Codebase Risk
Open source software may have hidden costs, such as maintenance, support, security, and compliance. Users and contributors need to be aware of the total cost of ownership and the implications of using different licenses.
Open source software may have hidden costs, such as maintenance, support, security, and compliance. Users and contributors need to be aware of the total cost of ownership and the implications of using different licenses.
Data leakage risk refers to the potential for sensitive or confidential information to be unintentionally or maliciously disclosed outside of an organization, leading to potential harm to the organization's reputation, finances, or legal standing.
Legal risk refers to the potential for an organization to face legal consequences and financial or reputational harm as a result of its actions or decisions that violate laws and regulations.
Strategic risk refers to the potential for adverse outcomes resulting from decisions made by an organization's leadership regarding its long-term goals, objectives, and competitive position.
Accounting regulations for financial institutions are a set of rules and standards that govern how these institutions record, report, and interpret financial data.
Many organisations are bound by what is allowed to cross their borders. For example: in Swiss banks, there are strong controls in place to make sure no data leaves Switzerland. This is a consideration for code too, as code contributed to GitHub is data leaving the organisation and there may be requirements around these obligations.
Cybersecurity regulation refers to legal measures and guidelines designed to protect networks, devices, programs, and data from digital attacks, theft, damage, or unauthorized access. These regulations impose standards, procedures, and responsibilities on individuals, organizations, and governments to ensure the confidentiality, integrity, and availability of digital information and systems.
Export controls are legal and regulatory measures implemented by countries to control the export of sensitive goods, technology, software, and information for reasons related to national security, foreign policy, or economic protection.
Open source software is typically distributed under specific licensing terms and conditions that may affect how the software can be used, modified, and distributed. Compliance with these licensing requirements is essential to ensure that the organization does not infringe on the intellectual property rights of the software developers or violate the terms of the license.
Leakage of personal information has a knock-on to Reputational Risk and Legal Risk, as explored in the section below. As noted in the BOK activities addressing supply chain security, incorporating secure development into the Software Development Lifecycle is therefore also a compliance issue.
Many countries are prevented from selling into certain territories (US into Iran for example).
A security expert is responsible for ensuring the security of an organization's information systems and data. They conduct security assessments, identify vulnerabilities, and implement security controls to protect the company's data and systems.
Historically, employees in banks have faced challenges contributing to open source due to factors such as stringent regulatory environments, the sensitive nature of financial data, concerns over intellectual property rights, lack of internal policies or guidelines related to open source contributions, and a traditional banking culture that may not fully embrace the open, collaborative ethos of open source development.
Using open source within regulated organisations must be done in accordance with the policies and procedures in place to control risks and adhere to regulation. In this article we will look at:
THIS IS A PLACEHOLDER
Refer to Policy as the output from this activity.
THIS IS A PLACEHOLDER
Within the Open Source Ecosystem, millions of projects exist and some of the projects are duplicate efforts. The open source community is vast and sometimes very hard to reach.
THIS IS A PLACEHOLDER
We currently live in a world where OSS is everywhere, consumable, helpful and can make a positive or negative outcome on the programs we rely on. Strong open source projects can lessen technical debt, increase reusability and discoverability. For the purpose of this guide, we will cover some key principles and practices for managing your open source project effectively.
Managing talent in financial institutions is crucial because the quality, motivation, and expertise of their workforce directly influence the institutions' ability to innovate, maintain a competitive edge, comply with regulatory requirements, and ultimately drive financial performance and growth.
This guide is intended to help OSPOs of all maturity levels build an open source training course that is created with purpose to deliver impact. Whether your OSPO recently launched or is looking into re-doing the firms open source training, this guide will provide ideas and content that can be implemented to a comprehensive open source training course.
It is generally preferable if an Open Source Contribution Policy can be enforced via tooling (so called policy as code). However, often policy will refer to behaviours and expectations of staff which cannot be controlled through systems. In these cases, training courses will be needed to help promote desired behaviours.
THIS IS A PLACEHOLDER
THIS IS A PLACEHOLDER
Software inventory is a precondition to most of the activities involved in OSMM level 2. The first step to licence compliance or supply chain security is to understand what software is in your estate.
This section of the body of knowledge looks at the available training on open source.
Open Source Business Models
An open source policy is a set of guidelines that outlines how an organization will consume, contribute to, and create open source software. It defines the rules that govern the use, distribution, and licensing of open source software within the organization. It establishes processes for evaluating open source software, managing the risks associated with its use, and ensuring compliance with legal and ethical requirements.
THIS IS A PLACEHOLDER