Open Source Policy Builder


Effective and comprehensive open source policies are based on a thorough and unbiased organizational assessment. You can start building your organization's open source policy by answering these questions, taken from industry best practices, to develop guidelines, shared understanding, and policies. Embrace the power of open source confidently and consistently.

Table of Contents

1) Usage Policy and Governance of Open Source Software (OSS)
2) OSS License Compliance
3) Acquisition and Provisioning of OSS
4) OSS in the Supply Chain
5) OSS Tracking and Management
6) Security and Maintenance
7) OSS Community Interaction
8) Training and Education

1) Usage Policy and Governance of Open Source Software (OSS)

This section answers the question, "How will we apply our OSS policy?" Will it be on a global or divisional basis; will it govern based on usage, product, or license; or will you require product reviews and business justification before use? All are important aspects of building your policy.

1. What is the scope of your company's OSS policy?
   [ ] Company-wide
   [ ] Divisional/line of business
   [ ] Department
   [ ] Product

2. Who owns the creation and maintenance of your OSS policy?
   [ ] Shared across groups
   [ ] A standards committee (e.g., Open Source Review Board (OSRB))
   [ ] Open source compliance officer

3. Do OSS components have to be certified before they can be implemented or deployed? If so, who certifies and what kinds of certification must be done?
   [ ] None, no certification needed
   [ ] Locally certified by owner or end-user
   [ ] Formal certification by central IT staff
   [ ] External certification
   [ ] Commercial certification

4. If OSS components have to be certified before they can be implemented or deployed, when can OSS be deployed to production?
   [ ] Before certification is complete
   [ ] During the certification process
   [ ] After certification is complete and successful

5. Which open source software (OSS) licenses are approved for use in your company's products?
   [ ] All open source licenses
   [ ] OSI-approved licenses only
   [ ] All except reciprocal licenses
   [ ] Company-specified list

6. What business justification is required before approval is given for the use of OSS in your company's products?
   [ ] None needed
   [ ] Must meet engineering requirements that specify the use of OSS
   [ ] Must demonstrate business value (total cost of ownership versus functionally equivalent commercial software, return on investment, etc.)
   [ ] Must demonstrate why OSS was chosen over a commercial solution

7. Once the open source policy is established, what are the remediation requirements for existing products that incorporate OSS?
   [ ] None, grandfathered in
   [ ] Existing products with OSS must be inventoried (e.g., scanned, audited) within X days

8. Will OSS be distributed in your company's products?
   [ ] No, all use is internal
   [ ] No, but it will be used in customer-facing environments
   [ ] Yes, will distribute unmodified OSS externally
   [ ] Yes, will distribute modified OSS externally
   [ ] Yes, will integrate and distribute OSS with proprietary IP

9. Can OSS distributed in your company's products be modified?
   [ ] No, must be used in native form
   [ ] Can be modified with approval
   [ ] Can be modified in specified ways
   [ ] Can be modified in any way if not distributed
   [ ] Can be modified without restriction

10. Are source code and binary code scanning required of all software in a distributed product to avoid IP infringement?
   [ ] No
   [ ] Yes, source code and binary code must be fingerprinted upon initial acquisition only
   [ ] Yes, source code and binary code must be scanned periodically
   [ ] Yes, source code and binary code must be scanned prior to the company's product being commercially shipped
   [ ] Other:

2) OSS License Compliance

Perhaps one of the biggest concerns in the use of OSS today is license compliance. This section helps you answer the question of how your organization will handle the who, what, when, and how of OSS license compliance.

1. Who in your organization is responsible for understanding and ensuring compliance with the terms and conditions of OSS licenses?
   [ ] Legal
   [ ] Audit
   [ ] Engineering
   [ ] Individual developers
   [ ] IT management
   [ ] Open Source Review Board (OSRB)
   [ ] All of the above

2. What level in your organization is responsible for understanding and ensuring compliance with the terms and conditions of OSS licenses?
   [ ] Corporate officer
   [ ] Board of directors
   [ ] Company counsel

3. Where can your customers obtain source code for products purchased from your company for license compliance purposes?
   [ ] From the company via physical media through a fulfillment process
   [ ] From the company site, e.g.,
   [ ] From the Internet, any source (e.g., SourceForge, GitHub, Google Code, CodeProject, or other repositories)
   [ ] From a third-party supplier, e.g., Red Hat, IBM

4. What provisions (if any) are in place for dealing with software license conflicts?
   [ ] None
   [ ] Light: we are only concerned with product-level licenses and potential conflicts
   [ ] Robust: we have the requisite tooling and procedures to identify all licensed software within the product

3) Acquisition and Provisioning of OSS

OSS rarely goes through the well-established software procurement processes created by your organization. In many cases this doesn't pose an issue, but if no process exists, problems can occur down the road that could significantly increase risk. This section answers the question of how you manage the procurement of OSS.

1. Who owns OSS that is brought into the company for the express purpose of use in company products? Who is responsible for the initial acquisition and lifecycle management of an OSS component?
   [ ] Individual developer
   [ ] Each OSS component has a named owner
   [ ] One person or central body/team, e.g., OSRB

2. Who is authorized to bring in OSS that will be used in the company's products?
   [ ] Any employee
   [ ] Only authorized employee(s)
   [ ] Only the Open Source Review Board (OSRB)

3. How do company employees acquire OSS for use in company products?
   [ ] From the Internet regardless of repository
   [ ] From the public repository at OpenLogic Exchange
   [ ] Internal, centralized location governed by the OSRB

4. Who is responsible for initiating OSS acquisition?
   [ ] Individual developer
   [ ] Procurement/supply chain management
   [ ] Designated person or central body/team, e.g., OSRB
   [ ] Requests are directed to the OSRB

4) OSS in the Supply Chain

If you use and distribute OSS in your commercial products, you are ultimately responsible for license compliance, even if that OSS was contained in a component obtained from a supplier. For an example of why this is important, please see:

An often-overlooked component of OSS policies is how you will handle OSS that comes into your organization from the supply chain. This section helps you build that component of your policy.

1. What are the requirements for software delivered to your company from a supplier?
   [ ] None; it's the responsibility of the supplier to make sure they are adhering to any and all OSS or proprietary licenses
   [ ] The supplier must detail all software in their components, including the specific licenses under which the software is being made available
   [ ] The supplier must provide a contractual bill of lading that includes a detailed list of software, license(s), and test results from a code scan (e.g., OpenLogic)

2. How do your partners acquire OSS for use in your company's products?
   [ ] From the Internet regardless of repository
   [ ] From the public repository at OpenLogic Exchange
   [ ] An internal, centralized location governed by the partner's OSRB

3. What kind of indemnification must be provided by vendors who supply software to your company?
   [ ] None; software is provided as is
   [ ] Minimal; terms of license are sufficient
   [ ] Full indemnification

4. What are the minimum damages required when dealing with a vendor that supplies software to your organization?
   [ ] None (no damages; sufficient to cure the breach in an agreed-to timeframe)
   [ ] Partial (damages only in actual costs incurred by the company to address the breach)
   [ ] Full (damages cover all costs, including indirect costs, e.g., loss of reputation)

5. What warranties must be obtained from vendors that supply software to your company? (e.g., free replacement of code that infringes on IP)
   [ ] None (no warranties)
   [ ] Bare bones: all software provided as is
   [ ] Vendor-supplied software includes/does not include OSS (simple yes/no)

6. Are vendors that supply software to your company required to run an OSS scan?
   [ ] No
   [ ] Only when vendors supply software that will be used in a product shipped to customers
   [ ] Only when using outsourcers (commercial off-the-shelf (COTS) excluded)
   [ ] Always

7. Does your company distinguish between companies that supply OSS and companies that provide proprietary software?
   [ ] No
   [ ] Yes

5) OSS Tracking and Management

The heart of an OSS policy is how you plan to track the OSS used in your organization. This section helps you answer the question of how OSS is managed and tracked.

1. Who is responsible for maintaining inventory, usage, and other metadata related to OSS components, including licenses?
   [ ] Individual developer
   [ ] Company legal department
   [ ] Each OSS component has a named owner
   [ ] One central person or central body/team, e.g., Open Source Review Board (OSRB)

2. How are OSS components/projects tracked within your company?
   [ ] No special project tracking of the repository
   [ ] Custom-built project tracking tool
   [ ] A vendor-provided tool (e.g., OpenLogic)

3. Where is OSS used in distributed company products housed?
   [ ] Developer responsibility
   [ ] Centrally managed repository
   [ ] Vendor-managed repository (e.g., OpenLogic)

6) Security and Maintenance

Tracking is just part of the solution in terms of managing OSS. Maintaining your OSS and ensuring that you minimize associated security vulnerabilities and exposures is key to a successful OSS policy. This section answers the question of how you manage the security and maintenance of the OSS.

1. What level of technical support must be in place prior to implementing OSS in company products?
   [ ] Individual developer responsibility
   [ ] Provided by a formal internal team, development, or central IT
   [ ] Combination of internal and external providers
   [ ] Must have an SLA signed with a business partner

2. Who is responsible for overseeing the security of OSS components? Who will check whether the code contains vulnerabilities? Who is responsible for applying security patches?
   [ ] Individual end-user
   [ ] One central person or central body/team, e.g., Open Source Review Board (OSRB)
   [ ] Team to be named
   [ ] IT security staff

3. What kind of security/integrity review is required before OSS is procured?
   [ ] None
   [ ] Download from an OSRB-approved repository is sufficient
   [ ] MD5 checksum or other prevailing security verification method
   [ ] Virus scan with an up-to-date fingerprint library
   [ ] Complete source code scanning for security and integrity
   [ ] Manual review

4. What kind of security/integrity review is required before OSS is incorporated into your company's products?
   [ ] None
   [ ] Verified download from an OSRB-approved repository is sufficient
   [ ] Verified MD5 checksum (against OSRB-registered MD5) or other prevailing security verification method
   [ ] Virus scan with an up-to-date fingerprint library
   [ ] Complete source code scanning for security and integrity
   [ ] Manual review

5. What kind of security/integrity review is required before shipping products that include OSS?
   [ ] None
   [ ] Company-conducted complete source code and binary code scanning for security and integrity
   [ ] Certified scan results provided by supply chain vendors that include OSS in the components they supply to the company
   [ ] Manual review

6. How will your company address project forking or abandonment of OSS used in company products? Are there alternate vendors/suppliers available?
   [ ] Manage when it happens
   [ ] Alternate vendors/suppliers are listed or identified prior to incorporating the software within company products
   [ ] Active written response plan

7. Is there a minimum technical standard that must be met for OSS to be brought into the company for use in distributed products?
   [ ] None; developers take all the responsibility and use at their own risk
   [ ] Project must be considered stable on SourceForge/GitHub and/or the community must be considered stable (subject to approval by OSRB)
   [ ] Must have significant widespread adoption as measured by downloads
   [ ] Must have a significant commercial base, e.g., MySQL dual-license

7) OSS Community Interaction

Inevitably, as your developers use OSS, they will have interaction with OSS communities and groups. Whether it's to ask questions about packages they use or to become committers and contributors on OSS projects, it's important that you have a policy in place to retain proprietary in using OSS and to protect the intellectual property created by your organization. This section answers the question of how to manage the interaction of your developers with the open source community.

1. Are contributions to open source projects allowed?
   [ ] No
   [ ] Yes, but only indirectly via use of a proxy (e.g., supplier)
   [ ] Yes, with valid business need and/or approval from management/Open Source Review Board (OSRB)
   [ ] Yes, but only on employees' own time
   [ ] Yes, but employees must use non-corporate addresses for interacting with the community
   [ ] Yes, no restrictions

2. When can an employee make a contribution to an OSS project if it is not related to company business?
   [ ] Never; this is a possible violation of employment contracts
   [ ] Always, without attribution to the company name, on the employee's personal time, and with no requirement to inform the company of such activity

3. When can employees communicate with OSS communities (with company attribution)?
   [ ] Never
   [ ] When business need dictates, but subject to approval/oversight of the OSRB along with the company communications department
   [ ] Freely, for any reason, subject to employment guidelines

4. Are employees allowed to speak publicly about your organization's use of OSS in products?
   [ ] No
   [ ] Yes, with prior management approval
   [ ] Yes, on specified approved topics
   [ ] Yes, under any circumstance

8) Training and Education

OSS training is becoming more important as companies utilize more OSS. Not only do you need to communicate and train employees on your internal policies, it is also a very good idea to educate your people on the risks associated with OSS. This section answers the question of how and what training is required around OSS.

1. What type of OSS training will you deploy in your organization?
   [ ] None
   [ ] Basic OSS 101: create general awareness and education of OSS issues and risks
   [ ] OSS education and policies: general awareness and education on internal policies for compliance purposes
   [ ] Specialized by group: different training for different groups (developers, project managers, compliance managers, legal, partners, etc.)

2. Who will be required to take OSS training?
   [ ] No one
   [ ] Only designated groups that use or interact with OSS
   [ ] Partners
   [ ] All employees

3. Who will develop the training?
   [ ] In-house
   [ ] Outsource

Rogue Wave provides software development tools for mission-critical applications. Our trusted solutions address the growing complexity of building great software and accelerate the value gained from code across the enterprise. Rogue Wave's portfolio of complementary, cross-platform tools helps developers quickly build applications for strategic software initiatives. With Rogue Wave, customers improve software quality and ensure code integrity, while shortening development cycle times.

Copyright 2014 Rogue Wave Software. All Rights Reserved.


More information

Technology Lifecycle Management. A Model for Enabling Systematic Budgeting and Administration of Government Technology Programs

Technology Lifecycle Management. A Model for Enabling Systematic Budgeting and Administration of Government Technology Programs Technology Lifecycle Management A Model for Enabling Systematic Budgeting and Administration of Government Technology Programs Even as technology improves, government s fundamental IT challenge remains

More information

Open Source Management

Open Source Management Open Source Management Best practices for professional use of open source software Simont Braun Avenue Louise, 149/20 1050 Bruxelles T 32 2 533 17 71 F 32 2 533 17 97 E benjamin.docquir@simontbraun.eu

More information

An Oracle White Paper January 2010. Access Certification: Addressing & Building on a Critical Security Control

An Oracle White Paper January 2010. Access Certification: Addressing & Building on a Critical Security Control An Oracle White Paper January 2010 Access Certification: Addressing & Building on a Critical Security Control Disclaimer The following is intended to outline our general product direction. It is intended

More information

End-User Software License Agreement

End-User Software License Agreement End-User Software License Agreement This End-User Software License Agreement (the Agreement ) is a license agreement between you (the Licensee ) and IMSWorkX, Inc. ( IMSWorkX ), a Delaware corporation

More information

COMESA Guidelines on Free and Open Source Software (FOSS)

COMESA Guidelines on Free and Open Source Software (FOSS) COMESA Guidelines on Free and Open Source Software (FOSS) Introduction The COMESA Guidelines on Free and Open Source Software are a follow-up to the COMESA Regional FOSS Framework of 2009 whose main objective

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.

More information

IT Asset Inventory and Outsourcing: The Value of Visibility

IT Asset Inventory and Outsourcing: The Value of Visibility BDNA WHITE PAPER IT Asset Inventory and Outsourcing: The Value of Visibility October 2007 bdnacorp.com U.S. Corporate Headquarters 650.625.9530 Europe, Middle East & Africa +33.1.42.27.10.71 Asia Pacific

More information

OPEN SOURCE SOFTWARE CUSTODIAN AS A SERVICE

OPEN SOURCE SOFTWARE CUSTODIAN AS A SERVICE OPEN SOURCE SOFTWARE CUSTODIAN AS A SERVICE Martin Callinan Martin.callinan@sourcecodecontrol.co Wednesday, June 15, 2016 Table of Contents Introduction... 2 Source Code Control... 2 What we do... 2 Service

More information

Your world runs on applications. Secure them with Veracode.

Your world runs on applications. Secure them with Veracode. Application Risk Management Solutions Your world runs on applications. Secure them with Veracode. Software Security Simplified Application security risk is inherent in every organization that relies on

More information

Altiris Asset Management Suite 7.1 from Symantec

Altiris Asset Management Suite 7.1 from Symantec Ensuring compliance and maximizing your IT investment Overviewview In IT change is inevitable, but asset management provides a starting point for disciplined, standards-based management that elevates the

More information

Free and Open Source Software Compliance: An Operational Perspective

Free and Open Source Software Compliance: An Operational Perspective Free and Open Source Software Compliance: An Operational Perspective 95 Free and Open Source Software Compliance: An Operational Perspective Philip Koltun a Director of Open Compliance Program, The Linux

More information

Attachment for IBM Internet Security Systems Products and Services

Attachment for IBM Internet Security Systems Products and Services IBM Customer Agreement IBM Ireland Limited Registered in Dublin: No. 16226 Registered Office: Oldbrook House 24-32 Pembroke Road Ballsbridge, Dublin 4. Attachment for IBM Internet Security Systems Products

More information

Whitepaper. Security Best Practices for Evaluating Google Apps Marketplace Applications. Introduction. At a Glance

Whitepaper. Security Best Practices for Evaluating Google Apps Marketplace Applications. Introduction. At a Glance Whitepaper Security Best Practices for Evaluating Google Apps Marketplace Applications At a Glance Intended Audience: Security Officers CIOs of large enterprises evaluating Google Apps Marketplace applications

More information

Contract management's effect on in house counsel

Contract management's effect on in house counsel IBM Software Industry Solutions Industry/Product Identifier Contract management's effect on in house counsel Impacting contract visibility, analysis and compliance Emptoris Contract Management Solutions

More information

Get what s right for your business. Contact @lliance Technologies.

Get what s right for your business. Contact @lliance Technologies. Provisioning Looking for new technology? You need systems in line with your business goals. You also need those systems to interact seamlessly. We can help you get the right technology to the right place

More information

Free and Open-Source Software Diligence in Mergers, Acquisitions, and Investments

Free and Open-Source Software Diligence in Mergers, Acquisitions, and Investments Free and Open-Source Software Diligence in Mergers, Acquisitions, and Investments Andrew J. Hall Fenwick & West LLP April 16, 2013 Linux Foundation Collaboration Summit Presentation Topics Introduction

More information

CA Oblicore Guarantee for Managed Service Providers

CA Oblicore Guarantee for Managed Service Providers PRODUCT SHEET CA Oblicore Guarantee for Managed Service Providers CA Oblicore Guarantee for Managed Service Providers Value proposition CA Oblicore Guarantee is designed to automate, activate and accelerate

More information

Contract and Vendor Management Guide

Contract and Vendor Management Guide Contents 1. Guidelines for managing contracts and vendors... 2 1.1. Purpose and scope... 2 1.2. Introduction... 2 2. Contract and Vendor Management 2.1. Levels of management/segmentation... 3 2.2. Supplier

More information

LANDesk Management Suite 8, v8.1 Creating Custom Vulnerabilities

LANDesk Management Suite 8, v8.1 Creating Custom Vulnerabilities LANDesk Management Suite 8, v8.1 Creating Custom Vulnerabilities Revision 1.0 Rex Moffitt May 26, 2004 Information in this document is provided in connection with LANDesk Software products. No license,

More information

LCM IT Asset Management

LCM IT Asset Management LCM IT Asset Management Management Summary Version 1.0 (16.03.2011) Table of Contents 1 LCM IT Asset Management... 3 1.1 License master data... 4 1.2 Management of IT-relevant contractual relationships,

More information

Best Practices of Securing Your Software Intellectual Property Integrity...

Best Practices of Securing Your Software Intellectual Property Integrity... January 31, 2005. Best Practices of Securing Your Software Intellectual Property Integrity.......... Palamida, Inc. 612 Howard Street, Suite 100 San Francisco, CA 94105 info@palamida.com 415-777-9400 www.palamida.com

More information

A Best Practice Guide

A Best Practice Guide A Best Practice Guide Contents Introduction [2] The Benefits of Implementing a Privacy Management Programme [3] Developing a Comprehensive Privacy Management Programme [3] Part A Baseline Fundamentals

More information

IMPLEMENTATION DETAILS

IMPLEMENTATION DETAILS Policy: Title: Status: 1. Introduction ISP-I11 Software License Regulations Approved Information Security Policy Documentation IMPLEMENTATION DETAILS 1.1. The Software Management Policy (ISP-S13) makes

More information

Assurance in Service-Oriented Environments

Assurance in Service-Oriented Environments Assurance in Service-Oriented Environments Soumya Simanta Research, Technology, and System Solutions (RTSS) Program Software Engineering Institute Carnegie Mellon University Pittsburgh 15232 28 th October,

More information

How Can I Better Manage My Software Assets And Mitigate The Risk Of Compliance Audits?

How Can I Better Manage My Software Assets And Mitigate The Risk Of Compliance Audits? SOLUTION BRIEF CA SERVICE MANAGEMENT - SOFTWARE ASSET MANAGEMENT How Can I Better Manage My Software Assets And Mitigate The Risk Of Compliance Audits? SOLUTION BRIEF CA DATABASE MANAGEMENT FOR DB2 FOR

More information

IBM Managed Security Services (Cloud Computing) hosted mobile device security management

IBM Managed Security Services (Cloud Computing) hosted mobile device security management IBM Managed Security Services (Cloud Computing) hosted mobile device security management Z125-8855-00 11-2011 Page 1 of 15 Table of Contents 1. Scope of Services... 3 2. Definitions... 3 3. Services...

More information

CITY OF WAUKESHA HUMAN RESOURCES POLICY/PROCEDURE POLICY B-20 SOFTWARE USAGE AND STANDARDIZATION

CITY OF WAUKESHA HUMAN RESOURCES POLICY/PROCEDURE POLICY B-20 SOFTWARE USAGE AND STANDARDIZATION CITY OF WAUKESHA HUMAN RESOURCES POLICY/PROCEDURE POLICY B-20 SOFTWARE USAGE AND STANDARDIZATION 1.0 Purpose and Scope of Policy It is the policy of the City of Waukesha (City) to respect all computer

More information

IT Risk Management: Guide to Software Risk Assessments and Audits

IT Risk Management: Guide to Software Risk Assessments and Audits IT Risk Management: Guide to Software Risk Assessments and Audits Contents Overview... 3 Executive Summary... 3 Software: Today s Biggest Security Risk... 4 How Software Risk Enters the Enterprise... 5

More information

Complete Patch Management

Complete Patch Management Complete Patch Management Targeted, Reliable and Cost-efficient Brief Secunia CSI Corporate Software Inspector Empower your organisation to take control of the vulnerability threat & optimize your ITsecurity

More information

HP Change Configuration and Release Management (CCRM) Solution

HP Change Configuration and Release Management (CCRM) Solution HP Change Configuration and Release Management (CCRM) Solution HP Service Manager, HP Release Control, and HP Universal CMDB For the Windows Operating System Software Version: 9.30 Concept Guide Document

More information

DUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two)

DUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two) DUE DILIGENCE Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two) By Amy Terry Sheehan Vendors and other third parties are vital to

More information

SharePoint Governance & Security: Where to Start

SharePoint Governance & Security: Where to Start WHITE PAPER SharePoint Governance & Security: Where to Start 82% The percentage of organizations using SharePoint for sensitive content. AIIM 2012 By 2016, 20 percent of CIOs in regulated industries will

More information

Introduction to OVAL: A new language to determine the presence of software vulnerabilities

Introduction to OVAL: A new language to determine the presence of software vulnerabilities Introduction to OVAL: A new language to determine the presence of software vulnerabilities Matthew Wojcik / Tiffany Bergeron / Robert Roberge November 2003 The MITRE Corporation Table of Contents Introduction

More information

Reducing Cost and Risk Through Software Asset Management

Reducing Cost and Risk Through Software Asset Management RESEARCH SUMMARY NOVEMBER 2013 Reducing Cost and Risk Through Software Asset Management A survey conducted by CA Technologies among delegate attendees at the 2013 Gartner IT Financial, Procurement & Asset

More information

CCH INCORPORATED, A WOLTERSKLUWER COMPANY ACCESS AGREEMENT FOR THE

CCH INCORPORATED, A WOLTERSKLUWER COMPANY ACCESS AGREEMENT FOR THE CCH INCORPORATED, A WOLTERSKLUWER COMPANY ACCESS AGREEMENT FOR THE Accounting Research Manager INFORMATION DATABASE PROVIDED THROUGH Mayer Hoffman McCann P.C. ("AGREEMENT" OR "ACCESS AGREEMENT") IN THIS

More information

Your Open Source Investment Know. Manage. Protect.

Your Open Source Investment Know. Manage. Protect. Using open source software provides a compelling business case, but if companies violate the software s licenses, the consequences can be more severe than they think. Open Source Risk Management s services

More information

NeXUS REPOSITORY managers

NeXUS REPOSITORY managers PRODUCT OVERVIEW NeXUS REPOSITORY managers Nexus OSS, Nexus Pro and Nexus Pro+ Nexus repository managers help organizations build better software, faster. Like a supply chain, applications are built by

More information

Data Management Policies. Sage ERP Online

Data Management Policies. Sage ERP Online Sage ERP Online Sage ERP Online Table of Contents 1.0 Server Backup and Restore Policy... 3 1.1 Objectives... 3 1.2 Scope... 3 1.3 Responsibilities... 3 1.4 Policy... 4 1.5 Policy Violation... 5 1.6 Communication...

More information

IBM Tivoli Asset Management for IT

IBM Tivoli Asset Management for IT Cost-effectively manage the entire life cycle of your IT assets IBM Highlights Help control the costs of IT assets with a single product installation that tracks and manages hardware, software and related

More information

VULNERABILITY MANAGEMENT

VULNERABILITY MANAGEMENT VULNERABILITY MANAGEMENT A White Paper Presented by: MindPoint Group, LLC 8078 Edinburgh Drive Springfield, VA 22153 (o) 703.636.2033 (f) 866.761.7457 www.mindpointgroup.com blog.mindpointgroup.com SBA

More information

MASTER SERVICES AGREEMENT - DIGITAL ADVERTISING SERVICES

MASTER SERVICES AGREEMENT - DIGITAL ADVERTISING SERVICES MASTER SERVICES AGREEMENT - DIGITAL ADVERTISING SERVICES MASTER SERVICES AGREEMENT This Master Services Agreement (the Agreement ) shall govern the provision of services to the undersigned client (the

More information

IT ASSET MANAGEMENT SELECTED BEST PRACTICES. Sherry Irwin

IT ASSET MANAGEMENT SELECTED BEST PRACTICES. Sherry Irwin IT ASSET MANAGEMENT SELECTED BEST PRACTICES Sherry Irwin IT ASSET MANAGEMENT SELECTED BEST PRACTICES By Sherry Irwin INTRODUCTION As the discipline of IT asset management (ITAM) began to evolve in the

More information

THIRD PARTY. T i m L i e t z R e g i o n a l P r a c t i c e L e a d e r R i s k A d v i s o r y S e r v i c e s

THIRD PARTY. T i m L i e t z R e g i o n a l P r a c t i c e L e a d e r R i s k A d v i s o r y S e r v i c e s MANAGING THIRD PARTY RISK T i m L i e t z R e g i o n a l P r a c t i c e L e a d e r R i s k A d v i s o r y S e r v i c e s Experis -- a different kind of talent company. Experis Tuesday, January 08,

More information

Cloud Computing: Contracting and Compliance Issues for In-House Counsel

Cloud Computing: Contracting and Compliance Issues for In-House Counsel International In-house Counsel Journal Vol. 6, No. 23, Spring 2013, 1 Cloud Computing: Contracting and Compliance Issues for In-House Counsel SHAHAB AHMED Director Legal and Corporate Affairs, Microsoft,

More information

From Private to Hybrid Clouds through Consistency and Portability

From Private to Hybrid Clouds through Consistency and Portability Extending IT Governance From Private to Hybrid Clouds through Consistency and Portability Gordon Haff 2 Executive summary 3 beyond information security 3 from private to public and back again 4 consistency

More information

Productivity Through Open Source Policy Compliance

Productivity Through Open Source Policy Compliance Productivity Through Open Source Policy Compliance This article is part of a series on how Rational Collaborative Lifecycle Management (CLM) solutions support software development compliance. Today the

More information