Jump to content

Registration Infrastructure Security Group

From ICANNWiki
Type: Non-profit
Industry: Internet Security
Founded: 2008
Headquarters: 1775 Wiehle Avenue, Suite 200

Reston Reston VA 20190 USA

Country: USA
Website: registrysafety.org
Key People
Roelof Meijer, (Acting Chair)
Jeff Neuman, Board Secretary
Jay Daley, Board Treasurer
Manoj Srivastava & James Bladel, Board Members

RISG (Registration Infrastructure Security Group) is a non-profit organization dedicated to finding solutions, and developing the best practices, to decrease the incidence of Internet security threats such as identity theft, phishing and malware distribution.

Background

Public Interest Registry, registry operator of the .org gTLD, initiated the establishment of RISG in 2008. Its objective is to help improve the existing internet security. Alexa Raad, then CEO of the Public Interest Registry, was the first elected Chairman of the RISG Board.[1]

Members

The members of the RISG Charter include the Public Interest Registry, SIDN, Afilias Limited, Nominet, NeuStar, Inc., China Internet Network Information Center (CNNIC), Cyveillance, Inc., Melbourne IT, Symantec Corporation, Shinkuro, GoDaddy.com, Inc., MarkMonitor, Network Solutions, McAfee, Internet Identity, Verisign, and InternetNZ.[2]

Activities and Responsibilities

The following are activities and responsibilities of RISG members:[3]

  • Collaborate with the Internet community to develop best practices for Registries and Registrars to prevent Internet security threats.
  • Appoint a liaison to the Anti-Phishing Working Group every year.
  • Actively participate in dialogues and share data with RISG members to facilitate the development of policy to solve or decrease the occurrence of phishing and malware distribution.
  • Conduct a meeting every quarter of the year to discuss relevant issues and strategies to achieve the mission of RISG.
  • Review the scope and terms of the data sharing plan.
  • Adopt procedures to resolve disputes or complaints raised by RISG members.
  • Review and approve any official RISG statement for publication.
  • Evaluate the adequacy of the RISG Charter annually.

RISG and ICANN

The Registry Internet Security Group commented on ICANN High Security Zone and Malicious Conduct Mitigation Programs and expressed that it can not support the major security proposals and procedural implementations included in the Draft Application Guidebook (DAG). RISG emphasized that the ICANN security proposals seemed to ignore established security protocols, failed to provide adequate implementation detail, and inappropriately broadened the scope of ICANN’s security responsibilities.[4]

The RISG enumerated the following objections:[5]

  1. Several measures are included that violate ICANN's limited technical coordination role. RISG pointed out that ICANN has a limited technical coordination role and its primary role is to maintain the security and stability of the Domain Name System (DNS). According to RISG, this role does not extend to the malicious use of domain names.
  2. ICANN's wider policy process in developing policies related to Whois implementation and the clear disregard to the GNSO.
  3. Measures included in the DAG not related to Internet security such as the issue on intellectual property infringement.
  4. Insufficient empirical evidence, academic study or substantive explanation for most of the proposals to demonstrate efficacy or demand.
  5. Considerations for legal issues of indemnification, current contractual requirements and enforcement of current contracts are not substantial.
  6. The lack of consideration of the market impact particularly on differentiated service offerings by registrars.

The organization recommended for ICANN to focus on the participation of cross-industry groups that have already implemented successful solutions to security threats, not to surpass the policy implementation process, and to be more aware of its technical coordination role and to provide empirical data to demonstrate market demand, need, and the impact of new requirements.[6]

References