Software Licensing
Software licensing defines how software may be used. License types:
Commercial/Retail: purchased for a fixed number of devices (per-seat or per-device); use must comply with the license agreement.
OEM (Original Equipment Manufacturer): sold with hardware and tied to that device; it cannot be transferred to another computer. Generally cheaper than retail but non-transferable.
Volume licensing: enterprise contracts allowing installation on many devices (Microsoft Select, Open License, Enterprise Agreement).
Open source: source code is publicly available, and the license grants the right to use, modify, and distribute it (GPL, MIT, Apache, BSD). GPL: derivative works must also be GPL (copyleft). MIT/BSD/Apache: permissive; derivative works can be proprietary.
Freeware: free to use, but no source code access, so not open source (example: older versions of Adobe Reader).
Shareware: try before you buy; limited trial period or limited features.
Subscription: paid recurring fee (Microsoft 365, Adobe Creative Cloud).
License portability: Microsoft 365 allows installation on multiple devices under one subscription; always check the license terms.
Software Asset Management (SAM): ensures all installed software is properly licensed and avoids audit penalties.
PII (Personally Identifiable Information)
PII: any information that can identify a specific individual. Examples: name, email, phone number, social security number, date of birth, address, IP address, biometric data, financial account numbers, medical records.
PHI (Protected Health Information): PII related to health conditions; protected by HIPAA.
PCI (Payment Card Industry): standards protecting credit card data.
Why PII matters for A+ technicians: when providing support, technicians may encounter PII on user screens, in databases, or in files. Handle PII carefully: use the minimum access necessary, do not copy or share it unnecessarily, do not leave it visible on unattended screens, and report any accidental exposure.
Data retention policies: organizations must retain some records for compliance (HIPAA: 6 years, financial: 7 years) and securely dispose of data that is no longer needed.
Right to be forgotten (GDPR): individuals can request deletion of their personal data.
Cloud data location (data sovereignty): some regulations require data to be stored in specific countries.
Regulations and Compliance
HIPAA (Health Insurance Portability and Accountability Act): U.S. regulation that protects PHI. Requires access controls, audit logging, encryption, and breach notification. Penalties: $100–$50,000 per violation.
GDPR (General Data Protection Regulation): EU regulation that applies to any organization handling EU residents' data. Requires consent, data minimization, and breach notification within 72 hours.
CCPA (California Consumer Privacy Act): U.S. state law giving California residents rights over their personal data.
PCI-DSS (Payment Card Industry Data Security Standard): not a government law but an industry standard for organizations handling payment cards. Requires encryption, network segmentation, access controls, and regular audits.
FERPA (Family Educational Rights and Privacy Act): protects student educational records.
SOX (Sarbanes-Oxley): financial reporting and record-keeping requirements for public companies.
Incident reporting obligations: many regulations require breach notification. HIPAA: within 60 days to HHS. GDPR: within 72 hours to the supervisory authority.
Acceptable Use Policy (AUP)
AUP: written policy that users must agree to before using organizational IT resources. It covers permitted and prohibited use of company equipment, networks, email, and internet access.
Examples of prohibited activities: accessing illegal content, installing unauthorized software, using company systems for personal business, bypassing security controls, sharing credentials.
AUP enforcement: technical controls enforce much of the AUP (content filtering, application whitelisting, MDM).
Policy violations: documented in HR records; may result in disciplinary action up to and including termination.
Technical monitoring: many organizations monitor internet usage, email, and system activity. Users should have no expectation of privacy on company systems, and the AUP typically states this explicitly.
Mobile device AUP: covers both corporate-issued and BYOD devices, including limits on personal use of BYOD devices.
New hire onboarding: the AUP is signed at hiring and reviewed periodically, with refresher training whenever the policy changes.
Incident Reporting and Ethics
Mandatory reporting scenarios:
Discovered child exploitation material: mandatory report to law enforcement (NCMEC CyberTipline in the US), regardless of who the material belongs to.
Personal data breach: mandatory reporting to regulatory bodies (HIPAA: HHS; GDPR: supervisory authority) and to affected individuals.
Illegal activity on company systems: follow company policy, which typically involves HR, legal, and management before involving law enforcement.
Ethics in IT: do not use admin credentials to snoop in user accounts beyond what is necessary for the support task.
Honest documentation: accurately document what was done and what was found; do not cover up mistakes.
Protecting confidential information: client and employer information is confidential; NDAs and fiduciary duty apply.
Code of ethics: CompTIA's IT Professional Code of Ethics emphasizes honesty, integrity, objectivity, competence, confidentiality, and respect for the law.
Social media and public statements: do not share client or employer confidential information on social media.