How to Create an OSS Policy: 11 Best Practices

11 Tips for Creating an OSS Policy

Get Management Buy-InGet Management Buy-In

Development teams usually have an in-depth understanding of OSS benefits, but management may not, so tell them about the efficiencies and advantages OSS affords your business.

Identify Key ShareholdersIdentify Key Shareholders

Gather a team with cross-functional responsibilities: software architects, developers and engineers, QA and release managers, legal counsel, product and business managers, and security pros.

Understand Your Product Development ProcessUnderstand Your Product Development Process

How is your organization using OSS? It may be crucial for your legal and business teams to understand your product development process so you don’t create an OSS policy that stalls or hinders your development cycle or product innovation.

Evaluate Open-Source UseEvaluate Open-Source Use

Open source can be used to build your product, but it might not be distributed with it. Internal or external use can have different license implications. Whenever you use, consume or contribute to open source, stay compliant and protect your intellectual property from exposure.

Audit Your CodeAudit Your Code

During your evaluation process, engage a third-party service to perform a code audit to help uncover the open-source code you use throughout your organization. As part of an OSS governance program, catalog and monitor what arrives from open-source and third-party suppliers.

Draft a PolicyDraft a Policy

After all key stakeholders have assessed your company’s use of OSS, draft a formal policy. If you have multiple divisions, it’s not necessary to have the same policy across each line of business.

Review Policy With StakeholdersReview Policy With Stakeholders

Circulate the policy among stakeholders for review and approval. Make sure your OSS policy works for development processes and aligns with your business goals.

Implement It Across Your EnterpriseImplement It Across Your Enterprise

For your policy to be implemented successfully, train people in OSS. Address what it is, what it isn’t, and how it will work in your company. Create clear documentation and communicate with engineering and other key groups to make sure they understand how the policy works.

Build in a Feedback LoopBuild in a Feedback Loop

During the implementation process, obtain feedback from the key players you’re training. “The best way to kill an open-source compliance program is to document something that is not in line with how people are actually working,” cautions Harmon’s Alyssa Harvey Dawson.

Regularly Review and Update PolicyRegularly Review and Update Policy

Your OSS policy must align with your company’s business goals. As your policy becomes integrated and changes occur in your organization, collect feedback and adapt the policy to ensure that it consistently works with your development processes.


By following these steps, you can build an effective OSS policy that ensures compliance and mitigates operational risk. It will also enable product development teams to successfully produce and distribute innovative products that keep your customers happy.

Karen A. Frenkel
Karen A. Frenkel
Karen A. Frenkel is a contributor to CIO Insight. She covers cybersecurity topics such as digital transformation, vulnerabilities, phishing, malware, and information governance.

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.

Latest Articles