30(a) Security Policy: Summary of the security policy for the proposed registry

Prototypical answer:

Summary of Security Policies
The registry adopts standard registration policies without any specific services related to e.g. financial services. As such Criterion 5 is not applicable to The registry. The registry outsource the technical backend registry service to Qinetics. The registry will deploy Security Policy and Security Measures as adopted by Qinetics.

The policies established provides a comprehensive approach as highlight below, to identify and prevent unauthorized access, intrusion, loss of information and software error. Qinetics has wide experience on security implementation with successful implementation of ISO27001 in .HK registry system.

• Physical Security
Physical security is provided by data center. Only authorized personnel are allowed to enter the premises of the data center. Below are standard policies set:
o Data Center Access Policy
o Equipment Policy
o Site Visits Policy

• Network Security
This layer protects all equipment in the network from hacker or malicious attack. Another layer of sniffer (IPS) is put in place as second layer of screening. Security alarm will be triggered if there are abnormal activities in the network. Standard policies applied:
o Firewall Policy
o Denial of Services Policy
o System Monitoring Policy

• Host Security
At the server level, governance policy is required to establish control over access to the servers and movement of servers. Below are the standard policies to achieve control over these parameters:
o Server Access Policy

• Application Security
Security is built within the applications running on the servers. The applications are built using the well known Open Web Application Security Project (OWASP) security policy

• General
Other that the above policies, general policies below applied across the network, server, application and data center to ensure system and registrants are well protected:
o Password Policy
o Data Integrity Policy
o System audit Policy
o Security Patch Policy
o Security Response Policy
o Acceptable Use Policy

Security Assessment
Qinetics has engaged independent 3rd party auditor to perform product assessment which is inclusive of security assessment as 1 of the core assessment. The Malaysia MSC Product Assessment & Rating Standard was developed by TUV Rheinland Malaysia Sdn. Bhd., in collaboration with Macrofirm Technology Sdn. Bhd., under the commissioning of the Multimedia Development Corporation (MDeC). TUV Rheinland Malaysia is a member of TÜV Rheinland Group, a global leader in independent testing and assessment services. The TÜV Rheinland Group was established in 1872, and has offices located in over 490 locations in 61 countries on all five continents.

Existing software quality evaluation standards were used as the basis for the development and endorsement of the software quality criteria and sub-criteria to be assessed in MSC Malaysia Software Product Assessment and Rating Standard. This is also referred to as the “As-is Situation”. The standards used as the basis for development of this assessment standard are as follows:
• CMMI (Capability Maturity Model Integration) Ver. 1.3 Dev
• ISO⁄IEC 9126 (Software Engineering – Product Quality)
• ISO⁄IEC 14598 (Information technology - Software product evaluation)
• Common Criteria (CC)

In the product assessment, a total of 13 main requirements or criteria, divided into 6 process-related criteria (criteria in which the process of development of the software product is assessed) and 7 product-related criteria (criteria in which the developer’s methods to manage and ensure the actual performance of their software product is assessed), were identified for inclusion in the Standard. These criteria in turn were divided into a further 44 process-related sub-criteria and 32 product-related sub-criteria to make a total of 76 sub-criteria.

Evaluation Report
This evaluation report is based on the findings of the MSC Malaysia Product Assessment & Rating on-site product evaluation. As a supplement to the awarded rating, this report provides recommendations to improve the company’s methods of ensuring product quality.

The MSC Malaysia Product Assessment & Rating rates the product on 13 main criteria which are divided into:
1) Six (6) Process-related criteria, ie. criteria in which the process of development of the software product is assessed.
2) Seven (7) Product-related criteria, ie. criteria in which the developer’s methods to manage and ensure the actual performance of their software product itself is assessed.

Results of the evaluation are as below:
Overall % Compliance 97%
Process-Related Requirements:
- Requirements Management 95%
- Technical Solution 100%
- Product Integration 100%
- Validation 98%
- Verification 100%
- Support 100%

Product-Related Requirements:
- Functionality 100%
- Reliability 100%
- Security 91%
- Usability 92%
- Maintainability 100%
- Portability 96%
- Architectural Principles 97%

A copy of the Product Assessment Evaluation and Rating Report and Product Assessment Certificate is attached.

Similar gTLD applications: (3)