28. Abuse Prevention and Mitigation
The .SMART gTLD is for the exclusive use of the company and its subsidiaries, its authorized partners, and its subscribers. Registration in .SMART is not open to the general public. By controlling every registration in the .SMART gTLD, the company will totally eliminate abusive registrations and other activities that affect the legal rights of others.
A domain name in the .SMART gTLD is considered to be a valid domain name if it meets at least one of the following characteristics:
1) it corresponds to a bona fide offering of goods or services
2) it is not intended to mislead or divert consumers away or tarnish the trademark or service mark of any mark-holders
3) it corresponds to the name by which the company’s subsidiary, authorized partner, or product is commonly known
4) it is a generic or a descriptive name which the company has fair use of
Only valid domain names may be registered in the .SMART gTLD.
An Abusive Registration is one which is not a valid domain name and which
1) was registered to take an unfair advantage of or to the detriment of a Complainant’s Rights or
2) has been used in a manner which has taken unfair advantage of or has been unfairly detrimental to the Complainant’s Rights
Despite the policy of registering only valid domain names, it is possible for the company or its employees to commit mistakes. These unwitting mistakes will be flagged when a complainant notifies the company of its specific concerns and details the specific conduct the complainant believes as an abusive registration. The company will publish in its website a single abuse point of contact responsible for addressing complaints of abusive registrations. At any given time, at least one staff member of the SMART operations staff is tasked with the responsibility of ensuring that the
The following details the .SMART policy and procedures for handling complaints of abusive registrations:
COMMUNICATION
1) All complaints must be in English or Filipino and must be in written form.
2) Complaints must be submitted by fax, e-mail, or registered mail. In the .SMART website, the registry will publish an e-mail address, fax number(s), and postal address to receive complaints of abuse.
3) E-mailed complaints must be sent as plain text and attachments must be in PDF.
4) All complaints are deemed to have been received on:
i. if sent by fax, on the date transmitted; or
ii. if sent by registered mail, on the day of delivery; or
iii. if sent via the Internet, on the date that the e-mail was received by .SMART’s mail server(s);
iv. and, unless otherwise provided in this procedure, the time periods provided for under the Policy and this Procedure shall be calculated accordingly.
COMPLAINTS
1) Any person or organization may submit a complaint of Abusive Registration following the procedures in this document.
2) The complaint shall:
a) not exceed 5000 words
b) specify the complete name and address (postal and e-mail) of the complainant
c) specify the domain name which the complainant alleges to be an Abusive Registration
and
i) if alleging violation of complainant’s rights,
I. the rights the complainant claims in the name or mark
II. the name or mark the complainant claims it has rights to
III. documentary evidence to prove such rights over the name or mark
ii) if not alleging violation of complainant’s rights, describe the grounds on which the complaint is made and why the domain name should be considered to be an Abusive Registration in the hands of the Respondent
REGISTRY’S ACTION
.SMART will check that the complaint complies with the form prescribed in this document. If non-compliant, .SMART will immediately inform the complainant of the deficiencies in the filed complaint and allow the complainant to file a modified complaint to remedy the deficiencies. If the complaint is valid in form and substance, the registry will forward the complaint to the registrant of the domain, together with an explanatory covering letter. The registry will handle all complaints within three (3) working days.
REGISTRANT’S RESPONSE
Within five (5) working days after receipt of the complaint, the respondent registrant must submit its reply to the complaint. The reply shall:
a) not exceed 5000 words
b) specify the grounds of the registrant to rebut the complaint of an Abusive Registration:
i) if violation of complainant’s rights is alleged,
I. the rights the registrant claims in the name or mark
II. the name or mark the registrant claims it has rights to
III. documentary evidence to prove such rights over the name or mark
ii) if violation of complainant’s rights is not alleged, describe the grounds on why the domain name should not be considered to be an Abusive Registration
The Registry will forward the response to the complainant within three (3) working days after receipt of the same.
Should the registrant fail to respond to the complaint, the complaint is deemed to be submitted for resolution.
COMPLAINANT’S REPLY
Within five (5) days of receiving the respondent’s response, the complainant must submit a reply to the response. The reply shall:
a) not exceed 2000 words and be solely restricted to the issues raised by the respondent and not repeat the issues raised in the initial complaint.
or
b) indicate that the complainant has no further reply to the response of the respondent
REGISTRY’S DECISION
Within three (3) working days of receiving the complainant’s reply or the failure of the registrant to reply, the Registry will issue its decision. Should the Registry find that the assailed domain name does not meet any one of the following criteria:
• it corresponds to a bona fide offering of goods or services
• it is not intended to mislead or divert consumers away or tarnish the trademark or service mark of the complainant
• it corresponds to the name by which the company’s subsidiary, authorized partner, or product is commonly known
• it is a generic or a descriptive name which the company has fair use of
then the Registry will issue an adverse ruling against the respondent registrant.
Should the assailed domain meet one of the above criteria, the complaint will be dismissed. The parties to the complaint will be informed of the decision within one (1) working day after the decision is made.
Should the assailed registration be found to be an Abusive Registration, it will be removed from the .SMART registry within two (2) working days.
Should the complaint be dismissed by the Registry, the Complainant may opt to avail of the different ICANN-mandated Rights Protection Mechanism (RPM) to which .SMART adheres.
THE TICKET TRACKING SYSTEM
At any given time, the Registry will have a person assigned to handle all complaints of abusive registrations. Upon receiving a complaint, the person logs the complaint to SMART’s abuse desk facility by filling in details of the complaint which includes the complainant’s e-mail address, the domain being assailed as an abusive registration, the date of complaint, among other details. Once the complaint is logged, the system automatically generates a ticket number and a password for the complainant and the complaint is tagged as “UNDER EVALUATION.” The complainant, using the ticket number and the password, may track the progress of the complaint through the system by logging in to the system’s web-based interface.
When a complaint is logged into the system, it is automatically assigned to a member of the Registry’s operations staff for handling. The staff member checks whether the complaint is valid in form and substance. If so, the handler forwards the complaint to the registrant of the assailed domain. The registrant is given a password to the system to allow it to follow the progress of the complaint through the system by logging in to the system’s web-based interface.
The status of the complaint is changed to “FORWARDED.”
If the complaint is not valid in form and substance, the handler will note all the deficiencies in the complaint and change its status to “COMPLAINT DEFICIENT.” The complainant may then correct all the deficiencies in the complaint and re-submit the complaint under the same ticket number.
When a resubmitted complaint is received, the status is changed to “COMPLAINT EVALUATION.” After seven (7) working days of not being corrected by the complainant, a “COMPLAINT DEFICIENT” complaint is automatically “CLOSED.”
When a registry receives an answer from the registrant, the status of the complaint is changed from “FORWARDED” to “RESPONSE EVALUATION.” The handler evaluates whether the response is valid in form and substance. If so, the response is forwarded to the complainant and the complaint is tagged as “REGISTRANT ANSWERED.” If the response is not valid in form and substance, the deficiencies are logged and the respondent is notified of the deficiencies.
“FORWARDED” complaints are automatically changed to “FOR RESOLUTION” after five (5) days. This occurs when the respondent does not submit an answer to the complaint.
When the complainant’s reply to the registrant’s answer is received, the status of the complaint is changed from “REGISTRANT ANSWERED” to “COMPLAINANT REPLY EVALUATION.” The handler checks that the reply is valid in form and substance. If so, the status is changed from “COMPLAINANT REPLY EVALUATION” to “FOR RESOLUTION.”
After five (5) days, a “REGISTRANT ANSWERED” complaint is changed to “FOR RESOLUTION.” This occurs when no complainant reply which is valid in form and substance is received.
When a complaint’s status changes to “FOR RESOLUTION”, the complaint is sent to the DotSMART Policy Board for resolution.
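The status transitions above form a small state machine with three timed, automatic transitions. The following is an added example, not the registry’s own abuse desk software, that models that workflow: the status names and waiting periods are the ones given in the text; the ticket number format, the password generation, the treatment of a deficient response or reply (sent back to the previous waiting status), and the use of calendar days instead of working days are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Status names as used in the ticket tracking description.
UNDER_EVALUATION = "UNDER EVALUATION"
COMPLAINT_DEFICIENT = "COMPLAINT DEFICIENT"
COMPLAINT_EVALUATION = "COMPLAINT EVALUATION"
FORWARDED = "FORWARDED"
RESPONSE_EVALUATION = "RESPONSE EVALUATION"
REGISTRANT_ANSWERED = "REGISTRANT ANSWERED"
COMPLAINANT_REPLY_EVALUATION = "COMPLAINANT REPLY EVALUATION"
FOR_RESOLUTION = "FOR RESOLUTION"
CLOSED = "CLOSED"

# Handler-driven transitions: current status -> statuses a handler may set.
# Returning a deficient response/reply to the previous waiting status is an
# assumption; the text only says the deficiencies are logged and notified.
MANUAL_TRANSITIONS = {
    UNDER_EVALUATION: {FORWARDED, COMPLAINT_DEFICIENT},
    COMPLAINT_DEFICIENT: {COMPLAINT_EVALUATION},
    COMPLAINT_EVALUATION: {FORWARDED, COMPLAINT_DEFICIENT},
    FORWARDED: {RESPONSE_EVALUATION},
    RESPONSE_EVALUATION: {REGISTRANT_ANSWERED, FORWARDED},
    REGISTRANT_ANSWERED: {COMPLAINANT_REPLY_EVALUATION},
    COMPLAINANT_REPLY_EVALUATION: {FOR_RESOLUTION, REGISTRANT_ANSWERED},
}

# Automatic transitions: status -> (days waited, next status). The text counts
# working days for the 7-day deficiency window; calendar days are used here.
AUTO_TRANSITIONS: Dict[str, Tuple[int, str]] = {
    COMPLAINT_DEFICIENT: (7, CLOSED),
    FORWARDED: (5, FOR_RESOLUTION),
    REGISTRANT_ANSWERED: (5, FOR_RESOLUTION),
}


@dataclass
class Ticket:
    ticket_id: str
    domain: str
    complainant_email: str
    status: str
    status_since: date
    complainant_password: str
    registrant_password: Optional[str] = None
    history: List[Tuple[date, str]] = field(default_factory=list)


class AbuseDesk:
    def __init__(self) -> None:
        self.tickets: Dict[str, Ticket] = {}

    def log_complaint(self, domain: str, complainant_email: str, today: date) -> Ticket:
        """Log a complaint: ticket number and complainant password are generated."""
        ticket = Ticket(
            ticket_id=f"SMART-{len(self.tickets) + 1:06d}",  # assumed format
            domain=domain,
            complainant_email=complainant_email,
            status=UNDER_EVALUATION,
            status_since=today,
            complainant_password=secrets.token_urlsafe(12),
        )
        ticket.history.append((today, UNDER_EVALUATION))
        self.tickets[ticket.ticket_id] = ticket
        return ticket

    def set_status(self, ticket: Ticket, new_status: str, today: date) -> None:
        """Handler-driven status change; refuses anything the workflow does not allow."""
        if new_status not in MANUAL_TRANSITIONS.get(ticket.status, set()):
            raise ValueError(f"{ticket.status!r} -> {new_status!r} is not a valid transition")
        if new_status == FORWARDED and ticket.registrant_password is None:
            # Forwarding gives the registrant its own tracking password.
            ticket.registrant_password = secrets.token_urlsafe(12)
        ticket.status = new_status
        ticket.status_since = today
        ticket.history.append((today, new_status))

    def run_timeouts(self, today: date) -> List[str]:
        """Daily job applying the automatic transitions; returns changed ticket ids."""
        changed = []
        for ticket in self.tickets.values():
            rule = AUTO_TRANSITIONS.get(ticket.status)
            if rule and today - ticket.status_since >= timedelta(days=rule[0]):
                ticket.status = rule[1]
                ticket.status_since = today
                ticket.history.append((today, rule[1]))
                changed.append(ticket.ticket_id)
        return changed

    def track(self, ticket_id: str, password: str) -> Optional[str]:
        """Web-interface lookup: a party sees the status only with its own password."""
        ticket = self.tickets.get(ticket_id)
        if ticket is None:
            return None
        if secrets.compare_digest(password, ticket.complainant_password) or (
            ticket.registrant_password is not None
            and secrets.compare_digest(password, ticket.registrant_password)
        ):
            return ticket.status
        return None
```

`run_timeouts` is the piece a production system would schedule daily; keeping the timed rules in one table alongside the handler-driven table makes it easy to audit that every status the text names is reachable and that no ticket can sit in a waiting status forever.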
RESOURCING PLANS
There will be at least three persons assigned to man the abuse desk ticketing system.
ORPHAN GLUE RECORDS
The registry does not allow orphan glue records.
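An orphan glue record is an A/AAAA record kept in the zone for a nameserver host whose parent delegation has been deleted; left behind, it can keep resolving for a name nobody controls any more. The following added example (not the registry’s tooling) checks a zone snapshot for such records and reports which remaining delegations still point at each orphan host, which is the information an operator needs before removing it. The zone data, the `smart` apex label and the tuple record format are constructed for the example.

```python
from typing import Dict, List, Set, Tuple

ZONE = "smart"  # assumed apex label of the gTLD zone


def registered_domain(name: str, zone: str = ZONE) -> str:
    """Return the second-level delegation a host name falls under.

    'ns1.shop.smart' -> 'shop.smart'; names outside the zone raise ValueError.
    """
    if not name.endswith("." + zone):
        raise ValueError(f"{name} is not under .{zone}")
    labels = name[: -len(zone) - 1].split(".")
    return f"{labels[-1]}.{zone}"


def find_orphan_glue(records: List[Tuple[str, str, str]], zone: str = ZONE):
    """Find A/AAAA records kept for host names whose parent delegation is gone.

    Returns a list of (host, address, referencing_domains). The last element
    lists delegations whose NS records still name the orphan host, so that
    removing the glue is done knowingly rather than silently breaking them.
    """
    delegated: Set[str] = set()
    apex_ns: Set[str] = set()
    referenced: Dict[str, Set[str]] = {}
    for owner, rtype, rdata in records:
        if rtype != "NS":
            continue
        if owner == zone:
            apex_ns.add(rdata)      # the registry's own nameservers
        else:
            delegated.add(owner)    # a live second-level delegation
        referenced.setdefault(rdata, set()).add(owner)

    orphans = []
    for owner, rtype, rdata in records:
        if rtype not in ("A", "AAAA") or owner == zone or owner in apex_ns:
            continue
        if registered_domain(owner, zone) not in delegated:
            users = sorted(d for d in referenced.get(owner, set()) if d != zone)
            orphans.append((owner, rdata, users))
    return orphans


# Constructed zone snapshot: shop.smart is a live delegation with in-bailiwick
# glue; old.smart has been deleted, but its glue and a reference to it from
# pay.smart were left behind.
SAMPLE_RECORDS = [
    ("smart", "NS", "a.ns.smart"),
    ("a.ns.smart", "A", "192.0.2.53"),
    ("shop.smart", "NS", "ns1.shop.smart"),
    ("ns1.shop.smart", "A", "192.0.2.10"),
    ("ns1.old.smart", "A", "192.0.2.20"),
    ("pay.smart", "NS", "ns1.old.smart"),
]

if __name__ == "__main__":
    for host, addr, users in find_orphan_glue(SAMPLE_RECORDS):
        print(f"orphan glue {host} {addr}; still referenced by: {users or 'nobody'}")
```

Running the check on every delegation deletion, rather than only on periodic snapshots, is what turns the one-line policy into an enforced one: the glue for a deleted domain is removed in the same transaction, and any delegation still naming that host is flagged for its registrant.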
WHOIS ACCURACY
The accuracy of WHOIS data is guaranteed because the .SMART gTLD is for the exclusive use of the company and its subsidiaries, its authorized partners, and its subscribers. This means that all the registrants are all known to the company. Authentication of the identity of each and every registrant is assured because of each registrant’s relationship with the company.
As stated in the Registry’s Mission and Purpose, the .SMART gTLD will serve the needs of SMART including the provisioning of its cellular, wireless broadband, financial, technology solutions, mobile virtual networks and satellite services for the use of its authorized mobile and Internet subscribers.
The .SMART gTLD is for the exclusive use of the company and its subsidiaries, its authorized partners, and its subscribers. Registration in .SMART is not open to the general public. By controlling every registration in the .SMART gTLD, the company will totally eliminate abusive registrations and other activities that affect the legal rights of others. Through its Policy Board, the company will ensure that each domain name registered in the .SMART has at least one of the following characteristics:
• it corresponds to a bona fide offering of goods or services
• it is not intended to mislead or divert consumers away or tarnish the trademark or service mark of any mark-holders
• it corresponds to the name by which the company’s subsidiary, authorized partner, or product is commonly known
• it is a generic or a descriptive name which the company has fair use of
Furthermore, the company will comply with the Rights Protection Mechanisms (RPMs) that have been established by ICANN to protect trademark holders from abusive registrations. Each mechanism is listed below:
1. Trademark Clearinghouse
2. Uniform Rapid Suspension (URS)
3. Post Delegation Dispute Resolution Procedure (PDDRP)
4. Uniform Domain Name Dispute Resolution Policy (UDRP)
This document describes how the .SMART Registry will comply with policies and practices that minimize abusive registrations and other activities that affect the legal rights of others.
1. Trademark Clearinghouse
As a centralized repository of verified data on registered, court-validated word marks or word marks that are protected by statute or treaty, the Clearinghouse is to be used for the Trademark Claims service and the Sunrise Process.
1.1 Trademark Claims service
As a registry for the exclusive use of the company, the registry will not be open to the general public. Only company-related registrants (as defined in the Mission/Objective part of the Application) may register domain names in the registry. The Trademark Clearinghouse would be used by the company to be informed of any Trademark claims on prospective domain names, as this would impact how the domain names could be used by the company. Should the company decide to continue the registration of a domain name contained in the Clearinghouse Database, the company would promptly notify the mark holder(s) of the registration.
1.2. Sunrise service
The objective of the Sunrise service is to allow mark-holders the opportunity to register domain names for their marks ahead of non-mark-holders. However, the purpose of .SMART is to deliver the company’s goods and services, including the provisioning of its cellular, wireless broadband, financial, technology solutions, mobile virtual networks and satellite services for the use of its authorized mobile and Internet subscribers. The registry will not be open to the general public. It doesn’t make sense for the company to allow non-company related entities to register domains in the registry, even if these entities are mark-holders, because that would violate the purpose of the .SMART Registry.
In fact, allowing these mark-holders to register their marks in the .SMART Registry would create the wrong impression that these mark-holders are part of the company, or have a business relationship with the company, or are vetted by the company.
Worse would be to allow a competitor company, COMPETITOR, the mark-holder of the same company name, to register the domain COMPETITOR.SMART as part of the Sunrise service. This would imply to the general public that the company vets for the service of the competitor company, COMPETITOR.
.SMART is seeking exemption from ICANN from providing this Sunrise service. The company submits that the rights of the mark-holders are amply protected by the Trademark Claims Service.
2. Uniform Rapid Suspension (URS)
Designed as a lighter and quicker relief for trademark holders than the existing UDRP, the remedy that a panel may grant to a complainant is the suspension of a domain name. Within twenty-four (24) hours of receipt of a Notice of Complaint from a URS Provider, the company shall restrict all changes to the registration data. The company shall notify the URS Provider immediately upon locking the domain with a “Notice of Lock.” When a URS panel finds a clear-cut case of trademark abuse in a registered domain name, the Registry will comply with a suspension order immediately upon receipt of the Determination. The nameservers for the domain shall be redirected to the informational web page provided by URS Provider.
3. Post Delegation Dispute Resolution Procedure (PDDRP)
The PDDRP is an administrative option for trademark holders to file an objection against a registry whose affirmative conduct in its operation or use of its gTLD is alleged to cause or materially contribute to the infringement of its trademark and thereby harm the trademark holder.
The Registry understands that because it operates a closed company-only registry, the registration of second-level domains may only be done under the control of the company. Thus it has a great responsibility to ensure that the rights of trademark holders are protected. We believe that by ensuring that the company only registers domain names which meet the characteristics itemized in the Introduction, trademarks will never be infringed and the respective trademark holders will never be harmed.
Nevertheless, it is possible for the company or its employees to commit mistakes. These unwitting mistakes will be flagged when a complainant notifies the company of its specific concerns and details the specific conduct the complainant believes infringes on the complainant’s trademarks. The company will attempt to resolve these issues by meeting and conferring with the complainant.
4. Uniform Domain Name Dispute Resolution Policy (UDRP)
The UDRP is an administrative remedy for a rights-holding complainant to resolve cases of bad-faith, abusive registration of domain names. Should a UDRP panel favor a complainant, the UDRP panel may order the transfer or the cancellation of a domain name. The registrar is obliged to implement this decision.
As a closed registry, only company-affiliated registrants are allowed to register .SMART domain names and only the company-affiliated registrar may register on their behalf. Should a UDRP decision to cancel or transfer a domain name be received, the company registrar must comply with the order except when restrained by a competent court.
We believe that by ensuring that the company only registers domain names which meet the characteristics itemized in the Introduction, rights will never be infringed and the respective trademark holders will never be harmed.
5. Additional Protection Mechanism
The company is committed to protecting the rights of trademark holders in the .SMART gTLD. This is ensured by following the guideline that a domain name may be registered only if it meets at least one of the following criteria:
• it corresponds to a bona fide offering of goods or services
• it is not intended to mislead or divert consumers away or tarnish the trademark or service mark of any mark-holders
• it corresponds to the name by which the company’s subsidiary, authorized partner, or product is commonly known
• it is a generic or a descriptive name which the company has fair use of
These, in addition to the use of the Trademark Clearinghouse, will ensure that the rights of trademark-holders are amply protected pro-actively. In addition to the above RPMs, the company will make available a specific e-mail address, trademarks@smart, to which rights-holder complaints may be addressed. This will be routed to the members of the .SMART Policy Board. The Legal Staff of the Board is specifically tasked to investigate and answer complaints coursed through the e-mail address. This will ensure that mistakes by the Registry are promptly corrected, even without going through the ICANN-mandated RPMs.
SMART has a dedicated Information Asset Protection and Assurance (IAPA) Department that identifies and minimizes risks in order to maximize the success of the company by ensuring confidentiality, integrity and availability of information assets within the company, which will include the operations of .SMART registry.
INDEPENDENT ASSESSMENT BY AN EXTERNAL PARTY
SMART, as a wholly owned mobile phone and Internet service subsidiary of the Philippine Long Distance Telephone Company (PLDT), is required to comply with the Sarbanes-Oxley Act. An annual assessment is conducted by an external party, Ernst & Young (E&Y), to accredit SMART as compliant with the said U.S. Federal Law.
As part of the Sarbanes-Oxley Act assessment, the external party ensures that User Access Management (UAM) is strictly followed by the company. UAM in SMART is reviewed based on the following:
· Type of access (i.e. physical and logical access)
· Type of account (e.g. administrator, regular user, system account)
· Access privilege to ensure practice of least privilege and segregation of duties
· Frequency of review (e.g. monthly, quarterly)
· Employee movement (e.g. transfer, resignation)
Also, SMART Money, a service of SMART, is a Payment Card Industry Data Security Standard (PCI-DSS) compliant service accredited by the PCI Council, whose members include MasterCard. To remain compliant, a PCI Council-accredited Qualified Security Assessor (QSA) must annually assess all processes and systems involved in the said service.
CORPORATE INFORMATION SECURITY POLICY
The Corporate Information Security Policy of SMART is annually reviewed, updated as necessary, and approved by the top level management before being cascaded to different groups or departments. Current security policy is based on the eleven (11) domains and controls of the ISO 27001:
· Security Policy – the creation, suitability, adequacy and effectiveness of the information security policy shall be ensured by reviewing the policy at planned intervals or after changes which affect the organization’s security requirements are approved and implemented.
· Organization of Information Security Policy – this policy pertains to the establishment of applicable processes and controls for both internal and external parties of SMART.
· Internal – includes the management commitment to Information Security, the establishment of an Information Security Steering Committee (ISSC) responsible for developing the management framework for information security, and accountability.
· External – addressing security when outsourcing or dealing with clients or contractors.
· Asset Management Policy – this includes the responsibility for assets and classification of assets
· Human Resource Policy – the policy addresses the security concerning employment lifecycle from prior to employment, during employment, termination or change of employment of an employee, contractor, or third party. The security being addressed includes employee terms and conditions, non-disclosure agreement (NDA), declaration of compliance, inclusion of security responsibilities in the performance evaluation, security awareness and training.
· Physical and Environmental Security Policy – this policy addresses security that includes establishment of physical security perimeter, segregation of areas, access restriction and access authorization requirements, logging of physical entry access, monitoring and audit of the logs, establishment of controls against external and environmental threats, protection of equipment.
· Communications and Operations Management Policy – this policy includes the need for documentation of operation procedures, change management, segregation of duties, separation of facilities (i.e. development, testing, operational), third party service delivery management, system planning and acceptance, protection against malicious and mobile code, back-up, different media handling, exchange of information.
· Access Control Policy – this policy includes the need for endorsement and approval of access request, legal contract or agreement by an authorized SMART office with contractor, business partners, or third party. It also requires following user access management, which refers to user registration, privilege management, password management, and review of user access rights. The policy also includes the need for applicable controls on network, server, application, mobile computing and teleworking.
· Information Systems Acquisition, Development and Maintenance Policy – this policy includes the need for security requirements specifications on all business requirements for new or existing information systems, control of internal processing, data validation, use of cryptographic controls, key management, access control to program source code, security in development and support processes, technical vulnerability management.
· Incident Management Policy – this policy includes reporting information security events and weaknesses, management of information security incidents and improvements that refers to development of Security Response Team, collection and handling of evidence.
· Business Continuity Management Policy – this policy includes the need to adopt a program for developing, testing, maintaining, and updating as necessary the business continuity plan throughout SMART in case of a disaster.
· Compliance Policy – this policy includes the need for compliance with legal requirements which refers to identification of applicable legislation, intellectual property rights (IPR), regulation of cryptographic controls, data protection and privacy of personal information. It also includes compliance with SMART’s security policies and standards, and audit considerations.
Complementing the 11 policies are sub-policies that touch on detailed security controls covering the following areas:
· Password and Login Control – covers the security of login and passwords that include, but are not limited to, password complexity, password length, password expiration and account locking.
· Network Security – covers network controls that include, but are not limited to, securing internal networks, externally accessible networks or DMZs, implementation of firewalls, other network protection systems (i.e. intrusion detection, web filtering, SPAM control, etc.) and network management. It also covers security of Internet access provided to employees that includes, but is not limited to, acceptable use, web filtering, provision of access and compliance with Intellectual Property Rights.
· Information Processing Facilities – covers security for Company facilities used to process Company information that include, but are not limited to, facility classification & corresponding security controls, physical access controls, security of physical equipment and environmental security
· Information Asset Classification – covers security of Company information which includes, but is not limited to, classification of information, handling of information based on classification, classification labeling, information ownership and roles & responsibilities.
· Security Monitoring & Incident Management – covers monitoring for security events and managing security incidents that include, but are not limited to, management of system logs (i.e. collection, review, protection, etc.), incident reporting, investigation, response & handling and disciplinary process. This also includes the security of email, desktop, and application systems.
· User Access Management – covers security implemented on all systems that manage all levels of accesses (both from users and from systems) to ensure that systems are accessed only by authorized users or systems at any point in time.
· Outsourcing and Third Party – covers security for working with Third Party entities for various engagements and for Outsourcing engagements that include, but are not limited to, service level agreements (SLAs), maintenance services, escalation, contract management, acceptance and data confidentiality.
IAPA RESPONSIBILITIES
Technical Standards – IAPA has a list of different technical standards internally available to SMART technical teams to ensure that systems being deployed follow internationally accepted settings or configurations. These technical standards are derived from the documents publicly available on:
· Center for Internet Security or CIS (http://www.cisecurity.org)
· National Institute of Standards and Technology or NIST (http://www.nist.gov/index.html)
· Other sites that provide security best practices, such as (but not limited to):
· SANS Institute (http://www.sans.org/security-resources)
· Information Systems Audit and Control Association or ISACA (http://www.isaca.org)
Enrollment to Control Compliance Tool – this is an activity to ensure that systems are checked as compliant with the existing technical standards. This activity is done before deployment of systems to production, and regularly observed while the systems are in production.
Vulnerability Management – an activity ensuring that a regular vulnerability assessment of systems is performed before and after they are deployed. As publicly known, it is a cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. IAPA has a commercially-developed tool to conduct the scan in order to identify the vulnerabilities present on a system. After this, a report is generated and IAPA classifies or assesses which vulnerabilities need to be remediated based on their severity. The assessment is then forwarded to the custodian of the systems for remediation and mitigation. Once all vulnerabilities subject to remediation have been addressed, another round of vulnerability scanning is conducted for validation.
Installation of Intrusion Detection System (IDS) – an activity currently performed on the perimeter of SMART’s network. IAPA uses an open-source IDS tool to detect intrusions with anomaly-based detection; detections are logged to the centralized log tool in real time. The incident management process follows if an intrusion is detected.
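The scan, classify, assign, remediate, rescan cycle described above is easy to get wrong in one place: validation has to compare the rescan against what was actually assigned, not against the whole first report, or accepted low-severity findings show up as failures. The following is an added example, not IAPA’s commercial tool, of that triage and validation step. The findings, hosts, check identifiers and custodian mapping are constructed for the example, and the scanner-neutral `host`/`check`/`severity` record shape is an assumption.

```python
from typing import Dict, List

SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

Finding = Dict[str, str]


def triage(findings: List[Finding], custodians: Dict[str, str],
           min_severity: str = "high") -> Dict[str, List[Finding]]:
    """Select findings at or above the remediation threshold and group them
    by the custodian responsible for the host, highest severity first."""
    threshold = SEVERITY_ORDER[min_severity]
    work: Dict[str, List[Finding]] = {}
    for f in findings:
        if SEVERITY_ORDER[f["severity"]] < threshold:
            continue  # below threshold: tracked, not assigned for remediation
        owner = custodians.get(f["host"], "unassigned")
        work.setdefault(owner, []).append(f)
    for items in work.values():
        items.sort(key=lambda f: -SEVERITY_ORDER[f["severity"]])
    return work


def validate_rescan(assigned: Dict[str, List[Finding]],
                    rescan: List[Finding]) -> List[Finding]:
    """Return the assigned findings that the validation scan still reports.

    A finding is matched on (host, check) only, so a changed severity rating
    between scans does not hide an unremediated item."""
    still_open = {(f["host"], f["check"]) for f in rescan}
    return [f for items in assigned.values() for f in items
            if (f["host"], f["check"]) in still_open]


def needs_another_round(assigned: Dict[str, List[Finding]], rescan: List[Finding]) -> bool:
    """The cycle repeats until validation reports nothing assigned as open."""
    return bool(validate_rescan(assigned, rescan))


# Constructed scan results; host names and check ids are made up.
CUSTODIANS = {"reg-web02": "web-ops", "reg-db01": "dba-team"}
FIRST_SCAN = [
    {"host": "reg-web02", "check": "TLS-1.0-enabled", "severity": "medium"},
    {"host": "reg-web02", "check": "outdated-openssl", "severity": "high"},
    {"host": "reg-db01", "check": "banner-disclosure", "severity": "low"},
    {"host": "reg-db01", "check": "default-admin-password", "severity": "critical"},
]
# Validation scan: openssl was updated, the default password was not.
RESCAN = [
    {"host": "reg-web02", "check": "TLS-1.0-enabled", "severity": "medium"},
    {"host": "reg-db01", "check": "default-admin-password", "severity": "critical"},
]

if __name__ == "__main__":
    assigned = triage(FIRST_SCAN, CUSTODIANS)
    for owner, items in assigned.items():
        print(owner, [f["check"] for f in items])
    print("still open:", [f["check"] for f in validate_rescan(assigned, RESCAN)])
```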
Incident Management - handled by the Computer Security Incident Response Team (CSIRT) in IAPA with the following roles and responsibilities:
· Available 24/7 to respond to alerts corresponding to intrusion detection, intrusion prevention, and file integrity monitoring systems
· Performs initial investigation of the cause of problems encountered
· Ensures immediate system availability
· Tests the incident management plan (annually) in coordination with the other teams
· Performs Security Monitoring activities scanning our environment for vulnerabilities, threats, and abnormal activities from our systems
· Monitors for the presence of rogue wireless access devices
Sample of Incident Management:
· Operating System Event – Switch user to root
· Any attempts seen will notify CSIRT via e-mail.
· CSIRT will file immediately an incident ticket and directly assign it to the respective custodians of the system involved
· Custodians will then investigate why the user switched to root
· Comment in the incident ticket coming from the user who triggered the event will be required, explaining the event.
· Assessment, including mitigation and sanctions, will be provided as applicable
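The “switch user to root” sample above amounts to a detection rule plus a ticket routing rule. The following added example, which is not IAPA’s CSIRT tooling, shows both run over a few constructed syslog lines in the `su`/`pam_unix` format that common Linux distributions write: it extracts every `su` attempt, keeps only those targeting root (successful or failed), and opens a ticket assigned to the host’s custodian that records who must explain the event. Hostnames, user names, PIDs, the custodian mapping and the ticket fields are all assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed sample log lines; formats follow pam_unix session messages and
# the "FAILED SU" message of util-linux su, but the events are invented.
SAMPLE_AUTH_LOG = """\
Jan 12 10:15:01 reg-db01 su[4121]: pam_unix(su:session): session opened for user root by alice(uid=1000)
Jan 12 10:16:44 reg-web02 su[5232]: FAILED SU (to root) bob on pts/1
Jan 12 10:17:02 reg-web02 su[5240]: pam_unix(su:session): session opened for user postgres by bob(uid=1001)
Jan 12 10:18:30 reg-web02 sshd[5301]: Accepted publickey for bob from 192.0.2.7 port 51234 ssh2
Jan 12 10:20:11 reg-web02 su[5310]: pam_unix(su-l:session): session opened for user root(uid=0) by bob(uid=1001)
"""

# Assumed mapping of systems to their custodians.
CUSTODIANS = {"reg-db01": "dba-team", "reg-web02": "web-ops"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Both "for user root by alice(uid=1000)" and "for user root(uid=0) by bob(uid=1001)".
SU_OPENED_RE = re.compile(
    r"session opened for user (?P<target>[\w-]+)(?:\(uid=\d+\))? by (?P<user>[\w-]+)"
)
SU_FAILED_RE = re.compile(r"FAILED SU \(to (?P<target>[\w-]+)\) (?P<user>[\w-]+)")


def parse_su_events(lines: List[str]) -> List[Dict[str, str]]:
    """Extract every su attempt (successful or failed) from syslog lines."""
    events = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m or m["prog"] != "su":
            continue
        opened = SU_OPENED_RE.search(m["msg"])
        failed = SU_FAILED_RE.search(m["msg"])
        if opened:
            target, user, outcome = opened["target"], opened["user"], "success"
        elif failed:
            target, user, outcome = failed["target"], failed["user"], "failed"
        else:
            continue
        events.append({"time": m["ts"], "host": m["host"], "user": user,
                       "target": target, "outcome": outcome})
    return events


def open_csirt_tickets(log_text: str, custodians: Dict[str, str]) -> List[Dict[str, str]]:
    """Turn each su-to-root event into an incident ticket for the host's custodian.

    Failed attempts are ticketed too: a failed switch to root is at least as
    interesting to the custodian as a successful one."""
    tickets = []
    for ev in parse_su_events(log_text.splitlines()):
        if ev["target"] != "root":
            continue  # the rule in the text is specifically about root
        tickets.append({
            "ticket": f"CSIRT-{len(tickets) + 1:04d}",  # assumed id format
            "time": ev["time"],
            "host": ev["host"],
            "assigned_to": custodians.get(ev["host"], "csirt-triage"),
            "user": ev["user"],
            "outcome": ev["outcome"],
            "explanation_required_from": ev["user"],
        })
    return tickets


if __name__ == "__main__":
    for t in open_csirt_tickets(SAMPLE_AUTH_LOG, CUSTODIANS):
        print(t["ticket"], t["host"], t["user"], t["outcome"], "->", t["assigned_to"])
```

Note that the `sshd` line and the switch to `postgres` are parsed or skipped without producing tickets; a rule that only looks for the string `root` in the whole line would have matched neither correctly on a busier log. The `explanation_required_from` field is what makes the later step in the text (a comment from the triggering user in the ticket) enforceable by the ticket system rather than by memory.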
(2) Security capabilities are consistent with the overall business approach and planned size of the registry.
IAPA has sufficient manpower and funding to ensure security of gTLD systems and processes.
(3) A technical plan adequately resourced in the planned costs detailed in the financial section.
IAPA has the process, technical plan, and roadmap to implement processes and solutions across Smart Communications. IAPA also has ongoing discussions with, and implementations of security solutions from, vendors including, but not limited to:
· IBM
· HP
· ArcSight
· Tripwire
· Cyber-Ark
IAPA has an annual CAPEX budget to cover new technology tools that would increase the protection of information and USD1.0M for OPEX to continue operations of existing tools and implement Service-type (e.g. Consultations, Outsourced services, etc) security controls.
(4) Security measures are consistent with any commitments made to registrants regarding security levels. Registrant information is protected in that .SMART does not rent, sell, or share personal information about the registrant with other people or non-affiliated companies except to provide products or services that the registrant has requested and has given permission (to be shared).
(5) Security measures are appropriate for the applied for gTLD string (For example, applications for strings with unique trust implications, such as financial services-oriented strings, would be expected to provide a commensurate level of security).
Please refer to section 30(a)(2) above.