Back

30(a) Security Policy: Summary of the security policy for the proposed registry

gTLDFull Legal NameE-mail suffixDetail
.公司Computer Network Information Center of Chinese Academy of Sciences (China Internet Network Information Center)cnnic.cnView
30(a). Security Policy

In accordance with the security standard ISO 27001 (GB⁄T 22080), China Internet Network Information Center (CNNIC) has established an Information Security Management System (ISMS) to provide a complete set of security policies and corresponding security measures for ʺ.公司ʺ registry services.

The CNNIC-established ISMS has been certified by China Information Security Certification Center (ISCCC) accredited by China National Accreditation Service for Conformity Assessment (CNAS), accords with ISO 27001:2005 and the Statement of Applicability (SOA) thereof, and possesses relevant ISCCC certificates.

Meanwhile, CNNIC has made the security level commitments about vital business systems to registrants according to the state classified protection standard and put the security and safeguarding measures into place compliant with the security requirements of corresponding levels. Correspondingly, CNNIC has set up a system for regular self-inspection and for third-party security assessment to ensure the security level commitments can be achieved.

30(a).1 Overview of Security Policy

The security policies and corresponding security measures provided by CNNIC for ʺ.公司ʺ registry services are divided into two categories. One is for technical security and the other is for management security. Technical security includes physical security, network security, system security, application security, data security and auditing security. Management security involves security management organizations, security management personnel and security management rules. Relevant security policies conform to the following standards:

(1) YD⁄T2091-2010 Security Specification for Public DNS Resolution System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3460-1.htm)

(2) YD⁄T2140-2010 Technical Specification of DNS Security Framework (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3523-1.htm)

(3) YD⁄T 2136-2010 Technical Specifications of DNS Delegation (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3519-1.htm)

(4) YD⁄T 2245-2011 Security Protection Requirements for the Domain Name Registration System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3684-1.htm)

(5) YD⁄T 2246-2011 Security Protection Testing Requirements for the Domain Name Registration System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3685-1.htm)

(6) YD⁄T 2052-2009 Security Protection Requirements for the Domain Name System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3397-1.htm)

(7) YD⁄T 2053-2009 Security Protection Testing Requirements for the Domain Name System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3398-1.htm)

(8) Information Security Technology -- Baseline for Classified Protection of Information System Security (GB⁄T 22239-2008) (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show.php?source=gb&id=8623)

(9) GB⁄T 22080:2008 (ISO⁄IEC 27001:2005, IDT) Information technology-Security techniques-Information security management systems-Requirements (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show.php?source=gb&id=8618)

(10) GB⁄T 22081:2008 (ISO⁄IEC 27002:2005, IDT) Information technology-Security techniques-Code of practice for information security management (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-gb-8619-1.htm)

Below is an introduction of the above-mentioned various security policies.

30(a).1.1 Technical Security Policy

30(a).1.1.1 Physical Security Policy

All the systems related to ʺ.公司ʺ registry services are deployed in the Internet Data Center (IDC) rooms that meet the following security requirements:

(1) 7*24 on-site security personnel.

(2) A 7*24 video monitoring system is used to monitor the IDC room.

(3) Door-access cards and fingerprint identification technology are used for access control.

(4) Two separate circuits and one standby Uninterruptible Power Supply (UPS) are available to ensure uninterrupted power supply.

(5) Lightening-proof, fire prevention and anti-static measures are taken.

(6) All windows are equipped with infrared anti-theft alarm devices.

Furthermore, only authorized technicians (e.g. system administrators) are permitted to enter the IDC room for operations such as hardware or software update.

30(a).1.1.2 Network Security Policy

A full redundancy design is adopted for all the network equipments and links related to ʺ.公司ʺ registry services. Four security zones are respectively defined as an office subnet, a monitoring subnet, a service subnet and a database subnet according to their security level. Intrusion Detection Systems (IDS) and equipment against Denial of Service (DOS)⁄Distributed Denial of Service (DDOS) have been deployed by CNNIC.

All the servers for ʺ.公司ʺ registry services are protected by load balancers. Each server adopts the intranet IP address defined in Request for Comments (RFC) 1918. Important internal servers such as databases also adopt Intranet IP addresses to prevent Internet users from accessing these servers.

30(a).1.1.3 System Security Policy

All systems related to ʺ.公司ʺ registry services conform to the following security policies:

(1) Unnecessary services and processes are prohibited.

(2) Upgrading operating systems and important application programs shall be performed at a regular basis.

(3) Dynamic RSA token security systems shall be deployed for system authorization, access control and access password protection.

(4) Remote server management within the Intranet shall be performed through bastion hosts.

In addition, the CNNIC monitoring system monitors the use of server resources and service status in a real-time manner round the clock, and once an abnormity is detected, gives off an alarm. System-level scanning devices are used to perform systematic vulnerability scanning periodically for the internal and external networks and system reinforcement is performed very soon.

30(a).1.1.4 Application Security Policy

All applications related to ʺ.公司ʺ registry services conform to the following security policies:

(1) Shared Registration System (SRS)

(a) The SRS connection between the registrar and the registry shall adopt the Secure Sockets Layer (SSL) encryption technology, and a client certificate and a username⁄password shall be used to achieve the strong authentication to each registrar.

(b) If a registrar does not perform any operation within a preset period of time after successful login, SRS will automatically terminate the connection.

(c) Each registrarʹs login password in the SRS is restricted to within 6-32 characters, which is stored in an encrypted form.

(2) DNS service

(a) Hidden DNS resolution primary masters are established which are not connected with the Internet and which do not provide resolution service, so as to ensure the security of the original zone files of ʺ.公司ʺ.

(b) Transmission of zone files between hidden primary masters and each secondary server at each nameserver data center is achieved in the way of IPsec encryption, so as to achieve safe transmission of zone files of ʺ.公司ʺ.

(c) A monitoring system is set up to ensure data integrity in the process of generating and transmitting zone files of ʺ.公司ʺ .

(d) The specified security configuration regulations are formulated for the configuration of resolution software with inspection to the configuration at regular intervals (quarterly). If the items are not accordant with the regulations, they will be modified to keep the software configuration safe.

(e) Track the vulnerabilities of the resolution software by the specialized personnel and test and upgrade in time after detecting the vulnerabilities.

(3) Whois

(a) Whois only permits Internet usersʹ queries and no alteration is permitted.

(b) Whois Web servers are only used to transform Whois Web requests into WhoisD query requests and transmit such requests to WhoisD servers through load balancers. Then WhoisD servers are connected to Whois database to response to Whois queries.

(4) DNS Security Extensions (DNSSEC)

(a) The Hardware Security Module (HSM) used for Key Signing Key (KSK) signing is installed in a locked electro-magnetic shielding cabinet which can effectively prevent key disclosure from the interference of electro-magnetic signal.

(b) Both the HSM and the cabinet are placed in a separate room with access control measures and only authorized persons may get access to the cabinet.

(5) Internationalized Domain Names (IDN)

(a) To address the problem of phishing due to similarity of internationalized domain names, an system of Chinese domain similarity detection is established, through which phishing domain names related to ʺ.公司ʺ can be detected and then corresponding measures can be taken.

30(a).1.1.5 Data Security Policy

Only Database Administrators (DBA) who are responsible for maintenance are permitted to manage database servers. Only through specific management PCs and specific accounts can a DBA access a database server. For any change in the data and programs of an internal database, an application must be submitted through the procedures as specified for managing changes in internal databases. The application shall be reviewed by the DBA and the competent person before operations are performed at the presence of the DBA. CNNIC DBAs inspect the data backup of the database on a daily basis to make sure that the backup data is correct.Technical measures are taken to perform real-time check of the integrity of updated DNS zone files. A system has been established to guard against illegal alteration of websites to ensure data integrity of the websites related to ʺ.公司ʺ registry services. Important data of CNNIC are regularly backed up into the local tape library. Local and remote secondary operation centers have been built to realize backup of important data in the three operation centers in Beijing and Chengdu.

30(a).1.1.6 Auditing Security Policy

CNNIC formulated the thorough auditing technical methods and management measures:

CNNIC deploys the specified database auditing system to audit with the database orders, bastion hosts system to audit the server management operation and in addition, the specified centralized log collection and auditing system (LegendSec) to collect the logs of all network devices, servers and application systems, uniformly collecting and centralizing the logs to make the records.

CNNICʹs internal auditors use the database auditing system, bastion hosts system and log collection and auditing system to audit at each level and produce corresponding reports on a regular basis.

30(a).1.2 Management Security Policy

30(a).1.2.1 Security Management Organization

CINNIC has established a security management center which is responsible for ensuring the security of ʺ.公司ʺ registry services and for emergency response.

In addition to the security management center, CNNIC, to strength its ISMS, has also established, on the basis of the existing organizational structure, a ʺvirtualʺ information security management organization which consists of three tiers: the decision-making tier, the execution tier and the auditing tier.

30(a).1.2.2 Security Management Personnel

An investigation must be conducted on the background of the personnel responsible for security management related to ʺ.公司ʺ registry services to make sure that they are reliable enough in terms of educational level, work experiences, credibility, etc. The investigation should be carried out by the Personnel Department. All to-be security management personnel must be subject to background investigation.

30(a).1.2.3 Security Management Rules

Security management rules for ʺ.公司ʺ registry services are documents of the ISMS established by CNNIC. They consist of 4 tiers of documents: information security management manual; management specifications⁄measures⁄procedures⁄standards; implementation rules⁄operation guidelines⁄work guidance; and records⁄logs. See the figure below:

Please see Figure 1 in the attachment of Q30a_Attachment_Figure.

(1) The information security management manual is the guiding document for CNNIC information security management work. The manual contains such contents as information security policy, overall objective and control measures that are mentioned in the SOA and that have been implemented. Documents of the second and third tiers, such as management specifications and implementation rules can be regarded as documents supporting the information security management manual.

(2) Management specifications, measures, procedures and standards clearly define various management systems and technical control measures. Documents of the second tier provide methods and guidance for carrying out main activities of implementing the information security management system and for allocating duties. Lower-tier documents should also be referred to in implementing ISMS.

(3) Implementation rules, operation guidelines and work guidance are documents that give a detailed description of the processes mentioned in the second-tier documents. Consisting of work guidance, tables & lists, workflow charts, service standards and system manuals, documents of this tier give a detailed description of specific work and activities.

(4) Records and logs are used to keep record of various activities, serving as evidence that these activities meet the requirements of upper-tier documents. During the implementation of ISMS, a series of record tables and reports need to be kept to serve as the evidence that relevant preventive and corrective measures have been carried out.

30(a).2 Security Capability Assessment

30(a).2.1 Security Assessment Report

The CNNIC-established ISMS was certified on March 9, 2011 by ISCCC accredited by CNAS. With relevant ISCCC certificates, ISMS conforms to ISO 27001:2005 and the SOA thereof.

Please see Figure2 in the attachment of Q30a_Attachment_Figure.

30(a).2.2 Security Capability Test and Assessment

CNNIC carries out a security risk assessment at least once a year which covers classification and categorization of information assets; identification and assessment of risks; risk treatment plan and implementation thereof; continuous improvement of risk assessment, etc. The assessment results will serve as the basis for CNNIC to make decisions on overall risk management, to clearly understand the overall information risk it faces, and to formulate risk treatment measures and plans.

Meanwhile, CNNIC invites a third-party security service organization to conduct security inspection and assessment every year, the result of which will be used as an important basis for carrying out security-related work.

30(a).3 Security Level Commitment

30(a).3.1 Introduction to Classified Protection Standard

In compliant with the state classified protection standard, CNNIC has determined the security levels of the major services and made the commitments to the public to achieve the security requirements of corresponding levels according to the classes of protection standard.

According to the classified protection standard, information system is classified into five Classes from low to high depending on the importance to the state security, economic construction, social life, and the damage extent to the state security, social order, public interests, legal rights of citizen and other organizations. ʺGB⁄T 22239-2008 Information Security Technology--Baseline for Classified Protection of Information System Securityʺ clarifies the security requirements which information systems of different classes shall achieve as below:

Class I: can prevent the system from malicious attacks from individual-level threats with very little resources, ordinary natural disaster, and vital resources damage caused by other threats with corresponding damage extent. The system can be recovered for partial functions after it is damaged.

Class II: can prevent the system from the malicious attack from small-organization-level threats with little resources, common natural disaster, and important resources damage caused by other threats with corresponding damage extent. The important security vulnerabilities and incidents can be detected. Partial functions can be recovered within a specific period of time after the system is damaged.

Class III: under the unified security strategy, can prevent the system from the malicious attack from organization-level threats with relatively abundant resources, relatively serious natural disaster, and the major resources damage caused by other threats with corresponding damage extent. The security vulnerabilities and incidents can be detected. Most functions can be recovered relatively quickly after the system is damaged.

Class IV: under the unified security strategy, can prevent the system from the malicious attack from the state-level threats with abundant resources, serious natural disaster, and the resources damage caused by other threats with corresponding damage extent. The security vulnerabilities and incidents can be detected. All functions can be recovered promptly after the system is damaged.

Class V: not defined in the standard.

ʺInformation Security Technology -- Baseline for Classified Protection of Information System Security (GB⁄T 22239-2008)ʺ defines the security requirements for information systems with different classes. Based on this, ʺSecurity Protection Requirements for the Domain Name System (YD⁄T 2052-2009)ʺ and ʺSecurity Protection Requirements for the Domain Name Registration System (YD⁄T 2245-2011)ʺ further define the security requirements to domain name systems and domain name registration systems with different security classes. These security requirements are classified into the basic technical requirements and basic management requirements. Technical security requirements are related to the technology and security mechanism provided by the information system and achieved mainly through deployment of the software and hardware and the proper configuration of the security functions. Management security requirements are related to the activities various roles participate in and achieved by mainly controlling the activities of various roles from the angles of policies, regulations, procedures and records and so on.

30(a).3.2 Security Level Commitment

According to the classified protection standard of ʺInformation Security Technology -- Baseline for Classified Protection of Information System Security (GB⁄T 22239-2008)ʺ, ʺSecurity Protection Requirements for the Domain Name System (YD⁄T 2052-2009)ʺ and ʺSecurity Protection Requirements for the Domain Name Registration System (YD⁄T 2245-2011)ʺ, CNNIC undertakes the following security commitments to registrants:

(1) The DNS⁄DNSSEC service system provides global Internet users with ʺ.公司ʺ domain name resolution services. Class-4 protection is used for the primary operation centers and Class-3 protection for nameserver data centers (all nameserver data centers as one unit).

(2) With Class-3 protection, SRS service provides global users with ʺ.公司ʺ domain name registration service through registrars.

(3) With Class-3 protection, Whois service provides global users with ʺ.公司ʺ domain name query service.

CNNIC set up the corresponding security policy with the reference to the security requirements to information systems with the classes, and deploys the security assurance measures to satisfy each requirement in the standards and accept the examination of the third-party organizations.
gTLDFull Legal NameE-mail suffixDetail
.网络Computer Network Information Center of Chinese Academy of Sciences (China Internet Network Information Center)cnnic.cnView
30(a). Security Policy

In accordance with the security standard ISO 27001 (GB⁄T 22080), China Internet Network Information Center (CNNIC) has established an Information Security Management System (ISMS) to provide a complete set of security policies and corresponding security measures for ʺ.网络ʺ registry services.

The CNNIC-established ISMS has been certified by China Information Security Certification Center (ISCCC) accredited by China National Accreditation Service for Conformity Assessment (CNAS), accords with ISO 27001:2005 and the Statement of Applicability (SOA) thereof, and possesses relevant ISCCC certificates.

Meanwhile, CNNIC has made the security level commitments about vital business systems to registrants according to the state classified protection standard and put the security and safeguarding measures into place compliant with the security requirements of corresponding levels. Correspondingly, CNNIC has set up a system for regular self-inspection and for third-party security assessment to ensure the security level commitments can be achieved.

30(a).1 Overview of Security Policy

The security policies and corresponding security measures provided by CNNIC for ʺ.网络ʺ registry services are divided into two categories. One is for technical security and the other is for management security. Technical security includes physical security, network security, system security, application security, data security and auditing security. Management security involves security management organizations, security management personnel and security management rules. Relevant security policies conform to the following standards:

(1) YD⁄T2091-2010 Security Specification for Public DNS Resolution System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3460-1.htm)

(2) YD⁄T2140-2010 Technical Specification of DNS Security Framework (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3523-1.htm)

(3) YD⁄T 2136-2010 Technical Specifications of DNS Delegation (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3519-1.htm)

(4) YD⁄T 2245-2011 Security Protection Requirements for the Domain Name Registration System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3684-1.htm)

(5) YD⁄T 2246-2011 Security Protection Testing Requirements for the Domain Name Registration System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3685-1.htm)

(6) YD⁄T 2052-2009 Security Protection Requirements for the Domain Name System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3397-1.htm)

(7) YD⁄T 2053-2009 Security Protection Testing Requirements for the Domain Name System (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-yd-3398-1.htm)

(8) Information Security Technology -- Baseline for Classified Protection of Information System Security (GB⁄T 22239-2008) (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show.php?source=gb&id=8623)

(9) GB⁄T 22080:2008 (ISO⁄IEC 27001:2005, IDT) Information technology-Security techniques-Information security management systems-Requirements (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show.php?source=gb&id=8618)

(10) GB⁄T 22081:2008 (ISO⁄IEC 27002:2005, IDT) Information technology-Security techniques-Code of practice for information security management (http:⁄⁄www.ptsn.net.cn⁄standard⁄std_query⁄show-gb-8619-1.htm)

Below is an introduction of the above-mentioned various security policies.

30(a).1.1 Technical Security Policy

30(a).1.1.1 Physical Security Policy

All the systems related to ʺ.网络ʺ registry services are deployed in the Internet Data Center (IDC) rooms that meet the following security requirements:

(1) 7*24 on-site security personnel.

(2) A 7*24 video monitoring system is used to monitor the IDC room.

(3) Door-access cards and fingerprint identification technology are used for access control.

(4) Two separate circuits and one standby Uninterruptible Power Supply (UPS) are available to ensure uninterrupted power supply.

(5) Lightening-proof, fire prevention and anti-static measures are taken.

(6) All windows are equipped with infrared anti-theft alarm devices.

Furthermore, only authorized technicians (e.g. system administrators) are permitted to enter the IDC room for operations such as hardware or software update.

30(a).1.1.2 Network Security Policy

A full redundancy design is adopted for all the network equipments and links related to ʺ.网络ʺ registry services. Four security zones are respectively defined as an office subnet, a monitoring subnet, a service subnet and a database subnet according to their security level. Intrusion Detection Systems (IDS) and equipment against Denial of Service (DOS)⁄Distributed Denial of Service (DDOS) have been deployed by CNNIC.

All the servers for ʺ.网络ʺ registry services are protected by load balancers. Each server adopts the intranet IP address defined in Request for Comments (RFC) 1918. Important internal servers such as databases also adopt Intranet IP addresses to prevent Internet users from accessing these servers.

30(a).1.1.3 System Security Policy

All systems related to ʺ.网络ʺ registry services conform to the following security policies:

(1) Unnecessary services and processes are prohibited.

(2) Upgrading operating systems and important application programs shall be performed at a regular basis.

(3) Dynamic RSA token security systems shall be deployed for system authorization, access control and access password protection.

(4) Remote server management within the Intranet shall be performed through bastion hosts.

In addition, the CNNIC monitoring system monitors the use of server resources and service status in a real-time manner round the clock, and once an abnormity is detected, gives off an alarm. System-level scanning devices are used to perform systematic vulnerability scanning periodically for the internal and external networks and system reinforcement is performed very soon.

30(a).1.1.4 Application Security Policy

All applications related to ʺ.网络ʺ registry services conform to the following security policies:

(1) Shared Registration System (SRS)

(a) The SRS connection between the registrar and the registry shall adopt the Secure Sockets Layer (SSL) encryption technology, and a client certificate and a username⁄password shall be used to achieve the strong authentication to each registrar.

(b) If a registrar does not perform any operation within a preset period of time after successful login, SRS will automatically terminate the connection.

(c) Each registrarʹs login password in the SRS is restricted to within 6-32 characters, which is stored in an encrypted form.

(2) DNS service

(a) Hidden DNS resolution primary masters are established which are not connected with the Internet and which do not provide resolution service, so as to ensure the security of the original zone files of ʺ.网络ʺ.

(b) Transmission of zone files between hidden primary masters and each secondary server at each nameserver data center is achieved in the way of IPsec encryption, so as to achieve safe transmission of zone files of ʺ.网络ʺ.

(c) A monitoring system is set up to ensure data integrity in the process of generating and transmitting zone files of ʺ.网络ʺ .

(d) The specified security configuration regulations are formulated for the configuration of resolution software with inspection to the configuration at regular intervals (quarterly). If the items are not accordant with the regulations, they will be modified to keep the software configuration safe.

(e) Track the vulnerabilities of the resolution software by the specialized personnel and test and upgrade in time after detecting the vulnerabilities.

(3) Whois

(a) Whois only permits Internet usersʹ queries and no alteration is permitted.

(b) Whois Web servers are only used to transform Whois Web requests into WhoisD query requests and transmit such requests to WhoisD servers through load balancers. Then WhoisD servers are connected to Whois database to response to Whois queries.

(4) DNS Security Extensions (DNSSEC)

(a) The Hardware Security Module (HSM) used for Key Signing Key (KSK) signing is installed in a locked electro-magnetic shielding cabinet which can effectively prevent key disclosure from the interference of electro-magnetic signal.

(b) Both the HSM and the cabinet are placed in a separate room with access control measures and only authorized persons may get access to the cabinet.

(5) Internationalized Domain Names (IDN)

(a) To address the problem of phishing due to similarity of internationalized domain names, an system of Chinese domain similarity detection is established, through which phishing domain names related to ʺ.网络ʺ can be detected and then corresponding measures can be taken.

30(a).1.1.5 Data Security Policy

Only Database Administrators (DBA) who are responsible for maintenance are permitted to manage database servers. Only through specific management PCs and specific accounts can a DBA access a database server. For any change in the data and programs of an internal database, an application must be submitted through the procedures as specified for managing changes in internal databases. The application shall be reviewed by the DBA and the competent person before operations are performed at the presence of the DBA. CNNIC DBAs inspect the data backup of the database on a daily basis to make sure that the backup data is correct.Technical measures are taken to perform real-time check of the integrity of updated DNS zone files. A system has been established to guard against illegal alteration of websites to ensure data integrity of the websites related to ʺ.网络ʺ registry services. Important data of CNNIC are regularly backed up into the local tape library. Local and remote secondary operation centers have been built to realize backup of important data in the three operation centers in Beijing and Chengdu.

30(a).1.1.6 Auditing Security Policy

CNNIC formulated the thorough auditing technical methods and management measures:

CNNIC deploys the specified database auditing system to audit with the database orders, bastion hosts system to audit the server management operation and in addition, the specified centralized log collection and auditing system (LegendSec) to collect the logs of all network devices, servers and application systems, uniformly collecting and centralizing the logs to make the records.

CNNICʹs internal auditors use the database auditing system, bastion hosts system and log collection and auditing system to audit at each level and produce corresponding reports on a regular basis.

30(a).1.2 Management Security Policy

30(a).1.2.1 Security Management Organization

CINNIC has established a security management center which is responsible for ensuring the security of ʺ.网络ʺ registry services and for emergency response.

In addition to the security management center, CNNIC, to strength its ISMS, has also established, on the basis of the existing organizational structure, a ʺvirtualʺ information security management organization which consists of three tiers: the decision-making tier, the execution tier and the auditing tier.

30(a).1.2.2 Security Management Personnel

An investigation must be conducted on the background of the personnel responsible for security management related to ʺ.网络ʺ registry services to make sure that they are reliable enough in terms of educational level, work experiences, credibility, etc. The investigation should be carried out by the Personnel Department. All to-be security management personnel must be subject to background investigation.

30(a).1.2.3 Security Management Rules

Security management rules for ʺ.网络ʺ registry services are documents of the ISMS established by CNNIC. They consist of 4 tiers of documents: information security management manual; management specifications⁄measures⁄procedures⁄standards; implementation rules⁄operation guidelines⁄work guidance; and records⁄logs. See the figure below:

Please see Figure 1 in the attachment of Q30a_Attachment_Figure.

(1) The information security management manual is the guiding document for CNNIC information security management work. The manual contains such contents as information security policy, overall objective and control measures that are mentioned in the SOA and that have been implemented. Documents of the second and third tiers, such as management specifications and implementation rules can be regarded as documents supporting the information security management manual.

(2) Management specifications, measures, procedures and standards clearly define various management systems and technical control measures. Documents of the second tier provide methods and guidance for carrying out main activities of implementing the information security management system and for allocating duties. Lower-tier documents should also be referred to in implementing ISMS.

(3) Implementation rules, operation guidelines and work guidance are documents that give a detailed description of the processes mentioned in the second-tier documents. Consisting of work guidance, tables & lists, workflow charts, service standards and system manuals, documents of this tier give a detailed description of specific work and activities.

(4) Records and logs are used to keep record of various activities, serving as evidence that these activities meet the requirements of upper-tier documents. During the implementation of ISMS, a series of record tables and reports need to be kept to serve as the evidence that relevant preventive and corrective measures have been carried out.

30(a).2 Security Capability Assessment

30(a).2.1 Security Assessment Report

The CNNIC-established ISMS was certified on March 9, 2011 by ISCCC accredited by CNAS. With relevant ISCCC certificates, ISMS conforms to ISO 27001:2005 and the SOA thereof.

Please see Figure2 in the attachment of Q30a_Attachment_Figure.

30(a).2.2 Security Capability Test and Assessment

CNNIC carries out a security risk assessment at least once a year which covers classification and categorization of information assets; identification and assessment of risks; risk treatment plan and implementation thereof; continuous improvement of risk assessment, etc. The assessment results will serve as the basis for CNNIC to make decisions on overall risk management, to clearly understand the overall information risk it faces, and to formulate risk treatment measures and plans.

Meanwhile, CNNIC invites a third-party security service organization to conduct security inspection and assessment every year, the result of which will be used as an important basis for carrying out security-related work.

30(a).3 Security Level Commitment

30(a).3.1 Introduction to Classified Protection Standard

In compliant with the state classified protection standard, CNNIC has determined the security levels of the major services and made the commitments to the public to achieve the security requirements of corresponding levels according to the classes of protection standard.

According to the classified protection standard, information system is classified into five Classes from low to high depending on the importance to the state security, economic construction, social life, and the damage extent to the state security, social order, public interests, legal rights of citizen and other organizations. ʺGB⁄T 22239-2008 Information Security Technology--Baseline for Classified Protection of Information System Securityʺ clarifies the security requirements which information systems of different classes shall achieve as below:

Class I: can prevent the system from malicious attacks from individual-level threats with very little resources, ordinary natural disaster, and vital resources damage caused by other threats with corresponding damage extent. The system can be recovered for partial functions after it is damaged.

Class II: can prevent the system from the malicious attack from small-organization-level threats with little resources, common natural disaster, and important resources damage caused by other threats with corresponding damage extent. The important security vulnerabilities and incidents can be detected. Partial functions can be recovered within a specific period of time after the system is damaged.

Class III: under the unified security strategy, can prevent the system from the malicious attack from organization-level threats with relatively abundant resources, relatively serious natural disaster, and the major resources damage caused by other threats with corresponding damage extent. The security vulnerabilities and incidents can be detected. Most functions can be recovered relatively quickly after the system is damaged.

Class IV: under the unified security strategy, can prevent the system from the malicious attack from the state-level threats with abundant resources, serious natural disaster, and the resources damage caused by other threats with corresponding damage extent. The security vulnerabilities and incidents can be detected. All functions can be recovered promptly after the system is damaged.

Class V: not defined in the standard.

ʺInformation Security Technology -- Baseline for Classified Protection of Information System Security (GB⁄T 22239-2008)ʺ defines the security requirements for information systems with different classes. Based on this, ʺSecurity Protection Requirements for the Domain Name System (YD⁄T 2052-2009)ʺ and ʺSecurity Protection Requirements for the Domain Name Registration System (YD⁄T 2245-2011)ʺ further define the security requirements to domain name systems and domain name registration systems with different security classes. These security requirements are classified into the basic technical requirements and basic management requirements. Technical security requirements are related to the technology and security mechanism provided by the information system and achieved mainly through deployment of the software and hardware and the proper configuration of the security functions. Management security requirements are related to the activities various roles participate in and achieved by mainly controlling the activities of various roles from the angles of policies, regulations, procedures and records and so on.

30(a).3.2 Security Level Commitment

According to the classified protection standard of ʺInformation Security Technology -- Baseline for Classified Protection of Information System Security (GB⁄T 22239-2008)ʺ, ʺSecurity Protection Requirements for the Domain Name System (YD⁄T 2052-2009)ʺ and ʺSecurity Protection Requirements for the Domain Name Registration System (YD⁄T 2245-2011)ʺ, CNNIC undertakes the following security commitments to registrants:

(1) The DNS⁄DNSSEC service system provides global Internet users with ʺ.网络ʺ domain name resolution services. Class-4 protection is used for the primary operation centers and Class-3 protection for nameserver data centers (all nameserver data centers as one unit).

(2) With Class-3 protection, SRS service provides global users with ʺ.网络ʺ domain name registration service through registrars.

(3) With Class-3 protection, Whois service provides global users with ʺ.网络ʺ domain name query service.

CNNIC set up the corresponding security policy with the reference to the security requirements to information systems with the classes, and deploys the security assurance measures to satisfy each requirement in the standards and accept the examination of the third-party organizations.