Organizational Output Best Practice
This is a completed example of three outputs generated by the organization-designer agent.
Use it to check for missing items by comparing it with the files in your output/organization/ directory.
Go to reference: Organization Chapter Guide
Define open source roles and responsibilities
Document: role-definition.md
- Company Name: Tech Unicorn
- Written date: 2026-03-23
- Author: DevOps Team Open Source Manager
Related Standards
- 5230 §3.1.2.1·§3.1.2.2
- 18974 §4.1.2.1·§4.1.2.2·§4.1.2.3
1. List of open source program roles
| Role | Contact person/department | Key Responsibilities |
|---|---|---|
| Open source representative | DevOps Team (1 person concurrently) | Establishing policies, reviewing licenses, responding to external inquiries |
| Security Officer | Security Team | CVE Scan, vulnerability response |
| Legal Affairs | Legal Team | Licensing disputes, legal advice |
| Development team representative | Development Team (Representative of each department) | Process Compliance, SBOM Update |
2. Required competencies for each role
| Role | Required Competencies |
|---|---|
| Open source representative | Open source licensing basics, SBOM tool operation, understanding OpenChain standards |
| Security Officer | Understanding CVE/CVSS, operating vulnerability analysis tools, patch management |
| Legal Affairs | Open source licensing legal obligations, contract review |
| Development team representative | Authorization Process, SBOM Creation Tool Basics |
3. Channel for receiving external inquiries
Related Standards
- 5230 §3.2.1.1
- 18974 §4.2.1.1
- License compliance inquiries: opensource@sktelecom.com
- Report security vulnerability: security@sktelecom.com
- Response Program Manager: DevOps Team Open Source Program Manager
- Target response time: Within 5 business days
4. How to approach legal advice
Related Standards
- 5230 §3.2.2.3
- Internal Legal Team: Yes
- How to utilize external legal affairs: After initial review by the internal legal team, link with an external law firm if necessary
5. Vulnerability remediation expertise
Related Standards
- 18974 §4.2.2.3
- Responsible Organization: Security Team
- External resources available: KrCERT support, external security consulting (if required)
6. Best Practice Conformance Verification Representative
Related Standards
- 18974 §4.1.2.6
- Verification Manager: DevOps Team Open Source Manager
- Review cycle: Once a year
- First review date: 2026-12-31
7. Scaling options by organization size (optional)
As the size of the organization grows and open source management becomes more complex, consider additional governance structures below.
- OSRB (Open Source Review Board): A committee that handles licensing, security, contribution, and disclosure approval. It is comprised of open source staff, legal affairs, security, and development representatives, and convenes once a month or when an issue arises.
- OSPO (Open Source Program Office): An organization dedicated to open source strategy and governance. Consider formal organization when there are three or more dedicated personnel.
Open source RACI matrix
Document: raci-matrix.md
- Company Name: Tech Unicorn
- Written date: 2026-03-23
Related Standards
- 5230 §3.2.2.1·§3.2.2.2·§3.2.2.4
- 18974 §4.2.2.1·§4.2.2.2·§4.2.2.4
R=Responsible, A=Accountable, C=Consulted, I=Informed
RACI matrix
| Work | Open source representative | Development Team | Security Team | Legal | Management |
|---|---|---|---|---|---|
| Review and approval for open source use | A | R | C | C | I |
| License Compliance Review | R | C | I | C | I |
| SBOM creation and management | A | R | I | I | I |
| Vulnerability scanning and response | C | R | R | I | I |
| Policy establishment and renewal | R | C | C | C | A |
| Education program operation | R | I | I | I | I |
| Response to external licensing inquiries | R | C | I | C | I |
| Response to reports of external security vulnerabilities | C | I | R | I | I |
| Self-certification declaration | R | I | C | C | A |
Person in charge by role
Related Standards
- 5230 §3.2.2.1·§3.2.2.2
| Role | Contact name | Department | Email | Dedicated/Concurrent Position |
|---|---|---|---|---|
| Open source representative | (Enter the person in charge) | DevOps Team | opensource@sktelecom.com | Concurrent position |
| Development team representative | (Enter the name of the person in charge) | Development Team | (Enter email) | Concurrent position |
| Security Officer | (Enter the name of the person in charge) | Security Team | security@sktelecom.com | Concurrent position |
| Legal Affairs | (Enter the name of the person in charge) | Legal Team | (Enter email) | Dedicated |
Budget allocation status
Related Standards
- 5230 §3.2.2.2
- 18974 §4.2.2.2
| Item | Status |
|---|---|
| Deployment of dedicated personnel | 1 concurrent position (DevOps team) |
| Open source tool budget | (Fill in after confirmation) |
| Legal Advisory Budget | Available (operated by internal legal team) |
| External training budget | (Fill in after confirmation) |
Non-Compliance Case Review Procedure
Related Standards
- 5230 §3.2.2.5
In case of license non-compliance:
- The person in charge identifies and records the non-compliance
- Assess the level of violation through consultation with the legal team
- Establish a corrective action plan (license replacement, source code disclosure, etc.)
- Re-examine according to the output/process/usage-approval.md process
- Supplement policies/processes to prevent recurrence
Internal Responsibility Assignment Procedure
Related Standards
- 5230 §3.2.2.4
- 18974 §4.2.2.4
When new open source-related work occurs:
- The open source manager defines the work details
- Assign personnel based on the RACI matrix
- Update role-definition.md and this document