30(a) Security Policy: Summary of the security policy for the proposed registry

Prototypical answer:

gTLD: .政府
Full Legal Name: Net-Chinese Co., Ltd.
E-mail suffix: net-chinese.com.tw

30(a)-1 Demonstration of Security Capabilities

The .政府 registry not only addresses physical, network, server, and application security elements, but also consults with its back-end operator, TWNIC, to apply industry-best security practices. TWNIC has taken security into account and developed comprehensive security policies for the .政府 registry. In compliance with the relevant laws, regulations, and requirements, the policies cover administrative, technical and physical aspects in order to protect the registry's information assets.

The guidelines that will be used in the security policies of the .政府 TLD are listed below:
- TWNIC supports the right of privacy. The end user has the right to control the use of his/her personal data. TWNIC will follow domestic and international laws and regulations to protect users' privacy rights.
- TWNIC provides user guidelines for those who use TWNIC's resources or access sensitive information.
- TWNIC provides security training courses and related activities.
- TWNIC develops the policy for the physical protection of sensitive information/personal data and of the related equipment and infrastructure.
- TWNIC develops the policy for the technical protection of sensitive information/personal data, including data classification, labeling requirements, data retention, encryption and related technologies.
- TWNIC develops the policy for information risk management, which defines the risks, the responsibilities and roles of the personnel involved, the technologies and the procedures.
- TWNIC develops the policy for access control, which defines the various types of user accounts and systems and the related procedures.
- TWNIC develops the incident response policy, which identifies the various types of incidents, the responsibilities, and the procedures for reporting and responding to any security incident.
- TWNIC develops the policy for network security to prevent any security policy violation in TWNIC's network infrastructure.
- TWNIC develops the policy for log information monitoring and backup. It defines the various types of log information, the procedures for processing log information, and the roles and responsibilities in the different log information processes.
- TWNIC develops the policy for system maintenance. It describes all software, application, and system development performed by TWNIC and the security requirements for maintaining information systems.

The guidelines mentioned above are intended to ensure secure management and use of information resources, to protect the rights of end users, and to define the procedures and responsibilities in the different processes.

30(a)-2 Augmented Security Levels or Capabilities

TWNIC registry operation is subject to ISO audits based on the ISMS and QMS standards. TWNIC management takes responsibility for the testing of controls, and the third parties PWC and BSI conduct the internal and external audits respectively. The audit findings are reported to TWNIC in detailed audit documentation to confirm registry security and service quality.

The assessment is conducted by PWC and BSI, with testing divided into two phases:
- Internal Audit: TWNIC conducts an information asset assessment to identify information asset vulnerabilities, classified as high, medium and low risk, so that management can prioritize them and set different points of control. The internal audit then focuses on these points of control to confirm conformance with the ISO 27001 and ISO 9001 standards.
- External Audit: The external audit is conducted by the third party BSI to test conformance with the ISO 27001 and ISO 9001 standards, including access to registration data, change management and IT operations. TWNIC has been certified by BSI for ISO 27001 (latest issue: 12 May 2009) and ISO 9001 (latest issue: 17 May 2010) since 2004 and 2006 respectively.

30(a)-3 Commitments

The .政府 registry commits to a high level of security that is consistent with the needs of the .政府 TLD, as follows:
- Compliance with ISO 27001, including conformance with the ISO 27001 security procedures and practices and annual ISO internal and external audits of the registry systems.
- Continuing to develop the security policy, allocating all necessary resources to ensure information security, and providing a series of security training courses for system administrators, operators, and registrants.
- Pursuing a higher standard of registry security, including availability design, a multi-layered security architecture, authentication for access to registry systems, physical security access controls, and 24x7 network systems monitoring.

Similar gTLD applications: (0)