Risk Management of Free and Open Source Software

04-CU-14 / November 2004
To: Federally Insured Credit Unions
Subject: Risk Management of Free and Open Source Software

DEAR BOARD OF DIRECTORS:

The purpose of this letter is to make you aware of guidance recently released by the Federal Financial Institutions Examination Council (FFIEC)¹ to financial institutions regarding risk management practices for free and open source software (FOSS). If your credit union uses, or is planning to use, free and open source software, I encourage you to carefully review the enclosed FFIEC guidance paper.

FOSS refers to software that users are allowed to run, study, modify, and redistribute without paying a licensing fee. The use of FOSS is increasing within the mainstream information technology and financial services industries.

While the use of FOSS does not pose risks that are fundamentally different from those presented by proprietary or self-developed software, the acquisition and use of FOSS does necessitate implementation of unique risk management practices. This guidance supplements the FFIEC IT Examination Handbook “Development and Acquisition Booklet” by addressing strategic, operational, and legal risk considerations in acquiring and using FOSS. Key points emphasized in the guidance paper include:

  • Software requirements should be driven by the credit union’s strategic business objectives. Institutions should evaluate the benefits of implementing software in terms of its effectiveness, efficiency, and ability to support future growth.
  • Operational risk considerations associated with the use of FOSS that warrant attention include code integrity, sufficiency of documentation, contingency planning, and support.
  • Credit unions should identify and consider the legal risks associated with the use of FOSS prior to deployment or development. Key legal risks include licensing, infringement, indemnification, and warranties.

I encourage you to consider the risk management practices associated with the use of FOSS contained in the enclosed guidance. Should you have any questions or concerns, please contact your NCUA Regional Office or State Supervisory Authority.

Sincerely,

/S/

JoAnn M. Johnson

Chairman

¹ Federal Financial Institutions Examination Council member agencies include the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Office of the Comptroller of the Currency, and the Office of Thrift Supervision.