Organizational structure: Designating open source personnel and defining roles
1. What we do in this chapter
This chapter designates the open source management personnel and documents their roles and responsibilities.
When you run the organization-designer agent, the three outputs below are generated automatically.
- output/organization/role-definition.md — Role definition for each person in charge
- output/organization/raci-matrix.md — Activity-specific responsibility (RACI) matrix
- output/organization/appointment-template.md — Contact person appointment template
This step corresponds to ISO/IEC 5230 G1.3 (3.1.2), G2.1 (3.2.2) and G2.2 (3.2.1), and to the equivalent ISO/IEC 18974 requirements.
2. Why designating a person in charge comes first
Open source management is an activity that requires decision making. "Can we use this library?", "How do we respond to this vulnerability?": somebody has to answer these questions. If nobody is responsible, there is no policy, and the process does not actually work either.
That is why the standard requires the designation of a person in charge before anything else. Without an organization, all subsequent activities fall into disarray.
In actual open source dispute cases, the consequences of not having a person in charge are concrete:
- GPL license violation: Since there is no one to respond, the organization is left exposed to litigation risk. Because nobody has decided who will release the source code or who will handle the legal response, the golden time for a response is lost.
- CVE vulnerability announcement: Responses are delayed by weeks because the affected components in the company's products cannot be identified. Without an SBOM and a person in charge, the issue is recognized late.
- Customer request for an SBOM: SBOM submission clauses are increasingly included in contracts. Without a person in charge and a process, submission itself is impossible, which disrupts the contract.
3. Roles required by the standard
ISO/IEC 5230 and ISO/IEC 18974 require two things in common:
- Designate a person in charge (G1.3 / 3.1.2): The person or group responsible for managing the open source program must be clearly identified.
- External inquiry receiving channel (G2.2 / 3.2.1): There must be a formal channel to receive requests for fulfillment of license obligations and reports of vulnerabilities.
To meet both standards, the roles of OSPM (Open Source Program Manager), legal affairs, security officer and development representative are required.
Detailed responsibilities and required competencies for each role are defined in [KWG Open Source Guide — Organization](https://openchain-project.github.io/OpenChain-KWG/guide/opensource_for_enterprise/1-teams/).
External inquiry receiving channel (G2.2 requirement)
You must specify an official email address or channel to receive requests for fulfillment of license obligations and vulnerability reports. This is an explicit requirement of the standard and is as important as designating a person in charge.
Example:
- opensource@company.com — External inquiries regarding licensing
- security@company.com — Receiving vulnerability reports
For a small organization, integrating the two channels and operating them under a single address is also a realistic option.
Contribution and project disclosure contact person (G3L.6 / §3.5.1)
If you plan to contribute to an external open source project or release an internal project as open source, you need to add the roles below to your RACI matrix:
| Activities | Primary Contact | Approver |
|---|---|---|
| Executing open source contribution activities | Development representative (R) | OSPM (A) |
| Public release review of in-house projects | Development representative (R) | OSPM, Legal Affairs (A) |
| Comprehensive response to external license and security inquiries | OSPM (R) | — |
Gather evidence for periodic review (ISO/IEC 18974 §4.1.2.5, §4.1.2.6)
ISO/IEC 18974 requires a periodic review of the open source program and evidence that it conforms to internal best practices. During initial certification, partial fulfillment is permitted by establishing a review plan; at renewal certification (18 months later) the requirement must be fully satisfied with an actual review history.
role-definition.md must contain the following:
- Designated reviewer
- Review cycle (once a year is recommended)
- Review history table (initially written as a blank row, filled in at renewal)
4. Realistic composition plan by company size
| Scale | Structure plan | Minimum number of people | Recommended |
|---|---|---|---|
| Startup / small (fewer than 10 developers) | One person holds the OSPM, legal and security positions | 1 person | CTO or a senior developer in charge |
| Small business (10 to 100 people) | 1 person dedicated to OSPM; legal affairs and security as concurrent positions | 2 to 3 people | Use external advice for legal affairs |
| Medium / large enterprise (100 or more people) | Form a dedicated team with separation by role | 4 or more people | Officially established OSPO |
Important: It is fine for roles to overlap in a small organization. What matters is being clear about who is responsible.
5. Hands-on exercise
Interact with the agent and create the organizational artifacts.
- Read this article and understand the concept of roles.
- Decide on a composition plan that suits your company's size and situation (see section 4).
- Run the agent:
Check before execution: terminate the current Claude session first (/exit or Ctrl+C), then run the commands below in a new terminal.
cd agents/02-organization-designer
claude
When the Claude prompt opens, type 시작 (Korean for "start"). The agent asks the six questions in order.
Agent conversation example
Below is an example of a conversation flow with the actual agent. When the user enters 시작, the process goes like this.
Agent guidance message:
Hello! This is an agent that creates the organization/personnel outputs. If you answer 6 questions, 3 deliverable files will be created automatically.
Question 1/5 — Please tell us your company name and department name.
Sample answer: Techstart Co., Ltd., Development Team
Question 2/5 — How many developers are there in total?
Sample answer: 50 people
Question 3/5 — Is there a staff member dedicated to open source work? (Concurrent duties / 1 person in charge / 2 to 5 people / 5 or more people)
Sample answer: Concurrent duties
Question 4/5 — Do you have legal advice? (None / Own legal team / Use of an external law firm)
Sample answer: Use of an external law firm
Question 5/5 — Do you have security team advice? (None / Own security team / Use of external security consulting)
Sample answer: None
Question 6/6 — Do you plan to contribute to external open source projects or release internal projects as open source? (Contribution only / Release only / Both / None)
Sample answer: None
Example of output upon completion:
| File | Content |
|---|---|
| output/organization/role-definition.md | Role and responsibility definitions, external inquiry channel |
| output/organization/raci-matrix.md | RACI matrix, person in charge by role |
| output/organization/appointment-template.md | Officer appointment letter template |
Items that require manual entry:
- Contact person's actual name
- Development team representative email
- Open source tools and education budget status
- Answer the six questions from the agent:
- Company name and department name
- Total number of developers
- Dedicated staff size (Concurrent duties / 1 person in charge / 2 to 5 people / 5 or more people)
- Legal advice available (None / Own legal team / Use of an external law firm)
- Security team consultation (None / Own security team / Use of external security consulting)
- Whether there is a plan to contribute or release
- Confirm that output/organization/ has been created.
Upon completing the exercise, the three files below will have been created.
Created files:
- output/organization/role-definition.md
- output/organization/raci-matrix.md
- output/organization/appointment-template.md
Items that must be included in the files:
- Open source contact name and contact information
- Definition of responsibilities by role (R/A/C/I)
- External license inquiry and vulnerability reporting channel (email)
In the generated files, make sure placeholders such as {assignee name} and {email address} are replaced with actual values.
Completing this exercise satisfies the requirements below:
ISO/IEC 5230
| Item ID | Requirements | Self-certification checklist |
|---|---|---|
| 3.1.2 | Defining Contact Persons and Roles | Do you have documented roles and responsibilities for your open source program? |
| 3.2.1 | External inquiry reception channel | Do you have a publicly visible contact method for open source compliance inquiries? |
| 3.2.2 | Role/Responsibility Matrix | Do you have a process for reviewing and remediating open source license obligations? |
ISO/IEC 18974
| Item ID | Requirements | Self-certification checklist |
|---|---|---|
| 4.1.2 | Define security personnel and roles | Do you have documented roles and responsibilities for your open source security assurance program? |
| 4.2.1 | External vulnerability reporting channel | Do you have a publicly visible contact method for open source vulnerability reporting? |
| 4.2.2 | Security Role/Responsibility Matrix | Do you have a process for assigning responsibilities for handling open source security vulnerabilities? |
6. Example of generated output
role-definition.md sample
## Open Source Program Manager (OSPM)
**Program Manager**: Hong Gil-dong (Senior Engineer, Development Team)
**Contact**: opensource@example.com
### Key Responsibilities
- Approve and review open source usage
- Maintain policy documents
- Receive and respond to external inquiries
raci-matrix.md sample
| Activities | OSPM | Legal | Security | Development |
|---|---|---|---|---|
| Approval for use of open source | R, A | C | C | I |
| License review | A | R | I | C |
| Response to CVE vulnerabilities | A | I | R | C |
| Create SBOM | A | I | C | R |
(R = Responsible, performs the work; A = Accountable, holds final responsibility; C = Consulted; I = Informed)
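The two checks a reviewer would want to run on these outputs are, first, that every activity in raci-matrix.md has exactly one Accountable role and at least one Responsible role (the "be clear about who is responsible" rule from section 4), and second, that no {placeholder} from the generated files is still unfilled and that a contact email is present (the manual-entry items listed in section 5). The script below is an added example written for this page, not part of the organization-designer agent or its outputs; the two markdown samples embedded in it are constructed to mirror the layout shown above, and the file names in the usage note are the ones this chapter generates.

```python
import re
import sys

# Constructed sample modelled on the raci-matrix.md layout shown above (not a generated file).
# The last row deliberately has no "A" so the check has something to report.
SAMPLE_RACI = """\
| Activities | OSPM | Legal | Security | Development |
|---|---|---|---|---|
| Approval for use of open source | R, A | C | C | I |
| License review | A | R | I | C |
| Response to CVE vulnerabilities | A | I | R | C |
| Create SBOM | A | I | C | R |
| Periodic program review | C | I | I | R |
"""

# Constructed sample modelled on the role-definition.md layout, with one placeholder left unfilled.
SAMPLE_ROLE_DEFINITION = """\
## Open Source Program Manager (OSPM)
**Program Manager**: {assignee name}
**Contact**: opensource@example.com
"""

PLACEHOLDER = re.compile(r"\{[^{}\n]+\}")          # matches {assignee name}, {email address}, ...
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")    # loose check that some contact address exists
VALID_CODES = {"R", "A", "C", "I"}


def parse_markdown_table(text):
    """Return (header, rows) from a pipe-delimited markdown table; the |---| separator row is dropped."""
    lines = [line.strip() for line in text.splitlines() if line.strip().startswith("|")]
    cells = [[c.strip() for c in line.strip("|").split("|")] for line in lines]
    header, body = cells[0], cells[1:]
    rows = [r for r in body if not all(re.fullmatch(r":?-+:?", c) for c in r)]
    return header, rows


def check_raci(text):
    """Return a list of findings; an empty list means every activity has exactly one A and at least one R."""
    header, rows = parse_markdown_table(text)
    roles = header[1:]
    findings = []
    for row in rows:
        activity, assignments = row[0], row[1:]
        holders = {}  # code -> list of roles carrying it, e.g. {"A": ["OSPM"], "C": ["Legal", "Security"]}
        for role, cell in zip(roles, assignments):
            for code in re.split(r"[,/\s]+", cell):
                if code:
                    holders.setdefault(code.upper(), []).append(role)
        accountable = holders.get("A", [])
        if len(accountable) != 1:
            who = ", ".join(accountable) or "none"
            findings.append(f"{activity}: expected exactly one A, found {len(accountable)} ({who})")
        if not holders.get("R"):
            findings.append(f"{activity}: no R, nobody performs the work")
        unknown = sorted(set(holders) - VALID_CODES)
        if unknown:
            findings.append(f"{activity}: unknown RACI codes {unknown}")
    return findings


def unfilled_placeholders(text):
    """Return the distinct {placeholder} tokens that were never replaced with real values."""
    return sorted(set(PLACEHOLDER.findall(text)))


def has_contact_email(text):
    """True if at least one email address appears, i.e. the external inquiry channel is filled in."""
    return EMAIL.search(text) is not None


def audit(raci_text, role_text):
    """Combine both checks into one report: list of problems (empty means the outputs are complete)."""
    problems = check_raci(raci_text)
    problems += [f"unfilled placeholder {p}" for p in unfilled_placeholders(role_text)]
    if not has_contact_email(role_text):
        problems.append("no contact email found in role definition")
    return problems


if __name__ == "__main__":
    # With no arguments the embedded samples are audited; pass the two generated files to audit them instead.
    if len(sys.argv) == 3:
        raci_text = open(sys.argv[1], encoding="utf-8").read()
        role_text = open(sys.argv[2], encoding="utf-8").read()
    else:
        raci_text, role_text = SAMPLE_RACI, SAMPLE_ROLE_DEFINITION
    for problem in audit(raci_text, role_text) or ["OK: RACI consistent, placeholders filled"]:
        print(problem)
```

Run it as `python raci_audit.py output/organization/raci-matrix.md output/organization/role-definition.md` after the agent has produced the files; with no arguments it audits the embedded samples and reports the missing A on the review row and the unfilled {assignee name}. The "exactly one A" rule is the standard RACI convention and is what makes the matrix usable when a GPL notice or a CVE arrives: a row with zero or two Accountable entries is exactly the ambiguity section 2 warns about.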
7. Completion confirmation checklist
- output/organization/role-definition.md created
- output/organization/raci-matrix.md created
- output/organization/appointment-template.md created
- Open source contact name and contact information defined
- External inquiry email/channel specified
📋 You can check the actual format of the generated files in Example of output: Organizational Output Best Practices.
8. Next steps
Once you have finished setting up the organization, move on to establishing the open source policy.
Terminate the current Claude session first (/exit or Ctrl+C), then run the commands below in a new terminal.
cd agents/03-policy-generator
claude
Alternatively, you can go to Establishment of open source policy: The first step to legal protection and read the policy chapter first before proceeding.