Current version v4.0 published date: 2/4/2022
The CIS website (www.cisecurity.org) is intended to make it easy and efficient to learn about and interact with CIS and its various program areas such as CIS Controls™, CIS Benchmarks®, CIS CyberMarket, and the MS-ISAC®.
The mission of CIS is to improve and enhance cybersecurity, so we are sensitive to privacy issues on the Internet and recognize that visitors to this website and those who use our products and services are concerned about the type of information we collect and how we use it. CIS is committed to preserving your privacy and this policy discusses our practices.
"Controller" means a person or organization that, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
"Customer" means any entity that purchases, subscribes or downloads CIS services or products.
"Customer Data" means the electronic data uploaded into the web application by or for a Customer or its Users.
"Personal Data" means any information, including Sensitive Data that is about an identified or identifiable individual and received by CIS in the U.S. from the European Union, the United Kingdom or Switzerland in connection with the Service.
"Processor" means any natural or legal person, public authority, agency or other body that processes Personal Data on behalf of a Controller.
"Sensitive Data" means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings.
"User" means an individual authorized by Customer to access and use the web application and information service.
Information we collect
CIS hosts and processes “Customer Data,” including “Personal Data” therein at the direction of and pursuant to the instructions of our “Customers.”
CIS serves as a Data Processor for the following products and services:
- Downloadable content from the CIS Website: CIS Benchmarks, CIS Controls, Cybermarket, and White papers/downloadable guides/best practices.
- SecureSuite membership including Workbench, CSAT, and CIS-CAT
CIS service as a Data Controller for the following products and services:
- MS/EI-ISAC memberships, monitoring of SLTT systems and SLTT partner paid services.
Information is defined as: (1) personal information, which is information that can be identified to a particular individual because of a name, number, symbol, mark or other indicator; and (2) non-personal information that does not identify a particular individual.
CIS receives and stores certain types of information whenever you interact with us. Any personal information you provide is voluntarily gathered by initiating an online transaction, such as a survey, registration or order form, or establishing a login for access and use of certain tools or SecureSuite member areas of our website.
How to access and control your personal data
You can control the personal data that is collected with opt-in choices on the CIS services website. Not all personal data can be controlled in this manner; you can exercise your data protection rights by contacting [email protected]. In some cases, your access or control over personal data may be limited as required or permitted by applicable law. Depending upon the services that you use, the method of control will vary. For example:
- CIS downloads can be controlled with the opt-in section of the page, thus controlling the interest-based advertising from CIS.
- CIS Workbench controls are made either through the portal to modify your personal data or via a request to [email protected] (mailto:[email protected]) for removal.
- A request for removal of information gathered via the CIS website can be made via a request to [email protected] (mailto:[email protected]).
If you do voluntarily provide personal information, your email address and the entire contents of your email message and other information you provide are retained.
If you do not wish to have identifying information disclosed, we honor all requests to omit individual or organization names from website listings. If such a request is made, identifying information will not be disclosed by CIS unless we are legally required to do so.
CIS collects general information about the "Customer," including the customer company name and address, credit card information, and the "Customer" representative's contact information for billing and contracting purposes.
As a service provider, we aim to provide you the necessary access to update the personal information that is within our records. If that information is incorrect, we give you ways to update it quickly.
If you request to delete the data that is present within our systems, we will do so with a validated request, unless we have to keep that information for legitimate business or legal purposes. The maintenance of service is required to protect all information from accidental or malicious destruction. If your request to delete is completed, we may not immediately delete this data from residual copies and we may not remove it from archived or backed up systems.
Reasons we share your personal data
CIS may be required to disclose personal information in response to lawful requests by public authorities, including disclosures to meet national security or law enforcement requirements.
Cookies are text files stored by your web browser in order to record information about you or your activities on a website. Using cookies for this purpose is a common, generally accepted practice on the Internet. We may use temporary cookies to enhance, customize, or enable your visit to this website. Temporary cookies do not contain personal information that can be used to identify you, do not compromise your privacy or security, and are erased when you close your browser.
Certain features on this website may require you to fill in a registration form used to personalize your user experience. Such features may store a persistent cookie on your computer's hard drive that is not deleted when you close your browser. A persistent cookie allows us to recognize you on your next visit and tailor your user experience to your needs and interests.
If the program you use to access this site is set to refuse new cookies or delete existing cookies, your ability to use some of the features on this website may be limited.
Types of cookies used by CIS:
|Category||What do they do?|
|Necessary||These cookies are essential to make the CIS website functional and work. The enablement of these cookies is to enable specific feature, without which the user experience would be null.
|Analytics/Performance||Cookies are used to determine performance; we use these cookies to understand and improve our products and services.
|Targeting/Marketing||CIS uses these cookies to show you relevant advertising and targeted ads. We may also use them to learn about ad utilization and the action taken with a specific marketing cookie, e.g., to visit and download a Benchmark, join a webcast or download a whitepaper. Similarly, partners may use the same process to determine ad performance, and the use of ads both on and off the CIS website.
|Preferences/ Functional||These cookies define your preferred setting and communication preferences.|
In order to utilize the functionality and provide the required information CIS needs to process and manage products and services some cookies are deemed Strictly Necessary. These are required to maintain the functionality of the CIS products and services offered. If your preference is to not accept these cookies, your actions and access to specific products and services will be severely limited and, in some cases, restricted.
The specific cookies used by CIS are listed here (https://www.cisecurity.org/privacy-policy/specific cookies-used-by-cis/).
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
Managing cookies in your browser, opt out options for cookies.
Depending on personal preference, you may want to limit or delete cookies. This preference can be implemented within your web browsers and gives you the ability to manage cookies to suit your requirements. Depending on the browser, it may limit or delete cookies, so you may want to review your cookie settings and advertisement or marketing settings. In some browsers, you can set up rules to manage cookies on a site-by-site basis, giving you more fine-grained control over your opt-out needs. This means that you can disallow cookies from all sites based on your privacy preference.
Web Beacons and Analytics Services
CIS websites and emails may contain an electronic image known as a web beacon (or single-pixel gifs). We use these to help deliver cookies on our websites, analyze promotional email messages, count users who have visited our websites, deliver CIS content and to determine whether users open emails and act on them. The actions and data that CIS captures includes:
- When an email is opened
- When a link is clicked
- Date/time email was delivered, opened, clicked
- Time spent viewing email (in seconds)
- Email client (Gmail, Outlook, Apple Mail iOS, etc.)
- Browser (Chrome, IE, Firefox, etc.)
Information obtained by Google Analytics
This website uses the Google Analytics web analysis service and enters into an agreement with Google as the data processor. Google Analytics stores a persistent cookie on your hard drive. The information in this cookie (including your IP address) is transmitted to Google and stored on Google servers. Google uses this information to anonymously analyze your use of the website, compile reports on your website activity for site operators, and provide other services related to your website activity and Internet usage. Google may transfer this information to third parties where required to do so by law or where those third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google.
Information obtained by Sitecore
This website uses a cookie to track anonymous contacts - specifically the
SC_ANALYTICS_GLOBAL_COOKIE cookie. When an anonymous visitor goes to cisecurity.org – a device GUID is generated and saved. If the visitor returns to cisecurity.org the tracker has enough information to identify the contact as an existing anonymous contact and a new interaction is saved on session end. If the visitor, returns to cisecurity.org returns to the website on the same device, after clearing their cookies and new device GUID is generated and saved.
CIS uses this information for the following purposes:
- Personalization of content based on behavior during the current session.
- Historic personalization of content-based behavior during previous sessions.
- Reacting to activities such as goals triggered during the current interaction.
Cookies capture this information and securely transmit and store such information on Sitecore servers. The use of such cookies can be disabled in your web browser, as set forth in the section entitled, It should be noted cookies can be disabled in the web browser, see the section above titled, “Managing cookies in your browser, opt out options for cookies”
Who has access to this information?
If you provide personal information to CIS, our employees who have access based upon specific roles defined by procedural role-based access controls, use this information following appropriate procedures in handling and disclosing your information. All personal information about you or your organization that we receive via fax or mail is physically protected. In addition, CIS has implemented procedures to safeguard the integrity of its information technology assets, including but not limited to authentication, monitoring and auditing. These security measures have been integrated into the design, implementation and day-to-day operations of our business processes as part of our continuing commitment to the security and privacy of electronic content as well as the electronic transmission of information.
Purposes of Collection and Use
In order to use CIS services and products, CIS shall collect personal information from you when you register for and use these services. Such information can include your name, email, password, and in some instances your payment card data, for purposes of creating your account profile to provide you with access to certain services and features. We do not sell or distribute email addresses or other personal information to others for their commercial use. The purposes for which CIS collects and uses personal information shall include:
- Providing you with the CIS applications, information, and websites for which you have registered, as well as any products or services, or support requested;
- Publish listings of CIS SecureSuite members and CIS Controls Supporters on our website which, in the case of individual members, includes names and organizational affiliations;
- Publish testimonials of CIS products and service on our website provided by individuals, which would include name, title and affiliate organization;
- Gain a better understanding how our website, product or services are being used so that we can improve them and engage with users;
- Diagnosing problems;
- Sending you business messages and marketing related to payments or expiration of subscriptions;
- Sending you information about CIS products, services, opportunities, updates, advisories, special offers, and similar information;
- Conducting market research about our customers, and the effectiveness of our marketing campaigns.
We also collect some information that is not considered to be personal information. When visiting our website, the following non-personal information about your visit is automatically collected and stored:
- The type of browser and operating system you use when you visit this site;
- The date and time when you visit this site;
- The webpage and services you access at this site;
- The forms that you download from this website;
- Additionally, non-personal information such as a company or governmental entity name and address. IP address may be provided when registering or signing up for CIS products or services. This information is used to determine eligibility for certain products or services.
We use non-personal information internally to find out how people use this website, to help us understand which types of information are of most interest to our visitors so that we can improve this website's content, to assess system performance and to identify problem areas. We do not sell or distribute this information to others for their commercial use.
If you do not use this website to request services or information, you may receive them by other means (such as through your membership in a group to which we may send correspondence). Your ability to view or download most information available to the public on this website will not be affected.
The utilization of this information is strictly for legitimate business purposes and is retained for only as long as necessary to carry out the specific requirements of providing CIS products, services, opportunities, updates, advisories, special offers, and similar information.
Details of third parties with whom we share your information
CIS products and services and hosted and processed by the third parties as defined below:
|Amazon Web Services, Inc. / United States||
Amazon Web Services, Inc.,
Amazon Web Services, Inc. is a cloud service provider.
|Microsoft, Inc. / United States||
Microsoft Privacy, Microsoft Corporation
Phone: +1 (415) 380 0600
|Sitecore provides direct training and technical support through our existing customer relationships, as well as educational and marketing services to certain partners and prospective customers through secure, password-protected portals. In these relationships, where the data is still controlled by you (the customer, partner, prospective customer), Sitecore is a processor. Sitecore collects, processes and stores information throughout these processes||Link|
|Google LLC/ United States||
|We build a range of services that help millions of people daily to explore and interact with the world in new ways. Our services include:
Google apps, sites and devices, such as Search, YouTube and Google Home Platforms such as the Chrome browser and Android operating system
Products that are integrated into third-party apps and sites, such as ads and embedded Google Maps
CIS recognizes the privacy interests of children and we encourage parents or guardians to take an active role in their children's online activity. CIS services are not intended for children under the age of 13. CIS does not target or market our services to children under 13. If CIS has data that has been collected without the requisite parental consent, CIS will take appropriate actions to remedy and delete the collected information.
Privacy Shield Framework
The following website provides a link to the Privacy Shield List (https://www.privacyshield.gov/listt This framework provides the Principles of all personal data received by CIS from the EU and the commitment that CIS places on such data processing and utilization in providing our products and services.
CIS is self-certifying its compliance to the requirements of both the Privacy Shield Framework and the Swiss-U.S. Privacy Shield. To learn more about the Privacy Shield Framework visit https://www.privacyshield.gov/
If CIS maintains your Personal Data in one of the services within the scope of our Privacy Shield certification, you may direct any inquiries or complaints concerning our Privacy Shield compliance to [email protected] (mailto:[email protected]) If your complaint cannot be resolved with the internal process, CIS will cooperate with an independent dispute resolution body. These bodies are created to provide a free recourse process, free of charge to individuals. The contact information for both the EU Data Protection Authorities (DPA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) are:
EU Data Protection Authorities (DPA):
Swiss Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html
The mediator as identified above may propose any appropriate remedy, such as deletion of the relevant Personal Data, publicity for findings of non-compliance, payment of compensation for losses incurred as a result of non-compliance, or cessation of processing of Personal Data of the Customer who brought forth the complaint. The mediator or the Customer may refer the matter to the U.S. Federal Trade Commission, which has Privacy Shield investigatory and enforcement powers over CIS. Under certain circumstances, Customers may be able to invoke binding arbitration to address complaints about CIS's compliance with the Principles.
Liability for Onward Transfers
CIS complies with the Privacy Shield's Principle regarding accountability for onward transfers. CIS remains liable under the Principles if its onward transfer recipients process Personal Data in a manner inconsistent with the Principles, unless CIS provides proof that it was not responsible for the event that lead to the damage.
CIS employs procedural and technological security measures that are reasonably designed to help protect your personal information from loss, unauthorized access, disclosure, alteration, or destruction. CIS uses password protection, encryption, and other security measures to help prevent unauthorized access to your personal information. However, no security measure can guarantee against compromise. You also have an important role in protecting personal information. You should not share your usernames/email addresses and passwords with anyone, and you should not re-use passwords across more than one web site.
Links to CIS Website
We welcome links to the CIS website. Although we prefer that you link to our homepage, you may create links to specific pages within our website. Any individual or organization linking to CIS's website must comply with all applicable laws and with the following conditions:
Unless CIS specifically authorizes you to do so, you may not imply that CIS endorses you, your organization, or your products. In addition:
- You may not misrepresent your, or your organizations, relationship with CIS;
- You may not present false information about CIS;
- You may not link to the CIS website if your or your organization's website contains content that could be construed as distasteful, offensive or controversial, or is not appropriate for viewing by all age groups;
- CIS may change content on our site at any time, causing other organizations to have a broken or incorrect link;.
- CIS is not responsible for misdirected links from external websites.
Who can I contact with questions or concerns?
For any issues, omissions, or questions please contact [email protected]