We are committed to ensuring the security and stability of the Internet's unique identifier systems. As part of this commitment, we conduct two third-party audits each year on different aspects of the IANA functions we provide. These audits evaluate our service organization controls (SOCs) against the “Trust Services Principles and Criteria”.
SOC 3 Certification of Root Zone KSK System
As the DNSSEC Root Zone Key Signing Key (RZ KSK) manager, we engage a third party to ensure we have appropriate internal controls in place to meet the availability, processing integrity and security objectives for our RZ KSK System. For this system, we use the SOC 3 framework (formerly known as SysTrust), with the audit conducted by the international accounting firm PricewaterhouseCoopers, LLP (PwC). We have engaged PwC to perform the SysTrust/SOC 3 audit since 15 June 2010. PwC has evaluated the IT operational practices and controls around the RZ KSK System and awarded us SOC 3 certification with an unqualified opinion. We will renew this certification annually.
SOC 2 for IANA Registry Management Systems
As part of our commitment to the Trust Services Principles and Criteria, we engage a third party to ensure we have appropriate internal controls in place to meet the availability, processing integrity and security objectives for the key systems used to support the IANA function’s transaction processing. These systems are referred to as our Registry Assignment and Maintenance Systems (RAMS), and include the Root Zone Management System and the system used to manage the IETF protocol parameter registries. The RAMS are audited using the SOC 2 framework, with the audit conducted by PwC.
PwC has prepared SOC 2 audits covering periods commencing June 2013, with audits conducted on an annual basis.
The audit is provided to NTIA to fulfill a requirement of the contract between NTIA and ICANN for the delivery of the IANA functions. In addition to the existing controls that are checked and verified for the registry maintenance systems, additional controls were added for the period commencing December 2013 to include verification of processing requests related to protocol parameters. Conducting such a review of ICANN’s service for the review and assignment of protocol parameters was a deliverable in the 2014 SLA between ICANN and the IAOC.
About the Trust Services Principles and Criteria
The Trust Services Principles and Criteria is an international set of principles and criteria developed and managed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). The SOC 2 and SOC 3 examination is a rigorous process developed by the AICPA and CICA to provide independent assurance that an organization's systems are reliable. Our SOC certification and reports focus on the following Trust Services principles:
- Availability — the system was available for operation and use, as committed or agreed
- Processing Integrity — the system processing was complete, accurate, timely, and authorized
- Security — the system was protected against unauthorized access
Each principle is supported by well-defined and detailed criteria that encompass a company's infrastructure, software, data, people, and procedures.
SysTrust/SOC 3 Reports
- SOC 3 Report — 1 December 2015 to 30 September 2016
- SOC 3 Report — 1 December 2014 to 30 November 2015
- SOC 3 Report — 1 December 2013 to 30 November 2014
- SysTrust Report — 1 December 2012 to 30 November 2013
- SysTrust Report — 1 December 2011 to 30 November 2012
- SysTrust Report — 1 December 2010 to 30 November 2011
- SysTrust Report — 15 June 2010 to 30 November 2010