ICANN Resolutions » Funding Digital Services platforms and code-base review
Important note: The Board Resolutions are as reported in the Board Meeting Transcripts, Minutes & Resolutions portion of ICANN's website. Only the words contained in the Resolutions themselves represent the official acts of the Board. The explanatory text provided through this database (including the summary, implementation actions, identification of related resolutions, and additional information) is an interpretation or an explanation that has no official authority and does not represent the purpose behind the Board actions, nor do any explanations or interpretations modify or override the Resolutions themselves. Resolutions can only be modified through further act of the ICANN Board.
The board is asked to approve the CIIO's recommendations that there is an immediate need to assess the software code-base managed by ICANN staff that has not already been assessed.
Whereas, staff has compiled a complete list of all digital services offered by ICANN to its served communities.
Whereas, ICANN offers a total of 85 such digital services, some 50 of which are services that have been partially or wholly developed by ICANN staff, or under ICANN staff supervision, leaving a code-base for maintenance under ICANN staff control.
Whereas, the Board Risk Committee has reviewed preliminary findings as presented by the Chief Innovation and Information Officer (CIIO) during ICANN52 in Singapore.
Whereas, the Board Risk Committee has reviewed the CIIO's short- and longer-term treatment of IT security matters on 17 April 2015 and agrees with the CIIO's recommendations that there is an immediate need to assess the software code-base managed by ICANN staff that has not already been assessed.
Whereas, the individual assessments may not individually reach the threshold of US$500,000 requiring Board approval, however because collectively they may reach that threshold, the Board Risk Committee further referred this matter to the Board Finance Committee.
Whereas, the Board Finance Committee has recommended that the Board delegate to the President and CEO, or his designee(s), the authority to perform all necessary contracting and disbursements to address the immediate need of assessing the software code-base managed by ICANN staff.
Whereas, there are sufficient funds in the FY15 contingency fund to cover the costs of this project.
Resolved (2015.04.26.23), the Board authorizes the President and CEO, or his designee(s), to perform all necessary contracting and disbursements to obtain a comprehensive review and security vulnerability assessment of all software platforms in use at ICANN for delivering digital services, including contracting with external service providers, acquiring needful tools, expenditure disbursement and undertaking remediation measures as appropriate.
Resolved (2015.04.26.24), the Board directs the President and CEO, or his designee(s), to provide regular updates to the Board Risk Committee on the progress of the long-term plan to ensure systems design and systems architecture are integrated into standard ICANN processes, and that security considerations occupy an essential role in corporate decision making.
As part of ICANN's digital services health-check, during the first quarter of FY15, ICANN's IT organization initiated an RFP process to select a suitable external third party with the reputation and the skills needed to assess all the services and the underlying technologies ICANN has deployed. Following the RFP process, ICANN selected and engaged the services of a globally recognized leader in undertaking such assignments.
The selected contractor performed a thorough analysis of the ICANN portfolio of digital services. ICANN staff decided to leverage the SANS Institute 20 Critical Security Controls framework (see http://www.sans.org/critical-security-controls/controls). The contractor produced a report during the first quarter of FY15 identifying those controls on which ICANN met or exceeded the "Green" standard, while also identifying those controls that could use further attention.
The report particularly highlighted one factor – Application Software Security – for deeper analysis.
Concurrently, staff inventoried all the digital services it offers the ICANN community. That number stands at 85 today. Staff catalogued the number of software platforms (development environment plus database or content management system), which have been leveraged to develop these services over the last 15+ years. Staff also determined that ICANN delivers digital services leveraging 10+ software platforms for the benefit of its served communities.
Following the SANS Institute framework-based assessment, ICANN IT staff initiated a 16-project portfolio focused on improving ICANN's defences in those IT infrastructure areas meriting further attention.
Staff analysed the nature of data captured, manipulated, stored and delivered by these services. The analyses looked at data integrity, data sensitivity and data privacy, among other factors. The result of this analysis showed a concentration of high-sensitivity data in services that serve ICANN's Contracted Parties community.
Staff retained the services of a deep-specialty firm with expertise in the software package and platform utilized by ICANN to specifically assess digital services deployed for the benefit of the New gTLD program. This specialty firm produced a report in late February of 2015, identifying areas that merited further attention.
Staff has determined that all other (~10) software platforms merit similar assessments. In attempting to estimate the costs of this project, staff approached three large firms with extensive ranges of skill sets and knowledge of numerous software platforms. Staff then also made cost inquiries at smaller, niche or subject matter expert firms that have concentrated expertise in just one or a few software platforms. The estimates received from the larger firms were significantly higher than those from the niche firms, even though firms of both sizes have comparable expertise on any given software platform in which the niche firms specialize. Accordingly, staff recommended using several smaller niche firms rather than one larger firm for this project. This has the added benefit of allowing multiple assessments to be performed in parallel.
The Board reviewed staff's recommendation for assessing potential software-driven vulnerabilities in the code-base of services built on these platforms, and the determination that the proposal met the standard for such assessments. The process for selecting subject matter expert firms for such assessments does not call for public consultation, as the assessment of the code-base is the primary consideration and the expenditure with any given vendor is not expected to reach the level requiring a public bidding process as set out in ICANN's Procurement Guidelines (see https://www.icann.org/en/system/files/files/procurement-guidelines-21feb... [PDF, 1.03 MB]). However, the collective amount expected to be spent in this effort across firms is anticipated to exceed the contracting and disbursement limit that ICANN management alone can approve.
It should be noted that this project is just the first step in a comprehensive approach. ICANN acknowledges that it has experienced some security issues, resulting from various causes, in the recent past, and the Board and staff are committed to taking the steps necessary to help ensure that such issues, or any other issues, do not arise in the future. To that end, the Board has directed the President and CEO, or his designee(s), to dedicate additional attention and resources to all IT facilities to ensure that they achieve and/or maintain the level of security that is appropriate and warranted given ICANN's mandate, and to report periodically back to the Board on continued progress.
There will be a financial impact on ICANN in engaging in such an assessment, but it is already covered in the budget under the contingency fund.
This is an Organizational Administrative function that does not require public comment.