30(a) Security Policy: Summary of the security policy for the proposed registry
Prototypical answer:
gTLD | Full Legal Name | E-mail suffix
.广东 | Guangzhou YU Wei Information Technology Co., Ltd. | zodiac-corp.com
ʺ.STRINGʺ deploys a dedicated database auditing system to audit database commands, a bastion host system to audit server management operations, and a centralized log collection and auditing system (legendsec) that collects the logs of all network devices, servers and application systems, gathering them in one place so that a uniform record is kept.
Auditors use the database auditing system, the bastion hosts and the log collection and auditing system to audit at each level and produce the corresponding reports on a regular basis.
30(a).1.2 Management security policy
30(a).1.2.1 Security management organization
The applicant and the Back-End Service Provider are jointly responsible for the security management and emergency response of ʺ.STRINGʺ registry services. The Back-End Service Provider has established a security management center. The applicant assigns dedicated technical personnel as security contacts, who are responsible for coordinating routine security affairs with the Back-End Service Providerʹs security management center and for supervising the work of the Back-End Service Provider.
To strengthen its information security management system (ISMS), the Back-End Service Provider has also established a ʺvirtualʺ information security management organization consisting of three tiers: the decision-making tier, the execution tier and the auditing tier.
30(a).1.2.2 Security management personnel
A background investigation must be conducted on the personnel responsible for security management related to ʺ.STRINGʺ registry services to make sure that they are sufficiently reliable in terms of educational level, work experience, credibility, etc. The investigation is carried out by the corresponding Personnel Department.
30(a).1.2.3 Security management standards
The applicant and the Back-End Service Provider will put the security management measures of the registry in place in accordance with the practices of the ʺ.CNʺ ccTLD operated by the Back-End Service Provider and the Information Security Management System (ISMS) for Chinese domain names. These consist of four tiers of documents: the information security management manual; management specifications⁄measures⁄procedures⁄standards; implementation rules⁄operation guidelines⁄work guidance; and records⁄logs. See the figure below:
Please see Figure 1 in the attachment of Q30a_Attachment_Figure.
(1) The information security management manual is the guiding document for ʺ.STRINGʺ information security management work. The manual contains the information security policy, the overall objective and the control measures that are listed in the statement of applicability (SOA) and have been implemented. Documents of the second and third tiers, such as management specifications and implementation rules, can be regarded as documents supporting the information security management manual.
(2) Management specifications, measures, procedures and standards clearly define the various management systems and technical control measures. Documents of the second tier provide methods and guidance for implementing the information security management system and for assigning duties. Lower-tier documents should also be referred to when implementing the ISMS.
(3) Implementation rules, operation guidelines and work guidance are documents that describe in detail the processes mentioned in the second-tier documents. Consisting of work guidance, tables and lists, workflow charts, service standards and system manuals, documents of this tier describe specific work and activities in detail.
(4) Records and logs keep a record of the various activities, serving as evidence that these activities meet the requirements of the upper-tier documents. During the implementation of the ISMS, a series of record tables and reports must be kept as evidence that the relevant preventive and corrective measures have been carried out.
30(a).2 Security Capability Assessment
30(a).2.1 Security assessment report
ʺ.STRINGʺ will put the security and safeguarding measures for the implementation of registry services in place in accordance with the practices of the ʺ.CNʺ ccTLD operated by the Back-End Service Provider and the Information Security Management System (ISMS) for Chinese domain names. The ISMS established by the Back-End Service Provider was built in compliance with the ISO 27001 (GB⁄T 22080) security standard and was certified on March 9, 2011 by the China Information Security Certification Center (ISCCC), which is accredited by the China National Accreditation Service for Conformity Assessment (CNAS). The ISCCC certificate confirms that the ISMS conforms to ISO 27001:2005 and to its statement of applicability (SOA).
Please see Figure 2 in the attachment of Q30a_Attachment_Figure.
30(a).2.2 Security capability test and assessment
ʺ.STRINGʺ carries out a security risk assessment at least once a year, covering the classification and categorization of information assets; the identification and assessment of risks; the risk treatment plan and its implementation; and the continuous improvement of the risk assessment. The assessment results serve as the basis for ʺ.STRINGʺ to make decisions on overall risk management, help the applicant identify the overall risks facing ʺ.STRINGʺ, and are used to formulate or adjust risk treatment measures and plans together with the Back-End Service Provider.
In addition, ʺ.STRINGʺ engages a third-party security service organization to conduct a security inspection and assessment every year, the results of which serve as an important basis for security-related work.
30(a).3 Security Level Commitment
30(a).3.1 Introduction to Classified Protection Standard
ʺ.STRINGʺ registry services are managed under the classified information security protection scheme. The security level is determined in conformance with the state classified protection standard, and the applicant publicly commits to achieving the security requirements of the corresponding levels.
Under the classified protection standard, information systems are classified into five classes, from low to high, according to their importance to state security, economic construction and social life, and according to the extent of damage their compromise would cause to state security, social order, public interests, and the legal rights of citizens, legal persons and other organizations. ʺGB⁄T 22239-2008 Information Security Technology--Baseline for Classified Protection of Information System Securityʺ specifies the security requirements that information systems of each level shall meet, as follows:
Class I: protect the system against malicious attacks by individual-level threats with very few resources, against ordinary natural disasters, and against damage to vital resources caused by other threats of corresponding severity. Partial functions can be recovered after the system is damaged.
Class II: protect the system against malicious attacks by small-organization-level threats with few resources, against common natural disasters, and against damage to important resources caused by other threats of corresponding severity. Important security vulnerabilities and incidents can be detected. Partial functions can be recovered within a specified period of time after the system is damaged.
Class III: protect the system against malicious attacks by organization-level threats with relatively abundant resources, against relatively serious natural disasters, and against major damage to resources caused by other threats of corresponding severity. Most functions can be recovered relatively quickly after the system is damaged.
Class IV: under a unified security strategy, protect the system against malicious attacks by state-level threats with abundant resources, against serious natural disasters, and against damage to resources caused by other threats of corresponding severity. All functions can be recovered promptly after the system is damaged.
Class V: (yet to be defined)
ʺInformation Security Technology—Baseline for Classified Protection of Information System Security (GB⁄T 22239-2008)ʺ defines the security requirements for information systems of each level. Building on it, ʺSecurity Protection Requirements for the Domain Name System (YD⁄T 2052-2009)ʺ and ʺSecurity Protection Requirements for the Domain Name Registration System (YD⁄T 2245-2011)ʺ further define the security requirements for the domain name system and the domain name registration system at each security level. These requirements are divided into basic technical requirements and basic management requirements. Technical security requirements concern the technology and security mechanisms provided by the information system and are met mainly through the deployment of software and hardware and the correct configuration of security functions. Management security requirements concern the activities that the various roles take part in and are met mainly by controlling those activities through policy, regulations, procedures, records and so on.
30(a).3.2 Security Level Commitment
ʺ.STRINGʺ makes the following security commitments to registrants:
(1) The DNS⁄DNSSEC service system provides global Internet users with ʺ.STRINGʺ domain name resolution services. Class-4 protection is applied to the primary operation centers and Class-3 protection to the nameserver data centers (all nameserver data centers treated as one unit).
(2) The SRS service, with Class-3 protection, provides global users with ʺ.STRINGʺ domain name registration services through the registry.
(3) The Whois service, with Class-3 protection, provides global users with ʺ.STRINGʺ domain name query services.
The applicant and the Back-End Service Provider (BESP) have jointly agreed to establish the corresponding security policy with reference to the security requirements for information systems of each level, to deploy security assurance measures, to satisfy each requirement in the standards, and to accept third-party examination, with a view to guaranteeing that ʺ.STRINGʺ fulfils its security-level commitments.
Similar gTLD applications: (0)