Data Leakage Risk
Data leakage risk refers to the potential for sensitive or confidential information to be unintentionally or maliciously disclosed outside of an organization, leading to potential harm to the organization's reputation, finances, or legal standing.
A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen, altered or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, information leakage and data spill. - Data Breach, Wikipedia
In the past, many financial firms have prohibited the use of social media and sharing sites in order to mitigate the risk of data leakage. However, it is important to balance the risk of data leakage against the benefits of using these sites.
This raises the question of whether employees can use sites like GitHub, where uploading data is commonplace, while still having controls in place to mitigate data leakage.
Example: According to ZDNet, in 2019 hundreds of thousands of GitHub repos had leaked cryptographic keys.
Example: A notable code leak occurred in July 2020, when source code for several high-profile Nintendo video games and internal development tools was leaked online. This leak, dubbed the "Gigaleak," contained source code, prototypes, and assets for various popular games such as Super Mario Kart, The Legend of Zelda: A Link to the Past, and Super Mario World, among others.
Open source software is typically distributed under specific licensing terms and conditions that may affect how the software can be used, modified, and distributed. Compliance with these licensing requirements is essential to ensure that the organization does not infringe on the intellectual property rights of the software developers or violate the terms of the license.
Leakage of personal information has a knock-on effect on Reputational Risk and Legal Risk, as explored in the section below. As noted in the BOK activities addressing supply chain security, incorporating secure development into the Software Development Lifecycle is therefore also a compliance issue.
Risk Management Activities
Making The Case For Contribution
Organisational change can be very hard to achieve since organisations are naturally protective of themselves and the status quo. Setting up an OSPO and beginning an open source journey will seem like a risky and dangerous proposition for many parts of an organisation.
Open Source Contribution Training
It is generally preferable if an Open Source Contribution Policy can be enforced via tooling (so-called policy as code). However, policy will often refer to behaviours and expectations of staff which cannot be controlled through systems. In these cases, training courses will be needed to help promote the desired behaviours.
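One concrete form of policy as code is a pre-publication check that blocks a push when the working tree contains the kind of material behind the GitHub key-leak example above. The check below is an added illustration written for this page, not tooling from the BOK or any named project; its detection rules, the "leak-scan:allow" marker and the sample repository contents are all constructed assumptions.

```python
import re

# Detection rules for a pre-push / pre-publication check. These patterns are
# constructed for this example; production scanners ship far larger rule sets.
SECRET_PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|api[_-]?key)\s*[:=]\s*['\"][^'\"]{8,}['\"]"),
}
# Lines carrying this marker are deliberately public (e.g. documented example
# values in test fixtures) and are skipped. The marker name is an assumption.
ALLOW_MARKER = "leak-scan:allow"

def scan_text(path, text):
    """Return (path, line_number, rule_name) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, rule))
    return findings

def check_publication(files):
    """files maps repo path -> content. Returns (allowed, findings): the
    publication is blocked if any rule fires on a non-allowlisted line."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(path, content))
    return (not findings, findings)

# Constructed stand-in for the working tree of a repo about to be pushed.
SAMPLE_FILES = {
    "README.md": "# Payments service\nRun `make test` before opening a pull request.\n",
    "src/aws.py": 'import boto3\nAWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nclient = boto3.client("s3")\n',
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEA(constructed)\n-----END RSA PRIVATE KEY-----\n",
    "settings.py": "DEBUG = False\nDB_PASSWORD = 'hunter2hunter2'\n",
    "tests/fixtures.py": "SAMPLE_KEY = 'AKIAIOSFODNN7EXAMPLE'  # leak-scan:allow documented example\n",
}

if __name__ == "__main__":
    allowed, findings = check_publication(SAMPLE_FILES)
    for path, lineno, rule in findings:
        print(f"{path}:{lineno}: {rule}")
    print("publication allowed" if allowed else "publication blocked")
```

Wired into a pre-push hook or a CI gate, a non-empty findings list is the signal to stop the publication and route the affected lines to a human review rather than relying on staff training alone.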
This article looks at the best practices around surveillance (of communications) to enable open source contribution.
This article looks at the best practices around publication (of code) to enable open source contribution.