Back

30(a) Security Policy: Summary of the security policy for the proposed registry

gTLDFull Legal NameE-mail suffixDetail
.theatreKey GTLD Holding Incwolfe-sbmc.comView
1 DETAILED DESCRIPTION OF PROCESSES AND SOLUTIONS DEPLOYED TO MANAGE LOGICAL SECURITY ACROSS INFRASTRUCTURE AND SYSTEMS, MONITORING AND DETECTING THREATS AND SECURITY VULNERABILITIES AND TAKING APPROPRIATE STEPS TO RESOLVE THEM
The Applicant’s selected backend registry services provider’s (Verisign’s) comprehensive security policy has evolved over the years as part of managing some of the world’s most critical TLDs. Verisign’s Information Security Policy is the primary guideline that sets the baseline for all other policies, procedures, and standards that Verisign follows. This security policy addresses all of the critical components for the management of backend registry services, including architecture, engineering, and operations.
Verisign’s general security policies and standards with respect to these areas are provided as follows:
• Architecture
• Information Security Architecture Standard: This standard establishes the Verisign standard for application and network architecture. The document explains the methods for segmenting application tiers, using authentication mechanisms, and implementing application functions.
• Information Security Secure Linux Standard: This standard establishes the information security requirements for all systems that run Linux throughout the Verisign organization.
• Information Security Secure Oracle Standard: This standard establishes the information security requirements for all systems that run Oracle throughout the Verisign organization.
• Information Security Remote Access Standard: This standard establishes the information security requirements for remote access to terminal services throughout the Verisign organization.
• Information Security SSH Standard: This standard establishes the information security requirements for the application of Secure Shell (SSH) on all systems throughout the Verisign organization.
• Engineering
• Secure SSL⁄TLS Configuration Standard: This standard establishes the information security requirements for the configuration of Secure Sockets Layer⁄Transport Layer Security (SSL⁄TLS) for all systems throughout the Verisign organization.
• Information Security C++ Standards: These standards explain how to use and implement the functions and application programming interfaces (APIs) within C++. The document also describes how to perform logging, authentication, and database connectivity.
• Information Security Java Standards: These standards explain how to use and implement the functions and APIs within Java. The document also describes how to perform logging, authentication, and database connectivity.
• Operations
• Information Security DNS Standard: This standard establishes the information security requirements for all systems that run DNS systems throughout the Verisign organization.
• Information Security Cryptographic Key Management Standard: This standard provides detailed information on both technology and processes for the use of encryption on Verisign information security systems.
• Secure Apache Standard: Verisign has a multitude of Apache web servers, which are used in both production and development environments on the Verisign intranet and on the Internet. They provide a centralized, dynamic, and extensible interface to various other systems that deliver information to the end user. Because of their exposure and the confidential nature of the data that these systems host, adequate security measures must be in place. The Secure Apache Standard establishes the information security requirements for all systems that run Apache web servers throughout the Verisign organization.
• Secure Sendmail Standard: Verisign uses sendmail servers in both the production and development environments on the Verisign intranet and on the Internet. Sendmail allows users to communicate with one another via email. The Secure Sendmail Standard establishes the information security requirements for all systems that run sendmail servers throughout the Verisign organization.
• Secure Logging Standard: This standard establishes the information security logging requirements for all systems and applications throughout the Verisign organization. Where specific standards documents have been created for operating systems or applications, the logging standards have been detailed. This document covers all technologies.
• Patch Management Standard: This standard establishes the information security patch and upgrade management requirements for all systems and applications throughout Verisign.
• General
• Secure Password Standard: Because passwords are the most popular and, in many cases, the sole mechanism for authenticating a user to a system, great care must be taken to help ensure that passwords are “strong” and secure. The Secure Password Standard details requirements for the use and implementation of passwords.
• Secure Anti-Virus Standard: Verisign must be protected continuously from computer viruses and other forms of malicious code. These threats can cause significant damage to the overall operation and security of the Verisign network. The Secure Anti-Virus Standard describes the requirements for minimizing the occurrence and impact of these incidents.

Security processes and solutions for this TLD are based on the standards defined above, each of which is derived from Verisign’s experience and industry best practice. These standards comprise the framework for the overall security solution and applicable processes implemented across all products under Verisign’s management. The security solution and applicable processes include, but are not limited to:
• System and network access control (e.g., monitoring, logging, and backup)
• Independent assessment and periodic independent assessment reports
• Denial of service (DoS) and distributed denial of service (DDoS) attack mitigation
• Computer and network incident response policies, plans, and processes
• Minimization of risk of unauthorized access to systems or tampering with registry data
• Intrusion detection mechanisms, threat analysis, defenses, and updates
• Auditing of network access
• Physical security

Further details of these processes and solutions are provided in Part B of this response.
1.1 Security Policy and Procedures for the Proposed Registry
Specific security policy related details, requested as the bulleted items of Question 30 – Part A, are provided here.
Independent Assessment and Periodic Independent Assessment Reports. To help ensure effective security controls are in place, the Applicant, through its selected backend registry services provider, Verisign, conducts a yearly American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA) SAS 70 audit on all of its data centers, hosted systems, and applications. During these SAS 70 audits, security controls at the operational, technical, and human level are rigorously tested. These audits are conducted by a certified and accredited third party and help ensure that Verisign in-place environments meet the security criteria specified in Verisign’s customer contractual agreements and are in accordance with commercially accepted security controls and practices. Verisign also performs numerous audits throughout the year to verify its security processes and activities. These audits cover many different environments and technologies and validate Verisign’s capability to protect its registry and DNS resolution environments. Figure ‎30A 1 lists a subset of the audits that Verisign conducts. For each audit program or certification listed in Figure ‎30A 1, Verisign has included, as attachments to the Part B component of this response, copies of the assessment reports conducted by the listed third-party auditor. From Verisign’s experience operating registries, it has determined that together these audit programs and certifications provide a reliable means to ensure effective security controls are in place and that these controls are sufficient to meet ICANN security requirements and therefore are commensurate with the guidelines defined by ISO 27001.

Augmented Security Levels or Capabilities. See Section 5 of this response.
Commitments Made to Registrants Concerning Security Levels. See Section 4 of this response.
2 SECURITY CAPABILITIES ARE CONSISTENT WITH THE OVERALL BUSINESS APPROACH AND PLANNED SIZE OF THE REGISTRY
Verisign, the Applicant’s selected backend registry services provider, is an experienced backend registry provider that has developed and uses proprietary system scaling models to guide the growth of its TLD supporting infrastructure. These models direct Verisign’s infrastructure scaling to include, but not be limited to, server capacity, data storage volume, and network throughput that are aligned to projected demand and usage patterns. Verisign periodically updates these models to account for the adoption of more capable and cost-effective technologies.
Verisign’s scaling models are proven predictors of needed capacity and related cost. As such, they provide the means to link the projected infrastructure needs of the TLD with necessary implementation and sustainment cost. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its scaling models, Verisign derived the necessary infrastructure required to implement and sustain this gTLD. Verisign’s pricing for the backend registry services it provides to the Applicant fully accounts for cost related to this infrastructure, which is provided as “Total Critical Registry Function Cash Outflows” (Template 1, Line IIb.G) within the Question 46 financial projections response.
3 TECHNICAL PLAN ADEQUATELY RESOURCED IN THE PLANNED COSTS DETAILED IN THE FINANCIAL SECTION
Verisign, the Applicant’s selected backend registry services provider, is an experienced backend registry provider that has developed a set of proprietary resourcing models to project the number and type of personnel resources necessary to operate a TLD. Verisign routinely adjusts these staffing models to account for new tools and process innovations. These models enable Verisign to continually right-size its staff to accommodate projected demand and meet service level agreements as well as Internet security and stability requirements. Using the projected usage volume for the most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as an input to its staffing models, Verisign derived the necessary personnel levels required for this gTLD’s initial implementation and ongoing maintenance. Verisign’s pricing for the backend registry services it provides to the Applicant fully accounts for cost related to this infrastructure, which is provided as “Total Critical Registry Function Cash Outflows” (Template 1, Line IIb.G) within the Question 46 financial projections response.
Verisign employs more than 1,040 individuals of which more than 775 comprise its technical work force. (Current statistics are publicly available in Verisign’s quarterly filings.) Drawing from this pool of on-hand and fully committed technical resources, Verisign has maintained DNS operational accuracy and stability 100 percent of the time for more than 13 years for .com, proving Verisign’s ability to align personnel resource growth to the scale increases of Verisign’s TLD service offerings.
Verisign projects it will use the following personnel role, which is described in Section 5 of the response to Question 31, Technical Overview of Proposed Registry, to support its security policy:
• Information Security Engineers: 11

To implement and manage the TLD as described in this application, Verisign, the Applicant’s selected backend registry services provider, scales, as needed, the size of each technical area now supporting its portfolio of TLDs. Consistent with its resource modeling, Verisign periodically reviews the level of work to be performed and adjusts staff levels for each technical area.
When usage projections indicate a need for additional staff, Verisign’s internal staffing group uses an in-place staffing process to identify qualified candidates. These candidates are then interviewed by the lead of the relevant technical area. By scaling one common team across all its TLDs instead of creating a new entity to manage only this proposed gTLD, Verisign realizes significant economies of scale and ensures its TLD best practices are followed consistently. This consistent application of best practices helps ensure the security and stability of both the Internet and this proposed gTLD, as Verisign holds all contributing staff members accountable to the same procedures that guide its execution of the Internet’s largest TLDs (i.e., .com and .net). Moreover, by augmenting existing teams, Verisign affords new employees the opportunity to be mentored by existing senior staff. This mentoring minimizes start-up learning curves and helps ensure that new staff members properly execute their duties.
4 SECURITY MEASURES ARE CONSISTENT WITH ANY COMMITMENTS MADE TO REGISTRANTS REGARDING SECURITY LEVELS
Verisign is the Applicant’s selected backend registry services provider. For this gTLD, no unique security measures or commitments must be made by Verisign or the Applicant to any registrant.
5 SECURITY MEASURES ARE APPROPRIATE FOR THE APPLIED-FOR gTLD STRING (FOR EXAMPLE, APPLICATIONS FOR STRINGS WITH UNIQUE TRUST IMPLICATIONS, SUCH AS FINANCIAL SERVICES-ORIENTED STRINGS, WOULD BE EXPECTED TO PROVIDE A COMMENSURATE LEVEL OF SECURITY)
No unique security measures are necessary to implement this gTLD. As defined in Section 1 of this response, Verisign, the Applicant’s selected backend registry services provider, commits to providing backend registry services in accordance with the following international and relevant security standards:
• American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA) SAS 70
• WebTrust⁄SysTrust for Certification Authorities (CA)
As defined in Section 1 of this response, Verisign, the Applicant’s selected backend registry services provider, commits to providing backend registry services in accordance with the following international and relevant security standards:
• American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA) SAS 70
• WebTrust⁄SysTrust for Certification Authorities (CA)

gTLDFull Legal NameE-mail suffixDetail
.닷넷VeriSign Sarlverisign.comView
1 DETAILED DESCRIPTION OF PROCESSES AND SOLUTIONS DEPLOYED TO MANAGE LOGICAL SECURITY
ACROSS INFRASTRUCTURE AND SYSTEMS, MONITORING AND DETECTING THREATS AND SECURITY
VULNERABILITIES AND TAKING APPROPRIATE STEPS TO RESOLVE THEM

Verisign’s comprehensive security policy has evolved over the years as part of managing some
of the world’s most critical TLDs. Our Information Security Policy is the primary guideline that
sets the baseline for all other policies, procedures, and standards that we follow. This security
policy addresses all of the critical components for the management of backend registry services,
including architecture, engineering, and operations.

Our general security policies and standards with respect to these areas are provided as follows:

Architecture

* Information Security Architecture Standard: This standard establishes the Verisign
standard for application and network architecture. The document explains the methods
for segmenting application tiers, using authentication mechanisms, and implementing
application functions.

* Information Security Secure Linux Standard: This standard establishes the
information security requirements for all systems that run Linux throughout the Verisign
organization.

* Information Security Secure Oracle Standard: This standard establishes the
information security requirements for all systems that run Oracle throughout the Verisign
organization.

* Information Security Remote Access Standard: This standard establishes the
information security requirements for remote access to terminal services throughout the
Verisign organization.

* Information Security SSH Standard: This standard establishes the information security
requirements for the application of Secure Shell (SSH) on all systems throughout the
Verisign organization.


Engineering

* Secure SSL⁄TLS Configuration Standard: This standard establishes the information
security requirements for the configuration of Secure Sockets Layer⁄Transport Layer
Security (SSL⁄TLS) for all systems throughout the Verisign organization.

* Information Security C++ Standards: These standards explain how to use and
implement the functions and application programming interfaces (APIs) within C++. The
document also describes how to perform logging, authentication, and database
connectivity.

* Information Security Java Standards: These standards explain how to use and
implement the functions and APIs within Java. The document also describes how to
perform logging, authentication, and database connectivity.


Operations

* Information Security DNS Standard: This standard establishes the information
security requirements for all systems that run DNS systems throughout the Verisign
organization.

* Information Security Cryptographic Key Management Standard: This standard
provides detailed information on both technology and processes for the use of
encryption on Verisign information security systems.

* Secure Apache Standard: We have a multitude of Apache web servers, which are
used in both production and development environments on the Verisign intranet and on
the Internet. They provide a centralized, dynamic, and extensible interface to various
other systems that deliver information to the end user. Because of their exposure and
the confidential nature of the data that these systems host, adequate security measures
must be in place. The Secure Apache Standard establishes the information security
requirements for all systems that run Apache web servers throughout the Verisign
organization.

* Secure Sendmail Standard: We use sendmail servers in both the production and
development environments on the Verisign intranet and on the Internet. Sendmail allows
users to communicate with one another via email. The Secure Sendmail Standard
establishes the information security requirements for all systems that run sendmail
servers throughout the Verisign organization.

* Secure Logging Standard: This standard establishes the information security logging
requirements for all systems and applications throughout the Verisign organization.
Where specific standards documents have been created for operating systems or
applications, the logging standards have been detailed. This document covers all
technologies.

* Patch Management Standard: This standard establishes the information security patch
and upgrade management requirements for all systems and applications throughout
Verisign.


General

* Secure Password Standard: Because passwords are the most popular and, in many
cases, the sole mechanism for authenticating a user to a system, great care must be
taken to help ensure that passwords are “strong” and secure. The Secure Password
Standard details requirements for the use and implementation of passwords.

* Secure Anti-Virus Standard: Verisign must be protected continuously from computer
viruses and other forms of malicious code. These threats can cause significant damage
to the overall operation and security of the Verisign network. The Secure Anti-Virus
Standard describes the requirements for minimizing the occurrence and impact of these
incidents.


Security processes and solutions for the KOREAN_TRANSLITERATION_OF_.NET gTLD are based on the
standards defined above, each of which is derived from our experience and industry best
practice. These standards comprise the framework for the overall security solution and
applicable processes implemented across all products under our management. The security
solution and applicable processes include, but are not limited to:

* System and network access control (e.g., monitoring, logging, and backup)

* Independent assessment and periodic independent assessment reports

* Denial of service (DoS) and distributed denial of service (DDoS) attack mitigation

* Computer and network incident response policies, plans, and processes

* Minimization of risk of unauthorized access to systems or tampering with registry data

* Intrusion detection mechanisms, threat analysis, defenses, and updates

* Auditing of network access

* Physical security


Further details of these processes and solutions are provided in Part B of this response.


1.1 Security Policy and Procedures for the Proposed Registry

Specific security policy related details, requested as the bulleted items of Question 30 – Part A,
are provided here.


Independent Assessment and Periodic Independent Assessment Reports

To help ensure effective security controls are in place, we conduct a yearly American Institute of
Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA)
SAS 70 audit on all of our data centers, hosted systems, and applications. During these SAS 70
audits, security controls at the operational, technical, and human level are rigorously tested.
These audits are conducted by a certified and accredited third party and help ensure that
Verisign in-place environments meet the security criteria specified in our customer contractual
agreements and are in accordance with commercially accepted security controls and practices.
We also perform numerous audits throughout the year to verify our security processes and
activities. These audits cover many different environments and technologies and validate our
capability to protect our registry and DNS resolution environments. Figure 30A-1 (see
Attachment VRSN_.netKor_Q30A_Figures for all figures in this response) lists a subset of the
audits that Verisign conducts. For each audit program or certification listed in Figure 30A-1, we
have included, as attachments to the Part B component of this response, copies of the
assessment reports conducted by the listed third-party auditor. (See VRSN_.netKor_Q30B-
1_Attachment_SAS70; VRSN_.netKor_Q30B-2_Attachment_KPMGSysTrust; VRSN_.netKor
_Q30B-3_Attachment_KPMG 10K; and VRSN_.netKor_Q30B-4_Attachment_InfoSecPolicy.)

From our experience operating registries, we have determined that together these audit
programs and certifications provide a reliable means to ensure effective security controls are in
place and that these controls are sufficient to meet ICANN security requirements and therefore
are commensurate with the guidelines defined by ISO 27001.


Augmented Security Levels or Capabilities

See Section 5 of this response.


Commitments Made to Registrants Concerning Security Levels
See Section 4 of this response.



2 SECURITY CAPABILITIES ARE CONSISTENT WITH THE OVERALL BUSINESS APPROACH
AND PLANNED SIZE OF THE REGISTRY

As an experienced backend registry provider, we have developed and use proprietary system
scaling models to guide the growth of our TLD supporting infrastructure. These models direct
our infrastructure scaling to include, but not be limited to, server capacity, data storage volume,
and network throughput that are aligned to projected demand and usage patterns. We
periodically update these models to account for the adoption of more capable and cost-effective
technologies.

Our scaling models are proven predictors of needed capacity and related cost. As such, they
provide the means to link the projected infrastructure needs of the KOREAN_TRANSLITERATION_OF_.NET gTLD
with necessary implementation and sustainment cost. Using the projected usage volume for the
most likely scenario (defined in Question 46, Template 1 – Financial Projections: Most Likely) as
an input to our scaling models, we derived the necessary infrastructure required to implement
and sustain this gTLD. Cost related to this infrastructure is provided as “Total Critical Registry
Function Cash Outflows” (Template 1, Line IIb.G) within the Question 46 financial projections
response.


3 TECHNICAL PLAN ADEQUATELY RESOURCED IN THE PLANNED COSTS DETAILED IN THE FINANCIAL SECTION

As an experienced backend registry provider, we have developed and use a set of proprietary
resourcing models to project the number and type of personnel resources necessary to operate
a TLD. We routinely adjust these staffing models to account for new tools and process
innovations. These models enable us to continually right-size our staff to accommodate
projected demand and meet service level agreements as well as Internet security and stability
requirements. Using the projected usage volume for the most likely scenario (defined in
Question 46, Template 1 – Financial Projections: Most Likely) as an input to our staffing models,
we derived the necessary personnel levels required for this gTLD’s initial implementation and
ongoing maintenance. Cost related to this infrastructure is provided as “Total Critical Registry
Function Cash Outflows” (Template 1, Line IIb.G) within the Question 46 financial projections
response.

We employ more than 1,040 individuals of which more than 775 comprise our technical work
force. (Current statistics are publicly available in our quarterly filings.) Drawing from this pool of
on-hand and fully committed technical resources, we have maintained DNS operational
accuracy and stability 100 percent of the time for more than 13 years for .com, proving our
ability to align personnel resource growth to the scale increases of our TLD service offerings.

We project we will use the following personnel role, which is described in Section 5 of the
response to Question 31, Technical Overview of Proposed Registry, to support our security
policy:

* Information Security Engineers: 11

To implement and manage the KOREAN_TRANSLITERATION_OF_.NET gTLD as described in this application, we
scale, as needed, the size of each technical area now supporting our portfolio of TLDs.
Consistent with our resource modeling, we periodically review the level of work to be performed
and adjust staff levels for each technical area.

When usage projections indicate a need for additional staff, our internal staffing group uses an
in-place staffing process to identify qualified candidates. These candidates are then interviewed
by the lead of the relevant technical area. By scaling one common team across all our TLDs
instead of creating a new entity to manage only this proposed gTLD, we realize significant
economies of scale and ensure our TLD best practices are followed consistently. This
consistent application of best practices helps ensure the security and stability of both the
Internet and this proposed gTLD, as we hold all contributing staff members accountable to the
same procedures that guide our execution of the Internet’s largest TLDs (i.e., .com and .net).
Moreover, by augmenting existing teams, we afford new employees the opportunity to be
mentored by existing senior staff. This mentoring minimizes start-up learning curves and helps
ensure that new staff members properly execute their duties.



4 SECURITY MEASURES ARE CONSISTENT WITH ANY COMMITMENTS MADE TO REGISTRANTS
REGARDING SECURITY LEVELS

For the KOREAN_TRANSLITERATION_OF_.NET gTLD, no unique security measures or commitments must be
made by Verisign to any registrant.



5 SECURITY MEASURES ARE APPROPRIATE FOR THE APPLIED-FOR gTLD STRING (FOR EXAMPLE,
APPLICATIONS FOR STRINGS WITH UNIQUE TRUST IMPLICATIONS, SUCH AS FINANCIAL SERVICES-ORIENTED
STRINGS, WOULD BE EXPECTED TO PROVIDE A COMMENSURATE LEVEL OF SECURITY)

No unique security measures are necessary to implement the KOREAN_TRANSLITERATION_OF_.NET gTLD. As
defined in Section 1 of this response, we commit to providing backend registry services in
accordance with the following international and relevant security standards:

* American Institute of Certified Public Accountants (AICPA) and Canadian Institute of
Chartered Accountants (CICA) SAS 70

* WebTrust⁄SysTrust for Certification Authorities (CA)