GIAC Privacy Policy

Updated: May 25, 2018

The Global Information Assurance Certification ("GIAC") program is among the most comprehensive information security certification programs in the world. Accordingly, we take our responsibilities to protect a candidate's personal information seriously.

GIAC is sensitive to privacy issues on the Internet. We believe it is important you understand how we treat the information you may provide to us. Unless specifically stated otherwise, the information you provide is never shared with anyone other than GIAC employees and authorized contractors. GIAC never trades or sells certification holders' personal information except as provided in this policy. We will ask for your consent for the processing of your information disclosed here, as well as again before using information for a purpose other than those that are set out in this Privacy Policy ("Policy").

This Policy applies to information collected by the websites associated with GIAC, including giac.org and other domains owned and operated by The ESCAL Institute of Advanced Technologies, Inc.

This Policy applies to all individuals, regardless of where they reside, or whether they have other dealings with GIAC that result in the collection of personal information. However, if you reside in the European Union ("EU"), this explanation and summary of the Policy is specifically designed to meet the requirements of the EU General Data Protection Regulation ("GDPR"), effective May 25, 2018.

Specific Information about Our Privacy Policy

Our Privacy Policy is described here in a concise, transparent, intelligible, and easily-accessible form. It is set forth in a series of specific components describing how our Policy operates and how it meets certain privacy rights.

Identity of the Data Controller

GIAC is the data controller - the entity that collects and processes personal data, or arranges for such actions taken on its behalf by its agents. As such, we are responsible for deciding the purposes for which personal information is used and processed, and the means by which such processing is done. Thus, it is GIAC's responsibility to inform you in advance concerning the processing of your personal information. You may contact GIAC concerning your rights under this Policy by writing to: policy@giac.org.

Legitimate Bases For Collecting/Using Your Personal Information

The principal basis on which we collect and use your information is when you give us your affirmative consent. However, when you register for the GIAC program, or make a purchase of testing and/or related services from us, GIAC has a legitimate basis beyond consent to collect your personal information in order to provide you with the goods or services that you expect us to deliver, which depends upon us having and using your personal information. In the process of registering for testing services, you will be asked to sign a Candidate Agreement, from which a legitimate basis is created for us to collect and use your personal information. Once you have a formal relationship with us, GIAC also has a legitimate interest in providing you with timely information about upcoming events and/or products in which you may have an interest; so, to better serve you, we will market or promote those events/products to you. Thus, depending on the precise situation, GIAC may rely on one of these legitimate bases in collecting your personal information.

How We Collect Personal Information

To save you time and make our web services easy to use, you may create a dashboard account using your personal information. You may do this by visiting https://www.sans.org/account/. The account dashboard system saves your information and references it to your email address and password. The next time you visit the GIAC website, you can simply enter your email address and password. If you purchase a certification or service from us, we request certain personally identifiable information from you on our order form. You must provide contact information (such as name, email, and shipping address) and financial information (such as credit card number, expiration date). We use this information for billing purposes and to fill your orders. If we have trouble processing an order, we will use this information to contact you. We also use the mailing address to send you GIAC brochures and other items of interest.

When you register online for a certification, we collect the information you provide us, including your name, contact information, affiliation, and the name of the certification. We use this information to ensure you are properly registered for the certification you have selected, and to notify you about other certifications that may be of interest to you. We also use this information in the course of fulfilling our obligations to provide the certification to you, including providing you materials, if you opted for a certification renewal, and contacting you with respect to the certification itself.

Many employers have purchasing arrangements with GIAC/SANS that may be used by their employees to pay for GIAC products. GIAC candidate data, including contact information and exam-related data may be shared with the purchasing organization's designated contact. As such, GIAC may share your certification status, and/or the results of GIAC certification attempts with the entity that GIAC determines, using commercially reasonable practices, directly or ultimately paid for your certification exam or other related GIAC product or service. GIAC may release to such organization only appropriately limited information, including your progress, exam appointment date, exam deadline, and the results of the test, subject to the commitment by that entity to keep GIAC data confidential and not to further disclose it to any third party without your express written consent.

GIAC may use outside vendors or third parties to proctor or administer exams we provide or for other certification, accreditation or licensing. The authentication and validation process may include requiring persons to provide identification (or photographing participants). Copies of such authentication information, as well as the identity of those taking the exams may be collected and stored by GIAC, but this information will be used by GIAC in accordance with this privacy policy, to prevent fraud and to ensure the identity of those taking the examination.

GIAC may occasionally provide you the opportunity to participate in contests or surveys on our site. If you participate, we may request certain personally identifiable information from you. Participation in these surveys or contests is completely voluntary and you therefore have a choice whether or not to disclose this information. The requested information typically includes contact and demographic information such as name and address. We may share aggregated demographic information about our user base with our partners and advertisers. When this information is shared, it is anonymous (i.e., does not identify individual users).

When you contact GIAC, we may keep a record of your communication to help resolve any issues you might be facing. We may use your email address to inform you about our services, such as letting you know about upcoming changes or improvements.

GIAC may use Twitter, Facebook or other social media outlets to market and promote its offerings and services. Any communications you make with GIAC using these media may be used by GIAC in accordance with this policy.

Access To Your Personal Information

You always have access to the information we have about you. To review and update your personal contact information, simply click https://www.sans.org/account/login and log in with your email address and password, then click Update Your Account. We encourage you to review your preferences regularly to keep the information current. You may also write policy@giac.org to have the information changed or removed, or to withdraw your consent.

Vendors, Suppliers, or Other Access to Your Information

We may provide access to your personal information to our affiliates or other trusted businesses or persons to process it for us, based on our instructions and in compliance with our Privacy Policy and any other appropriate confidentiality and security measures.

Sharing of Your Information

In general, we will only share your information with those individuals and/or entities whom you authorize or designate, for example, with your existing or prospective employer, with a governmental body that has authority to issue a credential or other certification, or with another certifying body.

We may share personal information with companies, organizations or individuals outside of GIAC if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:

  • meet any applicable law, regulation, legal process or enforceable governmental request.
  • enforce applicable Candidate Agreement Terms of Service, Terms of Use, or other potential violation of GIAC contracts or rules, including investigation of potential violations.
  • detect, prevent, investigate or otherwise address fraud, security or technical issues.
  • protect against harm to the rights, property or safety of GIAC, our users or the public as required or permitted by law.

When the certification body is required by law to release confidential information, the person concerned shall, unless prohibited by law, be notified as to what information will be provided.

Merger, Acquisition, Sale or Forced Sale

If GIAC is involved in a merger, acquisition or asset sale, including a forced sale of assets, we will, to the extent permitted by law, continue to ensure the confidentiality of any personal information and give affected users notice before personal information is transferred or becomes subject to a different privacy policy.

GIAC Certified Professional Information

GIAC Certified Professionals are listed on the GIAC website which is public information. Published data includes Analyst Number, Certificate Holder's Name, Gold Paper Title (if applicable) and Certification Expiration Date. No personal contact information is published.

Log Files

As is true of most Web sites, we gather certain information automatically and store it in log files. This information may include IP addresses, browser type, referring/exit pages, operating system, date/time stamp, and clickstream data. We use this information to analyze trends, to administer the site, and to track how visitors interact with the site.

Cookies

A cookie is a small text file that is stored on a user's computer for record-keeping purposes. We do use cookies on our site. GIAC may use both session ID cookies and persistent cookies. We use session cookies to make it easier for you to navigate our site. A session cookie expires when you close your browser. A persistent cookie remains on your hard drive for an extended period of time. You can remove persistent cookies by following directions provided in your Internet browser's help file.

When you log into your GIAC portal account you may select the "Remember me" check box to set a persistent cookie to store your password, so you don't have to enter it more than once. You can remove the portal login cookie by clicking the "Logout" link. If you reject cookies, you may still use our site, but your ability to use some areas of our site, such as the portal, contests or surveys, will be limited and you may need to reenter personal information when you register for events.

Transfer of Your Information

GIAC generally transfers your personal information to the United States in order to process it (e.g., handle and follow up on your test registration and test results), as well as to store the information for future use (e.g., to comply with your instructions to share information, to provide you additional services). When we transfer personal data, we take all reasonable steps to ensure that the information is protected, including protection by contractors and/or subcontractors, and to ensure that your information is not shared in any manner that is inconsistent with this Privacy Policy. Whenever GIAC transfers personal information, we take every precaution to ensure that the entity with which we interact receives, stores, and processes your personal data in conformance with the GDPR and any other confidentiality/security requirements.

Details of Your Rights

Your rights in relation to your personal information are to: (1) be informed about its use; (2) have access to your information; (3) correct your personal information; (4) have your personal information deleted; and (5) restrict how we use your personal information. You also have the right to have your personal information ported to others; however, as explained in more detail in the Candidate Agreement, because GIAC's use of your personal information is specific to its uses (e.g., for testing and marketing activities related to our services), it is usually not technically feasible for us to honor such requests because we are not able to exchange that information with another entity with which we have no direct interface or any reason to exchange data. You are also entitled to know if GIAC is using any automated decision-making (including profiling); we do not use any such automated technologies in the processing of your personal information.

You have the right to withdraw your consent at any time during use of this website or by emailing GIAC at policy@giac.org. However, as described in more detail in the Candidate Agreement, any data processing performed in whole or in part by GIAC prior to your withdrawal of consent cannot be undone.

You also have the right to object to GIAC's collection and/or use of your personal information, or request access to your information as well as request that we correct any information we have or to remove you from our records. If your personal information changes (e.g., postal code, phone, email or postal address), you can change online, physical contact, and other information by contacting GIAC as shown above. If you wish to correct/update/delete information or no longer desire to receive information from GIAC, you can notify us by using any of the information in the Contact section of this Policy. We will respond to your request to access within 30 days.

You have the right to file a complaint with GIAC by emailing us at policy@giac.org and we will respond without undue delay, within at least 30 days unless we inform you that additional time will be required. In addition, you have the right to file a complaint with your relevant Supervisory Authority (i.e., Data Protection Authority).

How We Protect Your Personal Information

GIAC safeguards the security of the data you send us with physical, electronic, and managerial procedures. Likewise, we urge you to take every precaution to protect your personal data when you are on the Internet. These precautions include changing your password often, using a combination of letters, numbers and symbols, and using a secure browser.

The GIAC website uses SSL v3 and TLS v1 encryption on all web pages where personal information is submitted. This protects the confidentiality of your personal and credit card information as it is transmitted over the Internet.

GIAC does not store credit card numbers on our servers. Credit card numbers are submitted to a credit card authorization service. This service provides GIAC with credit card validation information only. We do not have access to your personal financial data.

GIAC may employ independent contractors to help manage data services, and such contractors may have access to data, similar to the access we give our employees. Also, GIAC may store sales account data, including personally identifiable information, with a third party application service provider.

Newsletters And Promotional Email

If you no longer wish to receive our newsletters and promotional communications from GIAC, you may withdraw your previous consent and stop receiving them by following the instructions included in each newsletter or communication or by accessing your preferences by logging into https://www.sans.org/account/login as described in the previous paragraph.

Links To Other Sites

The GIAC website contains links to other sites that are not owned or controlled by GIAC. Please be aware that GIAC is not responsible for the privacy practices of such other sites. We encourage you to be aware when you leave our site and to read the privacy statements of each and every website that collects personally identifiable information.

Information Obtained From Third Parties

GIAC does not sell or trade your personal information. Nonetheless, we may at times receive contact lists from other organizations. We may send mailings such as brochures to these addresses. Typically, these are one-time mailings, and the data is not entered into our database. If you want to remove yourself from the third party's database, you must contact them directly. These mailings have a brochure code printed on the mailing label. By providing this code, we will be able to tell you from what provider we received your contact info.

Changes To This Privacy Statement

We reserve the right to modify this Privacy Policy at any time. Accordingly, please review it frequently. If we decide to change our Privacy Policy, we will post those changes to this privacy statement, the homepage, and other places we deem appropriate so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it.

Statement Regarding Privacy Shield

GIAC, as a subsidiary of The ESCAL Institute of Advanced Technologies, Inc., complies with the EU-U.S. Privacy Shield Framework and the Swiss - U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. We have certified to the Department of Commerce that we adhere to the Privacy Shield Principles. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

In compliance with the Privacy Shield Principles, GIAC commits to resolve complaints about your privacy and our collection or use of your personal information. European Union individuals with inquiries or complaints regarding this privacy policy should first contact GIAC at policy@giac.org.

GIAC has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to the EU Data Protection Authorities (DPAs), or where applicable instead, to the Swiss Federal Data Protection and Information Commissioner. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit the following web site for more information and to file a complaint with the EU DPAs: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.

If you have exhausted all other means to resolve your complaint, you may be able to engage in binding arbitration through the Privacy Shield Panel.

GIAC's commitments under the Privacy Shield are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

Contact Us

If you have any questions or suggestions regarding our privacy policy, please contact us at policy@giac.org.