It’s that time of year: business insurance renewal. I received the “Network Security & Privacy” section of an application for Errors & Omissions (E&O) insurance from our CFO last week.
Nothing terribly noteworthy there, but as I started to read through the list of 20+ questions I was surprised and impressed with the information the insurance provider wanted us to provide and how much more specific and rigorous their expectations are in 2013 than they were when we last completed this application in 2011 (when they only asked 15 questions!).
Evidently, this particular provider has bought into the wisdom of adopting the SANS 20 Critical Security Controls for Effective Cyber Defense! Here are a few examples of how the questions they want answers to map to the SANS “Top 20.”
One of the first things they asked was whether or not we have a firewall in place. That’s a pretty standard question. Check.
But then they asked if our “firewalls, information systems and security mechanisms” are securely configured,” and further qualified that by stating, in bold print no less, than we should “Check ‘NO’ if your systems are configured using factory default settings.”
While this is clearly a leading practice and maps directly to SANS 3, 10, and 13, I was gratified that they called it out as an expectation for applicants for insurance. (And check again, in case you were wondering!)
On to the next question: “Do you enforce a software update process that includes monitoring of vendors or automatically receiving notices from them for availability of security patches, upgrades, testing and installing critical security patches?”
Another leading practice and another check, but here again, they went on to ask how often we do this: weekly, within 30 days, or more than 30 days.
This reflects the “remediation” element of SANS 4. What’s interesting about this question was that on the 2011 form from the same provider, they simply wanted to know if critical security patches, etc. were installed “as soon as possible, but not later than 30 days.”
They’re clearly probing for – and expecting – a much higher level of security rigor in 2013 than they did two years ago!
For the final example, they ask about our use of encryption of information stored on databases, servers, and data files, which maps to SANS 17 and the importance of data loss prevention.
Here again, though, what’s interesting is the additional questions they’ve added in the last two years. Specifically, if encryption isn’t in place, they want to know if we’ve deployed compensating controls, e.g. segregation of servers storing confidential information and/or role-based access controls.
We all know information security is getting more complex and the expectations for how we implement and manage it are increasing in concert. This application serves as tangible evidence of that added complexity and increasing expectations.
In my next post, I’ll talk about how I used this document as an opportunity to “connect security to the business” by reviewing it with our aforementioned CFO and General Counsel.
- 20 Critical Security Controls: Control 15 – Controlled Access
- Control and Capabilities Drive Enterprise Security Confidence
- Security Configuration Management for Dummies
- SecureCheq Uncovers Critical Configuration Vulnerabilities
P.S. Have you met John Powers, supernatural CISO?
Title image courtesy of ShutterStock