[Governance] Compliance Committee?

Josh Sokol josh.sokol at owasp.org
Mon Dec 8 22:10:18 UTC 2014


Sure, not a problem.  To understand what we are talking about, let me start
with how we handle any issues that may arise today.  At the beginning of
each year, the OWASP Board of Directors appoints a Compliance Officer as is
specified by our current Whistleblower Policy (
https://www.owasp.org/index.php/Governance/Whistleblower_Policy).  This
person is supposed to be someone who is not currently serving on the Board
of Directors so that they can evaluate any issues that arise as a trusted,
but unbiased, advisor to the Board and Executive Director.  Martin is our
current Compliance Officer and we have entrusted him to independently
investigate and report on a number of situations like those that are
mentioned here (
The problem is that Martin is just one person and this is purely a
volunteer role.  We've had a large number of these investigations this year
that he's handled and it's become quite overwhelming.  In order to avoid
long delays due to the overwhelming work load and to add additional
objectivity into the mix, the idea was proposed of having this Compliance
Officer role filled by a committee instead of an individual.  The jury is
still out (pun somewhat intended) on what exactly that means, but that's
why I put it out there for discussion.

One of the platforms that I ran on for the OWASP Board elections was my
desire to return power back to the people of OWASP.  The resurrection of
the OWASP Committees (
http://owasp.blogspot.com/2014/07/owasp-committees-20.html) was a step in
the right direction, IMHO, and having a separate group of individuals (a
committee) whose role it is to handle concerns of ethics violations,
problems between staff, Board, and members, etc is another step in the
direction of creating checks and balances for our organization.  Thus, I'm
putting it out there for others to comment on and help to shape the future
of OWASP Governance.  Does that help to explain what a "Compliance
Committee" is about?


On Mon, Dec 8, 2014 at 3:49 PM, Joerg Stephan <joerg.stephan at owasp.org>

> Hey Josh,
> thanks for sharing this.
> May I ask, cause I really don`t get it, what this "Compliance Comittee" is
> all about?
> From the points above I understand that there should be rules how to get
> the "membership" , but I can`t imagine what the theme of the party is.
> Kind regards
> Joerg
> On Mon, Dec 8, 2014 at 10:40 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> Martin recently sent a message to some members of the Board proposing the
>> idea of a Compliance Committee (see below).  I think this is a great idea
>> and want to support it, but feel that this is a discussion that should be
>> had in public on our Governance list.  Martin agreed and so I'm putting
>> this out here to see how others feel.  He's got a host of excellent
>> questions in his original message that definitely require some deep
>> thoughts about how we want this process to work.  Is there somebody from
>> our community who feels particularly passionate about the idea of a
>> Compliance Committee and would like to take the lead here?
>> ~josh
>> ---------- Forwarded message ----------
>> From: Martin Knobloch <martin.knobloch at owasp.org>
>> Date: Mon, Nov 17, 2014 at 3:42 AM
>> Subject: Re: Compliance committee
>> To: Jim Manico <jim.manico at owasp.org>, Fabio Cerullo <fcerullo at owasp.org>,
>> Josh Sokol <josh.sokol at owasp.org>
>> Hi Jim,
>> We have discussed a 'Compliant Committee'  (or whatever to call it)
>> previously via email and at the AppSec-Eu and US.
>> In general, I am in favor of such a committee, but there is a lot to
>> think about:
>> Due to the different nature (responsibilities), the membership of the
>> committee cannot be open as for the other committees
>> - therefore, we have to decide, can people apply or should the members be
>> nominated?
>> - nomination, application handled by whom?
>> - screening of nominated / elected members?
>> - time / expiration of committee 'membership'
>> Whistle-blower  policy (and other regulations):
>> - what are the implications / are there any changes needed in relation to
>> the current (and currently updated) policies?
>> - More guidelines, in short term some overhead, would be needed
>> I can think of more, when given more time.
>> Again, I am in favor of this, but it has to be done right form the
>> beginning!
>> Cheers,
>> -martin
>> _______________________________________________
>> Governance mailing list
>> Governance at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/governance
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/governance/attachments/20141208/ef796016/attachment-0001.html>

More information about the Governance mailing list