SANS Institute

The SANS Institute (officially the Escal Institute of Advanced Technologies) is a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates.

2.7/10

How we calculate ratings →

Handling

Does the policy allow personally-targeted or behavioral marketing? Yes

0/10

Does the service allow you to permanently delete your personal data? Yes, by contacting someone

3/5

Even if there is a reasonable delay before the data is fully deleted (as is common), the data still counts as "permanently deleted" and satisfies the parameters for this question.

Score

Yes, by contacting someone

60%

Yes, using an automated mechanism

100%

N/A

The service doesn't collect any personal information.

100%

Citation

You can ask us to delete, rectify, or port your data by submitting a request through your account or by contacting privacy@sans.org.

For Residents of the European Union and the United Kingdom

If you are a resident of the European Union or United Kingdom, the E.U. or U.K. General Data Protection Regulation (collectively, the “GDPR”) is applicable to our use of your data. The lawful basis for processing your personal information will depend on the personal information concerned and the specific context in which we collect it as detailed above. Under the GDPR you have a number of rights. For example, you can request to see a copy of the data we process about you, to delete or rectify your data, or to transfer your data elsewhere. You also have the right to make a complaint to your local supervisory authority and in the first instance to our Data Privacy Department.

If you wish to exert any of your rights, please contact us at via email at privacy@sans.org.

For Residents of California

Right to Delete: You have the right to request that a business delete any personal information about you which the business has collected from you.

We will use the following process to verify Requests to Know, Requests to Delete, and Requests to Correct: We will acknowledge receipt of your Consumer Request, verify it using processes required by law, then process and respond to your request as required by law. To verify such requests, we may ask you to provide the following information:

For a Request to Know categories of personal information which we collect, we will verify your identity to a reasonable degree of certainty by matching at least two data points provided by you against information in our systems which are considered reasonably reliable for the purposes of verifying a consumer’s identity.

For a Request to Know specific pieces of personal information, Requests to Delete, Requests to Correct, we will verify your identity to a high degree of certainty by matching at least three pieces of personal information provided by you to personal information maintained in our systems and also by obtaining a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.

An authorized agent can make a request on a California resident’s behalf by providing a power of attorney valid under California law, or providing: (1) proof that the consumer authorized the agent to do so; (2) verification of their own identity with respect to a right to know categories, right to know specific pieces of personal information, or requests to delete which are outlined above; and (3) direct confirmation that the consumer provided the authorized agent permission to submit the request.

For Residents of Virginia

If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) may grant you the following rights:

Right to Delete: You have the right to request that a business delete your personal information that was collected about you.

We will use the following process to verify Right to Access Requests, Right to Correction Requests, Right to Delete Requests, Right to Opt Out of Processing, and Right to Data Portability Requests:We will acknowledge receipt of your request, authenticate it using processes required by law, then process and respond to your request as required by law.To authenticate such requests, we may ask you to provide additional information as reasonably necessary.

Children’s Personal Information

When SANS collects personal information from or about children under the age of 17, we seek appropriate parental consent to process their information.

SANS products and services are not directed to children under the age of 13.SANS does not knowingly collect any personal information from children under the age of 13, nor does SANS knowingly distribute such information to third parties.If SANS becomes aware that it has received personal information from someone under the age of 13, SANS will take steps to delete such information from its records.If you believe SANS has personal information from individuals under the age of 13, please contact SANS at privacy@sans.org.

When does the policy allow law enforcement access to personal data? When reasonably requested

3/5

Score

Always

This includes cases in which law enforcement either runs the service or has a known backdoor into (or relationship with) the service.

Not specified

When reasonably requested

60%

Only when required by a court order or subpoena

80%

N/A (no personal data to share)

The service would have no personal data to share with law enforcement.

100%

Never (special legal jurisdiction)

The service operates in a jurisdiction in which sharing data with law enforcement is never required.

100%

Citation

Disclosure of Personal Information

We share or disclose your Personal Information where it is necessary to provide the Services, including sharing information with third party service providers, when required by law, to protect rights and safety, and with your consent. These third parties are detailed below.

Protect our rights: We may disclose personal information where we believe it necessary to respond to claims asserted against us, to comply with legal process (e.g., subpoenas or warrants), enforce or administer our agreements and terms, for fraud prevention, risk assessment, investigation and/or to protect the rights, property or safety of our company, our customers and/or others.

Other situations: We also may disclose your information where required by law, in response to a court order, or to prevent or detect crime.

Does the service allow third-party access to private personal data? Yes

0/10

This may come in the form of outright data sharing or by using local third-party analytics software (such as Google Analytics, which collects a plethora of user information).

Note that whether the policy allows sharing aggregated user data does not affect this question.

If the personal data is encrypted when it passes through the third-party, it does not count as third-party access (as the data is inaccessible to that party).

If personal data has been made public by, for example, posting it to a blog, it does not count as private personal information (and is therefore not considered by this question).

Score

Yes

The policy allows sharing personal data with third parties (not just critical service providers), and does not explicitly list the third parties.

Yes, all parties specified (including non-critical service providers such as advertisers)

30%

Yes, not all parties specified (but only to critical service providers)

70%

Yes, all parties specified (only to critical service providers)

80%

100%

Citation

Categories of Personal Information Sold or Shared.

The California Consumer Privacy Act (“CCPA”) defines a “sale” as disclosing or making available to a third party personal information in exchange for monetary or other valuable consideration, and it defines “share” in pertinent part as disclosing personal information to a third party for cross-context behavioral advertising.

As defined by the CCPA, the categories of personal information that we may “sell” include:

Name, contact information and other identifiers

As defined by the CCPA, the categories of personal information that we may “share” include:

Name, contact information, and other identifiers

The categories of third parties to whom we sell or share the data, as defined by the CCPA, may include:

Data analytics providers

Service providers who are assisting us in fulfilling our contracts and carrying out our business

Sponsors of SANS events, programs and papers

The business purpose for which we sell or share the data, as defined by the CCPA, may include:

Lead generation, business prospecting, and similar activities

To gain insights into online activities through analytics

To provide leads to sponsors of SANS events, programs and papers

We have “sold” and “shared” the categories of personal information listed above to data analytics providers in the preceding twelve months.

Disclosure of Personal Information

Authorized service providers: These services may include fulfilling orders, processing credit card payments, delivering materials, providing customer service and marketing assistance, performing business and sales analysis, supporting our Websites’ functionality, and supporting contests, promotions, sweepstakes, surveys and other features offered through our Websites. These service providers may have access to Personal Information needed to perform their functions but are not permitted to share or use such information for any other purposes.

Co-Sponsoring organizations: Some SANS training events are co-sponsored by other organizations. Examples include SANS private training events, sponsored webcasts, or sponsored whitepapers. When you register for an event, the co-sponsoring organization may have access to your registration data where you agree and provide your explicit consent.

GIAC Certification Information: GIAC Certified Professionals are listed on the GIAC website and their identities and certifications are considered public information. Published data includes Analyst Number, Certification Holder’s Name and Certification Expiration Date. No personal contact information is published.

Business partners: When you make purchases or engage in promotions offered through our Websites, we may share Personal Information with your consent with the businesses with which we partner to offer you those services, promotions, contests and/or sweepstakes.

Business transfers: We may disclose and/or transfer personal information as part of any actual or contemplated merger, sale, transfer of assets, acquisition, financing and/or restructuring of all or part of our business, bankruptcy or similar event, including related to due diligence conducted prior to such event when permitted by law.

Protect our rights: We may disclose personal information where we believe it necessary to respond to claims asserted against us, to comply with legal process (e.g., subpoenas or warrants), enforce or administer our agreements and terms, for fraud prevention, risk assessment, investigation and/or to protect the rights, property or safety of our company, our customers and/or others.

Other situations: We also may disclose your information where required by law, in response to a court order, or to prevent or detect crime.

Aggregated and Non-personal Information: We may share aggregated and non-personal information we collect under any of the circumstances set forth in this Policy. When we de-identify personal information, we have implemented reasonable measures as required by law to ensure that the de-identified data cannot be associated with any individual or customer. We will only maintain and use such data in a de-identified manner and do not attempt to re-identify the data, except as permitted by law.

Transparency

Does the policy require users to be notified in case of a data breach? Not necessarily

0/7

Note that all companies operating in the EU are subject to Art. 33 of the GDPR, which requires companies to notify their data protection authority of a data breach within 72 hours of discovering it.

Score

Not necessarily

Yes, eventually

Users will be notified in case of a data breach but within an unspecified amount of time.

70%

Yes, within 72 hours

100%

N/A

The service collects so little personal data that notification would not be possible.

100%

Notes

Despite the SANS Institute playing a major role in the cybersecurity industry, their privacy policy does not specify a data breach protocol. It also notes the following:

The security of your Personal Information is important to us. Be aware that the internet is a global communications vehicle open to threats, viruses, and intrusions from others, so we cannot promise - and you should not expect - that we will be able to protect your personal information at all times and in all circumstances.

Is the policy's history made available? Only the date it was last modified

3/5

Will affected users be notified when the policy is meaningfully changed? No

0/5

Does the policy outline the service's general security practices? No

0/3

Score

Somewhat

The policy provides only a very vague overview of its security practices.

30%

Yes

60%

Yes, including audits

"Reviews," "monitoring," etc. also count as audits.

80%

Yes, including independent audits

Independent "reviews," "monitoring," etc. also count as independent audits.

100%

N/A

The service doesn't collect any personal information.

100%

Notes

Despite the SANS Institute playing a major role in the cybersecurity industry, their privacy policy doesn't mention whether any audits are ever done in the SANS Institute systems. They also do not appear to have a bug bounty, nor a responsible disclosure program.

Collection

Is it clear why the service collects the personal data that it does? Somewhat

3/10

Score

Somewhat

30%

Mostly

70%

Yes

100%

N/A

The service doesn't collect any personal information.

100%

Citation

General Uses

We may use information that we collect about you to:

deliver the services that you have requested

manage your account and provide you with customer support

perform research and analysis about your use of or interest in our services, our content, or products, as well as services or content offered by others

communicate with you by email, postal mail, telephone, our websites, our applications, and/or mobile devices about products, services, or resources that may be of interest to you either from us or other third parties

enforce our terms and conditions

manage our business and perform functions as otherwise described to you at the time of collection

for legal compliance purposes

occasionally notify you about special sales or services to personalize your experience with SANS (you can opt out if you wish)

process payment for any purchases or sales made on our Websites, to protect against or identify possible fraudulent transactions, and otherwise as needed to manage our business

Notes

In some cases the required information for signing up may be excessive. For example, an account is required to download resources related to "CIS Controls v8", yet in such cases it does not make sense for SANS to request a physical living address, job function, phone numbers, etc.

Does the policy list the personal data it collects? Yes, generally

7/10

Score

The policy does not claim to not collect personal data, but it also doesn't provide any meaningful insight into the types of personal data it collects.

Only summarily

The policy uses overly vague language to provide a summary of the types of collected personal data.

30%

Yes, generally

All general categories of collected personal data are listed, though not all types of personal data are explicitly mentioned (for example, the list might use a phrase like 'such as' when listing types of personal data).

70%

Yes, exhaustively

All types of collected personal data are listed specifically

100%

N/A (no personal data is collected)

100%

Citation

Personal Information We Collect

You will be asked to provide personal data when you create a SANS account, make a purchase, or contact us for support. We also collect data recording how you interact with our services. We may also obtain information about you from our business partners or other third parties.

We may receive and collect certain data automatically for example from website analytics, information from your internet browser when you visit our Websites, and information collected by cookies. We may collect Personal Information that can identify you, such as your name and email address, and other information that does not identify you.

Information Provided by You

When You Set Up a SANS Account

We collect your name, email address, phone number(s), address, company, department, job function, industry, organizational memberships, and geographic region to create a SANS account. We also process and store data associated with training assignments, including scores on assessments you undertake, data associated with your registration for content such as webcasts and Summits, and data associated with your use of content provided by our Websites.

When You Use Our Websites

We use various technologies to collect information from your computer or device and about your activities on our Websites. These are detailed below:

Information automatically collected such as your IP address, your browser type and language, access times, the content of any undeleted cookies that your browser previously accepted from us, referring or exit website address, internet service provider, date/time stamp, operating system, locale and language preferences, and system configuration information.

Cookies. When you visit our Websites we may assign your computer or device one or more cookies to facilitate access to our site and to personalize your online experience. These cookies may relate to tools such as Google Analytics and similar technologies. Through cookies we also may automatically collect information about your online activity on our site, such as the web pages you visit, the links you click, and the searches you conduct on our site. Please see our Cookie Policy for more detail.

Other technologies. We may use standard internet technology, such as web beacons, session replay scripts, and other similar technologies, to track your use of our Websites. We also may include web beacons in promotional email messages or newsletters. Web beacons are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer’s hard drive, pixel tags are embedded invisibly on web pages. We may use these, in connection with our Websites to, among other things, track the activities users of our services, improve ads, personalize and manage content, and gather usage information about our Websites. We may also use these in HTML emails to, to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded. Session replay software scripts capture information concerning a user’s interaction with the Websites, including keystrokes, mouse movements and clicks, movements within a webpage and through the Websites, interactions with menus, banners, and forms, and form field entries. We may use third-party software embedded in the script of the Websites to monitor your interaction with the Websites and/or for our compliance verification purposes, which may mean that the third-party software provider also collects this information. By using our Websites, you consent to this collection and disclosure of information.

Does the service allow the user to control whether personal data is collected or used for non-critical purposes? On an opt-out basis, for all non-critical data/uses

6/10

Some services allow users to opt-out or opt-in to of non-critical collection or use of personal data, such as collecting data for personalized advertisements.

Score

On an opt-out basis, but only for some non-critical data/uses

30%

On an opt-out basis, for all non-critical data/uses

60%

On an opt-in basis

60%

N/A (no data used for non-critical purposes)

100%

Citation

Opt-Out

We will not share personal data without your permission unless it is necessary for us to provide services to you.

You can opt out of non-essential use of your data at any time by selecting the “Opt-Out” link found in the footer of the communication or on our Websites and following the instructions or contacting us.

To make a request or exercise your data privacy rights, if you have a complaint, or if you have any questions or suggestions regarding this Policy or our processing of your personal information, please contact us at privacy@sans.orgor at +1 301-654-7267 and request to speak to the Data Privacy Department.

Does the service collect personal data from third parties? Yes

0/10

Last Updated

June 13, 2023

Sources

Source #1 ↗

Contributors

ItsIgnacioPortal