30(a) Security Policy: Summary of the security policy for the proposed registry

Prototypical answer:

30.1. JPRS Information Security Policy and the ISMS Documents
In this section, the summary of the key measures and procedures to operate registry services will be described from JPRS information security policy and the ISMS Documents.

30.1.1. Scope
The JPRS information security policy and the ISMS Documents shall cover everything related to the JPRS registry services such as human, physical and environmental information asset and processes.

30.1.2. JPRS Corporate Philosophy and the Information Security Policy
JPRS corporate philosophy is ʹAs a company dedicated to maintaining the network infrastructure, JPRS contributes to the development of the Internet and the building of a better future for everyone.ʹ JPRS considers all the internet users in the world as our clients and that it is our social responsibility to protect registry information appropriately and handle them securely. To ensure that all personnel are aware of their responsibilities and their duties, the information security policy is further established.
The details of JPRS Information Security Policy are described in #30.6 (Information Security Policy).

30.1.3. Risk Management
JPRS shall establish risk management policy, organization and procedures to conduct risk management in order to prevent information assets from security risks such as theft, loss and damage.
The details of risk management are described in #30.7 (Risk Management).

30.1.4. Information Security Organization
JPRS shall establish an internal organization to manage information security and define the respective roles and responsibilities.
The details of information security organization are described in #30.8 (Information Security Organization).

30.1.5. Asset Management
JPRS shall identify an owner who is responsible for each information asset and manage them appropriately depending on the sensitivity of the information. All documents of registry services are basically labeled as the most confidential documents and the only personnel who require them for operation can view them.

30.1.6. Human Resource Security
In order to prevent security breaches such as human error or misuse, JPRS shall implement human resource security such as background checks and security training.
The details of human resource security are described in #30.9 (Human Resource Security).

30.1.7. Physical and Environmental Security
JPRS shall implement entry controls for its offices and data centers to ensure that only authorized personnel are allowed access and to prevent unauthorized access, interference and damage to its business premises.
The details of physical and environmental security are described in #30.10 (Physical and Environmental Security).

30.1.8. Communications and Operations Management
JPRS shall develop the communications and operational management procedures to minimize the risk of system failures and to prevent incomplete communication, and review them at least once a year. This shall be achieved by understanding the technical and business demands required for registry services and managing the configuration of software, hardware and networks.
The details of communications and operations management such as operational procedures and change management, segregation of duties, facilities and networks, third party service delivery management, network and storage capacity management, protection against malicious and mobile code, backup, media handling, exchange of information and monitoring are described in #30.11 (Communications and Operations Management).

30.1.9. Access Control
Access control to information asset and information systems shall be implemented to ensure authorized user access and to prevent unauthorized access.
The details of access control such as user access management, privilege management, network access control, operating system access control, mobile computing and teleworking, protection against DoS⁄DDoS attacks, and intrusion detection system are described in #30.12 (Access Control).

30.1.10. Information Systems Acquisition, Development and Maintenance
JPRS shall ensure that security measures are properly implemented for new information systems.
The details of information systems acquisition, development and maintenance are described in #30.13 (Information Systems Acquisition, Development and Maintenance).

30.1.11. Information Security Incident Management
JPRS shall establish a policy and mechanisms to prevent recurrences of security incidents by monitoring security incidents which occurred and minimize the damage from them.
The details of information security incident response procedures are described in #30.14 (Information Security Incident Management).

30.1.12. Business Continuity Management
JPRS shall establish business continuity planning by considering the interference to registry services and the results.
The details of business continuity management are described in #30.15 (Business Continuity Management).

30.1.13. Internal Audits
JPRS shall conduct internal audits regularly to review the implementation of information security.
The details of internal audit procedures are described in #30.16 (Internal Audits).

30.2. Security Capability of .jprs Registry Services
As described in #18 (Mission⁄purpose), JPRS intends to share the second level domain of .jprs with our JPRS partners (business partners and various community partners) and JPRS will be the sole registrant and the primary user of .jprs. Hence, JPRS projects that the .jprs second level registered domain names to be as many as 1,000.
JPRS does recognize that it is highly important to protect registrantsʹ information and ensure 100% availability of DNS service. Therefore, JPRS has implemented various security measures to protect confidentiality, integrity and availability of information while operating .jp registry services for more than ten years.
e.g.
- Access controls, network configurations
- Encryption of the communication and the data,
- Digital signature, including deployment of the DNSSEC solutions
- Diversity of software, hardware, network and site configuration
JPRS has developed the knowledge and skills which are required to operate registry services and .jprs registry services are constructed based on them. In addition, this knowledge and skills are reflected in the information security policy and the ISMS documents which apply to .jprs registry services and those documents will be reviewed and improved regularly if necessary.
Thus, it is ensured that JPRS can apply adequate security measures to .jprs registry services.

30.3. Security Capabilities to The Other Answers in This Application
Various security measures are implemented in .jprs registry services based on the JPRS information Security Policy and the ISMS Documents.
Security measures implemented in five main registry functions, specifically Shared Registration System, DNS, DNSSEC, Registry Data Publication Services (Whois, Zone File Access, Bulk Registration Data Access) and Data Escrow, are described in #30.17 (Security measures implemented in the five main features of the .jprs registry services). Further detailed technical and operational approaches to implement security measures are described in the other answers of ʹTechnical and Operational Capabilityʹ part of this application.
Also, the resourcing and financial planning are described in the answers of ʹʹFinancial Capabilityʹ part of this application.

30.4. Compliance with the Commitments Made to Registrants
JPRS understands that it is very important to provide adequate security to .jprs registry services.
The following are the most important commitments made to registrants regarding its security levels.
- Compliance with the Personal Information Protection Act in Japan
- Operation of DNS servers for 24⁄7
- Handling registration information by following the ʺRegistration Information Handling Manual of JPRS domain nameʺ
- Operation of DNSSEC on the basis of JPRS DPS
These commitments can be ensured by deploying security measures in accordance with the principles of the JPRS information security policy and the ISMS Documents.

30.5. Reference Security Standards
In the security point of view, JPRS refers to and shall comply with the following RFC and shall comply.
- RFC2870
ʺRoot Name Server Operational Requirements RFC2870,ʺ IETF 〈http:⁄⁄www.ietf.org⁄rfc⁄rfc2870.txt〉

In addition, JPRS refers to the following standards and shall implement their basic concepts of them, which are considered necessary to operate registry services.
- ISO⁄IEC 27001:2005,ISO⁄IEC 27002:2005,ISO⁄IEC 27005:2011
ʺInternational Organization for Standardization,ʺ International Organization for Standardization
Information technology -- Security techniques -- Information security management systems - Requirements
Information technology -- Security techniques -- Code of practice for information security management
Information technology -- Security techniques -- Information security risk management
〈http:⁄⁄www.iso.org⁄iso⁄home.htm〉
- PMBOK
ʺPMBOK (r) Guide and Standards,ʺ Project Management Institute http:⁄⁄www.pmi.org⁄PMBOK-Guide-and-Standards.aspx

Similar gTLD applications: (0)