| HN Mirror

Agree with this but I would also ask the auditor to be very specific about the risk that she believes your organisation is exposed to. If its a specific concern about the suitability/support of certain tools in use in your infrastructure, you can respond to/address those. In particular, I would make sure that the risk is clear about the impact it could have if an OSS project was discontinued (as the parent refers to): its unlikely to have an immediate impact as, by definition, you have a working instance of the tool and the source code so nothing stops working. In many ways this is comparable to the sort of escrow clauses that auditors sometimes look for in commercial support arrangements and which are often deemed acceptable mitigation for commercial products. She should also be clear about likelihood. In my experience (I've been an auditor for c18 years), it can be the case that auditors think about the doomsday scenario - e.g. ALL of the OSS projects you use close down - rather than the more likely scenario that one or maybe two go dark. Again, if she can articulate the specific risk it may be possible for you to respond to real likelihood of a key tool's project stopping (which would parent's approach already covered but which can be prioritised according to risk).

If however its a more general/vague concern about OSS support then you'll have a hard time dealing with it and acceptance may be the appropriate route.