Katakri requirements for the EPP interface

Katakri is an auditing tool for authorities that can be used to assess the target organisation’s ability to protect an authority’s classified information.

If a domain name registrar uses FICORA's EPP interface as the technical interface, the registrar must meet the criteria derived from the requirements of protection level IV of subdivision I (information assurance) of the currently valid version of Katakri with respect to the following:

  1. communications security
  2. system security.

Katakri brings together the minimum requirements based on national legislation and international obligations. Katakri 2015 Security Audit Tool was approved by the cooperation group of the National Security Authority (NSA) on 26 March 2015. Katakri, as such, does not set mandatory requirements on information security; instead, the requirements included in Katakri are based on legislation in force and international information security obligations binding on Finland. To ensure transparency, a source reference is always given in connection with the requirements presented in Katakri.

Subdivisions of requirements

The requirements in Katakri are divided into three subdivisions:

  • The subdivision on security management (T) aims to ensure that the organisation has sufficient security management abilities and skills.
  • The subdivision on physical security (F) describes the security requirements for the physical environment of processing classified information.
  • The subdivision on information assurance (I) describes the security requirements for the IT environment. This subdivision is further divided into three protection levels (IV, III, II) on the basis of the information handled.

Domain name registrars using FICORA’s EPP interface must meet the requirements in the subdivision on information assurance in terms of communications security and system security. The purpose of this is to ensure that the information security of the registrars’ customers is at a high level.

The requirements apply specifically to domain name services. If a party engaged in domain name registration operations also carries out other operations, the requirements do not apply to such operations.

FICORA’s regulation refers to the currently valid version of the criteria. The valid version of Katakri is available on the website of the Ministry of Defence.

Support:

Contact us preferably by email via fi-domain-tech(at)ficora.fi.


Key words: Internet, Domain names

