SFC - DNS Registrar
The SEAL Framework Checklist (SFC) for DNS Registrar provides best practices for securely managing domain names and DNS configurations.
For more details on certifications or self-assessments, refer to the Certification Guidelines.
Section 1: Governance & Domain Management
Domain Management Policies and Procedures
Do you maintain documented policies and procedures governing domain management operations?
Accountability for Domain Security
Is there a clearly designated person or team accountable for domain security (policy maintenance, security reviews, renewal management)?
Domain Inventory and Attributes
Do you maintain a comprehensive inventory of all domains including ownership, purpose, criticality classification, expiration dates, and relationships to business services/applications?
Current Configuration Baselines for Critical Domains
Do you document and maintain current configuration baselines for all critical domains (DNS records, security settings, registrar configurations)?
Section 2: Risk Assessment & Classification
Formal Domain Classification System
Do you maintain a formal classification system for domains based on criticality, financial exposure, and operational impact?
Mapping Domain Classifications to Controls
Do you map domain classifications to required security controls (monitoring frequency, approval requirements, backup procedures)?
Registrar and DNS Provider Security Criteria
Do you maintain security evaluation criteria for selecting domain registrars and DNS hosting providers?
Section 3: Access Control & Authentication
Procedures for Registrar Access
Do you maintain documented procedures for managing access to domain registrar accounts?
Multi-factor Authentication for Registrar Accounts
Do you enforce multi-factor authentication requirements for all registrar and DNS management accounts?
Dedicated Domain Security Contact Email
Do you maintain a separate, dedicated security contact email for domain management that is independent from your primary domain?
Periodic Access Reviews for Domain Privileges
Do you conduct periodic access reviews for all personnel with domain management privileges?
Approval Workflows for Critical Domain Operations
Do you maintain documented approval workflows for critical domain operations (transfers, deletions, nameserver changes)?
Section 4: Technical Security Controls
DNS Security Configuration Standards
Do you maintain documented standards for DNS security configurations (DNSSEC, CAA records, TTL policies)?
Email Authentication Protocol Standards
Do you maintain documented standards for email authentication (SPF, DKIM, DMARC, MTA-STS)?
DMARC Monitoring and Response Procedures
Do you have procedures for monitoring and responding to DMARC reports and policy violations?
Documented Domain Lock Procedures
Do you maintain documented procedures for implementing domain locks (transfer locks, registry locks, EPP status codes)?
Out-of-Band Domain Change Verification
Do you have procedures for out-of-band verification of domain changes through registrar support channels?
TLS Certificate Lifecycle Management Procedures
Do you maintain documented procedures for TLS certificate lifecycle management, including issuance, renewal, revocation, and monitoring for expiration across all domains and services?
Section 5: Operational Procedures
Domain Registration Lifecycle Procedures
Do you maintain documented procedures for domain registration, renewal, decommissioning, and expiration prevention (auto-renewal, multiple reminders, backup payment methods)?
Secure Domain Transfer Procedures
Do you maintain documented procedures for secure domain transfers between registrars?
DNS Change Management Procedures
Do you maintain formal change management procedures for DNS record modifications?
Section 6: Monitoring & Detection
Continuous Monitoring for DNS Changes
Do you maintain continuous monitoring for unauthorized DNS record changes across all critical domains?
DNS Compromise Indicators Monitoring
Do you monitor for specific indicators of DNS compromise (TTL changes, nameserver modifications, record anomalies)?
Monitor Certificate Transparency Logs
Do you maintain procedures for monitoring Certificate Transparency logs for unauthorized certificate issuance?
Unauthorized Domain Registration Monitoring
Do you monitor domain registration status and registrar lock settings for unauthorized changes?
Detecting Domain Expiration Risks
Do you maintain procedures for detecting and responding to domain expiration risks?
Section 7: Incident Response
Domain Hijacking Incident Response
Do you maintain incident response procedures specific to domain hijacking and DNS compromise scenarios?
Registrar and DNS Emergency Contacts
Do you maintain emergency contact information for registrars and DNS hosting providers?
Emergency Registry Lock Activation
Do you maintain procedures for emergency registry lock activation to prevent unauthorized domain changes?
Regaining Control of Compromised Domains
Do you have documented procedures for regaining control of compromised domains?
DNS Record Integrity Validation Procedures
Do you maintain procedures for validating DNS record integrity after incident recovery?