You are the CISO working for a direct bank based in Taiwan that relies entirely on internet banking. You are reviewing applicable legal and regulatory requirements for compliance. Which of the following will concern you most?
A. Procurement staff issued a contract without minimum security requirements
B. The development team used an open-source component with an unknown source
C. Policies are published after a new law or regulation as a reactive response
D. Personal data is open for the data subject to update

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is B. The development team used an open-source component with an unknown source.

Laws and regulations, contracts, industry standards, policies, due care/due diligence, Ethics are sources of compliance requirements. This question is asking about legal and regulatory requirements.

An open-source component with an unknown source is a legal and regulatory concern of intellectual property. There are a variety of open-source licenses, such as GNU General Public License (GPL), the Apache License, Berkeley Software Distribution (BSD), MIT License, and so forth. “Unknown source” implies the license is not reviewed. Using a component with an unknown source might violate intellectual property law.

Personal data open for the data subject to update may be related to privacy laws, GDPR for example. However, it is compliant with privacy principles, instead of a concern.

Contract or policy issues may be related to laws and regulations but not directly related.

It’s also a good practice to publish policies after a new law or regulation is in effect so that the organization can be compliant with it.