
* Backups will be performed closely enough to comply with the Recovery Time and Recovery Point Objectives
* Audit logs will be included in the backup scheme and encrypted
* Backups will have at least one additional copy stored in an off-site secure facility.
* There will be a procedure for the secure disposal of backup media
Risk Management
* There will be a Risk Management scheme for the registry
* The Risk Management Scheme will define a team to identify and classify risks
* The Risk Management team will define risk response options
* The scheme will be revised and updated periodically
Change management
* Change Management Procedures are implemented
* Change Management considers changes to applications, infrastructure and all hardware related to Registry Services.
* There is a team or committee in charge of defining and approving changes to the infrastructure.
Capacity Management
* There are Capacity Management Procedures
* There are key performance indicators defined according to performance specifications included in the Registry Agreement.
* The indicators are and evaluated to identify deviations to correct them and see if they match with the anticipated growth of the registry’s capacity.
Incident Response
* There is an Incident Response procedure
* The Incident Response procedure will include criteria and definitions for opening, follow-up and closing the incident.
* Incident Response procedure considers a single point of entry⁄reporting to guarantee that the procedures are applicable to all reported incidents.
RESOURCES
The security of .LAT Technical infrastructure and registry services will be managed by NIC Mexico’s IT Department. The resources committed to this task are responsible of preserving the security and stability of the operations of NIC Mexico’s infrastructure that will support both .MX and .LAT Registry operations. All roles will serve both .MX and .LAT technical infrastructure, except where indicated as exclusive for .LAT operations.
IT department is responsible for all security policy and implementation.
The resources assigned to the technical operation and security of .LAT are as follows:
Role: Operations VP - 1 FTE
The Operations VP is in charge of maintaining both .MX and .LAT operations in a secure manner. The role is responsible for maintaining the secure and continuous operation of the registry infrastructure. His involvement includes planning, provisioning coordination and deployment of the infrastructure that supports secure registry operations.
Role: Infrastructure Manager
Role: Security Manager
Both roles are covered with 1 FTE
Role: System and Network Administrator – 2FTE
In charge of maintaining the operations of .MX and .LAT registry’s systems: SRS, (www and EPP), Whois, DNS operations including DNSSEC, Data Escrow, Security.
Also in charge of network management of .MX and .LAT including broadband connections, wireless links, network equipment, VoIP, routing, network security, IP address management, both IPv4 and IPv6.
Technical product Manager – 1FTE, exclusive for .LAT Registry Systems, Level 3 Support
Systems Development – 1 FTE exclusive for the .LAT Registry Systems
In charge of maintaining the registry systems aligned with business rules, security policies and functions of the organization. The Technical product Manager has access to NIC Mexico’s system development team in a “on demand” basis to perform preventive and corrective maintenance tasks or implement new functionality.
DAY TO DAY OPERATIONS
Day to day operations and customer support will be provided by eCOM-LAC and NIC Mexico at different levels. Business related matters, like payments and notifications, and policy related processes like UDRP, URS, Transfers, etc, will be handled by eCOM-LAC. Also a first level of technical support like network access and incident reporting will also be handled by eCOM-LAC. For security incidents and other issues of technical nature there will be support from NIC Mexico’s IT personnel.
The resources assigned to the operation of .LAT are as follows:
Customer Support, On Call, 24x7 – 1FTE, exclusive for .LAT Registry
Available to respond to customer inquiries 24x7 (Level 1 Support)
NOC, 24x7 –5 FTE (System Operators)
Available to respond to incident reports 24x7 (Level 2 Support)
Systems operators are in charge of receiving inquiries regarding registry system operations regarding .MX and .LAT systems. Work hours distribution guarantee 24x7 availability.
Similar gTLD applications: (0)
gTLD | Full Legal Name | E-mail suffix | z | Detail |