CIS Website Privacy Notice

Privacy Notice Introduction

Your privacy is important to CIS. CIS knows that you care how information about you is used and shared, and we appreciate your trust that we will do so carefully and sensibly. This Privacy Notice describes our privacy practices, including what data we collect, how we use data and for what purpose. Given the importance we place on privacy, it is important that you read this notice carefully. 

The Privacy Notice may be updated at the discretion of CIS periodically and without prior notice to you to reflect changes in our information practices or relevant laws. In the event of material changes to the Privacy Notice, CIS shall provide appropriate notification to applicable parties through various mechanisms such as but not limited to email or pop-up notifications on the website. To view previous versions, visit the Privacy Notice version history. Any questions or comments with respect to the Privacy Notice should be directed to [email protected].

The CIS website is intended to make it easy and efficient to learn about and interact with CIS and its various program areas such as CIS Controls™, CIS Benchmarks®, CIS CyberMarket, and MS-ISAC®.

The mission of CIS is to improve and enhance cybersecurity, so we are sensitive to privacy issues on the Internet and recognize that visitors to this website and those who use our products and services are concerned about the type of information we collect and how we use it. CIS is committed to preserving your privacy and this Privacy Notice outlines our practices. For definitions of key terms used in this Privacy Notice, see the Terminology section.

Current version v7.0 published date: 09/29/2023

Table of Contents

  1. Information we collect
  2. How to access and control your personal data
  3. Data transfer
  4. Reasons we share your personal data
  5. Cookies
  6. Web beacons and analytics services
  7. Security of your information
  8. Data storage and retention
  9. Purposes of collection and use
  10. Children’s privacy
  11. Other websites
  12. Links to CIS website
  13. Terminology
  14. Who can I contact with questions or concerns

Information we collect

CIS hosts and processes “Customer Data,” including “Personal Data” therein at the direction of and pursuant to the instructions of our “Customers.”

CIS serves as a Data Processor for the following products and services:

  • SecureSuite membership including CIS Workbench, CSAT, and CIS-CAT

CIS serves as a Data Controller for the following products and services:

  • MS/EI-ISAC memberships, monitoring of SLTT systems and SLTT partner paid services.
  • Downloadable content from the CIS Website: CIS Benchmarks, CIS Controls, CyberMarket, and white papers/downloadable guides/best practices.

“Information” is defined as: (1) personal information, which is information that can be identified to a particular individual because of a name, number, symbol, mark or other indicator; and (2) non-personal information that does not identify a particular individual.

CIS receives and stores certain types of information whenever you interact with us. Any personal information you provide is voluntarily gathered by initiating an online transaction, such as a survey, registration or order form, or establishing a login for access and use of certain tools or SecureSuite member areas of our website.

How to access and control your personal data

You can control the personal data that is collected with opt-in choices on the CIS services website. Not all personal data can be controlled in this manner; you can exercise your data protection rights by contacting [email protected]. In some cases, your access or control over personal data may be limited as required or permitted by applicable law. Depending upon the services that you use, the method of control will vary. For example:

  • CIS downloads can be controlled with the opt-in section of the page, thus controlling the interest-based advertising from CIS.
  • CIS Workbench controls are made either through the portal to modify your personal data or via a request to [email protected] for removal.
  • A request for removal of information gathered via the CIS website can be made via a request to [email protected].

If you do voluntarily provide personal information, your email address and the entire contents of your email message and other information you provide are retained.

If you do not wish to have identifying information disclosed, we honor all requests to omit individual or organization names from website listings. If such a request is made, identifying information will not be disclosed by CIS unless we are legally required to do so.

CIS collects general information about the “Customer,” including the customer company name and address, credit card information, and the “Customer” representative’s contact information for billing and contracting purposes.

As a service provider, we aim to provide you the necessary access to update the personal information that is within our records. If that information is incorrect, we give you ways to update it quickly.

If you request to delete the data that is present within our systems, we will do so with a validated request, unless we have to keep that information for legitimate business or legal purposes. The maintenance of service is required to protect all information from accidental or malicious destruction. If your request to delete is completed, we may not immediately delete this data from residual copies and we may not remove it from archived or backed up systems.

All requests shall be processed within thirty (30) business days, when feasible and appropriate. 

Data transfer

CIS has its headquarters in the United States. Information we collect about you will be processed in the United States. By using CIS services and products, you acknowledge that your personal information will be processed in the United States. The United States has not sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR. 

Depending on the circumstance, CIS also collects and transfers to the U.S. personal data with consent or to perform a contract with you. CIS endeavors to apply suitable safeguards to protect the privacy and security of your personal data and to use it only consistent with your relationship with CIS and the practices described in this Privacy Notice. CIS also enters into data processing agreements and model clauses with its vendors and/or service providers whenever feasible and appropriate. 

Reasons we share your personal data

CIS may be required to disclose personal information in response to lawful requests by public authorities, including disclosures to meet national security or law enforcement requirements.

At your request, where you have affirmatively provided consent to CIS to share your personal information with a third party in order for CIS or the third party to provide services to you.

Cookies

Cookies are text files stored by your web browser in order to record information about you or your activities on a website. Using cookies for this purpose is a common, generally accepted practice on the Internet. We may use temporary cookies to enhance, customize, or enable your visit to this website. Temporary cookies do not contain personal information that can be used to identify you, do not compromise your privacy or security, and are erased when you close your browser.

Certain features on this website may require you to fill in a registration form used to personalize your user experience. Such features may store a persistent cookie on your computer's hard drive that is not deleted when you close your browser. A persistent cookie allows us to recognize you on your next visit and tailor your user experience to your needs and interests.

If the program you use to access this site is set to refuse new cookies or delete existing cookies, your ability to use some of the features on this website may be limited.

Types of cookies used by CIS


What do they do? 


These cookies are essential for the CIS website to function. They enable specific features, without which the user experience would be null.


Cookies are used to determine performance; we use these cookies to understand and improve our products and services. 


CIS uses these cookies to show you relevant advertising and targeted ads. We may also use them to learn about ad utilization and the action taken with a specific marketing cookie, e.g., to visit and download a Benchmark, join a webcast or download a whitepaper. Similarly, partners may use the same process to determine ad performance, and the use of ads both on and off the CIS website.

Preferences/Functional

These cookies define your preferred setting and communication preferences.


In order to utilize the functionality and provide the required information CIS needs to process and manage products and services, some cookies are deemed Necessary. These are required to maintain the functionality of the CIS products and services offered. If your preference is to not accept these cookies, your actions and access to specific products and services will be severely limited and in some cases restricted.

Please refer to the specific cookies used by CIS page.

Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.

Managing Cookies in Your Browser, Opt Out Options for Cookies

Depending on personal preference, you may want to limit or delete cookies. This preference can be implemented within your web browsers and gives you the ability to manage cookies to suit your requirements. Depending on the browser, it may limit or delete cookies, so you may want to review your cookie settings and advertisement or marketing settings. In some browsers, you can set up rules to manage cookies on a site-by-site basis, giving you more fine-grained control over your opt-out needs. This means that you can disallow cookies from all sites based on your privacy preference.

Web beacons and analytics services

CIS websites and emails may contain an electronic image known as a web beacon (or single-pixel GIF). We use these to help deliver cookies on our websites, analyze promotional email messages, count users who have visited our websites, deliver CIS content and to determine whether users open emails and act on them. The actions and data that CIS captures include:

  • When an email is opened
  • When a link is clicked
  • Date/time email was delivered, opened, clicked
  • Time spent viewing email (in seconds)
  • Email client (Gmail, Outlook, Apple Mail iOS, etc.)
  • Browser (Chrome, IE, Firefox, etc.)

Information obtained by Google Analytics

This website uses the Google Analytics web analysis service and enters into an agreement with Google as the data processor. Google Analytics stores a persistent cookie on your hard drive. The information in this cookie (including your IP address) is transmitted to Google and stored on Google servers. Google uses this information to anonymously analyze your use of the website, compile reports on your website activity for site operators, and provide other services related to your website activity and Internet usage. Google may transfer this information to third parties where required to do so by law or where those third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google.

By using this website, you consent to Google's processing of data about you. For a review of Google Privacy Policy please see

Information obtained by Sitecore

This website uses a cookie to track anonymous contacts - specifically the SC_ANALYTICS_GLOBAL_COOKIE cookie. When an anonymous visitor goes to – a device GUID is generated and saved. If the visitor returns to the tracker has enough information to identify the contact as an existing anonymous contact and a new interaction is saved on session end. If the visitor returns to and returns to the website on the same device, after clearing their cookies a new device GUID is generated and saved.

CIS uses this information for the following purposes:

  • Personalization of content based on behavior during the current session.
  • Historic personalization of content-based behavior during previous sessions.
  • Reacting to activities such as goals triggered during the current interaction.

Cookies capture this information and securely transmit and store such information on Sitecore servers. The use of such cookies can be disabled in your web browser, as set forth in the section entitled, “Managing Cookies in Your Browser, Opt Out Options for Cookies.” 

By using this website, you consent to Sitecore’s processing of data about you. For a review of the Sitecore Privacy Policy, please see

Security of your information

To help protect the privacy of data and personally identifiable information you transmit through use of this Site, we maintain physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. We restrict access to your personal data to those employees who need to know that information to provide benefits or services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information.  

CIS employs procedural and technological security measures that are reasonably designed to help protect your personal information from loss, unauthorized access, disclosure, alteration, or destruction. CIS uses password protection, encryption, and other security measures to help prevent unauthorized access to your personal information. However, no security measure can guarantee against compromise. You also have an important role in protecting personal information. You should not share your usernames/email addresses and passwords with anyone, and you should not re-use passwords across more than one web site.

Data storage and retention

Your personal data is stored by CIS on its servers, and on the servers of the cloud-based database management services CIS engages, located in the United States. CIS retains data for the duration of the customer’s or member’s business relationship with CIS and for a period of time thereafter to allow customers to recover accounts if they decide to renew, to analyze the data for CIS’s own operations, and for historical and archiving purposes. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact [email protected].

Purposes of collection and use

In order to use CIS services and products, CIS shall collect personal information from you when you register for and use these services. Such information can include your name, email, password, and in some instances your payment card data, for purposes of creating your account profile to provide you with access to certain services and features. We do not sell or distribute email addresses or other personal information to others for their commercial use. The purposes for which CIS collects and uses personal information shall include:

  • Providing you with the CIS applications, information, and websites for which you have registered, as well as any products or services, or support requested;
  • Publishing listings of CIS SecureSuite members and CIS Controls Supporters on our website which, in the case of individual members, includes names and organizational affiliations;
  • Publishing testimonials of CIS products and services on our website provided by individuals, which would include name, title and affiliate organization;
  • Gaining a better understanding of how our website, products or services are being used so that we can improve them and engage with users;
  • Diagnosing problems;
  • Sending you business messages and marketing related to payments or expiration of subscriptions;
  • Sending you information about CIS products, services, opportunities, updates, advisories, special offers, and similar information;
  • Conducting market research about our customers, and the effectiveness of our marketing campaigns.

We also collect some information that is not considered to be personal information. When visiting our website, the following non-personal information about your visit is automatically collected and stored:

  • The type of browser and operating system you use when you visit this site;
  • The date and time when you visit this site;
  • The webpage and services you access at this site;
  • The forms that you download from this website;
  • Additionally, non-personal information such as a company or governmental entity name and address. IP address may be provided when registering or signing up for CIS products or services. This information is used to determine eligibility for certain products or services.

We use non-personal information internally to find out how people use this website, to help us understand which types of information are of most interest to our visitors so that we can improve this website's content, to assess system performance and to identify problem areas. We do not sell or distribute this information to others for their commercial use.

If you do not use this website to request services or information, you may receive them by other means (such as through your membership in a group to which we may send correspondence). Your ability to view or download most information available to the public on this website will not be affected. The utilization of this information is strictly for legitimate business purposes and is retained for only as long as necessary to carry out the specific requirements of providing CIS products, services, opportunities, updates, advisories, special offers, and similar information.  

To the extent that CIS engages third-party subprocessors to have access in order to assist in the provision of services to you, such subprocessors shall be subject to the same level of data protection and security as CIS. A listing of subprocessors can be found here. This list of subprocessors is subject to change and the website will be updated accordingly. We recommend that you review this list periodically for updates. You may choose to opt-out of services based on this list of subprocessors by notifying CIS at [email protected]. Your continued use of the service shall be deemed your acceptance of the use of such subprocessors.

Children’s privacy

CIS recognizes the privacy interests of children and we encourage parents or guardians to take an active role in their children’s online activity. CIS services are not intended for children under the age of 13. CIS does not target or market our services to children under 13. If CIS has data that has been collected without the requisite parental consent, CIS will take appropriate actions to remedy and delete the collected information.

Other websites

This website may provide links to websites maintained by other organizations. A link to another website does not constitute an endorsement of the content, viewpoint, accuracy, opinions, policies, products or services of that other website. Once you navigate from this website to another site, you are subject to the terms and conditions of that site, including the provisions of its privacy policy.

Links to CIS website

We welcome links to the CIS website. Although we prefer that you link to our homepage, you may create links to specific pages within our website. Any individual or organization linking to CIS's website must comply with all applicable laws and with the following conditions:

Unless CIS specifically authorizes you to do so, you may not imply that CIS endorses you, your organization, or your products. In addition:

  • You may not misrepresent your, or your organization's, relationship with CIS;
  • You may not present false information about CIS;
  • You may not link to the CIS website if your or your organization's website contains content that could be construed as distasteful, offensive or controversial, or is not appropriate for viewing by all age groups;
  • CIS may change content on our site at any time, causing other organizations to have a broken or incorrect link;
  • CIS is not responsible for misdirected links from external websites.

Terminology

For the purposes of this Privacy Notice:

"Controller" means a person or organization that, alone or jointly with others, determines the purposes and means of the processing of Personal Data. 

"Customer" means any entity that purchases, subscribes or downloads CIS services or products.

"Customer Data" means the electronic data uploaded into the web application by or for a Customer or its Users.

"Personal Data" means any information, including Sensitive Data that is about an identified or identifiable individual and received by CIS in the U.S. from the European Union, the United Kingdom or Switzerland in connection with the Service.

"Processor" means any natural or legal person, public authority, agency or other body that processes Personal Data on behalf of a Controller.

"Sensitive Data" means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings.

"SLTT" means a United States State, Local, Tribal or Territorial government.

"User" means an individual authorized by Customer to access and use the web application and information service.

Who can I contact with questions or concerns?

If you have questions, concerns, complaints, or would like to exercise your rights, please contact [email protected].

The information provided in this Privacy Notice cannot be interpreted as business, legal or other advice, or as warranting fail-proof security for information provided through this website. Information provided on this website is intended to allow the public access to information related to CIS. While all attempts are made to provide accurate, current and reliable information, there is a possibility of human and/or mechanical error. If your personal data is in error, your ability to rectify this information is controlled by using the manage account function within CIS products or services. This Privacy Notice is not intended to and does not create any contractual or other legal rights for or on behalf of any party.
