FFIEC: Risk Management of Free and Open Source Software  

Resources for Federal Financial Institutions Examination Council (FFIEC)

The Federal Financial Institutions Examination Council (FFIEC)

This guidance is intended to raise awareness within the financial services industry of risks and risk management practices applicable to the use of free and open source software (FOSS). For the purpose of this guidance, FOSS refers to software that users are allowed to run, study, modify, and redistribute without paying a licensing fee. Access to source code is a prerequisite to the use of FOSS. A few of the most well-known examples of FOSS are the Linux operating system, Apache web server, and MySQL database. FOSS is also widely used for network monitoring, diagnosis, and vulnerability testing tools such as the Snort and Kismet network intrusion detection systems, Nessus and Nmap security scanners, and Kismet wireless network detector.

The Federal Financial Institutions Examination Council (FFIEC) agencies believe that the use of FOSS by financial institutions or their technology service providers (hereafter referred to as institutions) involves strategic business decisions. The implementation of those decisions should include prudent risk management practices.

Copyright © 2007-2008 ComplianceHome.com. A SUPREMUS GROUP venture. All rights reserved.