Skip to main content

Archived Plans

You can find our plans from previous quarters along with requests from the community on this page. In Q1 2023, we separated the work items of Information Technology from the Information Security, Risk and Compliance and added them to this area. We update this page at the end of each quarter.

2024 Plans and Community Input

Our plans from previous quarters were redrafted and broken down into different components for clarity.

Item 1: Ensure adherence to regulatory and security industry standards

In 2024, we completed the ISAE 3000 / SOC2 Type I RPKI audit and received the final assurance report. In Q1 2025, we kicked off the preparation efforts for the RPKI ISAE 3000 / SOC2 Type II audit and initiated internal control testing to ensure our processes are operating according to the designed control framework. This effort will continue in Q2 2025.

We continue to work on establishing compliance with the ISO 27001 standard. In Q2 2025, we will continue focusing on increasing our business continuity readiness and formalising our data governance. This initiative will also ensure that RIPE NCC is ready to comply with the upcoming NIS2 EU regulation.

In the first two quarters of 2025, we will also be working on publishing our compliance with regulatory and security industry standards via a Trust portal. The portal will focus on creating a secure, user-friendly interface where interested parties can easily access high-level information about the information security posture of the RIPE NCC.

Status: Continues in 2025.

Item 2: Strengthen system security and resilience

This activity is part of the wider efforts to build our vulnerability management framework.

In Q2 2025, we will continue to focus on our vulnerability remediation efforts, by refining our policies and procedures and expanding our reporting capabilities. In the first two quarters of 2025, we will also direct our efforts to enhance the security posture of our on-premise Kubernetes cluster.

Status: Continues in 2025.

Item 3: Enhance the incident detection and response capability

Due to resource constraints, we have placed this work item on hold.

During Q2 2024, we expanded our detection and response capabilities to cover Google Workspace and continued our work to prevent RIPE NCC account takeovers.

Our future plans are to expand our network monitoring capabilities and enhance our detection capabilities for the identification of potentially compromised RIPE NCC Access accounts.

Item 4: Gain maturity in Risk Management

This activity is part of the wider efforts to modernise our enterprise risk management.

In 2023, we redesigned our Enterprise Risk Management Framework, following industry standards and executed an organisation-wide risk assessment. Throughout 2024, we are operationalising the framework. We have established a Governance Committee and conducted the first meeting in Q2 2024. The Governance Committee, composed of executive team members and the risk manager, is central to the efforts of risk management, alongside other duties like policy review and approval.

In Q3 2024, we will finalise the risk treatment plans to address relevant risks. We will continue to conduct risk assessments for all areas of the organisation, updating the risk register, the definitions of enterprise risks and their risk level.

2023 Plans and Community Input

Item 1: Cooperation with security organisations

We are supporting the development of an independent TF-CSIRT and intend to join the Supervisory Board of the new Dutch foundation.

Completed in Q3 2023.

Item 2: Vulnerability management framework

In 2023, we guided organisation-wide efforts to streamline our patch management and vulnerability management processes. Specifically, in Q1 2023, we focused on improving the infrastructure vulnerability detection accuracy and coverage. Additionally, we designed the workflows and tooling for managing the remediation lifecycle of application layer vulnerabilities. In Q2 2023, we continued expanding the coverage of our infrastructure vulnerability detection. Next to that, the vulnerability management policy was drafted. The remediation lifecycle for application layer vulnerabilities is planned to be operationalised based on the drafted policy.

Item 3: Cloud security enhancements

In Q1 2023, we outlined the core areas where cloud security enhancements are required and engaged with relevant experts. The execution of the outlined security improvements was planned for the rest of 2023. Additionally, in Q1, further cloud configuration checks were implemented to enhance security visibility.

Item 4: Enterprise risk management modernisation

In Q1 2023, we established an internal Risk & Compliance function. In order to modernise our risk management methodology in a robust manner, a Risk Management policy has been drafted, and industry risk management frameworks have been evaluated.

In Q2 2023, we updated our Risk Management framework and established the relevant internal governance structure.

Item 5: Security Awareness Programme

In Q2 2023, we launched our internal security awareness programme. The programme encompasses security awareness training for new joiners, current staff and people in high-risk roles.

Completed in Q2 2023.

Item 6: Compliance with ISO/IEC 27000

Define our operations within the ISO/IEC 27000 framework and ensure that we are at the level of ISO 27001 certification, with the Plan/Do/Check/Act cycle fully in place.

In Q1 2023, we completed the gap analysis against the ISO 27001 standard, which was initiated in Q4 2022. In Q2 2023, we focused on designing our Information Security Management System and drafted our overarching Information Security Policy according to the ISO 27001 standard. The timeline for implementation and certification against the standard is the end of 2024.

2022 Plans and Community Input

Item 1: Bug bounty programme

To supplement our existing responsible disclosure policy, we planned the implementation of a public bug bounty programme for our external facing services.

Researchers were invited to participate in the RIPE NCC programme and identify security vulnerabilities for our external perimeter and services. The identified vulnerabilities are triaged internally and, according to their criticality, a bug bounty was paid out.

Completed in Q4 2022.