Home page logo

educause logo Educause Security Discussion mailing list archives

Re: IT Security Insurance
From: Gary Dobbins <dobbins () ND EDU>
Date: Tue, 21 Aug 2007 11:40:13 -0400

We received a similar offer.  We (InfoSec) opined against such a
purchase for a few reasons, including:

- It required that all IT adhere to one specification/standard (the
underwriter's), which was not practical for an entity as diverse as a

- It provided monetary compensation in case of breach.  Money couldn't
repair the nature of a major facet of the potential damage (reputational).

An effective InfoSec program can be viewed as a form of insurance.

On the plus side, a monetary insurance policy may cover your costs of
incident investigation (which might be important in some environments),
and perhaps costs associated with incident recovery, such as credit
monitoring for individuals.

Allen, Jon D wrote:

During our insurance renewal process this year we were presented with
the option of adding a IT Security policy.  In the past, we did not
see a lot of value in the policies but wanted to review the current
landscape to see if that assessment has changed.

Has anyone purchased one of these policies?

If so was the purchase a result of a recommendation by the security staff?

Have you used the policy and if so to what benefit was the policy?

I appreciate an insight into this topic.

Jon Allen

Information Security Officer

Baylor University


 Gary Dobbins, CISSP -- Director, Information Security
 University of Notre Dame, Office of Information Technologies

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]