Due Diligence and Ongoing Monitoring

 View Only
  • 1.  Open Source Software relationships

    Posted 06-22-2022 09:02 AM
    Does anyone have any considerations around open source software relationships with vendors? 

    Should we create a new tier for these kind of relationships since there will more than likely be very little due diligence needed?

  • 2.  RE: Open Source Software relationships

    Posted 06-23-2022 09:18 AM
    Appropriate handling of Open Source is an ongoing discussion with my cyber, technology/development, and TPRM teams. 

    What level of tracking is relevant for TPRM? Is that relevance different for cyber (breach vulnerability), technology/development (support concerns) ?

    Should TPRM inventory include Open Source tools/utilities, Open Source solutions, Open Source components, use of Open Source in commercial software solutions (Nth party - is Nth party even possible), where do GitHub/GitLab fit in,  etc. ? 

    Interested in seeing other opinions on this topic.