Create an effective governance policy for open source software



Form a governance committee

OSS governance is best addressed by a cross-functional team with clear responsibility for defining the OSS governance policy and the processes that ensure compliance with it.

Committee members should represent a range of relevant organizational areas. Governance is not any one individual's full-time job, and the different aspects of governance do not all reside in one area of the organization. The committee should therefore include representatives from as many relevant parts of the organization as possible.

Committees often start with a core group of leaders from software engineering or enterprise architecture, combined with other stakeholders from IT operations, security and risk, finance, legal and compliance, to name a few.

Stakeholder groups do not need a seat on the committee in order to contribute. The committee should, however, define and document the level of participation expected of both committee members and non-member stakeholders. A RACI chart is one way to categorize involvement:

  • Responsible: Does the work and owns delivery on a specific policy issue.
  • Accountable: Has final authority over, and answers for, the definition of and compliance with a specific issue (one person per issue).
  • Consulted: Provides feedback and information on a specific issue before decisions are made.
  • Informed: Is kept up to date on decisions related to a specific issue.

Because of its cross-functional nature, the committee is accountable to the executives responsible for company policy, although it may report directly to senior legal counsel, the Chief Information Security Officer (CISO) or the CIO, depending on the organizational structure.

Develop a governance policy

Effective policies define what is allowed and who has the authority to decide on the use of OSS. The policy also documents the processes and procedures required for compliance, as well as the consequences of non-compliance. Policies gain greater buy-in when they are explicitly linked to the organization's stated goals for OSS adoption, its risk tolerance, its decision-making criteria, and the rationale for any constraints it imposes.

From this foundation, the policy addresses three different levels of OSS engagement:

  • Consumption. What types of OSS technologies can be used? Are there different rules for different licensing models, for products versus libraries, or for OSS bundled into other products? Who approves the use? Under what constraints? Etc.
  • Contribution. Are developers allowed to contribute to an OSS project? If so, do they contribute as company representatives or as individuals? Can they do this on company time, and if so, how much? Etc.
  • Creation. Does the organization want to open source its own software? Can a developer start an open source project? Who can approve an open source project? Who is responsible for an open source project once it is released? Etc.

Define the conditions for compliance with policies

For many organizations, forming a committee and developing a governance policy is relatively straightforward. The real benefit of a governance policy, however, lies in its adoption and in compliance with it. This requires that committee leaders:

  • Socialize the OSS governance policy. Share the governance policy with all employees who interact with OSS technology. Use existing organizational systems and processes to disseminate the policy and solicit feedback on it. Use a variety of media to inform employees of the policy and its compliance expectations: town hall-style meetings and question-and-answer sessions, as well as learning materials and certification tests. The committee should publish all documents in an accessible location and have a process for updating or extending the documentation when the policy changes.
  • Implement compliance processes. Design the processes the policy requires so that they are simple, clear and efficient to execute at scale. Without effective process design, those requesting authorization will bypass the process and the committee members responsible for approvals will get bogged down in details, rendering the policy ineffective.
  • Automate processes. Use automation tools to make the process both easy to follow and difficult to bypass. The OSS governance committee can, for example, develop a workflow application that lets product teams submit OSS requests easily. It can also integrate automation into the DevOps toolchain to prevent developers from including untrusted OSS code and libraries in their products, for example by mandating the use of software composition analysis (SCA) tools and failing the build on policy violations.
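The following is an added example (written for this edit; it is not code from the article, from CDOTrends or from Gartner) of the kind of policy-as-code gate that the last point describes: a small check that runs in the build pipeline after an SCA tool has produced a software bill of materials, and that compares each component against tables the governance committee owns. The SBOM is a constructed CycloneDX-style JSON fragment, and the package names, license tables, exception record and ticket identifier are all assumed values chosen for illustration. The gate fails closed: components with no declared license, or with a license expression it cannot map to a policy entry, are blocked rather than waved through, which is what makes the control hard to bypass. Committee exceptions are keyed by exact name and version so that an upgrade re-triggers review instead of inheriting the approval.

```python
"""Policy-as-code gate over an SBOM (illustrative example; all policy values are assumed)."""
import json

# Constructed CycloneDX-style SBOM fragment used as sample input (not a real project).
SAMPLE_SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "fastjsonish", "version": "1.2.0",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "copyleft-core", "version": "3.0.1",
     "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"type": "library", "name": "weak-copyleft-util", "version": "0.9.0",
     "licenses": [{"license": {"id": "LGPL-3.0-only"}}]},
    {"type": "library", "name": "mystery-lib", "version": "4.4.4"},
    {"type": "library", "name": "approved-gpl-lib", "version": "2.4.0",
     "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
    {"type": "library", "name": "banned-lib", "version": "1.0.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ]
}
"""

# Hypothetical policy tables that the governance committee would maintain (assumed values).
POLICY = {
    # Licenses approved for consumption without further review.
    "allowed_licenses": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"},
    # Licenses that are permitted only after a committee review of how the library is used.
    "review_licenses": {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0"},
    # Packages the committee has explicitly forbidden regardless of license.
    "denied_packages": {"banned-lib"},
    # Committee-approved exceptions keyed by (name, version); the value is the approval record.
    "exceptions": {("approved-gpl-lib", "2.4.0"): "OSS-REQ-0042"},
}


def component_licenses(component):
    """Return the license identifiers declared for a component (empty if none).

    A compound SPDX expression (e.g. "MIT OR GPL-3.0-only") is returned as-is; it will not
    match any single policy entry and therefore fails closed into the block list.
    """
    ids = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            ids.append(entry["expression"])
        elif "id" in entry.get("license", {}):
            ids.append(entry["license"]["id"])
    return ids


def evaluate_sbom(sbom_text, policy=POLICY):
    """Classify every component as 'block', 'review' or 'allow' with a reason."""
    sbom = json.loads(sbom_text)
    verdicts = {"block": [], "review": [], "allow": []}
    permitted = policy["allowed_licenses"] | policy["review_licenses"]
    for comp in sbom.get("components", []):
        key = (comp.get("name"), comp.get("version"))
        label = f"{key[0]}@{key[1]}"
        if key[0] in policy["denied_packages"]:
            verdicts["block"].append((label, "package on deny list"))
            continue
        if key in policy["exceptions"]:
            verdicts["allow"].append((label, f"exception {policy['exceptions'][key]}"))
            continue
        ids = component_licenses(comp)
        if not ids:
            verdicts["block"].append((label, "no license declared"))
        elif all(i in policy["allowed_licenses"] for i in ids):
            verdicts["allow"].append((label, "license allowed"))
        elif all(i in permitted for i in ids):
            verdicts["review"].append((label, "license requires committee review"))
        else:
            verdicts["block"].append((label, "license not permitted by policy"))
    return verdicts


def gate_passes(verdicts):
    """The build may proceed only when nothing is blocked; 'review' items are reported, not fatal."""
    return not verdicts["block"]


if __name__ == "__main__":
    result = evaluate_sbom(SAMPLE_SBOM_JSON)
    for status in ("block", "review", "allow"):
        for label, reason in result[status]:
            print(f"{status.upper():6} {label}: {reason}")
    raise SystemExit(0 if gate_passes(result) else 1)
```

Run against the sample SBOM the gate blocks three components (the deny-listed package, the undeclared-license package and the GPL-3.0-only library), sends the LGPL library to review and allows the MIT library plus the library covered by the exception record, so the build fails. Wiring the same check into the pipeline after the SCA step, with the policy tables under the committee's change control, is what turns the written policy into a control that is routinely applied rather than routinely skipped.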

The original article by Anne Thomas, senior vice president analyst at Gartner, is here.

The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends. Image credit: iStockphoto / Blue Planet Studio


