[Governance] Compliance Committee?

Joerg Stephan joerg.stephan at owasp.org
Mon Dec 8 22:22:51 UTC 2014


Yep, that was the clarification :-)

So, now, spare time followers of this list (like me), can follow that idea

My 2 cents on this topic,
I think it is a great idea, in general; the strange and sad part is just that
this idea is driven by the problem that Martin (sorry, let's say: one
person) can't handle all problems we faced this year alone. I know that
Martin does a great job, but for the future this duty, and I really think
it's a huge responsibility, should be carried by more people.
As the board, if I got it right, appoints this particular person, I think
the best idea would be that the board just appoints a "Head of..." and two


On Mon, Dec 8, 2014 at 11:10 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Joerg,
> Sure, not a problem.  To understand what we are talking about, let me
> start with how we handle any issues that may arise today.  At the beginning
> of each year, the OWASP Board of Directors appoints a Compliance Officer as
> is specified by our current Whistleblower Policy (
> https://www.owasp.org/index.php/Governance/Whistleblower_Policy).  This
> person is supposed to be someone who is not currently serving on the Board
> of Directors so that they can evaluate any issues that arise as a trusted,
> but unbiased, advisor to the Board and Executive Director.  Martin is our
> current Compliance Officer and we have entrusted him to independently
> investigate and report on a number of situations like those that are
> mentioned here (
> http://owasp.blogspot.com/2014/10/report-of-complaint-against-owasp-board.html).
> The problem is that Martin is just one person and this is purely a
> volunteer role.  We've had a large number of these investigations this year
> that he's handled and it's become quite overwhelming.  In order to avoid
> long delays due to the overwhelming work load and to add additional
> objectivity into the mix, the idea was proposed of having this Compliance
> Officer role filled by a committee instead of an individual.  The jury is
> still out (pun somewhat intended) on what exactly that means, but that's
> why I put it out there for discussion.
> One of the platforms that I ran on for the OWASP Board elections was my
> desire to return power back to the people of OWASP.  The resurrection of
> the OWASP Committees (
> http://owasp.blogspot.com/2014/07/owasp-committees-20.html) was a step in
> the right direction, IMHO, and having a separate group of individuals (a
> committee) whose role it is to handle concerns of ethics violations,
> problems between staff, Board, and members, etc is another step in the
> direction of creating checks and balances for our organization.  Thus, I'm
> putting it out there for others to comment on and help to shape the future
> of OWASP Governance.  Does that help to explain what a "Compliance
> Committee" is about?
> ~josh
> On Mon, Dec 8, 2014 at 3:49 PM, Joerg Stephan <joerg.stephan at owasp.org>
> wrote:
>> Hey Josh,
>> thanks for sharing this.
>> May I ask, cause I really don't get it, what this "Compliance Committee"
>> is all about?
>> From the points above I understand that there should be rules how to get
>> the "membership", but I can't imagine what the theme of the party is.
>> Kind regards
>> Joerg
>> On Mon, Dec 8, 2014 at 10:40 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> Martin recently sent a message to some members of the Board proposing
>>> the idea of a Compliance Committee (see below).  I think this is a great
>>> idea and want to support it, but feel that this is a discussion that should
>>> be had in public on our Governance list.  Martin agreed and so I'm putting
>>> this out here to see how others feel.  He's got a host of excellent
>>> questions in his original message that definitely require some deep
>>> thoughts about how we want this process to work.  Is there somebody from
>>> our community who feels particularly passionate about the idea of a
>>> Compliance Committee and would like to take the lead here?
>>> ~josh
>>> ---------- Forwarded message ----------
>>> From: Martin Knobloch <martin.knobloch at owasp.org>
>>> Date: Mon, Nov 17, 2014 at 3:42 AM
>>> Subject: Re: Compliance committee
>>> To: Jim Manico <jim.manico at owasp.org>, Fabio Cerullo <fcerullo at owasp.org>,
>>> Josh Sokol <josh.sokol at owasp.org>
>>> Hi Jim,
>>> We have discussed a 'Compliant Committee' (or whatever to call it)
>>> previously via email and at the AppSec-EU and US.
>>> In general, I am in favor of such a committee, but there is a lot to
>>> think about:
>>> Due to the different nature (responsibilities), the membership of the
>>> committee cannot be open as for the other committees
>>> - therefore, we have to decide, can people apply or should the members
>>> be nominated?
>>> - nomination, application handled by whom?
>>> - screening of nominated / elected members?
>>> - time / expiration of committee 'membership'
>>> Whistle-blower policy (and other regulations):
>>> - what are the implications / are there any changes needed in relation
>>> to the current (and currently updated) policies?
>>> - More guidelines, in short term some overhead, would be needed
>>> I can think of more, when given more time.
>>> Again, I am in favor of this, but it has to be done right from the
>>> beginning!
>>> Cheers,
>>> -martin
>>> _______________________________________________
>>> Governance mailing list
>>> Governance at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/governance