Home > Articles > Other IT Certifications > CISSP

This chapter is from the book

This chapter is from the book

Risk Management and Analysis

Understand risk management and how to use risk analysis to make information security management decisions.

Risk management is the process of assessing risk and applying mechanisms to reduce, mitigate, or manage risks to the information assets. Risk management is not about creating a totally secure environment. Its purpose is to identify where risks exist, the probability that the risks could occur, the damage that could be caused, and the costs of securing the environment. Even if there is a risk to information assets, risk management can determine that it would cost more to secure the asset than if it was damaged or disclosed.

Risk management is not as straightforward as finding the risk and quantifying the cost of loss. Because risks can come from varying sources, an information asset can have several risks. For example, sales data stored on a network disk has the risk of

  • Unauthorized access from internal or external users

  • Loss from a software or hardware failure

  • Inaccessibility because of a network failure

Risk management looks at the various possibilities of loss, determines what would cause the greatest loss, and applies controls appropriately. As the risk manager, you might want to reduce all the risk to zero. This is a natural emotional reaction to trying to solve risk. However, you might find that it is impossible to prevent unauthorized access from internal users while trying to ensure accessibility of the data. Here, you must look at the likelihood of the risk and either look for other mitigations or accept it as a potential loss to the organization.

Assessing risk for information security involves considering the types of loss (risk category) and how that loss might occur (risk factor).

Risk Category

  • Damage—Results in physical loss of an asset or the inability to access the asset, such as cutting a network cable.

  • Disclosure—Disclosing critical information regardless of where or how it was disclosed.

  • Losses—These might be permanent or temporary, including the altering of data or the inability to access data.

Risk Factor

  • Physical damage—Can result from natural disasters or other factors, such as power loss or vandalism.

  • Malfunctions—The failure of systems, networks, or peripherals.

  • Attacks—Purposeful acts whether from the inside or outside. Misuse of data, such as unauthorized disclosure, is an attack on that information asset.

  • Human errors—Usually considered accidental incidents, whereas attacks are purposeful incidents.

  • Application errors—Failures of the application, including the operating system. These are usually accidental errors, whereas exploits of buffer overflows or viruses are considered attacks.

Every analyzed information asset has at least one risk category associated with one risk factor. Not every asset has more than one risk category or more than one risk factor. The real work of the risk analysis is to properly identify these issues.

Risk Analysis

Risk analysis is a process that is used to identify risk and quantify the possible damages that can occur to the information assets to determine the most cost-effective way to mitigate the risks. A risk analysis also assesses the possibility that the risk will occur in order to weigh the cost of mitigation. As information security professionals, we would like to create a secure, risk-free environment. However, it might not be possible to do so without a significant cost. As a security manager, you will have to weigh the costs versus the potential costs of loss.

Risk Analysis

Identifies a risk, quantifies the impact, and assesses a cost for mitigating the risk.

Business Versus Government Risk Analysis

A risk analysis for a government agency is no different from one performed for a nongovernment organization. The difference is how the information is used. Nongovernment entities can use the costs of mitigating the risk and the expected gain to determine whether to add countermeasures and which ones would be the most cost-effective. Most nongovernment entities work like this, including nonprofit corporations.

Because of laws, regulations, and legislative oversight, government agencies (particularly on the federal levels) have to run in a risk adverse environment rather than a risk-managed environment. Thus, agencies provide security controls that minimize the risk to a zero-cost, regardless of the costs, to prevent them from being campaign fodder. It is why the government will spend more money to secure systems than a private corporation will.

On completion of the risk analysis, the information allows the risk manager to perform a cost-benefit analysis (CBA), comparing safeguards or the costs of not adding the safeguards. Costs are usually given as an annualized cost and can be weighed against the likelihood of occurrence. As a general rule, safeguards are not employed when the costs of the countermeasure outweighs the potential loss. For example, an information asset is worth $10,000 should it be lost. Table 3.1 shows a possible analysis of this asset.


Cost of Countermeasure





By doing nothing, if the asset is lost, there could be a complete loss that costs $10,000.



If the countermeasure costs $5,000, you will gain $5,000 in providing the protection by mitigating the loss.



The cost of the countermeasure equals the cost of the asset. Here, you might weigh the potential for the countermeasure to be needed before making a decision.



With the countermeasure costing more than the asset, the benefit does not make sense in this case in terms of financial cost.

For information security planning, the risk analysis allows management to look at the requirements and balance them with business objectives and the costs. For an information security program to be successful, the merging of security processes and procedures with the business requirements is essential. A major part of that is the protection of the assets, and the risk assessment helps in that analysis.

Identifying Threats and Vulnerabilities

The previous section identified the various risk categories and factors that go into a risk analysis. For that analysis to weigh the potential for a risk to occur, the analysis should identify the threats and vulnerabilities that could occur.

There is no single way to identify whether a threat or vulnerability could occur in the environment being analyzed. Most environments are so complex that a vulnerability in one area could affect another area of the business. These cascading errors could be caused not only by a malicious attack, but also by errors in processing, which are called illogical processing.

Threat Agents

These are what cause the threats by exploiting vulnerabilities.

Identifying the threats to information assets is the process of identifying the threat agents that can cause a threat to the environment. Threat agents can be human, programmatic (such as an error or malware), or a natural disaster. The risk factors in the previous section provide a view into the number of possible threat agents an asset could have. Audits look at all the potential threat agents and determine which factors result in the risk to the asset.

After the threat agents, vulnerability, and risk have been identified, the risk analysis then concentrates on the loss potential, or what would be lost if the threat agent exploited the vulnerability. Whether the loss is from corruption or deletion of data to the physical destruction of computer and network equipment, there will be a cost to the loss of the asset. The loss is not limited to the cost of the asset. Risk analysis should also consider the loss of productivity, whether it be a delay or halt in work.

Loss Potential

This is what would be lost if the threat agent is successful in exploiting a vulnerability.

Delayed Loss

This is the amount of loss that can occur over time.

Not every loss will occur immediately. Take disclosure of critical data, for example. The loss from when the data is disclosed might not happen immediately. But if the disclosure was to a competitor involved in industrial espionage, the potential loss could occur over time in the form of lost clients and business. The loss potential for this type of delayed loss can attempt to estimate the costs to recover. Because the nature of the losses are unknown, making this type of estimate can be difficult.

Another delayed loss can be embedded in the cost of business. If data that is used to calculate fees, taxes, or other fiscal obligations is corrupted, a loss potential exists for interest and penalties that would have to be paid when the problems are discovered, which will be more than the costs to repair the damage. In more extreme cases, your organization could lose the confidence of its customers and investors, which could cause additional damage.

Asset Valuation

There are two ways to evaluate assets and the risk associated with their loss. The quantitative approach attempts to assign a dollar value to the risk for analyzing the cost of the potential effectiveness of the countermeasure. A qualitative approach uses a scoring system to rank threats and effectiveness of the countermeasures relative to the system and environment. Most commercial organizations prefer the quantitative approach because it allows for a way to plan budgets and for nontechnical management to understand the impact of their decisions.

Quantitative Versus Qualitative

A quantitative approach to risk analysis uses monetary values to assess risk. The qualitative approach uses a scoring system to determine risk relative to the environment.However, a qualitative analysis is good for understanding the severity of the risk analysis relative to the environment, which is easier for some to understand.

When using the quantitative approach, you should remember that it cannot quantify every asset and every threat. When looking at the values at the extremes, whether high or low, the numbers tend to not reflect the reality of the quantitative analysis. It is up to the team doing the risk analysis to determine which approach is best.

An Internal Risk Analysis Versus Using Outside Consultants

Some might feel that their own systems and security professionals could perform the risk assessment. They do know the systems and understand the processing that occurs. However, although the people your company employs might be very competent, they might be too intimate with operations to be able to tell a technical risk from a process risk. Outsiders do not have the same ties, so they are not prejudiced by "what has been."

When selecting an outside company to do a risk assessment, make sure it has the resources to understand the latest security information and industry best practices so it can provide a complete risk assessment. It must understand all the risks involved in all aspects of information technology. Because these companies do this on a daily basis, they have more insights into what to expect as they perform their tests.

Risk analysis is an investigation into the various assets, assigning risk and determining mitigations. To do this, the risk assessment team must investigate all the assets, taking into account all the variables that can affect the costs. The steps that are followed in a risk analysis are

  1. Identify the assets.

  2. Assign value to the assets.

  3. Identify the risks and threats corresponding to each asset.

  4. Estimate the potential loss from that risk or threat.

  5. Estimate the possible frequency of the threat occurring.

  6. Calculate the cost of the risk.

  7. Recommend countermeasures or other remedial activities.

Each step is explained in Step By Step 3.1.


3.1 Risk Analysis Steps

  1. Identify the assets. When you identify your information assets, you must consider more than the systems and network components. Information assets can also be the organization's data. A company's sales data that contains customer information and buying habits is as much of an asset as the disk and systems that store the information. Risk analysts will look at the organization's business process and ask which information is important to the business processes. In this process, more emphasis can be put on the information that is important, such as sales data, rather than the company phone book.

  2. This is where maintaining documentation and having a solid configuration management system can help. Rather than forcing a full discovery of all assets, including programs and databases, the documentation and configuration management systems can point to the bulk of the assets and provide a basis to begin the analysis. This is not to say that a risk assessment cannot be performed without this help. Some risk assessments are performed to gather this information, which is perfectly reasonable when establishing a new or more stringent information security program.

  3. Next, you must assign value to the assets. Assigning value is not a simple task. For hardware or software, the value can be the purchase or the replacement costs. Setting the value to information assets is where the process becomes difficult. To determine value, you would answer the following questions:

    • How much revenue does this data generate?

    • How much does it cost to maintain?

    • How much would it cost if the data were lost?

    • How much would it cost to recover or re-create?

    • How much would it be worth to the competition?

  4. After all the assets are identified, the analysis then identifies all the threats and risks. The various risk categories are examined, and the various factors are applied until a list of possible threats is created. There is no scientific way to determine which risk categories apply to an asset—it is a subjective determination. However, some common sense should prevail. For example, data cannot be damaged by fire, but the disks on which it resides can be. The risk for the data could be damage or unavailability because of hardware failure, which reduces a number of risk factors and potential countermeasures.

  5. The next step is to go through the various assets and the threats to estimate how much would be lost if the threat occurs. Obviously, this is easy for hardware and software because costs can be taken from invoices or actual replacement costs. But what happens when the asset is data? How much would it cost if access to critical data were lost? How much would it cost to be recovered or regenerated? What if it was improperly disclosed?

  6. When estimating the costs for the loss, all factors should be considered. For example, if workstations are infected with a virus, the cost of recovery should be counted, and so should the loss of productivity. Estimating productivity loss is not easy because the salaries and benefits for each employee affected should be considered, as well as the duration of the loss. Although a number of employees at different salary levels might work on the recovery effort, many times an estimate is based on an average salary. The numbers produced are appropriate for a risk analysis.

    The estimated cost of the potential loss is used to calculate the single-loss expectancy (SLE) for the asset. SLE uses the asset value and the exposure factor (see step 5) to give the dollar amount of the potential loss if the threat came to pass. These calculations are discussed in step 6.

    Single-Loss Expectancy (SLE)

    This is the amount of the potential loss for a specific threat.

  7. The frequency of occurrence is used to estimate the percentage of loss on a particular asset because of a threat. Also called the exposure factor (EF), this value recognizes that a threat does not result in a total loss. For example, a fiber-optic cable running between two buildings being cut by a maintenance worker affects only the cable and the productivity for its cut, which might be only 20% of the organization's infrastructure. For this asset, the EF would be 0.20 for calculations.

  8. Risk analysis is based on the loss over the course of a year. The annualized rate of occurrence (ARO) is the ratio of the estimated possibility that the threat will take place in a 1-year time frame. The ARO can be expressed as 0.0 if the threat will never occur, through 1.0 if the threat will always occur. For example, the ARO for a workstation virus might be set to 1.0, whereas a power outage to the network operations center that might occur once every 4 years would have an ARO of 0.25.

    Risk Analysis Variables

    Variables of risk analysis are annualized loss expectancy, annualized rate of occurrence, exposure factor, and single loss expectancy.

  9. Now that the collection of facts and figures has been completed, the next step is to plug in the various calculations to determine the annualized loss expectancy (ALE), which tells the analyst the maximum amount that should be spent on the countermeasure to prevent the threat from occurring. If the countermeasure costs more than the ALE, it can indicate a risk that the organization might take. This is discussed later in this chapter.

  10. To determine the ALE, each threat undergoes the following calculation:

    6.1. The SLE is calculated by multiplying the value of the asset by the EF:

    SLE = asset value x EF

    6.2. The ALE is calculated by multiplying the SLE by the ARO:

    ALE = SLE x ARO

    To illustrate these calculations, Table 3.2 has a short example with a few assets using a mythical Web server system.

    This sample organization uses a network operations center (NOC) that cost $500,000 to set up where the major threat is a fire. Should there be a fire, a 45% total loss is estimated. However, according to the fire department, the area where the NOC is located has a fire every 5 years, resulting in an ARO of 0.20. Using these values, the ALE for the NOC is $45,000.

    Similar calculations were made on the other assets. The asset values and EF were discovered as part of the audit; the ARO was also determined as part of the investigation. For example, when worried about power failure on the Web servers, the utility company was asked about the average length of outage in the area. In this example, the utility company predicted a major outage once every 2 years, thus resulting in a 0.50 ARO.

    Using the ALE, the organization has an overview of the risks, their likelihood of happening, and what would be lost if the threat occurred. It is also known how much can be spent to protect the asset against the threats. For example, protecting against a power failure on the Web servers should cost no more than $3,125. After some investigation, the cost of an uninterruptible power supply that works in the NOC is revealed to cost $4,500. A business decision could be made to not employ the counter- measure because it would cost more than the loss.

  11. The final step is to recommend countermeasures or other activities to mitigate the risk. This is the topic of the following sections.




Asset Value





Network operations center







Web servers

Power failure






Web data







Customer data







Qualitative Risk Analysis

A qualitative risk analysis is a more subjective analysis that ranks threats, countermeasures, and their effectiveness on a scoring system rather than by assigning dollar values. There are various ways of doing this from group decisions such as the Delphi method to using surveys and interviews for their ranking system.

Doing a qualitative risk analysis is a bit different from a quantitative analysis. In a quantitative analysis, the analyst does not have to be an expert in the business of the organization or have an extensive knowledge of the systems. Using her basic knowledge, she can analyze the basic business processes and use formulas to assess value to the asset and threats. Qualitative analysts are experts in the systems and the risks being investigated. They are able to use their expertise, along with the users of the system, to give the threats appropriate ranks.

To do a qualitative risk analysis, the major threats are identified and the scenarios for the possible sources of the threat are analyzed. The scores generated in this analysis show the likelihood of the threat occurring, the potential for the severity, and the degree of loss. Additionally, the potential countermeasures are analyzed by ranking them for their effectiveness.

When the analysis is completed, the scores for the threat are compared to the countermeasures. If the scores for the countermeasure are greater than the threat, it usually means that the countermeasure will be more effective in protecting the asset. However, remember that this is a subjective analysis, so the meanings of the rankings are also open to interpretation.

Countermeasure Selection and Evaluation

Organizations employ countermeasures, or safeguards, to protect information assets. In selecting the proper countermeasures, it makes good business sense to find a countermeasure that is also the most cost-effective. Determining the most cost-effective countermeasure is called a cost/benefit analysis.

A cost/benefit analysis looks at the ALE, the annual cost of the safeguard, and the ALE after the countermeasure is installed to determine whether the costs show a benefit for the organization. The calculation can be written as follows:

Value of Countermeasure = ALE (without countermeasure) – Cost (safeguard) – ALE (with countermeasure)

Using the Web server example from Table 3.2, let's say that the cost of a universal power supply (UPS)—to purchase and operate—is $1,000 per year. Even with the UPS, the exposure factor (EF) is reduced to 5% (0.05) because a power outage that lasts longer than the UPS can supply power is possible. The utility reports that an outage that will last longer than the UPS occurs once every 5 years, reducing the annual rate of occurrence (ARO) to 20% (0.20). Thus, the following calculation should be used:

    ALE (with UPS) = Cost (Web server) x EF x ARO

    ALE (with UPS) = $25,000 x $1,250 x 0.20

    ALE (with UPS) = $250

With the UPS, the ALE is now $250. Using that for the cost/benefit analysis, you can calculate the following:

    Value of countermeasure = $3,125 – $1,000 – $250

    Value of countermeasure = $1,875

With the value of the countermeasure at $1,875 and the cost at $1,000, the benefit of $875 per year for the countermeasure makes it a benefit for the organization.

One area skipped over was the operation cost of the UPS. The cost of operating the UPS can be a combination of power usage, modifications that might have been necessary to install the device, maintenance, and so on. When looking at the actual cost of the countermeasure during a cost/benefit analysis, all the costs need to be considered. If the countermeasure affects productivity, the loss must be accounted for. Should there be additional testing, those costs also must go into the cost of the countermeasure to get its true cost.

This is also not a straightforward analysis. Some threats might occur once over a period of 10 years or more. Even for expensive assets, an ARO of less than 0.10 can cause the analyst to consider whether the countermeasure is worth the cost over the entire time to prevent the threat. For example, the likelihood of an earthquake destroying the network operations center in the New York City area is very low, even in an area that has seen some earthquakes. Seismologists might think that an earthquake causing some damage would occur once every 15 years (an ARO of 6.67%). But is this enough of a threat to provide countermeasures for?

Effectiveness and Functionality of Countermeasures

Choosing a countermeasure for the amount of cost is a pure business way of analyzing risk. However, as security professionals, we understand that regardless of the cost, the countermeasure is not worth using unless it protects the asset. Information security professionals should work with business people to select the most effective counter- measure that will function to properly protect the asset.

Another consideration is countermeasures that can protect against multiple threats. That potential earthquake in New York might be mitigated by the rigorous building construction guidelines that keep buildings from toppling in high winds. In an information security context, a firewall can be used as a filter to prevent various network-based attacks and as a content filter to stop malicious mobile code.

Tying It Together

Risk assessment tells the organization what the risks are; it is up to the organization to determine how to manage the risks. Risk management is the trade-off an organization makes regarding that risk. You should remember that not every risk could be mitigated. It is the job of management to decide how that risk is handled. In basic terms, the choices are

  • Do nothing—If you do this, you must accept the risk and the potential loss if the threat occurs.

  • Reduce the risk—You do this by implementing a countermeasure and accepting the residual risk.

  • Transfer the risk—You do this by purchasing insurance against the damage.

These decisions can be made only after identifying the assets, analyzing the risk, and determining countermeasures. Management uses these steps to make the proper decisions based on the risks found during this process. Figure 3.3 illustrates these steps.

Figure 3.3 The three steps of a risk analysis.

Residual Risk

This is the value of the risk after implementing the countermeasure.

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information

To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.


Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.


If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information

Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.


This site is not directed to children under the age of 13.


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information

If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information

Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents

California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure

Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact

Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice

We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020