www.cisecurity.org
104.18.28.89  Public Scan

Submitted URL: https://learn.cisecurity.org/e/799323/5F4DE71DCA429681D120B80F212551/4t5d2m/1199746506?h=fw9SiQrphDvktWVdpyfzjAJVttvi6JjXGIgW...
Effective URL: https://www.cisecurity.org/privacy-notice?utm_source=pardot&utm_medium=email&utm_campaign=cis&utm_content=20230700_privacy_...
Submission: On August 29 via manual from CA — Scanned from CA

Form analysis 0 forms found in the DOM

Text Content

Effective September 25, 2023: New Website Privacy Notice | Learn More


CIS WEBSITE PRIVACY NOTICE


PRIVACY NOTICE INTRODUCTION

Your privacy is important to CIS. CIS knows that you care how information about
you is used and shared, and we appreciate your trust that we will do so
carefully and sensibly. This Privacy Notice describes our privacy practices,
including what data we collect, how we use data and for what purpose. Given the
importance we place on privacy, it is important that you read this notice
carefully. 

The Privacy Notice may be updated at the discretion of CIS periodically and
without prior notice to you to reflect changes in our information practices or
relevant laws. In the event of material changes to the Privacy Notice, CIS shall
provide appropriate notification to applicable parties through various
mechanisms such as but not limited to email or pop-up notifications on the
website. To view previous versions, visit the Privacy Notice version history.
Any questions or comments with respect to the Privacy Notice should be directed
to privacy@cisecurity.org.

The CIS website (www.cisecurity.org) is intended to make it easy and efficient
to learn about and interact with CIS and its various program areas such as CIS
Controls™, CIS Benchmarks®, CIS CyberMarket, and MS-ISAC®.

The mission of CIS is to improve and enhance cybersecurity, so we are sensitive
to privacy issues on the Internet and recognize that visitors to this website
and those who use our products and services are concerned about the type of
information we collect and how we use it. CIS is committed to preserving your
privacy and this Privacy Notice outlines our practices. For definitions of key
terms used in this Privacy Notice, click here. 


Current version v7.0 published date: 09/29/2023
Privacy Notice version history.




TABLE OF CONTENTS

 1.  Information we collect
 2.  How to access and control your personal data
 3.  Data transfer
 4.  Reasons we share your personal data
 5.  Cookies
 6.  Web beacons and analytics services
 7.  Security of your information
 8.  Data storage and retention
 9.  Purposes of collection and use
 10. Children’s privacy
 11. Other websites
 12. Links to CIS website
 13. Terminology
 14. Who can I contact with questions or concerns




INFORMATION WE COLLECT

CIS hosts and processes “Customer Data,” including “Personal Data” therein at
the direction of and pursuant to the instructions of our “Customers.”

CIS serves as a Data Processor for the following products and services:

 * SecureSuite membership including CIS Workbench, CSAT, and CIS-CAT

CIS serves as a Data Controller for the following products and services:

 * MS/EI-ISAC memberships, monitoring of SLTT systems and SLTT partner paid
   services.
 * Downloadable content from the CIS Website: CIS Benchmarks, CIS Controls,
   Cybermarket, and White papers/downloadable guides/best practices.

“Information” is defined as: (1) personal information, which is information that
can be identified to a particular individual because of a name, number, symbol,
mark or other indicator; and (2) non-personal information that does not identify
a particular individual.

CIS receives and stores certain types of information whenever you interact with
us. Any personal information you provide is voluntarily gathered by initiating
an online transaction, such as a survey, registration or order form, or
establishing a login for access and use of certain tools or SecureSuite member
areas of our website.





HOW TO ACCESS AND CONTROL YOUR PERSONAL DATA

You can control the personal data that is collected with opt-in choices on the
CIS services website. Not all personal data can be controlled in this manner;
you can exercise your data protection rights by contacting
privacy@cisecurity.org. In some cases, your access or control over personal data
may be limited as required or permitted by applicable law. Depending upon the
services that you use, the method of control will vary. For example:

 * CIS downloads can be controlled with the opt-in section of the page, thus
   controlling the interest-based advertising from CIS.
 * CIS Workbench controls are made either through the portal to modify your
   personal data or via a request to privacy@cisecurity.org for removal.
 * A request for removal of information gathered via the CIS website can be made
   via a request to privacy@cisecurity.org.

If you do voluntarily provide personal information, your email address and the
entire contents of your email message and other information you provide are
retained.

If you do not wish to have identifying information disclosed, we honor all
requests to omit individual or organization names from website listings. If such
a request is made, identifying information will not be disclosed by CIS unless
we are legally required to do so.

CIS collects general information about the “Customer,” including the customer
company name and address, credit card information, and the “Customer”
representative’s contact information for billing and contracting purposes.

As a service provider, we aim to provide you the necessary access to update the
personal information that is within our records. If that information is
incorrect, we give you ways to update it quickly.

If you request to delete the data that is present within our systems, we will do
so with a validated request, unless we have to keep that information for
legitimate business or legal purposes. The maintenance of service is required to
protect all information from accidental or malicious destruction. If your
request to delete is completed, we may not immediately delete this data from
residual copies and we may not remove it from archived or backed up systems.

All requests shall be processed within thirty (30) business days, when feasible
and appropriate. 





DATA TRANSFER

CIS has its headquarters in the United States. Information we collect about you
will be processed in the United States. By using CIS services and products, you
acknowledge that your personal information will be processed in the United
States. The United States has not sought nor received a finding of “adequacy”
from the European Union under Article 45 of the GDPR. 

Depending on the circumstance, CIS also collects and transfers to the U.S.
personal data with consent or to perform a contract with you. CIS endeavors to
apply suitable safeguards to protect the privacy and security of your personal
data and to use it only consistent with your relationship with CIS and the
practices described in this Privacy Notice. CIS also enters into data processing
agreements and model clauses with its vendors and/or service providers whenever
feasible and appropriate. 





REASONS WE SHARE YOUR PERSONAL DATA

CIS may be required to disclose personal information in response to lawful
requests by public authorities, including disclosures to meet national security
or law enforcement requirements.

CIS may also share your personal information at your request, where you have
affirmatively provided consent to CIS to share your personal information with a
third party in order for CIS or the third party to provide services to you.





COOKIES

Cookies are text files stored by your web browser in order to record information
about you or your activities on a website. Using cookies for this purpose is a
common, generally accepted practice on the Internet. We may use temporary
cookies to enhance, customize, or enable your visit to this website. Temporary
cookies do not contain personal information that can be used to identify you, do
not compromise your privacy or security, and are erased when you close your
browser.

Certain features on this website may require you to fill in a registration form
used to personalize your user experience. Such features may store a persistent
cookie on your computer's hard drive that is not deleted when you close your
browser. A persistent cookie allows us to recognize you on your next visit and
tailor your user experience to your needs and interests.

If the program you use to access this site is set to refuse new cookies or
delete existing cookies, your ability to use some of the features on this
website may be limited.


TYPES OF COOKIES USED BY CIS

Category: What do they do?

 * Necessary: These cookies are essential to make the CIS website function.
   They enable specific features, without which the user experience would be
   null.
 * Analytics/Performance: These cookies are used to determine performance; we
   use them to understand and improve our products and services.
 * Targeting/Marketing: CIS uses these cookies to show you relevant advertising
   and targeted ads. We may also use them to learn about ad utilization and the
   action taken with a specific marketing cookie, e.g., to visit and download a
   Benchmark, join a webcast or download a whitepaper. Similarly, partners may
   use the same process to determine ad performance, and the use of ads both on
   and off the CIS website.
 * Preferences/Functional: These cookies define your preferred setting and
   communication preferences.

In order to utilize the functionality and provide the required information CIS
needs to process and manage products and services, some cookies are deemed
Necessary. These are required to maintain the functionality of the CIS products
and services offered. If your preference is to not accept these cookies, your
actions and access to specific products and services will be severely limited
and in some cases restricted.

Please refer to the specific cookies used by CIS page.

Unclassified cookies are cookies that we are in the process of classifying,
together with the providers of individual cookies.


MANAGING COOKIES IN YOUR BROWSER, OPT OUT OPTIONS FOR COOKIES

Depending on personal preference, you may want to limit or delete cookies. This
preference can be implemented within your web browsers and gives you the ability
to manage cookies to suit your requirements. Depending on the browser, it may
limit or delete cookies, so you may want to review your cookie settings and
advertisement or marketing settings. In some browsers, you can set up rules to
manage cookies on a site-by-site basis, giving you more fine-grained control
over your opt-out needs. This means that you can disallow cookies from all sites
based on your privacy preference.





WEB BEACONS AND ANALYTICS SERVICES

CIS websites and emails may contain an electronic image known as a web beacon
(or single-pixel GIF). We use these to help deliver cookies on our websites,
analyze promotional email messages, count users who have visited our websites,
deliver CIS content and to determine whether users open emails and act on them.
The actions and data that CIS captures include:

 * When an email is opened
 * When a link is clicked
 * Date/time email was delivered, opened, clicked
 * Time spent viewing email (in seconds)
 * Email client (Gmail, Outlook, Apple Mail iOS, etc.)
 * Browser (Chrome, IE, Firefox, etc.)


INFORMATION OBTAINED BY GOOGLE ANALYTICS

This website uses the Google Analytics web analysis service and enters into an
agreement with Google as the data processor. Google Analytics stores a
persistent cookie on your hard drive. The information in this cookie (including
your IP address) is transmitted to Google and stored on Google servers. Google
uses this information to anonymously analyze your use of the website, compile
reports on your website activity for site operators, and provide other services
related to your website activity and Internet usage. Google may transfer this
information to third parties where required to do so by law or where those third
parties process the information on Google's behalf. Google will not associate
your IP address with any other data held by Google.

By using this website, you consent to Google's processing of data about you. For
a review of Google Privacy Policy please see
https://policies.google.com/privacy.


INFORMATION OBTAINED BY SITECORE

This website uses a cookie to track anonymous contacts, specifically the
SC_ANALYTICS_GLOBAL_COOKIE cookie. When an anonymous visitor goes to
www.cisecurity.org, a device GUID is generated and saved. If the visitor
returns to www.cisecurity.org, the tracker has enough information to identify
the contact as an existing anonymous contact, and a new interaction is saved on
session end. If the visitor returns to www.cisecurity.org on the same device
after clearing their cookies, a new device GUID is generated and saved.

CIS uses this information for the following purposes:

 * Personalization of content based on behavior during the current session.
 * Historic personalization of content based on behavior during previous sessions.
 * Reacting to activities such as goals triggered during the current
   interaction.

Cookies capture this information and securely transmit and store such
information on Sitecore servers. The use of such cookies can be disabled in your
web browser, as set forth in the section entitled, “Managing Cookies in Your
Browser, Opt Out Options for Cookies.” 

By using this website, you consent to Sitecore’s processing of data about you.
For a review of the Sitecore Privacy Policy, please see
https://www.sitecore.com/trust/privacy-policy.





SECURITY OF YOUR INFORMATION

To help protect the privacy of data and personally identifiable information you
transmit through use of this Site, we maintain physical, technical and
administrative safeguards. We update and test our security technology on an
ongoing basis. We restrict access to your personal data to those employees who
need to know that information to provide benefits or services to you. In
addition, we train our employees about the importance of confidentiality and
maintaining the privacy and security of your information.  

CIS employs procedural and technological security measures that are reasonably
designed to help protect your personal information from loss, unauthorized
access, disclosure, alteration, or destruction. CIS uses password protection,
encryption, and other security measures to help prevent unauthorized access to
your personal information. However, no security measure can guarantee against
compromise. You also have an important role in protecting personal information.
You should not share your usernames/email addresses and passwords with anyone,
and you should not re-use passwords across more than one web site.





DATA STORAGE AND RETENTION

Your personal data is stored by CIS on its servers, and on the servers of the
cloud-based database management services CIS engages, located in the United
States. CIS retains data for the duration of the customer’s or member’s business
relationship with CIS and for a period of time thereafter to allow customers to
recover accounts if they decide to renew, to analyze the data for CIS’s own
operations, and for historical and archiving purposes. For more information on
where and how long your personal data is stored, and for more information on
your rights of erasure and portability, please contact privacy@cisecurity.org.





PURPOSES OF COLLECTION AND USE

In order to use CIS services and products, CIS shall collect personal
information from you when you register for and use these services. Such
information can include your name, email, password, and in some instances your
payment card data, for purposes of creating your account profile to provide you
with access to certain services and features. We do not sell or distribute email
addresses or other personal information to others for their commercial use. The
purposes for which CIS collects and uses personal information shall include:

 * Providing you with the CIS applications, information, and websites for which
   you have registered, as well as any products or services, or support
   requested;
 * Publishing listings of CIS SecureSuite members and CIS Controls Supporters on
   our website which, in the case of individual members, includes names and
   organizational affiliations;
 * Publishing testimonials of CIS products and services on our website provided
   by individuals, which would include name, title and affiliate organization;
 * Gaining a better understanding of how our website, products or services are
   being used so that we can improve them and engage with users;
 * Diagnosing problems;
 * Sending you business messages and marketing related to payments or expiration
   of subscriptions;
 * Sending you information about CIS products, services, opportunities, updates,
   advisories, special offers, and similar information;
 * Conducting market research about our customers, and the effectiveness of our
   marketing campaigns.

We also collect some information that is not considered to be personal
information. When visiting our website, the following non-personal information
about your visit is automatically collected and stored:

 * The type of browser and operating system you use when you visit this site;
 * The date and time when you visit this site;
 * The webpage and services you access at this site;
 * The forms that you download from this website;
 * Additionally, non-personal information, such as a company or governmental
   entity name and address and IP address, may be provided when registering or
   signing up for CIS products or services. This information is used to
   determine eligibility for certain products or services.

We use non-personal information internally to find out how people use this
website, to help us understand which types of information are of most interest
to our visitors so that we can improve this website's content, to assess system
performance and to identify problem areas. We do not sell or distribute this
information to others for their commercial use.

If you do not use this website to request services or information, you may
receive them by other means (such as through your membership in a group to which
we may send correspondence). Your ability to view or download most information
available to the public on this website will not be affected. The utilization of
this information is strictly for legitimate business purposes and is retained
for only as long as necessary to carry out the specific requirements of
providing CIS products, services, opportunities, updates, advisories, special
offers, and similar information.  

To the extent that CIS engages a third-party subprocessor to have access in order
to assist in the provision of services to you, such subprocessor shall be
subject to the same level of data protection and security as CIS. A listing of
subprocessors can be found here. This list of subprocessors is subject to change
and the website will be updated accordingly. We recommend that you review this
list periodically for updates. You may choose to opt-out of services based on
this list of subprocessors by notifying CIS at privacy@cisecurity.org. Your
continued use of the service shall be deemed your acceptance of the use of such
subprocessors.







CHILDREN’S PRIVACY

CIS recognizes the privacy interests of children and we encourage parents or
guardians to take an active role in their children’s online activity. CIS
services are not intended for children under the age of 13. CIS does not target
or market our services to children under 13. If CIS has data that has been
collected without the requisite parental consent, CIS will take appropriate
actions to remedy and delete the collected information.





OTHER WEBSITES

This website may provide links to websites maintained by other organizations. A
link to another website does not constitute an endorsement of the content,
viewpoint, accuracy, opinions, policies, products or services of that other
website. Once you navigate from this website to another site, you are subject to
the terms and conditions of that site, including the provisions of its privacy
policy.





LINKS TO CIS WEBSITE

We welcome links to the CIS website. Although we prefer that you link to our
homepage, you may create links to specific pages within our website. Any
individual or organization linking to CIS's website must comply with all
applicable laws and with the following conditions:

Unless CIS specifically authorizes you to do so, you may not imply that CIS
endorses you, your organization, or your products. In addition:

 * You may not misrepresent your, or your organization's, relationship with CIS;
 * You may not present false information about CIS;
 * You may not link to the CIS website if your or your organization's website
   contains content that could be construed as distasteful, offensive or
   controversial, or is not appropriate for viewing by all age groups;
 * CIS may change content on our site at any time, causing other organizations
   to have a broken or incorrect link;
 * CIS is not responsible for misdirected links from external websites.





TERMINOLOGY

For the purposes of this Privacy Notice:

"Controller" means a person or organization that, alone or jointly with others,
determines the purposes and means of the processing of Personal Data. 

"Customer" means any entity that purchases, subscribes or downloads CIS services
or products.

"Customer Data" means the electronic data uploaded into the web application by
or for a Customer or its Users.

"Personal Data" means any information, including Sensitive Data that is about an
identified or identifiable individual and received by CIS in the U.S. from the
European Union, the United Kingdom or Switzerland in connection with the
Service.

"Processor" means any natural or legal person, public authority, agency or other
body that processes Personal Data on behalf of a Controller.

"Sensitive Data" means Personal Data specifying medical or health conditions,
racial or ethnic origin, political opinions, religious or philosophical beliefs,
trade union membership, sex life, the commission or alleged commission of any
offense, any proceedings for any offense committed or alleged to have been
committed by the individual or the disposal of such proceedings, or the sentence
of any court in such proceedings.

“SLTT” means a United States State, Local, Tribal or Territorial government.

"User" means an individual authorized by Customer to access and use the web
application and information service.


 


WHO CAN I CONTACT WITH QUESTIONS OR CONCERNS?

If you have questions, concerns, complaints, or would like to exercise your
rights, please contact privacy@cisecurity.org.

The information provided in this Privacy Notice cannot be interpreted as
business, legal or other advice, or as warranting fail-proof security for
information provided through this website. Information provided on this website
is intended to allow the public access to information related to CIS. While all
attempts are made to provide accurate, current and reliable information, there
is a possibility of human and/or mechanical error. If your personal data is in
error, your ability to rectify this information is controlled by using the manage
account function within CIS products or services. This Privacy Notice is not
intended to and does not create any contractual or other legal rights for or on
behalf of any party.


 SPECIFIC COOKIES USED BY CIS

 PRIVACY NOTICE VERSION HISTORY

 THIRD PARTY SUBPROCESSORS


Copyright © 2023 Center for Internet Security®
