30(a) Security Policy: Summary of the security policy for the proposed registry

Applicant: .stream, dot Stream Limited (e-mail suffix: famousfourmedia.com)

The Applicant and our back-end operator, Neustar, recognize the vital need to secure the systems and the integrity of the data in commercial solutions. The Applicant’s registry solution will leverage industry-best security practices including the consideration of physical, network, server, and application elements.

The Applicant and Neustar’s approach to information security starts with comprehensive information security policies. These are based on the industry best practices for security including SANS (SysAdmin, Audit, Network, Security) Institute, NIST (National Institute of Standards and Technology), and Center for Internet Security (CIS). Policies are reviewed annually by Neustar’s information security team.

The following is a summary of the security policies that will be used in the Applicant’s registry, including:

1. Summary of the security policies used in the registry operations
2. Description of independent security assessments
3. Description of security features that are appropriate for the TLD
4. List of commitments made to registrants regarding security levels

All of the security policies and levels described in this section are appropriate for the Applicant’s registry.

30(a).1 Summary of Security Policies
Neustar, Inc. has developed a comprehensive Information Security Program in order to create effective administrative, technical, and physical safeguards for the protection of its information assets, and to comply with Neustar’s obligations under applicable law, regulations, and contracts. This Program establishes Neustar’s policies for accessing, collecting, storing, using, transmitting, and protecting electronic, paper, and other records containing sensitive information.

The Program defines:
- The policies for internal users and our clients to ensure the safe, organized and fair use of information resources.
- The rights that can be expected with that use.
- The standards that must be met to effectively comply with policy.
- The responsibilities of the owners, maintainers, and users of Neustar’s information resources.
- The rules and principles used at Neustar to approach information security issues.

The following policies are included in the Program:

1. Acceptable Use Policy
The Acceptable Use Policy provides the “rules of behavior” covering all Neustar Associates for using Neustar resources or accessing sensitive information.

2. Information Risk Management Policy
The Information Risk Management Policy describes the requirements for the on-going information security risk management program, including the roles and responsibilities for conducting and evaluating risk assessments, assessments of the technologies used to provide information security, and the monitoring procedures used to measure policy compliance.

3. Data Protection Policy
The Data Protection Policy provides the requirements for creating, storing, transmitting, disclosing, and disposing of sensitive information, including data classification and labeling requirements and the requirements for data retention. Encryption and related technologies such as digital certificates are also covered under this policy.

4. Third Party Policy
The Third Party Policy provides the requirements for handling service provider contracts, including specifically the vetting process, required contract reviews, and on-going monitoring of service providers for policy compliance.

5. Security Awareness and Training Policy
The Security Awareness and Training Policy provides the requirements for managing the on-going awareness and training program at Neustar. This includes awareness and training activities provided to all Neustar Associates.

6. Incident Response Policy
The Incident Response Policy provides the requirements for reacting to reports of potential security policy violations. This policy defines the necessary steps for identifying and reporting security incidents, remediation of problems, and conducting “lessons learned” post-mortem reviews in order to provide feedback on the effectiveness of this Program. Additionally, this policy contains the requirement for reporting data security breaches to the appropriate authorities and to the public, as required by law, contractual requirements, or regulatory bodies.

7. Physical and Environmental Controls Policy
The Physical and Environmental Controls Policy provides the requirements for securely storing sensitive information and the supporting information technology equipment and infrastructure. This policy includes details on the storage of paper records as well as access to computer systems and equipment locations by authorized personnel and visitors.

8. Privacy Policy
Neustar supports the right to privacy, including the rights of individuals to control the dissemination and use of personal data that describes them, their personal choices, or life experiences. Neustar supports domestic and international laws and regulations that seek to protect the privacy rights of such individuals.

9. Identity and Access Management Policy
The Identity and Access Management Policy covers user accounts (login ID naming convention, assignment, authoritative source) as well as ID lifecycle (request, approval, creation, use, suspension, deletion, review), including provisions for system/application accounts, shared/group accounts, guest/public accounts, temporary/emergency accounts, administrative access, and remote access. This policy also includes the user password policy requirements.

10. Network Security Policy
The Network Security Policy covers aspects of Neustar network infrastructure and the technical controls in place to prevent and detect security policy violations.

11. Platform Security Policy
The Platform Security Policy covers the requirements for configuration management of servers, shared systems, applications, databases, middle-ware, and desktops and laptops owned or operated by Neustar Associates.

12. Mobile Device Security Policy
The Mobile Device Security Policy covers the requirements specific to mobile devices with information storage or processing capabilities. This policy includes laptop standards, as well as requirements for PDAs, mobile phones, digital cameras and music players, and any other removable device capable of transmitting, processing or storing information.

13. Vulnerability and Threat Management Policy
The Vulnerability and Threat Management Policy provides the requirements for patch management, vulnerability scanning, penetration testing, threat management (modeling and monitoring) and the appropriate ties to the Risk Management Policy.

14. Monitoring and Audit Policy
The Monitoring and Audit Policy covers the details regarding which types of computer events to record, how to maintain the logs, and the roles and responsibilities for how to review, monitor, and respond to log information. This policy also includes the requirements for backup, archival, reporting, forensics use, and retention of audit logs.

15. Project and System Development and Maintenance Policy
The System Development and Maintenance Policy covers the minimum security requirements for all software, application, and system development performed by or on behalf of Neustar and the minimum security requirements for maintaining information systems.

30(a).2 Independent Assessment Reports
Neustar IT Operations is subject to yearly Sarbanes-Oxley (SOX), Statement on Auditing Standards No. 70 (SAS70) and ISO audits. Controls implemented by Neustar management in the areas of access to programs and data, change management and IT operations are tested by both internal and external SOX and SAS70 audit groups. Audit findings are communicated to process owners, the Quality Management Group and Executive Management. Actions are taken to make process adjustments where required, and remediation of issues is monitored by the internal audit and QM groups.

An external penetration test is conducted by a third party on a yearly basis. As authorized by Neustar, the third party performs an external penetration test to review potential security weaknesses of network devices and hosts and to demonstrate the impact to the environment. The assessment is conducted remotely from the Internet, with testing divided into four phases:

- A network survey is performed in order to gain a better knowledge of the network being tested.
- Vulnerability scanning is initiated against all the hosts discovered in the previous phase.
- Identification of key systems for further exploitation is conducted.
- Exploitation of the identified systems is attempted.

Each phase of the audit is supported by detailed documentation of audit procedures and results. Identified vulnerabilities are classified as high, medium and low risk to facilitate management’s prioritization of remediation efforts. Tactical and strategic recommendations are provided to management supported by reference to industry best practices.

30(a).3 Augmented Security Levels and Capabilities
The Applicant and its backend provider Neustar will provide the same high level of security provided across all of the registries it manages.

A key to Neustar’s operational success is Neustar’s highly structured operations practices. The standards and governance of these processes:
- Include annual independent review of information security practices
- Include annual external penetration tests by a third party
- Conform to the ISO 9001 standard (Part of Neustar’s ISO-based Quality Management System)
- Are aligned to Information Technology Infrastructure Library (ITIL) and COBIT best practices
- Are aligned with all aspects of ISO/IEC 17799
- Are in compliance with Sarbanes-Oxley (SOX) requirements (audited annually)
- Are focused on continuous process improvement (metrics driven with product scorecards reviewed monthly).

A summary view of Neustar’s security policy in alignment with ISO 17799 can be found in section 30(a).4 below.

BITS Recommendations
The Applicant will structure its policies around the BITS Recommendations where relevant to this gTLD.

The Applicant’s goal with this gTLD is to provide a safe and secure browsing experience for consumers of this gTLD. A domain within this gTLD that is owned, operated by or compromised by a malicious party could cause harm to consumers, to the TLD’s reputation and to the reputation of the Internet itself. As such, additional controls are in place relating to the validity of registrations, as well as additional measures to ensure the correct identity of both Registrants and Registrars relating to changes made within the SRS, and to protecting the integrity of the DNS service as a whole.

The Security Standards Working Group (SSWG) formed by BITS drafted a set of policy recommendations that should be applied to financial TLDs. The policy comprises a set of 31 recommendations that should be adopted by ICANN in evaluating any applicant for a financial TLD. The recommendations were posted by BITS in the form of a letter to ICANN at http://www.icann.org/en/correspondence/aba-bits-to-beckstrom-crocker-20dec11-en.pdf

We welcome the recommendations from SSWG and will strongly consider the recommendations relating to the implementation of this gTLD where considered relevant.

Coalition for Online Accountability (“COA”) Recommendations

The Applicant will structure its policies around the COA Recommendations where relevant to this gTLD.

The Applicant’s goal with this gTLD is to provide a safe and secure browsing experience for consumers of this gTLD. A domain within this gTLD that is owned, operated by or compromised by a malicious party could cause harm to consumers, to the gTLD’s reputation and to the reputation of the Internet itself. As such, additional controls are in place relating to the validity of registrations, as well as additional measures to ensure the correct identity of both Registrants and Registrars relating to changes made within the SRS, and to protecting the integrity of the DNS service as a whole.

The Coalition for Online Accountability has drafted a set of policy recommendations, also endorsed by many other international organizations representing the creative industries, that should be applied to entertainment gTLDs, especially those dependent on copyright protection. The policy comprises a set of 7 recommendations that should be adopted by ICANN in evaluating any applicant for an entertainment-based gTLD. The recommendations were posted by COA in the form of a letter to ICANN at http://bit.ly/HuHtmq.

We welcome the recommendations from the COA and will strongly consider the recommendations relating to the implementation of this gTLD where considered relevant.

30(a).4 Commitments and Security Levels
The Applicant’s registry commits to high security levels that are consistent with the needs of the TLD. These commitments include:

Compliance with High Security Standards
- Security procedures and practices that are in alignment with ISO 17799
- Annual SOC 2 Audits on all critical registry systems
- Annual 3rd Party Penetration Tests
- Annual Sarbanes Oxley Audits

Highly Developed and Documented Security Policies
- Compliance with all provisions described in section 30(a).4 below and in the attached security policy document.
- Resources necessary for providing information security
- Fully documented security policies
- Annual security training for all operations personnel

High Levels of Registry Security
- Multiple redundant data centers
- High Availability Design
- Architecture that includes multiple layers of security
- Diversified firewall and networking hardware vendors
- Multi-factor authentication for accessing registry systems
- Physical security access controls
- A 24x7 manned Network Operations Center that monitors all systems and applications
- A 24x7 manned Security Operations Center that monitors and mitigates DDoS attacks
- DDoS mitigation using traffic scrubbing technologies

We commit to the following:
- Safeguarding the confidentiality, integrity and availability of registrants’ data.
- Compliance with the relevant regulation and legislation with respect to privacy.
- Working with law enforcement where appropriate in response to illegal activity or at the request of law enforcement agencies.
- Validating requests from external parties requesting data or changes to the registry, to ensure the identity of these parties and that their request is appropriate. This includes requests from ICANN.
- That access to DNS and contact administrative facilities requires multi-factor authentication by the Registrar on behalf of the registrant.
- That Registry data cannot be manipulated in any fashion other than those permitted to authenticated Registrars using the EPP or the SRS web interface. Authenticated Registrars can only access Registry data of domain names sponsored by them.
- That a domain transfer can only be done by utilizing the AUTH CODE provided to the Domain Registrant.
- That emergency procedures are in place and tested to respond to extraordinary events affecting the integrity, confidentiality or availability of data within the registry.
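The sponsorship, AUTH CODE and multi-factor commitments above, modelled as a registry-side authorization check; this is an added example written for this page, not the Applicant's or Neustar's SRS code. The Registry, Session and Domain names are assumed, the registrar ids and domain names in the test are constructed, and the salted-hash storage of the AUTH CODE and the code rotation after a successful transfer are design choices of the example rather than statements of the application.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Domain:
    name: str
    sponsor: str        # sponsoring registrar id
    salt: bytes
    auth_hash: bytes    # salted hash of the AUTH CODE; the code itself is not stored


@dataclass
class Session:
    registrar: str      # authenticated registrar id (constructed values in the test)
    mfa_verified: bool  # registrar completed multi-factor authentication


def _hash_auth(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


class Registry:
    def __init__(self) -> None:
        self.domains: dict[str, Domain] = {}
        self.audit: list[tuple[str, str, str, str]] = []  # (op, registrar, domain, result)

    def _log(self, op: str, s: Session, name: str, result: str) -> None:
        self.audit.append((op, s.registrar, name, result))

    def _new_auth(self, dom: Domain) -> str:
        # issue a fresh AUTH CODE and store only its salted hash
        code = secrets.token_urlsafe(12)
        dom.salt = secrets.token_bytes(16)
        dom.auth_hash = _hash_auth(code, dom.salt)
        return code

    def create(self, s: Session, name: str) -> Optional[str]:
        """Create a domain; returns the AUTH CODE the registrar hands to the registrant."""
        if not s.mfa_verified or name in self.domains:
            self._log("create", s, name, "denied")
            return None
        dom = self.domains[name] = Domain(name, s.registrar, b"", b"")
        code = self._new_auth(dom)
        self._log("create", s, name, "ok")
        return code

    def update(self, s: Session, name: str) -> bool:
        """Only the MFA-authenticated sponsoring registrar may modify a domain."""
        dom = self.domains.get(name)
        ok = dom is not None and s.mfa_verified and dom.sponsor == s.registrar
        self._log("update", s, name, "ok" if ok else "denied")
        return ok

    def transfer(self, s: Session, name: str, auth_code: str) -> Optional[str]:
        """Gaining registrar presents the registrant's AUTH CODE; on success the sponsor changes and a fresh code is issued."""
        dom = self.domains.get(name)
        if dom is None or not s.mfa_verified:
            self._log("transfer", s, name, "denied")
            return None
        if not hmac.compare_digest(_hash_auth(auth_code, dom.salt), dom.auth_hash):
            self._log("transfer", s, name, "bad-auth-code")  # failed attempts stay in the audit trail
            return None
        dom.sponsor = s.registrar
        new_code = self._new_auth(dom)
        self._log("transfer", s, name, "ok")
        return new_code
```

Every denied or failed call is written to the audit list, which is the record a Monitoring and Audit process would review for repeated bad-auth-code attempts against one domain.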

The Applicant will further be implementing a thorough and extensive Abuse Prevention and Mitigation plan, designed to minimise abusive registrations and other detrimental activities that may impact security and negatively impact internet users. This plan includes the establishment of a single abuse point of contact, responsible for addressing matters requiring expedited attention and providing a timely response to abuse complaints concerning all names registered in the gTLD through all Registrars of record, including those involving a reseller. Details of this point of contact will be clearly published on the Applicant’s website.

The following is an overview of certain other security-related initiatives undertaken by the Applicant (see the response to Q28 for more detail):

- Policies and Procedures to Minimize Abusive Registrations
- Abuse Point of Contact
- Policies for Handling Complaints Regarding the Abuse Policy
- Acceptable Use Policy (“AUP”)
- Measures for removal of Orphan Glue records
- Measures to promote Whois accuracy both directly by the Registry and by Registrars via requirements in the Registry-Registrar Agreement (“RRA”):
  - Registry semi-annual WHOIS verification
  - Authentication of Registrant information as complete and accurate at time of registration
  - Regular monitoring of registration data for accuracy and completeness
  - Registrar self-certification
  - WHOIS Data reminder processes
  - Establishing policies and procedures to ensure Registrar compliance with policies, which may include audits, financial incentives, penalties, or other means
  - Registrar verification of WHOIS
- Policies and procedures that define malicious or abusive behavior
- Abuse Response Process
- Service Level Requirements for Resolution
- Service Level Requirements for Law Enforcement Requests
- Coordination with Industry Groups and Law Enforcement
- Controls to ensure proper access to domain functions:
  - Enabling two-factor authentication from Registrants to process update, transfer, and deletion requests
  - Enabling multiple, unique points of contact to request and/or approve update, transfer, and deletion requests
  - Enabling the notification of multiple, unique points of contact when a domain has been updated, transferred, or deleted
- Additional Abuse Prevention and Mitigation initiatives:
  - Additional Mechanism for Protection of Capital City Names
  - Additional Mechanisms to Protect and Reserve IGO Names
  - Increasing Registrant Security Awareness
  - Registrant Disqualification
  - Restrictions on Proxy Registration Services
  - Registry Lock Option

Resourcing Plans

The development and maintenance of the information security policies and practices are the primary responsibility of the Information Security team. As described in the response to Question 31, the information security team consists of highly trained security professionals. They establish security policies, actively monitor for intrusions and other nefarious activity, and ensure that all Neustar employees are adhering to Neustar’s security policies and best practices. These engineers ensure that the registry data is not compromised in any way.

The necessary resources to support all of the registry’s security needs will be pulled from the pool of resources described in detail in the response to Question 31. The following resources are available from the team:

- Information Security - 16 employees

The resources are more than adequate to support the security needs of all the TLDs operated by Neustar, including the Applicant’s registry.
