Transcript for:
Software Licensing & Data Security

Any software you install onto your computer or a server at your company usually includes some type of license. The terms of this license are usually presented during the installation process; it's that long contract that you always scroll all the way through and click OK at the bottom. That license includes terms and conditions that set the overall use of the software, how many copies of the software you can make, and what your backup options for the software might be.

Many of these terms and conditions also include information about how the software is licensed. It might be a per-seat license, so when you purchase one license, that one license is assigned to a seat, which is usually a person in your organization. If you have 20 people who need to use this software, then you'll need 20 per-seat licenses. Some software is licensed as a concurrent license, which determines how many people can use the software at the same time. So if there are 20 people in your organization who need to use this software, but only 10 of those people will be using it at any particular time, then you only need 10 concurrent licenses. Some software is licensed by duration. This is an ongoing subscription, based on an annual subscription, a three-year subscription, or some other time frame. In most of these cases you are able to use the software up until that expiration date, and past that point you will need to relicense the software to continue using it.

If you're purchasing a software license to use at home, this is usually a personal license. It's usually associated with the computer that you're using, although some software allows you to install it on multiple devices within your own home. In the home market this software is often licensed on a perpetual basis, which means you pay one cost to be able to use the software and you don't have to pay any additional costs in the future. In a corporate environment we have many more people who need to use the software, so we might purchase per-seat licenses, or it might be a site license where we can install the software on all of the systems in the company. These types of licenses usually come with an annual renewal, so you have to make sure you pay your renewal cost every year to keep using the software.

The software might be available online, and you might have direct access to the source code. Very often this is software licensed as free and open-source software, or FOSS. This free and open-source software comes with the source code; you can modify the source code and compile it yourself to run on your own computers. This is very different from, for example, purchasing software from a company like Microsoft. Microsoft does not provide you with the source code; they simply give you an executable that will run on the platforms you're using. With closed-source software you don't have any access to the code, and you have no way to modify any part of that application.

That long list of terms and conditions that you see during the installation process is known as an end-user license agreement, or EULA. This is effectively an online contract that you must agree to before you're able to continue with the installation process.

There may be times when one of your software vendors would like to stop by and demonstrate pre-release capabilities of software that may be coming in the future, but before they show you this pre-release software they require you to sign a non-disclosure agreement, or NDA. This is a confidentiality agreement. It ensures that one or more people involved in the contract will not disclose what they've seen to anyone else. This is very common when you're working with a third party and you need some type of privacy or confidentiality between the parties; this might be to maintain trade secrets, or perhaps we just don't want any of these business activities to be known by anyone else. The example of a software company having a meeting with you to show you pre-release software may require a unilateral NDA, but if you're also sharing information with the software company, you might need a bilateral NDA, where both parties maintain the confidentiality of what's talked about during that meeting. These are formal contracts; they'll usually slide a piece of paper across the table that you'll need to sign to confirm that you agree with everything listed in the non-disclosure agreement.

The credit card industry has created comprehensive rules regarding the processing and storage of credit card information. We refer to this as the Payment Card Industry Data Security Standard, or PCI DSS; you'll often hear people abbreviate this as simply PCI. A summary of just part of the PCI DSS revolves around six control objectives. You need to make sure that you build and maintain a secure network and secure systems on that network. You have to protect cardholder data, especially if you are storing that information. You need to maintain a vulnerability management program; this ensures that the credit card company knows you are performing constant audits to keep your network safe. You need to provide strong access control measures, so there might be not only a username and password but also multifactor authentication. There needs to be regular monitoring and testing of all of your networks. And you should maintain an information security policy, which is really a good best practice whether you're protecting credit card information or any other type of data.

We also store a great deal of private information with our governments. Government information is used for social security purposes, there's personal information on your driver's license, and many governments store a great deal of health care information as well. There are most likely a number of restrictions associated with the collection and storage of government information, so you'll need to check with your local laws to see what you're able to do with government data and what information you're not allowed to collect. Unfortunately, this collection of information by the government can sometimes be a disadvantage. For example, in July of 2015 the OPM, the Office of Personnel Management, was compromised and personal information was leaked onto the internet. This included names, social security numbers, dates of birth, job assignments, and other private information. A total of 21.5 million people were affected by this government breach.

Any data that you can use to identify an individual is referred to as PII, personally identifiable information. When you're writing security policies, it's usually a good idea to document how your organization will handle PII. We often forget how valuable this personal information can be. We sometimes think of a name and an address as something that is easily available to anyone, but in reality, that combined with other pieces of information can create a privacy issue. So we have to think about how we use this PII as a normal part of our data processing and how we protect that information from others. We often use PII as a security tool, and attackers love to get their hands on personal information because it might gain them access to bank account information, or they may be able to perform a password reset, because the password reset process is asking about personal details that are part of this PII.

A similar type of personal information that focuses on health care information is PHI, protected health information. This might include your health care records, your health status, or anything else associated with your medical history. Of course, we use many different health care providers in our day-to-day lives, and there are standard ways that these providers can transfer your PHI from one provider to another over a secure channel. In the United States we have laws associated with protected health information known as HIPAA, the Health Insurance Portability and Accountability Act of 1996.

Your organization may have a process in place to store information over a long period of time, and it may also include versioned information over that period. So there might be a document that has changed today; that document may be different tomorrow, and it might be updated again the day after. Part of your job might be to retain all of these different versions and have a way to revert back to a previous version at any time. We might also have data retention requirements based around the recovery of data. For example, if our organization is infected with a virus or a worm, we might need a way to go back in time up to 30 days to be able to recover some of our company's data. And often data retention is built into the laws that we must follow as part of our normal business practices. For example, if you're in a legal firm or you work for the government, there might be laws that require email to be retained over a number of years, or if you're a public corporation, there might be requirements to store tax information or financial details for a long period of time. You'll need to check the laws in your area, or those that deal with your organization, to see what the data retention requirements might be for you.

When you start working for a company, they might ask you to sign a document known as an AUP, an acceptable use policy. This is a set of documentation that describes how the technology you've been given should be used as part of your normal job function. For example, your company might have specific rules associated with using the internet, telephones, computers, mobile devices, and any other type of technology. This documentation is often used by an organization to limit its legal liability: if somebody needs to be dismissed from the organization due to misuse of the technology, they have documentation signed by you that says you agree with these rules and regulations.

Another way to inform people of an expectation on a system is to provide that message when they're logging in. We often refer to this message as a splash screen. Sometimes this splash screen is simply informational, telling you what is expected of you when you're using this particular service, or it might be a legal requirement, and you're required to agree with the splash screen before you're able to use the service. For example, if I want to use the geographical information service from my local government, there's a splash screen that is presented during the login process. This splash screen says that if you have any web accessibility issues with the site, here's an email contact or phone number during normal Orange County government business hours, and they give that as Monday through Friday, 8 to 5:00. Then they state that the data is provided as is, without any warranty or any representation of accuracy, and more legal information that's important to know as you're using this data from this government agency.