Insurance Purchase Policy
Version: 1.00 | Issue Date: 3/3/2015
This Insurance Purchase Policy ensures that adequate insurance is purchased and risk is properly assessed.
This Insurance Purchase Policy will help ensure that adequate and appropriate insurance is purchased where the organization is unwilling or unable to accept risk.
This Insurance Purchase Policy provides guidelines for establishing and reviewing insurance coverage relative to the risks to both the business processes and assets of the organization. The organization must purchase insurance coverage for risk that is not acceptable so long as the insurance coverage is affordable and practical.
This Insurance Purchase Policy applies to all insurance policies purchased and to all risk assessments. This policy is effective as of the issue date and does not expire unless superseded by another policy.
The departmental managers are responsible for coordinating with their designated security officer to assess and determine their risks to business processes, employees, and assets. The Chief Information Security Officer is responsible for ensuring that risk assessment occurs on an enterprise level. The enterprise level risk assessment should include an assessment of threats to computer center and Information Technology operations. The possible financial losses and cost of insurance should be considered. All risk assessments should allow the organizational upper management to consider whether to transfer risk using insurance policies. The Chief Information Security Officer is responsible for documenting procedures for risk analysis and disaster recovery.
The Chief Information Security Officer is responsible for ensuring that insurance policy copies are stored at off-site and secure locations along with appropriate disaster recovery procedures, disaster recovery plan, and documentation as defined in the Disaster Recovery Policy.
5.0 Risk Analysis of Possible Disasters
A risk analysis of possible disaster scenarios for the organization on an enterprise and departmental level must be created. Any business processes that can affect the life of the organization must be considered. The following must be considered:
Damage or loss to one or more servers.
Damage to or loss of the computer center facilities.
Damage to any building facilities that may render them unusable.
Errors by employees.
Theft, sabotage, or deliberate damage done by employees.
Loss of data electronically from databases, during transmission, or during transit.
Financial loss of assets, business revenue, and employee time due to various disasters.
Losses due to interruption to the business process.
6.0 Review of Insurance
The Chief Information Security Officer and CEO must review the risk assessment processes at least annually and modify them as appropriate, so that insurance concerns are adequately addressed in the light of current technology and risks. The risk assessment process must include a means of confirming that insurance provides proper coverage levels. The Chief Information Security Officer and CEO must work together to ensure that insurance contracts adequately address the identified risks and that the terms of those contracts are being followed.
Since following the Insurance Purchase Policy is important for the security and welfare of the organization, employees that purposely violate this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.
8.0 Additional Requirements
Processes for assessing the adequacy of insurance contracts must be developed, and must be reviewed and updated regularly. Consideration must be given to business requirements and to both current and new technology.
Approved by:__________________________ Signature:_____________________ Date:_______________