
Journal TykeClone's Journal: Government Banking Regulators weigh in on open source

This week, the FFIEC and the FDIC issued an interagency guidance on the use of open source software in financial institutions.

This is important to those of us who work in IT in banks. The guidance will be used by your IT examiners to grade you on how you are mitigating the "risks" as shown in the guidance. Where these examiners aren't IT professionals (they're more like auditors with no IT experience), they go by the book on looking at your infrastructure.

As guidances go, this one isn't too bad - issues (whether you agree with them or not) are clearly laid out and terms are explained in words that the examiners can understand.

The guidance breaks down the risks into strategic (compatibility, forking, maturity, and TCO), operational (code integrity, documentation, contingency planning, and external support), and legal (SCO - enough said).

The legal section of the guidance is right on - there are legal issues that are still being hashed out - see SCO vs. IBM.

The strategic risks aren't too badly written. They're basically saying to use the right tool for the job. Hopefully the examiners will read it that way.

The operational risks are way off. They talk about a lack of support and documentation for open source projects - which is bullhockey for the ones that I've used. They also spoke of contingency planning - and thought it would be difficult to replace your software in the event that you needed to - also not entirely true. The operational risks section looked like it was written from a press release by Microsoft.
