SlideShare a Scribd company logo
1 of 8
These slides do not contain legal advice
Open Chain Maturity Model
Roadmap
Capability Maturity Model – What is a CMM?
A framework for determining the degree of capability,
adaptability and resilience of a business function within
an organisation, with the aim of optimising continuous
improvement.
Maturity Model – High Level Approach
Indicative levels of maturity
• INITIAL: Minimal knowledge of open source compliance practice and procedure
• REPEATABLE: Some steps towards compliance. Some systems in place, but
application ad hoc
• DEFINED/IMPLEMENTED: Policies, practice and procedure in place, but not
necessarily in operation
• MANAGED: Policies etc. in place, and in operation, and improved as considered
necessary
• OPTIMISING: Policies etc. in place, in operation, and actively managed using
appropriate metrics and a process of continuous improvement.
Maturity Model – High Level Approach
59%
38%
64%
50%
5
4
3
2
1
Measured
Maturity
Score
Target
Systems
Information
People &
Organisation
Process
Optimising
Managed
Defined / Implemented
Repeatable
Initial
The capabilities of the organisation that have
been developed to manage open source
software development will be considered
against the requirements of the OpenChain
Specification v2.1, ISO/IEC 5230:2020.
They will be categorised into four types of
capability; people and organisational, process,
information, and systems.
Maturity will be assessed against five levels of
completeness as shown.
The target level will be specific to each
organisation and can be set according to their
ambition and view of business risk and
priorities for delivery.
The gap between target level and measured
level presents defines opportunities for
improvement and is easily converted to
implementation plans,
OpenChain Provides a Potential Framework
1. The Specification (ISO 5230:2020) contains the set of characteristics that a quality
Open Source development function possess within an organisation.
2. Each OpenChain requirement can be mapped against a business function, and a
degree of maturity can be assigned to each business function.
3. We propose a hierarchy. Top level requirements will be applicable across all
organisations.
4. Second level requirements can be tailored to the method of implementation chosen by
the organisation.
5. It’s compatible with existing best practice in capability maturity modelling across the
whole range of an organisation’s business functions, not just software development (or
open source software development).
ISO Requirements and Processes
Governance Strategy and Oversight
6
3.1.1 Policy
Appoint policy author, owner, exec sponsor
Publish policy
Review policy
Distribute policy
Track awareness of policy
Review performance against policy
objectives
Enablement and Performance Management
3.1.4 Program scope
Define programme scope
Review appropriateness of programme scope
Define risks to be managed
Define benefits to be achieved
3.1.2 Competence
Identify roles and responsibilities
Determine competence required
Determine training need
Assess competence achieved
3.2.2 Effectively
resourced
Review programme resourcing and funding
Track progress against policy objectives
Analyse progress against policy objectives
3.5.1 Contributions
Develop policy for contributions (in and outbound)
Review and maintain policy
Track progress against policy
Review performance (risks and benefits)
3.1.3 Awareness
Communicate open source and contribution
policy
Track awareness of policies
Communicate implications of non-
compliance
Track non-compliance events
Track awareness of contribution policy
Open Chain Delivery
3.6.1 Conformance,
3.6.2 Duration
Review OpenChain
conformance (18 month)
Manage 3rd party
certification
3.1.5 License
Obligations
Identify licenses in use
Document license
obligations
3.3.2 License
Compliance
review license compliance
across distribution modes
Produce contributions
guidelines for contributors
3.3.1 Bill of
Materials
Produce SBOM
Review and approve SBOM
Maintain version and distribution
history
Licence analysis
Produce records of process followed
3.4.1 Compliance
Artifacts
Generate artefacts
Distribute artifacts
Record artifacts
3.2.1 Access
Respond to compliance inquiries
Track nature of response to inquiries
Review performance of inquiry responses
Example assessment 3.3.1 Bill of Materials
People and Organisation Capability Processes Capabiliity
Attributes P&O Maturity Questions Process Attributes Process Maturity Questions
Key role holders
Development Team
Leader
Associated roles
DevOps Specialist
Does a role exist for
generating (or
maintaining the system
which generates) SBOMs?
Are role/responsibility
holders suitably trained?
Do role/responsibility
holders have the
necessary competencies?
Key processes
Produce SBOM
Review and approve
SBOM
Maintain version and
distribution history
Produce records of
process followed
Does a process exist
(automated or not) for
generating SBOMs?
Does a process exist for
reviewing and approving
SBOMs?
As part of any process
involving SBOMs, are
suitable records kept?
Information Capability Systems Capability
Information
Attributes
Information maturity
question
Systems Attributes Systems Maturity Questions
Key Information
Component
manifests
Correct SBOMs
SBOM records &
metadata
Are component manifests
made available for
compliance purposes?
Are SBOMs generated?
Do SBOMs contain sufficient
correct data for licence
compliance?*
Are SBOMs generated in a
way which facilitates other
risk management or
operational processes (e.g.
security/vulnerability or
export control)
Are standards (e.g. SPDX,
CycloneDX) used to generate
SBOMs
Are the standards used to
generate SBOMs consistent
across the organisation?
Key systems
Compliance toolchain*
Emerging good practice
Metadata repository
(such as SW360)
Does the compliance
toolchain have functionality
for generating SBOMs?
Where issues are identified
(e.g., a failing test) is it
possible to remedy the issue
in-situ?
Is compliance metadata
stored in a suitable system
such as SW360?
Full Profile Assessment
Rapid view of gaps and priorities
Deeper analysis possible by each
of the four capability lenses.
Supports optimisation of open
chain programme

More Related Content

Similar to Maturity Models - Open Compliance Summit 2023

QAI - Cmmi Overview - Induction ppt
QAI - Cmmi Overview - Induction pptQAI - Cmmi Overview - Induction ppt
QAI - Cmmi Overview - Induction pptQAIites
 
Making Smart Choices: Strategies for CMMI Adoption
Making Smart Choices: Strategies for CMMI AdoptionMaking Smart Choices: Strategies for CMMI Adoption
Making Smart Choices: Strategies for CMMI Adoptionrhefner
 
CMMi level 3 presentation
CMMi level 3 presentationCMMi level 3 presentation
CMMi level 3 presentationadinmani
 
A process maturity model for requirements engineering
A process maturity model for requirements engineeringA process maturity model for requirements engineering
A process maturity model for requirements engineeringIan Sommerville
 
PECB Webinar: Aligning ISO 25000 and CMMI for Development
PECB Webinar: Aligning ISO 25000 and CMMI for DevelopmentPECB Webinar: Aligning ISO 25000 and CMMI for Development
PECB Webinar: Aligning ISO 25000 and CMMI for DevelopmentPECB
 
Adopting the Right Software Test Maturity Assessment Model
Adopting the Right Software Test Maturity Assessment ModelAdopting the Right Software Test Maturity Assessment Model
Adopting the Right Software Test Maturity Assessment ModelCognizant
 
Capability maturity model cmm lecture 8
Capability maturity model cmm lecture 8Capability maturity model cmm lecture 8
Capability maturity model cmm lecture 8Abdul Basit
 
Requirements Maturity Model Overview
Requirements Maturity Model OverviewRequirements Maturity Model Overview
Requirements Maturity Model OverviewIAG Consulting
 
9.process improvement chapter 9
9.process improvement chapter 99.process improvement chapter 9
9.process improvement chapter 9Warui Maina
 
ISTQB Advanced Study Guide - 8
ISTQB Advanced Study Guide - 8ISTQB Advanced Study Guide - 8
ISTQB Advanced Study Guide - 8Yogindernath Gupta
 
ICAB - ITK Chapter 3 class 6-7 - Management of IT
ICAB - ITK Chapter 3 class 6-7 - Management of ITICAB - ITK Chapter 3 class 6-7 - Management of IT
ICAB - ITK Chapter 3 class 6-7 - Management of ITMohammad Abdul Matin Emon
 
Tool Box Talk - CMRP exam recommendations
Tool Box Talk - CMRP exam recommendationsTool Box Talk - CMRP exam recommendations
Tool Box Talk - CMRP exam recommendationsRicky Smith CMRP, CMRT
 
Navigating HCM Compliance Through Managed Services Part 2
Navigating HCM Compliance Through Managed Services Part 2Navigating HCM Compliance Through Managed Services Part 2
Navigating HCM Compliance Through Managed Services Part 2Smart ERP Solutions, Inc.
 

Similar to Maturity Models - Open Compliance Summit 2023 (20)

QAI - Cmmi Overview - Induction ppt
QAI - Cmmi Overview - Induction pptQAI - Cmmi Overview - Induction ppt
QAI - Cmmi Overview - Induction ppt
 
Intro to CMM.pdf
Intro to CMM.pdfIntro to CMM.pdf
Intro to CMM.pdf
 
Making Smart Choices: Strategies for CMMI Adoption
Making Smart Choices: Strategies for CMMI AdoptionMaking Smart Choices: Strategies for CMMI Adoption
Making Smart Choices: Strategies for CMMI Adoption
 
CMMi level 3 presentation
CMMi level 3 presentationCMMi level 3 presentation
CMMi level 3 presentation
 
A process maturity model for requirements engineering
A process maturity model for requirements engineeringA process maturity model for requirements engineering
A process maturity model for requirements engineering
 
PECB Webinar: Aligning ISO 25000 and CMMI for Development
PECB Webinar: Aligning ISO 25000 and CMMI for DevelopmentPECB Webinar: Aligning ISO 25000 and CMMI for Development
PECB Webinar: Aligning ISO 25000 and CMMI for Development
 
Software process maturity+ framework
Software process maturity+ frameworkSoftware process maturity+ framework
Software process maturity+ framework
 
Adopting the Right Software Test Maturity Assessment Model
Adopting the Right Software Test Maturity Assessment ModelAdopting the Right Software Test Maturity Assessment Model
Adopting the Right Software Test Maturity Assessment Model
 
Capability maturity model cmm lecture 8
Capability maturity model cmm lecture 8Capability maturity model cmm lecture 8
Capability maturity model cmm lecture 8
 
Online testing strategy
Online testing strategyOnline testing strategy
Online testing strategy
 
Ch28
Ch28Ch28
Ch28
 
Requirements Maturity Model Overview
Requirements Maturity Model OverviewRequirements Maturity Model Overview
Requirements Maturity Model Overview
 
9.process improvement chapter 9
9.process improvement chapter 99.process improvement chapter 9
9.process improvement chapter 9
 
Introduction To Cmm1
Introduction To Cmm1Introduction To Cmm1
Introduction To Cmm1
 
ISTQB Advanced Study Guide - 8
ISTQB Advanced Study Guide - 8ISTQB Advanced Study Guide - 8
ISTQB Advanced Study Guide - 8
 
ICAB - ITK Chapter 3 class 6-7 - Management of IT
ICAB - ITK Chapter 3 class 6-7 - Management of ITICAB - ITK Chapter 3 class 6-7 - Management of IT
ICAB - ITK Chapter 3 class 6-7 - Management of IT
 
Cmm
CmmCmm
Cmm
 
testing
testingtesting
testing
 
Tool Box Talk - CMRP exam recommendations
Tool Box Talk - CMRP exam recommendationsTool Box Talk - CMRP exam recommendations
Tool Box Talk - CMRP exam recommendations
 
Navigating HCM Compliance Through Managed Services Part 2
Navigating HCM Compliance Through Managed Services Part 2Navigating HCM Compliance Through Managed Services Part 2
Navigating HCM Compliance Through Managed Services Part 2
 

More from Shane Coughlan

OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024Shane Coughlan
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAShane Coughlan
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...Shane Coughlan
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingShane Coughlan
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingShane Coughlan
 
OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19Shane Coughlan
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
openEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleopenEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleShane Coughlan
 
OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20Shane Coughlan
 
AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06Shane Coughlan
 
OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06Shane Coughlan
 
OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09Shane Coughlan
 
Openchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxOpenchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxShane Coughlan
 
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...Shane Coughlan
 
OpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesOpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesShane Coughlan
 
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27Shane Coughlan
 
FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30Shane Coughlan
 
OpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeOpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeShane Coughlan
 
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxFrom One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxShane Coughlan
 
OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11Shane Coughlan
 

More from Shane Coughlan (20)

OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024
 
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCAOpenChain Webinar: AboutCode and Beyond - End-to-End SCA
OpenChain Webinar: AboutCode and Beyond - End-to-End SCA
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full RecordingOpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
OpenChain Education Work Group Monthly Meeting - 2024-04-10 - Full Recording
 
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full RecordingOpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
OpenChain AI Study Group - Europe and Asia Recap - 2024-04-11 - Full Recording
 
OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19OpenChain Monthly Meeting North America and Asia - 2024-03-19
OpenChain Monthly Meeting North America and Asia - 2024-03-19
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
openEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scaleopenEuler Community Overview - a presentation showing the current scale
openEuler Community Overview - a presentation showing the current scale
 
OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20OpenChain AI Study Group - North America and Europe - 2024-02-20
OpenChain AI Study Group - North America and Europe - 2024-02-20
 
AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06AI Study Group North America - Europe 2024-02-06
AI Study Group North America - Europe 2024-02-06
 
OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06OpenChain Monthly North America / Europe Call - 2024-02-06
OpenChain Monthly North America / Europe Call - 2024-02-06
 
OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09OpenChain Export Control Work Group 2024-01-09
OpenChain Export Control Work Group 2024-01-09
 
Openchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptxOpenchain AI Study Group 2024-01-23.pptx
Openchain AI Study Group 2024-01-23.pptx
 
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
OpenChain Webinar #58 - FOSS License Management through aliens4friends in Ecl...
 
OpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics SlidesOpenChain Annual Report 2023 - Key Metrics Slides
OpenChain Annual Report 2023 - Key Metrics Slides
 
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
OpenChain Webinar 57 - The Open Source Initiative - 2023-11-27
 
FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30FOSSLight Community Day 2023-11-30
FOSSLight Community Day 2023-11-30
 
OpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your CodeOpenChain Webinar #56: Generative AI and Your Code
OpenChain Webinar #56: Generative AI and Your Code
 
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptxFrom One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
From One Standard to a Family - Taiwan Work Group - 2023-08-15.pptx
 
OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11OpenChain Japan Work Group Meeting #28 - 2023-07-11
OpenChain Japan Work Group Meeting #28 - 2023-07-11
 

Recently uploaded

Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanNeo4j
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletAndrea Goulet
 
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale IbridaUNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale IbridaNeo4j
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio, Inc.
 
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...Neo4j
 
Test Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfTest Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfkalichargn70th171
 
BusinessGPT - Security and Governance for Generative AI
BusinessGPT  - Security and Governance for Generative AIBusinessGPT  - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AIAGATSoftware
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Andreas Granig
 
^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank
^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank
^Clinic ^%[+27788225528*Abortion Pills For Sale In witbankkasambamuno
 
Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Henry Schreiner
 
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024MulesoftMunichMeetup
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Chirag Panchal
 
Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConNatan Silnitsky
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMarkus Moeller
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfkalichargn70th171
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Andrea Goulet
 
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...OnePlan Solutions
 
Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Maxim Salnikov
 

Recently uploaded (20)

Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit MilanWorkshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
Workshop: Enabling GenAI Breakthroughs with Knowledge Graphs - GraphSummit Milan
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea Goulet
 
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale IbridaUNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
UNI DI NAPOLI FEDERICO II - Il ruolo dei grafi nell'AI Conversazionale Ibrida
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
 
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
CERVED e Neo4j su una nuvola, migrazione ed evoluzione di un grafo mission cr...
 
Test Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdfTest Automation Design Patterns_ A Comprehensive Guide.pdf
Test Automation Design Patterns_ A Comprehensive Guide.pdf
 
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
 
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
Abortion Clinic In Pretoria ](+27832195400*)[ 🏥 Safe Abortion Pills in Pretor...
 
BusinessGPT - Security and Governance for Generative AI
BusinessGPT  - Security and Governance for Generative AIBusinessGPT  - Security and Governance for Generative AI
BusinessGPT - Security and Governance for Generative AI
 
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024Automate your OpenSIPS config tests - OpenSIPS Summit 2024
Automate your OpenSIPS config tests - OpenSIPS Summit 2024
 
^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank
^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank
^Clinic ^%[+27788225528*Abortion Pills For Sale In witbank
 
Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024
 
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
Anypoint Code Builder - Munich MuleSoft Meetup - 16th May 2024
 
Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024Food Delivery Business App Development Guide 2024
Food Delivery Business App Development Guide 2024
 
Effective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeConEffective Strategies for Wix's Scaling challenges - GeeCon
Effective Strategies for Wix's Scaling challenges - GeeCon
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdf
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
 
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
 
Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?Prompt Engineering - an Art, a Science, or your next Job Title?
Prompt Engineering - an Art, a Science, or your next Job Title?
 

Maturity Models - Open Compliance Summit 2023

  • 1. These slides do not contain legal advice Open Chain Maturity Model Roadmap
  • 2. Capability Maturity Model – What is a CMM? A framework for determining the degree of capability, adaptability and resilience of a business function within an organisation, with the aim of optimising continuous improvement.
  • 3. Maturity Model – High Level Approach Indicative levels of maturity • INITIAL: Minimal knowledge of open source compliance practice and procedure • REPEATABLE: Some steps towards compliance. Some systems in place, but application ad hoc • DEFINED/IMPLEMENTED: Policies, practice and procedure in place, but not necessarily in operation • MANAGED: Policies etc. in place, and in operation, and improved as considered necessary • OPTIMISING: Policies etc. in place, in operation, and actively managed using appropriate metrics and a process of continuous improvement.
  • 4. Maturity Model – High Level Approach 59% 38% 64% 50% 5 4 3 2 1 Measured Maturity Score Target Systems Information People & Organisation Process Optimising Managed Defined / Implemented Repeatable Initial The capabilities of the organisation that have been developed to manage open source software development will be considered against the requirements of the OpenChain Specification v2.1, ISO/IEC 5230:2020. They will be categorised into four types of capability; people and organisational, process, information, and systems. Maturity will be assessed against five levels of completeness as shown. The target level will be specific to each organisation and can be set according to their ambition and view of business risk and priorities for delivery. The gap between target level and measured level presents defines opportunities for improvement and is easily converted to implementation plans,
  • 5. OpenChain Provides a Potential Framework 1. The Specification (ISO 5230:2020) contains the set of characteristics that a quality Open Source development function possess within an organisation. 2. Each OpenChain requirement can be mapped against a business function, and a degree of maturity can be assigned to each business function. 3. We propose a hierarchy. Top level requirements will be applicable across all organisations. 4. Second level requirements can be tailored to the method of implementation chosen by the organisation. 5. It’s compatible with existing best practice in capability maturity modelling across the whole range of an organisation’s business functions, not just software development (or open source software development).
  • 6. ISO Requirements and Processes Governance Strategy and Oversight 6 3.1.1 Policy Appoint policy author, owner, exec sponsor Publish policy Review policy Distribute policy Track awareness of policy Review performance against policy objectives Enablement and Performance Management 3.1.4 Program scope Define programme scope Review appropriateness of programme scope Define risks to be managed Define benefits to be achieved 3.1.2 Competence Identify roles and responsibilities Determine competence required Determine training need Assess competence achieved 3.2.2 Effectively resourced Review programme resourcing and funding Track progress against policy objectives Analyse progress against policy objectives 3.5.1 Contributions Develop policy for contributions (in and outbound) Review and maintain policy Track progress against policy Review performance (risks and benefits) 3.1.3 Awareness Communicate open source and contribution policy Track awareness of policies Communicate implications of non- compliance Track non-compliance events Track awareness of contribution policy Open Chain Delivery 3.6.1 Conformance, 3.6.2 Duration Review OpenChain conformance (18 month) Manage 3rd party certification 3.1.5 License Obligations Identify licenses in use Document license obligations 3.3.2 License Compliance review license compliance across distribution modes Produce contributions guidelines for contributors 3.3.1 Bill of Materials Produce SBOM Review and approve SBOM Maintain version and distribution history Licence analysis Produce records of process followed 3.4.1 Compliance Artifacts Generate artefacts Distribute artifacts Record artifacts 3.2.1 Access Respond to compliance inquiries Track nature of response to inquiries Review performance of inquiry responses
  • 7. Example assessment 3.3.1 Bill of Materials People and Organisation Capability Processes Capabiliity Attributes P&O Maturity Questions Process Attributes Process Maturity Questions Key role holders Development Team Leader Associated roles DevOps Specialist Does a role exist for generating (or maintaining the system which generates) SBOMs? Are role/responsibility holders suitably trained? Do role/responsibility holders have the necessary competencies? Key processes Produce SBOM Review and approve SBOM Maintain version and distribution history Produce records of process followed Does a process exist (automated or not) for generating SBOMs? Does a process exist for reviewing and approving SBOMs? As part of any process involving SBOMs, are suitable records kept? Information Capability Systems Capability Information Attributes Information maturity question Systems Attributes Systems Maturity Questions Key Information Component manifests Correct SBOMs SBOM records & metadata Are component manifests made available for compliance purposes? Are SBOMs generated? Do SBOMs contain sufficient correct data for licence compliance?* Are SBOMs generated in a way which facilitates other risk management or operational processes (e.g. security/vulnerability or export control) Are standards (e.g. SPDX, CycloneDX) used to generate SBOMs Are the standards used to generate SBOMs consistent across the organisation? Key systems Compliance toolchain* Emerging good practice Metadata repository (such as SW360) Does the compliance toolchain have functionality for generating SBOMs? Where issues are identified (e.g., a failing test) is it possible to remedy the issue in-situ? Is compliance metadata stored in a suitable system such as SW360?
  • 8. Full Profile Assessment Rapid view of gaps and priorities Deeper analysis possible by each of the four capability lenses. Supports optimisation of open chain programme