[Governance] Compliance Committee?

Bev Corwin bev.corwin at owasp.org
Tue Dec 9 13:00:10 UTC 2014

Dear Martin,

Could you kindly help me understand / clarify what you mean by "cannot be
open" in your previous email? Thanks!

Best wishes,

On Tue, Dec 9, 2014 at 4:32 AM, Tobias <tobias.gondrom at owasp.org> wrote:

>  I agree with Josh's proposal and would very much like to encourage that.
> Two small questions:
> 1. feedback and thoughts?
> 2. any volunteers?
> Best wishes, Tobias
> On 09/12/14 06:10, Josh Sokol wrote:
>  Joerg,
> Sure, not a problem.  To understand what we are talking about, let me
> start with how we handle any issues that may arise today.  At the beginning
> of each year, the OWASP Board of Directors appoints a Compliance Officer as
> is specified by our current Whistleblower Policy (
> https://www.owasp.org/index.php/Governance/Whistleblower_Policy).  This
> person is supposed to be someone who is not currently serving on the Board
> of Directors so that they can evaluate any issues that arise as a trusted,
> but unbiased, advisor to the Board and Executive Director.  Martin is our
> current Compliance Officer and we have entrusted him to independently
> investigate and report on a number of situations like those that are
> mentioned here (
> http://owasp.blogspot.com/2014/10/report-of-complaint-against-owasp-board.html).
> The problem is that Martin is just one person and this is purely a
> volunteer role.  We've had a large number of these investigations this year
> that he's handled and it's become quite overwhelming.  In order to avoid
> long delays due to the overwhelming work load and to add additional
> objectivity into the mix, the idea was proposed of having this Compliance
> Officer role filled by a committee instead of an individual.  The jury is
> still out (pun somewhat intended) on what exactly that means, but that's
> why I put it out there for discussion.
> One of the platforms that I ran on for the OWASP Board elections was my
> desire to return power back to the people of OWASP.  The resurrection of
> the OWASP Committees (
> http://owasp.blogspot.com/2014/07/owasp-committees-20.html) was a step in
> the right direction, IMHO, and having a separate group of individuals (a
> committee) whose role it is to handle concerns of ethics violations,
> problems between staff, Board, and members, etc is another step in the
> direction of creating checks and balances for our organization.  Thus, I'm
> putting it out there for others to comment on and help to shape the future
> of OWASP Governance.  Does that help to explain what a "Compliance
> Committee" is about?
>  ~josh
> On Mon, Dec 8, 2014 at 3:49 PM, Joerg Stephan <joerg.stephan at owasp.org>
> wrote:
>> Hey Josh,
>>  thanks for sharing this.
>>  May I ask, cause I really don't get it, what this "Compliance Committee"
>> is all about?
>> From the points above I understand that there should be rules how to get
>> the "membership", but I can't imagine what the theme of the party is.
>>  Kind regards
>>  Joerg
>>  On Mon, Dec 8, 2014 at 10:40 PM, Josh Sokol <josh.sokol at owasp.org>
>> wrote:
>>>   Martin recently sent a message to some members of the Board proposing
>>> the idea of a Compliance Committee (see below).  I think this is a great
>>> idea and want to support it, but feel that this is a discussion that should
>>> be had in public on our Governance list.  Martin agreed and so I'm putting
>>> this out here to see how others feel.  He's got a host of excellent
>>> questions in his original message that definitely require some deep
>>> thoughts about how we want this process to work.  Is there somebody from
>>> our community who feels particularly passionate about the idea of a
>>> Compliance Committee and would like to take the lead here?
>>>  ~josh
>>>  ---------- Forwarded message ----------
>>> From: Martin Knobloch <martin.knobloch at owasp.org>
>>> Date: Mon, Nov 17, 2014 at 3:42 AM
>>> Subject: Re: Compliance committee
>>> To: Jim Manico <jim.manico at owasp.org>, Fabio Cerullo <fcerullo at owasp.org>,
>>> Josh Sokol <josh.sokol at owasp.org>
>>>      Hi Jim,
>>>  We have discussed a 'Compliant Committee'  (or whatever to call it)
>>> previously via email and at the AppSec-Eu and US.
>>>  In general, I am in favor of such a committee, but there is a lot to
>>> think about:
>>>  Due to the different nature (responsibilities), the membership of the
>>> committee cannot be open as for the other committees
>>>  - therefore, we have to decide, can people apply or should the members
>>> be nominated?
>>>  - nomination, application handled by whom?
>>>  - screening of nominated / elected members?
>>>  - time / expiration of committee 'membership'
>>>  Whistle-blower policy (and other regulations):
>>>  - what are the implications / are there any changes needed in relation
>>> to the current (and currently updated) policies?
>>>  - More guidelines, in short term some overhead, would be needed
>>>  I can think of more, when given more time.
>>>  Again, I am in favor of this, but it has to be done right from the
>>> beginning!
>>>  Cheers,
>>>  -martin
>>>  _______________________________________________
>>> Governance mailing list
>>> Governance at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/governance