For purposes of this policy, "IISRI" shall mean Independent Information Security Rating Institute Limited.
2. Information CollectedBelow you will find a description of possible interactions with IISRI where private information might be collected.
2.2. Rating reports.In order to purchase our rating reports, you need to provide us with the following details: your first and last name, email address and (optionally) organization name. This information is retained for 12 months or until the rating expires. After this period all your personal information is automatically removed.
2.3. External assessments.External assessments are performed based on publicly available information. Therefore, none of the information is classified as privacy related information. All information used during the assessments is mirrored, timestamped, encrypted and stored in a secure location.
2.4. Internal assessments.Internal assessments are performed with the cooperation of the assessed organization and therefore privacy related, sensitive or confidential information may be provided to IISRI. All information obtained via electronic communication is transferred over an encrypted channel. Access to this information is strictly limited to the IISRI assessors per assessment and the IISRI rating committee. ALL data used during and after the assessment are encrypted.
2.5. Email.Any information sent to IISRI by email is considered to be send through ann unencrypted channel. Therefore such information is automatically declassified and is not covered by this policy.
3. Use of Collected InformationOnly in two situations does IISRI use your personal information: when you buy our reports from our website and when we perform internal assessments. This information is retained for 12 months or until the rating expires.
3.1. ReportsInformation provided by you is used to create a unique watermark and stored in case you lose your rating report. You can contact us and based on this information we can send you a copy of the report.
IISRI will not disclose confidential information to third parties. However, in case of internal assessments, the assessed organisation might request us to disclose confidential parts of the report to third parties. In order to do that IISRI will first confirm that the requestor is the owner or legitimate representative of the assessed organization.