SSAC Improvements Implementation Plan

Security and Stability Advisory Committee (SSAC)

FINAL

18 March 2011
Preface

This is the Implementation Plan for improvements to the Security and Stability Advisory Committee (SSAC). The SSAC advises the ICANN community and Board on matters relating to the security and integrity of the Internet's naming and address allocation systems. This includes operational matters (e.g., matters pertaining to the correct and reliable operation of the root name system), administrative matters (e.g., matters pertaining to address allocation and Internet number assignment), and registration matters (e.g., matters pertaining to registry and registrar services such as WHOIS). The SSAC engages in ongoing threat assessment and risk analysis of the Internet naming and address allocation services to assess where the principal threats to stability and security lie, and advises the ICANN community accordingly. The SSAC has no official authority to regulate, enforce or adjudicate. Those functions belong to others, and the advice offered here should be evaluated on its merits.
1. Executive Summary

This implementation plan outlines the approach developed jointly by the SSAC Support staff and the ICANN Board's Structural Improvements Committee (SIC) to implement the 33 recommendations outlined in the January 2010 Final report of the ICANN Board SSAC Review Working Group http://www.icann.org/en/reviews/ssac/ssac-review-wg-final-report-29jan10-en.pdf. This Plan conforms to all guidance contained in the ICANN Board's Resolution 2010.06.25.05 that the SIC will, in coordination with staff, provide the Board with final implementation plans to conform with the measures recommended by the SIC to address the conclusions and recommendations in the final report of the Board Security and Stability Advisory Committee review Working Group. Specifically the Plan has been developed jointly by the SSAC support staff and the SIC, in consultation with ICANN's legal staff, and contains an implementation timeline. According to this timeline, all elements of the plan were completed as of 18 March 2011.

2. Introduction

This implementation plan outlines the approach developed jointly by the SSAC Support staff and the ICANN Board's Structural Improvements Committee (SIC) to implement the 33 recommendations outlined in the January 2010 Final report of the ICANN Board SSAC Review Working Group http://www.icann.org/en/reviews/ssac/ssac-review-wg-final-report-29jan10-en.pdf. In developing this Plan, the SSAC Support Staff consulted with ICANN's legal staff and incorporated its advice fully regarding the implications in a number of areas, including:

- Compliance with guidance from the ICANN Board; and
- Proposed ICANN Bylaws changes.

The Improvements Status section of this Plan provides a timeline. As of 18 March 2011 all elements of the plan were completed.

3. Board Guidance

Guidance from ICANN's Board regarding this plan is contained within the Board's Resolution, which states:

Resolved (2010.06.25.05), the SIC will, in coordination with staff, provide the Board with final implementation plans to conform with the measures recommended by the SIC to address the conclusions and recommendations in the final reports of the Board review Working Group, Nominating Committee review finalization Working Group and Security and Stability Advisory Committee review Working Group.

This Plan conforms to all guidance offered in this resolution. Specifically, the Plan has been developed jointly by SIC and the SSAC Support staff and conforms with the measures recommended by the SSAC to address the conclusions and recommendations in the final report of the SSAC review Working Group. Furthermore, the Plan contains an implementation timeline consisting of target completion dates for each of the Final Report's recommendations, as well as for the individual tasks into which these recommendations have been divided.
4. Bylaws Changes

The SIC, in coordination with the ICANN Legal Department, identified minor changes to the ICANN Bylaws required by the SSAC improvements. All proposed Bylaws changes occurred within Article XI of the Bylaws (Advisory Committees), Section 2 (Specific Advisory Committees), Number 2 (Security and Stability Advisory Committee).

5. Improvements Status and Completion

The following table provides a timeline with the completion date for each recommendation.
Improvements Status

Recommendation 1. ICANN maintain an advisory body comprised of outside experts on the security and stability of the Internet's unique identifier systems.
    Action Required: None
    Budget Implications: None
    Estimated Completion: Not applicable
    Status: No action required.

Recommendation 2. SSAC maintain its fundamental identity as an Advisory Board chartered by and reporting to the Board of Directors.
    Action Required: None
    Budget Implications: None
    Estimated Completion: Not applicable
    Status: No action required.

Recommendation 3. As SSAC and RSSAC are designed for different purposes, we do not recommend the combination of these bodies.
    Action Required: None
    Budget Implications: None
    Estimated Completion: Not applicable
    Status: No action required.

Recommendation 4. SSAC members should not be required to sign confidentiality or duty of loyalty agreements with ICANN.
    Action Required: None
    Budget Implications: None
    Estimated Completion: Not applicable
    Status: No action required.

Recommendation 5. The SSAC Charter should be amended to exclude dealings with confidential or proprietary information absent specific guidance from the Board. In the case of its disclosure this information has to be treated under the terms set/to be set by the owners of the information; this could imply the signing of project-specific confidentiality agreements or other measures considered appropriate by the information owners. In the case of requests to ICANN the CEO, and if necessary the Board, should decide on the access to confidential or proprietary information, considering the reasons for the request, and the possibility to set and enforce specific terms of access. Any recurrence of this process should be properly documented.
    Action Required: Staff to incorporate into the SSAC Operational Procedures. The SIC to consider the procedure. The SIC to assess the effectiveness of the rule.
    Budget Implications: None
    Estimated Completion: November 2010
    Status: Completed 15 November 2010: Incorporated into the SSAC Operational Procedures in Section 2.2.1 Affirmation of Confidentiality and Non-Disclosure.
Recommendation 6. The SSAC Charter be amended to exclude involvement with or review of internal ICANN operations except as specifically directed by the Board. In the interest of ICANN, SSAC is entitled to signal to the ICANN Board and management whenever it considers that there are potential threats to the security and stability of the Internet caused by ICANN's internal operations, including IANA, should report to the Board annually and after each security and stability incident on the measure adopted to face threats to the security and stability of the Internet that may be caused by its internal operations. The Board will decide on the partial or full disclosure of these reports to SSAC, as appropriate.
    Action Required: Board to decide on case-by-case basis. No action required unless requested by the SIC.
    Budget Implications: None
    Estimated Completion: Not applicable
    Status: No action required.

Recommendation 7. Correct the perception of SSAC independence through improvements in formality, transparency, and increased Board interaction without limiting SSAC members' freedom of expression (specific recommendations in multiple locations). The WG considers that no specific measure need to be adopted to address this remark, as other recommendations deal already with the same topic.
    Action Required: None
    Budget Implications: None
    Estimated Completion: Not applicable
    Status: No action required.

Recommendation 8. SSAC Charter be amended to add a requirement that the SSAC Chair and the SSAC Board Liaison are not the same individual. The WG agrees with the comments made by SSAC, and does not consider that the SSAC Charter requires amendment in the sense suggested by reviewers.
    Action Required: None
    Budget Implications: None
    Estimated Completion: Not applicable
    Status: No action required.

Recommendation 9. ICANN reimburse travel expenses for the SSAC Chair to ICANN meetings when appropriate. The WG agrees with the recommendation of the external reviewers.
    Action Required: No action required unless requested by the SIC.
    Budget Implications: None
    Estimated Completion: Not applicable
    Status: No action required.
Recommendation 10. ICANN Board study the issue of paying a stipend or honorarium to SSAC leadership and members.
    Action Required: Staff to present detailed plans. SIC to endorse. Board to adopt.
    Budget Implications: To be determined
    Estimated Completion: Not applicable
    Status: No action required.

Recommendation 11. Reviewers' Recommendation: The SSAC Charter be amended to specifically include non-technical risks to security and stability as within scope. WG determination: The SSAC has already demonstrated being able to analyze technical consequences of non-technical decisions. WG determination: The WG considers that the SSAC Charter does not need to be amended in the sense suggested by reviewers.
    Action Required: None
    Budget Implications: None
    Estimated Completion: Not applicable
    Status: No action required.

Recommendation 12. SSAC maintain focus on developing and sharing knowledge and understanding of new and evolving risks; SSAC should specifically avoid tactical involvement in response or mitigation activities. WG determination: No specific actions are needed.
    Action Required: None
    Budget Implications: None
    Estimated Completion: Not applicable
    Status: No action required.

Recommendation 13. SSAC comment: The detailed advice does not actually impinge on SSAC's goal of objectivity as long as it is limited to (1) avoid blindsiding individuals, (2) recognition that there is no requirement for anyone to follow SSAC's advice, (3) SSAC's guidance may conflict with contractual obligations, and (4) SSAC must continue to conduct itself with the highest level of professionalism and integrity. WG determination: The WG agrees with the comment formulated by SSAC, and considers that no action is required.
    Action Required: None
    Budget Implications: None
    Estimated Completion: Not applicable
    Status: No action required.

Recommendation 14. SSAC comment: The current charter adequately indicates that SSAC's mission is strategic rather than operational. WG determination: The WG agrees with the comment formulated by SSAC, and considers that no action is required.
    Action Required: None
    Budget Implications: None
    Estimated Completion: Not applicable
    Status: No action required.
Recommendation 15. WG determination: The WG agrees on the need for SSAC to set up a lightweight planning process.
    Action Required: SSAC to develop a lightweight planning process. Staff to incorporate into the SSAC Operational Procedures. The SIC to consider the procedure. The SIC to assess the effectiveness of the rule.
    Budget Implications: None
    Estimated Completion: November 2010
    Status: Completed 15 November 2010: Planning is incorporated into the SSAC Operational Procedures in Section 4 SSAC Work Plan and Activity Reporting.

Recommendation 16. SSAC keep and publish meeting minutes on the SSAC website in a timely fashion.
    Action Required: SSAC to keep and publish meeting minutes in a timely fashion. Staff to incorporate into the SSAC Operational Procedures. The SIC to consider the procedure. The SIC to assess the effectiveness of the rule.
    Budget Implications: None
    Estimated Completion: November 2010
    Status: Completed 15 November 2010: Meeting minutes are incorporated into the SSAC Operational Procedures in Section 5 SSAC Meetings.

Recommendation 17. SSAC should endeavor to keep their website current to include work in progress and work planned for the future.
    Action Required: SSAC to keep their web page current to include work in progress and work planned for the future.
    Budget Implications: None
    Estimated Completion: February 2010
    Status: Completed February 2010: SSAC Work Plans are posted to the SSAC web page.

Recommendation 18. The first item in the current charter ( ) should be removed.
    Action Required: Board Resolution (2010.28.10.11) directs that the proposed Bylaws amendment should be posted for public comment for a period of no less than 30 days. Posted from 03 November to 02 December. Final Board determination on 18 March 2011. Removal approved.
    Budget Implications: None
    Estimated Completion: March 2011
    Status: Completed 18 March 2011: Board Resolution 2011.03.18.06
Recommendation 19. SSAC should endeavor to find the best experts globally without regard for geographic proximity. SSAC membership should not be subject to artificial geographic quotas.
    Action Required: None
    Budget Implications: None
    Estimated Completion: Not applicable
    Status: No action required.

Recommendation 20. SSAC membership appointments be for a term of three years, renewable by the Board at the recommendation of the SSAC Chair indefinitely.
    Action Required: Change the ICANN Bylaws to include membership appointments for a term of three years, renewable by the Board at the recommendation of the SSAC Chair indefinitely.
    Budget Implications: None
    Estimated Completion: 05 August 2010
    Status: Completed 05 August 2010: Board Resolutions 2010.08.05.07 and 2010.08.05.08

Recommendation 21. Do not impose a limit on the number of terms an SSAC member may serve.
    Action Required: Change the ICANN Bylaws to include language that states that SSAC membership is renewable by the Board at the recommendation of the SSAC Chair indefinitely.
    Budget Implications: None
    Estimated Completion: 05 August 2010
    Status: Completed 05 August 2010: Board Resolutions 2010.08.05.07 and 2010.08.05.08

Recommendation 22. Stagger SSAC member terms such that roughly 1/3 of the terms are up for renewal each year.
    Action Required: Change the ICANN Bylaws to include language that states that SSAC member terms shall be staggered such that roughly 1/3 of the terms are up for renewal each year.
    Budget Implications: None
    Estimated Completion: 05 August 2010
    Status: Completed 05 August 2010: Board Resolutions 2010.08.05.07 and 2010.08.05.08

Recommendation 23. The WG considers that all [SSAC] Liaisons should be appointed for a three-year term, with the possibility to serve for a maximum of three consecutive terms.
    Action Required: No action required unless requested by the SIC.
    Budget Implications: None
    Estimated Completion: Not applicable
    Status: No action required.

Recommendation 24. The WG agrees that protective measures should be put in place to remove disruptive or underperforming AC members or Chair.
    Action Required: Board Resolution (2010.28.10.11) directs that the proposed Bylaws amendment should be posted for public comment for a period of no less than 30 days. Posted from 03 November to 02 December. Final Board determination on 10 December.
    Budget Implications: None
    Estimated Completion: March 2011
    Status: Completed 18 March 2011: Board Resolution 2011.03.18.06
Recommendation 25. The WG considers that, if and when applicable, when making statements SSAC members should clarify whether they refer to their personal view or to positions expressed in SSAC documents.
    Action Required: Staff to incorporate into the SSAC Operational Procedures. The SIC to consider the procedure. The SIC to assess the effectiveness of the rule.
    Budget Implications: None
    Estimated Completion: November 2010
    Status: Completed 15 November 2010: Incorporated into the SSAC Operational Procedures in Section 1.1 Relationship to ICANN.

Recommendation 26. The WG agrees with the recommendation issued by reviewers and remarks that the position of SSAC was formulated in response to the initial draft version of reviewers' report, which contained an excessively formal approach to document decision-making and documentation processes. The final version of reviewers' report formulates proposals that appear consistent with the culture of SSAC.
    Action Required: Chair selects and enforces the regular use of transparent decision-making and a documentation strategy adequate to SSAC culture. Staff to incorporate into the SSAC Operational Procedures. The SIC to consider the procedure. The SIC to assess the effectiveness of the rule.
    Budget Implications: None
    Estimated Completion: November 2010
    Status: Completed 15 November 2010: Incorporated into the SSAC Operational Procedures in Section 3 SSAC Publication Procedures and Section 4 SSAC Work Plan and Activity Reporting.

Recommendation 27. The SSAC formally approve and release all work products pursuant to the chosen decision-making and documentation strategy.
    Action Required: Chair selects and enforces the regular use of transparent decision-making and a documentation strategy adequate to SSAC culture. Staff to incorporate into the SSAC Operational Procedures. The SIC to consider the procedure. The SIC to assess the effectiveness of the rule.
    Budget Implications: None
    Estimated Completion: November 2010
    Status: Completed 15 November 2010: Incorporated into the SSAC Operational Procedures in Section 3 SSAC Publication Procedures and Section 4 SSAC Work Plan and Activity Reporting.
Recommendation 28. SSAC formally and visibly adopt a suitable default confidentiality policy. Other policies are used as necessary by mutual agreement.
    Action Required: SSAC to develop a confidentiality policy. Staff to incorporate into the SSAC Operational Procedures. The SIC to consider the procedure. The SIC to assess the effectiveness of the rule.
    Budget Implications: None
    Estimated Completion: November 2010
    Status: Completed 15 November 2010: Incorporated into the SSAC Operational Procedures in Section 2.2.1 Affirmation of Confidentiality and Non-Disclosure.

Recommendation 29. The WG recommends that SSAC produces a lightweight, yearly report of activities to the Board; the report should be published as appropriate.
    Action Required: SSAC produce a report of activities to the Board and for publication.
    Budget Implications: None
    Estimated Completion: February 2010
    Status: Completed February 2010: SSAC Work Plans are posted to the SSAC web page.

Recommendation 30. WG recommends SSAC to properly document the disclosing by its members of potential situations of conflict of interest, whenever a specific circumstance calls for this.
    Action Required: SSAC to develop a conflicts of interest policy. Staff to incorporate into the SSAC Operational Procedures. The SIC to consider the procedure. The SIC to assess the effectiveness of the rule.
    Budget Implications: None
    Estimated Completion: November 2010
    Status: Completed 15 November 2010: Incorporated into the SSAC Operational Procedures in Section 1.1 Relationship to ICANN.

Recommendation 31. Each SSAC work product shall include a "Dissents" section. Any SSAC member wishing to dissent shall do so here by name or anonymously. If there are no dissents, the verbiage "No Dissents" shall appear.
    Action Required: SSAC publications include an "Objections or Withdrawals" section.
    Budget Implications: None
    Estimated Completion: October 2009
    Status: Completed October 2009: Also incorporated into the SSAC Operational Procedures in Section 3 SSAC Publication Procedures.
Recommendation 32. Each SSAC work product shall include a "Recusals" section. The name of any SSAC member who recused him or herself during any part of the preparation and discussion of the specific work product shall appear here. If the individual wishes to remain anonymous, the term "X Recusals" shall appear in this section, where X is the number of anonymous recusals. If there are no recusals, the verbiage "No Recusals" shall appear. WG determination: Agreement; the use of the term "Abstentions" is suggested to substitute the term "Recusals".
    Action Required: SSAC publications include an "Objections or Withdrawals" section.
    Budget Implications: None
    Estimated Completion: October 2009
    Status: Completed October 2009: Also incorporated into the SSAC Operational Procedures in Section 3 SSAC Publication Procedures.

Recommendation 33. SSAC develop and post a conflicts of interest policy based on the ICANN Board policy.
    Action Required: SSAC to develop a conflicts of interest policy. Staff to incorporate into the SSAC Operational Procedures. The SIC to consider the procedure. The SIC to assess the effectiveness of the rule.
    Budget Implications: None
    Estimated Completion: November 2010
    Status: Completed 15 November 2010: Incorporated into the SSAC Operational Procedures in Section 1.1 Relationship to ICANN.