Blog2021-03-25T19:15:41-04:00
Proprietary data, expert analysis and bold thinking for leaders who want to achieve the extraordinary.

Cyber Risk Board Oversight

The high-profile breach of Target's data reinforced that cyber security does not only impact IT but also the whole of a business. The resignation of the CEO and CIO underscored the repurcussions a cyber-incident can have on the confidence in an organization's leadership, market reputation, and shareholder value.

December 28th, 2017|
Read More

The Case for Audit

Admin Assistant Jane was considered a “trusted employee” by the non-profit’s CEO. Jane also happened to own a bridal business and was regarded a "fairy godmother" for having donated over a million dollars. So how was Jane able to pocket $5 million dollars over an eight-year period, undetected?

November 27th, 2016|
Read More

Cyberinsurance: Value Generator or Cost Burden?

Although larger companies may be equipped to weather a cyberstorm and its aftermath, 60% of small businesses close their doors within six months after an attack, making cybercrime an equal opportunity with unequal consequences. Some enterprises are beginning to consider cyberinsurance as a component of their risk transfer strategy.

October 11th, 2016|
Read More

Extending CDM into the Cloud

ControlPoints led the first CDM deployment in the cloud across the US federal government. In this case study we share our lessons learned, some noteworthy challenges, and recommendations for improving the program with national security implications.

September 27th, 2016|
Read More

Social Media Security

Social media adoption is rapidly gaining traction, with businesses making heavy investments to keep pace with the velocity of consumer demand from distinct social media platforms. What are some of the security pitfalls brands must understand and avoid to reap the benefits?

August 29th, 2013|
Read More

SAS70 Modernized

SAS70 is a report commonly used by an entity to gain insight into their third-party service provider's internal controls. Similar to the SAS70 report, there are two types of SSAE 16 service auditor reports; Type I and Type II.

February 8th, 2013|
Read More

Categories

 

 

Privacy & Disclosure Policy

 

Effective Date: May 25, 2018

This policy explains what information we collect when you use ControlPoints’ site, services, mobile applications, products, and content (“Services”). It also has information about how we store, use, transfer, and delete that information. Our aim is not just to comply with privacy law. It’s to earn your trust.

Information We Collect & How We Use It

We obtain personal information about you if you choose to provide it — for example, to contact mailboxes or to register for certain services. In some cases, you will have previously provided your personal information to ControlPoints (if, for example, you are a former employee). If you choose to register or login to a ControlPoints web site using a third party single sign-in service that authenticates your identity and connects your social media login information (e.g., LinkedIn, Google, or Twitter) with ControlPoints, we will collect any information or content needed for the registration or log-in that you have permitted the social media provider to share with us, such as your name and email address. Other information we collect will depend on the privacy settings you have set with your social media provider, so please review the privacy statement or policy of the applicable service.

When you register or submit personal information to ControlPoints we will use this information in the manner outlined in this privacy statement. Your personal information is not used for other purposes, unless we obtain your permission, or unless otherwise required or permitted by law or professional standards. For example, if you register to a ControlPoints web site and provide information about your preferences we will use this information to personalize your user experience. Where you register or login using a third party single user sign-in we may also recognize you as the same user across any different devices you use and personalize your user experience across other ControlPoints sites you visit. If you send us a resume or curriculum vitae (CV) to apply online for a position with ControlPoints, we will use the information that you provide to match you with available ControlPoints job opportunities. In some cases where you have registered for certain services we will store your email address temporarily until we receive confirmation of the information you provided via an email (i.e. where we send an email to the email address provided as part of your registration to confirm a subscription request).

Legal Grounds We Have to Use Your Information

ControlPoints generally collects only the personal information necessary to fulfill your request. Where additional, optional information is sought, you will be notified of this at the point of collection. The law in the United States and Europe allows us to process personal information, so long as we have a ground under the law to do so. It also requires us to tell you what those grounds are. As a result, when we process your personal information, we will rely on one of the following processing conditions:

  • Performance of a contract: this is when the processing of your personal information is necessary in order to perform our obligations under a contract;
  • Legal obligation: this is when we are required to process your personal information in order to comply with a legal obligation, such as keeping records for tax purposes or providing information to a public body or law enforcement agency;
  • Legitimate interests: we will process information about you where it is in our legitimate interest in running a lawful business to do so in order to further that business, so long as it doesn’t outweigh your interests; or
  • Your consent: in some cases, we will ask you for specific permission to process some of your personal information, and we will only process your personal information in this way if you agree to us doing so. You may withdraw your consent at any time by contacting ControlPoints at [email protected].

Examples of the ‘legitimate interests’ referred to above are:

  • To offer information and/or services to individuals who visit our web site or offer information about employment opportunities.
  • To prevent fraud or criminal activity and to safeguard our IT systems.
  • To customize individuals’ online experience and improve the performance, usability and effectiveness of ControlPoints’ online presence.
  • To conduct, and to analyze, our marketing activities.
  • To meet our corporate and social responsibility obligations.
  • To exercise our fundamental rights in the EU under Articles 16 and 17 of the Charter of Fundamental Rights, including our freedom to conduct a business and right to property.

In some cases, the personal data that we collect will also include special categories of data, such as diversity related information (including data about racial and ethnic origin, political opinions, religious beliefs and other beliefs of a similar nature, trade union membership and data about sexual life and sexual orientation), or health data and data about alleged or proven criminal offences in each case where permitted by law.

Children

ControlPoints understands the importance of protecting children’s privacy, especially in an online environment. In particular, our sites are not intentionally designed for or directed at children under the age of 13. It is our policy never to knowingly collect or maintain information about anyone under the age of 13, except as part of an engagement to provide professional services.

Information Disclosure

ControlPoints won’t transfer information about you to third parties for the purpose of providing or facilitating third-party advertising to you. We won’t sell information about you. We may share your account information with third parties in some circumstances, including: (1) with your consent; (2) to a service provider or partner who meets our data protection standards; (3) with academic or non-profit researchers, with aggregation, anonymization, or pseudonomization; (4) when we have a good faith belief it is required by law, such as pursuant to a subpoena or other legal process; (5) when we have a good faith belief that doing so will help prevent imminent harm to someone. If we are going to share your information in response to legal process, we’ll give you notice so you can challenge it (for example by seeking court intervention), unless we’re prohibited by law or believe doing so may endanger others. We will object to requests for information about users of our services that we believe are improper.

Data Storage

ControlPoints uses third-party vendors and hosting partners, for hardware, software, networking, storage, and related technology we need to run ControlPoints. We maintain two types of logs: server logs and event logs. By using ControlPoints Services, you authorize ControlPoints to transfer, store, and use your information in the United States and any other country where we operate.

Third-Party Embeds

Some of the content that you see displayed on ControlPoints is not hosted by ControlPoints. These “embeds” are hosted by a third-party and embedded in ControlPoints. For example: YouTube or Vimeo videos, Amazon products, SoundCloud audio files, Twitter tweets, GitHub code, or Scribd documents that appear within a ControlPoints post. These files send data to the hosted site just as if you were visiting that site directly (for example, when you load a ControlPoints post page with a YouTube video embedded in it, YouTube receives data about your activity). ControlPoints does not control what data third parties collect in cases like this, or what they will do with it. So, third-party embeds on ControlPoints are not covered by this privacy policy. They are covered by the privacy policy of the third-party service. Some embeds may ask you for personal information, such as your email address, through a form. We do our best to keep bad actors off of ControlPoints. However, if you choose to submit your information to a third party this way, we don’t know what they may do with it. As explained above, their actions are not covered by this Privacy Policy. So, please be careful when you see embedded forms on ControlPoints asking for your email address or any other personal information. Make sure you understand who you are submitting your information to and what they say they plan to do with it. We suggest that you do not submit personal information to any third-party through an embedded form. If you embed a form that allows submission of personal information by users, you must provide near the embedded form a prominent link to an applicable Privacy Policy that clearly states how to you intend to use any information collected. Failure to do so may lead ControlPoints to disable the post or take other action to limit or disable your account.

Tracking & Cookies

We use browser cookies and similar technologies to recognize you when you return to our Services. We use them in various ways, for example to log you in, remember your preferences (such as default language), evaluate email effectiveness, allow our paywall and meter to function, and personalize content and other information. ControlPoints doesn’t track you across the Internet. We track only your interactions within the ControlPoints network (which encompasses ControlPoints.com and custom domains hosted by ControlPoints). Further information about managing cookies can be found in your browser’s help file or through sites such as www.allaboutcookies.org.

Some third-party services that we use to provide the ControlPoints Service, such as Google Analytics, may place their own cookies in your browser. This Privacy Policy covers use of cookies by ControlPoints only and not the use of cookies by third parties.

ControlPoints complies with the “Do Not Track” (“DNT”) standard recommended by the World Wide Web Consortium. For logged-out users browsing with DNT enabled, ControlPoints’s analytics will not receive data about you, but we will do some first-party tracking in order to customize content and provide data to third-party service providers that enable ControlPoints Services to work. When you use ControlPoints while logged-in to your account, we cannot comply with DNT.

Modifying or Deleting Your Personal Information

If you have a ControlPoints account, you can access, modify or export your personal information, or delete your account. To protect information from accidental or malicious destruction, we may maintain residual copies for a brief time period. But, if you delete your account, your information and content will be unrecoverable after that time. ControlPoints may preserve and maintain copies of your information when required to do so by law.

Data Security

We use encryption (HTTPS/TLS) to protect data transmitted to and from our site. However, no data transmission over the Internet is 100% secure, so we can’t guarantee security. You use the Service at your own risk, and you’re responsible for taking reasonable measures to secure your account.

Business Transfers

If we are involved in a merger, acquisition, bankruptcy, reorganization or sale of assets such that your information would be transferred or become subject to a different privacy policy, we’ll notify you in advance so you can opt out of any such new policy by deleting your account before transfer.

Email from ControlPoints

Sometimes we’ll send you emails about your account, service changes or new policies. You can’t opt out of this type of “transactional” email (unless you delete your account). But, you can opt out of non-administrative emails such as digests, newsletters, and activity notifications. When you interact with an email sent from ControlPoints (such as opening an email or clicking on a particular link in an email), we may receive information about that interaction. We won’t email you to ask for your password or other account information. If you receive such an email, please send it to us so we can investigate.

When you choose to opt in to materials on www.controlpoints.com or provide your email address for any reason, you are subject to receive promotional emails, educational emails, and content emails that include video material, blog material, and special offers or notices of upcoming live events and workshops hosted by ControlPoints. The email address that you provide is stored in our database for www.controlpoints.com so that we may track user behavior and tag your behavior in order to provide a better user experience based on items you have shown an interest in or have opted in for on the website. We may maintain separate email lists for different purposes. In order to end your email subscription to a particular list, you must follow the instructions on how to unsubscribe contained in every email correspondence that you receive from ControlPoints. Unsubscribing from one list will not automatically unsubscribe you from all email lists. We only send email marketing to individuals that have agreed, whether by opting in for materials on this website or through third party websites, to receive email marketing from ControlPoints or its affiliates and partners. Though we make every effort to preserve user privacy, we may be required to disclose personal information in some instances, such as: 1) when required by law wherein we have a good faith belief that such action is necessary to comply with a judicial proceeding, court order, and/or subpoena; 2) in the event that ControlPoints is sold or acquired; or 3) in the event that we believe that the Website is being, or has been, used in violation of our terms and conditions or to commit unlawful acts. Moreover, you hereby consent to the disclosure of any record or communication to any third party when ControlPoints, in its sole discretion, determines the disclosure to be appropriate including, without limitation, sharing your email address with other third parties for suppression purposes in compliance with the provisions of the CAN-SPAM Act of 2003, as amended from time-to-time. To prevent unauthorized access, maintain data accuracy and to ensure the appropriate use of information, we have put in place physical, electronic and managerial procedures to protect the information we collect online. We shall continue to take reasonable steps to provide effective data protection at all times, however, no security technology can provide invulnerability to information compromise. Therefore ControlPoints cannot, and does not, guarantee the security of any information that you transmit to us or to any third party affiliated with the Site. It is important for you to protect against unauthorized access to your password and to your computer. Be sure to sign off when finished using a shared computer.

Data Protection Statement for European Union Users

Description of Processing Activity

ControlPoints collects and stores personal information about its users to customize their reading experience and enable personalized distribution of content. It shares minimal data with its service providers.

Purposes of Processing

  • Provide, test, promote, and improve the services
  • Gather usage statistics of services
  • Provide customized reading experience
  • Publish and distribute user-generated content
  • Provide access to paid content
  • Pay authors in Partnership Program for certain content
  • Fight spam, fraud, and other abuse of services

Legal Bases

In order to provide the services, ControlPoints collects and stores personal data about its users on the legal basis of consent given when you create an account and agree to the Privacy Policy. ControlPoints also pursues its legitimate interests by collecting minimal data of logged out users to provide the services, as outlined above.

Where ControlPoints collects and stores personal data about non-users, it does so under performance of contract obligations with users who use the services to publish content on web sites hosted by ControlPoints. In such cases, users authoring such content containing personal data of third parties are responsible for that content. ControlPoints will consider related complaints in compliance with the General Data Protection Regulation’s rights of the data subject, as well as rights of expression and access to information.

Public Nature of Personal Data

Logged-in users may choose to interact publicly with the ControlPoints Services in the form of liking a post, highlighting parts of a post, following other user accounts, sharing links on connected social media accounts, or writing original posts. Where such personal data may reveal special category protected data, it is processed on the basis that it is manifestly made public by the user. Additional information on potential consequences of such processing can be found below. If you do not agree to this public usage, do not create an account or use these features of ControlPoints Services.

Categories of Personal Data Collected

Logged out users

  • Reading history
  • IP address
  • Browser information
  • DNT status

Logged in users:

  • Username
  • Display name
  • Bio
  • Avatar image
  • Email address (non-public)
  • Session activity (security)
  • Linked social media accounts (optional)
  • IP address
  • Browser information
  • Reading history (on ControlPoints network only)
  • Network interactions (recommends, follows, etc.)
  • Posts, responses, or series published by user

Members:

  • Billing information and history

Partner authors:

  • Bank account for payments
  • Business information, if applicable

Categories of Recipients

ControlPoints shares minimal personal data with third-party processors in order to provide the Services. These processors offer at least the same level of data protection as that set out in this statement. This includes the following categories of recipients:

  • Hosting, Storage, & Other Infrastructure
  • Security
  • Analytics
  • Communication & Support
  • Payment Processors

Search engines will index user profiles, public interactions, and any user-generated content. Users may also share links to your content on social media.

Payment Processors

ControlPoints provides Services in conjunction with several payment processors, including: Stripe, Paypal, Google Play, and Apple Pay, through which users may pay for ControlPoints memberships or receive payment based on participation in our Partner program. Those companies acting as payment processors may collect and store personal data related to your billing information and history in order to provide their services, and may collect and store personal data and business data to prevent fraud and other abuse. When you delete your ControlPoints account, ControlPoints deletes your personal data as outlined in this document. However, to delete your payment or billing information, you will need to do so with your payment provider, as ControlPoints only has minimal secure access to those records as needed to provide the services.

Embedded Content

ControlPoints posts may contain third-party embeds, which may in some cases collect and store personal data. The use of personal data by embedded content providers is not covered by this statement, but by the privacy policies of those sites or services.

Existence of Automated Decision-making

ControlPoints collects and stores personal data about its users to customize reading. This includes automated decision-making to promote content tailored to the preferences and interests indicated by the user, and to their browsing history and network interactions. ControlPoints also filters content for the purposes of fighting and preventing spam, fraud, and other forms of abuse.

Potential Consequences of Processing

By creating an account on ControlPoints, users may make certain personal data about themselves public and accessible to others on their profile and through network interactions. This may in some cases constitute special category protected data which is considered manifestly made public by the user. Due to the public nature of information posted to ControlPoints, it may be possible for third parties to derive identifying personal data from posts, whether by reading, inference, supplemental research, or automated extraction and analysis. Users are free to use their real name and information, or a pseudonym of their choosing, for their account. Users may also choose to use the service without posting data or engaging in network interactions. However, if you do not agree with and accept the risks of such usage, you may not use the services.

Cross-border Transfers

ControlPoints is hosted in the United States. By using ControlPoints Services, you authorize ControlPoints to transfer, store, and use your information in the United States and any other country where we operate. Where your data is disclosed to our processors, it is subject by contract to at least the same level of data protection as that set out in this statement.

Retention

ControlPoints retains personal data associated with your account for the lifetime of your account. If you would like to delete your personal information, you can delete your account at any time. Deleted account profile pages will yield an error 404 “file not found” page, immediately upon initiating deletion, and will become unrecoverable in our system after a period of fourteen days. It may take several additional days for your personal data to be de-indexed from search engines, depending on those search engines’ practices, over which ControlPoints may have limited or no control. To delete your payment or billing information, you will need to do so with your payment provider, as ControlPoints only has minimal secure access to those records as needed to provide the services.

Your Rights

If ControlPoints processes personal information about you, you have the following rights:

  1. If you sign up for a ControlPoints account, you may correct information associated with your account after logging in.
  2. You may withdraw consent by deleting your account at any time, which will erase your personal information completely within 14 days (except to the extent ControlPoints is prevented by law from deleting your information).
  3. You may object at any time to the use of your personal data by contacting [email protected]. If your complaint relates to alleged misuse of your personal data by a third party, it may result in suspension of that post or account in keeping with relevant law, public interest, our contractual obligations, and the rights of expression and access to information of others.
  4. You may at any time lodge a complaint regarding the processing of your personal data by ControlPoints with the Supervisory Authority of your EU member state.

Data Security and Integrity

ControlPoints has reasonable security policies and procedures in place to protect personal information from unauthorized loss, misuse, alteration, or destruction. Despite ControlPoints’ best efforts, however, security cannot be absolutely guaranteed against all threats. To the best of our ability, access to your personal information is limited to those who have a need to know. Those individuals who have access to the data are required to maintain the confidentiality of such information.

Changes to this Policy

ControlPoints may modify this Privacy Statement from time to time to reflect our current privacy practices. When we make changes to this statement, we will revise the “updated” date at the top of this page. Any changes to the processing of personal information as described in this Privacy Statement affecting you will be communicated to you through an appropriate channel, depending on how we normally communicate with you.

Policy Questions

ControlPoints is committed to protecting the online privacy of your personal information. If you have questions or comments about our administration of your personal information, please contact us at [email protected].

ControlPoints
www.controlpoints.com
Houston, Texas
United States of America

 

 

Legal

 

ControlPoints is a US entity that provides Services and Products. The information contained and accessed on this site (the “Site”) is provided by ControlPoints for general guidance and is intended to offer the user general information of interest. The information provided is not intended to replace or serve as substitute for any governance, risk, compliance, audit, cyber, advisory, or other professional advice, consultation or service. You should consult with a ControlPoints professional to obtain such services.

The application of laws and regulations may vary depending on specific facts or circumstances. Due to the nature of electronic communication processes, ControlPoints does not guarantee or warrant the Site will be uninterrupted, without delay, error-free, omission-free, or free of viruses. Therefore, the information is provided ‘as is’ without warranties of any kind, express or implied, including accuracy, timeliness and completeness. In no event shall ControlPoints, or any of its respective partners, principals, agents or employees, be liable for any direct, indirect, incidental, special, exemplary, punitive, consequential or other damages (including but not limited to, liability for loss of use, data or profits), without regard to the form of any action, including but not limited to, contract, negligence or other tortious actions, arising out of or in connection with the Site, any content on or accessed by use of the Site, or any copying, display or other use.

As content on the Site (including any concepts, ideas, methods, procedures, processes, know-how, techniques, programs, publications, models, products templates, technologies, software, designs, art work, graphics and information on or described in the Site) may be copyrighted, proprietary and subject to intellectual property or other rights (which rights are owned by ControlPoints), any unauthorized use of any materials on the Site may violate copyright, trademark and other laws or applicable intellectual property or other rights. Users are encouraged to print or distribute content (e.g., via link on a social network) provided that:

  • The use of the content is personal and noncommercial.
  • All copyright, trademark and similar notices are retained.
  • The content is not used as or implies that ControlPoints is providing a testimonial or endorsement of an organization, its products or services.

Materials on the Site may not be modified, reproduced, publicly displayed, performed, distributed or used for any public or commercial purposes without explicit written permission from the appropriate content or material provider (including third-party links). ControlPoints bears no risk, responsibility or liability in the event that a user does not obtain such explicit written permission as advised by ControlPoints.

The ControlPoints name and logo are registered trademarks or trademarks of ControlPoints and other product and service names mentioned on the Site may be the registered trademarks or trademarks of ControlPoints. Use of these marks requires express prior permission from, and a license agreement with, ControlPoints. Unauthorized use of these and any other of ControlPoints’ portfolio of trademarks will be prohibited to the fullest extent of the law. To request this written approval, contact the webmaster or use the “Contact us” feature.

Third-party links are provided as a convenience to our users. ControlPoints does not control and is not responsible for any of these sites or their content. ControlPoints vigorously protects its reputation and trademarks and ControlPoints reserves the right to request removal of any link to our web site.

The following web link activities are explicitly prohibited by ControlPoints and may present trademark and copyright infringement issues:

  • links that involve unauthorized use of our logo
  • a form of link that disguises the URL and/or bypasses the homepage or pages containing the entity copyright, legal disclaimer and online policy statement.