Invitation: OpenChain Global Work Teams - Fourth Monday Call @ Monthly from 23:00 to 00:00 on the fourth Monday (JST) (main@lists.openchainproject.org)

You have been invited to the following event.

OpenChain Global Work Teams - Fourth Monday Call

When
Monthly from 23:00 to 00:00 on the fourth Monday Japan Standard Time
Where
Zoom - https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09 (map)
Calendar
main@...
Who
scoughlan@... - creator
main@...
Join Zoom Meeting
https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09

Meeting ID: 999 012 0120
Passcode: 123456
One tap mobile
+16699006833,,9990120120#,,,,*123456# US (San Jose)
+12532158782,,9990120120#,,,,*123456# US (Tacoma)

Dial by your location
        +1 669 900 6833 US (San Jose)
        +1 253 215 8782 US (Tacoma)
        +1 301 715 8592 US (Washington DC)
        +1 312 626 6799 US (Chicago)
        +1 346 248 7799 US (Houston)
        +1 408 638 0968 US (San Jose)
        +1 646 876 9923 US (New York)
Meeting ID: 999 012 0120
Passcode: 123456
Find your local number:
https://us02web.zoom.us/u/kW7exlfu


Invitation from Google Calendar

You are receiving this courtesy email at the account main@... because you are an attendee of this event.

To stop receiving future updates for this event, decline this event. Alternatively you can sign up for a Google account at https://calendar.google.com/calendar/ and control your notification settings for your entire calendar.

Forwarding this invitation could allow any recipient to send a response to the organizer and be added to the guest list, or invite others regardless of their own invitation status, or to modify your RSVP. Learn More.


Invitation: OpenChain Bi-Weekly Webinar @ Monthly from 23:00 to 00:00 on the third Monday (JST) (main@lists.openchainproject.org)

You have been invited to the following event.

OpenChain Bi-Weekly Webinar

When
Monthly from 23:00 to 00:00 on the third Monday Japan Standard Time
Where
https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09 (map)
Calendar
main@...
Who
scoughlan@... - creator
main@...
This is part of the bi-weekly OpenChain Webinar series. Every two weeks we have international speakers covering a wide range of topics related to practical open source compliance challenges, solutions and considerations. You can learn more about this series here : https://www.openchainproject.org/webinars-interviews




Invitation: OpenChain Mini-Summit @ Thu Mar 11, 2021 00:00 - 03:00 (JST) (main@lists.openchainproject.org)

You have been invited to the following event.

OpenChain Mini-Summit

When
Thu Mar 11, 2021 00:00 – 03:00 Japan Standard Time
Where
https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09 (map)
Calendar
main@...
Who
jmcginnis@... - creator
main@...
Agenda: 

First Hour: Specification editing with focus on optional security extension to ISO 5230. This will take the form of an explanatory document illustrating OpenChain usage in this context.

Second Hour: Education editing with focus on finalizing submission for LF training to turn into the OpenChain online course.

Third Hour: Automation review, to provide a summary of the experience and knowledge gained from the OpenChain reference tooling work group, and to identify the “pain points” for interoperability between open source tooling for open source compliance.




Invitation: OpenChain Global Work Team Call (2nd Monday) @ Monthly from 15:00 to 16:00 on the second Monday (JST) (main@lists.openchainproject.org)

You have been invited to the following event.

OpenChain Global Work Team Call (2nd Monday)

When
Monthly from 15:00 to 16:00 on the second Monday Japan Standard Time
Where
https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09 (map)
Calendar
main@...
Who
rbraun@... - creator
main@...



Re: [partners] [openchain] Certification Services

Marcel, Andrew, thank you for raising this topic.

I want to clarify the intent and view of the OpenChain Project regarding Third-Party Certification to our specification. 

Firstly, OpenChain 2.1 / ISO 5230 is a standard focused on defining the key requirements of a quality open source compliance program. It does this by identifying process inflection points that must be filled by an entity adopting the standard. 

It follows that the starting point is a program, and a program can be self-certified, independently assessed or third-party certified to exist and have the required process inflection points filled. This is what Andrew referred to as program certification. It has always been the intent of the project, and continues to be, that program certification is valid for all forms of certification related to OpenChain 2.1 / ISO 5230.

System certification with or without using another standard such as ISO 17021 - ‘Conformity assessment — Requirements for bodies providing audit and certification of management systems’ is also a valid approach from the perspective of the OpenChain Project. It is a different type of approach, encompassing both the determination of the process content (as per program certification) and an assessment of effectiveness in a “live environment.”

In some jurisdictions certifiers may wish or may have a requirement to be accredited in a manner such as the German DAkkS, and thus may use ISO 17021 in that context, but such accreditation is not compulsory with respect to ISO standards. [1] From global feedback so far, we expect companies to choose from a mixture of program certification, system certification and to apply their own preferences to how these are accomplished. This variation will reflect how other standards have been applied around the world. 

The question of how to choose a certifier with respect to reliability is therefore market-based. People can elect to choose a certifier that is accredited by a geographic body and/or one that leverages an ISO CASCO standard like ISO 17021 and/or a certifier that is approved by the OpenChain Project. They can elect to have a program certified as per the program requirements of OpenChain 2.1 / ISO 5230, or they can elect to have the requirements of OpenChain 2.1 / ISO 5230 supplemented by additional system requirements such as ISO 17021.

Summary:

The OpenChain Project endorses and supports both program and system certification. The specific shakeout of what becomes the norm in each industry sector will be driven by the economics and the procurement contracts in each sector. This is by design, to ensure the standard is adopted and leveraged by companies in every geography and every market segment.


Shane Coughlan
OpenChain General Manager
+818040358083
Book a meeting:
https://meetings.hubspot.com/scoughlan

On Mar 3, 2021, at 6:48, Marcel (PwC DE) via lists.openchainproject.org <marcel.scholze=pwc.com@...> wrote:


Hello all,

This is an interesting idea; however, creating different variations of certifications might dilute the credibility of an ISO/IEC 5230 certificate. Also, it would be my understanding that it is not in line with audit and ISO practices and might result in confusion.

With ISO/IEC 5230, we have an official ISO framework which specifies the requirements of a quality open source license compliance program – for which a certification body should follow ISO certification requirements, the ISO/IEC 17021 for audit and certification of management systems.

ISO 17021 (audit and certification of management systems) defines that such an audit is conducted in two stages; stage 1 being a review of documentation of the management system (I would call it “design effectiveness audit”) and stage 2 to evaluate the implementation, including the effectiveness of the management system (I would call it “operating effectiveness audit”). So within stage 2, an ISO 17021 conformant certification body needs to obtain sufficient evidence of the effectiveness of the management measures, which includes sample testing where applicable. This does not require the management system to be in operation for a long period of time, such as a year, but it must be in operation so that the effectiveness of the measures can be demonstrated through evidence or reperformance of measures. Certifications as such (unlike some other audit reports such as ISAE 3000 or ISAE 3402) are per se related to a point in time, so it does not give an indication of the past or a specific period of time; e.g. it does not say that the management system has been effective for the last 12 months etc., but it gives an indication of the date of certification and, if applicable, for the subsequent period through surveillance audits.

According to ISO 17021, there can be no certification of only design effectiveness / stage 1 - operational effectiveness must also be assessed. I assume an accreditation of such a certification procedure by the state authorities (in Germany DAkkS) is not possible. To provide a certificate only on stage 1 would bring a lot of confusion to the market.

There is still the self-certification around, customer specific audits, and audit reports e.g. as per ISAE 3000 can be performed. To support companies even further a “certification readiness audit” can be performed before certification.

PwC issues ISO/IEC 5230 certificates only on the basis of ISO 17021 compliant audits, including e.g. IAF MD #1, #4, #5, ensuring that anyone holding a PwC certificate can rely on full compliance with ISO 5230 and surrounding ISO certification requirements.

Kind regards,
Marcel

Marcel Scholze (DE)
PwC | Director | Open Source Software Services & IT-Sourcing
Phone: +49 69 95851746 | Mobile: +49 151 161 57 049
Email: marcel.scholze@...
PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft
Friedrich-Ebert-Anlage 35-37 | 60327 | Frankfurt a. M. | Germany

Find out about Open Source Software Management: https://www.pwc.de/opensource

Chairman of the Supervisory Board: WP StB Dr. Norbert Vogelpoth
Managing Directors: WP StB Dr. Ulrich Störk, WP StB Dr. Peter Bartels, Dr. Joachim Englert, WP StB Petra Justenhoven, WP Clemens Koch, StB Marius Möller, WP StB Uwe Rittmann, StB RA Klaus Schmidt, StB CPA Mark Smith
Registered office: Frankfurt am Main, Frankfurt am Main Local Court HRB 107858
PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft is a member of PricewaterhouseCoopers International, a company limited by guarantee registered in England and Wales
Data protection: information on data processing at PricewaterhouseCoopers GmbH WPG can be found in the PricewaterhouseCoopers GmbH WPG privacy notice


On Tue, 2 Mar 2021 at 18:15, Andrew K <andrew.katz@...> wrote:

Hi All

There’s been quite a lot of traffic on the list about how audits and certification are going to work, and I’d like to open up how we are approaching this. It’s important that people understand what an OpenChain certification means, and how it can be arrived at. To that end, we’ve spent a lot of time working with an audit specialist with experience in a broad range of fields from process to financial services to quality assurance to come up with our own audit processes and procedures. We’ve come to the conclusion that we need (at minimum) two levels of certification.

One reason for this is that an organisation may seek third party certification directly after implementing an OpenChain compliance program. There should be a place in the marketplace for such a certification, but, again, such a certification will not be as in-depth as a certification which has tested the operations of the practices and procedures. This second level of certification will necessarily mean that the program has been in operation for a period of time (a year, for example), so that its outputs can be tested against the expectations of the program. Naturally, to receive this certification, the organisation will have to have been operating for sufficient time for the data to be available, so this level of certification cannot be offered immediately after implementation of the program.

In brief, we make a distinction between “Program Certification” and “Systems Certification”.

Program Certification confirms that OpenChain policies, practices and procedures are in place which are compliant. This is similar to verifying that the answers to the self-certification questionnaire are independently verified, and, in addition, confirming that, if operated properly (including build systems etc.) those policies, practices and procedures are capable of producing the required outputs (so in this respect it goes somewhat further than verifying self-certification on its own).

Systems Certification requires Program Certification, but it also requires that the organisation has been operating an OpenChain program for a period of time sufficient for us to certify both that the organisation’s program meets Program Certification standards, and also that those policies, practices and procedures verifiably meet the outcomes required by the OpenChain Specification. The former is, in effect, a readiness and capability certification, and the latter is a more comprehensive certification to audit standards, so it will require sample-testing that compliance artifacts for components are correctly generated, that licence choices have been correctly assigned, that training records have been correctly met, and so on.

Establishing the criteria for Program Certification is fairly straightforward, as it is based very much on the structure and content of the self-certification questionnaire, together with some additional checks to confirm the plausibility of the processes to be employed to implement the program. Systems Certification is somewhat more complex, in that it requires that audit processes are established to check that the expected outputs are in line with the actual outputs. It is not appropriate to do a complete code analysis here, for example (in the same way that a financial auditor undertaking a business’s annual audit will not check to ensure that every expenses receipt submitted to an organisation has been correctly entered into its accounting system), but a structured set of control-based checks will be used to provide the relevant confidence level.

We are putting together an internal specification for how the Systems Certification would work, and we are basing it on existing certification standards (such as Management Systems Certification ISO/IEC 17021-1). Clearly, it is in the interest of OpenChain that the levels of certification to be adopted are agreed on by the OpenChain Project, and, ultimately, we would consider that the certification programs themselves (and their operators) are independently verified by organisations such as UKAS in the UK, and DAkkS in Germany.

We’re very happy to discuss this further.

All the best

Andrew

Andrew Katz
Orcro Limited
+44 1628 470003
+44 7970 835001
orcro.co.uk

Jubilee House, 213 Oxford Street, London, W1D 2LF
Thames House, Mere Park, Dedmere Road, Marlow, Bucks SL7 1PB (registered office)

Orcro Limited is a limited company registered in England and Wales under Number 11173406. VAT number: GB 289 7831 32. Orcro Limited is not regulated as a law firm and does not provide legal advice, but has a relationship with Moorcrofts LLP. We are happy to work with either Moorcrofts LLP or your own chosen legal advisers. Individuals’ qualifications are as set out in their bio page. Reference to an individual as a lawyer, solicitor or paralegal does not mean that they are acting in that capacity as an Orcro staff member.

Data protection: we process your personal data to keep in touch with you, to carry out work for you or your organisation, for internal administration (including employment) for regulatory purposes and for limited marketing purposes (for which you can require us to stop at any time). For more information see https://orcro.co.uk/privacy-summary/ or contact team@...

The information contained in this email is intended only for its addressee and may contain confidential and/or privileged information. If the reader of this email is not the intended recipient, you are hereby notified that reading, saving, distribution or use of the content of this email in any way is prohibited. If you have received this email in error, please notify the sender and delete the email. We use updated antivirus protection software. We do not accept any responsibility for damages caused anyhow by viruses transmitted via email.


Webinar #19 – OpenChain ISO 5230 in the Supply Chain

 

Our latest webinar recording is now available. Enjoy!
Webinar #19 – OpenChain ISO 5230 in the Supply Chain
https://www.openchainproject.org/featured/2021/03/02/webinar-19


Re: Certification Services

Marcel (PwC DE)
 

Hello all,

This is an interesting idea; however, creating different variations of certifications might dilute the credibility of an ISO/IEC 5230 certificate. Also, it would be my understanding that it is not in line with audit and ISO practices and might result in confusion.

With ISO/IEC 5230, we have an official ISO framework which specifies the requirements of a quality open source license compliance program – for which a certification body should follow ISO certification requirements, the ISO/IEC 17021 for audit and certification of management systems.

ISO 17021 - audit and certification of management systems- defines that such an audit is conducted in two stages; stage 1 being a review of documentation of the management system (I would call it “design effectiveness audit”) and stage 2 to evaluate the implementation, including the effectiveness of the management system (I would call it “operating effectiveness audit”). So within stage 2, an ISO 17021 conformant certification body needs to obtain sufficient evidence of the effectiveness of the management measures, which includes sample testing where applicable. This does not require the management system to be in operation for a long period of time, such as a year, but it must be in operation so that the effectiveness of the measures can be demonstrated through evidence or reperformance of measures. Certifications as such (unlike some other audit reports such as ISAE 3000 or ISAE 3402) are per se related to a point in time, so it does not give an indication of the past or a specific period of time; e.g. it does not say that the management system has been effective for the last 12 months etc., but it gives an indication of the date of certification and, if applicable, for the subsequent period through surveillance audits.

According to ISO 17021, there can be no certification of only design effectiveness / stage 1 - operational effectiveness must also be assessed. I assume an accreditation of such a certification procedure by the state authorities (in Germany DAkkS) is not possible. To provide a certificate only on stage 1 would bring a lot of confusion to the market.

There is still the self-certification around, customer specific audits, and audit reports e.g. as per ISAE 3000 can be performed. To support companies even further a “certification readiness audit” can be performed before certification.

PwC issues ISO/IEC 5230 certificates only on the basis of ISO 17021 compliant audits, including e.g. IAF MD #1, #4, #5, ensuring that anyone holding a PwC certificate can rely on full compliance with ISO 5230 and surrounding ISO certification requirements.

Kind regards,
Marcel

Marcel Scholze (DE)
PwC | Director | Open Source Software Services & IT-Sourcing
Phone: +49 69 95851746 | Mobile: +49 151 161 57 049
Email: marcel.scholze@...
PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft
Friedrich-Ebert-Anlage 35-37 | 60327 | Frankfurt a. M. | Germany

Find out about Open Source Software Management: https://www.pwc.de/opensource

Vorsitzender des Aufsichtsrates: WP StB Dr. Norbert Vogelpoth
Geschäftsführer: WP StB Dr. Ulrich Störk, WP StB Dr. Peter Bartels, Dr. Joachim Englert, WP StB Petra Justenhoven, WP Clemens Koch, StB Marius Möller, WP StB Uwe Rittmann, StB RA Klaus Schmidt, StB CPA Mark Smith
Sitz der Gesellschaft: Frankfurt am Main, Amtsgericht Frankfurt am Main HRB 107858
PricewaterhouseCoopers GmbH Wirtschaftsprüfungsgesellschaft ist Mitglied von PricewaterhouseCoopers International, einer Company limited by guarantee registriert in England und Wales
Datenschutz: Hinweise zur Datenverarbeitung bei PricewaterhouseCoopers GmbH WPG finden Sie unter Datenschutzhinweise PricewaterhouseCoopers GmbH WPG


On Tue, 2 Mar 2021 at 18:15, Andrew K <andrew.katz@...> wrote:

Hi All

 

There’s been quite a lot of traffic on the list about how audits and certification are going to work, and I’d like to open up how we are approaching this. It’s important that people understand what an OpenChain certification means, and how it can be arrived at. To that end, we’ve spent a lot of time working with an audit specialist with experience in a broad range of fields from process to financial services to quality assurance to come up with our own audit processes and procedures. We’ve come to the conclusion that we need at (at minimum)  two levels of certification. 

 

One reason for this is that an organisation may seek third party certification directly after implementing an OpenChain compliance program. There should be a place in the marketplace for such a certification, but, again, such a certification will not be as in-depth as a certification which has tested the operations of the practices and procedures. This second level of certification will necessarily mean that the program has been in operation for a period of time (a year, for example), so that its outputs can be tested against the expectations of the program. Naturally, to receive this certification, the organisation will have to have been operating for sufficient time for the data to be available, so this level of certification cannot be offered immediately after implementation of the program. 

 

In brief, we make a distinction between “Program Certification” and “Systems Certification”.

 

Program Certification confirms that OpenChain policies, practices and procedures are in place which are compliant. This is similar to verifying that the answers to the self-certification questionnaire are independently verified, and, in addition, confirming that, if operated properly (including build systems etc.) those policies, practices and procedures are capable of producing the required outputs (so in this respect it goes somewhat further than verifying self-certification on its own).

 

Systems Certification requires Program Certification, but it also requires that the organisation has been operating an OpenChain program for a period of time sufficient for us to certify both that the organisation’s program meets Program Certification standards, and also that those policies, practices and procedures verifiably meet the outcomes required by the OpenChain Specification. The former is, in effect, a readiness and capability certification, and the latter is a more comprehensive certification to audit standards, so it will require sample-testing that compliance artifacts for components are correctly generated, that licence choices have been correctly assigned, that training records have been correctly met, and so on. 

 

Establishing the criteria for Program Certification is fairly straightforward, as it is based very much on the structure and content of the self-certification questionnaire, together with some additional checks to confirm the plausibility of the processes to be employed to implement the program. Systems Certification is somewhat more complex, in that it requires that audit processes are established to check that the expected outputs are in line with the actual outputs. It is not appropriate to do a complete code analysis here, for example (in the same way that a financial auditor undertaking a business’s annual audit will not check to ensure that every expenses receipt submitted to an organisation has been correctly entered into its accounting system), but a structured set of control-based checks will be used to provide the relevant confidence level.  

 

We are putting together an internal specification for how the Systems Certification would work, and we are basing it on existing certification standards (such as Management Systems Certification ISO/IEC 17021 1). Clearly, it is in the interest of OpenChain that the levels of certification to be adopted are agreed on by the OpenChain Project, and, ultimately, we would consider that the certification programs themselves (and their operators) are independently verified by organisations such as UKAS in the UK, and DAkkS in Germany. 

 

We’re very happy to discuss this further. 

 

All the best

 

 

Andrew

 

 

Andrew Katz

Orcro Limited

+44 1628 470003

+44 7970 835001

orcro.co.uk

 

Jubilee House, 213 Oxford Street, London, W1D 2LF

Thames House, Mere Park, Dedmere Road, Marlow, Bucks SL7 1PB (registered office)

Orcro Limited is a limited company registered in England and Wales under Number 11173406. VAT number: GB 289 7831 32. Orcro Limited is not regulated as a law firm and does not provide legal advice, but has a relationship with Moorcrofts LLP. We are happy to work with either Moorcrofts LLP or your own chosen legal advisers. Individuals’ qualifications are as set out in their bio page. Reference to an individual as a lawyer, solicitor or paralegal does not mean that they are acting in that capacity as an Orcro staff member.

 

Data protection: we process your personal data to keep in touch with you, to carry out work for you or your organisation, for internal administration (including employment) for regulatory purposes and for limited marketing purposes (for which you can require us to stop at any time). For more information see https://orcro.co.uk/privacy-summary/ or contact team@...

 

 

 

 

 

 

 

 


Diese Information ist ausschliesslich fuer den Adressaten bestimmt und kann vertrauliche oder gesetzlich geschuetzte Informationen enthalten. Wenn Sie nicht der bestimmungsgemaesse Adressat sind, unterrichten Sie bitte den Absender und vernichten Sie diese Mail. Anderen als dem bestimmungsgemaessen Adressaten ist es untersagt, diese E-Mail zu lesen, zu speichern, weiterzuleiten oder ihren Inhalt auf welche Weise auch immer zu verwenden. Wir verwenden aktuelle Virenschutzprogramme. Fuer Schaeden, die dem Empfaenger gleichwohl durch von uns zugesandte mit Viren befallene E-Mails entstehen, schliessen wir jede Haftung aus. 
* * * * *
The information contained in this email is intended only for its addressee and may contain confidential and/or privileged information. If the reader of this email is not the intended recipient, you are hereby notified that reading, saving, distribution or use of the content of this email in any way is prohibited. If you have received this email in error, please notify the sender and delete the email. We use updated antivirus protection software. We do not accept any responsibility for damages caused anyhow by viruses transmitted via email.


Certification Services

Andrew K

Hi All

There’s been quite a lot of traffic on the list about how audits and certification are going to work, and I’d like to open up how we are approaching this. It’s important that people understand what an OpenChain certification means, and how it can be arrived at. To that end, we’ve spent a lot of time working with an audit specialist with experience in a broad range of fields, from process to financial services to quality assurance, to come up with our own audit processes and procedures. We’ve come to the conclusion that we need (at minimum) two levels of certification.

One reason for this is that an organisation may seek third party certification directly after implementing an OpenChain compliance program. There should be a place in the marketplace for such a certification, but, again, such a certification will not be as in-depth as a certification which has tested the operations of the practices and procedures. This second level of certification will necessarily mean that the program has been in operation for a period of time (a year, for example), so that its outputs can be tested against the expectations of the program. Naturally, to receive this certification, the organisation will have to have been operating for sufficient time for the data to be available, so this level of certification cannot be offered immediately after implementation of the program.

In brief, we make a distinction between “Program Certification” and “Systems Certification”.

Program Certification confirms that OpenChain policies, practices and procedures are in place which are compliant. This is similar to having the answers to the self-certification questionnaire independently verified, and, in addition, confirming that, if operated properly (including build systems etc.), those policies, practices and procedures are capable of producing the required outputs (so in this respect it goes somewhat further than verifying self-certification on its own).

Systems Certification requires Program Certification, but it also requires that the organisation has been operating an OpenChain program for a period of time sufficient for us to certify both that the organisation’s program meets Program Certification standards, and also that those policies, practices and procedures verifiably meet the outcomes required by the OpenChain Specification. The former is, in effect, a readiness and capability certification, and the latter is a more comprehensive certification to audit standards, so it will require sample-testing that compliance artifacts for components are correctly generated, that licence choices have been correctly assigned, that training records have been correctly met, and so on.

Establishing the criteria for Program Certification is fairly straightforward, as it is based very much on the structure and content of the self-certification questionnaire, together with some additional checks to confirm the plausibility of the processes to be employed to implement the program. Systems Certification is somewhat more complex, in that it requires that audit processes are established to check that the expected outputs are in line with the actual outputs. It is not appropriate to do a complete code analysis here, for example (in the same way that a financial auditor undertaking a business’s annual audit will not check to ensure that every expenses receipt submitted to an organisation has been correctly entered into its accounting system), but a structured set of control-based checks will be used to provide the relevant confidence level.

We are putting together an internal specification for how the Systems Certification would work, and we are basing it on existing certification standards (such as Management Systems Certification, ISO/IEC 17021-1). Clearly, it is in the interest of OpenChain that the levels of certification to be adopted are agreed on by the OpenChain Project, and, ultimately, we would consider that the certification programs themselves (and their operators) are independently verified by organisations such as UKAS in the UK and DAkkS in Germany.

We’re very happy to discuss this further.

All the best

Andrew


Andrew Katz

Orcro Limited

+44 1628 470003

+44 7970 835001

orcro.co.uk

 

Jubilee House, 213 Oxford Street, London, W1D 2LF

Thames House, Mere Park, Dedmere Road, Marlow, Bucks SL7 1PB (registered office)

Orcro Limited is a limited company registered in England and Wales under Number 11173406. VAT number: GB 289 7831 32. Orcro Limited is not regulated as a law firm and does not provide legal advice, but has a relationship with Moorcrofts LLP. We are happy to work with either Moorcrofts LLP or your own chosen legal advisers. Individuals’ qualifications are as set out in their bio page. Reference to an individual as a lawyer, solicitor or paralegal does not mean that they are acting in that capacity as an Orcro staff member.


OpenChain Bi-Weekly Webinar - Mon, 2021-03-01 #cal-notice

main@lists.openchainproject.org Calendar <noreply@...>

OpenChain Bi-Weekly Webinar

When:
Monday, 1 March 2021
10:00pm to 11:00pm
(GMT-08:00) America/Los Angeles

Where:
https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09

Organizer:
scoughlan@... 00818040358083

Description:
This is part of the bi-weekly OpenChain Webinar series. Every two weeks we have international speakers covering a wide range of topics related to practical open source compliance challenges, solutions and considerations. You can learn more about this series here: https://www.openchainproject.org/webinars-interviews

Join Our Zoom Meeting

Password

  • 123456

One Tap Telephone (no screensharing)

  • +358 9 4245 1488,,9990120120# Finland
  • +33 7 5678 4048,,9990120120# France
  • +49 69 7104 9922,,9990120120# Germany
  • +852 5808 6088,,9990120120# Hong Kong
  • +39 069 480 6488,,9990120120# Italy
  • +353 6 163 9031,,9990120120# Ireland
  • +81 524 564 439,,9990120120# Japan
  • +82 2 6105 4111,,9990120120# Korea
  • +34 917 873 431,,9990120120# Spain
  • +46 850 539 728,,9990120120# Sweden
  • +41 43 210 71 08,,9990120120# Switzerland
  • +44 330 088 5830,,9990120120# UK
  • +16699006833,,9990120120# US (San Jose)
  • +12532158782,,9990120120# US

Find your local number: https://zoom.us/u/abeUqy3kYQ
Not all countries have available numbers.

After dialing the local number enter 9990120120#


Starting in five minutes: Webinar - OpenChain ISO 5230 in the supply chain so far


The OpenChain Bi-Weekly Webinar begins in five minutes. This time we will explore OpenChain ISO 5230 in the supply chain so far. An interactive session with plenty of room for questions.

Join freely:
https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09


OpenChain Bi-Weekly Webinar - Mon, 2021-03-01 10:00pm-11:00pm, Please RSVP #cal-reminder

main@lists.openchainproject.org Calendar <main@...>

Reminder: OpenChain Bi-Weekly Webinar

When: Monday, 1 March 2021, 10:00pm to 11:00pm, (GMT-08:00) America/Los Angeles

Where: https://us02web.zoom.us/j/9990120120?pwd=NzVCaFE2L1RRRFZaSkk0dm8xdlplUT09

An RSVP is requested.

Organizer: Shane Coughlan scoughlan@... 00818040358083

Description: This is part of the bi-weekly OpenChain Webinar series. Every two weeks we have international speakers covering a wide range of topics related to practical open source compliance challenges, solutions and considerations. You can learn more about this series here: https://www.openchainproject.org/webinars-interviews

Join Our Zoom Meeting

Password

  • 123456

One Tap Telephone (no screensharing)

  • +358 9 4245 1488,,9990120120# Finland
  • +33 7 5678 4048,,9990120120# France
  • +49 69 7104 9922,,9990120120# Germany
  • +852 5808 6088,,9990120120# Hong Kong
  • +39 069 480 6488,,9990120120# Italy
  • +353 6 163 9031,,9990120120# Ireland
  • +81 524 564 439,,9990120120# Japan
  • +82 2 6105 4111,,9990120120# Korea
  • +34 917 873 431,,9990120120# Spain
  • +46 850 539 728,,9990120120# Sweden
  • +41 43 210 71 08,,9990120120# Switzerland
  • +44 330 088 5830,,9990120120# UK
  • +16699006833,,9990120120# US (San Jose)
  • +12532158782,,9990120120# US

Find your local number: https://zoom.us/u/abeUqy3kYQ
Not all countries have available numbers.

After dialing the local number enter 9990120120#


OpenChain Mini-Summit, March 10th

Jennifer McGinnis <jmcginnis@...>


OpenChain Mini-Summit is coming soon!

Date & Times:
March 10th 7 am PST  / 3 pm UTC /  3 pm GMT / 4 pm CET / 8:30 pm IST / 11 pm Taiwan / 11 pm CST  /
12 am (March 11th) KST / 12 am (March 11th) JST
Agenda: 
First Hour: Specification editing with focus on optional security extension to ISO 5230. This will take the form of an explanatory document illustrating OpenChain usage in this context.
Second Hour: Education editing with focus on finalizing submission for LF training to turn into the OpenChain online course.
Third Hour: Automation review, to provide a summary of the experience and knowledge gained from the OpenChain reference tooling work group, and to identify the “pain points” for interoperability between open source tooling for open source compliance.
Location:
Event will be held on Zoom:
Meeting ID: 999 012 0120 Password: 123456


Re: OpenChain Certification and Business Value

reza.alavi@wipro.com

Hi Jan,

I take your point on corporate change and thank you for highlighting change management as one of the critical issues. In my experience, I’ve seen many enterprises struggling with their change management challenges while technology is continually changing. During the rise of regulation and linear software development, enterprises tend to demonstrate that they have fully auditable IT controls and regulate releases into production systems. Therefore, they adopted a rigorous and sometimes entirely inflexible IT change management process approach. Some of the best practice frameworks, such as ITIL, are considered to create a responsible team (change advisory board) to assess requests for change against risk and their impacts and collision avoidance. The purpose of this is to balance the stability of enterprises and innovation. However, this traditional approach to change management created several challenges, such as increased overhead costs and, more importantly, frustration for development and operations teams. So, instead of change management being an enabler, it became a constraint.

The open source software compliance regime may not go smoothly through the RFC (request for change) process in many enterprises and creates a pain point for development, operations and security teams. Thus, open source compliance is seen as unmanageable and detrimental to business.

I think it is time for some changes in the change management approach!

Warm regards,

Reza

Reza Alavi

Managing Consultant, UK&I/CE

Security, Risk, Compliance & Assurance

M: +44 7890 636734

Wipro Limited

3 Sheldon Square, London W2 6HY


From: main@... <main@...> On Behalf Of Jan Thielscher via lists.openchainproject.org
Sent: 25 February 2021 16:07
To: main@...
Subject: Re: [openchain] OpenChain Certification and Business Value


Hello Aitken,

thank you for pointing this out. I can underline this experience as well.

My suspicion is that project ownership and traditional corporate structures are root causes of this.

We try to organize projects from the beginning as corporate change projects. This does not make it easier to sell, but it sets the right expectations at sponsor level. When starting a project initiated in corporate legal, you may succeed in IT / Dev but might fail in corporate purchasing or later in HR, when it comes to adjusting developer contracts concerning contributions…

Thus I would suggest framing it from the beginning as a corporate change.

Best regards

Jan


From: <main@...> on behalf of "Andrew Aitken via lists.openchainproject.org" <andrew.aitken=wipro.com@...>
Reply-To: "main@..." <main@...>
Date: Thursday, 25 February 2021 at 15:36
To: "main@..." <main@...>
Subject: Re: [openchain] OpenChain Certification and Business Value

Shane, to your point, having been involved in building or advising on over 50 governance programs, one area of weakness we consistently see is around supply chain management. Many organizations set up sophisticated processes, tooling and automation to manage code they build and deploy and only give a passing thought to code ingested or embedded and deployed in their products from 3rd parties.

Regards,

Andrew Aitken

Global Open Source Practice Leader

in/opensourcestrategy AndrewOSS_Strat

650-704-6321


From: main@... <main@...> On Behalf Of Shane Coughlan via lists.openchainproject.org
Sent: Thursday, February 25, 2021 2:07 AM
To: main@...
Subject: Re: [openchain] OpenChain Certification and Business Value


Thanks Mary. An important point.

Many companies have existing and effective measures in place to address open source compliance. OpenChain does not invalidate or forcibly replace these measures, but it does provide a unified method for approaching the problem space moving forward.

Because OpenChain is particularly useful in the context of supply chain management - both base compliance and in ensuring harmonized process approaches - it offers the potential to offer greater effectiveness and efficiency than bespoke approaches. This is a key driver to our observed engagement and growth.

The bias in expressing business values tends to be towards reduced resource cost (less time on bespoke approaches and governance) with increased speed (faster problem analysis and remediation).

I do aim to have case studies unfolding over this year providing metrics, though in the specific content the % gained for ISO 5230 is still being unpacked due to the newness to market.

We will have a mini-summit shortly. Perhaps we can take an hour for existing conformant companies to talk about their derived business value?

Regards

Shane


On Feb 23, 2021, at 1:42, Mattran, Mary <mary.mattran@...> wrote:

To me, this is a strange answer.  My company is not OC compliant, but we certainly have been taking compliance seriously and have much in place to support that commitment in the form of compliance reviews.  So, we don't break the law.  OC Compliance is not a law.  It is a standard for having a robust compliance program.  If you already have ways of ensuring you are not violating licenses/law, the question is "what value does it have for me to go the extra mile to become OC compliant?"  An important question for companies to answer.  

My company supplies automotive subsystems to auto manufacturers.  The auto manufacturers are starting to ask about our plans to be OC compliant.  It is a business-to-business question, and easier for us to answer.  If I am a customer looking for COTS, I am likely not going to ask if the SW is OC Compliant, so it may have no business value to that vendor to take the extra steps to OC compliance.

'The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com'


OpenChain Global Work Team Meeting 2020-02-22

https://www.openchainproject.org/featured/2021/02/25/openchain-global-work-team-meeting-2020-02-22

We are doing a lot of editing. Here is what we are working on:
• We want to close the comments on this Word document to create our new free online training course on edX. We currently have a lot of suggestions around parts 1~4 and need suggestions around parts 5~8. Please review and add notes to help us make this happen for late March delivery!
https://1drv.ms/w/s!AsXJVqby5kpnkRE0rsGzo5lduvaq?e=t0aEs5
• We want to improve our one-slide overview for the purpose of putting it into our supplier “Introduction to OpenChain” slide deck:
https://1drv.ms/p/s!AsXJVqby5kpnkRmAupkc3JkJP7ni
• We want to review the supplier “Introduction to OpenChain” slide deck to consider refinements to language to make it super clear and simple for organizations completely new to OpenChain:
https://1drv.ms/p/s!AsXJVqby5kpnkRUxneDgBQMWIUmx
• Finally, we want to update two specific areas of our general project overview slides. The first, slide 22, is about explaining the place of OpenChain in the eco-system. What is the best way to visualize this? The second is to review the project summary language on slide 26 to consider if it fits your mental model of how we should be summarized:
https://1drv.ms/p/s!AsXJVqby5kpnkRbTu0pv0Jgb0aAQ

If we get all this together we will have the perfect package to hand to suppliers and other interested parties to onboard them into our ecosystem.




Re: The business of OpenChain certifications

Asai, Yoshinaho

Hi all,

I'm sorry for being late to join this topic. I'm Asai from TUEV SUED Japan, in charge of Functional Safety and OSS certification.
We have just started the job transfer process from our former colleagues.
It may take a couple of months to announce that we are ready again.

From 2021 on, we (TUEV SUED Japan, FS Team) will be responsible for the certificate acc. to ISO 5230 globally.
We have more than 20 years of experience in the Functional Safety business in every category.
So we can adapt to ISO 5203 without any difficulties because of our experience. The Functional Safety business includes lots of assessments,
like software development (V-V model and so on), system management audits and analysis of software development processes.

Once we are ready, of course we will announce it again officially. We are also interested in starting work with clients who are interested in having the 3rd party certificate in advance of other companies. We can work together under reasonable conditions in that case.
As I said, we have already issued more than 500 certificates in a professional way acc. to ISO policy as a notified body and certification body. (We are accredited by governmental organizations (EU/Germany, DAkkS/ZLS).)
We are confident we can sell our mark at a professional level in the global market for sure. The only thing I want to know is how many companies are willing to have it. For us, the ISO 26262 certificate business somehow had no good results in the automotive market. If the OC certificate is well required in the market, of course we will do our best to show that the certificate holder complies with ISO 5230 at a professional level in a single-level judgement as certification body.

Best regards,

淺井 由尚 (Yoshinaho Asai)
Functional Safety Team, TUEV SUED Japan

-----Original Message-----
From: main@... <main@...> On Behalf Of Shane Coughlan via lists.openchainproject.org
Sent: Monday, February 22, 2021 5:06 PM
To: main@...
Subject: Re: [openchain] The business of OpenChain certifications

Hi Dirk

Self-certification is not an interim step. It is and always will be at the core of the project. In over five years in market it has proven to be an effective and efficient method of promoting better compliance. We have yet to have a reported case of misrepresentation in this space. Naturally, if such a case occurred in the future, we would address it. We have several measures to do so, including but not limited to our trademarks.

Regarding TUV SÜD specifically, the certification business has moved to Japan. Asai San in that office is in charge, and I am happy to make an introduction as useful. The Japan and Korea offices are currently talking with clients.

More broadly, as Marcel pointed out, there are reputable certifiers and auditors in play. We expect to build and announce further relationships in this space throughout 2021. The key measure for effective engagement beyond their individual reputation is their participation in the OpenChain Partner Program. This ensures their application has been vetted by our governing board.

Even more broadly, with ISO 5230 gaining traction in procurement, we expect to see an uptick in both independent assessment (similar to ISO 26262, and already provided by law firms and services providers in our eco-system), alongside full third party certification by organizations like PwC and TUV SÜD.

Regards

Shane

On Feb 21, 2021, at 19:51, Dirk Riehle <dirk@...> wrote:

Hi all,

I assume that the short-term business value of having an OpenChain certification (as a company) is that you can promise your customers lower open source compliance costs. Longer-term I assume the OpenChain (or a comparable one) certification to be a must-have.

Which begs the question where we are on the business of certifications in general. I assume that the self-certification was only an intermediate step and that there should be full blown certifications like the one by TUEV Sued.

https://www.openchainproject.org/resources/case-study-3rd-party-cert

When I last looked into how certifications work (ten years ago), there had to be three separate entities to turn this into a viable business:

1. Curriculum designers (those who determine the content)
2. Trainers / consultants who get customers in shape
3. The certification agency and its mark (e.g. TUEV or UL or ...)

I believe this working group is 1. for any OpenChain derived certification marks. Trainers / consultants 2. are plenty, including yours truly.

The missing part seems to be the certification agencies (and their assessors). The people who drove forward the TUEV certification mark have left; not sure much is going on there. Any other agencies?

I'd be curious how the certification agencies establish believable marks. I assume that there will never be a generic (LF) OpenChain certification mark, only TUEV or UL marks. For this, the certification agencies need to set up their assessment program.

I can't find it, but I thought there was an ISO standard on how to set up certification agencies (i.e. how to get certified as an agency that can issue high-quality marks). Does this apply, or can anyone (Joe's Waffle House) create a mark as long as they have the marketing dollars to make customers believe the mark means something?

Cheers, Dirk

--
Confused about open source?
Get clarity through https://bayave.com/training
--
Website: https://dirkriehle.com/ - Twitter: @dirkriehle
Ph (DE): +49-157-8153-4150 - Ph (US): +1-650-450-8550
