Policy Format

Writing policy documents can be challenging. Policies are complex documents that must withstand legal and regulatory scrutiny and at the same time be easy to read and understand. The starting point for choosing a format is identifying the policy audience.

Understand Your Audience

Who a policy is intended for is referred to as the policy audience. It is imperative during the planning portion of the security policy project to clearly define the audience. Policies may be intended for a particular group of employees based on job function or role. For example, an application development policy is targeted to developers. Other policies may be intended for a particular group or individual based on organizational role, such as a policy defining the responsibility of the chief information security officer (CISO). The policy, or portions of it, can sometimes apply to people outside the company, such as business partners, service providers, contractors, or consultants. The policy audience is a potential resource during the entire policy life cycle. Indeed, who better to help create and maintain an effective policy than the very people whose job it is to use those policies in the context of their everyday work?

Policy Format Types

Organize before you begin writing! It is important to decide how many sections and subsections you will require before you begin writing. Designing a template that allows the flexibility of editing will save considerable time and reduce aggravation. In this section, you will learn about the different sections and subsections of a policy, as well as the policy document format options.

There are two general ways to structure and format a policy:

  • Singular policy: Write each policy as a discrete document.

  • Consolidated policy: Group together similar and related policies.

Consolidated policies are often organized by section and subsection.

Table 2-1 illustrates policy document format options.

TABLE 2-1 Policy Document Format Options

Format              | Example
--------------------|------------------------------------------------------------
Singular policy     | Chief information security officer (CISO) policy: Specific to the role and responsibility of the information security officer.
Consolidated policy | Governance policy: Addresses the role and responsibilities of the board of directors, executive management, chief risk officer, CISO, compliance officer, legal counsel, auditor, IT director, and users.

The advantage of creating individual policies is that each policy document can be short, clean, crisp, and targeted to its intended audience. The disadvantage is the need to manage multiple policy documents and the chance that they will become fragmented and lose consistency. The advantage of a consolidated policy is that it presents a composite management statement in a single voice. The disadvantages are the potential size of the document and the difficulty the reader may have locating applicable sections.

In the first edition of this book, we limited our study to singular policy documents. Since then, both the use of technology and the regulatory landscape have increased exponentially—only outpaced by escalating threats. In response to this ever-changing environment, the need for policies and the number of policies has grown. For many organizations, managing singular policies has become unwieldy. The current trend is toward consolidation. Throughout this edition, we have consolidated policies by security domain.

Regardless of which format you choose, you should not include standards, baselines, guidelines, or procedures in your policy document. If you do, you will end up with one big unruly document. And you will undoubtedly encounter one or more of the following problems:

  • Management challenge: Who is responsible for managing and maintaining a document that has multiple contributors?

  • Difficulty of updating: Because standards, guidelines, and procedures change far more often than policies, updating this whale of a document will be far more difficult than if these elements were properly treated separately. Version control will become a nightmare.

  • Cumbersome approval process: Various regulations as well as the corporate operating agreement require that the board of directors approve new policies as well as changes. Mashing it all together means that every change to a procedure, guideline, or standard will potentially require the board to review and approve it. This will become very costly and cumbersome for everyone involved.

Policy Components

Policy documents have multiple sections or components (see Table 2-2). How the components are used and in what order depends on which format—singular or consolidated—you choose. In this section, we examine the composition of each component. Consolidated policy examples are provided in the “In Practice” sidebars.

TABLE 2-2 Policy Document Components

Component                   | Purpose
----------------------------|---------------------------
Version control             | To track changes
Introduction                | To frame the document
Policy heading              | To identify the topic
Policy goals and objectives | To convey intent
Policy statement            | Mandatory directive
Policy exceptions           | To acknowledge exclusions
Policy enforcement clause   | Violation sanctions
Administrative notations    | Additional information
Policy definitions          | Glossary of terms

Version Control

Best practices dictate that policies are reviewed annually to ensure that they are still applicable and accurate. Of course, policies can (and should) be updated whenever there is a relevant change driver. Version control, as it relates to policies, is the management of changes to the document. The version is usually identified by a number or letter code. Major revisions generally advance to the next letter or digit (for example, from 2.0 to 3.0). Minor revisions generally advance as a subsection (for example, from 2.0 to 2.1). Version control documentation should include the change date; the name of the person or persons making the change; a brief synopsis of the change; the name of the person, committee, or board that authorized the change; and the effective date of the change.

  • For a singular policy document, this information is split between the policy heading and the administrative notation sections.

  • For a consolidated policy document, a version control table is included either at the beginning of the document or at the beginning of a section.

Introduction

Think of the introduction as the opening act. This is where authors first meet the readers and have the opportunity to engage them. Here are the objectives of the introduction:

  • To provide context and meaning

  • To convey the importance of understanding and adhering to the policy

  • To acquaint the reader with the document and its contents

  • To explain the exemption process as well as the consequence of noncompliance

  • To reinforce the authority of the policy

The first part of the introduction should make the case for why the policy is necessary. It is a reflection of the guiding principles, defining for the reader the core values the company believes in and is committed to. This is also the place to set forth the regulatory and contractual obligations that the company has—often by listing which regulations, such as GLBA, HIPAA, or MA CMR 17 201, pertain to the organization as well as the scope of the policy.

The second part of the introduction should leave no doubt that compliance is mandatory. A strong statement of expectation from a senior authority, such as the chair of the board, CEO, or president, is appropriate. Users should understand that they are unequivocally and directly responsible for following the policy in the course of their normal employment or relationship with the company. This part of the introduction should also make clear that questions are welcome, and a resource is available who can clarify the policy and/or assist with compliance.

The third part of the introduction should describe the policy document, including the structure, categories, and storage location (for example, the company intranet). It should also reference companion documents such as standards, guidelines, programs, and plans. In some cases, the introduction includes a revision history, the stakeholders who may have reviewed the policy, and who to contact to make any modifications.

The fourth part of the introduction should explain how to handle situations where compliance may not be feasible. It should provide a high-level view of the exemption and enforcement process. The section should also address the consequences of willful noncompliance.

  • For a singular policy document, the introduction should be a separate document.

  • For a consolidated policy document, the introduction serves as the preface and follows the version control table.

Policy Heading

A policy heading identifies the policy by name and provides the reader with an overview of the policy topic or category. The format and contents of the heading significantly depend on the format (singular or consolidated) you are using:

  • A singular policy must be able to stand on its own, which means it is necessary to include significant logistical detail in each heading. The information contained in a singular policy heading may include the organization or division name, category (section), subsection, policy number, name of the author, version number, approval authority, effective date of the policy, regulatory cross-reference, and a list of supporting resources and source material. The topic is generally self-explanatory and does not require an overview or explanation.

  • In a consolidated policy document, the heading serves as a section introduction and includes an overview. Because the version number, approval authority, and effective date of the policy have been documented in the version control table, it is unnecessary to include them in section headings. Regulatory cross-reference (if applicable), lead author, and supporting documentation are found in the Administrative Notation section of the policy.

Policy Goals and Objectives

Policy goals and objectives act as a gateway to the content to come and the security principle they address. This component should concisely convey the intent of the policy. Note that even a singular policy can have multiple objectives. We live in a world where business matters are complex and interconnected, which means that a policy with a single objective might be at risk of not covering all aspects of a particular situation. It is therefore important, during the planning phase, to pay appropriate attention to the different objectives the security policy should seek to achieve.

  • A singular policy lists the goals and objectives either in the policy heading or in the body of the document.

  • In a consolidated policy document, the goals and objectives are grouped and follow the policy heading.

Policy Statement

Up to this point in the document, we have discussed everything but the actual policy statement. The policy statement is a high-level directive or strategic roadmap. This is the section where we lay out the rules that need to be followed and, in some cases, reference the implementation instructions (standards) or corresponding plans. Policy statements are intended to provide action items as well as the framework for situational responses. Policies are mandatory. Deviations or exceptions must be subject to a rigorous examination process.

Policy Exceptions and the Exemption Process

Realistically, there will be situations in which it is not possible or practical—or perhaps may even be harmful—to obey a policy directive. This does not invalidate the purpose or quality of the policy. It just means that some special situations will call for exceptions to the rule. Policy exceptions are agreed waivers that are documented within the policy. For example, in order to protect its intellectual property, Company A has a policy that bans digital cameras from all company premises. However, a case could be made that the HR department should be equipped with a digital camera to take pictures of new employees for their ID badges. Or maybe the security officer should have a digital camera to document the proceedings of evidence gathering after a security breach has been detected. Both examples are valid reasons a digital camera might be needed. In these cases, an exception to the policy could be added to the document. If no exceptions are ever to be allowed, this should be clearly stated in the policy statement section as well.

An exemption or waiver process is required for exceptions identified after the policy has been authorized. The exemption process should be explained in the introduction. Only the method or process for requesting an exemption—and not the criteria or conditions for exemptions—should be detailed in the policy. Trying to list every condition to which an exemption applies risks creating a loophole in the exemption itself. It is also important that the process follow specific criteria under which exemptions are granted or rejected. Whether an exemption is granted or rejected, the requesting party should be given a written report with clear reasons either way.

Finally, it is recommended that you keep the number of approved exceptions and exemptions low, for several reasons:

  • Too many built-in exceptions may lead employees to perceive the policy as unimportant.

  • Granting too many exemptions may create the impression of favoritism.

  • It can become difficult to keep track of and successfully audit a large number of exceptions and exemptions.

If there are too many built-in exceptions and/or exemption requests, it may indicate that the policy is not appropriate in the first place. At that point, the policy should be subject to review.

Policy Enforcement Clause

The best way to deliver the message that policies are mandatory is to include the penalty for violating the rules. The policy enforcement clause is where the sanctions for non-adherence to the policy are unequivocally stated to reinforce the seriousness of compliance. Obviously, you must be careful with the nature of the penalty. It should be proportional to the rule that was broken, whether it was accidental or intentional, and the level of risk the company incurred.

An effective method of motivating compliance is proactive training. All employees should be trained in the acceptable practices presented in the security policy. Without training, it is hard to fault employees for not knowing they were supposed to act in a certain fashion. Imposing disciplinary actions in such situations can adversely affect morale. We take a look at various training, education, and awareness tools and techniques in later chapters.

Administrative Notations

The purpose of administrative notations is to refer the reader to additional information and/or provide a reference to an internal resource. Notations include regulatory cross-references; the names of corresponding documents, such as standards, guidelines, and programs; supporting documentation such as annual reports or job descriptions; and the policy author’s name and contact information. You should include only notations that are applicable to your organization. However, you should be consistent across all policies.

  • A singular policy incorporates administrative notations either in the heading, at the end of the document, or split between the two locations. How this is handled depends on the company’s policy template.

  • In a consolidated policy document, the administrative notations are located at the end of each section.

Policy Definitions

The policy definition section is a glossary of terms, abbreviations, and acronyms used in the document that the reader may be unfamiliar with. Adding definitions to the overall document will aid the target audience in understanding the policy and will therefore make the policy a much more effective document.

The general rule is to include definitions for any instance of industry-specific, technical, legal, or regulatory language. When deciding what terms to include, it makes sense to err on the side of caution. The purpose of the security policy document is communication and education. The target audience for this document usually encompasses all employees of the company and sometimes outside personnel. Even if some technical topics are well known to all in-house employees, some of those outside individuals who come in contact with the company—and therefore are governed by the security policy—may not be as well versed in the policy’s technical aspects.

Simply put, before you begin writing down definitions, it is recommended that you first define the target audience for whom the document is crafted and cater to the lowest common denominator to ensure optimum communication efficiency.

Another reason definitions should not be ignored is for the legal ramifications they represent. An employee cannot pretend to have thought that a certain term used in the policy meant one thing when it is clearly defined in the policy itself. When you’re choosing which words will be defined, therefore, it is important to look not only at those that could clearly be unknown but also at those that should be defined to remove any and all ambiguity. A security policy could be an instrumental part of legal proceedings and should therefore be viewed as a legal document and crafted as such.
