There are four key steps to developing an open source management policy:
- Identify key stakeholders
- Obtain an organizational commitment
- Draft the policy
- Review and approve the policy
Step 1: Identify key stakeholders
Identifying and including important stakeholders should be first on your list. These functional responsibilities may include software architects, software developers and engineers, quality assurance and release management personnel, the legal team and product and business managers. In addition, organizations with sensitive data or which may be using open source in products that transact sensitive client or customer data should include someone from the CISO’s office or other security stakeholders responsible for software entering the organization and being released from the organization.
Step 2: Obtain an organizational commitment
This is the most important success factor! Securing a commitment from stakeholders to contribute the time and effort to the policy and sharing an understanding of the policy’s importance can make or break your efforts. Experience shows that policy development teams are most effective when they work from a clearly articulated statement of the company’s OSS strategy, including statements of the benefits the company wishes to realize and the risks the company wishes to manage.
An effective way to solidify this commitment is collecting and disseminating information about your organization’s use and plans for OSS. Share documents that include:
- Existing OSS policies and processes
- Comprehensive lists of OSS currently used within the organization
- Existing license compliance requirements and procedures
- Any security issues associated with any of the OSS currently used
- All agreements and business relationships related to OSS
- New and future initiatives that may involve OSS
Step 3: Draft the policy
Policies are typically developed in a series of meetings of the relevant stakeholders. This is where the trade-offs inherent in any policy must be discussed and resolved, and include:
- Controlling risk vs. development productivity
- Creating broad, simple rules vs. specific, more complex rules
- Self-checking vs. independent checking
- Using judgment calls vs. detailed prescriptions
To speed this process, you may wish to consider using a facilitator with extensive OSS policy development experience.
We recommend that open source policies include the following eight elements:
Program administration and management
Determining responsibilities for the policy itself and overseeing the program’s management. Consider assigning tasks to individuals or creating an Open Source Management Board.
Discovery, acquisition and evaluation
Efficiently finding and properly evaluating new software packages helps avoid future problems and risks. As such, OSS policies typically recommend certain sources of code (including the code already in-house) and establish evaluation criteria for use throughout the organization. Such policies should further evaluate the need for and deployment of automated OSS component tracking tools in order to fully identify all components that an organization is using. Simply relying on engineers to report what OSS they are using and where typically does not tell the full story, as OSS enters an organization via a number of avenues and hence much may go undetected and untracked.
Review and approval
This policy specifies how an OSS component evaluation is reviewed and who may approve it for specified use. Typically, policies establish an OSS Review Board consisting of key stakeholders who can inform decisions, although sometimes a simpler approval cycle can be established for already approved components and reuse needs.
Embedded OSS is subject to the same license compliance requirements, security risks and potential operational risks as downloaded OSS. OSS policies should require suppliers to report each OSS element embedded in their deliverables, any modifications and known security risks in addition to any license and compliance terms.
Code and documentation management
Policies should specify that original source code, build files, documentation and license declaration for each OSS component must be archived and all internal modifications must be tracked. Most organizations require that OSS archives are kept up-to-date with internal bug fixes and enhancements. In addition, you should also require tracking in order to generate reports identifying all uses of OSS components.
Identify a responsible party for continuously tracking security vulnerabilities and bugs, notifying users of updates and applying fixes as necessary.
Ensuring compliance with relevant OSS licenses is a critical element of OSS management. We recommend auditing each release to verify that no undocumented or misdocumented OSS is included and that all compliance requirements are met.
For OSS acquired from communities, often the source of support is through community participation. OSS policies should specify the kinds of community participation permitted (or required) and the standards and controls for these activities — whether your company mandates no community participation or active participation, or some level between, articulating these expectations is key.
Step 4: Review and approve the policy
Circulate the policy among stakeholders for review and approval. Most organizations are able to develop a final policy document after two or three revisions.
And remember: no policy remains unchanged — most companies will go through several rapid revisions as they gain experience during implementation, and after that, it’s useful to periodically review and fine-tune the policy.
(Revised from a 2012 post.)