CIS Website Privacy Policy


Current version v3.0 published date: 1/9/2020
Privacy policy version history.

Scope

CIS knows that you care how information about you is used and shared, and we appreciate your trust that we will do so carefully and sensibly. This notice describes our privacy policy, including what data we collect, how we use it and for what purpose. Given the importance we place on privacy it is important that you read this policy carefully.

The CIS website (www.cisecurity.org) is intended to make it easy and efficient to learn about and interact with CIS and its various program areas such as CIS Controls™, CIS Benchmarks®, CIS CyberMarket, and the MS-ISAC®.

The mission of CIS is to improve and enhance cybersecurity, so we are sensitive to privacy issues on the Internet and recognize that visitors to this website and those who use our products and services are concerned about the type of information we collect and how we use it. CIS is committed to preserving your privacy, and this policy discusses our practices.

CIS complies with the EU-U.S. and the Swiss-U.S. Privacy Shield Frameworks designed by the United States Department of Commerce and the European Commission and Swiss Administration. The Frameworks define the requirements for the collection, use, and retention of Personal Data transferred from the European Union, United Kingdom and Switzerland to the United States. This Privacy Policy defines CIS’s commitment to the Privacy Shield “Principles” and our practice of implementing the Principles.

Definitions

For the purposes of this Privacy Policy:

“Controller” means a person or organization that, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

“Customer” means any entity that purchases, subscribes or downloads CIS services or products.

“Customer Data” means the electronic data uploaded into the web application by or for a Customer or its Users.

“Personal Data” means any information, including Sensitive Data, that is about an identified or identifiable individual and received by CIS in the U.S. from the European Union, the United Kingdom or Switzerland in connection with the Service.

“Processor” means any natural or legal person, public authority, agency or other body that processes Personal Data on behalf of a Controller.

“Sensitive Data” means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings.

“User” means an individual authorized by Customer to access and use the web application and information service.

Information we collect

CIS hosts and processes “Customer Data,” including “Personal Data” therein at the direction of and pursuant to the instructions of our “Customers.”

Information is defined as: (1) personal information, which is information that can be identified to a particular individual because of a name, number, symbol, mark or other indicator; and (2) non-personal information that does not identify a particular individual.

CIS receives and stores certain types of information whenever you interact with us. Any personal information you provide is voluntarily gathered by initiating an online transaction, such as a survey, registration or order form, or establishing a login for access and use of certain tools or SecureSuite member areas of our website.

How to access and control your personal data

You can control the personal data that is collected with opt-in choices on the CIS services website. Not all personal data can be controlled in this manner; you can exercise your data protection rights by contacting privacy@cisecurity.org. In some cases, your access or control over personal data may be limited as required or permitted by applicable law. Depending upon the services that you use, the method of control will vary. For example:

  • CIS downloads can be controlled with the opt-in section of the page, thus controlling the interest-based advertising from CIS.
  • CIS Workbench controls are made either through the portal to modify your personal data or via a request to privacy@cisecurity.org for removal.

If you do voluntarily provide personal information, your email address and the entire contents of your email message and other information you provide are retained.

If you do not wish to have identifying information disclosed, we honor all requests to omit individual or organization names from website listings. If such a request is made, identifying information will not be disclosed by CIS unless we are legally required to do so.

CIS collects general information about the “Customer,” including the customer company name and address, credit card information, and the “Customer” representative’s contact information for billing and contracting purposes.

As a service provider, we aim to provide you the necessary access to update the personal information that is within our records. If that information is incorrect, we give you ways to update it quickly.

If you request to delete the data that is present within our systems, we will do so upon a validated request, unless we have to keep that information for legitimate business or legal purposes. We maintain our services so as to protect all information from accidental or malicious destruction. If your deletion request is completed, we may not immediately delete this data from residual copies, and we may not remove it from archived or backed-up systems.

Reasons we share your personal data

CIS may be required to disclose personal information in response to lawful requests by public authorities, including disclosures to meet national security or law enforcement requirements.

Cookies

Cookies are text files stored by your web browser in order to record information about you or your activities on a website. Using cookies for this purpose is a common, generally accepted practice on the Internet. We may use temporary cookies to enhance, customize, or enable your visit to this website. Temporary cookies do not contain personal information that can be used to identify you, do not compromise your privacy or security, and are erased when you close your browser.

Certain features on this website may require you to fill in a registration form used to personalize your user experience. Such features may store a persistent cookie on your computer's hard drive that is not deleted when you close your browser. A persistent cookie allows us to recognize you on your next visit and tailor your user experience to your needs and interests.

If the program you use to access this site is set to refuse new cookies or delete existing cookies, your ability to use some of the features on this website may be limited.

Types of cookies used by CIS:

Category: What do they do?

Necessary: These cookies are essential to make the CIS website function. They enable specific features without which the user experience would not work.

Analytics/Performance: These cookies are used to measure performance; we use them to understand and improve our products and services.

Targeting/Marketing: CIS may use these cookies to show you relevant advertising and targeted ads. We may also use them to learn about ad utilization and the action taken with a specific marketing cookie, e.g., visiting and downloading a Benchmark, joining a webcast or downloading a whitepaper. Similarly, partners may use the same process to determine ad performance and the use of ads both on and off the CIS website.

Preferences/Functional: These cookies store your preferred settings and communication preferences.

Some cookies are deemed Strictly Necessary: CIS needs them to provide the functionality and information required to process and manage its products and services, and they are required to maintain the functionality of the CIS products and services offered. If you choose not to accept these cookies, your actions and access to specific products and services will be severely limited and in some cases restricted.

The specific cookies used by CIS are listed here.

Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.

Managing cookies in your browser and opt-out options for cookies

Depending on your personal preference, you may want to limit or delete cookies. You can do this within your web browser, which gives you the ability to manage cookies to suit your requirements. Because limiting or deleting cookies may affect how sites work in your browser, you may want to review your cookie settings together with your advertisement or marketing settings. In some browsers, you can set up rules to manage cookies on a site-by-site basis, giving you more fine-grained control over your opt-out needs, and you can disallow cookies from all sites based on your privacy preference.

Web Beacons and Analytics Services

CIS websites and emails may contain an electronic image known as a web beacon (or single-pixel GIF). We use these to help deliver cookies on our websites, analyze promotional email messages, count users who have visited our websites, deliver CIS content and determine whether users open emails and act on them. The actions and data that CIS captures include:

  • When an email is opened
  • When a link is clicked
  • Date/time email was delivered, opened, clicked
  • Time spent viewing email (in seconds)
  • Email client (Gmail, Outlook, Apple Mail iOS, etc.)
  • Browser (Chrome, IE, Firefox, etc.)

Information obtained by Google Analytics

This website uses the Google Analytics web analysis service and enters into an agreement with Google as the data processor. Google Analytics stores a persistent cookie on your hard drive. The information in this cookie (including your IP address) is transmitted to Google and stored on Google servers. Google uses this information to anonymously analyze your use of the website, compile reports on your website activity for site operators, and provide other services related to your website activity and Internet usage. Google may transfer this information to third parties where required to do so by law or where those third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google.

By using this website, you consent to Google's processing of data about you. To review Google's Privacy Policy, please see https://policies.google.com/privacy.

Who has access to this information?

If you provide personal information to CIS, our employees, who have access based upon specific roles defined by procedural role-based access controls, use this information following appropriate procedures for handling and disclosing your information. All personal information about you or your organization that we receive via fax or mail is physically protected. In addition, CIS has implemented procedures to safeguard the integrity of its information technology assets, including but not limited to authentication, monitoring and auditing. These security measures have been integrated into the design, implementation and day-to-day operations of our business processes as part of our continuing commitment to the security and privacy of electronic content as well as the electronic transmission of information.

Purposes of Collection and Use

In order to use CIS services and products, CIS shall collect personal information from you when you register for and use these services. Such information can include your name, email, password, and in some instances your payment card data, for purposes of creating your account profile to provide you with access to certain services and features. We do not sell or distribute email addresses or other personal information to others for their commercial use. The purposes for which CIS collects and uses personal information shall include:

  • Providing you with the CIS applications, information, and websites for which you have registered, as well as any products or services, or support requested;
  • Publishing listings of CIS SecureSuite members and CIS Controls Supporters on our website which, in the case of individual members, include names and organizational affiliations;
  • Publishing testimonials of CIS products and services on our website provided by individuals, which would include name, title and affiliated organization;
  • Gaining a better understanding of how our website, products or services are being used so that we can improve them and engage with users;
  • Diagnosing problems;
  • Sending you business messages and marketing related to payments or expiration of subscriptions;
  • Sending you information about CIS products, services, opportunities, updates, advisories, special offers, and similar information;
  • Conducting market research about our customers, and the effectiveness of our marketing campaigns.

We also collect some information that is not considered to be personal information. When visiting our website, the following non-personal information about your visit is automatically collected and stored:

  • The type of browser and operating system you use when you visit this site;
  • The date and time when you visit this site;
  • The webpage and services you access at this site;
  • The forms that you download from this website;
  • Additionally, non-personal information such as a company or governmental entity name and address, and an IP address, may be provided when registering or signing up for CIS products or services. This information is used to determine eligibility for certain products or services.

We use non-personal information internally to find out how people use this website, to help us understand which types of information are of most interest to our visitors so that we can improve this website's content, to assess system performance and to identify problem areas. We do not sell or distribute this information to others for their commercial use.

If you do not use this website to request services or information, you may receive them by other means (such as through your membership in a group to which we may send correspondence). Your ability to view or download most information available to the public on this website will not be affected.

The utilization of this information is strictly for legitimate business purposes and is retained for only as long as necessary to carry out the specific requirements of providing CIS products, services, opportunities, updates, advisories, special offers, and similar information.

Details of third parties with whom we share your information

CIS products and services are hosted and processed by the third parties defined below:

Third Party Recipients / Location; Contact Information for Personal Information Related Inquiries; Personal Information Collected, Purposes, and Retention; Third Party Privacy Policy

Amazon Web Services, Inc. / United States
Contact: Amazon Web Services, Inc., 410 Terry Avenue North, Seattle, WA 98109-5210, ATTN: AWS Legal
Personal Information Collected, Purposes, and Retention: Amazon Web Services, Inc. is a cloud service provider. Your general personal information will be processed by Amazon Web Services, Inc. for storage purposes for the period necessary to fulfil the purposes outlined in this Privacy Policy and in accordance with applicable law.
Third Party Privacy Policy: Link

Microsoft, Inc. / United States
Contact: Microsoft Privacy, Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052, USA. Telephone: +1 (425) 882 8080.
Personal Information Collected, Purposes, and Retention: Microsoft offers a wide range of products, including cloud server products. Your general personal information will be processed by Microsoft, Inc. for storage purposes for the period necessary to fulfil the purposes outlined in this Privacy Policy and in accordance with applicable law.
Third Party Privacy Policy: Link


Children’s Privacy

CIS recognizes the privacy interests of children and we encourage parents or guardians to take an active role in their children’s online activity. CIS services are not intended for children under the age of 13. CIS does not target or market our services to children under 13. If CIS has data that has been collected without the requisite parental consent, CIS will take appropriate actions to remedy and delete the collected information.

Privacy Shield Framework

The following website provides a link to the Privacy Shield List. This framework provides the Principles of all personal data received by CIS from the EU and the commitment that CIS places on such data processing and utilization in providing our products and services.

CIS is self-certifying its compliance to the requirements of both the Privacy Shield Framework and the Swiss-U.S. Privacy Shield. To learn more about the Privacy Shield Framework visit https://www.privacyshield.gov/.

Dispute Resolution

If CIS maintains your Personal Data in one of the services within the scope of our Privacy Shield certification, you may direct any inquiries or complaints concerning our Privacy Shield compliance to privacy@cisecurity.org. If your complaint cannot be resolved through the internal process, CIS will cooperate with an independent dispute resolution body. These bodies provide a recourse process free of charge to individuals. The contact information for the EU Data Protection Authorities (DPA) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) is:

EU Data Protection Authorities (DPA):

https://edpb.europa.eu/about-edpb/board/members_en

Swiss Federal Data Protection and Information Commissioner (FDPIC): https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/contact.html

The mediator identified above may propose any appropriate remedy, such as deletion of the relevant Personal Data, publicity for findings of non-compliance, payment of compensation for losses incurred as a result of non-compliance, or cessation of processing of Personal Data of the Customer who brought forth the complaint. The mediator or the Customer may refer the matter to the U.S. Federal Trade Commission, which has Privacy Shield investigatory and enforcement powers over CIS. Under certain circumstances, Customers may be able to invoke binding arbitration to address complaints about CIS’s compliance with the Principles.

Liability for Onward Transfers

CIS complies with the Privacy Shield’s Principle regarding accountability for onward transfers. CIS remains liable under the Principles if its onward transfer recipients process Personal Data in a manner inconsistent with the Principles, unless CIS provides proof that it was not responsible for the event that led to the damage.

Security

CIS employs procedural and technological security measures that are reasonably designed to help protect your personal information from loss, unauthorized access, disclosure, alteration, or destruction. CIS uses password protection, encryption, and other security measures to help prevent unauthorized access to your personal information. However, no security measure can guarantee against compromise. You also have an important role in protecting personal information. You should not share your usernames/email addresses and passwords with anyone, and you should not re-use passwords across more than one web site.

Other Websites

This website may provide links to websites maintained by other organizations. A link to another website does not constitute an endorsement of the content, viewpoint, accuracy, opinions, policies, products or services of that other website. Once you navigate from this website to another site, you are subject to the terms and conditions of that site, including the provisions of its privacy policy.

Links to CIS Website

We welcome links to the CIS website. Although we prefer that you link to our homepage, you may create links to specific pages within our website. Any individual or organization linking to CIS's website must comply with all applicable laws and with the following conditions:

Unless CIS specifically authorizes you to do so, you may not imply that CIS endorses you, your organization, or your products. In addition:

  • You may not misrepresent your, or your organization’s, relationship with CIS;
  • You may not present false information about CIS;
  • You may not link to the CIS website if your or your organization's website contains content that could be construed as distasteful, offensive or controversial, or is not appropriate for viewing by all age groups;
  • CIS may change content on our site at any time, causing other organizations to have a broken or incorrect link;
  • CIS is not responsible for misdirected links from external websites.

The information provided in this Privacy Policy cannot be interpreted as business, legal or other advice, or as warranting fail-proof security for information provided through this website. Information provided on this website is intended to allow the public access to information related to CIS. While all attempts are made to provide accurate, current and reliable information, there is a possibility of human and/or mechanical error. If your personal data is in error, you can rectify this information by using the manage account function within CIS products or services. This Privacy Policy is not intended to and does not create any contractual or other legal rights for or on behalf of any party.

Who can I contact with questions or concerns?

For any issues, omissions, or questions, please contact privacy@cisecurity.org.