RISK MANAGERS, Inc.

 Website Insurance Programs
Application Questionnaire

 Producer Information
Producer Name  
 Agency Name  
 Phone  
 Fax  
 Email Name  
 Alternate Contact  
 Alternate Phone  
 Alternate Email  
 Part I: Applicant Information
 Company Name  
 Street Address  
 Street Address  
 City, State, Zip  
 Phone Numbers   Voice    Fax 
 Managerial Contact
 Name
 Phone Numbers   Voice    Fax
 Email
 Technical Contact
 Name
 Phone Numbers   Voice    Fax
 Email
 Names of Subsidiaries or Associated Companies
 Street Address  
 Street Address  
 City, State, Zip  
 Phone Numbers   Voice    Fax 
PART II: Coverage Information
 1. Requested Effective Date  
 2. Limits of Insurance requested
 Coverage                        Amount      Deductible
      Loss of Revenue
      Intellectual Property
      Defense
      Virus - First & Third Party
      Credit Data Theft
      Liability
      Crime
      Libel & Slander
      Directors & Officers
      Errors & Omissions
      Credit Card Charge Back
 PART III: About Your Business
 3. Applicant is a/an
      If "Other", please explain
 4. How long has the applicant been in business?
 5. Name and description of products/services offered
 6. Number of employees
      Board of Directors      Technical
      Executive               Sales
      Managerial              Operations
      Professional            Clerical
 7. What are the applicant's annual revenues from all sources?
  Prior Fiscal Year Forecast Current Year
     Sales generated from U.S. customers    
     Sales generated from foreign customers    
     Total Sales    
 8. How many credit/debit cards are stored on covered servers  
 9. Web Sales: Does applicant expect to accept credit/debit/smart cards at the website,
      for payment of sales completed at a covered website?
 
    If yes, please break down as follows (annual sales in Question 7 above should
    include website sales).
  Prior Fiscal Year Forecast Current Year
     Website revenues - all sources    
     All other company revenues     
     Total all revenues    
 10. Does applicant currently have and maintain General Liability,
      Professional Liability, Crime and/or Property insurance?
 
       If yes, indicate type of coverage, carrier name, limits and policy effective date.
     
 PART IV: Tell us About the Website and the Web Server(s)
 11. List the year the website was established.  
 12. For each server to be covered, please complete the following information:

                          #1          #2          #3
  Host Name
  IP Address
  Make
  Serial Number
  Operating System
  Function

                          #4          #5          #6
  Host Name
  IP Address
  Make
  Serial Number
  Operating System
  Function
 13. Does your company own all of the above hosts?  
 14. Are all of the above hosts externally accessible, via the Internet?  
 15. Did Applicants set up their own website?  
      If no, please give name and address of organization that set up the
      website.
     
 16. Are there any special assessment requirements, such as bonding, security
      clearances, etc.?
 
 17. Does Applicant perform all maintenance on its website?  
      If no, list name and address of company that performs maintenance.
    
 18. Do you link to other sites?  
 19. Name of ISP that hosts website, include name and contact information.
      
 20. If your company has a contractual relationship with a payment processing
      intermediary for e-commerce, please describe.
     
 21. Website Metrics: Indicate the type of transactions you conduct on your website
      and the number of hits to the site for each type:
   # Hits   Transaction Type
            Marketing - promotion of your company products and services.
            Web link to other sites - cross promotion of related companies or services.
            Information reception - requesting and receiving personal and/or sensitive
              information.
            Data Transfer - distribution of documents, programs or sensitive information
              to 3rd parties.
            Electronic Commerce - credit card transactions over the Internet.
            Electronic Funds Transfer - processing of credit cards and other payment
              means between parties.
            Internal Business Process Transactions - intra-department and inter-company
              data exchange.
            Automated Business Process Transactions - 3rd party contracting, quoting, etc.
 22. Does the applicant intend to expand use of its website(s) beyond its current usage?
 
      If yes, please explain.
     
 PART V: Y2K Declaration
 23. Are the websites to be covered under the proposed insurance
      Y2K compliant?
 
 24. If the answer to the above is NO, state date when the websites
      will be Y2K compliant.
 PART VI: Security Measures
 25. Please attach a logical diagram of your website to be covered, including firewalls
      and routers.
 26. What operating systems do you use on each of the insured devices and what are
      the versions?

       System            Version
       UNIX
       Windows NT
       Linux
       Solaris
       Other:
 27. How many firewalls do you use?

        None, do not know.
        One, at the border.
        One, but it protects a demilitarized zone and the intranet separately.
        Two, one protects the demilitarized zone and the other protects the intranet.
        Two, one protects the demilitarized zone and the other protects the intranet.
             We also run firewall or filtering software on our servers.
 28. What type (brand) of firewall do you use and what is the version?
Type Version
       AXENT  
       ISS/CHECKPOINTE FIREWALL ONE  
       CISCO  
       FT. KNOX  
       GAUNTLET  
       BLACKHOLE  
       SUN CATALYST  
       LUCENT  
       NORTEL  
       MICON  
       BAY ASCEND  
 OTHER:     
 29. How many ports are open on your firewall?

 30. Do you have an Information Security Policy?

 31. Do you have Information Security Standards that reflect the requirements defined
      in your Information Security Policy?

 32. Do you have an Information Security Officer?
       If yes, please provide contact information:

 33. Do you have an incident response team?
 
 34. How often do you apply security patches, both operating system and application?

        Never
        When a new version of the operating system or application is released.
        Whenever the vendor releases a new patch.
 35. Do you keep up on system vulnerability announcements? (Bugtraq, CERT, CIAC)

        No
        Sometimes
        Yes, someone is assigned to do this.
 36. Do you perform security audits of in house applications?

        No
        Yes
        We do not use in house applications.
 37. Do you have a "hot" spare for your web server?

        No
        No, but we have a cold spare
        No, but we have a warm spare
        Yes, it is on the same network segment as the main server
        Yes, but it is not on the same network segment as the main server, and it has
             greater protection
 38. Does the insured web server interact with the backend server (i.e. database
       server, cybercash server)?

        Do not know
        Yes, the backend server is in the demilitarized zone
        Yes, the backend server is in the intranet
        Yes, the backend server is only accessible from the web servers
        No
 39. What computers have access to the web servers?

        All computers have access, it is wide open
        A limited number of computers have access
        A limited number of computers have access, and they are all on the intranet
        No computers have access, only console access is allowed
 40. Do you use encrypted login access to your web servers?

        No
        We use SSH or SSL-Telnet
        We use SSH or SSL-Telnet, IPSEC and VPN
        We do not use remote access
 41. What do you use to encrypt stored credit card information?
        Nothing
        Black Leopard Systems
        Kremlin
        Netlib
        PC Magic
        PGP Data Security
        Steganos
        We do not store credit card information
        Other
 42. What shopping cart software do you use?
        Nothing
        Cart32.exe
        CreativeCart
        EasyCart
        Hypercart
        Perl$hop
        UlltraShopShoppingCart
        ViaJCart
        We do not use shopping cart software
        Other
 43. Which of the following services do you run on your web server?

        Lots, (Email, FTP, POP3, IMAP, NFS)
        Some, just what is needed (i.e. NFS or samba)
        No extra services are running
 44. Do you audit security logs on exposed systems?

        No
        Yes, we audit them manually
        Yes, we audit them automatically, (using swatch, logsurfer or the like)
        Yes, we audit them automatically and periodically review them
 45. Do you run system integrity software on exposed systems?

        No
        Yes (Tripwire, other)
 46. Do you run vulnerability assessment tools on your exposed systems (ISS,
      Cybercop, Netranger, Nessus, other)

        No
        Yes, we infrequently run an assessment tool
        Yes, we regularly run an assessment tool
        Yes, we regularly run an assessment tool against all of our computers
 47. Do you run virus detection software?

        No
        Yes
 48. Are there access controls between web servers and back-end servers?

        No
        Yes
 49. Do you employ virus detection software on your Internet exposed systems?

        No
        Yes  If so, which type and version is in use?
           
 50. Do you update your virus software?

        No
        Yes, yearly 
        Yes, monthly
        Yes, weekly on an automatic basis
 51. Are your website and the associated web servers certified by a computer security
      firm?

        No
        Not yet, in process
        Yes by 
 PART VII: Disaster Recovery
 52. Does the applicant maintain a Disaster Recovery Plan?  
 53. If so, when was the last time the Plan was fully tested?
     
 54. Who is responsible for maintaining the Plan?
     
 55. How often is the Plan revised?
     
 56. Where is the recovery site?
     
 57. How often are media taken off site and stored?
     
 58. What type of recovery site?

        Cold       Warm       Hot

 PART VIII: Loss History
 59. Has applicant ever sustained a systems intrusion, tampering, data loss, hacking,
      data theft or other similar type of incident?   Yes     No

      If yes, explain,
    
 60. Has any third party reported damages as a result of a systems intrusion, hacking,
      data theft or other similar type of incident involving your website?
      Yes     No

      If yes, explain,
    
 PART IX: Scheduling Questions
 A. Are there any routinely scheduled events (system down time, end of
     month processing, payroll, system backups, etc.) that could impact
     the ability to conduct this assessment?
 
 B. If yes, please provide Point of Contact information.
    
 C. Please indicate the date and work shift for this assessment to be conducted.

     Date    Shift
 D. Are there any questions or comments concerning scheduling that should be
     addressed prior to the start of this assessment?