30(a) Security Policy: Summary of the security policy for the proposed registry

Prototypical answer:

SECURITY ASSESSMENT REPORTS

Annually, the company submits to three external assessments of its security processes.

1. The company’s SSL issuance service complies with WebTrust for Certificate Authorities and WebTrust Extended Validation criteria.

2. The company receives a Service Organization Control (SOC) 2⁄ 3 report relating to Statement on Standards for Attest Engagements (SSAE) No. 16 attesting to the security of its hosting operations.

3. The company complies with Payment Card Industry Data Security Standard (PCI-DSS) with respect to processing payments from its customers, and its Quick Shopping Cart product.

See Attachments 5-9 to the response to Question 30 (b) for details.

AUGMENTED SECURITY LEVELS

In addition to the requirements outlined in the Security Assessment Reports section, the company has also implemented security practices in accordance with:

1. ISO⁄IEC 27002, located at http:⁄⁄www.iso.org⁄iso⁄catalogue_detail?csnumber=50297

2. Open Web Application Security Project (OWASP), located at https:⁄⁄www.owasp.org⁄index.php⁄Main_Page

3. Computer Security Incident Response Team, located at http:⁄⁄www.csirt.org⁄

LOGICAL SECURITY PROCESSES & SOLUTIONS

The company has a dedicated security department made up of over 30 security professionals who report to the Chief Information Security Officer (CISO) and has twenty-four (24) hour per day, seven (7) day per week coverage to monitor the environment and respond to incidents. Each of the security personnel possess at least 4 years of security experience and are required to obtain their CISSP certification. The department is further broken into various specialty teams that ensure the overall security of the company. These teams include security operations, penetration testing, forensics, engineering, and research. The company also has a privacy committee made up of individuals from four different departments, including Security, Networking, Development, and eCommerce. They are responsible for review and approval of changes to security-sensitive environments, and the information security policy.

ROLES AND RESPONSIBILITIES

Roles and responsibilities for the information security department and teams responsible for implementing security are defined to enforce appropriate segregation of duties with respect to implementing and monitoring security. All individuals responsible for implementing and monitoring security, as well as individuals who are granted access to security-sensitive information are required to pass annual background and credit checks.

SECURITY POLICIES

The company’s security policies document details requirements for users and system administrators, and specifically cites ISO⁄IEC 27002, WebTrust for Certificate Authorities, and PCI-DSS, where applicable, for each policy. The document is posted on the company’s intranet site. Employees review and acknowledge the policies on hire and at least annually. See Attachment 1 to the response to Question # 30(b).

The company’s software development lifecycle document (SDLC) also contains specific guidance with respect to secure coding techniques required for software developed internally. See Attachment 2 to the response to Question # 30(b).

In addition to the security policies, the security department also maintains an operations guide and an incident response procedure. The operations guide details the daily monitoring and reporting responsibilities of the security operations staff. The incident response document is tested at least annually. See Attachment 3 to the response to Question # 30 (b) in relation to the SOC Operations Guide. See Attachment 4 to the response to Question # 30 (b) in relation to the CSIRT document.

SECURITY POLICIES VERSION 3.14

The security policy is broken into eleven (11) sections, topically addressing the security organization, asset management, integration with human resource policies, physical and environmental security, communications management, operations management, access control, software development, incident management, business continuity management and compliance.

Logical access control is enforced using a combination of hardware, software and procedures. Examples include, but are not limited to, firewalls, addressing, account management, security awareness exercises, security devices and physical security.

SOFTWARE DEVELOPMENT LIFECYCLE (SDLC) VERSION 1.18

The SDLC outlines the separation of test and production environments, provides guidelines for secure coding, outlines approvals and the change process, and details industry standards and best practices that should be used throughout the development lifecycle. See Attachment 2 to the response to Question 30(b) for details.

Pursuant to compliance standards and industry best practices, any development changes are implemented in the test environment, tested by Quality Assurance (QA), approved by the appropriate members of management, and deployed into production. Prior to implementation of any changes, a rollback plan is conceived which outlines the details for removing the change from the production environment. Post implementation testing is also required, during which time QA verifies the functionality of software in the production environment.

The SDLC also outlines additional business approvals which help safeguard company information and availability. For example, additional approvals are required anytime there will be a system change which involves any financial or accounting information. A privacy committee is required to review and approve the Software Architecture Specification (SAS) for any such changes prior to implementation into the production environment. Furthermore, all high risk and high impact changes also have an additional level of approval, which must approve the change prior to deployment into the production environment.

The SDLC reaffirms the company’s subscription to the Open Web Application Security Project (OWASP - http:⁄⁄www.owasp.org) principles and best practices and mandates that all developers and QA are familiar with the OWASP site. Additional OWASP training materials are listed for employee reference. Additionally, Developers and QA who support protected systems are required to pass courses on the topic of programming for security.

COMPUTER SECURITY INCIDENT RESPONSE TEAM (CSIRT)

The CSIRT procedures are broken into seven sections that address the roles and responsibilities of the CSIRT. Its main purpose is to address the process for managing incidents as they arise and to delegate responsibility for the different members of the CSIRT. The seven sections are as follows: Document Description, Team Composition and Contact Information, Charter, Services, CSIRT Flow Chart, Attachment 1 (External Incident Report Form), and Attachment 2 (Major Incident Report Form). See Attachment 4 to the response to Question 30(b) for details.

SECURITY OPERATIONS CENTER (SOC) OPERATIONS GUIDE

The operations guide includes procedures for daily, monthly, quarterly and annual tasks performed by the Security Operations Center (SOC). In summary, the guide provides definitions of daily security reports, vulnerability scanning requirements, and required drills. See Attachment 3 to the response to Question 30(b) for details.

RELATIONSHIPS WITH OTHER SECTIONS OF THE APPLICATION

This overview is consistent with the technical, operational and financial approach outlined in answers provided to Questions # 22-29, 31-43 and 45-50. It encompasses commitments made to registrants in Go Daddy’s Privacy Policy, located at http:⁄⁄www.godaddy.com⁄agreements⁄ShowDoc.aspx?pageid=privacy and Go Daddy’s Universal Terms of Service and other service agreements, located at http:⁄⁄www.godaddy.com⁄legal-agreements.aspx?ci=46445&otab=2. Go Daddy will provide the same level of contractual commitments to registrants of the gTLD. As outlined in the Security Organization section above, an adequate level of resources are on hand, and additional resources may be committed if needed. The company’s current security, as outlined in this section, is commensurate with the nature of the applied-for gTLD string.

Similar gTLD applications: (2)