Electronic Communications Surveillance


Olds, Rhyddian

Feb 25, 2022, 10:09:34 AM
to phol...@github.com, o...@finos.org

Hi Open Source Readiness SIG, happy Friday.

Has there been any conversation about whether GitHub/GitLab/Slack can be integrated with an organisation’s electronic communications surveillance systems?  As you are all likely to know, electronic communications surveillance is a regulatory requirement for financial services organisations and allowing employees to raise issues, raise PRs, chat via Slack etc. unsurveilled is always going to be a big ask.  Even if it’s retrospectively by a batch feed, I wondered if there’s been any concrete conversations about it or whether these facilities already exist.

Regards,

Rhyddian

Tobie Langel

Feb 25, 2022, 11:31:11 AM
to Olds, Rhyddian, phol...@github.com, o...@finos.org
Thank you so much for asking this question.

I've always had a hard time getting clear answers as to what requirements of regulated industries impact open source contributions. This is the first time I'm actually presented with one.

Are there any easily understandable articles on how electronic communication surveillance requirements must be implemented in regulated industries?

My hunch is that key reasons there aren't good solutions to this issue is that the problem has never been articulated in a way that is actionable by the vendors you mentioned. So doing so by providing clear requirements would be very helpful.

Additionally, if there are good industry practices that help meet legal requirements in regulated industries, documenting them within FINOS (or in the Todo Group) would also be very useful (granted it's not presented as legal advice), as there isn't a lot of information on this topic that's readily available (here's one of the rare articles I can think of: https://todogroup.org/guides/casestudies/capitalone/).

Best,

--tobie

---
Tobie Langel
Principal, UnlockOpen


Olds, Rhyddian

Feb 25, 2022, 1:58:40 PM
to Tobie Langel, phol...@github.com, o...@finos.org

Hi Tobie.  I’m not sure there are “easily understandable” 😊 articles but every regulator has a description of the relevant requirement.  For instance the UK’s FCA has guidance in CMCOB 2.3 which you can find here: https://www.handbook.fca.org.uk/handbook/CMCOB/2/3.html

An addendum question: given open source contributions, issues, PRs are public, has there been any conversation or known documentation regarding the Github data retention policies?  Things like:

  1. Is everything kept “forever”
  2. If a project is archived, can it still be searched for contributions by a specific contributor?
  3. If you were to lookup a given Github account, would “archived” projects show in their activity history?
  4. If a project owner deletes an issue, is it “gone” gone, or still visible in some way?  I know the audit has a trail of who deletes an issue and when but are the issue contents still visible?

These questions might be unnerving to contributors outside of Financial Services but are the sorts of things that are likely to help ease concerns of the regulators.

Regards,

Rhyddian


Gabriele Columbro

Feb 25, 2022, 2:55:58 PM
to Olds, Rhyddian, Underwood, Robert F, VM Brasseur (CTO), Smulovics, Peter, Tobie Langel, phol...@github.com, o...@finos.org
Great convo - thanks for getting it started.

This topic has come up several times in the past, particularly for Github (but it would be great to make an actual concrete discussion topic at the SIG). I think the two relevant approaches to address this issue I have heard in this Community are:
  • Some firms mandate their employees to have their corporate address associated in their Github account, at least as a secondary email address. Not the whole story by any means, but at least it means that every notification is sent to the corporate email address for retention (after the fact) purposes. 
  • Some firms have more advanced proxying/filtering systems - I wonder if +Underwood, Robert F has any experience to share here.
  • As I am sure you know, Citi has open sourced Git Proxy into FINOS - that was our initial attempt to provide an open source (git specific) tool to address some of these requirements - I would love to see this group have a concrete discussion if that tool can be enhanced/completed to address SIG agreed requirements
Finally, between this discussion and the broader one on regulators + open source licenses, I wonder if something along the lines of "identify outstanding open source regulatory requirements and create / improve open source projects to address them" should be a work stream in the SIG roadmap (to be discussed next week /cc @VM Brasseur (CTO) @Smulovics, Peter).

Thanks,

Gab

--

Gabriele Columbro | Executive Director | FINOS

Sultan Meghji

Feb 25, 2022, 3:12:59 PM
to Gabriele Columbro, Olds, Rhyddian, Smulovics, Peter, Tobie Langel, Underwood, Robert F, VM Brasseur (CTO), o...@finos.org, phol...@github.com
Thanks for including me on this, and in my new private sector role of ‘unemployed’, I look forward to contributing more!
--


Sultan Meghji
calendly.com/sultanmeghji
+17737042377
@sultanmeghji