
BUS-80: Insurance Programs for IT Systems


The University of California has purchased an insurance policy to help defray the costs associated with incidents where the security of an information system has been breached. To be covered by this new policy, specific security requirements must be met before and at the time of the breach.

Business and Finance Bulletin 80, Insurance Programs for Information Technology Systems, provides the details of this new policy. Coverage under the policy is dependent upon adherence to the security procedures outlined in Business and Finance Bulletin IS-3, Electronic Information Security. At a minimum, the following conditions must be in place for coverage to apply:

  • Install anti-virus and malware prevention solutions on desktop computers and update every 30 days at a minimum.
  • Implement firewalls for any computer systems that connect to the internet.
  • Secure data when processing, storing, or transmitting any credit card payment data or other personally identifiable information.
  • Maintain, update, and enforce written policies for information security, privacy, business continuity/disaster planning and third party vendors.
  • Employ qualified information technology and network security staff.
  • Engage an authorized third party to “scan” all internet-facing servers at least quarterly.
  • Test web applications for the ability to deflect SQL injections and other exploits. This test can be performed by using scanning software or by a coding review.
  • Encrypt personal data stored on disk and tape, including backup tapes.
  • Encrypt laptops, especially employee laptops with restricted information.
  • Encrypt any restricted personal information or protected health information stored on mobile USB devices.
  • Establish a patch management process to ensure timely patching of network systems and servers.
  • Deploy an intrusion detection system and monitor real time alerts.
  • Periodically review access rights and credentials for anyone who is able to log on to campus servers, and terminate those rights when needed.
  • Segregate and isolate servers storing and transmitting personally identifiable information or personal health information.
  • Provision user accounts based on user roles.
  • Maintain an adequate incident reporting and response program.
  • Maintain an inventory of servers and networks used to store and transmit restricted information.

If there is a breach, an independent third party assessor (e.g. NetDiligence) will review the circumstances surrounding the event and provide a certification of whether the security processes have been adequately implemented, and/or a confirmation that the security processes were still in place and adequately maintained at the time the loss occurred.

In the event that the department fails these assessments, the insurance will be declined or materially reduced.