Information security in practice

Domain name registrars must document and maintain an up-to-date description of how they take various areas of information security into consideration in their operations.

FICORA’s Regulation 68 lists several aspects to be considered when implementing and documenting information security measures. The regulation does not specify how this should be done in practice, since the relevant information security measures may vary from company to company depending, for example, on the services offered.

Therefore, the essential requirement is that the domain name registrar identifies the requirements and the practices that best serve all of their operations as an fi-domain name registrar.

FICORA requires that a registrar has up-to-date documents on how it implements information security measures in its operations. FICORA does not specify the different documents that a domain name registrar must prepare. This is left to the discretion of the registrar. The key issue is that the documentation is kept up to date and that it proves that all the information security themes listed in the section have been considered in the operations.

Areas of information security

Through all stages of fi-domain name services, registrars must pay attention to the following areas of information security:

Administrative information security

  • information security guidance documents (typical examples include information security policy and architecture) with which the management of the organisation proves its determination to ensure information security, the general principles of information security and its commitment to information security matters
  • processes and their management
  • management of risks and business continuity (see section 15 of Regulation 68)
  • documentation practices and systems
  • auditing and rehearsing procedures.

Personnel security

  • personnel’s information security responsibilities and obligations
  • personnel’s information security skills and skills development
  • personnel’s background investigations
  • key employee risks
  • prevention of risky combinations of responsibilities and tasks
  • job rotation to detect irregularities
  • procedures to be followed when employment is terminated
  • misconduct and non-compliance of personnel.

Security of hardware, software and data communications

  • vulnerability management
  • detection of information security violations (see sections 17 and 18 of Regulation 68)
  • change management (see section 19 of Regulation 68).

Security of information material and usage

  • safeguarding the confidentiality, integrity and availability of information
  • classification of information material and treatment according to the classification (see section 16 of Regulation 68)
  • responsibilities related to the maintenance of a user rights register: awarding, amending and cancelling user rights
  • prevention of the accumulation of user rights
  • prevention of unauthorised access to the administration and configuration data related to the provision of domain name registration services and to the invoicing, account and log data of the customers of the domain name registrar
  • data storage and deletion.

Physical security

  • location of facilities and the security of the surroundings
  • access control
  • structural protection.

FICORA has the right to audit a registrar's operations, if necessary.


Key words: Information security, Internet, Conformity, Cyber security, Data protection, Denial-of-service attack, Domain names, Registrar, Supervision, Guidelines, Recommendations, Regulations

