Consider the following scenario. A business unit needs a web site for a specific purpose, comes up with a descriptive and available domain name, and an individual in the unit registers the name and pays for it using a personal credit card. When the domain name needs to be renewed, the person who registered it has left your company but is still the administrative contact required to renew or transfer the domain name. Your company now faces a difficult and time-consuming process to have a name that has become important properly transferred.

It is easy to see why many companies get caught in this scenario. If your organization does not have a written policy covering Internet domain names, it should. The shorter, simpler and more explicit the written policy, the more likely it will be remembered and followed. It should include the expected behavior, how the behavior will be monitored and what the sanctions are for non-compliance. To be truly effective, the policy will also contain expectations, and sanctions, for higher levels of management. For example, what are the responsibilities and sanctions for a business unit VP if someone in his or her business unit registers a business domain name without following the policy?

It is preferable to have the registered contact points be titles or organizations rather than individuals. If the domains are registered with positions, then an individual leaving will not create the problems mentioned above.

No matter how well written, a policy will not be followed if people don't know it exists. Developing a communication plan for the policy is required. This involves not only the initial awareness campaign, but also ongoing reinforcement for existing employees and institutionalized training of new employees.

Finally, there needs to be a process to bring the existing domain names into compliance. A helpful technique is to publish all the domain names that are already known on a page on the intranet.
The communication of the policy can direct people to that page to see if a domain name they know of is already on the list. If it is not, the communication (and the page) should provide instructions for getting the domain on the list. As domain names are discovered they should be added to the list quickly, then brought into compliance using the documented processes.