Information security in practice
Therefore, the essential requirement is that the domain name registrar identifies the requirements and the practices that best serve all of its operations as an fi-domain name registrar.
FICORA requires that a registrar has up-to-date documents on how it implements information security measures in its operations. FICORA does not specify the different documents that a domain name registrar must prepare. This is left to the discretion of the registrar. The key issue is that the documentation is kept up to date and that it proves that all the information security themes listed in the section have been considered in the operations.
Through all stages of fi-domain name services, registrars must pay attention to the following areas of information security:
- information security guidance documents (typical examples include information security policy and architecture) with which the management of the organisation proves its determination to ensure information security, the general principles of information security and its commitment to information security matters
- processes and their management
- management of risks and business continuity (see section 15 of Regulation 68)
- documentation practices and systems
- auditing and rehearsing procedures.
- personnel’s information security responsibilities and obligations
- personnel’s information security skills and skills development
- personnel’s background investigations
- key employee risks
- prevention of risky combinations of responsibilities and tasks
- job rotation to detect irregularities
- procedures to be followed when employment is terminated
- misconduct and non-compliance of personnel.
- vulnerability management
- detection of information security violations (see sections 17 and 18 of Regulation 68)
- change management (see section 19 of Regulation 68)
- safeguarding the confidentiality, integrity and availability of information
- classification of information material and treatment according to the classification (see section 16 of Regulation 68)
- responsibilities related to the maintenance of a user rights register: awarding, amending and cancelling user rights
- prevention of the accumulation of user rights
- prevention of unauthorised access to the administration and configuration data related to the provision of domain name registration services and to the invoicing, account and log data of the customers of the domain name registrar
- data storage and deletion.
- location of facilities and the security of the surroundings
- access control
- structural protection.
FICORA has the right to audit a registrar's operations, if necessary.