A+ 220-1002 Sub-objective 4.6 – Explain the processes for addressing prohibited content/activity, and privacy, licensing, and policy concepts

Welcome to ExamNotes by CertBlaster! In this installment, we will examine Objective 4.6 Explain the processes for addressing prohibited content/activity and privacy, licensing, and policy concepts. We will discuss the issues and procedures surrounding the use of data that is in violation of corporate policies.

Click here for the A+ Practice Test Bundle for A+ Exams 220-1001 & 220-1002

Incident Response

In some cases, violations may be innocent transgressions attributed to the employee’s misinterpretation of the rules. For others, violations may be flagrant with legal implications. In either case and regardless of how one became aware of the violation, it is important to adhere to company policy in order to ensure proper handling of the situation.

It may be tempting to err on the side of leniency for some matters. However, this is NOT your decision to make. In the worst case, failure to report incidents could make you an accomplice. Every company has slight terminology variations as to what is and is not acceptable use. The fundamental principles will be the same. For example, every company will have an Acceptable Use Policy (AUP) that is part of the employment agreement and is also freely available for employee review. Read it completely and follow it to the letter.

First response

For any case where you believe there has been a legal infraction or poor judgment, the incident should be reported as defined by corporate policy. There is no situation where you would confront the employee directly. Confronting the employee provides time for the employee to cover up the transgression and opens the door for unauthorized parties who are not involved in the process to overhear your discussion. Keep your discussion within the authorized channels. Your handling of matters involving data breaches will likely be scrutinized by the legal team, making it important that you follow company guidelines to the letter. Take clear notes regarding reporting and the actions you take.

Identify

An incident may be identified through personal observation or through routine review of network logs. Log files will reveal unauthorized personnel accessing restricted data. Immediately document this behavior and bring it to the proper individual(s) for escalation.
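The log review described above, as an added example that is not part of the CertBlaster notes. It flags access to restricted paths by users who are not on the authorized list and turns each hit into a written record suitable for escalation. The log line format, the user names, the paths and the authorization policy are all constructed for illustration.

```python
"""Flag access to restricted data by unauthorized users and document it.

Added example (not from the CertBlaster notes). The "timestamp user action
resource" log format, the user names, the paths and the policy below are
constructed for illustration; real systems will differ.
"""
import re
from datetime import datetime

# Constructed sample log lines in a hypothetical one-entry-per-line format.
SAMPLE_LOG = """\
2023-03-01T08:02:11 jsmith READ /finance/payroll.xlsx
2023-03-01T08:05:47 amiller READ /hr/applicants/2023.csv
2023-03-01T08:09:30 jsmith WRITE /shared/notes.txt
2023-03-01T22:41:05 tbrown COPY /finance/payroll.xlsx
2023-03-01T22:42:19 tbrown COPY /hr/applicants/2023.csv
"""

# Constructed policy: each restricted path prefix and the users cleared for it.
RESTRICTED_PATHS = {
    "/finance/": {"jsmith"},
    "/hr/": {"amiller"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, resource = m.groups()
    return {
        "time": datetime.fromisoformat(ts),
        "user": user,
        "action": action,
        "resource": resource,
    }


def find_violations(log_text, policy=RESTRICTED_PATHS):
    """Return every entry where a user touched a restricted prefix they are not cleared for."""
    violations = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # malformed line; a real review would count these too
        for prefix, allowed in policy.items():
            if entry["resource"].startswith(prefix) and entry["user"] not in allowed:
                entry = dict(entry, restricted_prefix=prefix)
                violations.append(entry)
                break
    return violations


def escalation_record(violations):
    """Render the findings as plain lines to attach to the report you hand upward."""
    lines = []
    for v in violations:
        lines.append(
            f"{v['time'].isoformat()} user={v['user']} action={v['action']} "
            f"resource={v['resource']} (not authorized for {v['restricted_prefix']})"
        )
    return lines


if __name__ == "__main__":
    for line in escalation_record(find_violations(SAMPLE_LOG)):
        print(line)
```

The record keeps the raw facts (time, user, action, resource) and the policy rule that was breached, which is what the people you escalate to will need to check; it deliberately draws no conclusion about intent.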

Report through proper channels

Always report strictly to the appropriate parties as indicated by your organizational Security Policy. The process you follow and the manner in which you report will be closely scrutinized. Be clear, accurate, and complete in your reporting.

Data/device preservation

In cases where there is evidence of foul play or corporate espionage, the preservation of data is of paramount importance. A forensic team should be involved in order to securely handle, store, and validate any digital media. Network logs and most recently used (MRU) lists showing recently accessed documents will solidify your case. Obtain the services of a forensic expert before you handle anything. The slightest change could render the evidence inadmissible.

Use of documentation/documentation changes

Company policies are subject to change in order to keep pace with the evolving corporate environment. While these policies are easily accessible by employees, all employees should be notified when a change is made and given instructions on how to view the updated documentation. For a lengthy document, the exact change should be explicitly stated in order to prevent employees from overlooking it.

Chain of custody

Whenever evidence is necessary to create or support a case, all records and physical support need to be carefully preserved. This is accomplished using a form called a Chain of Custody. The Chain of Custody allows everyone who comes in contact with the evidence to record the date/time they took possession, the actions that were taken, the release date/time, and the party it was handed to. Fill this form out completely because any mistakes or gaps will render the evidence inadmissible. Sign for everything you take into your possession and obtain signatures from those you transfer possession to. Any gap in this process can be interpreted as a point where the evidence may have been corrupted.

Tracking of evidence/documenting process

The documentation surrounding the handling of evidence is crucial in any legal matter and will be subsequently reviewed for completeness and accuracy. You and all parties concerned in the handling of physical and digital evidence should be prepared to present accurate, irrefutable records proving the time/date received and what actions were performed. The Chain of Custody and the Due Care taken for these materials while in your possession are both incredibly important. Forensic experts should be involved immediately, as their skill set includes the storage and preservation of volatile digital data. They are capable of recovering the most volatile data, such as system RAM, as well as preserving the integrity of storage media by making working copies of the original.
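The Chain of Custody form and the evidence-tracking records described in the last two sections, as an added example that is not part of the CertBlaster notes. It models each custody entry (who signed for the evidence, when, what they did, whom they released it to and when), checks the chain for the gaps the text warns about, and verifies a forensic working copy against the original by hash. The field names, the custodian names and the evidence bytes are constructed for illustration.

```python
"""Chain-of-custody continuity check and working-copy integrity check.

Added example, not from the CertBlaster notes. The entry layout, the
custodian names, the timestamps and the evidence bytes are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class CustodyEntry:
    custodian: str                      # who signed for the evidence
    received_at: datetime               # date/time they took possession
    actions: str                        # what was done while in their possession
    released_to: Optional[str] = None   # who signed for it next (None if still held)
    released_at: Optional[datetime] = None


def check_chain(entries: List[CustodyEntry]) -> List[str]:
    """Describe every gap found; an empty list means the chain is continuous."""
    problems = []
    for i, cur in enumerate(entries):
        if cur.released_at is not None and cur.released_at < cur.received_at:
            problems.append(f"entry {i}: release time precedes receipt time")
        if i + 1 == len(entries):
            continue  # last holder may still have the evidence
        nxt = entries[i + 1]
        if cur.released_to is None or cur.released_at is None:
            problems.append(f"entry {i}: no signed release, yet entry {i + 1} follows")
            continue
        if cur.released_to != nxt.custodian:
            problems.append(
                f"entry {i}: released to {cur.released_to!r} "
                f"but entry {i + 1} was signed by {nxt.custodian!r}"
            )
        if nxt.received_at < cur.released_at:
            problems.append(f"entry {i + 1}: receipt recorded before entry {i} released it")
    return problems


def sha256_hex(data: bytes) -> str:
    """Hash used to fingerprint the original and each working copy."""
    return hashlib.sha256(data).hexdigest()


def working_copy_matches(original: bytes, copy: bytes) -> bool:
    """A working copy is only usable as evidence if it hashes identically to the original."""
    return sha256_hex(original) == sha256_hex(copy)


def T(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed evidence image: a few bytes standing in for a drive image.
ORIGINAL_IMAGE = b"constructed disk image contents"
GOOD_COPY = bytes(ORIGINAL_IMAGE)
ALTERED_COPY = ORIGINAL_IMAGE.replace(b"contents", b"Contents")

# Constructed continuous chain: every release matches the next receipt.
GOOD_CHAIN = [
    CustodyEntry("A. Tech", T("2023-03-02T09:00:00"), "seized laptop, sealed in bag #1",
                 "B. Forensics", T("2023-03-02T09:45:00")),
    CustodyEntry("B. Forensics", T("2023-03-02T09:45:00"), "imaged drive, hashed original and copy",
                 "C. Legal", T("2023-03-03T14:00:00")),
    CustodyEntry("C. Legal", T("2023-03-03T14:00:00"), "held in evidence locker"),
]

# Constructed broken chain: released to B. Forensics, but D. Lee signed for it.
BROKEN_CHAIN = [
    CustodyEntry("A. Tech", T("2023-03-02T09:00:00"), "seized laptop, sealed in bag #1",
                 "B. Forensics", T("2023-03-02T09:45:00")),
    CustodyEntry("D. Lee", T("2023-03-02T10:00:00"), "examined laptop"),
]


if __name__ == "__main__":
    print("good chain problems:", check_chain(GOOD_CHAIN))
    print("broken chain problems:", check_chain(BROKEN_CHAIN))
    print("good copy matches:", working_copy_matches(ORIGINAL_IMAGE, GOOD_COPY))
    print("altered copy matches:", working_copy_matches(ORIGINAL_IMAGE, ALTERED_COPY))
```

The continuity check is deliberately strict: a missing release signature, a name that does not match the next signer, or a receipt timestamp earlier than the release are each reported as a separate gap, because any one of them is the kind of break a reviewer will question.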

Licensing / DRM / EULA

A common infraction involving midsized to large corporations is caused by employees misunderstanding or disregarding software licensing. While organizations make every effort to avoid copyright infringement, there are cases where a careless employee may feel that a special graphics program or a piece of music will enhance their presentation. The legality of this practice may come into question, causing financial hardship for the company.  

It falls to the user to carefully read the End User License Agreement (EULA) before accepting it. The EULA contains clauses regarding the acceptable use of the product and the ramifications of misuse among other legally binding matters.

In practice, very few users actually read the agreement and simply accept it. Blind acceptance is a liability.

Lastly, Digital Rights Management (DRM) protects artists from having their works used in unauthorized manners. The DRM is digitally embedded in the media and is aggressively enforced.


Open source vs. commercial license

Software can be generally classified into two groups: open source and closed source or commercial license.

For open source (freeware) software, the source code is freely available and can be modified by subsequent developers, provided that any derivative works remain freely available and there are no fees for its use. This software is developed by and for a community that values the betterment of the product over financial reward. The Linux and Android operating systems are great examples of this philosophy.

Closed source software is commercial, for-profit software that charges for the use of its programs. The source code is closely guarded and not available. Use of such software is controlled by the various licenses described below.

Personal license vs. enterprise licenses

When using commercial software, the license is purchased based on the intended use. Personal use is defined as a single user installing the product on personal devices in their home. In the corporate environment, products are usually covered under an enterprise site license that grants use to all employees. If the software is particularly expensive or if use is confined to a small group or department, a per-seat license may be more cost-effective. This license limits the installations to a predetermined number of users.

Regulated data

The types of data described below are regulated by the government and are considered regulated data. Often a healthcare provider will employ a compliance officer to ensure that all regulations, policies, and laws are adhered to. For your test preparation, note the following information.

PII

Personally Identifiable Information (PII) is information about a person that would be considered confidential. This includes a person’s full name, complete address, credit card numbers, date of birth, social security number, and health records. Entities that store this information are subject to strict, legally binding guidelines regarding its confidential storage and dissemination. PII is a high-value target for hackers, who can use this data to create identities, access and deplete assets, or even falsely open new lines of credit. Lists containing this information are easily obtainable on the black market.

Don’t release this information without careful consideration. Something as simple as a job application contains enough information for someone to deplete an individual’s assets and ruin their credit.
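One defensive control for the dissemination rule above: redact PII from a record before it leaves the system that holds it. This is an added example, not from the CertBlaster notes. It masks social security numbers and card numbers in a constructed job-application excerpt, using the Luhn check so that an arbitrary 16-digit reference number is not mistaken for a card; the sample text and the masking formats are assumptions.

```python
"""Redact SSNs and payment card numbers from free text before release.

Added example (not from the CertBlaster notes). The sample record, the
masking style and the field formats are constructed for illustration.
"""
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_ssn(m: "re.Match") -> str:
    """Keep the last four digits so the record can still be matched internally."""
    return "***-**-" + m.group(0)[-4:]


def mask_card(m: "re.Match") -> str:
    digits = re.sub(r"\D", "", m.group(0))
    if not luhn_ok(digits):
        return m.group(0)       # not a card number; leave it untouched
    return "*" * (len(digits) - 4) + digits[-4:]


def redact_pii(text: str) -> str:
    """Apply the SSN mask first so its digits cannot feed the card matcher."""
    text = SSN_RE.sub(mask_ssn, text)
    return CARD_RE.sub(mask_card, text)


# Constructed sample: a job-application excerpt with an SSN, a phone number,
# a Luhn-valid test card number and a 16-digit order number that is not a card.
SAMPLE_RECORD = (
    "Applicant: Jane Doe, SSN 123-45-6789, phone 555-123-4567.\n"
    "Card on file: 4111 1111 1111 1111 (exp 12/27).\n"
    "Order number: 1234 5678 9012 3456."
)


if __name__ == "__main__":
    print(redact_pii(SAMPLE_RECORD))
```

Redaction of this kind reduces what a leaked or misdirected copy exposes; it does not replace the access controls and handling policy the text describes.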

PCI

The Payment Card Industry (PCI) has defined standards to safeguard credit card information during transmission and storage (where applicable). Major credit card companies comply with these standards, as do the vendors and retailers receiving the data. Fraud is prevalent, and the standards that have been implemented exist to prevent it. A vendor may contact the card owner when a suspicious transaction is attempted.

PHI

Protected health information (PHI) refers to data regarding an individual’s personal health record. This information is protected by the government through the Health Insurance Portability and Accountability Act (HIPAA), which imposes strict penalties for security breaches. Hospitals, medical practices, medical personnel, and other entities must comply with HIPAA regulations. Consent must be requested before health information is disclosed.

GDPR

The European Union (EU) has implemented the General Data Protection Regulation (GDPR) which provides more control over the collection, sharing, and storage of personal information. It covers data that can uniquely identify an individual such as their genetic and biometric information, their name, and their address (physical and IP). The GDPR includes a provision that the individual is contacted if their information is breached.

Follow corporate end-user policies and security best practices

Every corporation has security policies regarding the handling of personal and corporate data. Be knowledgeable of these policies and follow them to the letter. Guidelines will also exist covering the handling of PII in certain situations. Treat these as absolute rules with no room for personal interpretation. Your job and someone’s financial well-being can both suffer irreparable damage.


That’s all for Objective 220-1002 4.6! You are very close to the end. Keep up the good work! Good Luck on the test!
