Understanding IT Governance

FOSSBazaar is no longer being updated. The information on this site is preserved for your convenience but may be out of date. Please visit the Linux Foundation's Open Compliance Program for current information and activities.

Hewlett-Packard's picture

IT governance can be defined as a set of processes to effectively manage all IT assets, functions, and processes which support business goals and the fusion of business and IT. An enforceable program of IT governance is the key to gaining more value from open source and protecting the interests of your organization.

It is important to understand the context in which FOSS governance fits into your organization's overall IT governance system. Understanding and targeting open source issues within your organization is the first of many steps in developing and implementing a FOSS governance system. It is crucial to have a full understanding of the impact that using open source has in your organization. The following section identifies the areas within an organization's IT governance structure that are likely to be impacted by the use of FOSS.

Starting a FOSS Governance Program

The ways in which your organization responds to FOSS governance depend on the nature of the business. As you move forward into the challenges and opportunities associated with using FOSS, it is important to consider the areas impacted by IT governance in order to determine the interactions with open source governance. The objective is to identify ways to implement or improve an existing FOSS governance program that is suitable for your organization.

Scope of FOSS Governance

FOSS use within an organization can range from simple deployment to more complex applications in development projects. Keeping in mind the intended use of FOSS throughout an organization, it is important to determine which areas of the organization are impacted and to what extent. To properly address FOSS issues and assess the needs of impacted areas, it helps to identify the impact areas and address certain questions.

Examples of Impacted Areas

The following list provides examples of areas that could potentially be impacted by the use of FOSS and questions that can be used to help assess the needs of these areas:

Project/Program Methodology
  • What criteria are used to review the use of FOSS in development processes?

  • What methods are used to assess product quality versus deployment and development quality?

  • What program complexities are incurred with each incremental inclusion of additional FOSS technologies?

Human Capital
  • What should an organization’s policy be governing employee participation on FOSS projects?

  • Where do open source participation and use tie into an individual’s performance plan?

  • When an employee participates in FOSS development, what are the guidelines separating personal versus organizational contribution?

IT Infrastructure
  • How do FOSS deployment, distribution, and management processes change within the existing IT infrastructure management?

IT Procurement
  • What changes to the procurement processes are needed to capitalize on FOSS?

  • How does procurement ensure that a supplier’s products are not in violation of FOSS licenses?

IT Outsourcing
  • What are the implications with regard to FOSS if the organization wants to outsource work?

  • How can an organization mitigate the attendant risks?

  • When FOSS development is outsourced, what policies need to be in place with the outsource company defining the use of FOSS? Can the outsource company use FOSS for their organization or other customers?

  • What licenses are acceptable in outsourcing? If FOSS is used, then what obligations does the outsourcing company have in keeping the code confidential?

Software Development Life Cycle
  • What modifications are needed for the Software Development Life Cycle (SDLC) to leverage FOSS? For example, if an organization buys a product from a supplier, the organization typically monitors the viability of the vendor.

  • How does the organization monitor the viability of the open source community or product itself?

IT Portfolio Management
  • What changes are necessary to the criteria used for managing the IT portfolio, especially the technical fit, to properly compare FOSS solutions with vendor-supplied or in-house development?