Risk management

A domain name registrar must identify the functions, information and systems that are critical for the continuity of its operations and regularly evaluate and address any information security risks that they may be exposed to and the management of such risks. The risk management processes and results must be documented.

A security risk refers to the likelihood of an injury or damage and its consequences. An information security risk means an accidental or deliberate event that compromises the confidentiality, integrity or availability of domain name registration operations. The difference between an information security risk and an information security threat is that the likelihood and consequences of a risk have been assessed.

Information security risks may arise from the following:

  • human error
  • gaps in or non-compliance with the instructions provided to the personnel
  • theft or vandalism
  • flaws and malfunctions of equipment, systems or software
  • malware spread
  • destruction of data
  • fire or water damage
  • errors and neglect on the part of a subcontractor or a member of a partner network.

Objectives of risk management

Risk management is a process that aims at identifying risks, reducing their likelihood and/or impact to an acceptable level and maintaining the achieved level. The purpose of risk management is to protect the organisation and its ability to perform its operations, taking into account economic factors.

The objective of risk management requirements is to ensure that a domain name registrar is aware of the consequences of a potential realisation of the risks and knows whether the risk-mitigating measures are adequate.

The objectives of risk management include:

  • speeding up recovery after information security incidents
  • reducing the costs and damage caused by information security incidents
  • helping in allocating investments that improve the information security of domain name registration operations
  • improving the quality and productivity of domain name registration operations
  • optimising, in terms of finances, the management of risks related to domain name registration operations and preventing the realisation of risks.

Identifying and addressing risks

Examples of standards and publications in which risk management has been discussed include the following:

  • ISO/IEC 27005 [21]
  • NIST 800- 30 Risk Management Guide [22]
  • OCTAVE [23].

FICORA does not set any obligation to comply with a particular standard. Risk management models vary from company to company, and there is no single model that would suit every purpose.

FICORA requires a domain name registrar to identify the risks related to its operations and their continuity and how to address such risks. Addressing the risks means that the domain name registrar determines an acceptable risk level to its operations and takes appropriate measures (often called controls) to reach this level. This means that practical risk management requires the determination of responsibilities and schedules. In addition, the implementation and impact of risk management measures should be monitored.

FICORA also requires that the risk management is regular, i.e. that risks and the measures to manage them are evaluated on a regular basis. A domain name registrar is free to determine the appropriate monitoring cycles. Typically companies run risk management

  • regularly on an annual basis
  • whenever new services or functions are being established
  • every time after a potential risk is realised.

Documentation of the process and its results

FICORA supervises domain name registrars’ operations and the registrars must document their established risk management process and results to monitor the compliance with the risk management requirements.


Key words: Internet, Domain names


LinkedIn Print