ICANN New gTLD Application

New gTLD Application Submitted to ICANN by: Smart Communications, Inc. (SMART)

String: smart

Originally Posted: 13 June 2012

Application ID: 1-2139-55785


Applicant Information


1. Full legal name

Smart Communications, Inc. (SMART)

2. Address of the principal place of business

Smart Tower, 6799 Ayala Avenue
Makati City Metro Manila 1226
PH

3. Phone number

+6325113101

4. Fax number

+6325113100

5. If applicable, website or URL

http:⁄⁄www.smart.com.ph

Primary Contact


6(a). Name

Ms. Nora Imelda Bautista Wilwayco

6(b). Title

Manager, Online Services, Public Affairs Group

6(c). Address


6(d). Phone Number

+6325113101

6(e). Fax Number

+6325113100

6(f). Email Address

nbwilwayco@smart.com.ph

Secondary Contact


7(a). Name

Mr. Victor Goto Reyes

7(b). Title

Manager, Planning and Architecture - Infra, Technical Services Division

7(c). Address


7(d). Phone Number

+6325114280

7(e). Fax Number

+6325113100

7(f). Email Address

vgreyes@smart.com.ph

Proof of Legal Establishment


8(a). Legal form of the Applicant

Corporation

8(b). State the specific national or other jursidiction that defines the type of entity identified in 8(a).

Philippine Laws

8(c). Attach evidence of the applicant's establishment.

Attachments are not displayed on this form.

9(a). If applying company is publicly traded, provide the exchange and symbol.


9(b). If the applying entity is a subsidiary, provide the parent company.

Philippine Long Distance Telephone Company

9(c). If the applying entity is a joint venture, list all joint venture partners.


Applicant Background


11(a). Name(s) and position(s) of all directors

Anabelle L. ChuaChief Financial Officer
George LimDirector
Imelda A. ManguiatDirector
Lorenzo V. TanDirector
Manuel V. PangilinanChairman
Napoleon L. NazarenoPresident and CEO
Orlando B. VeaChief Wireless Advisor
Oscar ReyesDirectro
Ramoncito FernandezDirector
Rolando G. PenaHead, Customer Assurance

11(b). Name(s) and position(s) of all officers and partners

Anabelle L. ChuaChief Financial Officer
Charles A. LimAdvisor
Emmanuel Ramon C. LorenzanaHead, Wireless Consumer
Jovan S. BaracAdvisor
Lawrence GohChief Information Officer
Manuel V. PangilinanChairman
Mario G. TamayoHead, Technical Services
Napoleon L. NazarenoPresident and CEO
Orlando B. VeaChief Wireless Advisor
Rene G. BanezHead, Administration and Materials Management
Rolando G. PenaHead, Customer Assurance
Setsuya KimuraAdvisor

11(c). Name(s) and position(s) of all shareholders holding at least 15% of shares

Philippine Long Distance Telephone CompanyNot Applicable

11(d). For an applying entity that does not have directors, officers, partners, or shareholders: Name(s) and position(s) of all individuals having legal or executive responsibility


Applied-for gTLD string


13. Provide the applied-for gTLD string. If an IDN, provide the U-label.

smart

14(a). If an IDN, provide the A-label (beginning with "xn--").


14(b). If an IDN, provide the meaning or restatement of the string in English, that is, a description of the literal meaning of the string in the opinion of the applicant.


14(c). If an IDN, provide the language of the label (in English).


14(c). If an IDN, provide the language of the label (as referenced by ISO-639-1).


14(d). If an IDN, provide the script of the label (in English).


14(d). If an IDN, provide the script of the label (as referenced by ISO 15924).


14(e). If an IDN, list all code points contained in the U-label according to Unicode form.


15(a). If an IDN, Attach IDN Tables for the proposed registry.

Attachments are not displayed on this form.

15(b). Describe the process used for development of the IDN tables submitted, including consultations and sources used.


15(c). List any variant strings to the applied-for gTLD string according to the relevant IDN tables.


16. Describe the applicant's efforts to ensure that there are no known operational or rendering problems concerning the applied-for gTLD string. If such issues are known, describe steps that will be taken to mitigate these issues in software and other applications.

The applied-for gTLD string is not an IDN and shall not have any known operational or rendering problems.

17. (OPTIONAL) Provide a representation of the label according to the International Phonetic Alphabet (http://www.langsci.ucl.ac.uk/ipa/).


Mission/Purpose


18(a). Describe the mission/purpose of your proposed gTLD.

Smart Communications, Inc. (SMART) is the Philippinesʹ leading wireless services provider with 49.0 million subscribers on its GSM network as of end-December 2011.

SMART has built an international reputation for innovation, having introduced world-first wireless data services, such as Smart Money (the world’s first electronic wallet linked to a mobile phone), Smart Load (electronic prepaid top-ups in sachet denominations), Smart Padala (mobile-based remittance service) and the Netphone (Android-based operator feature phone). SMART also offers 3G and HSPA+ services, and the country’s first and only LTE network. Its Smart Link service provides communications to the global maritime industry.

Smart Broadband, Inc., a wholly-owned subsidiary, offers a wireless broadband service, Smart BRO, with over 1.6 million subscribers as of end-December 2011.

SMART is a wholly-owned subsidiary of the Philippinesʹ leading telecommunications carrier, the Philippine Long Distance Telephone Company which is listed at the New York Stock Exchange.
SMART has nationwide coverage in the Philippines and has worldwide partnerships.
In the Philippines, SMART has an extensive network of over 1.4 million load retailers and dealers selling prepaid top-ups.

Launched in Hong Kong in August 2004, 1528 SMART is a prepaid GSM mobile phone service offering in Hong Kong designed and packaged to cater to the Filipino community. It is the product of the partnership of Hong Kong CSL Ltd. and PLDT (HK) Ltd.⁄ PLDT Global, in close collaboration with Smart.

Through strategic partnerships with The Western Union Company® (NYSE:WU) and MoneyGram International (NYSE: MGI) in November 2010, Filipinos all over the world can now send cash directly to the Smart mobile phones of their loved ones in the Philippines through any of over 95,000 international money transfer locations, including the United States and Hong Kong.
In June 2010, MasterCard Worldwide and Smart subsidiary, Smart Hub, Inc., announced a joint venture to accelerate the delivery of mobile payment solutions that will enable financial institutions and cellular phone networks around the world to deliver end-to-end mobile payment services through the MasterCard Worldwide Network. This service, which made its debut in Brazil, will be brought to major markets in Eurasia, Europe, Africa, and Middle East.
In the Philippines, the SMART brand is one of the most recognized trademarks in the country, with wide-recall among the population.

In the telecommunications industry worldwide, the SMART brand is automatically associated with the company, having won numerous international awards and acknowledged as a leader in the global associations of mobile operators.

As part of its thrust to introduce innovative services for its subscribers and as a strategy for growth in its global partnerships, SMART is planning to provide the .SMART gTLD as integral in increasing the value of its service delivery in its efforts to further expand and consolidate its leadership role in the mobile and Internet field.

The .SMART gTLD will serve the needs of the SMART including the provisioning of its cellular, wireless broadband, financial, technology solutions, mobile virtual networks and satellite services for the use of its authorized mobile and Internet subscribers.

The .SMART gTLD is for the exclusive use of the company and its subsidiaries, its authorized partners, and its subscribers. Registration in .SMART is not open to the general public.

SMART is investing PhP22.3-M for capital expenditures and an average of PhP15-M for operations yearly. Based on current utilization of its DNS infrastructure, SMART foresees two million authoritative queries per day in the first year alone. This does not account for future service offerings that the company will be introducing under the .SMART gTLD.

The .SMART gTLD will be integral to the company’s delivery of services for its subsidiaries, affiliates, partners and subscribers not only in the Philippines but worldwide. SMART will be using the .gTLD as part of its strategy to constantly be competitive in the industry. It will promote competitiveness, consumer trust and brand choice.

18(b). How do you expect that your proposed gTLD will benefit registrants, Internet users, and others?

The .SMART gTLD will serve the needs of SMART including the provisioning of its cellular, wireless broadband, financial, technology solutions, mobile virtual networks and satellite services for the use of its authorized mobile and Internet subscribers.

The .SMART gTLD is for the exclusive use of the company and its subsidiaries, its authorized partners, and its subscribers, hence it will be a closed-registry model. It is not for the use of the general public.

Applications for registrations will be reviewed by the company’s .SMART Policy Board to protect the interests of its subscribers, partners, affiliates and equity.

The .SMART gTLD will follow SMART’s privacy policies for its services. Please refer to answers to Sections 26 and 30 for the details.

SMART will use the .SMART gTLD to operate its businesses. The registry will not be a direct business of the company but is seen as a support infrastructure for the company’s businesses. Hence, the stability of the registry is dependent on the stability of the company. Funding for the registry will come from the company’s network, IT and marketing budgets. SMART is one of the highest earning companies in the Philippines and high growth is still foreseen especially for its broadband Internet business.

SMART has a strong and robust technical infrastructure and capabilities and because the company will be directly controlling the .SMART gTLD, capacity and operations can be planned.

Completely and solely operated by the company, the registryʹs reputation will be tied with that of the company. This will assure the companyʹs partners and subscribers that every domain in the registry is vetted by the company in the same manner that it vets its service and products.
In its delivery, the .SMART gTLD will help mitigate security risks for its services and operations, ensuring consumer confidence.

The .SMART gTLD will also be a conduit for new and innovative products from SMART as it further expands its businesses not only for subscribers in the Philippines but also to subscribers and partners worldwide.

To achieve these projected benefits, SMART will conduct a multimedia campaign strategy and program that will communicate the establishment of the .SMART gTLD as well as its applications for various business streams. The campaign will ride on and will be integrated in SMART’s heavy marketing and communications investments.

18(c). What operating rules will you adopt to eliminate or minimize social costs?

Since this will be a closed .gTLD system, SMART will reserve the right to decide on multiple domain name applications through its .SMART Policy Board.

Because SMART will be operating the registry for its businesses, it will be an integral add-on benefit for its partners, affiliates and subscribers, a value-for-money proposition on top of the services they are paying for.

SMART will control the period for domain allocations at no greater than ten years at a time.

Community-based Designation


19. Is the application for a community-based TLD?

No

20(a). Provide the name and full description of the community that the applicant is committing to serve.


20(b). Explain the applicant's relationship to the community identified in 20(a).


20(c). Provide a description of the community-based purpose of the applied-for gTLD.


20(d). Explain the relationship between the applied-for gTLD string and the community identified in 20(a).


20(e). Provide a description of the applicant's intended registration policies in support of the community-based purpose of the applied-for gTLD.


20(f). Attach any written endorsements from institutions/groups representative of the community identified in 20(a).

Attachments are not displayed on this form.

Geographic Names


21(a). Is the application for a geographic name?

No

Protection of Geographic Names


22. Describe proposed measures for protection of geographic names at the second and other levels in the applied-for gTLD.

Every domain name that will be registered in the TLD is fully controlled by SMART Communications, Inc. and will go through a rigorous vetting process by the Internet Committee.The Internet Committee will be composed of Network Services, Information Technology, Legal, Marketing, and Public Affairs. As a policy, the committee will disallow geographic names at the second and other levels in the applied-for gTLD. The Internet Committee will be consulting ISO 3166-1 standard and the ISO 3166-2 standard as part of the vetting process.

Registry Services


23. Provide name and full description of all the Registry Services to be provided.

The .SMART TLD will be operated by SMART as the Registry Operator. The TLD is for the exclusive use of the company, its authorized affiliates, partners, and subscribers. The company will use .SMART to communicate with its affiliates, partners, and subscribers and to deliver official corporate information to the general public.

The registration of a second-level domain in the registry is to be restricted to the company and would be based on on the company’s operational needs. Registration to .SMART is not to be open to any registrant outside of the above restricted population.

CUSTOMARY REGISTRY SERVICES

The following is a list of the ICANN-defined customary registry services. Explanations are given if .SMART will not offer or will offer them in a manner unique to the TLD.

(A) Receipt of data from registrars concerning registration of domain names and name servers.
Not offered. Reason: The registry will be restricted for the exclusive use of the company and is not open to the general public. There will be no external registrars because there will be no non-company affiliated registrants.

(B) Dissemination of TLD zone files.
Offered. The registry will use BIND 9.9 for its DNS and will comply with all the relevant RFCs.

(C) Dissemination of contact or other information concerning domain name registrations (e.g., port-43 WHOIS, Web- based Whois, RESTful Whois service).
Offered. With Modification For all the SLDs, the registrant contact information will all be the same as that of the TLD and will refer to the company’s official contact person(s). Registration in the TLD will be subject to the company’s internal procedures and may not be done without the approval of the Head of the Business Unit. Hence the Head of the Business Unit will be able to answer all questions regarding any SLD.

(D) Dissemination of TLD zone files.
Offered. The registry will use BIND 9.9 for its DNS and will comply with all the relevant RFCs.

(E) Internationalized Domain Names, where offered.
Not offered. Reason: The company uses English and Filipino as its official business languages and both are accommodated by ASCII.

(F) DNS Security Extensions (DNSSEC).
Offered. The registry will use BIND 9.9 for its DNS servers and will comply with all the relevant RFCs. The registry will offer only the above customary services with the stated modifications. Because all of the above services are standards-compliant, the Registry Operator foresees no harmful effect on the stability or security of the DNS.


Demonstration of Technical & Operational Capability


24. Shared Registration System (SRS) Performance

As previously explained, .SMART would be for the exclusive use of the company and there would be no external Registrars to the registry. However, to comply with the requirements of ICANN, the company had tested the Domain Name Registry System (DNRS) Version 5.09, the open source version of the New Zealand Shared Registry System (NZ-SRS) deployed by the .NZ ccTLD. The company would use this system, with minor modifications, as its Shared Registration System.

The DNRS is a system which allows authorized registrars to interface with the .SMART registry in a secure manner to be able to perform registration and maintenance services on the domain names under the registry. For the purpose of .SMART , the registrars are the different company business units which may register domains in behalf of their units.

Four classes of users, based on their roles, have been identified as users of the SRS. In the following table, we detail each class together with a description of its role and interaction with the system.

CLASS ROLES:

General Internet : The user seeks information about a domain User to determine whether such a SLD exists and, if it does, get the responsible person and his contact details.

Registrar : Registers and manages one or more SLDs in behalf of a registrant. The company had modified the DNRS to create two classes of registrars: internal and external. An external registrar has access only to the Query commands to retrieve information about domains. It has no access to any of the Object Transform commands. The internal registrar which is operated by the company has access to both Query and Object Transform Commands. The classification of registrars is a mere table entry and may be modified by the Registry.

Registry: This approves the creation⁄deletion⁄transfer of SLDs.This class includes the staff of the registry authorized to perform actions on registered domains in behalf of the company.

Technical Staff: This monitors the operations of the SRS and performs maintenance services on the systems. They receive system alerts and may perform authorized modifications to the system.

25. Extensible Provisioning Protocol (EPP)

Although the DNRS natively uses the SRS protocol, there is an existing Perl Module, SRS::EPP::Proxy, which implements an XML to XML gateway between the two contemporary protocols, SRS and EPP.  This EPP Gateway⁄Proxy transforms EPP to the native SRS of DNRS and vice-versa. The EPP Gateway is compliant with EPP in RFCs 5730-5735. The DNRS is able to implement all the EPP commands.

The .SMART registry has two types of registrars, internal and external. An internal registrar is a company-operated registrar which may register domains in behalf of their units. An internal registrar has access to both EPP Query and Object Transform Commands. All non-internal registrars are external registrars. Object Transform commands from external registrars will never be successfully processed. The SRS will always respond with a “Negative Completion Reply” to Object Transform commands from external registrars.

.SMART will not implement any EPP extensions.

26. Whois

Smart will setup a publicly accessible look-up⁄ Whois service which will provide a reliable, stable, standards-compliant platform for supporting the .SMART registry. Near real-time updates to the Whois will synchronize updates with the zone file and the .SMART  database to avoid subscriber confusion.

One of the critical functions of a registry , Whois is an administrative tool that provides identifying information related to the domain name. The protocol is defined in RFC954. It will be available to anyone via the IANA-assigned port 43 or the .SMART registry website.

The .SMART Whois will support a thick registry model which will contain the contact information associated with the registrant, The Whois service will accommodate queries regarding the data sets listed in the following table.

We would like to clarify that the Whois server will only respond to queries within the domains covered by the .SMART registry. The Whois server will also have a web interface to service these queries.

27. Registration Life Cycle

The life-cycle of a typical .SMART domain name will be as follows.

1. Internal registrant goes through the Internal Registrar’s website to apply for a domain name. The registrant fills up the application form in the website with the necessary information, including the following:
a. the SLD to be registered
b. the authoritative DNS servers for the SLD
c. the department⁄unit requesting for the SLD

No registry staff is involved in this step.

2. The Internal Registrar queries the SMART Registry to determine whether the requested SLD is available. If available, the application is marked as “PENDING.” If not available, the application is rejected.

No registry staff is involved in this step.

3. The “PENDING” application is kept until all the necessary requirements are fulfilled. The registrant has seven days to fulfill all the necessary requirements. After seven days, all “PENDING” applications are removed from the system.

No registry staff is involved in this step.

4. The details about the “PENDING” application are e-mailed to the head of the department⁄unit for confirmation.

No registry staff is involved in this step.

5. When confirmation is received from the Department⁄Unit head, the application is approved and marked as “ACTIVE.” It is registered for a period of one (1) year.

There will be at least one registry staff member, designated as the “Approver”, who manually checks the confirmation e-mail from the Department⁄Unit Head. The Approver manually sets the “PENDING” domain name to “ACTIVE.”

6. Two months before the expiration date, an e-mail is sent to the registrant reminding the registrant of the date of expiration. The registration is marked as “EXPIRING.”
No registry staff is involved in this step.

7. One month before the expiration date, an e-mail is sent to the registrant reminding the registrant of the date of expiration. No registry staff is involved in this step.

8. “EXPIRING” domains may be renewed at any time by the registrant by replying to any of the two reminder e-mails. No registry staff is involved in this step.

9. “EXPIRING” domains are automatically deleted from the Registry upon the date of expiration. No registry staff is involved in this step.

28. Abuse Prevention and Mitigation

The .SMART gTLD is for the exclusive use of the company and its subsidiaries, its authorized partners, and its subscribers. Registration in .SMART is not open to the general public. By controlling every registration in the .SMART gTLD, the company will totally eliminate abusive registrations and other activities that affect the legal rights of others. 

A domain name in the .SMART gTLD is considered to be a valid domain name if it meets at least one of the following characteristics:
1) it corresponds to a bona fide offering of goods or services
2) it is not intended to mislead or divert consumers away or tarnish the trademark or service mark of any mark-holders
3) it corresponds to the name that the company’s subsidiary, authorized partner, or product is commonly known
4) it is a generic or a descriptive name which the company has fair use of

Only valid domain names may be registered in the .SMART gTLD.

An Abusive Registration is one which is not a valid domain name and which
1) was registered to take an unfair advantage of or to the detriment of a Complainantʹs Rights or
2) has been used in a manner which has taken unfair advantage of or has been unfairly detrimental to the Complainantʹs Rights

Despite the policy of registering only valid domain names, it is possible for the company or its employees to commit mistakes. These unwitting mistakes will be flagged when a complainant notifies the company of its specific concerns and details the specific conduct the complainant believes as an abusive registration. The company will publish in its website a single abuse point of contact responsible for addressing complaints of abusive registrations. At any given time, at least one staff member of the SMART operations staff is tasked with the responsibility of ensuring that the

The following details the .SMART policy and procedures for handling complaints of abusive registrations:

COMMUNICATION

1) All complaints must be in English or Filipino and must be in written form.
2) Complaints must be submitted by fax, e-mail, or registered mail. In the .SMART website, the registry will publish an e-mail address, fax number(s), and postal address to receive complaints of abuse.
3) E-mailed complaints must be sent as plain text and attachments must be in PDF.
4) All complaints are deemed to have been received on:
i. if sent by fax , on the date transmitted; or
ii. if sent by registered mail, on the day of delivery; or
iii. if sent via the Internet, on the date that the e-mail was received by .SMART’s mail server(s);
iv. and, unless otherwise provided in this procedure, the time periods provided for under the Policy and this Procedure shall be calculated accordingly.


COMPLAINTS

1) Any person or organization may submit a complaint of Abusive Registration following the procedures in this document.
2) The complaint shall:
a) not exceed 5000 words
b) specify the complete name and address (postal and e-mail) of the complainant
c) specify the domain name which the complainant alleges to be an Abusive Registration
and

i) if alleging violation of complainant’s rights,
I. the rights the complainant claims in the name or mark
II. the name or mark the complainant claims it has rights to
III. documentary evidence to prove such rights over the name or mark

ii) if not alleging violation of complainant’s rights, describe the grounds on which the complaint is made and why the domain name should be considered to be an Abusive Registration in the hands of the Respondent


REGISTRY’S ACTION

.SMART will check that the complaint complies with the form prescribed in this document. If non-compliant, .SMART will immediately inform the complainant of the deficiencies in the filed complaint and allow the complainant to file a modified complaint to remedy the deficiencies. If the complaint is valid in form and substance, the registry will forward the complaint to the registrant of the domain, together with an explanatory covering letter. The registry will handle all complaints within three (3) working days.


REGISTRANT’S RESPONSE

Within five (5) working days after receipt of the complaint, the respondent registrant must submit its reply to the complaint. The reply shall:
a) not exceed 5000 words
b) specify the grounds of the registrant to rebut the complaint of an Abusive Registration:

i) if violation of complainant’s rights is alleged,
I. the rights the registrant claims in the name or mark
II. the name or mark the registrant claims it has rights to
III. documentary evidence to prove such rights over the name or mark

ii) if violation of complainant’s rights is not alleged, describe the grounds on why the domain name should not be considered to be an Abusive Registration

The Registry will forward the response to the complainant within three (3) working days after receipt of the same.

Should the registrant fail to respond to the complaint, the complaint is deemed to be submitted for resolution.


COMPLAINANT’S REPLY

Within five (5) days of receiving the respondent’s response, the complainant must submit a reply to the response. The reply shall:
a) not exceed 2000 words and be solely restricted to the issues raised by the respondent and not repeat the issues raised in the initial complaint.
or
b) indicate that the complainant has no further reply to the response of the respondent


REGISTRY’S DECISION

Within three (3) working days of receiving the complainant’s reply or the failure of the registrant to reply, the Registry will issue its decision. Should the Registry find that the assailed domain name does not meet any one of the following criteria:

• it corresponds to a bona fide offering of goods or services
• it is not intended to mislead or divert consumers away or tarnish the trademark or service mark of the complainant
• it corresponds to the name that the company’s subsidiary, authorized partner, or product is commonly known
• it is a generic or a descriptive name which the company has fair use of

then the Registry will issue an adverse ruling against the respondent registrant.

Should the assailed domain meet one of the above criteria, the complaint will be dismissed. The parties to the complaint will be informed of the decision within one (1) working day after the decision is made.

Should the assailed registration be found to be an Abusive Registration, it will be removed from the .SMART registry within two (2) working days.

Should the complaint be dismissed by the Registry, the Complainant may opt to avail of the different ICANN-mandated Rights Protection Mechanism (RPM) to which .SMART adheres.


THE TICKET TRACKING SYSTEM

At any given time, the Registry will have a person assigned to handle all complaints of abusive registrations. Upon receiving a complaint, the person logs the complaint to SMART’s abuse desk facility by filling in details of the complaint which includes the complainant’s e-mail address, the domain being assailed as an abusive registration, the date of complaint, among other details. Once the complaint is logged, the system automatically generates a ticket number and a password for the complainant and the complaint is tagged as “UNDER EVALUATION.” The complainant, using the ticket number and the password, may track the progress of the complaint through the system by logging in to the system’s web-based interface.

When a complaint is logged into the system, it it automatically assigned to a member of the Registry’s operations staff for handling. The staff member checks whether the complaint is valid in form and substance. If so, the handler forwards the complaint to the registrant of the assailed domain. The registrant is given a password to the system to allow it to follow the progress of the complaint through the system by logging in to the system’s web-based interface.

The status of the complaint is changed to “FORWARDED.”

If the complaint is not valid in form and substance, the handler will note all the deficiencies in the complaint and change its status to “COMPLAINT DEFICIENT.” The complainant may then correct all the deficiencies in the complaint and re-submit the complaint under the same ticket number.

When a resubmitted complaint is received, the status is changed to “COMPLAINT EVALUATION.” After seven (7) working days of not being corrected by the complainant, a “COMPLAINT DEFICIENT” complaint is automatically “CLOSED.”

When a registry receives an answer from the registrant, the status of the complaint is changed from “FORWARDED” to “RESPONSE EVALUATION.” The handler evaluates whether the response is valid in form and substance. If so, the response is forwarded to the complainant and the complaint is tagged as “REGISTRANT ANSWERED.” If the response is not valid in form and substance, the deficiencies are logged and the respondent is notified of the deficiencies.


“FORWARDED” complaints are automatically changed to “FOR RESOLUTION” after five (5) days. This occurs when the respondent does not submit an answer to the complaint.

When the complainant’s reply to the registrant’s answer is received, the status of the complaint is changed from “REGISTRANT ANSWERED” to “COMPLAINANT REPLY EVALUATION.” The handler checks that the reply is valid in form and substance. If so, the status is changed from “COMPLAINANT REPLY EVALUATION” to “FOR RESOLUTION.”

After five (5) days, a “REGISTRANT ANSWERED” complaint is changed to “FOR RESOLUTION.” This occurs when no complainant reply which is valid in form and substance is received.

When a complaint’s status changes to “FOR RESOLUTION”, and the complaint is sent to the DotSMART Policy Board for resolution.

RESOURCING PLANS

There will be at least three persons assigned to man the abuse desk ticketing system.

ORPHAN GLUE RECORDS

The registry does not allow orphan glue records.

WHOIS ACCURACY

The accuracy of WHOIS data is guaranteed because the .SMART gTLD is for the exclusive use of the company and its subsidiaries, its authorized partners, and its subscribers. This means that all the registrants are all known to the company. Authentication of the identity of each and every registrant is assured because of each registrant’s relationship with the company.

29. Rights Protection Mechanisms

As stated in the Registry’s Mission and Purpose, the .SMART gTLD will serve the needs of SMART including the provisioning of its cellular, wireless broadband, financial, technology solutions, mobile virtual networks and satellite services for the use of its authorized mobile and Internet subscribers.

The .SMART gTLD is for the exclusive use of the company and its subsidiaries, its authorized partners, and its subscribers. Registration in .SMART is not open to the general public. By controlling every registration in the .SMART gTLD, the company will totally eliminate abusive registrations and other activities that affect the legal rights of others. Through its Policy Board, the company will ensure that each domain name registered in the .SMART has at least one of the following characteristics:

• it corresponds to a bona fide offering of goods or services
• it is not intended to mislead or divert consumers away or tarnish the trademark or service mark of any mark-holders
• it corresponds to the name that the company’s subsidiary, authorized partner, or product is commonly known
• it is a generic or a descriptive name which the company has fair use of

Furthermore, the company will comply with the Rights Protection Mechanisms (RPMs) that have been established by ICANN to protect trademark holders from abusive registrations. Each mechanism is listed below:

1. Trademark Clearinghouse
2. Uniform Rapid Suspension (URS)
3. Post Delegation Dispute Resolution Procedure (PDDRP)
4. Uniform Domain Name Dispute Resolution Policy (UDRP)

This document describes how the .SMART Registry will comply with policies and practices that minimize abusive registrations and other activities that affect the legal rights of others.

1. Trademark Clearinghouse

As a centralized repository of verified data on registered, court-validated word marks or word marks that are protected by statute or treaty, the Clearinghouse is to be used for the Trademark Claims service and the Sunrise Process.

1.1 Trademark Claims service

As a registry for the exclusive use of the company, the registry will not be open to the general public. Only company-related registrants (as defined in the Mission⁄Objective part of the Application) may register domain names in the registry. The Trademark Clearinghouse would be used by the company to be informed of any Trademark claims on prospective domain names as this would impact how the domain names could be used by the company. Should the company decide to continue the registration of a domain name contained in the Clearinghouse Database, company would promptly notify the mark holder(s) of the registration.

1.2. Sunrise service

The objective of the Sunrise service is to allow mark-holders the opportunity to register domain names for their marks ahead of non-mark-holders. However, the purpose of .SMART is to the deliver the company’s goods and services including the provisioning of its cellular, wireless broadband, financial, technology solutions, mobile virtual networks and satellite services for the use of its authorized mobile and Internet subscribers. The registry will not be open to the general public. It doesn’t make sense for the company to allow non-company related entities to register domains in the registry, even if these entities are mark-holders, because that would violate the purpose of the .SMART Registry.

In fact, allowing these mark-holders to register their marks in the .SMART Registry would create the wrong impression that these mark-holders are part of the company, or have a business relationship with the company, or are vetted by the company.

Worse would be to allow a competitor company, COMPETITOR, the mark-holder of the same company name, to register the domain COMPETITOR.SMART as part of the Sunrise service. This would imply to the general public that the company vets for the service of the competitor
company, COMPETITOR.

.SMART is seeking exemption from ICANN from providing this Sunrise service. The company submits that the rights of the mark-holders are amply protected by the Trademark Claims Service.

2. Uniform Rapid Suspension (URS)

Designed as a lighter and quicker relief for trademark holders than the existing UDRP, the remedy that a panel may grant to a complainant is the suspension of a domain name. Within twenty-four (24) hours of receipt of a Notice of Complaint from a URS Provider, the company shall restrict all changes to the registration data. The company shall notify the URS Provider immediately upon locking the domain with a “Notice of Lock.” When a URS panel finds a clear-cut case of trademark abuse in a registered domain name, the Registry will comply with a suspension order immediately upon receipt of the Determination. The nameservers for the domain shall be redirected to the informational web page provided by URS Provider.

3. Post Delegation Dispute Resolution Procedure (PDDRP)

The PDDRP is an administrative option for trademark holders to file an objection against a registry whose affirmative conduct in its operation or use of its gTLD is alleged to cause or materially contribute to the infringement of its trademark and thereby harm the trademark holder.

The Registry understands that because it operates a closed company-only registry, the registration of second-level domains may only be done under the control of the company. Thus it has a great responsibility to ensure that the rights of trademark holders are protected. We believe that by ensuring that the company only registers domain names which meet the characteristics itemized in the Introduction, trademark will never be infringed and the respective trademark holders will never be harmed.

Nevertheless, it is possible for the company or its employees to commit mistakes. These unwitting mistakes will be flagged when a complainant notifies the company of its specific concerns and details the specific conduct the complainant believes infringes on the complainant’s trademarks. The company will attempt to resolve these issues by meeting the conferring with the complainant.

4. Uniform Domain Name Dispute ResolutionPolicy (UDRP)

The UDRP is an administrative remedy for for rights-holding complainant to resolve cases of bad-faith, abusive registration of domain names. Should a UDRP panel favor a complainant, the UDRP panel may order the transfer or the cancellation of a domain name. The registrar is obliged to implement this decision.

As a closed registry, only company-affiliated registrants are allowed to register .SMART domain names and only the company-affiliated registrar may register in their behalf. Should a UDRP decision to cancel or transfer a domain name be received, the company registrar must comply with the order except when restrained by a competent court.

We believe that by ensuring that the company only registers domain names which meet the characteristics itemized in the Introduction, rights will never be infringed and the respective trademark holders will never be harmed.

5. Additional Protection Mechanism

The company is committed to protecting the rights of trademark holders in the .SMART gTLD. This is ensured by following the guideline that a domain name may be registered only if it meets at least one of the following criteria:
• it corresponds to a bona fide offering of goods or services
• it is not intended to mislead or divert consumers away or tarnish the trademark or service mark of any mark-holders
• it corresponds to the name that the company’s susbidiary, authorized
partner, or product is commonly known
• it is a generic or a descriptive name which the company has fair use of


These, in addition to the use of the Trademark Clearing House will ensure that the rights of trademark-holders are amply protected pro-actively. In addition to the above RPMs, the company will make available a specific e-mail address, trademarks@smart, to which rights-holder complaints may be addressed. This will be routed to the members of the .SMART Policy Board. The Legal Staff of the Board is specifically tasked to investigate and answer complaints coursed through the e-mail address. This will ensure that mistakes by the Registry are promptly corrected, even without going through the ICANN-mandated RPMs.

30(a). Security Policy: Summary of the security policy for the proposed registry

SMART has a dedicated Information Asset Protection and Assurance (IAPA) Department that identifies and minimizes risks in order to maximize the success of the company by ensuring confidentiality, integrity and availability of information assets within the company, which will include the operations of .SMART registry.

INDEPENDENT ASSESSMENT BY AN EXTERNAL PARTY

SMART, as a wholly owned mobile phone and Internet service subsidiary of the Philippine Long Distance Telephone Company (PLDT) is required to comply with Sarbanes-Oxley Act. Annual assessment is being conducted by an external party, Ernst & Young (E&Y), to accredit SMART as compliant to the said U.S. Federal Law.

As part of Sarbanes-Oxley Act, the assessment by the external party is to ensure User Access Management (UAM) is strictly followed by the company. UAM in SMART is being reviewed based on the following:

· Type of access (i.e. physical and logical access)
· Type of account (e.g. administrator, regular user, system account)
· Access privilege to ensure practice of least privilege and segregation of duties
· Frequency of review (e.g. monthly, quarterly)
· Employee movement (e.g. transfer, resignation)

Also, SMART Money service of SMART is a Payment Card Industry Data Security Standard (PCI-DSS) compliant service being accredited by PCI Council, one of which is MasterCard. In order to be compliant, a PCI Council-accredited Qualified Security Assessor (QSA) is needed to annually assess all involved processes and systems of the said service.

CORPORATE INFORMATION SECURITY POLICY

The Corporate Information Security Policy of SMART is annually reviewed, updated as necessary, and approved by the top level management before being cascaded to different groups or departments. Current security policy is based on the eleven (11) domains and controls of the ISO 27001:

· Security Policy -- the creation, suitability, adequacy and effectiveness of the information security policy shall be ensured by reviewing the policy at planned intervals or after changes which affect the organization’s security requirements are approved and implemented.
· Organization of information security Policy – this policy pertains to the establishment of applicable processes and controls for both internal and external parties of SMART’s.
· Internal – includes the management commitment to Information Security, establishment of Information Security Steering Committee (ISSC) responsible for developing the management for framework for information security, accountability.
· External – addressing security when outsourcing or dealing with clients or contractors.
· Asset Management Policy – this includes the responsibility for assets and classification of assets
· Human Resource Policy – the policy addresses the security concerning employment lifecycle from prior to employment, during employment, termination or change of employment of an employee, contractor, or third party. The security being addressed includes employee terms and conditions, non-disclosure agreement (NDA), declaration of compliance, inclusion of security responsibilities in the performance evaluation, security awareness and training.
· Physical and Environmental Security Policy – this policy addresses security that includes establishment of physical security perimeter, segregation of areas, access restriction and access authorization requirements, logging of physical entry access, monitoring and audit of the logs, establishment of controls against external and environmental threats, protection of equipment.
· Communications and Operations Management Policy – this policy includes the need for documentation of operation procedures, change management, segregation of duties, separation of facilities (i.e. development, testing, operational), third party service delivery management, system planning and acceptance, protection against malicious and mobile code, back-up, different media handling, exchange of information.
· Access Control Policy – this policy includes the need for endorsement and approval of access request, legal contract or agreement by an authorized SMART office with contractor, business partners, or third party. It also requires following user access management, which refers to user registration, privilege management, password management, and review of user access rights. The policy also includes the need for applicable controls on network, server, application, mobile computing and teleworking.
· Information Systems Acquisition, Development and Maintenance Policy – this policy includes the need for security requirements specifications on all business requirements for new or existing information systems, control of internal processing, data validation, use of cryptographic controls, key management, access control to program source code, security in development and support processes, technical vulnerability management.
· Incident Management Policy – this policy includes reporting information security events and weaknesses, management of information security incidents and improvements that refers to development of Security Response Team, collection and handling of evidence.
· Business Continuity Management Policy – this policy includes the need to adopt a program for developing, testing, maintaining, and update as necessary of business continuity plan throughout SMART in case of a disaster.
· Compliance Policy – this policy includes the need for compliance with legal requirements which refers to identification of applicable legislation, intellectual property rights (IPR), regulation of cryptographic controls, data protection and privacy of personal information. It also includes compliance with SMART’s security policies and standards, and audit considerations.


Complementing the 11 policies are sub-policies that touch on detailed security controls covering the following areas:
· Password and Login Control – covers the security of login and passwords that include, but are not limited to, password complexity, password length, password expiration and account locking.
· Network Security – covers network controls that include, but are not limited to, securing internal networks, externally-access networks or DMZs, implementation of firewalls, other network protection systems (i.e. intrusion detection, web filtering, SPAM control, etc.) and network management. It also covers security of Internet access provided to employees that include, but are not limited to, acceptable use, web filtering, provision of access and compliance with Intellectual Property Rights.
· Information Processing Facilities – covers security for Company facilities used to process Company information that include, but are not limited to, facility classification & corresponding security controls, physical access controls, security of physical equipment and environmental security
· Information Asset Classification – covers security of Company information which includes, but not limited to, classification of information, handling of information based on classification, classification labeling, information ownership and roles & responsibilities.
· Security Monitoring & Incident Management – covers monitoring for security events and managing security incidents that include, but are not limited to, management of system logs (i.e. collection, review, protection, etc.), incident reporting, investigation, response & handling and disciplinary process. This also includes the security of email, desktop, and application systems.
· User Access Management – covers security implemented on all systems that manage all levels of accesses (both from users and from systems) to ensure that systems are accessed only by authorized users or systems at any point in time.
· Outsourcing and Third Party – covers security for working Third Party entities for various engagements and for Outsourcing engagements that include, but are not limited to, service level agreements (SLAs), maintenance services, escalation, contract management, acceptance and data confidentiality.

IAPA RESPONSIBILITIES

Technical Standards – IAPA has a list of different technical standards internally available to SMART technical teams to ensure that systems being deployed follow an internationally-accepted settings or configurations. These technical standards are derived from the documents publicly available on:

· Center for Internet Security or CIS (http:⁄⁄www.cisecurity.org)
· National Institute of Standards and Technology or NIST (http:⁄⁄www.nist.gov⁄index.html)
· Other sites that provide security best practices, such as (but not limited to):
· SANS Institute (http:⁄⁄www.sans.org⁄security-resources)
· Information Systems Audit and Control Association or ISACA (http:⁄⁄www.isaca.org)


Enrollment to Control Compliance Tool – this is an activity to ensure that systems are checked as compliant with the existing technical standards. This activity is done before deployment of systems to production, and regularly observed while the systems are in production.

Vulnerability Management – an activity ensuring a regular vulnerability assessment of systems are performed before and after being deployed. As publicly known, it is a cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. IAPA has a commercially-developed tool to conduct the scan in order to identify the vulnerabilities present on a system. After this, a report will be generated and IAPA will classify or assess what vulnerabilities need to be remediated based on the severity. The assessment will then be forwarded to the custodian of the systems for remediation and mitigation. If all vulnerabilities subject for remediation have been addressed, another round of vulnerability scanning will be conducted for validation.

Installation of Intrusion Detection System (IDS) – an activity currently performed on perimeter of SMART’s network. IAPA is using an open-source IDS tool to detect anomaly-based intrusion and then logged to the centralized log tool in real time. Incident management process follows if intrusion is detected.

Incident Management - handled by the Computer Security Incident Response Team (CSIRT) in IAPA with the following roles and responsibilities:
· Available 24⁄7 to respond to alerts corresponding to intrusion detection, intrusion prevention, and file integrity monitoring systems
· Performs initial investigation of the cause of problems encountered
· Ensure immediate system availability
· Tests the incident management plan (annually) in coordination with the other teams
· Performs Security Monitoring activities scanning our environment for vulnerabilities, threats, and abnormal activities from our systems
· Monitors for the presence of rogue wireless access devices

Sample of Incident Management:
· Operating System Event – Switch user to root
· Any attempts seen will notify CSIRT via e-mail.
· CSIRT will file immediately an incident ticket and directly assign it to the respective custodians of the system involved
· Custodians will then investigate why the users switch user to root
· Comment in the incident ticket coming from the user who triggered the event will be required, explaining the event.
· Assessment, including mitigation and sanctions, will be provided as applicable

(2) Security capabilities are consistent with the overall business approach and planned size of the registry.

IAPA has sufficient manpower and funding to ensure security of gTLD systems and processes.

(3) A technical plan adequately resourced in the planned costs detailed in the financial section.

IAPA has the process, technical plan, and roadmap to implement processes and solutions across Smart Communications. IAPA has also ongoing discussions and implementations of security solutions with vendors including, but not limited to:
· IBM
· HP
· ArcSight
· Tripwire
· Cyber-Ark

IAPA has an annual CAPEX budget to cover new technology tools that would increase the protection of information and USD1.0M for OPEX to continue operations of existing tools and implement Service-type (e.g. Consultations, Outsourced services, etc) security controls.

(4) Security measures are consistent with any commitments made to registrants regarding security levels. Registrant information is protected in that .SMART does not rent, sell, or share personal information about the registrant with other people or non-affiliated companies except to provide products or services that the registrant has requested and has given permission (to be shared).

(5) Security measures are appropriate for the applied for gTLD string (For example, applications for strings with unique trust implications, such as financial services-oriented strings, would be expected to provide a commensurate level of security).

Please refer to section 30(a)(2) above.



© Internet Corporation For Assigned Names and Numbers.