[Governance] Compliance Committee?

Bev Corwin bev.corwin at owasp.org
Thu Dec 11 01:28:59 UTC 2014

Thank you Martin, So much to think about! Very thoughtful and insightful.
Very much appreciated. Best wishes, Bev

On Wed, Dec 10, 2014 at 2:22 PM, Martin Knobloch <martin.knobloch at owasp.org>

> Hi Bev,
> My email that was shared on the list contained my 'thoughts to address'.
> In my opinion, the difference between the 'other Committees' and the
> suggested 'compliant committee' is the responsibility of the committee.
> I meant not to be open, as you do not want anyone to join who is involved
> or is knowingly going to be involved in a complaint matter. It is a task
> that does as integrity, responsibility and political correctness.
> Understanding of different cultures and the ability to divert assumptions
> from facts.
> For example, this is what I always ask myself, if you would be involved in
> a complaint matter, would you agree with who is investigating this?
> Therefore, do we want nomination of committee members? State of
> achievements? Seniority and experience in the OWASP community? If you apply
> to this committee, what are the responsibilities you agree on? Is there a
> maximum / minimum time you sign up for?
> Lots of questions I wanted to board to brainstorm about before making this
> a public discussion. Not to keep it closed, but to have an outline to discuss
> rather than a never ending open discussion.
> Cheers,
> -martin
> On Tue, Dec 9, 2014 at 2:00 PM, Bev Corwin <bev.corwin at owasp.org> wrote:
>> Dear Martin,
>> Could you kindly help me understand / clarify what you mean by "cannot be
>> open" in your previous email? Thanks!
>> Best wishes,
>> Bev
>> On Tue, Dec 9, 2014 at 4:32 AM, Tobias <tobias.gondrom at owasp.org> wrote:
>>> I agree with Josh's proposal and would very much like to encourage
>>> that.
>>> Two small questions:
>>> 1. feedback and thoughts?
>>> 2. any volunteers?
>>> Best wishes, Tobias
>>> On 09/12/14 06:10, Josh Sokol wrote:
>>> Joerg,
>>> Sure, not a problem.  To understand what we are talking about, let me
>>> start with how we handle any issues that may arise today.  At the beginning
>>> of each year, the OWASP Board of Directors appoints a Compliance Officer as
>>> is specified by our current Whistleblower Policy (
>>> https://www.owasp.org/index.php/Governance/Whistleblower_Policy).  This
>>> person is supposed to be someone who is not currently serving on the Board
>>> of Directors so that they can evaluate any issues that arise as a trusted,
>>> but unbiased, advisor to the Board and Executive Director.  Martin is our
>>> current Compliance Officer and we have entrusted him to independently
>>> investigate and report on a number of situations like those that are
>>> mentioned here (
>>> http://owasp.blogspot.com/2014/10/report-of-complaint-against-owasp-board.html).
>>> The problem is that Martin is just one person and this is purely a
>>> volunteer role.  We've had a large number of these investigations this year
>>> that he's handled and it's become quite overwhelming.  In order to avoid
>>> long delays due to the overwhelming work load and to add additional
>>> objectivity into the mix, the idea was proposed of having this Compliance
>>> Officer role filled by a committee instead of an individual.  The jury is
>>> still out (pun somewhat intended) on what exactly that means, but that's
>>> why I put it out there for discussion.
>>> One of the platforms that I ran on for the OWASP Board elections was my
>>> desire to return power back to the people of OWASP.  The resurrection of
>>> the OWASP Committees (
>>> http://owasp.blogspot.com/2014/07/owasp-committees-20.html) was a step
>>> in the right direction, IMHO, and having a separate group of individuals (a
>>> committee) whose role it is to handle concerns of ethics violations,
>>> problems between staff, Board, and members, etc. is another step in the
>>> direction of creating checks and balances for our organization.  Thus, I'm
>>> putting it out there for others to comment on and help to shape the future
>>> of OWASP Governance.  Does that help to explain what a "Compliance
>>> Committee" is about?
>>> ~josh
>>> On Mon, Dec 8, 2014 at 3:49 PM, Joerg Stephan <joerg.stephan at owasp.org>
>>> wrote:
>>>> Hey Josh,
>>>> thanks for sharing this.
>>>> May I ask, because I really don't get it, what this "Compliance
>>>> Committee" is all about?
>>>> From the points above I understand that there should be rules how to
>>>> get the "membership", but I can't imagine what the theme of the party is.
>>>> Kind regards
>>>> Joerg
>>>> On Mon, Dec 8, 2014 at 10:40 PM, Josh Sokol <josh.sokol at owasp.org>
>>>> wrote:
>>>>> Martin recently sent a message to some members of the Board
>>>>> proposing the idea of a Compliance Committee (see below).  I think this is
>>>>> a great idea and want to support it, but feel that this is a discussion
>>>>> that should be had in public on our Governance list.  Martin agreed and so
>>>>> I'm putting this out here to see how others feel.  He's got a host of
>>>>> excellent questions in his original message that definitely require some
>>>>> deep thoughts about how we want this process to work.  Is there somebody
>>>>> from our community who feels particularly passionate about the idea of a
>>>>> Compliance Committee and would like to take the lead here?
>>>>> ~josh
>>>>> ---------- Forwarded message ----------
>>>>> From: Martin Knobloch <martin.knobloch at owasp.org>
>>>>> Date: Mon, Nov 17, 2014 at 3:42 AM
>>>>> Subject: Re: Compliance committee
>>>>> To: Jim Manico <jim.manico at owasp.org>, Fabio Cerullo <
>>>>> fcerullo at owasp.org>, Josh Sokol <josh.sokol at owasp.org>
>>>>> Hi Jim,
>>>>> We have discussed a 'Compliant Committee' (or whatever to call it)
>>>>> previously via email and at the AppSec-Eu and US.
>>>>>  In general, I am in favor of such a committee, but there is a lot to
>>>>> think about:
>>>>>  Due to the different nature (responsibilities), the membership of
>>>>> the committee cannot be open as for the other committees
>>>>>  - therefore, we have to decide, can people apply or should the
>>>>> members be nominated?
>>>>>  - nomination, application handled by whom?
>>>>>  - screening of nominated / elected members?
>>>>>  - time / expiration of committee 'membership'
>>>>>  Whistle-blower  policy (and other regulations):
>>>>>  - what are the implications / are there any changes needed in
>>>>> relation to the current (and currently updated) policies?
>>>>>  - More guidelines, in short term some overhead, would be needed
>>>>>  I can think of more, when given more time.
>>>>> Again, I am in favor of this, but it has to be done right from the
>>>>> beginning!
>>>>>  Cheers,
>>>>>  -martin
>>>>>  _______________________________________________
>>>>> Governance mailing list
>>>>> Governance at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/governance