An open source security policy should be set up no differently than any other security strategy and policy. Document the environment, assess the risks, design and implement controls to mitigate the risks, and monitor and actively manage your environment.
You should take into consideration the issues I raised in this answer to another question. These may reveal some additional risks. A risk that is present for open source software, but possibly not found in commercial software, is a potential lack of support or patches to fix issues.
This was first published in November 2005