EVALUATING RISKS OF OPEN SOURCE SOFTWARE

Enterprises are in a quandary when it comes to business applications. On the one hand, applications are the lifeblood of most organisations in today's business climate: better applications mean business teams are more effective, more flexible, and able to respond faster to changes in the marketplace. Faster and more reliable deployment of applications in turn means business teams realise those benefits sooner. In short, business applications – and the processes we have in place to support their timely release, appropriate functioning and ongoing maintenance – bear directly on the competitiveness of our organisations as a whole.

On the other hand, applications can also introduce risk (a fact that we, as compliance and risk professionals, probably know better than anybody else). There are technical risks that relate to the application itself and the infrastructure on which it runs; there are supply chain risks that vary depending on how the application is sourced and provided (for example, whether it is hosted in the cloud, or whether vendor personnel have direct access to it); and there are potential compliance risks depending on how it is used (for example, whether it stores, processes or transmits credit card data, or employee or customer personally identifiable information (PII)).

The point is that, given both the considerable value applications bring to the business and the risks they can introduce, being able to evaluate the risk equation for business applications holistically, accurately and objectively is a key tenet of keeping the business protected. One might argue, in fact, that the ability to manage application risk is a touchstone of an effective risk management programme as a whole, and that it goes hand in hand with an effective compliance strategy.

Oct-Dec 2015 Issue

ISACA