
30(a) Security Policy: Summary of the security policy for the proposed registry

gTLD: .書籍
Full Legal Name: Amazon EU S.à r.l.
E-mail suffix: valideus.com
Amazon EU S.à r.l. and our back-end operator, Neustar, recognize the vital need to secure the systems and the integrity of the data in commercial solutions. The .書籍 registry solution will apply industry best practices for security, covering the physical, network, server, and application layers.
Neustar’s approach to information security starts with comprehensive information security policies. These are based on the industry best practices for security including SANS (SysAdmin, Audit, Network, Security) Institute, NIST (National Institute of Standards and Technology), and Center for Internet Security (CIS). Policies are reviewed annually by Neustar’s information security team.
The following is a summary of the security policies that will be used in the .書籍 registry, including:
1. Summary of the security policies used in the registry operations
2. Description of independent security assessments
3. Description of security features that are appropriate for .書籍
4. List of commitments made to registrants regarding security levels

All of the security policies and levels described in this section are appropriate for the .書籍 registry.
30.(a).1 Summary of Security Policies

Neustar, Inc. has developed a comprehensive Information Security Program in order to create effective administrative, technical, and physical safeguards for the protection of its information assets, and to comply with Neustar’s obligations under applicable law, regulations, and contracts. This Program establishes Neustar’s policies for accessing, collecting, storing, using, transmitting, and protecting electronic, paper, and other records containing sensitive information.
The Program defines:
• The policies for internal users and our clients to ensure the safe, organized and fair use of information resources.
• The rights that can be expected with that use.
• The standards that must be met to effectively comply with policy.
• The responsibilities of the owners, maintainers, and users of Neustar’s information resources.
• Rules and principles used at Neustar to approach information security issues.

The following policies are included in the Program:
1. Acceptable Use Policy
The Acceptable Use Policy provides the “rules of behavior” covering all Neustar Associates for using Neustar resources or accessing sensitive information.
2. Information Risk Management Policy
The Information Risk Management Policy describes the requirements for the ongoing information security risk management program, including: defining roles and responsibilities for conducting and evaluating risk assessments; assessments of technologies used to provide information security; and monitoring procedures used to measure policy compliance.
3. Data Protection Policy
The Data Protection Policy provides the requirements for creating, storing, transmitting, disclosing, and disposing of sensitive information, including data classification and labeling requirements and data retention requirements. Encryption and related technologies such as digital certificates are also covered under this policy.
4. Third Party Policy
The Third Party Policy provides the requirements for handling service provider contracts, including specifically the vetting process, required contract reviews, and on-going monitoring of service providers for policy compliance.
5. Security Awareness and Training Policy
The Security Awareness and Training Policy provides the requirements for managing the ongoing awareness and training program at Neustar. This includes awareness and training activities provided to all Neustar Associates.
6. Incident Response Policy
The Incident Response Policy provides the requirements for reacting to reports of potential security policy violations. This policy defines the necessary steps for identifying and reporting security incidents, remediation of problems, and conducting “lessons learned” post-mortem reviews in order to provide feedback on the effectiveness of this Program. Additionally, this policy contains the requirement for reporting data security breaches to the appropriate authorities and to the public, as required by law, contractual requirements, or regulatory bodies.
7. Physical and Environmental Controls Policy
The Physical and Environmental Controls Policy provides the requirements for securely storing sensitive information and the supporting information technology equipment and infrastructure. This policy includes details on the storage of paper records as well as access to computer systems and equipment locations by authorized personnel and visitors.
8. Privacy Policy
Neustar supports the right to privacy, including the rights of individuals to control the dissemination and use of personal data that describes them, their personal choices, or life experiences. Neustar supports domestic and international laws and regulations that seek to protect the privacy rights of such individuals.
9. Identity and Access Management Policy
The Identity and Access Management Policy covers user accounts (login ID naming convention, assignment, authoritative source) as well as ID lifecycle (request, approval, creation, use, suspension, deletion, review), including provisions for system/application accounts, shared/group accounts, guest/public accounts, temporary/emergency accounts, administrative access, and remote access. This policy also includes the user password policy requirements.
10. Network Security Policy
The Network Security Policy covers aspects of Neustar network infrastructure and the technical controls in place to prevent and detect security policy violations.
11. Platform Security Policy
The Platform Security Policy covers the requirements for configuration management of servers, shared systems, applications, databases, middle-ware, and desktops and laptops owned or operated by Neustar Associates.
12. Mobile Device Security Policy
The Mobile Device Security Policy covers the requirements specific to mobile devices with information storage or processing capabilities. This policy includes laptop standards, as well as requirements for PDAs, mobile phones, digital cameras and music players, and any other removable device capable of transmitting, processing or storing information.
13. Vulnerability and Threat Management Policy
The Vulnerability and Threat Management Policy provides the requirements for patch management, vulnerability scanning, penetration testing, threat management (modeling and monitoring) and the appropriate ties to the Risk Management Policy.
14. Monitoring and Audit Policy
The Monitoring and Audit Policy covers the details regarding which types of computer events to record, how to maintain the logs, and the roles and responsibilities for how to review, monitor, and respond to log information. This policy also includes the requirements for backup, archival, reporting, forensics use, and retention of audit logs.
15. Project and System Development and Maintenance Policy
The Project and System Development and Maintenance Policy covers the minimum security requirements for all software, application, and system development performed by or on behalf of Neustar and the minimum security requirements for maintaining information systems.

30.(a).2 Independent Assessment Reports
Neustar IT Operations is subject to yearly Sarbanes-Oxley (SOX), Statement on Auditing Standards No. 70 (SAS 70) and ISO audits. Controls implemented by Neustar management in the areas of access to programs and data, change management and IT Operations are tested by both internal and external SOX and SAS 70 audit groups. Audit findings are communicated to process owners, the Quality Management Group and Executive Management. Process adjustments are made where required, and remediation of issues is monitored by the internal audit and QM groups.
An external penetration test is conducted by a third party on a yearly basis. As authorized by Neustar, the third party performs an external penetration test to identify potential security weaknesses in network devices and hosts and to demonstrate their impact on the environment. The assessment is conducted remotely from the Internet, with testing divided into four phases:
• A network survey is performed in order to gain a better knowledge of the network being tested.
• Vulnerability scanning is initiated against all hosts discovered in the previous phase.
• Key systems are identified for further exploitation.
• Exploitation of the identified systems is attempted.
Each phase of the audit is supported by detailed documentation of audit procedures and results. Identified vulnerabilities are classified as high, medium and low risk to facilitate management’s prioritization of remediation efforts. Tactical and strategic recommendations are provided to management supported by reference to industry best practices.
30.(a).3 Augmented Security Levels and Capabilities
There are no increased security levels specific to .書籍. However, Neustar will provide the same high level of security provided across all of the registries it manages.
A key to Neustar’s operational success is Neustar’s highly structured operations practices. The standards and governance of these processes:
• Include annual independent review of information security practices
• Include annual external penetration tests by a third party
• Conform to the ISO 9001 standard (part of Neustar’s ISO-based Quality Management System)
• Are aligned to Information Technology Infrastructure Library (ITIL) and COBIT best practices
• Are aligned with all aspects of ISO/IEC 17799 (since renumbered ISO/IEC 27002)
• Are in compliance with Sarbanes-Oxley (SOX) requirements (audited annually)
• Are focused on continuous process improvement (metrics driven, with product scorecards reviewed monthly).
A summary of Neustar’s security policy in alignment with ISO 17799 can be found in section 30.(a).4 below.
30.(a).4 Commitments and Security Levels
The .書籍 registry commits to high security levels that are consistent with the needs of the TLD. These commitments include:

Compliance with High Security Standards
• Security procedures and practices that are in alignment with ISO 17799
• Annual SOC 2 audits on all critical registry systems
• Annual third-party penetration tests
• Annual Sarbanes-Oxley audits

Highly Developed and Documented Security Policies
• Compliance with all provisions described in section 30.(a).4 below and in the attached security policy document
• Resources necessary for providing information security
• Fully documented security policies
• Annual security training for all operations personnel

High Levels of Registry Security
• Multiple redundant data centers
• High availability design
• Architecture that includes multiple layers of security
• Diversified firewall and networking hardware vendors
• Multi-factor authentication for accessing registry systems
• Physical security access controls
• A 24x7 manned Network Operations Center that monitors all systems and applications
• A 24x7 manned Security Operations Center that monitors and mitigates DDoS attacks
• DDoS mitigation using traffic scrubbing technologies
gTLD: .BASEBALL
Full Legal Name: MLB Advanced Media DH, LLC
E-mail suffix: fairwindspartners.com
MLB Advanced Media DH, LLC and its back-end operator, Neustar, Inc. (“Neustar”), recognize the vital need to secure the systems and the integrity of the data in commercial solutions. The .BASEBALL registry solution will apply industry best practices for security, covering the physical, network, server, and application layers.
Neustar’s approach to information security starts with comprehensive information security policies. These are based on the industry best practices for security including SANS (SysAdmin, Audit, Network, Security) Institute, NIST (National Institute of Standards and Technology), and Center for Internet Security (CIS). Policies are reviewed annually by Neustar’s information security team.
The following is a summary of the security policies that will be used in the .BASEBALL registry, including:
1. Summary of the security policies used in the registry operations
2. Description of independent security assessments
3. Description of security features that are appropriate for .BASEBALL
4. List of commitments made to registrants regarding security levels
All of the security policies and levels described in this section are appropriate for the .BASEBALL registry.
30.(a).1 Summary of Security Policies
Neustar, Inc. has developed a comprehensive Information Security Program in order to create effective administrative, technical, and physical safeguards for the protection of its information assets, and to comply with Neustar’s obligations under applicable law, regulations, and contracts. This Program establishes Neustar’s policies for accessing, collecting, storing, using, transmitting, and protecting electronic, paper, and other records containing sensitive information.
The Program defines:
• The policies for internal users and its clients to ensure the safe, organized, and fair use of information resources;
• The rights that can be expected with that use;
• The standards that must be met to effectively comply with policy;
• The responsibilities of the owners, maintainers, and users of Neustar’s information resources;
• Rules and principles used at Neustar to approach information security issues.

The following policies are included in the Program:
Acceptable Use Policy
The Acceptable Use Policy provides the “rules of behavior” covering all Neustar Associates for using Neustar resources or accessing sensitive information.
Information Risk Management Policy
The Information Risk Management Policy describes the requirements for the ongoing information security risk management program, including defining roles and responsibilities for conducting and evaluating risk assessments; assessments of technologies used to provide information security; and monitoring procedures used to measure policy compliance.
Data Protection Policy
The Data Protection Policy provides the requirements for creating, storing, transmitting, disclosing, and disposing of sensitive information, including data classification and labeling requirements and data retention requirements. Encryption and related technologies such as digital certificates are also covered under this policy.
Third Party Policy
The Third Party Policy provides the requirements for handling service provider contracts, including specifically the vetting process, required contract reviews, and on-going monitoring of service providers for policy compliance.
Security Awareness and Training Policy
The Security Awareness and Training Policy provides the requirements for managing the ongoing awareness and training program at Neustar. This includes awareness and training activities provided to all Neustar Associates.
Incident Response Policy
The Incident Response Policy provides the requirements for reacting to reports of potential security policy violations. This policy defines the necessary steps for identifying and reporting security incidents, remediation of problems, and conducting “lessons learned” post-mortem reviews in order to provide feedback on the effectiveness of this Program. Additionally, this policy contains the requirement for reporting data security breaches to the appropriate authorities and to the public, as required by law, contractual requirements, or regulatory bodies.
Physical and Environmental Controls Policy
The Physical and Environmental Controls Policy provides the requirements for securely storing sensitive information and the supporting information technology equipment and infrastructure. This policy includes details on the storage of paper records as well as access to computer systems and equipment locations by authorized personnel and visitors.
Privacy Policy
Neustar supports the right to privacy, including the rights of individuals to control the dissemination and use of personal data that describes them, their personal choices, or life experiences. Neustar supports domestic and international laws and regulations that seek to protect the privacy rights of such individuals.
Identity and Access Management Policy
The Identity and Access Management Policy covers user accounts (login ID naming convention, assignment, authoritative source) as well as ID lifecycle (request, approval, creation, use, suspension, deletion, review), including provisions for system/application accounts, shared/group accounts, guest/public accounts, temporary/emergency accounts, administrative access, and remote access. This policy also includes the user password policy requirements.
Network Security Policy
The Network Security Policy covers aspects of Neustar network infrastructure and the technical controls in place to prevent and detect security policy violations.
Platform Security Policy
The Platform Security Policy covers the requirements for configuration management of servers, shared systems, applications, databases, middle-ware, and desktops and laptops owned or operated by Neustar Associates.
Mobile Device Security Policy
The Mobile Device Security Policy covers the requirements specific to mobile devices with information storage or processing capabilities. This policy includes laptop standards, as well as requirements for PDAs, mobile phones, digital cameras and music players, and any other removable device capable of transmitting, processing, or storing information.
Vulnerability and Threat Management Policy
The Vulnerability and Threat Management Policy provides the requirements for patch management, vulnerability scanning, penetration testing, threat management (modeling and monitoring), and the appropriate ties to the Risk Management Policy.
Monitoring and Audit Policy
The Monitoring and Audit Policy covers the details regarding which types of computer events to record, how to maintain the logs, and the roles and responsibilities for how to review, monitor, and respond to log information. This policy also includes the requirements for backup, archival, reporting, forensics use, and retention of audit logs.
Project and System Development and Maintenance Policy
The Project and System Development and Maintenance Policy covers the minimum security requirements for all software, application, and system development performed by or on behalf of Neustar and the minimum security requirements for maintaining information systems.
30.(a).2 Independent Assessment Reports
Neustar IT Operations is subject to yearly Sarbanes-Oxley (SOX), Statement on Auditing Standards No. 70 (SAS 70), and ISO audits. Controls implemented by Neustar management in the areas of access to programs and data, change management, and IT Operations are tested by both internal and external SOX and SAS 70 audit groups. Audit findings are communicated to process owners, the Quality Management Group, and Executive Management. Process adjustments are made where required, and remediation of issues is monitored by the internal audit and QM groups.
An external penetration test is conducted by a third party on a yearly basis. As authorized by Neustar, the third party performs an external penetration test to identify potential security weaknesses in network devices and hosts, and to demonstrate their impact on the environment. The assessment is conducted remotely from the Internet, with testing divided into four phases:
• A network survey is performed in order to gain a better knowledge of the network being tested;
• Vulnerability scanning is initiated against all hosts discovered in the previous phase;
• Key systems are identified for further exploitation;
• Exploitation of the identified systems is attempted.
Each phase of the audit is supported by detailed documentation of audit procedures and results. Identified vulnerabilities are classified as high, medium and low risk to facilitate management’s prioritization of remediation efforts. Tactical and strategic recommendations are provided to management supported by reference to industry best practices.
30.(a).3 Augmented Security Levels and Capabilities
There are no increased security levels specific to .BASEBALL. However, Neustar will provide the same high level of security provided across all of the registries it manages.
A key to Neustar’s operational success is Neustar’s highly structured operations practices. The standards and governance of these processes:
• Include annual independent review of information security practices;
• Include annual external penetration tests by a third party;
• Conform to the ISO 9001 standard (part of Neustar’s ISO-based Quality Management System);
• Are aligned to Information Technology Infrastructure Library (ITIL) and COBIT best practices;
• Are aligned with all aspects of ISO/IEC 17799 (since renumbered ISO/IEC 27002);
• Are in compliance with Sarbanes-Oxley (SOX) requirements (audited annually);
• Are focused on continuous process improvement (metrics driven, with product scorecards reviewed monthly).
A summary of Neustar’s security policy in alignment with ISO 17799 can be found in section 30.(a).4, below.
30.(a).4 Commitments and Security Levels
The .BASEBALL registry commits to high security levels that are consistent with the needs of the TLD. These commitments include:

Compliance with High Security Standards
• Security procedures and practices that are in alignment with ISO 17799;
• Annual SOC 2 audits on all critical registry systems;
• Annual third-party penetration tests;
• Annual Sarbanes-Oxley audits.

Highly Developed and Documented Security Policies
• Compliance with all provisions described in section 30.(a).4, below, and in the attached security policy document;
• Resources necessary for providing information security;
• Fully documented security policies;
• Annual security training for all operations personnel.

High Levels of Registry Security
• Multiple redundant data centers;
• High availability design;
• Architecture that includes multiple layers of security;
• Diversified firewall and networking hardware vendors;
• Multi-factor authentication for accessing registry systems;
• Physical security access controls;
• A 24/7 manned Network Operations Center that monitors all systems and applications;
• A 24/7 manned Security Operations Center that monitors and mitigates DDoS attacks;
• DDoS mitigation using traffic scrubbing technologies.