• Communicate policies throughout your entire organization. "It can't be just in IT, because you might have people in other departments downloading it," Driver says.
He and his colleagues see value in open source -- it's free, flexible and adaptable. But they're also aware of the challenges involved in maintaining it. Phillips, who is active in the Society for Information Management, says it's tough to determine when to contribute changes to the open-source community, when to make updates and patches, and when to pay for support services.
To balance the risks and rewards, Phillips says his IT department has decided to steer clear of open source for core systems, such as those running student registration, financials and human resources, unless the university can buy support contracts for it. On the other hand, Phillips says open-source software supports the high-speed innovation that IT needs for a growing body of applications, such as mobile tools.
And when open source is in the picture, governance is essential, he says. The university's information security office reviews open source code proposed for use to ensure that it's secure and that the university meets the licensing terms. The project management office tracks the code, following the ITIL standards set up by the software development office. Programmers must document what they use where and what modifications are made.
"We use our own protocols. We document what we did, what we used, give proper attribution. We have approved programming standards," says Phillips, adding that staffers are asked to share any new code they write with the open-source community.
Fordham's IT department tracks all of its software using Subversion, an open-source version-control tool. Phillips says he can't point to any specific problem that has been avoided to prove that such attention pays off. "But I'm sure we will," he says. "Already it's proved itself in that we know when people are working on the wrong version of software."
Mitigating the technical risks posed by open-source software is one reason IT has to do a better job of governing it. Making sure the organization complies with all licensing and legal requirements is another, Asay says.
Asay says some developers might still think that "open source" means "in the public domain" and that using open source code won't infringe on anyone's intellectual property rights. But, in fact, open-source software comes with copyright protection, and licenses specify how the code can be used.
There are numerous open-source licenses, with the GNU General Public License being the most widely used. The licenses generally specify if or when you have to publicly disclose the code's use, attribute it, and/or contribute changes and modifications back to the community from whence the code came.
Sign up for MIS Asia eNewsletters.