FINOS would like to develop a "map" of the components of a complete open source readiness program to give members a high-level view of what components they've implemented and which they need further work on. In this session, participants began to collaboratively brainstorm an outline of the major components of this map, starting from the overall outline below and focusing on the details of the planning and oversight process for designing an open source program.

• Planning and oversight of open source readiness process
  • Selecting stakeholders
    • Senior sponsor at CIO/CTO level w/understanding of open source–technical and business
    • Compliance
      • Risk & control
        • Policy producing function
        • Risk audit of new initiatives
        • Data leakage prevention
        • Electronic communications
      • Legal (IP)
      • Software license management & procurement
    • Engineering
      • SDLC–known end-user constraints & costs, existing processes and how they fit in to an open source process
      • Senior developers with experience with:
        • Firewall policy exception requests/change management policy
        • SDLC
        • Deployment
        • On-the-ground developer experience
      • Group architecture
        • New technology review & introduction
        • Design authority lead
      • Tooling
      • Networks & firewall
      • Security/CISO
  • Process design
    • Reference Open Source Policy
    • Example process
      • Choose pilot project & walk through/document exercise
      • Convene stakeholders to determine what's needed re: policy & process
        • Group audit
        • Group architecture
      • Put together counsel of necessary stakeholders
        • May be the same as OSRB or may just overlap
      • Establish charter/terms of reference for counsel
        • Questions to address
          • What are the risks to be addressed?
          • What decisions need to be made & by whom?
            • Document at each step
          • What must be put in place immediately or in the future re:
            • Risk & remediation
            • Contribution process design & controls
            • Ongoing responsibilities
          • What approvals are needed and who needs to be involved?
            • Business value
            • Maintenance of project
            • Risk & control
            • Legal
        • Elements:
          • Mission statement
          • Questionnaire for prospective contributors
          • Collaboration site
          • Rules of procedure for counsel
          • Open source software principles
  • Meeting frequency and structure
  • Best practices for ensuring progress
• Consumption of open source
  • Tracking
  • Licensing Policy
    • License Compliance Handbook
  • Artifact repositories
  • Audits of existing use
• Contribution to open source
  • Elements of request & review process
  • Internal guidance for participants
    • License Compliance Handbook
  • Interface between internal & external repositories
    • "Synchronator" workflow
  • Evaluating IP embodied in prospective contributions
• Publication of internal projects
  • Identifying candidates for open source
  • Self-hosting versus contribution to a Foundation
  • Clearance process
    • License Compliance Handbook
• Automated license and security scans
  • Selecting a vendor
  • When scanning is necessary
  • When and what degree of human intervention & review is required
• Training & Socialization
  • Promoting open source policy & opportunities
  • Training program
    • Online training materials
  • Documentation
  • Innersource