30(a) Security Policy: Summary of the security policy for the proposed registry

Prototypical answer:

30.1. NTT Groupʹs Information Security Policy and the Information Security related Documents
The Information Security Management Standard is defined in NTT (Holding Company) based on NTT Groupʹs Information Security Policy, which is defined as the top information security document in the NTT Group. Similarly, in terms of information system security, the Iinformation System Security Guideline is defined in NTT (Holding Company), based on the NTT Group Information System Security Guideline. In this section, key measures and procedures to operate registry services will be described in reference to these documents.
30.1.1. NTT Information Security Philosophy and NTT Groupʹs Information Security Policy
NTT fulfills its corporate social responsibilities by recognizing the importance of information in business activities, complying with the relevant laws and regulations such as the Personal Information Protection Act, utilizing information owned by the company in a safe manner based on the social principle. In addition, NTT has established the NTT Groupʹs Information Security Policy as the basic policy of information security in the whole NTT Group.
NTT Groupʹs Information Security Policy is described in #30.6 (NTT Groupʹs Information Security Policy).
30.1.2. Risk Management
NTT shall implement appropriate risk management strategies to support the maintenance and enlargement of the companyʹs value and the companyʹs persistent growth.
The details of .ntt risk management are described in #30.7 (Risk Management).
30.1.3. Information Security Organization
NTT shall establish an internal organization to manage information security and define the respective roles and responsibilities.
The details of information security organization are described in #30.8 (Information Security Organization).
30.1.4. Asset Management
NTT shall classify information in order to manage confidential information properly and all information shall be handled according to the classification level.
The details of asset management are described in #30.9 (Asset Management).
30.1.5. Human Resource Security
In order to prevent security breaches such as human error or misuse, NTT shall implement human resource security such as background checks and security trainings.
The details of human resource security are described in #30.10 (Human Resource Security).
30.1.6. Physical Security
NTT shall implement entry controls for NTT offices and registry related data centers to ensure that only authorized personnel are granted access and to prevent unauthorized access, interference and damage to its business premises.
The details of physical security are described in #30.11 (Physical Security).
30.1.7. Communications and Operations Management
In order to minimize the risk of systems failures, NTT shall establish communications and operations management such as third party service delivery management, network and strage capacity management, protection against malicious and mobile code, backup and monitoring.
The details of communications and operations management are described in #30.12 (Communications and Operations Management).
30.1.8. Access Control
Information systems shall be accessible to only the minimum required personnel and the activities within information system shall be traceable in order to check the responsibility and to prevent unauthorized use of information systems.
NTT shall implement access control such as user access management, privilege management, network access control, mobile computing and teleworking, protection against DoS⁄DDoS attacks and intrusion detection system.
The details of the above are described in #30.13 (Access Control).
30.1.9. Information Systems Acquisition, Development and Maintenance
While developing information systems, NTT shall conduct risk assessment and implement security measures which commensurate with the amount of the damage of failures or security incidents.
The details of information system acquisition, development and maintenance security are described in #30.14 (Information Systems Acquisition, Development and Maintenance).
30.1.10. Information Security Incident Management
NTT shall cope with security incidents rapidly to minimize the impact of damage by defining response procedures when security incidents occur or discovering any attempts which may lead to the security incident occurrence.
The details of information security incident response procedures are described in #30.15 (Information Security Incident Management).
30.1.11. Business Continuity Management
NTT shall ensure to provide the communication method and protect important communication in the occurrence of disaster by cooperating with the group companies etc., establish a disaster prevention organization and clarify the disaster emergency response in order to play a role as a designated public institution adequately.
The NTT Group shall plan and conduct disaster prevention training regularly to be able to carry out disaster prevention work safely and quickly.
30.1.12. Internal Audits
NTT shall conduct internal audits regularly to review the implementation of information security.
The details of internal audit procedures are described in #30.16 (Internal Audits).
30.2. Security Capability of the .ntt Registry Services
As described in the answers for #18 (Mission⁄purpose), the .ntt will restrict the registration and the use of the domain names to within NTT and NTT Subsidiaries and NTT projects that the maximum registration number for .ntt is no more than around 1,000.
The .ntt is built based not only on the best practice of the NTT Group information security but also on the knowledge and skills required to operate registry services, provided by the .ntt Registry Operator . This enable NTT to apply adequate security measures to the .ntt registry services.
30.3. Security Capabilities to the Other Answers in this Application
Various security measures are implemented in .ntt registry services based on the NTT Groupʹs Information Security Policy, the information security related documents.
Security measures implemented in five main registry functions, Shared Registration System, DNS, DNSSEC, Registry Data Publication Services (Whois, Zone File Access, Bulk Registration Data Access), Data Escrow, are described in #30.17 (Security measures implemented in the five main features of the .ntt registry services).
Further detailed technical and operational approaches to implement security measures are described in the other answers of ʹTechnical and Operational Capabilityʹ part of this application.
Also, the resourcing and financial planning are described in the answers of ʹʹFinancial Capabilityʹ part of this application.
30.4. Compliance with the Commitments Made to Registrants
NTT understands that it is very important to provide adequate security to .ntt registry services.
The following are the most important commitments made to registrants regarding its security levels.
- Compliance with the Personal Information Protection Act and its regulations and guidelines in Japan
- Handling registration information by following the ʺPersonnel Personal Information Management Regulationʺ
- Operation of DNSSEC on the basis of .ntt DPS
These commitments can be ensured by deploying security measures in accordance with the principles of the NTT information security related documents.
30.5. Reference Security Standards
In the security point of view, NTT refers to and shall comply with the following RFC and shall comply.
- RFC2870
ʺRoot Name Server Operational Requirements RFC 2870,ʺ IETF 〈http:⁄⁄www.ietf.org⁄rfc⁄rfc2870.txt〉

In addition, NTT refers to the following standards and shall implement their basic concepts of them, which are considered necessary to operate registry services.
- ISO⁄IEC 27001:2005,ISO⁄IEC 27002:2005,ISO⁄IEC 27005:2011
ʺInternational Organization for Standardization,ʺ International Organization for Standardization
〈http:⁄⁄www.iso.org⁄iso⁄home.htm〉

Similar gTLD applications: (0)