The International Information Systems Security Certifications Consortium, Inc. “(ISC)²” has created this privacy statement in order to demonstrate our firm commitment to privacy. The following discloses our information gathering and dissemination practices for this website: www.isc2.org.
(ISC)² reserves the right to change this policy at any time by notifying users of the existence of a new privacy statement.
Collection of Data
Examples of the information collected about your usage include: the top viewed and visited pages and links on our web site, top entry and exit points, number of form completions, time spent on pages, top downloads, top keywords used offsite to lead customers to our website, your internet protocol (IP) address, information collected via cookies, device event information such as system activity, crashes, hardware settings, browser type, etc.
In certain limited circumstances (for instance in our Examination Registration Form), we may ask you to provide information regarding your prior criminal convictions to assess your suitability to become an (ISC)² member, or information regarding your disability or health condition so that we can make suitable arrangements to accommodate you at examinations, seminars, and other events. We appreciate that you may consider this information to be particularly sensitive, and you can rest assured that we will keep such information in the strictest confidence and use it only for the limited purposes for which it was collected.
Purpose of Processing
The personal data collected is used by (ISC)², other (ISC)² group companies, and third parties acting on its behalf for customer administration and marketing related purposes including, to process applications received by (ISC)², to provide resources to and manage (ISC)²’s relationship with existing members, to process and respond to queries received from the public and to send marketing communications on (ISC)²’s behalf and on behalf of other selected vendors (see below).
In some cases, such as the request to download online Study Guides, (ISC)² does require the collection of home address and telephone numbers. It has been our experience that residential contact information is more constant than business contact information because of the mobility of professionals through their careers. This information is only used to contact individuals about upcoming examinations and training seminars.
(ISC)² will occasionally perform statistical analyses of user behaviour and characteristics in order to measure interest in and use of the various areas of the Site. (ISC)² will provide only aggregated data from analyses to affiliated third parties. (ISC)² also uses your IP address to help diagnose problems with our server and to administer the Site.
Where permitted by law, (ISC)²’s examination vendor uses biometric data to authenticate those taking its exams. While neither (ISC)² nor its examination vendor retain raw biometric data, the examination vendor does retain, for a period of five years following the person’s last contact with the vendor, data based upon an algorithm of the palm scan received when accessing an examination site. This assists (ISC)² in assuring the identify of those taking its exams and preventing fraud in the exam process. This data is destroyed after the five year period and is used for no other purpose.
(ISC)² is a certification organization and maintains information on those who possess its certifications or have expressed an interest in them. If you would like to see the information (ISC)² retains about you, please write to our marketing department at the address below.
For those who do not maintain their certification, (ISC)² retains certification records for a maximum of five (5) years following decertification, after which all records regarding a particular member are destroyed. However, for those who are decertified by the organization for violation of the (ISC)² Code of Ethics, fraudulently misrepresenting their education, experience or background, caught cheating on any (ISC)² exam, or otherwise permanently barred from ever holding an (ISC)² certification, (ISC)² permanently retains the name, address, appropriate identifying information and reason for the permanent ban from certification. (ISC)² expressly reserves the right to review its retention policy on a case-by-case basis, but not to exceed the maximum amount stated herein.
In those cases when you want (ISC)² to provide a copy of the information held on you, (ISC)² may require the payment of an administration fee of $15. Additionally and upon your written request, (ISC)² will update/correct personal information previously submitted which you believe to be inaccurate.
Requests may be sent to:
(ISC)² Member Services
311 Park Place Blvd.
Clearwater, Florida 33759
(ISC)² is a membership organization and, as such, must maintain contact information on its members to communicate relational or transactional information. (ISC)² also sends promotional material promoting its conferences, training opportunities, or other offerings. From time to time, (ISC)² collaborates with other security organizations and companies to promote other programs that may be of interest to information security professionals and (ISC)² constituents. In such cases, (ISC)² does not provide these organizations with any mailing information or otherwise disclose any contact information but distributes the organization’s information on their behalf to those who have elected to receive such information. We will always obtain your prior “opt-in” before sending you marketing communications. If, at any time, you do not wish to receive marketing material, every marketing e-mail will include an opt-out link at the bottom or you may notify (ISC)² in writing at the address below. This does not include opting-out of (ISC)² relational (constituent meetings, newsletters, AMF/CPE notices, (ISC)² functions) or transactional notices. Be aware that if you possess any (ISC)² certification, you may not opt-out of any (ISC)² relational or transactional notice.
Occasionally, (ISC)² out sources administration and other (ISC)² functions to contractors. In such cases, (ISC)² may provide these third parties with contact information for the sole purpose of performing (ISC)²-sanctioned tasks under the supervision of (ISC)² employees. These contractual relationships specifically address the manner in which they may use contact information and that they may not copy or disseminate that information or use it for any purpose other than that specified in the contract. Additionally, upon termination of the contract, they must return all information to (ISC)² and destroy any copies that they might possess.
(ISC)² Certification Verification
As an organization that certifies individuals in information security, (ISC)² is frequently requested to verify whether an individual’s assertion that they possess our certification is accurate. It is an implied duty that (ISC)² identify and attest to the certified status of those individuals who do possess our certification. As such, (ISC)2 will verify whether an individual is certified by (ISC)² or not upon receiving sufficient identifying information regarding the subject of the inquiry. (ISC)² also provides a verification process on its public website which lists members based on last name. This listing provides the name, city/state/country, and certification title held by the member. However, under no circumstances is any contact or other information disclosed.
(ISC)² Public Directory
As a service to the general public and (ISC)² members, (ISC)² publishes on the public side of its website, a directory listing of certificate holders which allows contact information to be listed. Listing in this directory is entirely voluntary. Those who elect to be listed should be aware that when they voluntarily disclose personally identifiable information (e.g., user name, email address) on the appropriate Directory for the (ISC)² sites, such information, along with any substantive information disclosed in the directory, can be collected and correlated and used by third parties and may result in unsolicited messages from other posters or third parties. Such activities are beyond the control of (ISC)².
CISSP Lists for Employers
Periodically, (ISC)² is asked by an employer to identify those employed by their organization who hold (ISC)² credentials. To that end, we provide names of those (ISC)² members who list the requester as their employer. No information, other than name, is revealed, and it is provided only to the employer upon written request. If you are an (ISC)² member and do not wish to be identified as such to your employer, do not list your employer in your contact information, as this is the information used to identify you for inclusion to such a list.
- You can send an email to legal at isc2.org
- You can send mail to the following postal address:
311 Park Place Blvd.
Clearwater, Florida 33759