Centre for Development of Advanced Computing Chennai, 03/1/12
Open Source Compliance Program
Vidhyalakshmi A, CDAC Chennai


Overview
OSS policy / policy formation
Adaptation of business process
Supply chain responsibilities
Review and approval of OSS use
Verification steps and process adherence audit
OSS inventory and record keeping (OSS repository)
Code distribution mechanism
Staffing and training
Organizing the compliance function

OSS Policy
Insists on the use of OSS in the business environment.
An organizational policy enables the company to incorporate and use OSS in its products.
The policy is signed by a senior executive and communicated to the entire workforce.

OSS Policy
The policy addresses:
Roles and responsibilities for compliance actions.
The review and approval process for use of OSS.
Guidelines for contributions to community projects.
Core processes.
The management team endorses the policy.

Adaptation of business process
Fitting OSS compliance within the context of existing business processes.
Existing business processes are modified to include OSS compliance activities.
The supply chain's supplier selection procedures are tailored accordingly.

Adaptation of business process
Process management ensures that OSS compliance activities take place early in the product development cycle.
Late-cycle verification steps are used before external distribution occurs.
Training in OSS compliance.

Adaptation of business process
How and where are open source compliance activities injected into existing business processes?
Product planning and product authorization
Project planning and scheduling
Architectural design review
Documentation
Verification
Release readiness review
Treat compliance as one more type of project activity to be routinely planned and executed.

Supply chain responsibilities
Companies update their supply chain procedures (deal flow process).
Third party software providers disclose FOSS along with a statement on FOSS license obligations.
The company's supply chain personnel must ensure that the FOSS license obligations are met.

Supply chain responsibilities
The supplier informs the FOSS community.
Agreements relating to outsourced development of software.
Supply chain personnel mandate disclosure of all source code and ensure license obligations are met.

Reviews
Two important reviews: the architecture review and the linkage analysis review.
The goal of the architecture review is to identify:
Components that are FOSS (used "as is" or modified)
Components that are proprietary
Components that are third party, licensed under a commercial license
Component dependencies
Communication protocols
Dynamic versus static linking

Reviews contd...
Components that live in kernel space versus user space
Components that use shared header files
Other FOSS software components with different FOSS licenses
The result of the architecture review is an analysis of the licensing obligations that may extend from the FOSS components to the proprietary or third party components.
The linkage analysis review finds potentially problematic code combinations at the static and dynamic link level. Its goal is to determine whether any FOSS obligations extend to proprietary or third party software components.
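The architecture review and linkage analysis review described above, as an added worked example that is not part of the CDAC slides: a small Python pass over a constructed component graph that classifies components the way the architecture review does and flags link-level combinations for obligation analysis. The EXTENDS policy table, the link types and every component name and license are assumptions, a simplified review heuristic and not a legal determination for any license.

```python
from dataclasses import dataclass, field

@dataclass
class Component:
    name: str
    kind: str               # "foss", "proprietary" or "third_party"
    license: str            # SPDX-style identifier, or "Commercial"/"Proprietary"
    space: str = "user"     # "user" or "kernel"
    modified: bool = False  # FOSS used "as is" (False) or modified (True)
    deps: list = field(default_factory=list)  # (dependency name, link type)

# Assumed review policy: (FOSS license, link type) pairs flagged as
# potentially extending obligations to the depending component.
# Link types: "static", "dynamic", or "ipc" (a protocol, no linking).
EXTENDS = {("GPL-2.0", "static"), ("GPL-2.0", "dynamic"), ("LGPL-2.1", "static")}

def linkage_review(components):
    """Return (component, dependency, link, license) tuples that need
    obligation analysis; kernel-space proprietary code is flagged too."""
    by_name = {c.name: c for c in components}
    findings = []
    for comp in components:
        if comp.kind == "foss":
            continue  # FOSS-to-FOSS combinations are reviewed under their own licenses
        if comp.space == "kernel":
            findings.append((comp.name, None, "kernel-space", comp.license))
        for dep_name, link in comp.deps:
            dep = by_name[dep_name]
            if dep.kind == "foss" and (dep.license, link) in EXTENDS:
                findings.append((comp.name, dep.name, link, dep.license))
    return findings

def architecture_summary(components):
    """Bucket components the way the architecture review classifies them."""
    buckets = {"foss_as_is": [], "foss_modified": [], "proprietary": [], "third_party": []}
    for c in components:
        if c.kind == "foss":
            buckets["foss_modified" if c.modified else "foss_as_is"].append(c.name)
        else:
            buckets[c.kind].append(c.name)
    return buckets

# Constructed product graph: names and licenses are illustrative only.
PRODUCT = [
    Component("fastparse", "foss", "MIT"),
    Component("gplcodec", "foss", "GPL-2.0", modified=True),
    Component("lgplui", "foss", "LGPL-2.1"),
    Component("khelper", "foss", "GPL-2.0", space="kernel"),
    Component("coreapp", "proprietary", "Proprietary",
              deps=[("fastparse", "static"), ("gplcodec", "dynamic"), ("lgplui", "dynamic")]),
    Component("vendorsdk", "third_party", "Commercial",
              deps=[("lgplui", "static"), ("gplcodec", "ipc")]),
    Component("netdriver", "proprietary", "Proprietary", space="kernel",
              deps=[("khelper", "static")]),
]
```

Running `linkage_review(PRODUCT)` yields four findings (coreapp's dynamic link to gplcodec, vendorsdk's static link to lgplui, and netdriver both for living in kernel space and for statically linking khelper) while the IPC use of gplcodec and the dynamic LGPL link are left alone.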

Review of Supplier FOSS Disclosures
A FOSS disclosure contains:
A list of the FOSS packages used, including names, version numbers, and URLs of the original download sites.
Applicable license(s), license version(s), and URLs for the license text.
The change log for any modifications.
Dependencies and linkages (if any) between each FOSS component and other FOSS or proprietary software components.
The FOSS compliance team might perform the following review steps for each FOSS package in the disclosure:
Visit the homepage of the disclosed FOSS package to confirm the licensing information.
Download the FOSS software, unpack it, and examine its contents.
Look for files such as README, COPYING, LICENSES, AUTHORS, etc.

Review of Supplier FOSS Disclosures
Examine the license text with the assistance of the company's law department.
Examine GPL, LGPL, or other copyright-licensed software.
Engage the supplier in discussion.
Due diligence in regard to the supplier's FOSS compliance:
How does the company know that its suppliers' disclosures are complete and accurate?
Should the company rely on its suppliers' disclosures?

Review of the Supplier's Compliance
Review the code:
The company can ask a supplier to provide source code for its entire deliverable.
The company can ask a supplier to scan its own code using an automated tool and provide a scan report on the identified FOSS and its licensing.
Review the supplier's compliance process:
The company should assess the supplier's practices in a disciplined manner.
The Open Compliance Self-Assessment Checklist is ideal for appraising compliance programs.

Approvals
As part of the approval step in the compliance process, there are two main recommended practices:
Verifying that all sub-tasks related to the compliance ticket have been completed and closed before approving the compliance ticket.
Recording a summary of the discussions that led to the approval or denial decision.

Verification steps
The verification steps are taken by the OSS compliance team to confirm that OSS obligations have been properly met.
The compliance team performs verification activities according to a defined procedure.
The compliance team verifies that the source code license obligations have been met by the time a product is considered ready for release.
The compliance team verifies that copyright notices, license text and any modification logs have been included accurately.
The compliance team verifies that OSRB approval has been obtained for all OSS packages in the release.
The compliance team verifies third party suppliers' obligation issues.
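The disclosure review steps, the closed-sub-tasks rule under Approvals and the verification steps above, combined into one added example that is not part of the slides: a Python check over a constructed supplier disclosure, the file lists of the unpacked packages and the OSRB tickets, reporting every package that would block release. The disclosure field names, the license and notice file-name patterns and the ticket structure are assumptions chosen to match the review steps.

```python
import re

REQUIRED_FIELDS = ("name", "version", "url", "license", "license_url")
# Files the disclosure review looks for after unpacking a package.
LICENSE_FILES = re.compile(r"^(COPYING|LICEN[CS]ES?)(\..*)?$", re.IGNORECASE)
NOTICE_FILES = re.compile(r"^(README|AUTHORS|NOTICE)(\..*)?$", re.IGNORECASE)

def verify_release(disclosure, package_files, tickets):
    """Return (package, issue) pairs; an empty list means every package
    passes the verification steps modelled here."""
    issues = []
    for entry in disclosure:
        name = entry.get("name", "<unnamed>")
        files = package_files.get(name, [])
        # 1. Disclosure completeness: name, version, URL, license, license URL.
        for fld in REQUIRED_FIELDS:
            if not entry.get(fld):
                issues.append((name, f"disclosure missing '{fld}'"))
        # 2. Modified packages must carry a change log.
        if entry.get("modified") and not entry.get("changelog"):
            issues.append((name, "modified package has no change log"))
        # 3. License text and notices must be present in the unpacked package.
        if not any(LICENSE_FILES.match(f) for f in files):
            issues.append((name, "no COPYING/LICENSE file in package"))
        if not any(NOTICE_FILES.match(f) for f in files):
            issues.append((name, "no README/AUTHORS/NOTICE file in package"))
        # 4. OSRB approval on record, with every sub-task closed first.
        ticket = tickets.get(name)
        if ticket is None or ticket["status"] != "approved":
            issues.append((name, "no OSRB approval on record"))
        elif any(t["status"] != "closed" for t in ticket["subtasks"]):
            issues.append((name, "OSRB ticket approved with open sub-tasks"))
    return issues

# Constructed sample data: package names, versions and URLs are illustrative.
DISCLOSURE = [
    {"name": "fastparse", "version": "1.4.2", "url": "https://example.invalid/fastparse",
     "license": "MIT", "license_url": "https://example.invalid/fastparse/LICENSE"},
    {"name": "gplcodec", "version": "0.9", "url": "https://example.invalid/gplcodec",
     "license": "GPL-2.0", "license_url": "", "modified": True},
]
PACKAGE_FILES = {
    "fastparse": ["README.md", "LICENSE", "src/parse.c"],
    "gplcodec": ["README", "src/codec.c"],
}
TICKETS = {
    "fastparse": {"status": "approved",
                  "subtasks": [{"name": "legal review", "status": "closed"}]},
    "gplcodec": {"status": "approved",
                 "subtasks": [{"name": "attribution notice", "status": "open"}]},
}

if __name__ == "__main__":
    for pkg, issue in verify_release(DISCLOSURE, PACKAGE_FILES, TICKETS):
        print(f"{pkg}: {issue}")
```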

Process adherence audit
Process adherence audits are used to determine whether the organization follows its defined compliance process.
Audits assess the extent to which execution of the compliance process produces the expected compliance results.
An audit determines whether the organization maintains accurate records about the OSS contents of its products and of the compliance activities it performs.

OSS Inventory and Recordkeeping
The organization needs to maintain accurate records of OSS content and OSS compliance activities.
The organization tracks the progress of compliance activities for a product being readied for release.
The organization tracks progress of the OSS discovery process and of scans and audits on the product's code.
The organization systematically tracks closure of OSS issues identified during the discovery process.
The organization tracks progress of the review and approval process for OSS cases.
The organization tracks progress of obligation satisfaction for a product being readied for release.

OSS Inventory and Recordkeeping
The organization maintains complete and accurate records about the OSS content in its products.
A defined format is used to record information about the OSS included.
The OSRB maintains accurate records about its reviews and review outcomes, including any limitations or conditions on approval that might necessitate a different outcome in another context.
The organization uses past records of OSS review and approval as an aid when reviewing new OSS cases for approval.

OSS Inventory and Recordkeeping
Policy Document
Project Management Plan
Estimation Sheet
Open Source Compliance Practices in Organizational Business Process
Process Improvement Log
Process Improvement Track Sheet
Metric Sheet
FMEA
Audit Logs
OSRB Documents
Source code scan report
Review and approvals

Code distribution mechanism
As part of the process to satisfy source code obligations, the company should place the complete source code and all FOSS packages into a software repository.
Verification activities should assure that the source code and all FOSS packages in the product have been approved by the OSRB.
The company should also define a code distribution mechanism that satisfies the requirements of the particular FOSS licenses.

Staffing
Skilled individuals are made available to contribute to the compliance effort:
To perform compliance functions.
To prepare and address estimates of total compliance effort and duration against the organization's compliance requirements.
To track and record the compliance activities.

Training
Training addresses the communications needed to assure that the entire company understands what must be done to achieve OSS compliance.
The organization maintains a definition of who must take training.
Training records are maintained.
i) Training objectives are set.
ii) Follow-up actions are taken to assure planned training is completed.
OSS training is integrated into the organization's training curriculum and made a part of organizational and personal objectives.
OSS training is provided as part of new hire orientation.
Refresher training on OSS compliance is provided periodically.

Organizing compliance function

Organizing Compliance Function
There are two teams involved in achieving compliance: the core team and the extended team.
The core team:
The Open Source Review Board (OSRB)
Legal counsels
The compliance officer
The OSRB is responsible for:
Ensuring compliance with both third party software and FOSS licensing obligations.
Facilitating effective usage of FOSS in commercial products within the company.
Ensuring that FOSS license obligations do not extend to proprietary software or third party software.

FOSS Compliance - Where to start...

OSRB Participants
Legal representative:
Review and approve usage, modification, and distribution of FOSS
Provide legal guidance
Contribute to creation of the FOSS training
Contribute to creation and improvement of the compliance program
Review and approve content of web portals in relation to compliance
Review and approve the list of obligations to fulfill for each software component included in a product
Sign off on product release from a compliance perspective

Members of Extended Team
Open Source Executive Committee (OSEC):
Set up the FOSS strategy.
Review and approve licensing proprietary source code under a FOSS license.
Documentation:
Ensuring the written offer to provide source code.
Appropriate notices (copyrights and attributions) in the product documentation.
Localization:
Translate the FOSS licenses and notices. The industry practice is to keep FOSS licenses in their native language.

Members of Extended Team
Supply chain:
Disclose FOSS with a statement on FOSS license obligations.
IT support and maintenance:
The tools and automation infrastructure used by the compliance program.
Requests from the OSRB to develop tools.
Corporate development:
Company policies that mandate that source code be evaluated from a compliance perspective.

Thank You