Educause Security Discussion mailing list archives
Re: IT Security Insurance
From: Gary Dobbins <dobbins () ND EDU>
Date: Tue, 21 Aug 2007 11:40:13 -0400
We received a similar offer. We (InfoSec) opined against such a purchase for a few reasons, including: - It required that all IT adhere to one specification/standard (the underwriter's), which was not practical for an entity as diverse as a university. - It provided monetary compensation in case of breach. Money couldn't repair the nature of a major facet of the potential damage (reputational). An effective InfoSec program can be viewed as a form of insurance. On the plus side, a monetary insurance policy may cover your costs of incident investigation (which might be important in some environments), and perhaps costs associated with incident recovery, such as credit monitoring for individuals. Allen, Jon D wrote:
During our insurance renewal process this year we were presented with the option of adding a IT Security policy. In the past, we did not see a lot of value in the policies but wanted to review the current landscape to see if that assessment has changed. Has anyone purchased one of these policies? If so was the purchase a result of a recommendation by the security staff? Have you used the policy and if so to what benefit was the policy? I appreciate an insight into this topic. Jon Allen Information Security Officer Baylor University
-- ------------------------------------------------------------ Gary Dobbins, CISSP -- Director, Information Security University of Notre Dame, Office of Information Technologies
Current thread:
- IT Security Insurance Allen, Jon D (Aug 21)
- <Possible follow-ups>
- Re: IT Security Insurance Gary Dobbins (Aug 21)
- Re: IT Security Insurance Chad McDonald (Aug 21)
- IT Security insurance Theresa M Rowe (Aug 22)