[Governance] Compliance Committee?

Tobias tobias.gondrom at owasp.org
Tue Dec 9 09:32:06 UTC 2014

I agree with Josh's proposal and would very much like to encourage that.
Two small questions:
1. feedback and thoughts?
2. any volunteers?
Best wishes, Tobias

On 09/12/14 06:10, Josh Sokol wrote:
> Joerg,
> Sure, not a problem.  To understand what we are talking about, let me 
> start with how we handle any issues that may arise today.  At the 
> beginning of each year, the OWASP Board of Directors appoints a 
> Compliance Officer as is specified by our current Whistleblower Policy 
> (https://www.owasp.org/index.php/Governance/Whistleblower_Policy). 
> This person is supposed to be someone who is not currently serving on 
> the Board of Directors so that they can evaluate any issues that arise 
> as a trusted, but unbiased, advisor to the Board and Executive 
> Director.  Martin is our current Compliance Officer and we have 
> entrusted him to independently investigate and report on a number of 
> situations like those that are mentioned here 
> (http://owasp.blogspot.com/2014/10/report-of-complaint-against-owasp-board.html). 
> The problem is that Martin is just one person and this is purely a 
> volunteer role.  We've had a large number of these investigations this 
> year that he's handled and it's become quite overwhelming.  In order 
> to avoid long delays due to the overwhelming work load and to add 
> additional objectivity into the mix, the idea was proposed of having 
> this Compliance Officer role filled by a committee instead of an 
> individual. The jury is still out (pun somewhat intended) on what 
> exactly that means, but that's why I put it out there for discussion.
> One of the platforms that I ran on for the OWASP Board elections was 
> my desire to return power back to the people of OWASP.  The 
> resurrection of the OWASP Committees 
> (http://owasp.blogspot.com/2014/07/owasp-committees-20.html) was a 
> step in the right direction, IMHO, and having a separate group of 
> individuals (a committee) whose role it is to handle concerns of 
> ethics violations, problems between staff, Board, and members, etc is 
> another step in the direction of creating checks and balances for our 
> organization.  Thus, I'm putting it out there for others to comment on 
> and help to shape the future of OWASP Governance.  Does that help to 
> explain what a "Compliance Committee" is about?
> ~josh
> On Mon, Dec 8, 2014 at 3:49 PM, Joerg Stephan <joerg.stephan at owasp.org> wrote:
>     Hey Josh,
>     thanks for sharing this.
>     May I ask, cause I really don't get it, what this "Compliance
>     Committee" is all about?
>     From the points above I understand that there should be rules how
>     to get the "membership", but I can't imagine what the theme of
>     the party is.
>     Kind regards
>     Joerg
>     On Mon, Dec 8, 2014 at 10:40 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>         Martin recently sent a message to some members of the Board
>         proposing the idea of a Compliance Committee (see below).  I
>         think this is a great idea and want to support it, but feel
>         that this is a discussion that should be had in public on our
>         Governance list. Martin agreed and so I'm putting this out
>         here to see how others feel.  He's got a host of excellent
>         questions in his original message that definitely require some
>         deep thoughts about how we want this process to work.  Is
>         there somebody from our community who feels particularly
>         passionate about the idea of a Compliance Committee and would
>         like to take the lead here?
>         ~josh
>         ---------- Forwarded message ----------
>         From: *Martin Knobloch* <martin.knobloch at owasp.org>
>         Date: Mon, Nov 17, 2014 at 3:42 AM
>         Subject: Re: Compliance committee
>         To: Jim Manico <jim.manico at owasp.org>, Fabio Cerullo
>         <fcerullo at owasp.org>, Josh Sokol <josh.sokol at owasp.org>
>         Hi Jim,
>         We have discussed a 'Compliant Committee' (or whatever to call
>         it) previously via email and at the AppSec-Eu and US.
>         In general, I am in favor of such a committee, but there is a
>         lot to think about:
>         Due to the different nature (responsibilities), the membership
>         of the committee cannot be open as for the other committees
>         - therefore, we have to decide, can people apply or should the
>         members be nominated?
>         - nomination, application handled by whom?
>         - screening of nominated / elected members?
>         - time / expiration of committee 'membership'
>         Whistle-blower policy (and other regulations):
>         - what are the implications / are there any changes needed in
>         relation to the current (and currently updated) policies?
>         - More guidelines, in short term some overhead, would be needed
>         I can think of more, when given more time.
>         Again, I am in favor of this, but it has to be done right from
>         the beginning!
>         Cheers,
>         -martin
>         _______________________________________________
>         Governance mailing list
>         Governance at lists.owasp.org
>         https://lists.owasp.org/mailman/listinfo/governance
