Strategic Risk Committee Meeting Minutes

23 February 2015 – 1.30pm

Present:

Julie Hammer (Chair), Adam King, Chris Disspain, Graham McDonald, George Pongas, Jo Lim, Simon Johnson, Jacki O’Sullivan (Minutes)

Apologies:

Kartic Srinivasan

1. Continuous Disclosure

  • The Committee welcomed new members Graham McDonald and Simon Johnson.
  • There were no matters to be disclosed.

2. Previous Minutes

  • The Committee noted the previously approved and published 25 August 2014 minutes.

3. Review of Outstanding Action Items:

  • Own Cloud:  New file structure to be set up for trial run for Risk Committee, framework & guidelines for Board requirements – Action C/F.
  • Handover Brief, Disaster Recovery and Threat Matrix documents:  Adam King provided an update and advised the final documents will be put into Own Cloud for review once Own Cloud is set up – Action C/F.
  • Crisis Communications Plan:  Committee advised plan has now been completed and will be put into Own Cloud for review once Own Cloud is set up – Action C/F.

4. Risk Action Status Report:

  • The Committee was advised there were currently no red flag Action Items on the Risk Log.  It was agreed the following was required:
    • The Risk Log is to be updated to incorporate additional risks previously identified at the August 2014 Meeting.
    • The Risk Log is to be updated to incorporate additional risks identified at this meeting as a result of the new Strategic Plan 2015-2018.
    • The Committee will identify those risks worthy of Committee review and compile them into an extracted list of items for updates from auDA Staff.
    • auDA Staff will monitor the status of all other Action Items on the Risk Log and bring to the attention of the Committee any whose status warrants discussion.

5. Risk Log Review:

  • The following items identified in the August 2014 Risk Committee Meeting were discussed by the Committee and, taking into account some progress in the last 6 months, the following updates need to be incorporated into the Risk Log:
    • New Government and changes in Department arrangements (CD/JL) – no change required as a result of the new Government. However, Risk Category 6 – Government Relations should be updated to take into consideration the risk of not having an agreement with AGIMO for the .gov.au 2LD and the resultant lack of clarity regarding the relationship between AGIMO and auDA.
    • IANA Stewardship Transition (CD/JL) – Several new risks identified in August 2014 are to be included in the Risk Log under Risk Category 7 – International Environment:
      • Risk of the consensus based solution for the USG role transition not being acceptable to auDA.
      • Risk that the Australian Government may wish to impose additional process on auDA.
    • Roll out of new gTLDs – auDA Staff, as part of their normal monitoring of .au performance, will consider whether new gTLDs could have had any impact - no change required to the Risk Log.
    • Recent Security incidents (JL/AK/GP) – New risks need to be added under Risk Category 4 – Security Threats and Attacks against .au, Risk Category 5 – Registrar Security Breach, and Risk Category 6 – Government Relations. In particular:
      • The wording of Risk Category 4 needs to be updated and the Probability raised from ‘Possible’ to ‘Likely’, and
      • Risk Category 5.1 needs to be updated to reflect the introduction of the new Information Security Standard (ISS).
    • DNSSEC rollout for .au (AK/JL) – DNSSEC Rollout is now complete and only the Annual DNSSEC Key Rollover remains a risk.  This aspect should still be included under Risk Category 3 – The Critical Nature of the DNS, specifically under 3.1 and 3.3.
  • The following issues were identified from the 2015-2018 Strategic Plan as requiring update:
    • Resellers (CD/JL) – With added focus on resellers in the Strategic Plan, the risk of failures, degradation or security breaches in resellers should be added to the Risk Log.
    • Cybersecurity (CD/JL) – With the current review of Cybersecurity being undertaken by the Government, the risks associated with this review should be added under Risk Category 6 – Government Relations.
  • The Committee agreed that a separate 'watching brief list' would be compiled on issues that warrant the attention of the Risk Committee, e.g. Cybersecurity, for circulation prior to the next meeting (CD/JL).

6. Next meeting

  • The next meeting will be held on 20 April 2014 at 2.00pm.