[Governance] Compliance Committee?

Martin Knobloch martin.knobloch at owasp.org
Wed Dec 10 19:22:12 UTC 2014

Hi Bev,

My email that was shared on the list contained my 'thoughts to address'.
In my opinion, the difference between the 'other Committees' and the
suggested 'compliant committee' is the responsibility of the committee.

I meant not to be open, as you do not want anyone to join who is involved
or is knowingly going to be involved in a complaint matter. It is a task
that does as integrity, responsibility and political correctness.
Understanding of different cultures and the ability to divert assumptions
from facts.
For example, this is what I always ask myself: if you would be involved in
a complaint matter, would you agree with who is investigating this?

Therefore, do we want nomination of committee members? State of
achievements? Seniority and experience in the OWASP community? If you apply
to this committee, what are the responsibilities you agree on? Is there a
maximum / minimum time you sign up for?

Lots of questions I wanted the board to brainstorm about before making this a
public discussion. Not to keep it closed, but to have an outline to discuss
rather than a never-ending open discussion.


On Tue, Dec 9, 2014 at 2:00 PM, Bev Corwin <bev.corwin at owasp.org> wrote:

> Dear Martin,
> Could you kindly help me understand / clarify what you mean by "cannot be
> open" in your previous email? Thanks!
> Best wishes,
> Bev
> On Tue, Dec 9, 2014 at 4:32 AM, Tobias <tobias.gondrom at owasp.org> wrote:
>> I agree with Josh's proposal and would very much like to encourage
>> that.
>> Two small questions:
>> 1. feedback and thoughts?
>> 2. any volunteers?
>> Best wishes, Tobias
>> On 09/12/14 06:10, Josh Sokol wrote:
>> Joerg,
>> Sure, not a problem.  To understand what we are talking about, let me
>> start with how we handle any issues that may arise today.  At the beginning
>> of each year, the OWASP Board of Directors appoints a Compliance Officer as
>> is specified by our current Whistleblower Policy (
>> https://www.owasp.org/index.php/Governance/Whistleblower_Policy).  This
>> person is supposed to be someone who is not currently serving on the Board
>> of Directors so that they can evaluate any issues that arise as a trusted,
>> but unbiased, advisor to the Board and Executive Director.  Martin is our
>> current Compliance Officer and we have entrusted him to independently
>> investigate and report on a number of situations like those that are
>> mentioned here (
>> http://owasp.blogspot.com/2014/10/report-of-complaint-against-owasp-board.html).
>> The problem is that Martin is just one person and this is purely a
>> volunteer role.  We've had a large number of these investigations this year
>> that he's handled and it's become quite overwhelming.  In order to avoid
>> long delays due to the overwhelming work load and to add additional
>> objectivity into the mix, the idea was proposed of having this Compliance
>> Officer role filled by a committee instead of an individual.  The jury is
>> still out (pun somewhat intended) on what exactly that means, but that's
>> why I put it out there for discussion.
>> One of the platforms that I ran on for the OWASP Board elections was my
>> desire to return power back to the people of OWASP.  The resurrection of
>> the OWASP Committees (
>> http://owasp.blogspot.com/2014/07/owasp-committees-20.html) was a step
>> in the right direction, IMHO, and having a separate group of individuals (a
>> committee) whose role it is to handle concerns of ethics violations,
>> problems between staff, Board, and members, etc is another step in the
>> direction of creating checks and balances for our organization.  Thus, I'm
>> putting it out there for others to comment on and help to shape the future
>> of OWASP Governance.  Does that help to explain what a "Compliance
>> Committee" is about?
>> ~josh
>> On Mon, Dec 8, 2014 at 3:49 PM, Joerg Stephan <joerg.stephan at owasp.org>
>> wrote:
>>> Hey Josh,
>>> thanks for sharing this.
>>> May I ask, cause I really don't get it, what this "Compliance
>>> Committee" is all about?
>>> From the points above I understand that there should be rules how to get
>>> the "membership", but I can't imagine what the theme of the party is.
>>> Kind regards
>>> Joerg
>>>  On Mon, Dec 8, 2014 at 10:40 PM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>>> Martin recently sent a message to some members of the Board
>>>> proposing the idea of a Compliance Committee (see below).  I think this is
>>>> a great idea and want to support it, but feel that this is a discussion
>>>> that should be had in public on our Governance list.  Martin agreed and so
>>>> I'm putting this out here to see how others feel.  He's got a host of
>>>> excellent questions in his original message that definitely require some
>>>> deep thoughts about how we want this process to work.  Is there somebody
>>>> from our community who feels particularly passionate about the idea of a
>>>> Compliance Committee and would like to take the lead here?
>>>> ~josh
>>>> ---------- Forwarded message ----------
>>>> From: Martin Knobloch <martin.knobloch at owasp.org>
>>>> Date: Mon, Nov 17, 2014 at 3:42 AM
>>>> Subject: Re: Compliance committee
>>>> To: Jim Manico <jim.manico at owasp.org>, Fabio Cerullo <
>>>> fcerullo at owasp.org>, Josh Sokol <josh.sokol at owasp.org>
>>>> Hi Jim,
>>>> We have discussed a 'Compliant Committee' (or whatever to call it)
>>>> previously via email and at the AppSec-EU and US.
>>>> In general, I am in favor of such a committee, but there is a lot to
>>>> think about:
>>>> Due to the different nature (responsibilities), the membership of the
>>>> committee cannot be open as for the other committees
>>>> - therefore, we have to decide, can people apply or should the members
>>>> be nominated?
>>>> - nomination, application handled by whom?
>>>> - screening of nominated / elected members?
>>>> - time / expiration of committee 'membership'
>>>> Whistle-blower policy (and other regulations):
>>>> - what are the implications / are there any changes needed in relation
>>>> to the current (and currently updated) policies?
>>>> - More guidelines, in short term some overhead, would be needed
>>>> I can think of more, when given more time.
>>>> Again, I am in favor of this, but it has to be done right from the
>>>> beginning!
>>>> Cheers,
>>>> -martin
>>>>  _______________________________________________
>>>> Governance mailing list
>>>> Governance at lists.owasp.org
>>>> https://lists.owasp.org/mailman/listinfo/governance