ICANN Email List Archives

[comments-dns-rmf-final-23aug13]



Forwarding comment from Anne-Marie Eklund-Löwinder

  • To: "comments-dns-rmf-final-23aug13@xxxxxxxxx" <comments-dns-rmf-final-23aug13@xxxxxxxxx>
  • Subject: Forwarding comment from Anne-Marie Eklund-Löwinder
  • From: Patrick Jones <patrick.jones@xxxxxxxxx>
  • Date: Sun, 6 Oct 2013 13:17:36 -0700

-----Original Message-----
From: Anne-Marie Eklund-Löwinder
Sent: 13 September 2013 23:14
To: comments-dns-rmf-final-23aug13@xxxxxxxxx
Subject: ICANN DNS Risk Management Framework DRAFT - 19 August 2013 version

* PGP Signed: 2013-09-13 at 23:13:38

These are my comments regarding the ICANN DNS Risk Management Framework DRAFT - 
19 August 2013 version.

The first 40 or so pages of the report are a lot of words that don't really 
add anything substantial. To be honest, I would have expected more.

Starting on page 42 with the summary, I am of the opinion that while it is 
preferable to refer to common standards, it is important to consider that ISO 
31000 is a quite recent standard (2009) that hasn't been widely adopted yet. 
That would be a good reason to use Risk Management systems that are more widely 
spread and used already, at least as a comparison in the suggested management 
system, like for instance ISO 27005 and NIST 800 Series of Risk Management 
standards for Computer Security.

Nevertheless, I am convinced that ISO 31000:2009 provides generic guidelines 
for the design, implementation and maintenance of risk management processes 
throughout an organization. This approach to formalizing risk management 
practices will facilitate broader adoption by companies who require an 
enterprise risk management standard to harmonize and get the work coordinated.

The report is held on a theoretical level, and moreover, it doesn't make 
perfectly clear if the suggested framework is for the ICANN organization as 
such, or if it is for DNS Risk Management in specific. It might be a good start 
to begin with the organizational level before one focuses on specific functions 
like DNS.

The report lacks references to what has been done so far and how risk management 
is taken care of within ICANN already.

The framework doesn't seem to be addressing DNS-related risks at all, and I 
regret to say that I find it hard to believe that it will be of any guidance to 
ICANN on how to proceed.


With all due respect,


Anne-Marie Eklund Löwinder
Chief Information Security Officer

.SE (The Internet Infrastructure Foundation)
Direct: +46(8)-452 35 17 | Mobile: +46(73)-43 15 310
Twitter: @amelsec
Mail: PO Box 7399, SE-103 91 Stockholm, Sweden
Visitors: Ringvägen 100
https://www.iis.se/en/


* Anne-Marie Eklund-Lowinder <anne-marie.eklund-lowinder@xxxxxx>
* 0x42B1CF94


