Convergence Q&A

Oct. 27, 2008
More on Cyber Insurance

This is the second of two columns on the topic of cyber insurance. Last month’s column identified nine types of cyber insurance coverage, and defined the term cyber insurance, which is also known by various names including e-commerce insurance, e-business insurance, information security insurance, cyber risk insurance, network security insurance, hackers insurance, network intrusion insurance and cyber liability insurance. The column also listed some of the physical security/corporate security items that cyber insurance companies consider in their evaluations.

This column further discusses cyber insurance and provides some information resources. Additionally, it presents two innovative physical security products that can affordably and conveniently strengthen the security of physical and electronic access to sensitive information.

Cyber Insurance
Last month’s column stated there are no cyber insurance standards and that policy coverage varies from one insurance company to another. One reason for the variations is that the information assets, as well as the impacts of unauthorized access to information, vary from company to company. Another reason is that information security measures vary as well. John Spain, President and COO of Information Risk Group (www.goirg.com), explains: “Cyber insurance is intended to cover residual risk. This is the risk that remains after your information security program is put into effect. For the insurance company, one of the largest variables is the strength and completeness of the security programs that customer companies have in place.”

More than 10 years ago, IRG was selected by Lloyd’s of London to develop risk review and assessment protocols to support its e-Comprehensive insurance product. IRG is also Lloyd’s of London’s exclusive agent to conduct e-Comprehensive security reviews.

You can download the Lloyd’s cyber insurance application by clicking on the Lloyd’s icon on IRG’s home page. Reviewing the application is an educational exercise, and it provides an overview of what is considered in evaluating the residual information security risk.

Security and Convenience
There are two security devices worth calling to the attention of security practitioners because they offer strong and affordable security that is also highly convenient, and can be deployed in a matter of minutes for each device. Both can have a very significant impact in strengthening information protection.

One product, plusID from Privaris (www.privaris.com), won the Security Industry Association’s 2008 New Product Showcase Award for excellence in biometrics product design. The device contains fingerprint biometrics on a multi-technology key fob, which stores the fingerprint template directly on the fob instead of in a central database (privacy advocates take note). The fob emulates proximity cards and smart cards, and thus works with existing access control systems without having to change the existing systems or card readers. A single fob can emulate up to four cards, a convenience for those who currently carry several cards. Of additional importance is the fact that the device also acts as a biometrically activated smart card when connected by USB cable or Bluetooth to a workstation or laptop computer. Thus, security departments can use it to implement biometric authentication for PC or laptop remote access to IT resources including security systems, video systems, etc. The plusID device “instantly” adds biometric access to any card reader, which is a very practical solution for situations where temporary highly secure storage has to be provided due to construction, remodeling work or event-related protection requirements.

Another product, XyLoc from Ensure Technologies (www.ensuretech.com), was developed specifically to address HIPAA’s medical information security requirements. XyLoc uses RFID proximity cards to automatically lock a workstation when the authorized user steps away, and unlock it when the user returns, providing both security and convenience. XyLoc provides protection for workstations where any type of critical or sensitive information may be displayed including financial, security, personnel, engineering and R&D.

Additional Cyber Insurance Information
A Google search for “cyber insurance” will yield many results. Here are links to information worth initial consideration:
Article, “Putting Cyber Risks on the Board’s Radar Screen,” by Tracey Vispoli, vice president and global cyber solutions manager for the Chubb Group of insurance companies — it is available as a downloadable PDF file at www.chubb.com/journalists/chubb5255.pdf. Also available from Chubb are very educational cyber insurance application forms, by searching for cyber security on the Chubb search page: search.chubb.com/formsearch.
Article, “Cyber Insurance Disarray,” Risk Management magazine, Volume 55, July 2008 — available at press time through the “Fine Print” department link on the home page, later available by searching for the title using the Web site’s search function.

New Question:

Q: In your organization, who takes the lead on the protection of physical forms of information, and for the physical protection of network and telecom equipment?

If you have experience that relates to this question, or have other convergence experience you want to share, e-mail your answer to me at [email protected] or call me at 949-831-6788. If you have a question you would like answered, I’d like to see it. We don’t need to reveal your name or company name in the column. I look forward to hearing from you!

Ray Bernard, PSP, CHS-III is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. Mr. Bernard has also provided pivotal strategic and technical advice in the security and building automation industries for more than 18 years. He is founder and publisher of The Security Minute 60-second newsletter (www.TheSecurityMinute.com). For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP, CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).

Follow him on LinkedIn: www.linkedin.com/in/raybernard

Follow him on Twitter: @RayBernardRBCS.