


by Steve Telleen

Managing Internet Domain Names

Dec 09, 2002 | 2 mins
CSO and CISO, Data and Information Security

Consider the following scenario. A business unit needs a web site for a specific purpose and comes up with a descriptive and available domain name. An individual in the unit registers the name and pays for it using a personal credit card. When the domain name needs to be renewed, the person who registered it has left your company but is still the administrative contact required to renew or transfer the domain name. Your company now faces a difficult and time-consuming process to have a name that has become important properly transferred.

It is easy to see why many companies get caught in this scenario. If your organization does not have a written policy covering Internet domain names, it should.

The shorter, simpler and more explicit the written policy, the more likely it will be remembered and followed. It should include the expected behavior, how the behavior will be monitored and what the sanctions are for non-compliance. To be truly effective, the policy also will contain expectations, and sanctions, for higher levels of management. For example, what are the responsibility and sanctions for a business unit VP if someone in his or her business unit registers a business domain name without following the policy?

It is preferable to have the registered contact points be titles or organizations rather than individuals. If the domains are registered with positions, then an individual leaving will not create the problems mentioned above.

No matter how well written, a policy will not be followed if people don't know it exists. Developing a communication plan for the policy is required. This involves not only the initial awareness campaign, but also ongoing reinforcement for existing employees and institutionalized training of new employees.

Finally, there needs to be a process to bring the existing domain names into compliance. A helpful technique is to publish all the domain names that are already known on a page on the intranet. The communication of the policy can direct people to that page to see if a domain name they know of is already on the list. If it is not, the communication (and the page) should provide instructions for getting the domain on the list. As domain names are discovered, they should be added to the list quickly, then brought into compliance using the documented processes.