Educause Security Discussion mailing list archives

Re: Insurance - Privacy and Network Liability

From: "Plesco, Todd" <tplesco () CHAPMAN EDU>
Date: Tue, 20 Oct 2009 15:24:35 -0700

We're in a very similar situation.  I've been onboard since March and
have been trying to close gaps while also doing risk assessments in the
most critical areas identified.  We did pursue cyber insurance per the
risk manager's own project initiative rather than IT's full knowledge of
our tolerance.  (It made adequate business sense.)  The policy has
resulted in "subjectivities" (recommendations with required responses
stating those areas are being addressed.)  Free advice is not always
negative criticism.  I look at it as further re-inforcement.

 

To keep things in perspective, security is an ongoing process which also
addresses changes in business and changes in technology.  Even NASA was
hit pretty heavily by the GAO's internal IT audit.  The deputy director
had a very good response to the GAO report.  I've kept a similar
approach in the ready for these situations.  While I don't expect any
negative reflections from the recommendations, it is always good to be
able to address them individually should it raise questions.

 

Todd A. Plesco  CISM, CBCP

Chapman University, Director of Information Security

One University Drive, Orange, CA 92866

Phone: (714) 744-7979/Fax: (714) 744-7041

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew Giannetto
Sent: Tuesday, October 20, 2009 2:12 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Insurance - Privacy and Network Liability

 

It seems to be an annual occurrence that our President asks my Vice
President if we need privacy/network liability insurance.  Naturally,
she then asks me the same question.

 

We're still in the early stages of building our IT security program and
see data loss as one of our most significant threats.  I'm wondering if
privacy/network liability insurance is worthwhile, maybe even just until
our IT security program matures and we're more comfortable with the
safeguards we have in place.  Obviously, though, the decision depends on
our risk tolerance and the cost of the policy.

 

We're also trying to determine if carrying privacy/network liability
insurance is becoming any more common for other schools.  Does anyone
care to share their experiences, either purchasing this type of
insurance, or researching and deciding not to purchase?

 

Thanks,

 

Matt Giannetto 

Manager of IT Security

Montgomery County Community College

mgiannetto () mc3 edu | (215) 619-7442

 

 

________________________________

Montgomery County Community College is proud to be
the #1 ranked technology-savvy community college in the nation,
as determined by the Center for Digital Education and the
American Association of Community Colleges (AACC).

Current thread:

Insurance - Privacy and Network Liability Matthew Giannetto (Oct 20)
- <Possible follow-ups>
- Re: Insurance - Privacy and Network Liability Plesco, Todd (Oct 20)
- Re: Insurance - Privacy and Network Liability Dave Kovarik (Oct 21)