Regulatory guidance over deployment of open source software

Created by Stuart Yeates (University of Oxford) on January 03, 2006

IT Director.com has published an article, based largely on an earlier report by the Federal Financial Institutions Examination Council (FFIEC), detailing the risks and benefits of institutional deployment of open source software. While it deals largely with conservative financial institutions, the advice and issues raised are of general applicability. The report concludes:

The use of FOSS by financial institutions does not pose risks that are fundamentally different from those presented by the use of proprietary or self-developed software. However, FOSS adoption and usage necessitates some distinctive risk management practices with which institutions must be familiar.
Submitted by StuartYeates on Fri, 2006/01/06 - 10:22am.

Thank you for your kind comments.

Don't be surprised about getting something for free out of the banking community, they play a very important role as ultra-conservative computer users. Particularly in the fields of reliability, security and auditing they've played a key role since the days when adding machines were strictly mechanical.

Looking at it from their point of view, they have a long-term interest in robust, secure and auditable systems (both computer systems and other systems) and an industry which is increasingly global, meaning individual bank systems must talk to peer systems around the world.

They're also very publicity shy, because falls in depositor confidence regularly lead to bank collapses, which means that much of the work is done either indirectly through industry groupings or by individuals who don't necessarily shout about their affiliation.

They work closely with various government bodies, including (in the US) the Federal Financial Institutions Examination Council (FFIEC) and people like the National Institute of Standards and Technology (NIST), who published a new encryption standard called the Advanced Encryption Standard (AES) which will be used extensively in the banking world.

Submitted by hes8 on Tue, 2006/01/03 - 7:06am.
A Treasure Trove - that's what Stuart uncovered for us. The article in IT Director is short - go ahead and read it and the FDIC report which is the other link (it doesn't actually link to the FFIEC booklet/manual - more about this below.) The FDIC "Letter" of advice to financial institutions is titled "Risk Management of Free and Open Source Software" (FOSS) and is a good (longer) treatment of prudent management practices.

But - since it focuses entirely on the risks of acquiring and using FOSS, IMHO it leaves a one-sided view. That is certainly unintentional, since it says that it is a supplement to the FFIEC Development and Acquisition IT Examination Handbook. This Handbook reviews the corresponding risks, and their management, for (1) developing software and (2) acquiring software. This Handbook plus the Letter provide a balanced treatment of risks/management for the three major sources of software.

Overall, this reading is IMHO a must for all higher ed IT management - even though this isn't the intended audience. (Much of higher ed's IT management is already aware of all of these issues, but, even for them, this material would provide a good review.) (I'm also tickled at the idea of getting something good for free from the banking community. :-)