30(a) Security Policy: Summary of the security policy for the proposed registry
|gTLD||Full Legal Name||E-mail suffix||Detail|
Applicant Citigroup Inc. (“Applicant”) and its back-end operator, Neustar, recognize the vital need to secure the systems and the integrity of the data in commercial solutions relating to the .BANAMEX TLD (“TLD”). The TLD registry solution will thus leverage industry-best security practices including the consideration of physical, network, server, and application elements.
The following is a summary of the security policies that will be used in the TLD, including:
1. Summary of the security policies used in the registry operations
2. Description of independent security assessments
3. Description of security features that are appropriate for the TLD
4. List of commitments made to registrants regarding security levels
All of the security policies and levels described in this section are appropriate for the Applicant’s financial services registry.
Summary of Applicant’s Security Policies
Applicant’s information and data security policies abide by industry standards for the financial services industry, and they will apply to any information and data received by the Applicant relating to the TLD registry. Indeed, online security and protecting confidential information is of the utmost importance to Applicant. Applicant believes that good security covers all the bases—sophisticated technology, as well as the most stringent principles of privacy. Below, Applicant outlines a few of the ways it safeguards Internet users’ current online experience at its websites and how it will do so in relation to the TLD registry, if it ever uses the TLD with the public.
Strong Encryption—To ensure security while accessing its password-protected websites, Applicant employs 128-bit encryption and Secure Sockets Layer. 128-bit encryption, the strongest level of encryption generally available today, provides high-level security for these transmissions and is the industry standard for electronic financial transactions.
Secure User Name and Password–Users will select their preferred user name and password for websites that contain private information, and these items must be entered every time they sign-in to such a website. For information security reasons, users will be instructed to change their password periodically.
Automatic Time Out—When there is no activity for 20 minutes on one of its websites, a user’s session will be terminated to help protect against unauthorized access.
Client-Driven Authentication Questions – When a user calls Web Services and Support with questions about a website within the TLD, Applicant will confirm its identity on the phone before discussing any account information. The questions and answers the user selects when logging into a website in the TLD for the first time will be used for this identification process.
Of course, much of Applicant’s data security occurs behind the scenes. And, Applicant has a legal duty under federal and state information security laws, contracts, and industry standards to protect its customers’ nonpublic personal information (NPI), including any NPI in the custody of a third-party service provider. Applicant commits to providing backend registry services in accordance with the following relevant security standards.
Specifically, there are a wide variety of federal, state, and industry information security rules that create a duty to detect, prevent and respond to any anticipated threats or hazards to the security or integrity of customer records, including attacks, intrusions or other systems failures, as well as to protect against unauthorized access to or use of customersʹ records or information that could cause them harm or inconvenience. In general, these laws require financial services companies to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information. There are also state regulations addressing privacy and information security.
Applicant has already developed several internal information security policies that apply to its websites in the current Internet space and will apply to any websites within the TLD used with the public to meet these requirements and Internet users’ Web-based security expectations. These policies, which are attached to the answer to Question 30b, consist primarily of:
Data Management Policy and Standards. The objective of this policy is to ensure the proper management of data or information that has broad applicability to Applicant and its business processes, especially consolidated functions, and individual elements of data that support key processes and outputs, i.e., critical business uses of the data. These items, which are key resources utilized by Applicant and external stakeholders, are accorded special treatment under the Data Management Policy and Standards. Specifically, the Data Management Policy sets forth the minimum requirements for Senior Management to implement a consistent and controlled approach to the development and use of data and information across Applicant’s company. The Data Management Standards set forth the standards for implementation and compliance with the Data Management Policy.
Records Management Policy & Standards. The Records Management Policy and Standards establishes a uniform process for identifying, managing, retaining, securing, and when appropriate, disposing of Applicant’s Records. This policy is designed to address the legal, regulatory, financial and operational obligations associated with Records Management. Specifically, Applicant requires the maintenance of authentic, reliable and useable records that support the business requirements and activities for which they were created. Records must be kept as long as, and only as long as, required to meet legal, regulatory and operational requirements. Effective implementation of this policy includes a well-defined governance structure. It establishes a systematic and consistent approach to the classification, retention, protection, retrieval and disposal of records.
Information Security Standards. Applicant’s Information Security Standards establish clear and concise minimum security requirements which every one of Applicant’s businesses must satisfy in their environments. These standards identify information protection requirements to ensure all of Applicant’s businesses protect Applicant’s information in accordance with applicable legal and regulatory requirements in the locations where Applicant does business. These standards are based on International code of practice for information security management (ISO 27002) and are updated on a regular basis.
Information Technology Management Standards. Applicant’s Information Technology Management Standards details how Applicant protects its clients’ information entrusted to it as well as ensuring the security and integrity of its own information. These standards are based on an International Framework (COBIT 4.1) for managing Information Technology. These standards also encompass U.S. as well as other country’s regulatory and legal Information Technology and Security requirements.
Information Technology Management Policy. Applicant’s Information Technology Management Policy demonstrates how Applicant protects clients’ information and ensures the security and integrity of Applicant’s information. Specifically, Applicant’s Technology Management has been set into 14 process areas, covering all major aspects of IT, in order to maintain an effective governance structure. This policy is based on an International Framework (Control Objectives for Information and related Technology (COBIT 4.1)) for managing technology and encompasses country-specific legal and regulatory requirements.
Policy on Confidentiality of Information. The objective of this policy is to set forth minimum standards for the safeguarding of confidential or proprietary information by Applicant’s employees. This policy requires that Applicant’s employees safeguard all non-public information from disclosure to the public. This includes not disclosing confidential information, profiting from confidential information, seeking confidential information unnecessary to the employee’s job, and⁄or sharing information with other employees where unnecessary, among others.
These standards and policies, which work together and provide for a robust Information Security Policy, are attached to the answer to application Question 30(b) in whole. These policies will apply to the TLD registry once launched.
Both internal and external auditors as well as regulators regularly review and test Applicant’s Information Security Program.
Neustarʹs approach to information security starts with comprehensive information security policies. These are based on the industry best practices for security including SANS (SysAdmin, Audit, Network, Security) Institute, NIST (National Institute of Standards and Technology), and CIS (Center for Internet Security). Policies are reviewed annually by Neustarʹs information security team.
All of the security policies and levels described in this section are appropriate for the TLD registry.
30.(a).2 Summary of Security Policies
Neustar has developed a comprehensive Information Security Program in order to create effective administrative, technical, and physical safeguards for the protection of its information assets, and to comply with Neustarʹs obligations under applicable law, regulations, and contracts. This Program establishes Neustarʹs policies for accessing, collecting, storing, using, transmitting, and protecting electronic, paper, and other records containing sensitive information.
-The policies for internal users and our clients to ensure the safe, organized and fair use of information resources.
-The rights that can be expected with that use.
-The standards that must be met to effectively comply with policy.
-The responsibilities of the owners, maintainers, and users of Neustarʹs information resources.
-Rules and principles used at Neustar to approach information security issues
The following policies are included in the Program:
1. Acceptable Use Policy
The Acceptable Use Policy provides the rules of behavior covering all Neustar Associates for using Neustar resources or accessing sensitive information.
2. Information Risk Management Policy
The Information Risk Management Policy describes the requirements for the on-going information security risk management program, including defining roles and responsibilities for conducting and evaluating risk assessments, assessments of technologies used to provide information security and monitoring procedures used to measure policy compliance.
3. Data Protection Policy
The Data Protection Policy provides the requirements for creating, storing, transmitting, disclosing, and disposing of sensitive information, including data classification and labeling requirements, the requirements for data retention. Encryption and related technologies such as digital certificates are also covered under this policy.
4. Third Party Policy
The Third Party Policy provides the requirements for handling service provider contracts, including specifically the vetting process, required contract reviews, and on-going monitoring of service providers for policy compliance.
5. Security Awareness and Training Policy
The Security Awareness and Training Policy provide the requirements for managing the on-going awareness and training program at Neustar. This includes awareness and training activities provided to all Neustar Associates.
6. Incident Response Policy
The Incident Response Policy provides the requirements for reacting to reports of potential security policy violations. This policy defines the necessary steps for identifying and reporting security incidents, remediation of problems, and conducting lessons learned post-mortem reviews in order to provide feedback on the effectiveness of this Program. Additionally, this policy contains the requirement for reporting data security breaches to the appropriate authorities and to the public, as required by law, contractual requirements, or regulatory bodies.
7. Physical and Environmental Controls Policy
The Physical and Environment Controls Policy provides the requirements for securely storing sensitive information and the supporting information technology equipment and infrastructure. This policy includes details on the storage of paper records as well as access to computer systems and equipment locations by authorized personnel and visitors.
Neustar supports the right to privacy, including the rights of individuals to control the dissemination and use of personal data that describes them, their personal choices, or life experiences. Neustar supports domestic and international laws and regulations that seek to protect the privacy rights of such individuals.
9. Identity and Access Management Policy
The Identity and Access Management Policy covers user accounts (login ID naming convention, assignment, authoritative source) as well as ID lifecycle (request, approval, creation, use, suspension, deletion, review), including provisions for system⁄application accounts, shared⁄group accounts, guest⁄public accounts, temporary⁄emergency accounts, administrative access, and remote access. This policy also includes the user password policy requirements.
10. Network Security Policy
The Network Security Policy covers aspects of Neustar network infrastructure and the technical controls in place to prevent and detect security policy violations.
11. Platform Security Policy
The Platform Security Policy covers the requirements for configuration management of servers, shared systems, applications, databases, middle-ware, and desktops and laptops owned or operated by Neustar Associates.
12. Mobile Device Security Policy
The Mobile Device Policy covers the requirements specific to mobile devices with information storage or processing capabilities. This policy includes laptop standards, as well as requirements for PDAs, mobile phones, digital cameras and music players, and any other removable device capable of transmitting, processing or storing information.
13. Vulnerability and Threat Management Policy
The Vulnerability and Threat Management Policy provides the requirements for patch management, vulnerability scanning, penetration testing, threat management (modeling and monitoring) and the appropriate ties to the Risk Management Policy.
14. Monitoring and Audit Policy
The Monitoring and Audit Policy covers the details regarding which types of computer events to record, how to maintain the logs, and the roles and responsibilities for how to review, monitor, and respond to log information. This policy also includes the requirements for backup, archival, reporting, forensics use, and retention of audit logs.
15. Project and System Development and Maintenance Policy
The System Development and Maintenance Policy covers the minimum security requirements for all software, application, and system development performed by or on behalf of Neustar and the minimum security requirements for maintaining information systems.
30.(a).3 Independent Assessment Reports
Neustar IT Operations is subject to yearly Sarbanes-Oxley (SOX), Statement on Auditing Standards #70 (SAS70) and ISO audits. Testing of controls implemented by Neustar management in the areas of access to programs and data, change management and IT Operations are subject to testing by both internal and external SOX and SAS70 audit groups. Audit Findings are communicated to process owners, Quality Management Group and Executive Management. Actions are taken to make process adjustments where required and remediation of issues is monitored by internal audit and QM groups.
External Penetration Test is conducted by a third party on a yearly basis. As authorized by Neustar, the third party performs an external Penetration Test to review potential security weaknesses of network devices and hosts and demonstrate the impact to the environment. The assessment is conducted remotely from the Internet with testing divided into four phases:
-A network survey is performed in order to gain a better knowledge of the network that was being tested
-Vulnerability scanning is initiated with all the hosts that are discovered in the previous phase
-Identification of key systems for further exploitation is conducted
-Exploitation of the identified systems is attempted.
Each phase of the audit is supported by detailed documentation of audit procedures and results. Identified vulnerabilities are classified as high, medium and low risk to facilitate managementʹs prioritization of remediation efforts. Tactical and strategic recommendations are provided to management supported by reference to industry best practices.
30.(a).4 Augmented Security Levels and Capabilities
There are no increased security levels specific for TLD. However, Neustar will provide the same high level of security provided across all of the registries it manages.
A key to Neustarʹs Operational success is Neustarʹs highly structured operations practices. The standards and governance of these processes:
-Include annual independent review of information security practices
-Include annual external penetration tests by a third party
-Conform to the ISO 9001 standard (Part of Neustarʹs ISO-based Quality Management System)
-Are aligned to Information Technology Infrastructure Library (ITIL) and CoBIT best practices
-Are aligned with all aspects of ISO IEC 17799
-Are in compliance with Sarbanes-Oxley (SOX) requirements (audited annually)
-Are focused on continuous process improvement (metrics driven with product scorecards reviewed monthly).
A summary view to Neustarʹs security policy in alignment with ISO 17799 can be found in section 30.(a).5 below.
30.(a).5 Commitments and Security Levels
The TLD registry commits to high security levels that are consistent with the needs of the TLD. These commitments include:
Compliance with High Security Standards
-Security procedures and practices that are in alignment with ISO 17799
-Annual SOC 2 Audits on all critical registry systems
-Annual 3rd Party Penetration Tests
-Annual Sarbanes Oxley Audits
Highly Developed and Document Security Policies
-Compliance with all provisions described in section 30.(b) and in the attached security policy document.
-Resources necessary for providing information security
-Fully documented security policies
-Annual security training for all operations personnel
High Levels of Registry Security
-Multiple redundant data centers
-High Availability Design
-Architecture that includes multiple layers of security
-Diversified firewall and networking hardware vendors
-Multi-factor authentication for accessing registry systems
-Physical security access controls
-A 24x7 manned Network Operations Center that monitors all systems and applications
-A 24x7 manned Security Operations Center that monitors and mitigates DDoS attacks
-DDoS mitigation using traffic scrubbing technologies
Similar gTLD applications: (1)
|gTLD||Full Legal Name||E-mail suffix||z||Detail|