30(a) Security Policy: Summary of the security policy for the proposed registry

Prototypical answer:


Summary of Security Policies

The Registry will outsource the technical back-end registry service to Qinetics and will deploy the Security Policy and Security Measures adopted by Qinetics. These policies provide a comprehensive, layered approach, summarized below, to identify and prevent unauthorized access, intrusion, loss of information and software error. Qinetics has broad experience in security implementation, including a successful ISO 27001 implementation for the .HK registry system. The procedures, policies and infrastructure deployed for that ISO 27001 certification will be deployed for this extension.

In the following summary we will briefly address the following security elements:

1. Physical Security
2. Network Security
3. Server Level Security
4. Application Level Security

Furthermore, a General Policy Framework will be outlined and the result of an independent product assessment will be referenced.

1. Physical Security

Application and infrastructure security are built in layers. The first layer is the Physical Security Layer, provided by the data centers that will host the registry solution. Only authorized personnel are allowed on the data center premises. The data center has several physical security policies in place, including but not limited to a Data Center Access Policy, an Equipment Policy, a Site Visits Policy and Network Security. This layer protects all equipment in the network from physical tampering or malicious attack.

2. Network Security

On top of the Physical layer, a Network Security Layer provides monitoring and response policies to mitigate attacks against the network infrastructure. A set of network sniffers will screen all traffic to the registration system. Packets and traffic will be monitored continuously to detect and mitigate DDoS attacks and other malicious attempts to degrade network performance. A security alarm will be triggered when abnormal activity is observed on the network. Policies related to Network Security have been put in place and include, among others: Firewall Policy, Denial of Service Policy and mitigation plans, System Monitoring Policy, and Network Hosts Security.

3. Server Level Security

The Server Level Security policy layer enforces the policies and procedures that mitigate security issues at the server level. This includes management of, and attention to, security issues relating to the operating system and server extensions, together with access policies. These two sets of policies mitigate issues that could compromise security at the server and usage level of the registry services deployed. A governance policy will be developed and strictly enforced to control access to servers and the physical movement of servers.

4. Application Level Security

Security is built into the applications running on the servers. The applications are built following the well-known OWASP security guidance. The application is thus built, maintained and managed taking into account: 1) organizational management towards security threat mitigation, 2) a written policy, derived from strict standards and properly communicated across the organization to all related parties, 3) a development and maintenance methodology with thorough checkpoints and monitoring, and 4) a clearly devised process for the secure release and configuration of products, changes and procedures.

General Policy Framework

Furthermore, a strict set of policies has been structured at the General Level to guarantee consistent methods of access, usage and transmission of information within and outside the organization. These policies include:

- A Systemwide Password Policy that mandates general parameters for the use and maintenance of passwords.
- A Data Integrity Policy to enforce the integrity of information and infrastructure at the General Level of the Registry.
- A System Audit Policy to perform independent assessment of the security policies, procedures and implementations in place.
- A Security Patch Policy to structure upgrades and keep systems up to date.
- A Security Response Policy that guides every step to be taken in reaction to any materialized threat.
- An Acceptable Use Policy to define every user's acceptable behavior in relation to the Registry system.

Registrar Security: A Registrar Agreement will be in place incorporating the measures of the Policy Framework that relate to Registrars.

Product Assessment

Qinetics engaged an independent third-party auditor to perform a product assessment on 28 and 29 December 2011. The MSC Malaysia Product Assessment & Rating Standard was developed by TUV Rheinland Malaysia Sdn. Bhd., in collaboration with Macrofirm Technology Sdn. Bhd., under commission from the Multimedia Development Corporation (MDeC). TUV Rheinland Malaysia is a member of the TÜV Rheinland Group, a global leader in independent testing and assessment services. The TÜV Rheinland Group was established in 1872 and has offices in over 490 locations in 61 countries on five continents.

Existing software quality evaluation standards were used as the basis for the development and endorsement of the software quality criteria and sub-criteria assessed in the MSC Malaysia Software Product Assessment and Rating Standard. This is also referred to as the "As-is Situation". The standards used as the basis for this assessment standard are as follows:

- CMMI (Capability Maturity Model Integration) Ver. 1.3 Dev
- ISO/IEC 9126 (Software Engineering - Product Quality)
- ISO/IEC 14598 (Information technology - Software product evaluation)
- Common Criteria (CC)

In the product assessment, a total of 13 main requirements or criteria were identified for inclusion in the Standard, divided into 6 process-related criteria (assessing the process by which the software product is developed) and 7 product-related criteria (assessing the developer's methods for managing and ensuring the actual performance of the software product). These were further divided into 44 process-related sub-criteria and 32 product-related sub-criteria, 76 sub-criteria in total.

Evaluation Report

This evaluation report is based on the findings of the MSC Malaysia Product Assessment & Rating on-site product evaluation. As a supplement to the awarded rating, the report provides recommendations to improve the company's methods of ensuring product quality.

The MSC Malaysia Product Assessment & Rating rates the product on 13 main criteria, which are divided into:

1) Six (6) process-related criteria, i.e. criteria in which the process of development of the software product is assessed.
2) Seven (7) product-related criteria, i.e. criteria in which the developer's methods to manage and ensure the actual performance of the software product itself are assessed.

Results of the evaluation are as below:

Overall compliance: 97 %

Process-Related Requirements:

- Requirements Management 95 %
- Technical Solution 100 %
- Product Integration 100 %
- Validation 98 %
- Verification 100 %
- Support 100 %

Product-Related Requirements:

- Functionality 100 %
- Reliability 100 %
- Security 91 %
- Usability 92 %
- Maintainability 100 %
- Portability 96 %
- Architectural Principles 97 %

The assessment confirms the proper implementation of security policies and procedures by Qinetics. The Registry and Qinetics will constantly work together to further strengthen and improve security policies and procedures.

Resource and Operation Plan

On-hand resources:

- Qinetics has provided domain registration services for .HK, .SG, .MY, .CD, etc., with a long track record of success. Technical resources are on hand for the full implementation of the proposed Registry.
- The Registry team has run domain registration services for almost 3 years, very successfully in Colombia and in more than 10 countries around the world. The Registry team will be comprised of experienced executives in the domain registration business from Central Comercializadora de Internet (an ICANN Accredited Registrar). Resources are on hand for all the non-technical operations of the Registry. On-hand operational non-technical resources include:

- Project manager
- Two support specialists
- Technical leader

These resources are currently part of the team that runs Central Comercializadora de Internet (ICANN Accredited Registrar).

Resource activity plan:

Qinetics will deploy the Registry Service for the Registry using its existing system and infrastructure. During implementation of the Registry, new server hardware will be provisioned for the Registry service to allow configuration of all the Security Mechanisms.

The following human resources will be used:

- Project Manager
- Datacenter Engineer
- System Administrator
- Database Administrator
- Software Developer/Application Support
- Test Engineer

The Data Center Engineer will perform server provisioning and OS installation. Once the hardware is provisioned, the System Administrator will install the required software and perform security configuration. The assigned Software Developer will configure the rules that apply to the security requisites of the system. Once done, the Test Engineer will perform rigorous testing to ensure the system performs according to specification. When testing is completed, the registration system will be handed over to the System Administrator for deployment to the production environment. Throughout the process, a Project Manager is assigned to perform project management and overall control of the implementation. The Project Manager will conduct training for registry users on the specific behavior of domains under the registry.

After deployment

The system will be in maintenance mode after deployment. Any issue regarding the security of the system will be attended to immediately. Whenever there is a support ticket related to security, the Application Support Engineer and System Administrator will escalate the support request. The emergency response team will be activated whenever there is a catastrophic scenario at the highest severity.

From the Registry side, the Project Manager, support specialists and Technical Leader will handle issues related to administrative control, the non-technical relationship with Registrars, the relationship with ICANN, relationships with providers such as Qinetics, policy monitoring and management, etc.

Bug tracking

After an issue has been identified and a remedy is available, the Test Engineer will test the fix before deployment by the System Administrator. During maintenance, Qinetics will commit 4 resources to the 24 x 7 helpdesk, 4 data center engineers, 2 application support engineers, 1 support manager, 1 test engineer and 2 system administrators.

Continuous management

As part of ongoing policy changes, a team of software developers is available for any standards upgrades and necessary changes to the system setup. Changes will trigger the change request procedure in accordance with CMMI standards.

Similar gTLD applications: (2)

gTLD | Full Legal Name | E-mail suffix | z
.LEGAL | PRIMER NIVEL S.A. | mi.com.co | -4.04
.NEWS | PRIMER NIVEL S.A. | mi.com.co | -4.04