European ccTLD Registries Address Security Issues With ISO27001: CENTR News

CENTR small logoSecurity is an ongoing issue for the domain name system and TLD registries are at the forefront of dealing with it.

So in 2011 CENTR, on its members’ request, created a Security Working Group for ccTLDs to share security best practices and discuss ways to mitigate security risks, the latest CENTR News highlights.

At a recent workshop in Brussels and for the second time a workshop was dedicated to one topic only, the ISO 27001 security standard.

“Over the past few years I got a lot of questions from colleagues from other ccTLDs about ISO 27001,” Bert ten Brinke, Security Officer with SIDN, Chair of the CENTR Security working group and expert in the field of ISO 27001 told CENTR News. “After a short inventory, the idea was born to organise a workshop completely focused on ISO 27001.”

“ISO forces you to build a process to deal with security risks within and around your organisation and its core tasks,” reported CENTR News. “When everyone involved starts to operate according to this process an organisation’s security will become less dependent on individual employees. Bert ten Brinke feels this is the main reason why ISO 27001 increases the chance of a better secured registry.”

“There are alternative standards that can be useful for ccTLDs and it’s of course possible to build your own processes follow your own standards. But by doing so, you’ll risk having to explain your standard over and over again. Official standards don’t have that issue. They are already accepted and used by a whole community.

“For companies there are a lot of security standards which can be used. Examples are: the American COBIT (Control Objectives for Information and Related Technology), which is an IT governance framework that addresses every aspect of IT and the originally British ISO 27001(International Organization for Standardization). COBIT lays more focus on Risk Management and following Bert ten Brinke it is more difficult to implement than the ISO27001 standard.”

“It is important to build a standard according to your organisation and not the other way around”. This is Bert’s main advice for ccTLDs that are considering implementing systematic security processes by means of an official standard. Furthermore, in order to start implementing security processes in a successful way the full support of the CEO or Managing Director is crucial.

“An ISO certificate is an engagement for the future. When you are certified ISO27001 for the first time this is only the beginning. Each year you have to proof that you are ‘worth’ the certificate and after three years, you have to recertify. For most companies it’s a never ending circle of security improvement.

On registry to recently acquire ISO27001 certification was nic.at, the registry for .at domain names. The announcement was made at the recent Domain Pulse conference held in Salzburg, Austria, and Richard Wein, General Manager, said the certification was proof of the registry’s dedication to security of .at domain names.

Elsewhere in the February 2014 edition of CENTR News, there are articles on CENTR preparations for the next Internet Governance Forum meeting to be held in Istanbul in September. Plus an update on DNSSEC in Europe, which shows there are two-thirds (67%) of registries that have implemented the security standard and a quarter (26%) planning its implementation, which are the findings of a survey of 26 ccTLD registries.

Plus there is a Q&A with Nominet Brand Manager Becky Bradburn and a European ccTLD update.

To download the latest CENTR News, go to https://centr.org/news/european-cctld-news-february-2014.