As the body responsible for the hardware and software infrastructure behind French domain name operations, we keep a constant watch on the stability and security of the internet in France.
Afnic makes every effort to maintain a high level of quality, security and continuity of service for the TLDs it manages.
To ensure this high level of performance, our approach is one of continuous improvement, constantly seeking the balance between compliance with ever more demanding standards and resilience and agility.
An ISO 27001 certified ISMS
Afnic has always made security one of its top priorities. The implementation of the Information Security Management System (ISMS) has made this objective even more tangible. Embodied in the 2012 agreement with the State, ISO 27001 certification, obtained in 2016, provides assurance to our stakeholders that this commitment is met at all times.
Renewed by Afnor (French standards association) in 2019, the certification covers the essential services involved in the management of .fr:
- DNS (domain name) resolution and the DNSSEC protocol
- The .fr directory (Whois)
- The Shared Registration System (SRS)
- The escrow service (daily back-up of .fr data)
- The registry database
Since 2020, the scope has been extended to French overseas registries (.pm, .re, .tf, .wf and .yt). And with the overhaul of our information system, it will be formally extended to all TLDs for which Afnic is the back-end registry operator (.paris, .bzh, etc.).
The essential services of .fr management
Beyond the ISO 27001 certification procedure, we also rely on the recommendations and best practices issued on behalf of the State by ANSSI (the French National Cybersecurity Agency).
Beyond compliance: security by design
Security is not just a matter of information systems: it is part of our DNA (thanks to our INRIA roots), inherent in our core business and an essential component of our organisation.
The integrated management of our ‘Security’ and ‘Excellence’ processes makes security everyone’s business and a key dimension:
- of the continuous evolution of our information systems;
- and of the development of our products and services.
We also rely on a number of different manufacturers and software publishers: it’s a question of independence, risk control and cost control. We maintain in-house business skills at the highest level and carry out certain developments ourselves.
… and data protection by design
A pioneering registry in the protection of personal data (anonymised by default since 2006), Afnic upgraded its systems in 2018, not only to implement the GDPR (General Data Protection Regulation), but also to integrate this issue into the lower layers of the information system.
Rather than simply complying, we decided to create a Personal Data protection Management System, as well as the post of DPO (Data Protection Officer), to strengthen data protection in all processes.
It is a question of security and confidentiality, but also of commitment: at Afnic, we consider personal data as essential data.
Essential service, uncompromising security
In 2019, Afnic was declared an operator of an essential service, defined as a “service the interruption of which would have a significant impact on the functioning of the economy or of society”.
This classification entails new demands in terms of cybersecurity, and the commitment to comply by 2022 with the rules of the European NIS (Network and Information Services) Directive, in close collaboration with ANSSI.
True to our drive for excellence, we chose to apply a continuous improvement approach to each of these 23 rules of the Directive. Our ambition is to make our IS as resilient as possible, to strengthen our capacity to deal with incidents quickly and to minimise their effects.
Security approval: our commitment
The security approval of an information system is an information and accountability process that leads to a formal decision taken by Afnic, a competent authority (Approval Authority), which certifies that the risks to the security of this system have been identified and that the necessary measures to protect it are implemented. It also certifies that any risks that remain (residual risks) have been identified and accepted by the Approval Authority.
Afnic started this process in 2013 and formally pronounced the first approval in 2014. This approval has since been periodically renewed, in 2015, 2016, 2018 and 2019, for periods of 12 to 18 months.
The approval concerns the information system supporting the essential services of the French Top Level Domains managed by Afnic, namely, .fr, .pm, .re, .tf, .wf and .yt.
An approach based on continuous improvement
Like all Afnic’s processes, security is dealt with in the context of an approach based on continuous improvement. We operate in a field in which both technologies and threats are evolving rapidly. The constant evolution of our IS is essential if we are to respond to the demands of our clients (registrars and registries). It is also a matter of ensuring that all the TLDs for which we are responsible benefit from an IS that is ever more agile, stable and robust.
The services developed for our clients, such as .FR Lock and Abuse Report, also contribute to this continuous improvement, constantly enriching our experience in the field of security.
Furthermore, in accordance with the commitment made to the State, Afnic invests heavily each year, devoting more than 8% of its turnover to the acquisition of hardware and software contributing to the security and stability of .fr.