30(a) Security Policy: Summary of the security policy for the proposed registry

Prototypical answer:

1 Synopsis

This chapter provides a summary of the security policy for the proposed
dotDurban TLD to be provided and implemented by the ZA Central Reg-
istry.


2 Independant Assessment

The ZA Central Registry has developed and ISO27001 Information Security
Management System (ISMS) policy with an accreditation provider. The ZA
Central Registry is committed to obtaining ISO27001 certification. Further
details are included in Question 30b.


3 Registry Security Policy

The Registry Security Policy acts the overseeing policy for the following key
aspects:

Data Security:- The data security must be maintained to ensure data
integrity and confidentiality. All the policies and procedures for data
security are detailed in the Data Security Policy.

Hardware Security:- Hardware security must be instituted to maintain
system availability, integrity and confidentiality. All the policies and
procedures for hardware security are detailed in the Hardware Security
Policy.

Network Security:- Network must be secure to ensure system availabil-
ity, integrity and confidentiality. All the policies and procedures for
network security are detailed in the Network Security Policy.

Software Security:- Software security for all system services must be main-
tained to ensure system availability, integrity and confidentiality. All
the policies and procedures for software security are detailed in the
System Services Security Policy.

Physical Security:- Physical security must be maintained at all sites to
ensure system availability, integrity and confidentiality. All the poli-
cies and procedures for physical security are detailed in the Physical
Security Policy.

Threat Security:- Threats must be identified mitigated and managed to
ensure system availability, integrity and confidentiality. All the policies
and procedures for threats are detailed in the Threat Security Policy.

Issue Tracking System:- The registry must provide and maintain a issue
tracking system for tracking security incidents, the system will contain
all information detailed the Security Incident Report contained in the
Threat Response Procedure.

The Main Policy Statement is:
The ZA Central Registry must ensure the registry system main-
tains availability, integrity and appropriate confidentiality of all
information.
Compliance to the Registry Security Policy is ensured through the following
Compliance Clause:
The security measures will be tested and a report will be compiled
and reviewed by management in accordance with the security pol-
icy schedule to be defined by management.
Any reports required for decision making will be made available in a timely
manner prior to the policy compliance review date.
All processes and procedures are supported by reporting systems, allowing
timely access to required information.
Compliance is measured according to the success or failure of the above
mentioned key aspects as well as any other criteria identified by the man-
agement.


4 Data Security

The security policy governing Data Security is the ʺData Security Policyʺ
with the following Main Policy Statement:
The ZA Central Registry does ensure the protection of registry
system data and backups and prevent any unauthorised access.
The Data Security Policy address the following key aspects:

Access Control:- Access to registry system must be performed through
the following mechanisms:

1. Authentication in accordance with the following procedure:Authentication
Procedure
2. Access Control Lists (ACL) in accordance with the following pro-
cedure:Access Control List Procedure

Data Encryption:- All communication with the database must be over
encrypted SSL connections.
Private Keys:- Private Keys for zone signing must be stored in Hardware
Security Module HSM devices. These will be managed according to
the HSM Key Procedure.
Backups:- Backups are stored in secure storage and in secure off site stor-
age facilities. Backups are also encrypted and will be performed ac-
cording to the procedure detailed in the Backup Procedure.
Data Escrow:- dotDurban TLD conforms with ICANNʹs requirements on
registry data escrow as outlined by Specification 2 of the Agreement
as contained in the Applicant Guidebook. The procedure for handling
data escrow is defined in the Data Escrow Procedure.
Portable Storage:- Sensitive registry data must not be stored on portable
drives or USB flash disks unless required to by security procedure and
fully encrypted.

Compliance to the Data Security Policy is ensured through the following
Compliance Clause:
The security measures will be tested every 6 months and a report
will be compiled and reviewed by management. This period may
be reviewed at the discretion of the IT Manager.
Any reports required for decision making will be made available in a timely
manner prior to the policy compliance review date.
All processes and procedures are supported by reporting systems, allowing
timely access to required information.
Compliance is measured according to the success or failure of the abovemen-
tioned key aspects as well as any other criteria identified by the management.


5 Hardware Security

The security policy governing Hardware Security is the ʺHardware Security
Policyʺ with the following Main Policy Statement:
The ZA Central Registry must ensure the registry system hard-
ware including servers, HSMʹs and routers are protected from
unauthorised access.
The Hardware Security Policy address the following key aspects:

Physical Access:- Physical access to the area containing registry hardware
including servers, HSMʹs and routers are controlled by keycard and

biometric access control mechanisms. Keycards are used and issued
according to the Keycard Issuing Procedure.

Server Access:- All servers are housed in locked server cabinets.

Router Access:- All routers are housed in locked server cabinets.

HSM Access:- All HSMʹs are housed in locked server cabinets or locked
safes.

Console Access:- All console access is restricted by system level password
authentication and follow the procedures defined in the Authentication
Procedure.

Auditing Access:- All network access is logged and audited in accordance
with the Threat Detection Through Auditing section.

Compliance to the Hardware Security Policy is ensured through the following
Compliance Clause:
The security measures will be tested every 6 months and a report
will be compiled and reviewed by management. This period may
be reviewed at the discretion of the IT Manager.
Any reports required for decision making will be made available in a timely
manner prior to the policy compliance review date.
All processes and procedures are supported by reporting systems, allowing
timely access to required information.
Compliance is measured according to the success or failure of the abovemen-
tioned key aspects as well as any other criteria identified by the management.


6 Network Security

The security policy governing Network Security is the ʺNetwork Security
Policyʺ with the following Main Policy Statement:
The ZA Central Registry must ensure the registry system network
infrastructure routers are protected from unauthorised access and
DOS attacks.
The Network Security Policy address the following key aspects:

Firewall:- A Firewall is configured to limit connections according to an
ACL. The ACL will be operated in accordance with the Access Control
List Procedure

Routers:- Routers are secured by limiting access according to an ACL.
The ACL must be operated in accordance with the Access Control
List Procedure

DOS Mitigation:- A plan is in place to mitigate the effects of a DOS
attack. The procedures for mitigating security threats is detailed in
the Threat Mitigation Procedure.

Network Access:- Network access is controlled by the use of the following
2 mechanisms:

1. Authentication in accordance with the Authentication Procedure

2. Access Control Lists (ACL) in accordance with the Access Con-
trol List Procedure



Compliance to the Network Security Policy is ensured through the following
Compliance Clause:
The security measures will be tested every 6 months and a report
will be compiled and reviewed by management. This period may
be reviewed at the discretion of the IT Manager.
Any reports required for decision making will be made available in a timely
manner prior to the policy compliance review date.


7 System Service Security

The security policy governing System Service Security is the ʺSystem Service
Security Policyʺ with the following Main Policy Statement:
The ZA Central Registry must ensure the registry system software
is maintained and updated to prevent any security issues.
The System Service Security Policy address the following key aspects:

Operating System:- All registry systems run Ubuntu LTS 12.04 or newer.

Operating System Security Updates:- All security patches for operat-
ing systems that are identified as required by the registry system are
applied as follows:

Critical :- within 24 hours of the notice being received.
High :- within the next maintenance window.
Warning :- within the next 4 maintenance windows.

OpenSSL Software Updates:- All security updates to the OpenSSL li-
braries that are identified as required by the registry system are applied
as follows:
Critical :- within 24 hours of the notice being received.
High :- within the next maintenance window.
Warning :- within the next 4 maintenance windows.
OpenSSH Server Software Updates:- All security updates to the OpenSSH
server that are identified as required by the registry system are applied
as follows:
Critical :- within 24 hours of the notice being received.
High :- within the next maintenance window.
Warning :- within the next 4 maintenance windows.
BIND Server Software Updates:- All security updates to the BIND server
that are identified as required by the registry system are applied as
follows:
Critical :- within 24 hours of the notice being received.
High :- within the next maintenance window.
Warning :- within the next 4 maintenance windows.

Compliance to the System Security Security Policy is ensured through the
following Compliance Clause:
The security measures will be tested every 6 months and a report
will be compiled and reviewed by management. This period may
be reviewed at the discretion of the IT Manager.
Any reports required for decision making will be made available in a timely
manner prior to the policy compliance review date.
All processes and procedures are supported by reporting systems, allowing
timely access to required information.
Compliance is measured according to the success or failure of the abovemen-
tioned key aspects as well as any other criteria identified by the management.


8 Physical Security

The security policy governing Physical Security is the ʺPhysical Security
Policyʺ with the following Main Policy Statement:
The ZA Central Registry must ensure the registry system physical
sites are secure to prevent any unauthorized access.
The Physical Security Policy address the following key aspects:

Regulation Compliance:- The registry physical security measures com-
ply with local safety codes, building codes and fire prevention codes.

Building Access:- Building Access is controlled by the use of key cards.

Server Room Access:- Server Room Access is controlled by the use of
biometric testing.

Server Cabinet Access:- Server Cabinet Access is controlled by the use
of keys.

Access Auditing:- All access logs are kept for auditing purposes.

Compliance to the Physical Security Policy is ensured through the following
Compliance Clause:
The security measures will be tested every 6 months and a report
will be compiled and reviewed by management. This period may
be reviewed at the discretion of the IT Manager.
Any reports required for decision making will be made available in a timely
manner prior to the policy compliance review date.
All processes and procedures are supported by reporting systems, allowing
timely access to required information.
Compliance is measured according to the success or failure of the abovemen-
tioned key aspects as well as any other criteria identified by the management.


9 Threat Security

The security policy governing Threat Security is the ʺThreat Security Pol-
icyʺ with the following Main Policy Statement:
The ZA Central Registry must ensure the registry system man-
ages its security risk against threats identified.
The Threat Security Policy addresses the following key aspects:

Threat Identification:- Threats that are identified are reported on in ac-
cordance with the Threat Identification Procedure.

Threat Classification:- Threats are classified. Threat Classification must
be done in accordance with the Incident Severity Classification Proce-
dure.

Threat Detection:- Threats are identified through auditing logs. Threat
Detection is done in accordance with the Threat Auditing Procedure.

Threat Mitigation:- Threats are mitigated to reduce risk to the registry
system where reasonable. Threat mitigation is done in accordance
with the Threat Mitigation Procedure.

Threat Response:- Threats are responded to in accordance with the threat
classification and Threat Response Procedure.

Compliance to the Threat Security Policy is ensured by the following Com-
pliance Clause:
The security measures will be tested every 6 months and a report
will be compiled and reviewed by management. This period may
be reviewed at the discretion of the IT Manager.
Any reports required for decision making will be made available in a timely
manner prior to the policy compliance review date.
All processes and procedures are supported by reporting systems, allowing
timely access to required information.
Compliance is measured according to the success or failure of the abovemen-
tioned key aspects as well as any other criteria identified by the management.


10 Additional Information

Monitoring of systems for compliance to the abovementioned policies is per-
formed by various tools that review logs, monitor critical systems availabil-
ity, produce security reports and will escalate identified anomalies to the
network and system administrators on a 24x7 basis.


11 Commitment to Registrants

The ZA Central Registry is committing to running industry standard secu-
rity practices or higher where possible.


11.1 Registrant Rights

The registrant will retain control of their domain name, and in this regard
registrants must be able to choose the registrar they wish to use to maintain
the domain name. The registrar will not operate in such a way that the
registrant is locked-in, or such that their actions could make the registrant
reasonably believe that they are locked-in.

Similar gTLD applications: (3)