30(a) Security Policy: Summary of the security policy for the proposed registry
|gTLD||Full Legal Name||E-mail suffix||Detail|
|.公益||China Organizational Name Administration Center||conac.cn||View|
30 (a) Security Policy
Giving particular attention to the security of information and information systems, CONAC has developed comprehensive information security policy which is the guideline for secure operations of “.公益” TLD. CONAC’s security policies will be updated and improved to meet emerging security threats and changing conditions.
30.1 Independent Assessment Report of Security Performance
CONAC has established the quality and security management system in accordance with ISO 9001:2008 and ISO⁄IEC 27001:2005, and has obtained corresponding international certifications, which may be found at Table 1 of Q30(a)_attachment. CONAC internally assesses, and also engages third party risk assessment organization to assess the risks of “.公益” TLD registry system on a regular basis.
30.2 Security Level Commensurate with the Nature of the Applied-for gTLD String
30.2.1 Standard Compliance
CONAC commits to complying with the following standards.
1. International Standard for Quality Management
ISO 9001:2008 Quality management systems – Requirements
2. International Standards for Information Technology Service Management
ISO⁄IEC 20000-2:2005 Information technology - Service Management - Part 2: Code of practice
ISO⁄IEC TR 20000-3:2009 Information technology - Service Management - Part 3: Guidance on scope definition and applicability of ISO⁄IEC 20000-1
ISO⁄IEC TR 20000-5:2010 Information technology - Service management - Part 5: Exemplar implementation plan for ISO⁄IEC 20000-1
3. International Standards for Information Security Management Systems
ISO⁄IEC 27001:2005 Information technology - Information security management systems - Requirements
ISO⁄IEC 27002:2005 Information technology - Security techniques - Code of practice for information security management
ISO⁄IEC 27003:2010 Information technology - Security techniques - Information security management system implementation guidance
ISO⁄IEC 27004:2009 Information technology - Security techniques - Information security management – Measurement
ISO⁄IEC 27005:2008 Information technology - Security techniques - Information security risk management
4. National Standards or Specifications of the People’s Republic of China for the Classification of Security Protection Level of Computer Information System, Requirements on Each Security Level and Implementation Guides for Security Protection Level Related
GB 17859-1999 Classified criteria for security protection of computer information system
GB⁄T 22239-2008 Information security technology – Baseline for classified protection of information system security
GB⁄T 20269-2006 Information security technology - Information system security management requirements
GB⁄T 20270-2006 Information security technology - Basis security techniques requirement for network
GB⁄T 20271-2006 Information security technology - Common security techniques requirement for information system
GB⁄T 22240-2008 Information security technology - Information security technology - Classification guide for classified protection of information system security
GB⁄T 24363-2009 Information security technology - Specifications of emergency response plan for information security
GB⁄T 25058-2010 Information security technology - Implementation guide for classified protection of information system
GB⁄T 21052-2007 Information security technology - Physical security technical requirement for information system
GB⁄T 20984-2007 Information security technology - Risk assessment specification for information security
GB⁄Z 20985-2007 Information technology - Security techniques - Information security incident management guide
GB⁄Z 20986-2007 Information security technology - Guidelines for the category and classification of information security incidents
5. International Standards or National Standards of the People’s Republic of China for Security Protection of Domain Name System
IETF RFC6168 Requirements for management of name servers for the DNS
YD⁄T 2052-2009 Communication industry standard of the People’s Republic of China - Security protection requirements for the domain name system
6. Reference Website of the aforementioned Standards and Specifications
ISO series: http:⁄⁄www.iso.org;
National standard of the People’s Republic of China series: http:⁄⁄www.spc.net.cn;
Request for Comments (RFC): http:⁄⁄www.ietf.org;
Communication industry standard of the People’s Republic of China series and Guiding Technical Document for National Standard of the People’s Republic of China series: http:⁄⁄www.ccsa.org.cn
30.2.2 Description of the Standards Applied
CONAC mainly adopts two national standards, GB⁄T 22240-2008 and GB⁄T 22239-2008 for the classification of security protection levels of information and information system, and requirements on each security level. GB⁄T 22240-2008 stipulates that the security protection levels of the information system shall be classified on the basis of the degree of harm caused if the information system is damaged. There are five levels, Level 1 User Discretionary Security Protection, Level 2 System Auditing Protection, Level 3 Label Security Protection, Level 4 Structured Protection, and Level 5 Access Verification Security Protection. GB⁄T 22239-2008 stipulates a baseline for information system security commensurate with classified security protection levels. Until now, specific security requirements on Level 5 have not yet been released. Therefore, Level 4 is the highest level for information system security in actual use.
30.2.3 Security Demand of “.公益” TLD and Corresponding Security Levels
The “.公益” TLD seeks to provide a dedicated Chinese TLD for global public interest organizations that provide services in Chinese. With promotion of the influence and attraction of “.公益” TLD, it is expected to achieve a penetration rate of over 40% by the end of the year 2015. Meanwhile, overseas public interest organizations will be encouraged to register “.公益” domain names. The increasing registration volume of “.公益” domain names will offer them a favorable environment to provide even more efficient online services to Chinese language users. CONAC hopes to develop the TLD the most authoritative Chinese gTLD with the fewest disputes, and to eventually make it one of the most widely used Chinese gTLDs for public interest organizations providing services in Chinese. For details, please refer to the response to Question 18.
In light of the characteristics of public interest organizations (especially public interest organizations in China), CONAC believes that, after identifying and analyzing security risks, if the registry system of “.公益” TLD is sabotaged, the social order and public interest will be gravely damaged, or national network security may be impaired. If the core data area of “.公益” TLD is sabotaged, the social order and public interest will be severely damaged, or even the national network security will be greatly impaired. Therefore, the security level for the whole registry system of “.公益” TLD is set to level 3 as defined in GB⁄T 22240-2008, and meets Basic Security Requirements on Level 3 as defined in GB⁄T 22239-2008; the security level for core data area of “.公益” TLD is set to level 4 as defined in GB⁄T 22240-2008, and meets Basic Security Requirements on Level 4 as defined in GB⁄T 22239-2008.
30.2.4 Security Benchmark Evaluation
CONAC actively carries out risk analysis and assessment, on the basis of the security protection level, security risk assessment, as well as disaster backup and recovery defined in international standards or national standards of the People’s Republic of China of information technology security.
184.108.40.206 Risk Measurement Benchmark
The risk measurement is based on GB⁄T 20984-2007, ISO⁄IEC 27004:2009 and ISO⁄IEC27002:2005.
The financial value of confidentiality of one dataset is calculated by
(financial consequences due to loss of confidentiality in a typical incident)⁄( duration of a typical incident(in hours))
The financial value of availability for one hour is calculated by
(financial consequences due to loss of availability in a typical incident)⁄( duration of a typical incident (in hours))
The financial value of integrity of one dataset is calculated by
(financial consequences due to loss of integrity in a typical incident)⁄( duration of a typical incident (in hours))
220.127.116.11 Definition of Vulnerability
As per the definition and requirements of vulnerability in GB⁄T 20984-2007 as well as vulnerability assessment methods defined in ISO⁄IEC 27005:2008, CONAC rates vulnerability levels as very high, high, medium, low and very low. Following international norm, vulnerability levels are rated on the basis of scanning results of Nessus software.
18.104.22.168 Risk Level Rating
As per the definition of risks and related requirements in GB⁄T 20984-2007, CONAC rates the risk level of the equipments. Equipment is distributed in the primary operations center, the backup operations center, Network Operations Center (NOC) and other resolution sites. The risk levels of the equipment are rated as very high, high, medium, low and very low on the basis of the loss caused by a failure and whether there is a backup. The overall rating is determined by summing up the risk level and vulnerability level. The overall rating is provided to the chief responsible person for the equipment. The chief responsible person will provide the correction response, further develop specific access control policy, preventative measures, monitoring and a continuous improvement plan, and provide guidance on daily operation and maintenance.
30.3 Security Level Commitments
Overall “.公益” registry system complies with Basic Security Requirement on Level 3 defined in GB⁄T 22239-2008, and the core data area complies with Basic Security Requirement on Level 4 defined in GB⁄T 22239-2008. CONAC has issued the basic commitment of security level, Statement of Applicability (SOA), during which the applicability of all security controls is listed. For details about SOA, please refer to CONAC website www.conac.cn.
30.4 Security Capability
To meet ICANN requirements on security, CONAC has obtained ISO 9001:2008 and ISO⁄IEC 27001:2005 certification and established an information security protection system suitable for CONAC.
30.4.1 Information Security Management System
As per GB⁄T 20269-2006 and ISO⁄IEC 27001:2005, CONAC puts in place its own Information Security Management System (ISMS) by establishing CONAC Overall Strategy for Quality and Security Management as well as CONAC Information and Technology Management Mechanism, which cover 11 aspects such as the security policy, information security organization, asset management, human resources security, physical and environmental security, communications and operations management, access control, information system acquisition, development and maintenance, information security incident management, business continuity management and compliance. In compliance with Plan-Do-Check-Act (PDCA) model, CONAC has established a series of regulations, specifications and processes for information security risk management to ensure the constant improvement of the information security management system. For details about PDCA, please refer to Figure 1 of Q30(a)_attachment.
30.4.2 Information Security Technology System
CONAC utilizes a “defense-in-depth model” to build a comprehensive information security technology system at physical, network, server, data, application and business service levels. See Figure 2 of Q30(a)_attachment for the in-depth defense hierarchy. CONAC takes appropriate defense measures at each level. Details are as follow.
1. At the physical level, CONAC takes the following measures.
1) Geographical diversity of IDC rooms;
2) Security requirements for IDC rooms, including (1) access card, and (2) fingerprint identification;
3) Security management for IDC rooms, including managing the entry and exit of equipment and visitors;
4) Power supply including (1) redundant power access, (2) providing Uninterrupted Power Supply (UPS), and (3) provision of electric generator.
2. At the network level, CONAC takes the following preventive measures.
1) Link redundancy and equipment redundancy;
2) Using firewall for access control;
3) DDoS prevention and traffic cleansing;
4) Configuring Intrusion Detection System ⁄Intrusion Prevention System (IDS) ⁄ (IPS);
5) Auditing the operation log of network devices;
6) Reasonable division of security zone;
7) Distributed deployment of multiple resolution sites;
8) Data are synchronized via VPN and monitoring information is transmitted via VPN;
9) Binding of IP address and media access control (MAC) at the network border of DNS;
10) Idle port disabled.
To detect problems, CONAC uses intrusion prevention and security auditing.
3. At the server level, CONAC takes the following preventive measures.
1) Servers use load balancing;
3) Scanning for security loopholes of the servers;
4) Reinforcing the security configuration of the servers;
5) Identity authentication and access control;
6) Malicious code resistance;
7) Asset control including (1) asset management, (2) configuration management, (3) status record, and (4) archived file for equipment configuration;
8) Magnetic tape eraser is used to remove all information in the disused critical equipments so as to prevent vital information from disclose.
To detect problems, CONAC uses intrusion prevention and security auditing.
4. At data level, disaster recovery data backup is used, and anomalous traffic is monitored.
5. At the application level, preventive security measures are adopted from the following aspects.
1) Secure management of application system development;
2) Deployment of firewalls at application layer;
3) Application security gateway;
4) Security of application code;
5) Security auditing;
6) Resolution sites are connected by dedicated line or VPN;
7) Resolution application uses F5 or Open Shortest Path First (OSPF) for load balancing;
8) Limiting concurrent connection number and maximum connection number;
9) Access control.
To detect problems, CONAC monitors application availability, Trojan horse, and application security.
6. At a business services level, business operation is standardized, and problems can be detected through continuous business monitoring and a business risk warning system.
7. From a human resources perspective, CONAC takes the following preventive measures.
1) Signing Employee Confidentiality Agreement and conducting background check prior to an employee starting work.
2) Leaving and transferring: special flows and record sheet will be used to ensure that related permissions are cancelled if the employee leaves or transfers from the current role.
8. From a security training perspective, CONAC takes the following measures.
1) Conducting annual information security awareness training;
2) ISO⁄IEC 27001:2005 training for the information security officer of each department (i.e. internal auditor);
3) Security technology training for security engineers by security service providers;
4) Security programming training to software engineers by security service providers;
5) Training on security device usage and basic security technology to software engineers by security engineers.
All security controls including security plans, security baselines and operation regulations are established in accordance with the characteristics of SRS, WHOIS, DNS, DNSSEC, data escrow, monitoring system, network and network management system, in a bid to guarantee the registry system of “.公益” TLD has security prevention capability, security monitoring capability, security response capability and security recovery capability.
1. Prevention capability
During the development of the security technology system, CONAC reinforces the development of technical capability and strategies for the access control protection, on the basis of the requirements on the access control strategy defined in GB⁄T 20270-2006. CONAC not only adopts security access control technologies, but also develops a series of access control regulations, processes and specifications. The access controls mainly include physical access control, network access control, operating system access control, application access control, user access control and external personnel access control.
2. Monitoring capability
At the security incident monitoring level, CONAC establishes the Network Operations Center (NOC), develops detailed monitoring and failure processing procedures, and has sound security monitoring system, on the basis of the requirements on detecting and reporting security incidents defined in GB⁄Z 20985-2007. CONAC monitoring system utilizes advanced network management software to provide 7X24X365 monitoring to SRS, WHOIS, DNS, DNSSEC, data escrow and other business systems so as to detect the failure and manage the failure in a timely manner. For details, please refer to section 42.2 of Question 42.
3. Incident response capability
On the basis of the requirements on security incident response defined in GB⁄Z 20985-2007, CONAC develops security incident reporting and handling management mechanisms, which specify the management responsibility of the security incident in the process of onsite handling, incident reporting and post recovery, identify the level of the computer security incidents according to the effect of the incident in the system, define the security incident reporting and response procedures, and determine the incident reporting flow, response and handling scope, extent and method. For details, please refer to section 42.3 of Question 42.
4. Emergency recovery capability
As per requirements on emergency plans for security defined in GB⁄T 24363-2009, CONAC develops a uniform framework under which the emergency response plans are made for different incidents. The framework for emergency response plan includes the condition of triggering the emergency plan, emergency response procedures, system recovery procedures, lessons drawn from the emergency, training, and regular walkthroughs.
In order to ensure the recovery of data and the entire system in a timely manner, in case of the failure of registry system, data loss or regional disasters (earthquake, fire, flood, war, etc.), CONAC establishes a series of backup and recovery management mechanisms, specifications and procedures, and requires to regularly execute the recovery procedure, checks and tests the effectiveness of the backup media to ensure the backup recovery can be completed in the time length specified by the recovery procedure. For details, please refer to the response to Question 39.
30.4.3 Information Security System for Operation and Maintenance
For system operation and maintenance, CONAC defines a series of secure operation and maintenance specifications including management in 5 major areas, IDC room, assets, network, systems and security, in accordance with GB⁄T 20269-2006, ISO⁄IEC TR 20000-5:2010 and ISO⁄IEC 27001:2005. The IDC room management includes the environment management and infrastructure management. The asset management includes the asset and medium management. The network management includes the network performance monitoring and security management. The system management includes the system performance monitoring and backup and recovery management. The security management includes the log auditing and analysis, malicious code prevention, security incident management and emergency response plan management. For the classification, associated mechanism, operation procedures, forms and records, and reports for operation and maintenance IDC room, asset, network, system and security management, please refer to Figure 3 of Q30(a)_attachment.
Similar gTLD applications: (1)
|gTLD||Full Legal Name||E-mail suffix||z||Detail|
|.政务||China Organizational Name Administration Center||conac.cn||-3.64||Compare|