Codebase Risk
Open source software may have hidden costs, such as maintenance, support, security, and compliance. Users and contributors need to be aware of the total cost of ownership and the implications of using different licenses.
Open source software may have hidden costs, such as maintenance, support, security, and compliance. Users and contributors need to be aware of the total cost of ownership and the implications of using different licenses.
Data leakage risk refers to the potential for sensitive or confidential information to be unintentionally or maliciously disclosed outside of an organization, leading to potential harm to the organization's reputation, finances, or legal standing.
Software dependency risk refers to the potential negative consequences of relying on external software components that can compromise the security, performance, quality or functionality of an organization's software systems.
Legal risk refers to the potential for an organization to face legal consequences and financial or reputational harm as a result of its actions or decisions that violate laws and regulations.
Operational Risk refers to the risk of loss resulting from inadequate or failed internal processes, human errors, systems or external events.
Reputational risk refers to the potential harm to an organization's reputation and credibility as a result of its actions or decisions.
Accounting regulations for financial institutions are a set of rules and standards that govern how these institutions record, report, and interpret financial data.
Anti-money laundering (AML) regulations are a set of procedures, laws, and regulations designed to halt the practice of generating income through illegal actions, such as laundering money. The use of open source software may present risks related to anti-money laundering and sanctions compliance, particularly if the software is used to facilitate financial transactions.
Anti-trust laws apply to banks by promoting competition and prohibiting behaviors that restrict it.
Regulated industries need to track communications internally and externally. Keep in mind these broad principles about communication in regulated firms:
These laws require financial institutions to implement measures that prevent, detect, and report suspicious activities or transactions related to the financing of terrorism or terrorist organizations.
Many organisations are bound by what is allowed to cross their borders. For example: in Swiss banks, there are strong controls in place to make sure no data leaves Switzerland. This is a consideration for code too, as code contributed to GitHub is data leaving the organisation and there may be requirements around these obligations.
Cybersecurity regulation refers to legal measures and guidelines designed to protect networks, devices, programs, and data from digital attacks, theft, damage, or unauthorized access. These regulations impose standards, procedures, and responsibilities on individuals, organizations, and governments to ensure the confidentiality, integrity, and availability of digital information and systems.
Export controls are legal and regulatory measures implemented by countries to control the export of sensitive goods, technology, software, and information for reasons related to national security, foreign policy, or economic protection.
Open source software is typically distributed under specific licensing terms and conditions that may affect how the software can be used, modified, and distributed. Compliance with these licensing requirements is essential to ensure that the organization does not infringe on the intellectual property rights of the software developers or violate the terms of the license.
Labour laws apply to all sectors, including banking. While they don't specifically target the banking industry, they do have significant implications for how banks operate and manage their employees.
Leakage of personal information has a knock-on to Reputational Risk and Legal Risk, as explored in the section below. As noted in the BOK activities addressing supply chain security, incorporating secure development into the Software Development Lifecycle is therefore also a compliance issue.
Many countries are prevented from selling into certain territories (US into Iran for example).
The CEO, or Chief Executive Officer, is the highest-ranking executive in a company and is responsible for leading and overseeing its overall direction and operations.
The Chief Information Officer (CIO) is The CIO oversees IT governance, data management, and information security, as well as the maintenance and enhancement of existing systems to support the organization's day-to-day operations.
The Chief Technology Officer CTO is primarily responsible for driving the development and implementation of new technologies, products, and services.
Security Experts, headed by the Chief Information Security Officer (CISO) in a bank play a crucial role in maintaining security around the institution's sensitive data, IT systems, and digital assets. A security expert is responsible for ensuring the security of an organization's information systems and data. They conduct security assessments, identify vulnerabilities, and implement security controls to protect the company's data and systems.
Human Resources (HR) and training departments are responsible for the overall management of a company's human resources, including recruiting and hiring employees, managing employee benefits and compensation, and providing training and development opportunities.
An Internal Auditor is a professional who ensures organizations and companies have accurate accounting throughout the year. They ensure that other accounting teams follow proper procedures and that all accounts are updated and accurate.
The legal team is responsible for providing legal advice and support to the organization.
Although Risk and Compliance are separate roles within the bank, for the purposes of the body of knowledge we will be considering them a single concern. However, it's worth understanding the difference:
A security expert is responsible for ensuring the security of an organization's information systems and data. They conduct security assessments, identify vulnerabilities, and implement security controls to protect the company's data and systems.