[dssa] first-draft report outline
hi all,

the Ops group has given this 1st-draft version of the report outline the following endorsement -- "Mikey, there's nothing in here that drives us absolutely crazy." :-)

so here it is for you to review, in two formats…

-- the native mind-map file (the one that ends in ".mm") can be read by Freemind or Mindjet's Mindmanager software. you can download the open-source Freemind software from SourceForge. here's the link to that resource.

http://freemind.sourceforge.net/wiki/index.php/Main_Page

-- i've also exported the outline to HTML -- that file should open in any browser. there are two little buttons at the very top of the file that are very handy but confusing. the "All +" button CLOSES the mind-map, the "All -" button OPENS it. me, i'd have reversed those, but hey… anyway you can either open/close each leg of the map, or use those buttons to open/close them all.

please review this with several questions in mind;

1) is there anything in here that drives you crazy?
2) is there something major that you were expecting to see that you don't?
3) are there some topics that you are especially interested in writing about?

that last one leads me to the final point in this note -- we're thinking that we will ask all of us to write a few paragraphs each that we can use to fill out this outline and very quickly get to a 1st-draft narrative. so it would be helpful if you would take a few minutes to see if there's some part of the outline that you're especially interested in so that we can start putting some names in here next to topics.

thanks,

mikey

Attachment:
DSSA Report v2.mm
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>DSSA Report</title>
<style type="text/css">
    li { list-style: none; margin: 0; }
    p { margin: 0; }
    span.foldopened { color: white; font-size: xx-small; border-width: 1; font-family: monospace; padding: 0em 0.25em 0em 0.25em; background: #e0e0e0; VISIBILITY: visible; cursor:pointer; }
    span.foldclosed { color: #666666; font-size: xx-small; border-width: 1; font-family: monospace; padding: 0em 0.25em 0em 0.25em; background: #e0e0e0; VISIBILITY: hidden; cursor:pointer; }
    span.foldspecial { color: #666666; font-size: xx-small; border-style: none solid solid none; border-color: #CCCCCC; border-width: 1; font-family: sans-serif; padding: 0em 0.1em 0em 0.1em; background: #e0e0e0; cursor:pointer; }
    span.l { color: red; font-weight: bold; }
    a.mapnode:link {text-decoration: none; color: black; }
    a.mapnode:visited {text-decoration: none; color: black; }
    a.mapnode:active {text-decoration: none; color: black; }
    a.mapnode:hover {text-decoration: none; color: black; background: #eeeee0; }
</style>
<!-- ^ Position is not set to relative / absolute here because of Mozilla -->
</head>
<body>
<script type="text/javascript">
   // Here we implement folding. It works fine with MSIE5.5, MSIE6.0 and
   // Mozilla 0.9.6.

   if (document.layers) {
      //Netscape 4 specific code
      pre = 'document.';
      post = '';
   }
   if (document.getElementById) {
      //Netscape 6 specific code
      pre = 'document.getElementById("';
      post = '").style';
   }
   if (document.all) {
      //IE4+ specific code
      pre = 'document.all.';
      post = '.style';
   }

   function layer_exists(layer) {
      try {
         eval(pre + layer + post);
         return true;
      } catch (error) {
         return false;
      }
   }

   function show_layer(layer) {
      eval(pre + layer + post).position = 'relative';
      eval(pre + layer + post).visibility = 'visible';
   }

   function hide_layer(layer) {
      eval(pre + layer + post).visibility = 'hidden';
      eval(pre + layer + post).position = 'absolute';
   }

   function hide_folder(folder) {
      hide_folding_layer(folder);
      show_layer('show'+folder);

      scrollBy(0,0); // This is a work around to make it work in Browsers (Explorer, Mozilla)
   }

   function show_folder(folder) {
      // Precondition: all subfolders are folded

      show_layer('hide'+folder);
      hide_layer('show'+folder);
      show_layer('fold'+folder);

      scrollBy(0,0); // This is a work around to make it work in Browsers (Explorer, Mozilla)

      var i;
      for (i=1; layer_exists('fold'+folder+'_'+i); ++i) {
         show_layer('show'+folder+'_'+i);
      }
   }

   function show_folder_completely(folder) {
      // Precondition: all subfolders are folded

      show_layer('hide'+folder);
      hide_layer('show'+folder);
      show_layer('fold'+folder);

      scrollBy(0,0); // This is a work around to make it work in Browsers (Explorer, Mozilla)

      var i;
      for (i=1; layer_exists('fold'+folder+'_'+i); ++i) {
         show_folder_completely(folder+'_'+i);
      }
   }

   function hide_folding_layer(folder) {
      var i;
      for (i=1; layer_exists('fold'+folder+'_'+i); ++i) {
         hide_folding_layer(folder+'_'+i);
      }

      hide_layer('hide'+folder);
      hide_layer('show'+folder);
      hide_layer('fold'+folder);

      scrollBy(0,0); // This is a work around to make it work in Browsers (Explorer, Mozilla)
   }

   function fold_document() {
      var i;
      var folder = '1';
      for (i=1; layer_exists('fold'+folder+'_'+i); ++i) {
         hide_folder(folder+'_'+i);
      }
   }

   function unfold_document() {
      var i;
      var folder = '1';
      for (i=1; layer_exists('fold'+folder+'_'+i); ++i) {
         show_folder_completely(folder+'_'+i);
      }
   }
</script>
<SPAN class="foldspecial" onclick="fold_document()">All +</SPAN> <SPAN class="foldspecial" onclick="unfold_document()">All -</SPAN>
<p><span style="color: #000000;">DSSA Report</span>
<ul><li><span style="color: #000000;">Executive Summary</span> </li>
<li><span style="color: #000000;">Background</span> </li>
<li><span id="show1_1" class="foldclosed" onClick="show_folder('1_1')" style="POSITION: absolute">+</span> <span id="hide1_1" class="foldopened" onClick="hide_folder('1_1')">-</span> <span style="color: #000000;">Findings</span>
<ul id="fold1_1" style="POSITION: relative; VISIBILITY: visible;"><li><p><span id="show1_1_1" class="foldclosed" onClick="show_folder('1_1_1')" style="POSITION: absolute">+</span> <span id="hide1_1_1" class="foldopened" onClick="hide_folder('1_1_1')">-</span> <span style="color: #000000;">Definition of "the DNS" used by the DSSA working group</span>
<ul id="fold1_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;font-family: Arial, sans-serif; ">
 <pre>Charter says the WG is to work on: "The actual level, frequency and
severity of threats to the DNS.... The DSSA‐WG should limit its activities
to considering issues at the root and top level domains within the framework
of ICANN’s coordinating role in managing Internet naming and numbering
resources as stated in its Mission and in its Bylaws."</pre>
 </span> <p><span id="show1_1_1_1" class="foldclosed" onClick="show_folder('1_1_1_1')" style="POSITION: absolute">+</span> <span id="hide1_1_1_1" class="foldopened" onClick="hide_folder('1_1_1_1')">-</span> <span style="color: #000000;font-family: SansSerif, sans-serif; ">"The DNS" for the purposes of this analysis</span> <ul id="fold1_1_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_1_1_1_1" class="foldclosed" onClick="show_folder('1_1_1_1_1')" style="POSITION: absolute">+</span> <span id="hide1_1_1_1_1" class="foldopened" onClick="hide_folder('1_1_1_1_1')">-</span> <span style="color: #000000;">Root zone</span> <ul id="fold1_1_1_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Zone files</span> </li> <li><span style="color: #000000;">DNSSEC</span> </li> <li><span id="show1_1_1_1_1_1" class="foldclosed" onClick="show_folder('1_1_1_1_1_1')" style="POSITION: absolute">+</span> <span id="hide1_1_1_1_1_1" class="foldopened" onClick="hide_folder('1_1_1_1_1_1')">-</span> <span style="color: #000000;">Provisioning</span> <ul id="fold1_1_1_1_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">there is an automated system that's run by IANA</span> </li> <li><span style="color: #000000;">May differ by operator</span> </li> </ul> </li> <li><span id="show1_1_1_1_1_2" class="foldclosed" onClick="show_folder('1_1_1_1_1_2')" style="POSITION: absolute">+</span> <span id="hide1_1_1_1_1_2" class="foldopened" onClick="hide_folder('1_1_1_1_1_2')">-</span> <span style="color: #000000;">Out of scope of this analysis</span> <ul id="fold1_1_1_1_1_2" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">WHOIS</span> </li> <li><span style="color: #000000;">Zone file access</span> </li> <li><span style="color: #000000;">Data escrow</span> </li> <li><span style="color: #000000;">Bulk data access</span> </li> </ul> </li> </ul> </li> <li><span id="show1_1_1_1_2" 
class="foldclosed" onClick="show_folder('1_1_1_1_2')" style="POSITION: absolute">+</span> <span id="hide1_1_1_1_2" class="foldopened" onClick="hide_folder('1_1_1_1_2')">-</span> <span style="color: #000000;font-family: SansSerif, sans-serif; ">TLD zones</span> <ul id="fold1_1_1_1_2" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Zone files</span> </li> <li><span style="color: #000000;">DNSSEC</span> </li> <li><span id="show1_1_1_1_2_1" class="foldclosed" onClick="show_folder('1_1_1_1_2_1')" style="POSITION: absolute">+</span> <span id="hide1_1_1_1_2_1" class="foldopened" onClick="hide_folder('1_1_1_1_2_1')">-</span> <span style="color: #000000;">Registrar/registrant provisioning</span> <ul id="fold1_1_1_1_2_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">EPP</span> </li> </ul> </li> <li><span id="show1_1_1_1_2_2" class="foldclosed" onClick="show_folder('1_1_1_1_2_2')" style="POSITION: absolute">+</span> <span id="hide1_1_1_1_2_2" class="foldopened" onClick="hide_folder('1_1_1_1_2_2')">-</span> <span style="color: #000000;">Out of scope of this analysis</span> <ul id="fold1_1_1_1_2_2" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">WHOIS</span> </li> <li><span style="color: #000000;">Zone file access</span> </li> <li><span style="color: #000000;">Data escrow</span> </li> <li><span style="color: #000000;">Bulk data access</span> </li> </ul> </li> </ul> </li> <li><span id="show1_1_1_1_3" class="foldclosed" onClick="show_folder('1_1_1_1_3')" style="POSITION: absolute">+</span> <span id="hide1_1_1_1_3" class="foldopened" onClick="hide_folder('1_1_1_1_3')">-</span> <span style="color: #000000;font-family: SansSerif, sans-serif; ">Support files</span> <ul id="fold1_1_1_1_3" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Hints</span> </li> <li><span style="color: #000000;">root-servers.net</span> </li> <li><span style="color: 
#000000;">Root's public key</span> </li> <li><span style="color: #000000;">Resolver config files</span> </li> </ul> </li> </ul></li> </ul><p><span id="show1_1_2" class="foldclosed" onClick="show_folder('1_1_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2" class="foldopened" onClick="hide_folder('1_1_2')">-</span> <span style="color: #000000;">Actual level, frequency and severity of threats to the DNS, plus current efforts and activities to mitigate these.</span> <ul id="fold1_1_2" style="POSITION: relative; VISIBILITY: visible;"><li><p><span id="show1_1_2_1" class="foldclosed" onClick="show_folder('1_1_2_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_1" class="foldopened" onClick="hide_folder('1_1_2_1')">-</span> <span style="color: #000000;">Threat events - what happens?</span> <ul id="fold1_1_2_1" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">Zone does not resolve or is not available</span> <p><span id="show1_1_2_1_1" class="foldclosed" onClick="show_folder('1_1_2_1_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_1_1" class="foldopened" onClick="hide_folder('1_1_2_1_1')">-</span> <span style="color: #000000;">Zone is incorrect or does not have integrity </span> <ul id="fold1_1_2_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_1_2_1_1_1" class="foldclosed" onClick="show_folder('1_1_2_1_1_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_1_1_1" class="foldopened" onClick="hide_folder('1_1_2_1_1_1')">-</span> <span style="color: #000000;">Security is compromised</span> <ul id="fold1_1_2_1_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Define list – Define security</span> </li> </ul> </li> <li><span style="color: #000000;">Information is inaccurate</span> </li> </ul><p><span style="color: #000000;">The third leg of the traditional "availability, integrity, confidentiality" triad may drop out, as the DNS does not 
contain confidential information??</span> </li> </ul><p><span id="show1_1_2_2" class="foldclosed" onClick="show_folder('1_1_2_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2_2" class="foldopened" onClick="hide_folder('1_1_2_2')">-</span> <span style="color: #000000;">Adverse impacts - what is the harm?</span> <ul id="fold1_1_2_2" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_1_2_2_1" class="foldclosed" onClick="show_folder('1_1_2_2_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_2_1" class="foldopened" onClick="hide_folder('1_1_2_2_1')">-</span> <span style="color: #000000;">Level of impact</span> <ul id="fold1_1_2_2_1" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">In the worst case there would be broad harm/consequence/impact to operations, assets, individuals, other organizations and the world if any of these threat-events occur. And in all cases there would be significant problems for registrants and users in the zone.</span> <p><span style="color: #000000;">Since the potential impact values for confidentiality, integrity, and availability may not always be the same in different contexts/circumstances, the "high water" concept is used to determine the impact level. Thus, a low-impact system is defined as an information system in which all three of the security objectives are low. A moderate-impact system is an information system in which at least one of the security objectives is moderate and no security objective is greater than moderate. And finally, a high-impact system is an information system in which at least one security objective is high. 
It is our conclusion that the DNS is a high-impact system because the goals for integrity and availability are high.</span> </li> </ul> </li> <li><span id="show1_1_2_2_2" class="foldclosed" onClick="show_folder('1_1_2_2_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2_2_2" class="foldopened" onClick="hide_folder('1_1_2_2_2')">-</span> <span style="color: #000000;">Nature of impact</span> <ul id="fold1_1_2_2_2" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_1_2_2_2_1" class="foldclosed" onClick="show_folder('1_1_2_2_2_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_2_2_1" class="foldopened" onClick="hide_folder('1_1_2_2_2_1')">-</span> <span style="color: #000000;">Harm to nations and the world; e.g.</span> <ul id="fold1_1_2_2_2_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Damage to a critical infrastructure sector</span> </li> <li><span style="color: #000000;">Loss of government continuity of operations.</span> </li> <li><span id="show1_1_2_2_2_1_1" class="foldclosed" onClick="show_folder('1_1_2_2_2_1_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_2_2_1_1" class="foldopened" onClick="hide_folder('1_1_2_2_2_1_1')">-</span> <span style="color: #000000;">Relational harms.</span> <ul id="fold1_1_2_2_2_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Damage to trust relationships with other governments or with nongovernmental entities.</span> </li> <li><span style="color: #000000;">Damage to national reputation (and hence future or potential trust relationships).</span> </li> </ul> </li> <li><span style="color: #000000;">Damage to current or future ability to achieve national objectives.</span> </li> </ul> </li> <li><span id="show1_1_2_2_2_2" class="foldclosed" onClick="show_folder('1_1_2_2_2_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2_2_2_2" class="foldopened" onClick="hide_folder('1_1_2_2_2_2')">-</span> <span 
style="color: #000000;">Harm to individuals; e.g.</span> <ul id="fold1_1_2_2_2_2" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Identity theft.</span> </li> <li><span style="color: #000000;">Loss of Personally Identifiable Information.</span> </li> <li><span style="color: #000000;">Injury or loss of life.</span> </li> <li><span style="color: #000000;">Damage to image or reputation.</span> </li> </ul> </li> <li><span id="show1_1_2_2_2_3" class="foldclosed" onClick="show_folder('1_1_2_2_2_3')" style="POSITION: absolute">+</span> <span id="hide1_1_2_2_2_3" class="foldopened" onClick="hide_folder('1_1_2_2_2_3')">-</span> <span style="color: #000000;">Harm to operations/organizations; e.g.</span> <ul id="fold1_1_2_2_2_3" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_1_2_2_2_3_1" class="foldclosed" onClick="show_folder('1_1_2_2_2_3_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_2_2_3_1" class="foldopened" onClick="hide_folder('1_1_2_2_2_3_1')">-</span> <span style="color: #000000;">Inability to perform current missions/business functions.</span> <ul id="fold1_1_2_2_2_3_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">In a sufficiently timely manner.</span> </li> <li><span style="color: #000000;">With sufficient confidence and/or correctness.</span> </li> <li><span style="color: #000000;">Within planned resource constraints.</span> </li> </ul> </li> <li><span id="show1_1_2_2_2_3_2" class="foldclosed" onClick="show_folder('1_1_2_2_2_3_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2_2_2_3_2" class="foldopened" onClick="hide_folder('1_1_2_2_2_3_2')">-</span> <span style="color: #000000;">Inability, or limited ability, to perform missions/business functions in the future.</span> <ul id="fold1_1_2_2_2_3_2" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Inability to restore missions/business functions.</span> </li> 
<li><span style="color: #000000;">In a sufficiently timely manner.</span> </li> <li><span style="color: #000000;">With sufficient confidence and/or correctness.</span> </li> <li><span style="color: #000000;">Within planned resource constraints.</span> </li> </ul> </li> <li><span id="show1_1_2_2_2_3_3" class="foldclosed" onClick="show_folder('1_1_2_2_2_3_3')" style="POSITION: absolute">+</span> <span id="hide1_1_2_2_2_3_3" class="foldopened" onClick="hide_folder('1_1_2_2_2_3_3')">-</span> <span style="color: #000000;">Harms (e.g., financial costs, sanctions) due to noncompliance.</span> <ul id="fold1_1_2_2_2_3_3" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">With applicable laws or regulations.</span> </li> <li><span style="color: #000000;">With contractual requirements or other requirements in other binding agreements.</span> </li> </ul> </li> <li><span style="color: #000000;">Direct financial costs.</span> </li> <li><span id="show1_1_2_2_2_3_4" class="foldclosed" onClick="show_folder('1_1_2_2_2_3_4')" style="POSITION: absolute">+</span> <span id="hide1_1_2_2_2_3_4" class="foldopened" onClick="hide_folder('1_1_2_2_2_3_4')">-</span> <span style="color: #000000;">Damage to trust relationships or reputation</span> <ul id="fold1_1_2_2_2_3_4" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Damage to trust relationships.</span> </li> <li><span style="color: #000000;">Damage to image or reputation (and hence future or potential trust relationships).</span> </li> </ul> </li> <li><span style="color: #000000;">Relational harms.</span> </li> <li><span id="show1_1_2_2_2_3_5" class="foldclosed" onClick="show_folder('1_1_2_2_2_3_5')" style="POSITION: absolute">+</span> <span id="hide1_1_2_2_2_3_5" class="foldopened" onClick="hide_folder('1_1_2_2_2_3_5')">-</span> <span style="color: #000000;">Harm to other organizations</span> <ul id="fold1_1_2_2_2_3_5" style="POSITION: relative; VISIBILITY: 
visible;"><li><span id="show1_1_2_2_2_3_5_1" class="foldclosed" onClick="show_folder('1_1_2_2_2_3_5_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_2_2_3_5_1" class="foldopened" onClick="hide_folder('1_1_2_2_2_3_5_1')">-</span> <span style="color: #000000;">Harms (e.g., financial costs, sanctions) due to noncompliance.</span> <ul id="fold1_1_2_2_2_3_5_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">With applicable laws or regulations.</span> </li> <li><span style="color: #000000;">With contractual requirements or other requirements in other binding agreements.</span> </li> </ul> </li> <li><span style="color: #000000;">Direct financial costs.</span> </li> <li><span id="show1_1_2_2_2_3_5_2" class="foldclosed" onClick="show_folder('1_1_2_2_2_3_5_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2_2_2_3_5_2" class="foldopened" onClick="hide_folder('1_1_2_2_2_3_5_2')">-</span> <span style="color: #000000;">Relational harms.</span> <ul id="fold1_1_2_2_2_3_5_2" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Damage to trust relationships.</span> </li> <li><span style="color: #000000;">Damage to reputation (and hence future or potential trust relationships).</span> </li> </ul> </li> </ul> </li> </ul> </li> <li><span id="show1_1_2_2_2_4" class="foldclosed" onClick="show_folder('1_1_2_2_2_4')" style="POSITION: absolute">+</span> <span id="hide1_1_2_2_2_4" class="foldopened" onClick="hide_folder('1_1_2_2_2_4')">-</span> <span style="color: #000000;">Harm to assets; e.g.</span> <ul id="fold1_1_2_2_2_4" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Damage to or loss of information assets.</span> </li> <li><span style="color: #000000;">Loss of intellectual property.</span> </li> <li><span style="color: #000000;">Damage to or loss of physical facilities.</span> </li> <li><span style="color: #000000;">Damage to or loss of information systems or 
networks.</span> </li> <li><span style="color: #000000;">Damage to or loss of information technology or equipment.</span> </li> <li><span style="color: #000000;">Damage to or loss of component parts or supplies.</span> </li> </ul> </li> </ul> </li> </ul><p><span id="show1_1_2_3" class="foldclosed" onClick="show_folder('1_1_2_3')" style="POSITION: absolute">+</span> <span id="hide1_1_2_3" class="foldopened" onClick="hide_folder('1_1_2_3')">-</span> <span style="color: #000000;">Likelihood of impact - will threat events result in adverse impacts if they happen? </span> <ul id="fold1_1_2_3" style="POSITION: relative; VISIBILITY: visible;"><li><p>NOTE: All threat events in this iteration of the analysis will have "Very High" impact on users of the zone and, depending on circumstances, will also have "Very High" impact worldwide. <p><span id="show1_1_2_3_1" class="foldclosed" onClick="show_folder('1_1_2_3_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_3_1" class="foldopened" onClick="hide_folder('1_1_2_3_1')">-</span> Scale <ul id="fold1_1_2_3_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Very High -- if the threat event happens, it is almost certain to have adverse impacts (10)</span> </li> <li><span style="color: #000000;">High -- if the threat event happens, it is highly likely to have adverse impacts</span> </li> <li><span style="color: #000000;">Moderate -- if the threat event happens, it is somewhat likely to have adverse impacts (5)</span> </li> <li><span style="color: #000000;">Low -- if the threat event happens, it is unlikely to have adverse impacts (2)</span> </li> <li><span style="color: #000000;">Very Low -- if the threat event happens, it is highly unlikely to have adverse impacts (0)</span> </li> </ul></li> </ul><p><span id="show1_1_2_4" class="foldclosed" onClick="show_folder('1_1_2_4')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4" class="foldopened" 
onClick="hide_folder('1_1_2_4')">-</span> <span style="color: #000000;">Vulnerabilities – severe and widespread?</span> <ul id="fold1_1_2_4" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_1_2_4_1" class="foldclosed" onClick="show_folder('1_1_2_4_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4_1" class="foldopened" onClick="hide_folder('1_1_2_4_1')">-</span> <span style="color: #000000;">Managerial vulnerabilities</span> <ul id="fold1_1_2_4_1" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">Interventions from outside the process</span> <p><span style="color: #000000;">Poor inter-organizational communications</span> <p><span style="color: #000000;">External relationships/dependencies</span> <p><span style="color: #000000;">Inconsistent or incorrect decisions about relative priorities of core missions and business functions</span> <p><span style="color: #000000;">Lack of effective risk-management activities</span> <p><span style="color: #000000;">Vulnerabilities arising from missing or ineffective security controls </span> <p><span style="color: #000000;">Mission/business processes (e.g., poorly defined processes, or processes that are not risk-aware)</span> <p><span style="color: #000000;">Security architectures (e.g., poor architectural decisions resulting in lack of diversity or resiliency in organizational information systems)</span> </li> </ul> </li> <li><span id="show1_1_2_4_2" class="foldclosed" onClick="show_folder('1_1_2_4_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4_2" class="foldopened" onClick="hide_folder('1_1_2_4_2')">-</span> <span style="color: #000000;">Operational vulnerabilities</span> <ul id="fold1_1_2_4_2" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Infrastructure vulnerabilities</span> </li> <li><span style="color: #000000;">Business continuity vulnerabilities</span> </li> <li><span style="color: #000000;">Malicious 
or unintentional (erroneous) alteration of root or TLD DNS configuration information</span> </li> <li><span style="color: #000000;">Inadequate training/awareness</span> </li> <li><span style="color: #000000;">Inadequate incident-response</span> </li> </ul> </li> <li><span id="show1_1_2_4_3" class="foldclosed" onClick="show_folder('1_1_2_4_3')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4_3" class="foldopened" onClick="hide_folder('1_1_2_4_3')">-</span> <span style="color: #000000;">Technical vulnerabilities</span> <ul id="fold1_1_2_4_3" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_1_2_4_3_1" class="foldclosed" onClick="show_folder('1_1_2_4_3_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4_3_1" class="foldopened" onClick="hide_folder('1_1_2_4_3_1')">-</span> <span style="color: #000000;">Under Discussion</span> <ul id="fold1_1_2_4_3_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">IDN attacks (lookalike characters etc. 
for standard exploitation techniques)</span> </li> </ul> </li> <li><span style="color: #000000;">Business/technical process </span> </li> <li><span id="show1_1_2_4_3_2" class="foldclosed" onClick="show_folder('1_1_2_4_3_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4_3_2" class="foldopened" onClick="hide_folder('1_1_2_4_3_2')">-</span> <span style="color: #000000;">System and network</span> <ul id="fold1_1_2_4_3_2" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_1_2_4_3_2_1" class="foldclosed" onClick="show_folder('1_1_2_4_3_2_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4_3_2_1" class="foldopened" onClick="hide_folder('1_1_2_4_3_2_1')">-</span> <span style="color: #3c1a36;">Recursive vs authoritative nameserver attacks</span> <ul id="fold1_1_2_4_3_2_1" style="POSITION: relative; VISIBILITY: visible;"><li>Using vulnerable recursive DNS servers as reflectors to attack TLD DNS servers </li> </ul> </li> <li><span id="show1_1_2_4_3_2_2" class="foldclosed" onClick="show_folder('1_1_2_4_3_2_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4_3_2_2" class="foldopened" onClick="hide_folder('1_1_2_4_3_2_2')">-</span> <span style="color: #3c1a36;">DDOS</span> <ul id="fold1_1_2_4_3_2_2" style="POSITION: relative; VISIBILITY: visible;"><li>SSAC DDOS Advisory -- SAC 8 </li> <li>Securing the edge -- SAC 4 </li> <li><span id="show1_1_2_4_3_2_2_1" class="foldclosed" onClick="show_folder('1_1_2_4_3_2_2_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4_3_2_2_1" class="foldopened" onClick="hide_folder('1_1_2_4_3_2_2_1')">-</span> <span style="color: #3c1a36;">Denial of service amplifier (RFC 3833)</span> <ul id="fold1_1_2_4_3_2_2_1" style="POSITION: relative; VISIBILITY: visible;"><li>Open recursive servers (SAC 8) </li> <li>Packet fragmentation (SAC 8) </li> <li>Source address validation (SAC 8) </li> <li><span style="color: #3c1a36;">Reflection attacks</span> </li> </ul> </li> </ul> </li> <li><span 
id="show1_1_2_4_3_2_3" class="foldclosed" onClick="show_folder('1_1_2_4_3_2_3')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4_3_2_3" class="foldopened" onClick="hide_folder('1_1_2_4_3_2_3')">-</span> <span style="color: #3c1a36;">Email/spam</span> <ul id="fold1_1_2_4_3_2_3" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #3c1a36;">IPv6 -- Spammers hopping from IP to IP -- causing huge numbers of lookups -- volume related threats (perhaps unintentional) -- also may break normal DNS caching (which assumes repeated requests for the same thing)</span> <p><span style="color: #3c1a36;">Issues around reverse DNS for SMTP servers</span> <p><span style="color: #3c1a36;">Botnets</span> <p><span style="color: #3c1a36;">Collateral damage</span> <p><span style="color: #3c1a36;">Load</span> </li> </ul> </li> </ul> </li> <li><span id="show1_1_2_4_3_3" class="foldclosed" onClick="show_folder('1_1_2_4_3_3')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4_3_3" class="foldopened" onClick="hide_folder('1_1_2_4_3_3')">-</span> <span style="color: #000000;">Identification and authentication</span> <ul id="fold1_1_2_4_3_3" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_1_2_4_3_3_1" class="foldclosed" onClick="show_folder('1_1_2_4_3_3_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4_3_3_1" class="foldopened" onClick="hide_folder('1_1_2_4_3_3_1')">-</span> <span style="color: #3c1a36;">Data poisoning (MITM, Cache)</span> <ul id="fold1_1_2_4_3_3_1" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_1_2_4_3_3_1_1" class="foldclosed" onClick="show_folder('1_1_2_4_3_3_1_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4_3_3_1_1" class="foldopened" onClick="hide_folder('1_1_2_4_3_3_1_1')">-</span> <span style="color: #3c1a36;">Cache poisoning attacks</span> <ul id="fold1_1_2_4_3_3_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: 
#3c1a36;">Kaminsky</span> </li> <li><span style="color: #3c1a36;">Kashpureff</span> </li> </ul> </li> <li><span style="color: #3c1a36;">Name Chaining (RFC 3833)</span> </li> <li><span style="color: #3c1a36;">Betrayal by Trusted Server (RFC 3833)</span> </li> </ul> </li> <li><span id="show1_1_2_4_3_3_2" class="foldclosed" onClick="show_folder('1_1_2_4_3_3_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4_3_3_2" class="foldopened" onClick="hide_folder('1_1_2_4_3_3_2')">-</span> <span style="color: #3c1a36;">Authority or authentication compromise</span> <ul id="fold1_1_2_4_3_3_2" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #3c1a36;">Example: Gain control of account user/password</span> </li> <li>Registrar impersonation phishing attacks -- SAC 28 </li> </ul> </li> <li><span id="show1_1_2_4_3_3_3" class="foldclosed" onClick="show_folder('1_1_2_4_3_3_3')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4_3_3_3" class="foldopened" onClick="hide_folder('1_1_2_4_3_3_3')">-</span> <span style="color: #3c1a36;">Packet Interception</span> <ul id="fold1_1_2_4_3_3_3" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #3c1a36;">Man in the middle</span> </li> <li>Eavesdropping combined with spoofed responses </li> <li><span id="show1_1_2_4_3_3_3_1" class="foldclosed" onClick="show_folder('1_1_2_4_3_3_3_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_4_3_3_3_1" class="foldopened" onClick="hide_folder('1_1_2_4_3_3_3_1')">-</span> <span style="color: #3c1a36;">ID Guessing and Query Prediction</span> <ul id="fold1_1_2_4_3_3_3_1" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #3c1a36;">Generate packets which match the transport protocol parameters, predict ID based on previous traffic, etc.</span> </li> </ul> </li> </ul> </li> </ul> </li> </ul> </li> </ul><p><span id="show1_1_2_5" class="foldclosed" onClick="show_folder('1_1_2_5')" style="POSITION: absolute">+</span> <span 
id="hide1_1_2_5" class="foldopened" onClick="hide_folder('1_1_2_5')">-</span> <span style="color: #000000;">Predisposing conditions – pervasive?</span> <ul id="fold1_1_2_5" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_1_2_5_1" class="foldclosed" onClick="show_folder('1_1_2_5_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_5_1" class="foldopened" onClick="hide_folder('1_1_2_5_1')">-</span> <span style="color: #000000;">Definition</span> <ul id="fold1_1_2_5_1" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">A condition that exists within an organization, a mission/business process, enterprise architecture, or information system including its environment of operation, which contributes to (i.e., increases or decreases) the likelihood that one or more threat events, once initiated, result in undesirable consequences or adverse impact to organizational operations and assets, individuals, other organizations, or the world.</span> </li> </ul> </li> <li><span id="show1_1_2_5_2" class="foldclosed" onClick="show_folder('1_1_2_5_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2_5_2" class="foldopened" onClick="hide_folder('1_1_2_5_2')">-</span> <span style="color: #000000;">Managerial </span> <ul id="fold1_1_2_5_2" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">Legal standing (and relative youth) of ICANN</span> <p><span style="color: #000000;">Multi-stakeholder, consensus-based decision-making model</span> <p><span style="color: #000000;">Managerial vs operational vs technical security skills/focus/resources</span> <p><span style="color: #000000;">Definitions of responsibility, accountibility, authority between DNS providers</span> <p><span style="color: #000000;">Security project and program management skills/capacity</span> <p><span style="color: #000000;">Common ("inheritable") vs hybrid vs organization/system-specific controls</span> <p><span 
style="color: #000000;">Mechanisms for providing (and receiving) risk assurances, and establishing trust-relationships, with external entities</span> <p><span style="color: #000000;">Contractual relationships between entities</span> </li> </ul> </li> <li><span id="show1_1_2_5_3" class="foldclosed" onClick="show_folder('1_1_2_5_3')" style="POSITION: absolute">+</span> <span id="hide1_1_2_5_3" class="foldopened" onClick="hide_folder('1_1_2_5_3')">-</span> <span style="color: #000000;">Operational</span> <ul id="fold1_1_2_5_3" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Diverse, distributed system architecture and deployment</span> </li> <li><span style="color: #000000;">Emphasis on resiliency and redundancy</span> </li> <li><span style="color: #000000;">Culture of collaboration built on personal trust relationships</span> </li> <li><span style="color: #000000;">Diverse operational environments and approaches</span> </li> </ul> </li> <li><span id="show1_1_2_5_4" class="foldclosed" onClick="show_folder('1_1_2_5_4')" style="POSITION: absolute">+</span> <span id="hide1_1_2_5_4" class="foldopened" onClick="hide_folder('1_1_2_5_4')">-</span> <span style="color: #000000;">Technical</span> <ul id="fold1_1_2_5_4" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Requirement for public access to DNS information</span> </li> <li><span style="color: #000000;">Requirements for scaling</span> </li> </ul> </li> </ul><p><span id="show1_1_2_6" class="foldclosed" onClick="show_folder('1_1_2_6')" style="POSITION: absolute">+</span> <span id="hide1_1_2_6" class="foldopened" onClick="hide_folder('1_1_2_6')">-</span> <span style="color: #000000;">Controls and mitigation – effective and deployed?</span> <ul id="fold1_1_2_6" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_1_2_6_1" class="foldclosed" onClick="show_folder('1_1_2_6_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_6_1" 
class="foldopened" onClick="hide_folder('1_1_2_6_1')">-</span> <span style="color: #000000;">Security controls</span> <ul id="fold1_1_2_6_1" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.</span> <p><span id="show1_1_2_6_1_1" class="foldclosed" onClick="show_folder('1_1_2_6_1_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_6_1_1" class="foldopened" onClick="hide_folder('1_1_2_6_1_1')">-</span> <span style="color: #000000;">Sources of specific lists</span> <ul id="fold1_1_2_6_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">4. National Institute of Standards and Technology Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, August 2009.</span> <p><span style="color: #000000;">5. National Institute of Standards and Technology Special Publication 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, June 2010.</span> <p><span style="color: #000000;">Special Publication 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach.</span> <p><span style="color: #000000;">While the risk management approach established by NIST originally focused on managing risk from information systems (as required by FISMA and described in NIST Special Publication 800-39), the approach is being expanded to include risk management at the organizational level. 
A forthcoming version of NIST Special Publication 800-39 will incorporate ISO/IEC 27001 to manage organizational information security risk through the establishment of an ISMS.</span> </li> </ul></li> </ul> </li> <li><span id="show1_1_2_6_2" class="foldclosed" onClick="show_folder('1_1_2_6_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2_6_2" class="foldopened" onClick="hide_folder('1_1_2_6_2')">-</span> <span style="color: #000000;">Management controls</span> <ul id="fold1_1_2_6_2" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">The security controls (i.e., safeguards or countermeasures) for an information system that focus on the management of risk and the management of information system security.</span> <p><span style="color: #000000;">Security Assessment and Authorization </span> <p><span style="color: #000000;">Planning </span> <p><span style="color: #000000;">Risk Assessment </span> <p><span style="color: #000000;">System and Services Acquisition </span> <p><span style="color: #000000;">Program Management </span> </li> </ul> </li> <li><span id="show1_1_2_6_3" class="foldclosed" onClick="show_folder('1_1_2_6_3')" style="POSITION: absolute">+</span> <span id="hide1_1_2_6_3" class="foldopened" onClick="hide_folder('1_1_2_6_3')">-</span> <span style="color: #000000;">Operational controls</span> <ul id="fold1_1_2_6_3" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by people (as opposed to systems).</span> <p><span style="color: #000000;">Awareness and Training </span> <p><span style="color: #000000;">Configuration Management </span> <p><span style="color: #000000;">Contingency Planning</span> <p><span style="color: #000000;">Incident Response</span> <p><span style="color: #000000;">Maintenance</span> <p><span style="color: #000000;">Media 
Protection</span> <p><span style="color: #000000;">Physical and Environmental Protection</span> <p><span style="color: #000000;">Personnel Security</span> <p><span style="color: #000000;">System and Information Integrity</span> </li> </ul> </li> <li><span id="show1_1_2_6_4" class="foldclosed" onClick="show_folder('1_1_2_6_4')" style="POSITION: absolute">+</span> <span id="hide1_1_2_6_4" class="foldopened" onClick="hide_folder('1_1_2_6_4')">-</span> <span style="color: #000000;">Technical controls</span> <ul id="fold1_1_2_6_4" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">Security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software, or firmware components of the system.</span> <p><span style="color: #000000;">Access Control</span> <p><span style="color: #000000;">Audit and Accountability</span> <p><span style="color: #000000;">Identification and Authentication</span> <p><span style="color: #000000;">System and Communications Protection</span> </li> </ul> </li> </ul><p><span id="show1_1_2_7" class="foldclosed" onClick="show_folder('1_1_2_7')" style="POSITION: absolute">+</span> <span id="hide1_1_2_7" class="foldopened" onClick="hide_folder('1_1_2_7')">-</span> <span style="color: #000000;">Threat sources – how broad is range of impact, what are their capabilities, how strong is their intent, are they targeting the DNS?</span> <ul id="fold1_1_2_7" style="POSITION: relative; VISIBILITY: visible;"><li><p><span id="show1_1_2_7_1" class="foldclosed" onClick="show_folder('1_1_2_7_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_7_1" class="foldopened" onClick="hide_folder('1_1_2_7_1')">-</span> <span style="color: #000000;">Non-adversarial (what is their range of effect?)</span> <ul id="fold1_1_2_7_1" style="POSITION: relative; VISIBILITY: visible;"><li><span 
id="show1_1_2_7_1_1" class="foldclosed" onClick="show_folder('1_1_2_7_1_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_7_1_1" class="foldopened" onClick="hide_folder('1_1_2_7_1_1')">-</span> <span style="color: #000000;">Root scaling impacts, e.g.</span> <ul id="fold1_1_2_7_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Alternate DNS roots</span> </li> <li><span style="color: #000000;">Root scaling (SAC 46)</span> </li> <li><span style="color: #000000;">Intentional or accidental results of DNS blocking (SAC 50)</span> </li> </ul> </li> <li><span style="color: #000000;">International governance/regulatory bodies</span> </li> <li><span style="color: #000000;">Key hardware failure</span> </li> <li><span style="color: #000000;">Privileged users</span> </li> <li><span style="color: #000000;">Key providers</span> </li> <li><span style="color: #000000;">Nation states</span> </li> <li><span style="color: #000000;">Widespread infrastructure failure</span> </li> <li><span id="show1_1_2_7_1_2" class="foldclosed" onClick="show_folder('1_1_2_7_1_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2_7_1_2" class="foldopened" onClick="hide_folder('1_1_2_7_1_2')">-</span> <span style="color: #000000;">Natural disaster, e.g.</span> <ul id="fold1_1_2_7_1_2" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Earthquakes</span> </li> <li><span style="color: #000000;">Hurricanes</span> </li> <li><span style="color: #000000;">Tsunami</span> </li> <li><span style="color: #000000;">Blackout/Energy Failure</span> </li> <li><span style="color: #000000;">Snowstorm/blizzard/ice-storm</span> </li> </ul> </li> </ul><p><span id="show1_1_2_7_2" class="foldclosed" onClick="show_folder('1_1_2_7_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2_7_2" class="foldopened" onClick="hide_folder('1_1_2_7_2')">-</span> <span style="color: #000000;">Adversarial threat sources (what are their capabilities, 
how strong is their intent, are they targeting the DNS)?</span> <ul id="fold1_1_2_7_2" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_1_2_7_2_1" class="foldclosed" onClick="show_folder('1_1_2_7_2_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_7_2_1" class="foldopened" onClick="hide_folder('1_1_2_7_2_1')">-</span> <span style="color: #000000;">Bad players</span> <ul id="fold1_1_2_7_2_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">International governance/regulatory bodies</span> </li> <li><span style="color: #000000;">Nation states</span> </li> <li><span style="color: #000000;">Rogue elements</span> </li> <li><span style="color: #000000;">Geo-political groups</span> </li> <li><span style="color: #000000;">External parties and contractors</span> </li> <li><span style="color: #000000;">Insiders</span> </li> <li><span style="color: #000000;">Organized crime</span> </li> </ul> </li> </ul></li> </ul><p><span id="show1_1_2_8" class="foldclosed" onClick="show_folder('1_1_2_8')" style="POSITION: absolute">+</span> <span id="hide1_1_2_8" class="foldopened" onClick="hide_folder('1_1_2_8')">-</span> <span style="color: #000000;">Initiation or occurrence – what is the likelihood that a threat-event will happen?</span> <ul id="fold1_1_2_8" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_1_2_8_1" class="foldclosed" onClick="show_folder('1_1_2_8_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_8_1" class="foldopened" onClick="hide_folder('1_1_2_8_1')">-</span> <span style="color: #000000;">Likelihood that an adversarial threat event will be initiated</span> <ul id="fold1_1_2_8_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Very High -- the adversary is almost certain to initiate the threat event (10)</span> </li> <li><span style="color: #000000;">High -- the adversary is highly likely to initiate the threat event (8)</span> </li> <li><span 
style="color: #000000;">Moderate -- the adversary is somewhat likely to initiate the threat event (5)</span> </li> <li><span style="color: #000000;">Low -- the adversary is unlikely to initiate the threat event (2)</span> </li> <li><span style="color: #000000;">Very Low -- the adversary is highly unlikely to initiate the threat event</span> </li> </ul> </li> <li><span id="show1_1_2_8_2" class="foldclosed" onClick="show_folder('1_1_2_8_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2_8_2" class="foldopened" onClick="hide_folder('1_1_2_8_2')">-</span> <span style="color: #000000;">Likelihood that a non-adversarial threat event will occur</span> <ul id="fold1_1_2_8_2" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">Very High -- the error, accident or act of nature is almost certain to occur, or occurs more than 100 times a year (10)</span> <p><span style="color: #000000;">High -- the error, accident or act of nature is highly likely to occur, or occurs between 10-100 times a year (8)</span> <p><span style="color: #000000;">Moderate -- the error, accident or act of nature is somewhat likely to occur, or occurs between 1-10 times a year (5)</span> <p><span style="color: #000000;">Low -- the error, accident or act of nature is unlikely to occur, or occurs less than once a year but more than once every 10 years (2)</span> <p><span style="color: #000000;">Very low -- the error, accident or act of nature is highly unlikely to occur, or occurs less than once every 10 years (0)</span> </li> </ul> </li> </ul><p><span id="show1_1_2_9" class="foldclosed" onClick="show_folder('1_1_2_9')" style="POSITION: absolute">+</span> <span id="hide1_1_2_9" class="foldopened" onClick="hide_folder('1_1_2_9')">-</span> <span style="color: #000000;">Risk - what are the high-risk scenarios (those with high overall threat, harm, likelihood)?</span> <ul id="fold1_1_2_9" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: 
#000000;">This is a combination of the scores of all the parts of the "compound sentence" -- high-risk scenarios will have high scores</span> <p><span id="show1_1_2_9_1" class="foldclosed" onClick="show_folder('1_1_2_9_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_9_1" class="foldopened" onClick="hide_folder('1_1_2_9_1')">-</span> <span style="color: #000000;">Risk models</span> <ul id="fold1_1_2_9_1" style="POSITION: relative; VISIBILITY: visible;"><li><p><span id="show1_1_2_9_1_1" class="foldclosed" onClick="show_folder('1_1_2_9_1_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_9_1_1" class="foldopened" onClick="hide_folder('1_1_2_9_1_1')">-</span> <span style="color: #000000;">Adversarial risk model (the one in the update slide deck)</span> <ul id="fold1_1_2_9_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">An ADVERSARIAL THREAT SOURCE (with a range of capability, intent and targeting)...</span> <p><span id="show1_1_2_9_1_1_1" class="foldclosed" onClick="show_folder('1_1_2_9_1_1_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_9_1_1_1" class="foldopened" onClick="hide_folder('1_1_2_9_1_1_1')">-</span> <span style="color: #000000;">In the context of...</span> <ul id="fold1_1_2_9_1_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">VULNERABILITIES (ranging in severity),</span> </li> <li><span style="color: #000000;">PREDISPOSING CONDITIONS (with varying pervasiveness)</span> </li> <li><span style="color: #000000;">SECURITY CONTROLS (planned and implemented), </span> </li> </ul><p><span style="color: #000000;">could initiate (with varying LIKELIHOOD OF INITIATION) a THREAT EVENT,</span> <p><span style="color: #000000;">that could result in ADVERSE IMPACTS (which have RISK, which is in turn a combination of the nature of the impact and the likelihood that its effects will be felt)</span> </li> </ul><p><span id="show1_1_2_9_1_2" class="foldclosed" 
onClick="show_folder('1_1_2_9_1_2')" style="POSITION: absolute">+</span> <span id="hide1_1_2_9_1_2" class="foldopened" onClick="hide_folder('1_1_2_9_1_2')">-</span> <span style="color: #000000;">Non-adversarial risk model (build out, based on the adversarial one -- pretty similar, just fewer threat-sources)</span> <ul id="fold1_1_2_9_1_2" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">A NON-ADVERSARIAL THREAT SOURCE (with a range of effects)...</span> <p><span id="show1_1_2_9_1_2_1" class="foldclosed" onClick="show_folder('1_1_2_9_1_2_1')" style="POSITION: absolute">+</span> <span id="hide1_1_2_9_1_2_1" class="foldopened" onClick="hide_folder('1_1_2_9_1_2_1')">-</span> <span style="color: #000000;">In the context of...</span> <ul id="fold1_1_2_9_1_2_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">PREDISPOSING CONDITIONS (with varying pervasiveness)</span> </li> <li><span style="color: #000000;">SECURITY CONTROLS (planned and implemented), and</span> </li> <li><span style="color: #000000;">VULNERABILITIES (ranging in severity),</span> </li> </ul><p><span style="color: #000000;">could INITIATE (with varying likelihood) a THREAT EVENT,</span> <p><span style="color: #000000;">which could result in ADVERSE IMPACTS (which have RISK, which is a combination of the nature of the impact and the likelihood that its effects will be felt)</span> </li> </ul></li> </ul></li> </ul></li> </ul><p><span id="show1_1_3" class="foldclosed" onClick="show_folder('1_1_3')" style="POSITION: absolute">+</span> <span id="hide1_1_3" class="foldopened" onClick="hide_folder('1_1_3')">-</span> <span style="color: #000000;">Analysis approach -- develop and evaluate risk scenarios using a "compound-sentence" risk model</span> <ul id="fold1_1_3" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">Maybe build the sentences, then evaluate the components sometimes? 
seems like a two-way approach might work -- build then evaluate, evaluate then build</span> <p><span style="color: #000000;">Define a process that more specialized teams can use in the future to build more, or go into more depth</span> </li> </ul><p><span id="show1_1_4" class="foldclosed" onClick="show_folder('1_1_4')" style="POSITION: absolute">+</span> <span id="hide1_1_4" class="foldopened" onClick="hide_folder('1_1_4')">-</span> <span style="color: #000000;">Identify gaps in current response to DNS issues</span> <ul id="fold1_1_4" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">Pay special attention to the "Controls" portion of the analysis -- missing or inadequate managerial, operational or technical controls should be highlighted</span> <p><span style="color: #000000;">Much of this may have to wait until next phase -- when we go deep</span> <p><span style="color: #000000;">May find a number of organizational-response topics in SSR-RT report</span> </li> </ul><p><span id="show1_1_5" class="foldclosed" onClick="show_folder('1_1_5')" style="POSITION: absolute">+</span> <span id="hide1_1_5" class="foldopened" onClick="hide_folder('1_1_5')">-</span> <span style="color: #000000;">Possible additional risk mitigation activities that would assist in closing those gaps</span> <ul id="fold1_1_5" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_1_5_1" class="foldclosed" onClick="show_folder('1_1_5_1')" style="POSITION: absolute">+</span> <span id="hide1_1_5_1" class="foldopened" onClick="hide_folder('1_1_5_1')">-</span> <span style="color: #000000;">Ongoing roles and responsibilities</span> <ul id="fold1_1_5_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;"> </span> </li> </ul> </li> <li><span style="color: #000000;">Risk assessment methodology</span> </li> <li><span style="color: #000000;">Clarify responsibilities and accountability between ICANN and others in the security 
community</span> </li> </ul></li> </ul> </li> <li><span id="show1_2" class="foldclosed" onClick="show_folder('1_2')" style="POSITION: absolute">+</span> <span id="hide1_2" class="foldopened" onClick="hide_folder('1_2')">-</span> <span style="color: #000000;">Approach</span> <ul id="fold1_2" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_2_1" class="foldclosed" onClick="show_folder('1_2_1')" style="POSITION: absolute">+</span> <span id="hide1_2_1" class="foldopened" onClick="hide_folder('1_2_1')">-</span> Approach -- Hybrid -- go fast, then go deep <ul id="fold1_2_1" style="POSITION: relative; VISIBILITY: visible;"><li><p>Use the same diagram, but change the underlying pyramid <p>Go back to the AC/SOs at the end of the first pass for instruction on what to do in the next phase (build a proposal for next-phase towards the end of this one) <p>Come up with a good name for the report -- preliminary/summary/phase-1/ </li> </ul> </li> <li><span id="show1_2_2" class="foldclosed" onClick="show_folder('1_2_2')" style="POSITION: absolute">+</span> <span id="hide1_2_2" class="foldopened" onClick="hide_folder('1_2_2')">-</span> During this iteration <ul id="fold1_2_2" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_2_2_1" class="foldclosed" onClick="show_folder('1_2_2_1')" style="POSITION: absolute">+</span> <span id="hide1_2_2_1" class="foldopened" onClick="hide_folder('1_2_2_1')">-</span> <span style="color: #000000;">Methods -- selection and rationale</span> <ul id="fold1_2_2_1" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_2_2_1_1" class="foldclosed" onClick="show_folder('1_2_2_1_1')" style="POSITION: absolute">+</span> <span id="hide1_2_2_1_1" class="foldopened" onClick="hide_folder('1_2_2_1_1')">-</span> <span style="color: #000000;">Rationale</span> <ul id="fold1_2_2_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_2_2_1_1_1" class="foldclosed" onClick="show_folder('1_2_2_1_1_1')" 
style="POSITION: absolute">+</span> <span id="hide1_2_2_1_1_1" class="foldopened" onClick="hide_folder('1_2_2_1_1_1')">-</span> <span style="color: #000000;">Using a predefined methodology will save time and improve our work product</span> <ul id="fold1_2_2_1_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Consistent terminology</span> </li> <li><span style="color: #000000;">Shared model</span> </li> <li><span style="color: #000000;">Structured work</span> </li> <li><span style="color: #000000;">Sample deliverables</span> </li> </ul> </li> <li><span style="color: #000000;">Reviewed several dozen alternatives</span> </li> <li><span id="show1_2_2_1_1_2" class="foldclosed" onClick="show_folder('1_2_2_1_1_2')" style="POSITION: absolute">+</span> <span id="hide1_2_2_1_1_2" class="foldopened" onClick="hide_folder('1_2_2_1_1_2')">-</span> <span style="color: #000000;">We selected this one because it’s:</span> <ul id="fold1_2_2_1_1_2" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Available at no cost</span> </li> <li><span style="color: #000000;">Actively supported and maintained</span> </li> <li><span style="color: #000000;">Widely known and endorsed in the community</span> </li> <li><span style="color: #000000;">Reusable elsewhere in ICANN</span> </li> </ul> </li> </ul> </li> <li><span id="show1_2_2_1_2" class="foldclosed" onClick="show_folder('1_2_2_1_2')" style="POSITION: absolute">+</span> <span id="hide1_2_2_1_2" class="foldopened" onClick="hide_folder('1_2_2_1_2')">-</span> <span style="color: #000000;">Methods evaluated</span> <ul id="fold1_2_2_1_2" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">A&K Analysis - ISO 17799</span> </li> <li><span style="color: #000000;">Austrian IT Security Handbook</span> </li> <li><span style="color: #000000;">BSI - IT-Grundschutz </span> </li> <li><span style="color: #000000;">EBIOS - ISO 17799</span> </li> <li><span 
style="color: #000000;">Hazard Analysis -- Critical Control Point (HACCP) </span> </li> <li><span style="color: #000000;">HITRUST Common Security Framework</span> </li> <li><span style="color: #000000;">ISAMM</span> </li> <li><span style="color: #000000;">ISO/IEC 13335-2 (27005)</span> </li> <li><span style="color: #000000;">ISO/IEC 17799</span> </li> <li><span style="color: #000000;">ISO 27000 series </span> </li> <li><span style="color: #000000;">ISO 31000 series</span> </li> <li><span style="color: #000000;">Marion</span> </li> <li><span style="color: #000000;">NIST 800-30 </span> </li> <li><span style="color: #000000;">OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation)</span> </li> </ul> </li> </ul> </li> <li><span id="show1_2_2_2" class="foldclosed" onClick="show_folder('1_2_2_2')" style="POSITION: absolute">+</span> <span id="hide1_2_2_2" class="foldopened" onClick="hide_folder('1_2_2_2')">-</span> <span style="color: #000000;">Risk model</span> <ul id="fold1_2_2_2" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_2_2_2_1" class="foldclosed" onClick="show_folder('1_2_2_2_1')" style="POSITION: absolute">+</span> <span id="hide1_2_2_2_1" class="foldopened" onClick="hide_folder('1_2_2_2_1')">-</span> <span style="color: #000000;">Risk model - relationships between risk factors (aka "compound sentences")</span> <ul id="fold1_2_2_2_1" style="POSITION: relative; VISIBILITY: visible;"><li><p><span id="show1_2_2_2_1_1" class="foldclosed" onClick="show_folder('1_2_2_2_1_1')" style="POSITION: absolute">+</span> <span id="hide1_2_2_2_1_1" class="foldopened" onClick="hide_folder('1_2_2_2_1_1')">-</span> <span style="color: #000000;">Picture of adversarial risk model (the one in the update slide deck)</span> <ul id="fold1_2_2_2_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">An ADVERSARIAL THREAT SOURCE (with a range of capability, intent and targeting)...</span> <p><span 
id="show1_2_2_2_1_1_1" class="foldclosed" onClick="show_folder('1_2_2_2_1_1_1')" style="POSITION: absolute">+</span> <span id="hide1_2_2_2_1_1_1" class="foldopened" onClick="hide_folder('1_2_2_2_1_1_1')">-</span> <span style="color: #000000;">In the context of...</span> <ul id="fold1_2_2_2_1_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">VULNERABILITIES (ranging in severity),</span> </li> <li><span style="color: #000000;">PREDISPOSING CONDITIONS (with varying pervasiveness)</span> </li> <li><span style="color: #000000;">SECURITY CONTROLS (planned and implemented), </span> </li> </ul><p><span style="color: #000000;">could INITIATE (with varying likelihood) a THREAT EVENT,</span> <p><span style="color: #000000;">that could result in ADVERSE IMPACTS (which have RISK, which is in turn a combination of the nature of the impact and the likelihood that its effects will be felt)</span> </li> </ul><p><span id="show1_2_2_2_1_2" class="foldclosed" onClick="show_folder('1_2_2_2_1_2')" style="POSITION: absolute">+</span> <span id="hide1_2_2_2_1_2" class="foldopened" onClick="hide_folder('1_2_2_2_1_2')">-</span> <span style="color: #000000;">Picture of non-adversarial risk model (build out, based on the adversarial one -- pretty similar, just fewer threat-sources)</span> <ul id="fold1_2_2_2_1_2" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">A NON-ADVERSARIAL THREAT SOURCE (with a range of effects)...</span> <p><span id="show1_2_2_2_1_2_1" class="foldclosed" onClick="show_folder('1_2_2_2_1_2_1')" style="POSITION: absolute">+</span> <span id="hide1_2_2_2_1_2_1" class="foldopened" onClick="hide_folder('1_2_2_2_1_2_1')">-</span> <span style="color: #000000;">In the context of...</span> <ul id="fold1_2_2_2_1_2_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">PREDISPOSING CONDITIONS (with varying pervasiveness)</span> </li> <li><span style="color: #000000;">SECURITY 
CONTROLS (planned and implemented), and</span> </li> <li><span style="color: #000000;">VULNERABILITIES (ranging in severity),</span> </li> </ul><p><span style="color: #000000;">could INITIATE (with varying likelihood) a THREAT EVENT,</span> <p><span style="color: #000000;">which could result in ADVERSE IMPACTS (which have RISK, which is a combination of the nature of the impact and the likelihood that its effects will be felt)</span> </li> </ul></li> </ul> </li> <li><span id="show1_2_2_2_2" class="foldclosed" onClick="show_folder('1_2_2_2_2')" style="POSITION: absolute">+</span> <span id="hide1_2_2_2_2" class="foldopened" onClick="hide_folder('1_2_2_2_2')">-</span> <span style="color: #000000;">Risk model - risk factor definitions</span> <ul id="fold1_2_2_2_2" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">Threat events - what happens?</span> <p><span style="color: #000000;">Adverse impacts - what is the harm?</span> <p><span style="color: #000000;">Vulnerabilities – severe and widespread?</span> <p><span style="color: #000000;">Predisposing conditions – pervasive?</span> <p><span style="color: #000000;">Controls and mitigation – effective and deployed?</span> <p><span style="color: #000000;">Threat sources – how broad is range of impact, what are their capabilities, how strong is their intent, are they targeting the DNS?</span> <p><span style="color: #000000;">Initiation – what is the likelihood that a threat-event will happen?</span> <p><span style="color: #000000;">Risk - how bad is the impact and how likely is it that it will be felt?</span> </li> </ul> </li> <li><span id="show1_2_2_2_3" class="foldclosed" onClick="show_folder('1_2_2_2_3')" style="POSITION: absolute">+</span> <span id="hide1_2_2_2_3" class="foldopened" onClick="hide_folder('1_2_2_2_3')">-</span> <span style="color: #000000;">Assessment approach - range of values that risk factors can take</span> <ul id="fold1_2_2_2_3" style="POSITION: relative; VISIBILITY: 
visible;"><li><p><span style="color: #000000;">Threat events - what happens?</span> <p><span style="color: #000000;">Adverse impacts - what is the harm?</span> <p><span style="color: #000000;">Vulnerabilities – severe and widespread?</span> <p><span style="color: #000000;">Predisposing conditions – pervasive?</span> <p><span style="color: #000000;">Controls and mitigation – effective and deployed?</span> <p><span style="color: #000000;">Threat sources – how broad is range of impact, what are their capabilities, how strong is their intent, are they targeting the DNS?</span> <p><span style="color: #000000;">Initiation – what is the likelihood that a threat-event will happen?</span> <p><span style="color: #000000;">Risk - how bad is the impact and how likely is it that it will be felt?</span> </li> </ul> </li> <li><span style="color: #000000;">Analysis approach - how risk factors are combined to arrive at risk scenarios</span> </li> </ul> </li> <li><span id="show1_2_2_3" class="foldclosed" onClick="show_folder('1_2_2_3')" style="POSITION: absolute">+</span> <span id="hide1_2_2_3" class="foldopened" onClick="hide_folder('1_2_2_3')">-</span> <span style="color: #000000;">Protocol for handling confidential information</span> <ul id="fold1_2_2_3" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">[Insert Julie's draft when final] -- here? or in a "Tools" appendix?</span> </li> </ul> </li> <li>"test case" risk scenarios </li> </ul> </li> <li>Question for AC/SOs - one more iteration or ongoing effort? 
</li> <li><span id="show1_2_3" class="foldclosed" onClick="show_folder('1_2_3')" style="POSITION: absolute">+</span> <span id="hide1_2_3" class="foldopened" onClick="hide_folder('1_2_3')">-</span> Next iteration <ul id="fold1_2_3" style="POSITION: relative; VISIBILITY: visible;"><li>More scenarios, more depth, more independent work-teams </li> <li><span id="show1_2_3_1" class="foldclosed" onClick="show_folder('1_2_3_1')" style="POSITION: absolute">+</span> <span id="hide1_2_3_1" class="foldopened" onClick="hide_folder('1_2_3_1')">-</span> Work breakdown <ul id="fold1_2_3_1" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_2_3_1_1" class="foldclosed" onClick="show_folder('1_2_3_1_1')" style="POSITION: absolute">+</span> <span id="hide1_2_3_1_1" class="foldopened" onClick="hide_folder('1_2_3_1_1')">-</span> Step 1 - Prepare for risk assessment <ul id="fold1_2_3_1_1" style="POSITION: relative; VISIBILITY: visible;"><li><p>TASK 1-1: Identify the purpose of the risk assessment in terms of the information the assessment is intended to produce and the decisions the assessment is intended to support. <p>TASK 1-2: Identify the scope of the risk assessment in terms of organizational applicability, time frame supported, and architectural/technology considerations. <p>TASK 1-3: Identify the specific assumptions and constraints under which the risk assessment is conducted. <p>TASK 1-4: Identify the sources of threat, vulnerability, and impact information to be used in the risk assessment. <p>TASK 1-5: Define (or refine) the risk model to be used in the risk assessment. 
</li> </ul> </li> <li><span id="show1_2_3_1_2" class="foldclosed" onClick="show_folder('1_2_3_1_2')" style="POSITION: absolute">+</span> <span id="hide1_2_3_1_2" class="foldopened" onClick="hide_folder('1_2_3_1_2')">-</span> Step 2 - Conduct risk assessment <ul id="fold1_2_3_1_2" style="POSITION: relative; VISIBILITY: visible;"><li><p>TASK 2-1: Identify and characterize the threat sources of concern to the organization, including the nature of the threats and for adversarial threats, capability, intent, and targeting characteristics. <p>TASK 2-2: Identify potential threat events, relevance to the organization, and the threat sources that could initiate the events. <p>TASK 2-3: Identify vulnerabilities and predisposing conditions that affect the likelihood that threat events of concern result in adverse impacts to the organization. <p>TASK 2-4: Determine the likelihood that threat events of concern result in adverse impacts to the organization, considering: (i) the characteristics of the threat sources that could initiate the events; (ii) the vulnerabilities and predisposing conditions identified; and (iii) organizational susceptibility reflecting safeguards/countermeasures planned or implemented to impede such events. <p>TASK 2-5: Determine the adverse impacts to the organization from threat events of concern considering: (i) the characteristics of the threat sources that could initiate the events; (ii) the vulnerabilities and predisposing conditions identified; and (iii) organizational susceptibility reflecting the safeguards/countermeasures planned or implemented to impede such events. <p>TASK 2-6: Determine the risk to the organization from threat events of concern considering: (i) the impact that would result from the events; and (ii) the likelihood of the events occurring. 
</li> </ul> </li> <li><span id="show1_2_3_1_3" class="foldclosed" onClick="show_folder('1_2_3_1_3')" style="POSITION: absolute">+</span> <span id="hide1_2_3_1_3" class="foldopened" onClick="hide_folder('1_2_3_1_3')">-</span> Step 3 - Maintain risk assessment <ul id="fold1_2_3_1_3" style="POSITION: relative; VISIBILITY: visible;"><li><p>TASK 3-1: Conduct ongoing monitoring of the factors that contribute to changes in risk to organizational operations and assets, individuals, other organizations, or the world. <p>TASK 3-2: Update existing risk assessment using the results from ongoing monitoring of risk factors. <p>3-1 -- Monitor risk factors </li> </ul> </li> </ul> </li> </ul> </li> <li><span id="show1_2_4" class="foldclosed" onClick="show_folder('1_2_4')" style="POSITION: absolute">+</span> <span id="hide1_2_4" class="foldopened" onClick="hide_folder('1_2_4')">-</span> <span style="color: #000000;">Possible ongoing organization and approach</span> <ul id="fold1_2_4" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_2_4_1" class="foldclosed" onClick="show_folder('1_2_4_1')" style="POSITION: absolute">+</span> <span id="hide1_2_4_1" class="foldopened" onClick="hide_folder('1_2_4_1')">-</span> <span style="color: #000000;">Purpose</span> <ul id="fold1_2_4_1" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">To quickly and accurately assess the actual level and severity of existing and emerging threats to the DNS</span> <p><span style="color: #000000;">To evolve/engage/empower a community of mutual trust and support to share ideas and resources</span> <p><span style="color: #000000;">To provide tools, models and best practices that help the diverse community of DNS providers assess their own situation in an effective and appropriate way</span> </li> </ul> </li> <li><span id="show1_2_4_2" class="foldclosed" onClick="show_folder('1_2_4_2')" style="POSITION: absolute">+</span> <span id="hide1_2_4_2" 
class="foldopened" onClick="hide_folder('1_2_4_2')">-</span> <span style="color: #000000;">Principles</span> <ul id="fold1_2_4_2" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">Favor the edge -- Vest authority, perform functions, and use resources in the smallest or most local part that includes all relevant and affected parties. </span> <p><span style="color: #000000;">Open membership -- to any who subscribe to purpose and principles</span> <p><span style="color: #000000;">Self organize -- for any activity consistent with purpose and principles</span> <p><span style="color: #000000;">Decision-making -- representative of all, dominated by none -- consensus where possible</span> <p><span style="color: #000000;">Resolve conflict creatively</span> <p><span style="color: #000000;">Draw out, rather than compel, action </span> <p><span style="color: #000000;">Freely exchange information unless it's confidential or materially reduces competitive position</span> </li> </ul> </li> <li><span id="show1_2_4_3" class="foldclosed" onClick="show_folder('1_2_4_3')" style="POSITION: absolute">+</span> <span id="hide1_2_4_3" class="foldopened" onClick="hide_folder('1_2_4_3')">-</span> <span style="color: #000000;">Participants</span> <ul id="fold1_2_4_3" style="POSITION: relative; VISIBILITY: visible;"><li><p><span style="color: #000000;">Individuals and organizations who see the purpose and principles as their own</span> <p><span style="color: #000000;">Provide a recognizable "doorway" for participants to enter (and depart)</span> <p><span style="color: #000000;">Is the current ICANN structure (AC/SOs) the best way to describe the "groupings" of participants? 
Are there any stakeholders missing?</span> <p><span style="color: #000000;">Determine what interests have to be balanced in order to create an organization trusted by all</span> </li> </ul> </li> <li><span id="show1_2_4_4" class="foldclosed" onClick="show_folder('1_2_4_4')" style="POSITION: absolute">+</span> <span id="hide1_2_4_4" class="foldopened" onClick="hide_folder('1_2_4_4')">-</span> <span style="color: #000000;">Organization</span> <ul id="fold1_2_4_4" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Decentralized, self-organizing</span> </li> <li><span style="color: #000000;">Diversity essential</span> </li> <li><span style="color: #000000;">Blurring the rules of competition and cooperation</span> </li> <li><span style="color: #000000;">Favor innovation, novelty, creativity and learning</span> </li> <li><span style="color: #000000;">Build intellectual and social capital that can be shared</span> </li> </ul> </li> <li><span id="show1_2_4_5" class="foldclosed" onClick="show_folder('1_2_4_5')" style="POSITION: absolute">+</span> <span id="hide1_2_4_5" class="foldopened" onClick="hide_folder('1_2_4_5')">-</span> <span style="color: #000000;">Edge-glue-middle relationship</span> <ul id="fold1_2_4_5" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_2_4_5_1" class="foldclosed" onClick="show_folder('1_2_4_5_1')" style="POSITION: absolute">+</span> <span id="hide1_2_4_5_1" class="foldopened" onClick="hide_folder('1_2_4_5_1')">-</span> <span style="color: #000000;">Edge-middle continuum</span> <ul id="fold1_2_4_5_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Middle -- start with ICANN staff and volunteer SSR thought-leaders and tool-builders</span> </li> <li><span style="color: #000000;">Glue -- Constituencies and related organizations</span> </li> <li><span style="color: #000000;">Edge -- DNS providers/deliverers/consumers</span> </li> </ul> </li> <li><span 
id="show1_2_4_5_2" class="foldclosed" onClick="show_folder('1_2_4_5_2')" style="POSITION: absolute">+</span> <span id="hide1_2_4_5_2" class="foldopened" onClick="hide_folder('1_2_4_5_2')">-</span> <span style="color: #000000;">capability (spokes, pie-slices)</span> <ul id="fold1_2_4_5_2" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;font-family: SansSerif, sans-serif; font-weight: bold; ">risk assessment</span> </li> <li><span style="color: #000000;">education, training, awareness</span> </li> <li><span style="color: #000000;">standards, tools, techniques</span> </li> <li><span style="color: #000000;">audit/compliance</span> </li> <li><span style="color: #000000;">mission continuity</span> </li> <li><span style="color: #000000;">DNS "delivery"</span> </li> </ul> </li> </ul> </li> </ul> </li> </ul> </li> <li><span id="show1_3" class="foldclosed" onClick="show_folder('1_3')" style="POSITION: absolute">+</span> <span id="hide1_3" class="foldopened" onClick="hide_folder('1_3')">-</span> <span style="color: #000000;">Appendices</span> <ul id="fold1_3" style="POSITION: relative; VISIBILITY: visible;"><li><span id="show1_3_1" class="foldclosed" onClick="show_folder('1_3_1')" style="POSITION: absolute">+</span> <span id="hide1_3_1" class="foldopened" onClick="hide_folder('1_3_1')">-</span> <span style="color: #000000;">Background materials and bibliography</span> <ul id="fold1_3_1" style="POSITION: relative; VISIBILITY: visible;"><li><span style="color: #000000;">Action: clean up the mind-map</span> </li> </ul> </li> <li><span style="color: #000000;">Tables?</span> </li> <li>Summary of methods? </li> <li>Confidential info protocol? </li> <li>Glossary </li> </ul> </li> </ul><SCRIPT type="text/javascript"> fold_document(); </SCRIPT> </body> </html> - - - - - - - - - phone 651-647-6109 fax 866-280-2356 web http://www.haven2.com handle OConnorStP (ID for public places like Twitter, Facebook, Google, etc.)