Privacy, Licensing & Organizational Policies
Key Takeaways
- Software licensing types include per-seat (per device), per-user (per person), site license (unlimited within an organization), open-source (source code available under a license that permits modification and redistribution, usually free of charge), and subscription (recurring payment).
- Personally Identifiable Information (PII) includes names, Social Security numbers, addresses, phone numbers, email addresses, and financial data — all must be protected according to privacy regulations.
- GDPR (European Union), HIPAA (US healthcare), and PCI-DSS (payment card industry) are key regulatory frameworks that govern how organizations must handle sensitive data.
- Acceptable Use Policies (AUP) define how employees may use company IT resources, including internet use, email, software installation, and social media during work hours.
- End-of-life (EOL) software no longer receives security patches and must be upgraded or replaced — running EOL software creates significant security vulnerabilities.
Last updated: March 2026
Software Licensing
| License Type | Description | Example |
|---|---|---|
| Per-Seat (Per Device) | License tied to a specific computer | Office installed on 50 specific PCs = 50 licenses |
| Per-User | License tied to a person (can use on multiple devices) | Microsoft 365 per-user (5 devices per user) |
| Site License | Unlimited use within an organization or location | Campus-wide software agreement |
| Open-Source | Source code available under a license permitting modification and redistribution; usually free of charge | Linux, Firefox, LibreOffice, 7-Zip |
| Freeware | Free to use, but source code is not available | Adobe Acrobat Reader |
| Shareware/Trial | Free trial with limited features or time period | WinRAR, many productivity tools |
| Subscription | Recurring payment (monthly/annual) | Microsoft 365, Adobe Creative Cloud |
| Volume License | Bulk purchase at discounted rates | Enterprise Windows/Office deployments |
| EULA | End User License Agreement — legal terms for using software | Every commercial software installation |
Digital Rights Management (DRM)
- Technology that controls how digital content can be used, copied, or distributed
- Common in software, music, video, and ebooks
- Examples: Product keys, online activation, anti-copying measures
Regulated Data Types
Personally Identifiable Information (PII)
Information that can identify a specific individual:
- Full name
- Social Security Number (SSN)
- Date of birth
- Home address
- Phone number
- Email address
- Driver's license number
- Financial account numbers
- Biometric data
Protected Health Information (PHI)
- Any health-related information linked to an individual
- Governed by HIPAA (Health Insurance Portability and Accountability Act)
- Includes medical records, test results, prescriptions, insurance information
- Should be encrypted at rest and in transit; the HIPAA Security Rule lists encryption as an "addressable" safeguard, so an organization that does not encrypt must document why and what equivalent control it uses instead
Payment Card Industry Data (PCI)
- Primary account number (PAN), cardholder name, expiration date, and sensitive authentication data (CVV/CVC, full magnetic-stripe or chip data, PINs)
- Governed by PCI-DSS (Payment Card Industry Data Security Standard), a contractual industry standard enforced by the card brands and acquiring banks
- The PAN must be rendered unreadable wherever it is stored (encryption, truncation, tokenization, or hashing) and masked when displayed (at most the first six and last four digits)
- Sensitive authentication data such as the CVV must never be stored after authorization, even in encrypted form
- Requires encryption of card data in transit, strict access controls, logging, and regular security assessments
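A practical consequence of the rules above is that card numbers and SSNs tend to leak into places they do not belong, such as application logs. The following is an added example, not code from the original page: it scans constructed sample log lines for candidate card numbers, uses the Luhn mod-10 check to separate real PANs from other long digit runs (order IDs, timestamps), masks the PAN down to its last four digits, and redacts SSNs. The log lines and field names are invented for the demonstration.

```python
import re

# Constructed sample log lines for the demonstration; not from any real system.
# The card numbers are the well-known Visa/Mastercard test numbers.
SAMPLE_LOG = [
    "2026-03-01T10:22:01Z order=5521 card=4111 1111 1111 1111 customer=Jane Doe",
    "2026-03-01T10:22:05Z refund card=5555-5555-5555-4444 amount=19.99",
    "2026-03-01T10:23:10Z ts=20260301102201 batch=4111 1111 1111 1112 status=ok",
    "2026-03-01T10:24:00Z hr-export ssn=123-45-6789 name=John Smith",
]

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common 3-2-4 hyphenated form.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Every second digit from the right is doubled; doubled values above 9
    have 9 subtracted. The number is valid when the sum is divisible by 10.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card numbers found in text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def _mask_pan(match: re.Match) -> str:
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_valid(digits):
        # Long digit run that is not a card number (timestamp, batch ID): leave it.
        return raw
    # PCI DSS permits showing at most first six and last four; keep only the last four.
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(line: str) -> str:
    """Mask Luhn-valid PANs and redact SSNs in a single log line."""
    line = PAN_RE.sub(_mask_pan, line)
    line = SSN_RE.sub("***-**-****", line)
    return line


def redact_log(lines: list[str]) -> list[str]:
    return [redact(line) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOG, redact_log(SAMPLE_LOG)):
        print(after)
```

The Luhn check is what keeps the redactor from mangling every 14-digit timestamp; the third sample line contains both a timestamp and a 16-digit number with a wrong check digit, and neither is touched. Redaction of this kind belongs at the logging layer, before data is written, not as a cleanup run over logs that already contain cardholder data.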
Key Regulations
| Regulation | Scope | Key Requirement |
|---|---|---|
| GDPR | EU/EEA; applies to any organization worldwide that processes personal data of people in the EU | Lawful basis and consent for processing, data subject rights (access, erasure), 72-hour breach notification to regulators |
| HIPAA | US healthcare providers, health plans, clearinghouses, and their business associates | PHI protection (Privacy and Security Rules), breach notification, encryption as an addressable safeguard |
| PCI-DSS | Anyone storing, processing, or transmitting payment card data (a contractual standard, not a law) | Protection of stored card data, encryption in transit, access controls, logging and regular assessments |
| SOX | US publicly traded companies | Financial record integrity, audit trails |
| FERPA | US educational institutions | Student education record privacy |
Organizational Policies
Acceptable Use Policy (AUP)
Defines permitted and prohibited use of company IT resources:
- Internet usage guidelines (blocked categories, personal use limits)
- Email usage rules (no personal use, no forwarding sensitive data)
- Software installation restrictions (no unauthorized software)
- Social media guidelines during work hours
- Consequences for policy violations
Incident Response Plan
Defined steps for handling security incidents:
- Preparation — Establish procedures, train staff, deploy tools
- Identification — Detect and confirm the incident
- Containment — Limit the damage and prevent spread
- Eradication — Remove the threat from the environment
- Recovery — Restore systems to normal operation
- Lessons Learned — Document and improve processes
Password Policy
- Minimum length and complexity requirements; forced periodic rotation was once standard but current NIST SP 800-63B guidance recommends changing passwords only when compromise is known or suspected
- Account lockout thresholds
- MFA requirements
- Password manager recommendations
Data Retention Policy
- How long different types of data must be kept
- When and how data should be securely destroyed
- Legal and regulatory retention requirements
End-of-Life (EOL) Software
| Concern | Detail |
|---|---|
| Security Risk | No more security patches — vulnerabilities remain unpatched |
| Compliance Risk | Using EOL software may violate regulatory requirements |
| Compatibility | New software and hardware may not support EOL systems |
| Support | Vendor no longer provides technical support |
| Action Required | Upgrade, replace, or isolate EOL systems from the network |
Example: Windows 10 reached end of support on October 14, 2025. After that date, Microsoft no longer releases security updates for it (except to devices enrolled in the paid Extended Security Updates program), so any newly discovered vulnerability remains exploitable on unenrolled systems.
Test Your Knowledge
- What type of software license allows unlimited installations within an organization? (Site license)
- Which regulation governs the protection of patient health information in the United States? (HIPAA)
- Why is it critical to upgrade or replace end-of-life (EOL) software? (It no longer receives security patches, so new vulnerabilities stay unpatched)
- Arrange the incident response steps in the correct order: Recovery, Identification, Lessons Learned, Preparation, Containment, Eradication (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned)