A Five-Step Compliance Process for FOSS Identification and Review