CISSP · Question #968
A retail company is looking to start a development project that will utilize open source components in its code for the first time. The development team has already acquired several open source compon
The correct answer is C. Establish an open-source compliance policy.. Before operationalizing open-source software use, an organization must establish a formal compliance policy to govern how open-source components are selected, approved, and managed. This foundational step precedes all other specific controls.
Question
A retail company is looking to start a development project that will utilize open source components in its code for the first time. The development team has already acquired several open source components and utilized them in proof of concept (POC) code. The team recognizes that the legal and operational risks are outweighed by the benefits of open-source software use. What MUST the organization do next?
Options
- AMandate that all open-source components be approved by the Information Security Manager
- BScan all open-source components for security vulnerabilities.
- CEstablish an open-source compliance policy.
- DRequire commercial support for all open-source components.
How the community answered
(19 responses)- A5% (1)
- B16% (3)
- C74% (14)
- D5% (1)
Why each option
Before operationalizing open-source software use, an organization must establish a formal compliance policy to govern how open-source components are selected, approved, and managed. This foundational step precedes all other specific controls.
Mandating approval by the Information Security Manager is a procedural control that should be defined within an open-source compliance policy, not a standalone first step taken before governance is established.
Scanning open-source components for vulnerabilities is an important security practice, but it is a tactical activity that should be required and governed by an overarching compliance policy rather than implemented ad hoc before any policy exists.
An open-source compliance policy is the foundational governance document that defines rules for selecting, approving, licensing, and managing open-source components across the organization. Without this policy, ad-hoc decisions lack consistency, legal license obligations (e.g., GPL, MIT, Apache) may be violated, and there is no framework under which security scanning, approval workflows, or support requirements can be enforced. Establishing the policy is the logical prerequisite that enables and structures all subsequent operational controls.
Requiring commercial support for all open-source components is one possible policy decision an organization might make, but it is an overly restrictive and costly measure that is not universally required and would itself need to be specified within a compliance policy framework.
Concept tested: Open-source software governance and compliance policy establishment
Source: https://www.linuxfoundation.org/resources/open-source-guides/using-open-source-code/
Topics
Community Discussion
No community discussion yet for this question.