30(a) Security Policy: Summary of the security policy for the proposed registry

Prototypical answer:

gTLD: .SHOP | Full Legal Name: Commercial Connect LLC | E-mail suffix: dotShop.com

With e-commerce comes the obligation to comply with the PCI DSS security standard. We will comply with the standards published by the PCI Security Standards Council. http://www.nessus.org/solutions/compliance-solutions/regulatory-compliance/pci
We will use Center for Internet Security (CIS) benchmarks to perform a wide variety of Unix, Windows and application audits based on the best-practice consensus benchmarks developed by CIS. CIS benchmarks cover the following technologies:
• Applications
• Routers
• Desktop Operating Systems
• Server Operating Systems
• SQL Databases
We will use the SANS Consensus Audit Guidelines (CAG). The CAG is a compliance standard that specifies 20 "control points" identified through a consensus of federal and private-industry security professionals. (http://www.nessus.org/expert-resources/whitepapers/real-time-auditing-for-sans-consensus-audit-guidelines)
• Active scanning, patch auditing, passive network monitoring and process accounting help monitor for authorized and unauthorized software and devices.
• Active, passive and credentialed vulnerability scanning provides continuous and accurate monitoring for new security issues.
• Configuration auditing and file integrity monitoring of applications, desktops, routers and operating systems can be performed against a wide variety of government and commercial standards.
• Network and intranet perimeters can be monitored and correlated by aggregating logs from NIDS, firewalls, DMZ servers and netflow.
• Custom web applications can be audited with web application tests and logs from the applications can be monitored for abuse. Custom applications can also undergo rigorous configuration audits of the OS, application and SQL database.
• All user accounts and user activity can be strictly audited and monitored for abuse and suspicious activity.
• All web browsing can be passively logged and searched which enables analysis of botnets, malware and user activity.
• Anti-virus software can be audited to ensure it is working correctly. Logs from desktop, email, NIDS, gateway devices and "blacklisted" sites can be correlated for a complete view of your malware exposure.
• Full log searches as well as complete configuration audits can be used to accelerate your incident response efforts.
• Unauthorized wireless access points as well as desktops with incorrect wireless SSIDs can be identified.

We are compliant with Domain Name System Security Extensions (DNSSEC) for the .shop top-level domain. DNSSEC is designed to protect Internet servers from domain name system attacks, such as DNS cache poisoning by malicious users. It is a set of DNS extensions that provide 3 basic functions:

1. Data Origin Authentication - assures that data is received from the authorized DNS server; protects against impersonation attacks.
2. Data Integrity - assures that the data received matches the data on the origin DNS server and has not been modified in transit; protects against man-in-the-middle cache pollution attacks.
3. Authenticated Denial of Existence - assures that a "non-existent" response is valid.
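The third function above is the least intuitive: a resolver must be able to verify a negative answer. The following Python block is an added illustration, not part of the application or of any registry software, showing how a validating resolver checks that a signed NSEC record actually covers the queried name. The zone "example.shop", its NSEC chain and all function names are constructed assumptions, and RRSIG verification is assumed to have already succeeded.

```python
# Added example (not from the application): how a validating resolver checks a
# DNSSEC "authenticated denial of existence" proof built from NSEC records.
# The zone "example.shop" and its NSEC chain are constructed for illustration;
# RRSIG verification over each NSEC record is assumed to have already passed.

def canonical_key(name: str) -> tuple:
    """Sort key for DNSSEC canonical name ordering (RFC 4034 section 6.1):
    labels are compared right to left, case-insensitively, as byte strings."""
    stripped = name.strip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(label.encode() for label in reversed(labels))

def in_zone(apex: str, qname: str) -> bool:
    """True if qname is the apex or a name below it."""
    a = canonical_key(apex)
    return canonical_key(qname)[:len(a)] == a

def covers(owner: str, next_name: str, qname: str) -> bool:
    """True if the NSEC record 'owner -> next_name' proves qname does not exist.
    The last NSEC record of a zone wraps around to the apex, so its interval
    is 'everything after owner' plus 'everything before the apex'."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if q == o:
        return False            # the name exists: it owns an NSEC record itself
    if o < n:
        return o < q < n        # ordinary interval inside the chain
    return q > o or q < n       # wrap-around interval at the end of the chain

def denial_is_authenticated(nsec_chain, apex: str, qname: str) -> bool:
    """Accept an NXDOMAIN answer for qname only if the (signed) NSEC chain for
    the zone covers it. A full validator additionally checks the wildcard
    proof required by RFC 4035; that step is omitted here."""
    if not in_zone(apex, qname):
        return False            # a zone's NSEC chain cannot speak for other zones
    return any(covers(owner, nxt, qname) for owner, nxt, _types in nsec_chain)

# Constructed NSEC chain for the fictitious zone "example.shop" (not real data).
APEX = "example.shop."
NSEC_CHAIN = [
    ("example.shop.",       "alpha.example.shop.", ["SOA", "NS", "DNSKEY", "NSEC", "RRSIG"]),
    ("alpha.example.shop.", "mail.example.shop.",  ["A", "NSEC", "RRSIG"]),
    ("mail.example.shop.",  "example.shop.",       ["A", "MX", "NSEC", "RRSIG"]),
]

if __name__ == "__main__":
    for q in ("beta.example.shop.", "zzz.example.shop.", "alpha.example.shop."):
        print(q, "non-existence proven:", denial_is_authenticated(NSEC_CHAIN, APEX, q))
```

Without the signed NSEC interval, a forged NXDOMAIN for an existing name such as alpha.example.shop would be indistinguishable from a genuine one; with it, the resolver rejects the forgery because no record covers the name.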

Our Security Policy contains the following provisions and commitments to registrants and to our registrars:
I. Provisions for Data: We may access, copy, preserve, disclose, remove, suspend or delete any Data in accordance with privacy and security requirements.
II. Provisions for Intellectual Property Rights
III. Provisions for Confidentiality
IV. Our Server Monitoring Policy
V. Our Incident Response Policy
VI. Constant Review of Network Risks
VII. Personnel Background Checks of Security Personnel
VIII. Network Security Policy
IX. Vulnerability Scanning
X. Vulnerability Management
XI. Configuration Auditing
XII. Log Management
XIII. Acceptable Use Policy for Company Employees

These items are discussed further in Question 30b.

Continuous network monitoring has emerged as a critical best practice across governmental, commercial, and educational environments. It is essential in combating rapidly evolving security threats, improving our ability to manage new technology risks, and maintaining compliance with ever-increasing regulatory and audit requirements. We will be using toolkits for correlation and reporting, and analytical solutions that meet these requirements.
We will perform network scanning, patch auditing and configuration testing. We will offer real-time network and passive vulnerability scanning. Our solution monitors network traffic to discover new hosts and vulnerabilities continuously. Network traffic contains a tremendous amount of information that can be used to identify new web servers, SQL injection, missing patches, vulnerable web browsers, out-of-date SSL certificates and much more. Our combination of active and passive vulnerability and network monitoring allows for scalability.
