30(a) Security Policy: Summary of the security policy for the proposed registry

Prototypical answer:

gTLD: .sakura
Full Legal Name: SAKURA Internet Inc.
E-mail suffix: sakura.ad.jp

30.1. SAKURA Internet ISMS Operation
SAKURA Internet has implemented and operates an Information Security Management System (ISMS) in order to address the critical management issue of protecting its information assets from various threats. Our ISMS protects our information assets from different kinds of threat, and we operate the management system based on a PDCA (Plan-Do-Check-Act) cycle. In case of actual damage, we have a task force prepared to respond rapidly and recover from the damage, in order to maintain and continue our operations and business.

SAKURA Internet obtained certification against the information security management standard JIS (Japanese Industrial Standard) Q 27001:2006 (ISO/IEC 27001:2005) in April 2006. ISO 27001/ISMS is the international standard, with a third-party conformity assessment system, for the proper establishment and operation of a documented Information Security Management System (ISMS).

In July 2006, SAKURA Internet obtained Privacy Mark certification, complying with the Japanese Industrial Standard JIS Q 15001:2006 (Compliance Program for Personal Information Protection), in recognition of the importance of personal information.

Privacy Mark is an evaluation program based on the JIS Q 15001 standard, with a third-party conformity assessment system, that evaluates and certifies businesses for their conformity in implementing personal information protection. SAKURA Internet has established a personal information protection management system, has implemented and maintained it, and will continue to improve it.

30.1.1. SAKURA Internet Information Security Fundamental Policy
In implementing the ISMS, we set out the fundamental policy in the "ISMS Manual", which is the basis for the operation of our information security management system. As an internet services provider, SAKURA Internet has been striving to become the kind of company that society requires, by joining its entire forces, always with new ideas and the ability to take action.

We have created the information security fundamental policy for the purpose of handling our various information assets properly, by complying with the relevant laws and regulations pertaining to information security and with the security obligations set forth in our agreements, and by establishing autonomous rules appropriate to our corporate philosophy.

Based on the ideas behind our information security fundamental policy, we will implement appropriate information security with respect to the identification, management and protection of information assets, through the concerted effort of executive officers and employees (including contracted employees, temporary staff, part-time employees and personnel from subcontractors).

The details of the SAKURA Internet Information Security Fundamental Policy and its action guidelines are described in the answer for #30.6 (SAKURA Internet Information Security Policy).

30.1.2. Risk Management
SAKURA Internet shall implement appropriate risk management strategies to avoid or minimize, at minimal expense, the unexpected contingent losses caused by various risks. The details of .sakura risk management are described in #30.7 (Risk Management).

30.1.3. Information Security Organization
SAKURA Internet shall establish an internal organization to manage information security and define the respective roles and responsibilities.
The details of information security organization are described in #30.8 (Information Security Organization).

30.1.4. Information Asset Management
SAKURA Internet shall classify information in order to manage confidential information properly and all information shall be handled according to the classification level.
The details of information asset management are described in #30.9 (Information Asset Management).

30.1.5. Human Resources Security
In order to prevent security breaches such as intentional or unintentional human error and misuse by executive officers and employees, SAKURA Internet shall implement human resources security measures such as background checks and security training. The details of human resources security are described in #30.10 (Human Resources Security).

30.1.6. Physical Security
SAKURA Internet shall implement entry controls for SAKURA Internet offices to ensure that only authorized personnel are granted access and to prevent unauthorized access, interference and damage to its business premises. The details of physical security are described in #30.11 (Physical Security).

30.1.7. Communications and Operations Management
In order to minimize the risk of system failures, SAKURA Internet shall establish communications and operations management covering third-party service delivery management, network and storage capacity management, protection against malicious and mobile code, backup, and monitoring. The details of communications and operations management are described in #30.12 (Communications and Operations Management).

30.1.8. Access Control
SAKURA Internet information systems shall be accessible only to the minimum required personnel, and activities within the information systems shall be traceable so that responsibility can be established and unauthorized use of the information systems prevented. SAKURA Internet shall implement access controls such as user access management, privilege management, network access control, controls for mobile computing and teleworking, protection against DoS/DDoS attacks, and an intrusion detection system. The details of the above are described in #30.13 (Access Control).

30.1.9. Information Systems Development and Maintenance
When developing information systems, SAKURA Internet shall conduct a risk assessment and implement security measures commensurate with the anticipated damage from a system failure or a security breach. The details of information systems development and maintenance are described in #30.14 (Information Systems Development and Maintenance).

30.1.10. Information Security Incident Management
SAKURA Internet shall respond to security incidents rapidly to minimize the impact of damage, by defining response procedures for when a security incident occurs or when an attempt that may lead to a security incident is discovered. The details of the information security incident response procedures are described in #30.15 (Information Security Incident Management).

30.1.11. Business Continuity Management
SAKURA Internet shall design and maintain the procedures necessary to ensure continued business activities by recovering critical information systems in the event of a natural disaster such as an earthquake, or of communications facility failures and malfunctions, taking into account the major risk of our services and operations being interrupted for a long period of time.

SAKURA Internet shall plan and conduct a business continuity test on a regular basis to ensure that the plan functions effectively. Furthermore, we will evaluate the plan after each periodic test to make sure that it remains consistent with current business conditions.

30.1.12. Internal Audits
SAKURA Internet shall conduct internal audits regularly to review the implementation of information security. The details of internal audit procedures are described in #30.16 (Internal Audits).

30.2. Security Capability of .sakura
As described in the answer for #18 (Mission/purpose), .sakura will restrict the registration and use of domain names to within SAKURA Internet, and SAKURA Internet projects that the number of registrations in .sakura will be no more than 1,000. .sakura will be built not only on the best practice of SAKURA Internet information security but also on the knowledge and skills required to operate registry services, provided by the .sakura Registry Operator. This enables SAKURA Internet to apply adequate security measures to the .sakura registry services.

30.3. Compatibility with Other Capabilities
Various security measures are implemented in the .sakura registry services based on the SAKURA Internet Information Security Fundamental Policy. The security measures implemented in the five main registry functions, specifically the Shared Registration System, DNS, DNSSEC, Registry Data Publication Services (Whois, Zone File Access, Bulk Registration Data Access), and Data Escrow, are described in #30.17 (Security Measures Implemented in Five Major Registry Services). Further detailed technical and operational approaches to implementing security measures are described in the answers for the following: #24 (SRS performance), #25.1 (EPP), #26 (Whois), #27 (Registration life cycle), #28 (Abuse prevention & mitigation), #29 (Rights protection mechanisms), #31 (Technical overview of proposed registry), #32 (Architecture), #33 (Database capabilities), #34 (Geographic diversity), #35 (DNS service compliance), #36 (IPv6 reachability), #37 (Data backup policies and procedures), #38 (Escrow), #39.4.2 (Registry Continuity), #40 (Registry transition), #41 (Failover testing), #42 (Monitoring and fault escalation processes), #43 (DNSSEC), #44 (IDNs). Resourcing and financial planning are described in the answers for the following: #45 (Financial statements), #46 (Projections template: costs and funding), #47 (Costs: setup and operating), #48 (Funding and revenue), #49 (Contingency planning), #50 (Continuity: continued operations instrument).

30.4. Commitments Made to Registrants for Security and Compliance
SAKURA Internet understands that it is very important to provide adequate security for the .sakura registry services. In July 2006, SAKURA Internet obtained Privacy Mark certification, complying with the Japanese Industrial Standard JIS Q 15001:2006 (Compliance Program for Personal Information Protection), and we have established a personal information protection management system. We have implemented and maintained the system and continue to improve it. The following are the most important commitments made to registrants regarding security:

- Compliance with the laws and regulations for personal information protection, as well as with the guidelines set forth by the responsible ministries and agencies and by the related industry associations;
- Handling of registration information in compliance with JIS Q 15001:2006;
- Operation of DNSSEC on the basis of the .sakura DPS (DNSSEC Practice Statement).

These commitments are ensured by deploying security measures in accordance with the principles of the SAKURA Internet information security rules and regulations.

30.5. Referenced Security Standards
From a security point of view, SAKURA Internet refers to and shall comply with the following RFC:
- RFC 2870, "Root Name Server Operational Requirements," IETF, http://www.ietf.org/rfc/rfc2870.txt

In addition, SAKURA Internet has been certified to the following standards and shall operate in accordance with them:
- JIS Q 27001:2006 (ISO/IEC 27001:2005)
- JIS Q 15001:2006 (Privacy Mark)

Similar gTLD applications: (0)
