auDA and .au registrars successfully work together to improve security

Posted by Jo Lim and Lujia Chen on 4 November 2015

We live in an era where information security breaches can affect businesses of all types and sizes, causing significant damage and distress not only to the business itself but also to its customers.  Over the past few years, dozens of major hacking incidents have occurred, exploiting security vulnerabilities in the systems and infrastructure of domain name registrars to perform malicious activities on the domain names and associated websites of their customers.  

Recognising the need to take action, and with full endorsement by the industry, auDA implemented a world-first Information Security Standard (ISS) for Accredited Registrars (auDA ISS) which officially launched on 17 October 2013.

The auDA ISS reinforces the obligations of registrars under their Registrar Agreement with auDA to:

• take all reasonable or prudent actions to preserve the confidentiality and security of all registrant data
• have adequate capability for providing information security procedures to prevent system hacks, break-ins, data tampering and other disruptions to its business
• promote and protect the stability and integrity of the Australian domain name system
• ensure the effective and efficient operation of the domain name registration system.

All existing auDA accredited registrars were required to achieve ISS compliance by 31 October 2015, with assessment services provided by information security auditing company Vectra Corporation.

Registrars ISS Compliance Status Post 31 October 2015

At the end of October, 12 auDA accredited registrars have achieved full ISS certification. Cheaper Domains, Discount Domain Names, and Information Brokers, considered relatively small-sized registrars, were the first ones certified with the auDA ISS in December 2013.

All remaining registrars are in the process of completing their ISS assessment, with many of them waiting for their onsite audit to be scheduled by a Vectra assessor. Given the significant progress these registrars have made towards meeting the ISS requirements so far, they are regarded as having met the deadline and not in breach of the relevant provisions under the Registrar Agreement and auDA ISS policy.

Implementation of ISS compliance caused some registrars to undertake a cost-benefit analysis of their registrar accreditation and, as predicted, we saw a consolidation in the registrar industry ahead of the October deadline - with five registrars making the decision to voluntarily terminate their accreditation and move to a reseller platform with ISS compliant registrars.

General feedback from registrars who have gone through the ISS assessment process has been positive. These registrars tell us that since completing the ISS assessment, they have developed a better understanding and documentation of their own business processes, systems and technology.

Given the auDA ISS was modelled on the well-known ISO 27001 and PCI DSS standards, a number of registrars who already met these standards for information security management were able to complete their auDA ISS assessment with more efficiency and confidence. On the flipside, completing the ISS assessment has motivated some registrars to take the next steps towards ISO 27001 and PCI DSS compliance.

Early adopters of the ISS say they noticed an increase in the number of new customers that decided to sign up or switch from their current registrar to one that is ISS certified, feeling that their online assets (i.e. domain name and website) would be better protected and prepared against cyber-attacks.     

ISS Certification and What Happens Next

We believe that the implementation of the auDA ISS has increased security mindfulness and built greater capability across all accredited registrars to respond to and remediate potential attacks, reinforcing instilled trust and confidence in the .au.

It’s worth noting that the costs of the ISS compliance program (not including registrars’ internal costs) have been borne by auDA, which represents a significant financial investment in the Australian domain name industry for the benefit of all stakeholders, supply and demand.

Following the 24-months ISS phase in period for existing registrars, auDA will be conducting a formal review of the auDA ISS. auDA will be inviting feedback from registrars on all aspects of their ISS assessment, including any ideas on how we can improve the ISS overall and how we best handle the ongoing 3 year re-certification process. More information on this will be published in the near future on the auDA website or information sent to subscribers to auDA announcements mailing list, you can join that list by emailing info@auda.org.au