Skip to main content
Revy's Tech Journey, powered by Revtek
Back to Study
A+ Core 2 · CompTIA 220-1202 V15 · Objective C2-4.6

Explain the importance of prohibited content/activity and privacy, licensing, and policy concepts

Drill flashcardsFocused quizBrowse all objectives (sidebar view)

Objective 4.6: Explain the importance of prohibited content/activity and privacy, licensing, and policy concepts

Cert: CompTIA A+ Core 2 (220-1202) V15 Domain: 4.0 Operational Procedures Weight: Part of the 21% Operational Procedures domain Depth: Explain. The candidate must recognize incident response steps, licensing types, NDAs, regulated data categories, acceptable use policies, and compliance requirements.

What this objective tests

You should understand the formal IR steps (chain of custody, order of volatility, documentation, drive imaging), the licensing landscape (EULA, perpetual, personal vs corporate, open-source), NDA scope, regulated data categories, AUP, and compliance enforcement via splash screens.

Key facts

Incident response (IR):

  • Structured response when something bad happens: breach, malware, data loss, misuse.

Chain of custody:

  • Documented record of who handled evidence, when, where, what they did.
  • Required for evidence to hold up in court or formal investigation.
  • Breaks in chain of custody can invalidate evidence.

Informing management / law enforcement as necessary:

  • Internal: escalate to security team, manager, legal.
  • External: law enforcement for crimes (FBI IC3 for cyber crimes in the US), regulators for breach notification (HIPAA breach notification within 60 days, GDPR within 72 hours).

Copy of drive (data integrity and preservation):

  • Forensic image: bit-for-bit copy of the original drive, preserving deleted file fragments and metadata.
  • Made with write-blocker (read-only adapter) and tools like FTK Imager, dd, EnCase.
  • Original drive is preserved; analysis happens on the copy.

Incident documentation:

  • Timeline of events, actions taken, people involved, evidence collected, findings.
  • Required for post-incident review, audits, legal proceedings, future training.

Order of volatility:

  • Sequence to collect evidence from most volatile (lost fastest) to least.
  • Standard order: CPU registers/cache > RAM > network state (running connections, ARP cache) > running processes/temp files > disk > backups > printed/archived data.
  • Collect volatile data first; otherwise it disappears (RAM clears on power off).

Licensing / Digital Rights Management (DRM) / End-User License Agreement (EULA):

  • License: legal permission to use software under specified terms.
  • DRM: technical enforcement of license terms (activation, copy protection, regional locks).
  • EULA: contract between software vendor and user; sets terms.

Valid licenses:

  • Properly licensed software within terms (user count, environment, duration).
  • Audits verify compliance; non-compliance leads to true-up costs or legal action.

Perpetual license agreement:

  • One-time purchase grants right to use the software indefinitely. May include limited support/upgrade window.
  • Older licensing model; some vendors still offer (e.g., Microsoft Office 2024 LTSC), but most software is moving to subscription.

Personal-use license vs corporate-use license:

  • Personal: one user, one or few devices, non-commercial. Cheaper.
  • Corporate: per-seat or per-device, commercial use, often includes deployment and admin features.
  • Using personal-licensed software for business work is a license violation.

Open-source license:

  • Source code available; license sets terms for use, modification, redistribution.
  • Common licenses: MIT (permissive), Apache 2.0 (permissive), GPL (copyleft, requires derivatives to also be open).
  • "Open source" doesn't mean "free of obligations." Read the license.

Non-disclosure agreement (NDA) / Mutual NDA (MNDA):

  • Contract restricting disclosure of confidential information.
  • NDA: one party shares confidential info with another.
  • MNDA: both parties share confidential info with each other.
  • Common when MSPs onboard clients or when vendors evaluate technology.

Regulated data categories:

  • Data subject to specific legal protections.

Credit card payment information:

  • PCI DSS compliance required for any system handling cardholder data.
  • Storing CCV/CVV is generally prohibited.
  • Cardholder data environment must be segmented and monitored.

Personal government-issued information:

  • Social Security numbers, driver's licenses, passports.
  • High-value identity theft target. Encryption + access controls + minimal retention.

Personally Identifiable Information (PII):

  • Information that identifies an individual: name, address, phone, email, biometrics, IP address (in some interpretations).
  • Subject to GDPR (EU), CCPA (California), and similar.

Healthcare data (PHI under HIPAA):

  • Health information tied to an individual.
  • HIPAA in the US, equivalent regulations elsewhere.
  • Strong access controls, audit logging, encryption requirements.

Data retention requirements:

  • How long data must (or must not) be kept. Driven by industry (HIPAA: 6+ years for medical records), legal (tax records 7 years), policy (delete user data within 30 days of account closure).
  • Both minimum retention and maximum retention matter; some regs require deletion after a period.

Acceptable Use Policy (AUP):

  • Document defining what users can/can't do with the org's IT resources.
  • Common elements: no personal use during work hours (varies), no unauthorized software, no harassment, no piracy, no unauthorized data transfer.
  • Users sign on hire; required for accountability.

Regulatory and business compliance requirements:

  • HIPAA (healthcare), PCI DSS (payment cards), SOC 2 (service orgs), GDPR (EU privacy), CCPA (California privacy), FERPA (education), GLBA (financial), SOX (public company financial reporting).
  • Each prescribes controls and documentation; periodic audits verify compliance.

Splash screens:

  • Login banner displayed before user signs in, stating acceptable use, monitoring notice, no expectation of privacy.
  • Required by some regulations (DoD, certain HIPAA contexts) to establish legal grounds for monitoring.

Common gotchas

  • Personal-use license used for business work. License violation. Audit findings get expensive.
  • Order of volatility ignored. Powered off the PC first, lost RAM evidence forever.
  • No chain of custody on a drive image. Evidence inadmissible.
  • Splash screen never updated. Old policy, weak legal position.
  • PII in a "test" database. Same regulations apply. Use synthetic test data.
  • AUP unsigned by long-tenured employees. Risk for enforcement actions.
  • Open-source license violation (e.g., shipping GPL code in proprietary product without source). Legal exposure.

Real-world context

Incident response playbook outline:

  1. Detect / report: user, alert, monitoring.
  2. Triage: confirm, assess scope, classify severity.
  3. Contain: isolate affected systems (network disconnect, not power-off if volatile evidence matters).
  4. Preserve evidence: capture order of volatility, image drives, document.
  5. Eradicate: remove malware, close attack path.
  6. Recover: restore from clean backups, verify systems are clean.
  7. Lessons learned: post-incident review, update controls, train staff.

For each step: who does it, what tools, what records. Don't improvise during an incident.

Compliance starting points for an SMB:

  • Acceptable Use Policy signed by all employees.
  • Privacy notice on the website covering data collection and rights (GDPR/CCPA-aligned).
  • MSA + NDA with clients and vendors.
  • License inventory with renewal dates and per-seat counts.
  • Data classification identifying which data is regulated and where it lives.
  • Retention schedule matching policies to data types.

Sources

  • [CompTIA A+ 220-1202 Exam Objectives Version 4.0, Section 4.6](../../../../../../30-RevyTechJourney/CompTIA%20A%2B%20220-1202%20Exam%20Objectives%20%284.0%29.pdf)
  • [NIST SP 800-61: Computer Security Incident Handling Guide](https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final)
  • [HHS: HIPAA Overview](https://www.hhs.gov/hipaa/)
  • [PCI Security Standards: PCI DSS](https://www.pcisecuritystandards.org/)
  • [GDPR Official Text](https://gdpr-info.eu/)
  • [Open Source Initiative: Licenses](https://opensource.org/licenses/)