[Governance] Transparency Policy

Michael Coates michael.coates at owasp.org
Fri Jun 20 15:41:01 UTC 2014


Bil,

This is really good stuff and I think it's moving towards the right
direction. Often confusions arise from differing or unclear expectations
and this document should really help.

Here's my feedback:

*- Exclusions from Radical Transparency & Handling the Inappropriate
Disclosure*
We agree by this document that it isn't acceptable for the individual to
inappropriately share the "excluded" information in certain settings.
However, how do we handle that shared information if that happens? For
example, if whistle blower claims aren't to be made public "either before,
during, or after the processing of the complaint" then what do we do with
the posted information?

(a) Should it live on and be both publicly accessible and archived at
owasp? If so, this seems to be undermining the point of this policy.
(b) Should it be deleted and replaced with a message that the complaint has
been received but it's not appropriate (per this policy) to post it
publicly? If so, we should be very clear through this policy that this is
the expected series of events.

*- Updates to the Policy*
I think we should add a final section that states the following:
Updates to this policy can be made by discussion and general consensus on
the governance mailing list. Final approval for modifications will be
ratified by the OWASP Foundation Board.

*- Levels of information restriction*
I'm not sure if I see a difference between levels (1) and (2) in our
current setup. We could certainly look to change our setup, but I wanted to
raise this for consideration. For example, because all mailing lists are
public there is no distinction in my mind between (1) Public (most open)
and (2) All OWASP members, staff, Board of Directors. This means that any
information posted to mailing lists must be appropriate to be disclosed to
(1) Public.

*- Levels (5) and (6)*
(5) Executive Director, Board of Directors & (6) Board of Directors (most
restricted)
I think it is good to specify that some information falls into these
categories and must be discussed in a non-public forum. This speaks to the
larger value of expectation setting for everyone.

The purpose of this section is to make it clear that the document can
evolve and to direct people to the right place to have that conversation.


Thanks for your work on this. I think it is a really good item to clarify
and set expectations on a topic that can be ambiguous otherwise.

--
Michael Coates
@_mwc

On Fri, Jun 20, 2014 at 1:29 AM, Bil Corry <bil.corry at owasp.org> wrote:

> Let me clarify my comment – I am hooking into the existing disciplinary
> policy, rather than creating a parallel process within the Transparency
> policy.  There are a variety of policies that can be violated; it makes
> more sense to have a single disciplinary policy that the rest can refer to,
> rather than creating individual disciplinary sections in each policy.
>
> I can clean up the disciplinary policy after we're done with the
> transparency policy, if that's desired.
>
> To answer your question – if I were to set up a system, it would be a
> committee of members that weigh the evidence and make a ruling.  The BoD
> can then be used to appeal the decision.
>
> - Bil
>
> *From:* Josh Sokol [mailto:josh.sokol at owasp.org]
> *Sent:* Thursday, June 19, 2014 10:17 PM
>
> *To:* Bil Corry
> *Cc:* OWASP GOVERNING
> *Subject:* Re: [Governance] Transparency Policy
>
> Please don't feel like you have to defer to any existing policy or make
> any assumptions.  If you're taking the time and effort to draft this
> policy, who would you ideally like to see make that decision?
>
> ~josh
>
> On Thu, Jun 19, 2014 at 2:36 PM, Bil Corry <bil.corry at owasp.org> wrote:
>
> Good question – I defer to the Whistleblower policy as to the disciplinary
> details, but my assumption is the BoD makes the final determination.  The
> Whistleblower policy can be updated to be more clear on this point.
>
> - Bil
>
> *From:* Josh Sokol [mailto:josh.sokol at owasp.org]
> *Sent:* Thursday, June 19, 2014 6:19 PM
>
> *To:* Bil Corry
> *Cc:* OWASP GOVERNING
> *Subject:* Re: [Governance] Transparency Policy
>
> One question for clarity, who determines the action as a result of a
> policy violation?  The Compliance Officer?  A Committee?  The Board?  The
> ED?
>
> ~josh
>
> On Thu, Jun 19, 2014 at 9:48 AM, Bil Corry <bil.corry at owasp.org> wrote:
>
> Thanks Josh, I've updated the violation section based on your suggestion.
> I also added the whistleblower exception, as our whistleblower policy
> states it is a confidential process.
>
> - Bil
>
> *From:* Josh Sokol [mailto:josh.sokol at owasp.org]
> *Sent:* Thursday, June 19, 2014 4:06 PM
> *To:* Bil Corry
> *Cc:* OWASP GOVERNING
> *Subject:* Re: [Governance] Transparency Policy
>
> I really like where this is going.  It reads similar to a data
> classification plan and maybe we should even consider labeling documents
> based on the levels outlined.  When I have some time, I will try to add
> additional examples for consideration.  In the meantime, my only advice may
> be to rephrase the policy violations section at the bottom more along the
> lines of "including the possibility of suspension or revocation of
> membership, exclusion from OWASP events and mailing lists, or other such
> action as determined."
>
> ~josh
>
> On Thu, Jun 19, 2014 at 5:18 AM, Bil Corry <bil.corry at owasp.org> wrote:
>
> Hello Governance,
>
> I am proposing we create (and have the BoD adopt) a policy on transparency
> to clarify the information that should never be shared publicly.
>
> To that end, I've created an initial draft, which you can find here:
>
> https://www.owasp.org/index.php/Transparency_Policy
>
> I'm requesting discussion and feedback on the draft, along with additional
> exclusions (I only started with two).
>
> Thank you for your time in advance,
>
> - Bil
>
> _______________________________________________
> Governance mailing list
> Governance at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/governance