Maturity checklist

docs/bok/Activities/Level-1/Managing.md

@@ -7,14 +7,21 @@ tags:
   - HR-Training (Role)
   - Placeholder
   - Level 1 (OSMM)
+checklist:
+- title: Choice
+  description: The organisation has a process to choose between open source alternatives.
+- title: Realizing The Benefit
+  description: Management realizes the benefits of open source.
+- title: Cost Savings
+  description: Management understands the cost savings of open source.
+- title: Support
+  description: The organisation has a process for obtaining support for open source components.
 sidebar_position: 1
 list_image: /img/bok/page-types/activity.png
 ---
 
 This article is a follow-up to the [Using Open Source Software](Using) and covers some details about how to manage staff that are using open source.
 
-**PLACEHOLDER**
-
 ## Skills Inventory
 
 One activity that is commonly undertaken when an organisation is beginning the open source journey is to figure out _who in the organisation has pre-existing skills_ that can be leveraged:
@@ -35,13 +42,23 @@ Once open source software has been chosen for consumption, it will need to be de
 
 At this stage it may be necessary to evaluate the open source's [Total Cost of Ownership](../../Measurements/Project#total-cost-of-ownership-tco)
 
+## Open Source Support
+
+Paying for a support contract for open source software offers several significant benefits, especially for businesses that rely on these technologies for critical operation:
+
+- They ensures priority access to expert assistance.
+- Support contracts often come with assurances of regular updates and security patches,
+- Financial contributions through support contracts can fund ongoing development and improvements.
+
 ## Source Control
 
 Organisations involved in developing software should ensure they have appropriate [source control](../../Artifacts/Repositories#source-repository), whether or not they are using open source in the development process.
 
+
 ## Further Reading
 
 - [Good Governance Initiative](../../Training/Good-Governance-Initiative)
 
+## Maturity Checklist
 
-
+<ArticleChecklist checklist={frontMatter.checklist} title={frontMatter.title} />

docs/bok/Activities/Level-1/Using.md

@@ -9,8 +9,17 @@ tags:
   - Level 1 (OSMM)
   - Consuming (Activity)
   - Repository (Artifact)
-image: /img/bok/page-types/activity.png
+list_image: /img/bok/page-types/activity.png
 sidebar_position: 0
+checklist:
+- title: Use
+  description: Open source components are used across the organisation.
+- title: Preferring Open Source
+  description: Open source solutions are preferred over proprietary software.
+- title: Procurement
+  description: There is a defined process for using open source in the organisation.
+- title: Process Efficiency
+  description: The procurement process doesn't hinder open source consumption. 
 ---
 
 Using open source software within a financial services organisation poses unique challenges.  This article outlines some of the potential pitfalls and solutions when getting started.

docs/bok/Activities/Level-2/Consumption-Compliance.md

@@ -7,6 +7,17 @@ tags:
   - Legal Risk
 sidebar_position: 0
 sidebar_label: Compliance
+checklist:
+  - title: Risk Management
+    description: The organisation's enterprise risk management function considers open source risks
+  - title: Risk Appetite
+    description: Open source risk appetite is understood
+  - title: Compliance
+    description: Open source risk management is part of the organisational compliance policy
+  - title: Controls
+    description: Standardized controls are in place around open source consumption
+  - title: Monitoring
+    description: Open source controls are monitored
 list_image: /img/bok/page-types/activity.png
 ---
 
@@ -188,3 +199,6 @@ See Also:
 
 
 
+## Maturity Checklist
+
+<ArticleChecklist checklist={frontMatter.checklist} title={frontMatter.title} />

docs/bok/Activities/Level-2/Consumption-Training.md

@@ -7,6 +7,11 @@ tags:
   - OSPO (Role)
 sidebar_position: 8
 sidebar_label: Training
+checklist:
+  - title: Training Program
+    description: The organisation has a training program for teams working on open source software
+  - title: Internal Training
+    description: The organisation provides internal training on open source usage policies and procedures
 list_image: /img/bok/page-types/activity.png
 ---
 
@@ -160,3 +165,6 @@ _Will the content need to be updated more frequently?_
 
 Example: External links can change from time to time. Using external resources on the training course will reduce the risk of having broken links and having to update the course.
 
+## Maturity Checklist
+
+<ArticleChecklist checklist={frontMatter.checklist} title={frontMatter.title} />

docs/bok/Activities/Level-2/Creating-An-OSPO.md

@@ -8,6 +8,17 @@ sidebar_position: 7
 sidebar_label: OSPO
 authors:
   name: Pooi Cheong
+checklist:
+  - title: Creation
+    description: The organisation has an open source project office (OSPO)
+  - title: Stakeholders
+    description: The OSPO has stakeholders from relevant functional areas of the organisation
+  - title: Awareness
+    description: Staff are aware of the purpose of the OSPO and how to engage with it
+  - title: Consultation
+    description: The OSPO is consulted when the organisation starts new open source activity
+  - title: Measurement
+    description:  The OSPO measures usage according to published metrics
 list_image: /img/bok/page-types/activity.png
 ---
 
@@ -186,3 +197,7 @@ At some point, you may be in the position to hire permanent staff for the OSPO,
 
 - Is the OSPO able to make recommendations around which open source libraries and projects to invest in?  If so, can they create metrics around how much this simplifies the technology landscape?   
 
+
+## Maturity Checklist
+
+<ArticleChecklist checklist={frontMatter.checklist} title={frontMatter.title} />

docs/bok/Activities/Level-2/Creating-Policy.md

@@ -8,8 +8,12 @@ tags:
   - Level 2 (OSMM)
 sidebar_position: 5
 sidebar_label: Policy
+checklist:
+  - title: Consumption Policy
+    description: The organisation has an open source consumption policy
 list_image: /img/bok/page-types/activity.png
 ---
+
 **THIS IS A PLACEHOLDER**
 
 Refer to [Policy](../../Artifacts/Policy) as the _output_ from this activity.
@@ -18,7 +22,7 @@ Refer to [Policy](../../Artifacts/Policy) as the _output_ from this activity.
 
 
 
-<Excerpt link="https://todogroup.org/guides/create-program/#program-structure" title="Open Source Policy" from="TODO Group">
+<BoxOut image="/img/bok/page-types/artifact.png" link="https://todogroup.org/guides/create-program/#program-structure" title="Open Source Policy" linkText="From TODO Group">
 
 When drafting open source policies, among the many topics that need to be discussed are:
 
@@ -33,9 +37,14 @@ When drafting open source policies, among the many topics that need to be discus
 - How a company can grow a community of like-minded external developers around it to keep it thriving
 - Rules that help determine when code should be released as open source or kept as intellectual property
 
-</Excerpt>
+</BoxOut>
 
 
 ### The Policy
 
 It can take a long time to get policy approved - you need people on-side to help build this from the policy team (expand). (1 year as an example)
+
+
+## Maturity Checklist
+
+<ArticleChecklist checklist={frontMatter.checklist} title={frontMatter.title} />

docs/bok/Activities/Level-2/License-Management.md

@@ -1,5 +1,5 @@
 ---
-title: License Compliance Management
+title: Open Source Software License Compliance Management
 tags: 
   - CIO (Role)
   - Developer (Role)
@@ -10,6 +10,15 @@ tags:
   - License (Artifact)
 sidebar_position: 2
 sidebar_label: License Management
+checklist:
+  - title: IP Compliance
+    description: There is an automated process in place for managing OSS IP compliance
+  - title: Allow-List
+    description: The organization implements one or more allow-lists for open source licence types
+  - title: License Training
+    description: Internal license compliance training is provided for individuals who require it
+  - title: ISO/IEC 5230:2020
+    description: The firm embeds the OpenChain license compliance standard
 list_image: /img/bok/page-types/activity.png
 ---
 
@@ -146,3 +155,7 @@ Using the correct licenses will form part of License Policy and it will be neces
 - **[A Developer's Guide To Open Source Licenses](https://www.toptal.com/open-source/developers-guide-to-open-source-licenses)**.  Delves into the details of what developers need to know about licenses.
 
 - **[FINOS License Categories](https://community.finos.org/docs/governance/Software-Projects/license-categories)**.  How licenses are categorized for the FINOS Foundation.
+
+## Maturity Checklist
+
+<ArticleChecklist checklist={frontMatter.checklist} title={frontMatter.title} />

docs/bok/Activities/Level-2/Software-Inventory.md

@@ -11,6 +11,19 @@ tags:
   - CVE (Artifact)
   - Repository (Artifact)
 sidebar_position: 1
+checklist:
+  - title: Tracking
+    description: The organisation has a software asset registry
+  - title: Runtime Awareness
+    description: The organisation is aware of the open source software running within it
+  - title: Life-cycle
+    description: Open source components are managed from ingestion through to end-of-life
+  - title: Requirements
+    description: The organisation tracks issues, fixes and versions for each component via an automated process
+  - title: Ownership
+    description: The organisation identifies an owner for each open source component in production
+  - title: Production Support
+    description: The organisation has a plan to support open source components in production
 list_image: /img/bok/page-types/activity.png
 ---
 
@@ -95,3 +108,9 @@ Here are some tools marketed as handling runtime software inventory.  We are int
 
 
 </BoxOut>
+
+
+## Maturity Checklist
+
+<ArticleChecklist checklist={frontMatter.checklist} title={frontMatter.title} />
+

docs/bok/Activities/Level-2/Supply-Chain-Security.md

@@ -14,6 +14,15 @@ tags:
   - Repository (Artifact)
 sidebar_position: 4
 sidebar_label: Security
+checklist:
+  - title: Security Training
+    description: Security training is provided for teams working on open source software
+  - title: Scanning
+    description: The organisation uses code scanning tool to scan and audit software composition
+  - title: Testing
+    description: The organisation performs penetration tests and periodic threat assessment
+  - title: OpenChain 
+    description: The firm embeds the OpenChain supply chain standard
 list_image: /img/bok/page-types/activity.png
 ---
 
@@ -305,3 +314,7 @@ Following [SolarWinds](#example-solar-winds) the US government became concerned
 
  - [OpenChain Security Assurance](../../Artifacts/OpenChain-SecurityAssurance) an ISO Standard from the Linux Foundation.
 
+
+## Maturity Checklist
+
+<ArticleChecklist checklist={frontMatter.checklist} title={frontMatter.title} />

docs/bok/Activities/Level-3/Community-Engagement.md

@@ -9,6 +9,17 @@ sidebar_position: 7
 sidebar_label: Engagement
 authors:
   - name: "Brittany Istenes"
+checklist:
+  - title: Aspiration
+    description: The organisation tracks open source projects it intends to contribute to
+  - title: Community
+    description: The organisation has an open source community manager function
+  - title: Social Media
+    description: The organisation fosters and encourages outreach for visibility of open source projects
+  - title: Measurement
+    description: The organisation measures the effectiveness of community engagement
+  - title: Hosting
+    description: The organization hosts open source repositories on publicly accessible platforms
 list_image: /img/bok/page-types/activity.png
 ---
 
@@ -92,3 +103,7 @@ If you answered yes to many of the questions listed above, you can follow the gu
 - https://opensource.com/article/22/12/open-source-community-management
 - https://www.redhat.com/en/blog/best-practices-community-practice-open-source-way-journey
 
+
+## Maturity Checklist
+
+<ArticleChecklist checklist={frontMatter.checklist} title={frontMatter.title} />

docs/bok/Activities/Level-3/Contribution-Compliance.md

@@ -7,6 +7,17 @@ tags:
   - Compliance (Role)
 sidebar_position: 3
 sidebar_label: Compliance
+checklist:
+  - title: Policy
+    description: The organisation has policies to govern contribution to open source ecosystems
+  - title: Tracking Contribution
+    description: The organisation tracks employee open source contributions irrespective of the classification of the project
+  - title: Contribution Risk Management
+    description: Enterprise risk management processes include open source contribution risks
+  - title: Contribution Risk Appetite
+    description: The balance of open source contribution risks are understood by stakeholders
+  - title: Contribution Efficiency
+    description: Organisational tools and processes don't restrict open source contribution
 list_image: /img/bok/page-types/activity.png
 ---
 
@@ -81,3 +92,8 @@ Your policy is likely to want to mandate staff training so that staff are aware
 In this section we look at some regulations that an open source policy will need to consider, and suggest appropriate controls for complying with each (and _evidencing_ compliance after the fact).
 
 <BokTagList tag="Contribution" filter="Regulations" />
+
+
+## Maturity Checklist
+
+<ArticleChecklist checklist={frontMatter.checklist} title={frontMatter.title} />

docs/bok/Activities/Level-3/Contribution-Training.md

@@ -9,6 +9,9 @@ tags:
   - Operational Risk
 sidebar_position: 4
 sidebar_label: Training
+checklist:
+  - title: Contribution Training
+    description: Staff are provided with training and coverage is measured
 list_image: /img/bok/page-types/activity.png
 ---
 
@@ -209,3 +212,6 @@ Describe procedures for approvals on this.
 
 Describe company policy on this.
 
+## Maturity Checklist
+
+<ArticleChecklist checklist={frontMatter.checklist} title={frontMatter.title} />

docs/bok/Activities/Level-3/Culture.md

@@ -14,6 +14,13 @@ authors:
   - name: Rob Moffat
   - name: Rhyddian Olds
   - name: Andy Smith
+checklist:
+  - title: Promotion
+    description: The organisation promotes and rewards contribution to open source projects
+  - title: Contribution Efficiency
+    description: Organisational processes don't restrict open source contribution
+  - title: InnerSource
+    description: The organisation measures effectiveness of its InnnerSource program
 list_image: /img/bok/page-types/activity.png
 ---
 
@@ -205,3 +212,8 @@ source program that engages with the broader community helps to support an organ
 efforts to scale its open source ecosystem. Engaging with the open source community in a
 variety of ways helps to foster developer relations and encourage collaboration between
 organizations in the broader open source community.
+
+
+## Maturity Checklist
+
+<ArticleChecklist checklist={frontMatter.checklist} title={frontMatter.title} />

docs/bok/Activities/Level-3/Making-The-Case.md

@@ -258,3 +258,7 @@ One argument against [having an OSPO](../Level-2/Creating-An-OSPO) is the cost.
 
 </BoxOut>
 
+
+## Maturity Checklist
+
+<ArticleChecklist checklist={frontMatter.checklist} title={frontMatter.title} />

docs/bok/Activities/Level-3/Public-Development.md

@@ -6,6 +6,11 @@ tags:
   - Placeholder
 sidebar_position: 1
 sidebar_label: Public Development
+checklist:
+  - title: Contribution
+    description: The organisation contributes to existing open source projects
+  - title: Recognition
+    description: The organisation recognises employees contributing in their own time
 list_image: /img/bok/page-types/activity.png
 ---
 
@@ -60,6 +65,11 @@ One of the common misconceptions of open source software is that the only way to
 - Improving docs
 - Triage / reproduce issues
 - Project Management
+- Perform tests, write tests
+- Improve UI
+- Graphics 
+- Marketing
+- Localisation
 - Performing / writing tests
 - Improving UI
 - Creating graphics 
@@ -71,3 +81,7 @@ One of the common misconceptions of open source software is that the only way to
 Many forms of contribution will require use of a Pull Request - a request to pull your proposed changes (to code, docs, etc.) into the repository. While GitHub provides some documentation on [how to create a pull request](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request), effective pull requests communicate their purpose.
 
 Keavy McMinn wrote a post on the GitHub blog in 2015 on [How to write the perfect Pull Request](https://github.blog/2015-01-21-how-to-write-the-perfect-pull-request/), based on thoughtbot's [code review guide](https://github.com/thoughtbot/guides/tree/main/code-review). Both are great resources to help open source contributors and maintainers communicate about proposed changes.
+
+## Maturity Checklist
+
+<ArticleChecklist checklist={frontMatter.checklist} title={frontMatter.title} />