Educause Security Discussion mailing list archives

Re: IT Security Insurance


From: Gary Dobbins <dobbins () ND EDU>
Date: Tue, 21 Aug 2007 11:40:13 -0400

We received a similar offer.  We (InfoSec) opined against such a
purchase for a few reasons, including:

- It required that all IT adhere to one specification/standard (the
underwriter's), which was not practical for an entity as diverse as a
university.

- It provided monetary compensation in case of breach.  Money couldn't
repair the nature of a major facet of the potential damage (reputational).

An effective InfoSec program can be viewed as a form of insurance.

On the plus side, a monetary insurance policy may cover your costs of
incident investigation (which might be important in some environments),
and perhaps costs associated with incident recovery, such as credit
monitoring for individuals.



Allen, Jon D wrote:

During our insurance renewal process this year we were presented with
the option of adding an IT Security policy.  In the past, we did not
see a lot of value in the policies but wanted to review the current
landscape to see if that assessment has changed.



Has anyone purchased one of these policies?



If so, was the purchase a result of a recommendation by the security staff?



Have you used the policy, and if so, to what benefit was the policy?



I appreciate any insight into this topic.



Jon Allen

Information Security Officer

Baylor University




--

 ------------------------------------------------------------
 Gary Dobbins, CISSP -- Director, Information Security
 University of Notre Dame, Office of Information Technologies
