Australian body proposes 'world-first' security standard for domain name registrars

The auDA’s Industry Advisory Panel has drafted an information security standard (ISS) that calls on domain name registrars to “manage and improve the security of their own businesses in a way that also protects the integrity and stability of the .au domain space”, according to the panel’s issues paper.

Currently, registrars are required to provide immediate notice to auDA in the event of a security breach. The panel proposes to expand security requirements for registrars by requiring them to adhere to the auDA ISS.

The ISS would require registrars to carry out a risk assessment and institute security controls based on that assessment. The panel is developing a certification process that each registrar would be required to pass; an auDA-nominated assessor would carry out an audit every three years. Any registrar that failed the assessment would have its accreditation suspended. The accreditation would be terminated if the registrar did not pass its assessment within three months of suspension.

“The panel is aware that the introduction of a mandatory security standard for registrars would be a ‘world-first’, and would represent a significant change to the industry – not just for existing accredited registrars but also for prospective applicants for accreditation”, the paper said.

The auDA is seeking comments on the ISS proposal, along with other changes in the policy paper. Comments are due to the auDA by July 20, 2012.
 
