Privacy Policy

1. Scope of this Privacy Policy

This Privacy Policy applies to information collected by Systems Risk Advisory, LLC through the Systems Risk Advisory website, contact forms, downloadable resource forms, email inquiries, speaking and workshop inquiries, consulting inquiries, and other business communications connected to this website.

This Privacy Policy does not replace the terms of any signed consulting agreement, nondisclosure agreement, statement of work, data handling agreement, or other written agreement between Systems Risk Advisory and a client. If a separate written agreement applies, that agreement controls the covered engagement materials and client information addressed by that agreement.

This website is intended for business, public-sector, utility, critical infrastructure, professional, and organizational use. It is not intended for children or for personal consumer services.

2. Information we may collect

Systems Risk Advisory may collect information you choose to provide, including your name, organization, role, business email address, phone number, state, service area, organization type, service interests, preferred contact method, and the general information you include in a website form, email, download request, or business inquiry.

If you request a downloadable guide, checklist, toolkit, briefing material, newsletter, event information, or similar resource, Systems Risk Advisory may collect the information needed to send the requested material and understand the type of organization requesting it.

If you contact Systems Risk Advisory about consulting, speaking, workshops, tabletop exercises, assessments, emergency planning, OT/ICS or SCADA security, physical security, incident response planning, or related services, Systems Risk Advisory may collect the information needed to respond, scope the request, prepare a proposal, schedule a discussion, and maintain normal business records.

The website may also collect limited technical and usage information, such as browser type, device type, pages viewed, referring page, date and time of access, approximate location derived from technical data, and similar website usage data. This information may be collected through web server logs, analytics tools, security tools, or hosting provider services.

3. Do not submit sensitive security information through website forms

Do not submit passwords, credentials, network diagrams, firewall rules, vulnerability details, exploit information, incident evidence, sensitive operational information, facility security weaknesses, law enforcement-sensitive information, protected critical infrastructure information, regulated data, or other sensitive security details through the website contact form or a general inquiry form.

Use website forms only to request contact and describe the general nature of your need. Detailed security information should be shared only through an approved channel and only after appropriate scope, authorization, and handling expectations are established.

If you are experiencing an active emergency, follow your internal emergency, incident response, legal, insurance, law enforcement, operational, and vendor escalation procedures. The website contact form is not an emergency reporting channel.

4. How we use information

Systems Risk Advisory may use information to respond to inquiries, schedule calls, provide requested resources, evaluate service fit, prepare proposals, deliver consulting services, communicate about engagements, manage business relationships, support speaking or workshop requests, and maintain normal business records.

Systems Risk Advisory may also use information to improve website content, understand audience needs, protect website and business systems, prevent misuse, troubleshoot technical issues, comply with legal obligations, enforce website terms, and protect the rights, safety, and security of Systems Risk Advisory, clients, prospective clients, and others.

If you request email updates, resources, or similar communications, Systems Risk Advisory may use your contact information to send relevant professional information. You may opt out of nonessential email communications by using the unsubscribe method provided, if available, or by contacting Systems Risk Advisory directly.

5. How we may share information

Systems Risk Advisory does not sell personal information. Systems Risk Advisory may share information with service providers that support normal business operations, such as website hosting, email, form processing, analytics, security, document storage, scheduling, payment, accounting, customer relationship management, or similar business tools.

Systems Risk Advisory may share information with qualified specialists, advisors, or support personnel when needed to evaluate, scope, support, or deliver an engagement. Information shared for that purpose should be limited to what is needed for the work and handled consistent with applicable engagement expectations.

Systems Risk Advisory may disclose information when required by law, legal process, subpoena, court order, regulatory request, public records-related process applicable to a client, or to protect rights, safety, security, property, or legal interests.

Systems Risk Advisory may share information with your consent or at your direction, including when you ask Systems Risk Advisory to coordinate with your staff, legal counsel, insurer, IT provider, SCADA integrator, engineer, vendor, emergency management partner, or other third party.

6. Cookies, analytics, and website tools

The website may use cookies, server logs, analytics tools, security tools, spam prevention tools, and similar technologies to operate the website, understand page usage, maintain security, and improve content.

If advertising pixels, remarketing tools, newsletter tracking, or additional third-party analytics are added later, this Privacy Policy should be reviewed and updated to describe those tools and available choices.

You can adjust browser settings to limit or block some cookies. Blocking cookies may affect how some websites or forms function.

7. Email communications and downloadable resources

If you request a downloadable resource, toolkit, checklist, guide, article, event information, or similar material, Systems Risk Advisory may use the information you provide to send the requested material, respond to related questions, and understand what types of organizations are using the resource.

Systems Risk Advisory may send follow-up communications related to the requested resource, related services, or professional topics relevant to critical infrastructure cybersecurity, physical security, OT/ICS and SCADA security, emergency planning, incident response planning, exercises, and resilience.

You may ask to stop receiving nonessential marketing or resource communications. Operational, transactional, proposal, engagement, billing, legal, or security-related communications may still be sent when needed for legitimate business purposes.

8. Data retention

Systems Risk Advisory retains information for as long as reasonably needed for the purposes described in this Privacy Policy, including responding to inquiries, managing business records, supporting engagements, complying with legal obligations, resolving disputes, maintaining security, and documenting business decisions.

Retention periods may vary based on the type of information, the nature of the relationship, legal and contractual requirements, accounting requirements, operational needs, and whether an engagement or proposal is active.

Systems Risk Advisory may delete, archive, or de-identify information when it is no longer needed, subject to legal, contractual, operational, and recordkeeping requirements.

9. Security

Systems Risk Advisory uses reasonable administrative, technical, and organizational measures intended to protect information. No website, email system, form, hosting provider, storage system, or internet transmission can be guaranteed completely secure.

Because SRA works in cybersecurity, physical security, OT/ICS, SCADA, emergency planning, and critical infrastructure contexts, visitors should use extra care before submitting any security-sensitive information through open website channels.

Detailed client security information should be exchanged only through approved methods and under appropriate scope, authorization, and handling expectations.

10. Client and engagement information

Consulting engagements may involve information that is more sensitive than ordinary website contact information. Examples may include policies, procedures, planning documents, facility information, cyber and physical security observations, OT/ICS or SCADA architecture information, incident response materials, and emergency planning details.

Client and engagement information should be handled under the applicable proposal, statement of work, nondisclosure agreement, consulting agreement, data handling instructions, public records considerations, or other written terms that apply to that engagement.

Systems Risk Advisory does not publish client names, facility details, network details, security findings, incident details, or other sensitive engagement information without appropriate authorization.

11. Third-party links and services

The website may link to third-party websites, platforms, publications, event pages, book retailers, professional profiles, government resources, association pages, or other external services. Systems Risk Advisory is not responsible for the privacy practices, content, availability, or security of third-party websites or services.

When you leave the Systems Risk Advisory website, review the privacy policy and terms that apply to the third-party site or service you visit.

12. Your choices

You may contact Systems Risk Advisory to request that your contact information be updated, corrected, removed from nonessential communications, or reviewed for deletion where appropriate. Some information may need to be retained for legitimate business, legal, contractual, accounting, security, or recordkeeping purposes.

Privacy rights may vary by jurisdiction. Systems Risk Advisory will review reasonable privacy requests consistent with applicable law, contractual obligations, client obligations, and business recordkeeping needs.

To make a privacy request, contact Systems Risk Advisory using the contact information listed in this Privacy Policy.

13. Children

This website is not directed to children under 13 and is not intended to collect personal information from children. If Systems Risk Advisory learns that information from a child has been submitted through the website, Systems Risk Advisory may delete the information unless retention is legally required.

14. Changes to this Privacy Policy

Systems Risk Advisory may update this Privacy Policy from time to time. The updated version should be posted on this page with a revised last updated date. Continued use of the website after an update means the revised policy applies to later website use and later information submissions.

15. Contact

For privacy questions or requests, contact Systems Risk Advisory at kowens@systemsriskadvisory.com.

Systems Risk Advisory is based in Washington State and serves clients nationally, with onsite and remote support available depending on scope.