This privacy statement applies to information collected by the websites SANS manages and controls, including sans.org, sans.edu, giac.org, and other domains owned and operated by SANS, GIAC, and the ESCAL Institute, hereafter referred to collectively as SANS.
To save you time and make our web services even easier to use, you may create a SANS dashboard account using your personal information. You may do this by visiting https://www.sans.org/account/. The SANS account dashboard system saves your information and references it to your email address and password. The next time you visit the SANS website, you can simply enter your email address and password. If you purchase a product or service from us, we request certain personally identifiable information from you on our order form. You must provide contact information (such as name, email, and shipping address) and financial information (such as credit card number, expiration date). We use this information for billing purposes and to fill your orders. If we have trouble processing an order, we will use this information to contact you. We also use the mailing address to send you conference brochures and other items of interest.
When you register online for a conference, we collect the information you provide us, including your name, contact information, affiliation, the name and location of the course, and attendance information. We use this information to ensure that you are properly registered for the course you have selected, and to notify you about other courses that may be of interest to you. We also use this information in the course of fulfilling our obligations to provide the course to you, including providing you course materials and contacting you with respect to the course itself. We also create a paper attendee list and provide a copy of that list to every student and vendor that attends the conference. If you wish, you may opt out of being included in a paper attendee list by indicating so where the registration form lists "include my name in attendee list." The information on the attendee list consists of first name, last name, company, city, state and country. In addition, student evaluation forms, together with the identity of the student completing the evaluation, may be made available to SANS employees responsible for evaluating the quality of the course, including the instructors themselves.
Some SANS training events are co-sponsored by other organizations. Examples include SANS OnSite events that are held in conjunction with private industry, government agencies, or education institutions. When you register for one of these events, the co-sponsoring organization may have access to your registration data. The co-sponsor may use this information for purposes related to the event but, unless you are specifically notified otherwise, may not share it with others or use the data for marketing purposes. When you attend a conference, whether sponsored by SANS or otherwise, SANS may collect information concerning your participation and feedback. For example, SANS representatives may scan badges of conference participants, and may share the information from such scans with sponsoring vendors.
Many organizations purchase vouchers that may be used by their employees to pay for SANS training. By using a voucher, the student understands and agrees that their student data, including contact information and course-related data may be shared with the organization's designated contact.
When you register for a free vendor-sponsored webcast, you have the opportunity to opt out from a registrant list that will be sent to the sponsoring vendor. The information SANS provides to the vendor is for their organization only and the sponsoring vendor agrees not to share or resell the provided information. The data given to the sponsoring vendor includes email address, first name, last name, title, work phone, company name, address, city, state, postal code and country.
SANS may occasionally provide you the opportunity to participate in contests or surveys on our site. If you participate, we may request certain personally identifiable information from you. Participation in these surveys or contests is completely voluntary and you therefore have a choice whether or not to disclose this information. The requested information typically includes contact and demographic information such as name and address. We may share aggregated demographic information about our user base with our partners and advertisers. This information does not identify individual users.
When you contact SANS, we may keep a record of your communication to help solve any issues you might be facing. We may use your email address to inform you about our services, such as letting you know about upcoming changes or improvements.
SANS may use Twitter, Facebook or other social media outlets to market and promote its offerings and services. Any communications you make with SANS using these media may be used by SANS in accordance with this policy.
We may share personal information with companies, organizations or individuals outside of SANS if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:
GIAC Certified Professionals are listed on the GIAC website and is considered public information. Published data includes Analyst Number, Certificate Holder's Name, Practical Title (if applicable), Exam Grades, and Certification Expiration Date. No personal contact information is published.
As is true of most Web sites, we gather certain information automatically and store it in log files. This information may include IP addresses, browser type, referring/exit pages, operating system, date/time stamp, and clickstream data. We may collect device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). SANS may associate your device identifiers or phone number with your SANS Account.
We use this information to analyze trends, to administer the site, to track how visitors interact with the site.
When you log into your SANS account dashboard you may select the "Remember me" check box to set a persistent cookie to store your password, so you don't have to enter it more than once. You can remove the dashboard login cookie by clicking the "Logout" link.
If you reject cookies, you may still use our site, but your ability to use some areas of our site, such as the account dashboard, contests or surveys, will be limited and you may need to reenter personal information when you register for events.
SANS safeguards the security of the data you send us with physical, electronic, administrative and managerial procedures. Likewise, we urge you to take every precaution to protect your personal data when you are on the Internet. These precautions include not storing passwords, changing your password often, using a combination of letters, numbers and symbols, and using a secure browser over a secured network.
The SANS website currently uses at least SSL v3 and TLS v1 encryption on all web pages where personal information is submitted. This is designed to protect the confidentiality of your personal and credit card information as it is transmitted to us over the Internet.
SANS has designed its system to not store credit card numbers on our servers. Credit card numbers are submitted to a credit card authorization service. This service provides SANS with credit card validation information only. We do not have access to your personal financial data.
SANS may employ independent contractors to help manage data services, and such contractors may have access to data, similar to the access we give our employees. Also, SANS may store sales account data, including personally identifiable information, with a third party application service provider.
You always have access to the personal information we have about you. To review and update your personal contact information, simply click https://www.sans.org/account/ and log in with your email address and password, then click Update Your Account. We encourage you to review your preferences regularly to keep the information current. You may also write firstname.lastname@example.org to have the information changed or removed.
If you no longer wish to receive our newsletters and promotional communications from SANS, you may opt-out of receiving them by following the instructions included in each newsletter or communication or by accessing your preferences by logging into https://www.sans.org/account/ as described in the previous paragraph.
The SANS web site contains links to other sites that are not owned or controlled by SANS. Please be aware that SANS is not responsible for the privacy or security practices of such other sites. We encourage you to be aware when you leave our site and to read the privacy statements of each and every web site that collects personally identifiable information.
SANS does not sell or trade your personal information. We may at times receive contact lists from other organizations. We may send mailings such as brochures to these addresses. Typically, these are one-time mailings, and the data is not entered into our database. If you want to remove yourself from the third party's database, you must contact them directly. These mailings have a brochure code printed on the mailing label. By providing this code, we will be able to tell you from what provider we received your contact info.
SANS complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. SANS has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view SANS's certification, please visit http://www.export.gov/safeharbor/
When we receive formal written complaints about our compliance with our privacy policies, including the Safe Harbor Frameworks, we will contact the person who made the complaint to follow up. We work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of personal data that we cannot resolve with our users directly.