Contingency and Continuity of Operations Plan Test Report
11 March 2022
ICANN and PTI maintain a Contingency and Continuity of Operations Plan (“CCOP”) for the IANA Naming Function. This Plan is compiled and tested in accordance with section 5.2(b) of the IANA Naming Functions Agreement effective 1 October 2016, which reads:
“[PTI] shall collaborate with ICANN to develop and implement a [CCOP] for the IANA Naming Function. [PTI] in collaboration with ICANN shall from time to time update and annually test the CCOP as necessary to maintain the security and stability of the IANA Naming Function. The CCOP shall include details on plans for continuation of the IANA Naming Function in the event of cyber or physical attacks, emergencies, or natural disasters. [PTI] shall submit the CCOP to ICANN after each update and publish on the IANA Website a report documenting the outcomes of the CCOP tests within 90 calendar days of the annual test.”
This current version of the CCOP was adopted by the President of PTI in September 2021.
CCOP Annual Test
The CCOP is tested annually to enable robust collaboration amongst the incident response team in a safe environment. The exercise tests awareness of activities conducted by each party in case of operational failures, and seeks to identify opportunities to refine the approach described within.
For this year’s test, two scenarios were devised to simulate different types of disasters. The first scenario described broad unavailability of root zone management systems and test ability to complete emergency root zone change requests. The second scenario described a fire destroying one of the key management facilities.
A tabletop exercise was held on December 3, 2021 to test the CCOP’s ability to deal with these events. Present for the test were the PTI Continuity Team, composed of key staff members that perform the IANA functions that would take lead in restoration efforts. Also present were representatives from ICANN’s Engineering & Information Technology, Communications, Human Resources, Security Operations and Facilities, and Risk Management departments.
Findings
A report identifying strengths and opportunities for improvement was delivered to the PTI President on 3 March 2022. The report has been reviewed and has found the following:
- The exercise was successful in demonstrating that the plan was adequate to respond to the scenarios presented;
- Staff navigated simulated adverse scenarios and continued to provide essential functions;
- Processes for out-of-band communications with the Root Zone Maintainer should be reviewed to ensure adequate knowledge and availability;
- Operational plans should include tasks and responsibilities required of the plan when not actively managing a crisis;
- Future exercises would benefit from the use of external vendors for scenario design and facilitation;
- Staff should develop specific standard operating procedures for different categories of events.
Approval
Name: Kim Davies
Position: President, PTI
Date: 11 March 2022