4.6 Explain the process for addressing prohibited content/activity, and privacy, licensing, and policy concepts

Six control objectives

- Build and Maintain a Secure Network and Systems - Protect Cardholder Data - Maintain a Vulnerability Management Program - Implement Strong Access Control Measures - Regularly Monitor and Test Networks - Maintain an Information Security Policy

PCI DSS (Payment Card Industry Data Security Standard)

A standard for protecting credit cards

Incident response: Chain of Custody

Control evidence - Maintain integrity Everyone who contacts the evidence - Avoid tampering, use hashes Label and catalog everything - Seal, store and protect. Use digital signatures

Personal License

Designed for the home user Usually associated with a single device Or small group of devices owned by the same person Perpetual (One time) purchase

EULA (End User Licensing Agreement)

Determines how the software can be used

Incident response: Documentation

Documentation must be available - No questions Gather as much information as possible - Written notes, pictures Documentation always changes - Constant updating, Have a process in place, Use the wiki model

Policies

General IT guidelines Determines how technology should be used Provides processes for handling important technology decisions

Incident Response: First response

Identify the issue - Logs, in person, monitoring data Report to proper channels - don't delay Collect and protect information relating to an event

PHI (Protected Health Information)

Individually identifiable health information that is transmitted or maintained by electronic media.

PII (Personally Identifiable Information)

Information that can be used to identify an individual. Should be protected as sensitive data.

GDPR (General Data Protection Regulation)

New European Union law on data protection and privacy for individuals.

Enterprise License

Per-seat purchase / Site license The software may be installed everywhere Annual renewals

Security best practices

Some security techniques are accepted standards Covers both processes and technologies You need a firewall, Use WPA2, Use strong passwords

FOSS (Free and open software)

Source code is freely available, End user can compile their own executable

Closed source / Commercial

Source code is private, End user gets compiled executable

DRM (Digital Rights Management)

Used to manage the use of software