[Governance] Transparency Policy

Eoin Keary eoin.keary at owasp.org
Fri Jun 20 15:51:38 UTC 2014


Let's consider conflicts of interest within the whistleblower and BoD when
making decisions.
Declaration of interests must be performed before involvement or decision
making.



On Fri, Jun 20, 2014 at 4:41 PM, Michael Coates <michael.coates at owasp.org>
wrote:

> Bil,
>
> This is really good stuff and I think it's moving towards the right
> direction. Often confusions arise from differing or unclear expectations
> and this document should really help.
>
> Here's my feedback:
>
> *- Exclusions from Radical Transparency & Handling the Inappropriate
> Disclosure*
> We agree by this document that it isn't acceptable for the individual to
> inappropriately share the "excluded" information in certain settings.
> However, how do we handle that shared information if that happens? For
> example, if whistle blower claims aren't to be made public "either before,
> during, or after the processing of the complaint" then what do we do with
> the posted information?
>
> (a) Should it live on and be both publicly accessible and archived at
> owasp? If so, this seems to be undermining the point of this policy.
> (b) Should it be deleted and replaced with a message that the complaint
> has been received but it's not appropriate (per this policy) to post it
> publicly? If so, we should be very clear through this policy that this is
> the expected series of events.
>
> *- Updates to the Policy*
> I think we should add a final section that states the following:
> Updates to this policy can be made by discussion and general consensus on
> the governance mailing list. Final approval for modifications will be
> ratified by the OWASP Foundation Board.
>
> *- Levels of information restriction*
> I'm not sure if I see a difference between levels (1) and (2) in our
> current setup. We could certainly look to change our setup, but I wanted to
> raise this for consideration. For example, because all mailing lists are
> public there is no distinction in my mind between (1) Public (most open)
> and (2) All OWASP members, staff, Board of Director. This means that any
> information posted to mailing lists must be appropriate to be disclosed to
> (1) Public.
>
> *- Levels (5) and (6)*
> (5) Executive Director, Board of Directors & (6) Board of Directors (most
> restricted)
> I think it is good to specify that some information falls into these
> categories and must be discussed in a non-public forum. This speaks to the
> larger value of expectation setting for everyone.
>
> The purpose of this section is to make it clear that the document can
> evolve and to direct people to the right place to have that conversation.
>
>
> Thanks for your work on this. I think it is a really good item to clarify
> and set expectations on a topic that can be ambiguous otherwise.
>
>
>
>
>
> --
> Michael Coates
> @_mwc
>
>
>
> On Fri, Jun 20, 2014 at 1:29 AM, Bil Corry <bil.corry at owasp.org> wrote:
>
>> Let me clarify my comment – I am hooking into the existing disciplinary
>> policy, rather than creating a parallel process within the Transparency
>> policy.  There are a variety of policies that can be violated; it makes
>> more sense to have a single disciplinary policy that the rest can refer to,
>> rather than creating individual disciplinary sections in each policy.
>>
>>
>>
>> I can clean up the disciplinary policy after we're done with the
>> transparency policy, if that's desired.
>>
>>
>>
>> To answer your question – if I were to set up a system, it would be a
>> committee of members that weigh the evidence and make a ruling.  The BoD
>> can then be used to appeal the decision.
>>
>>
>>
>> - Bil
>>
>>
>>
>> *From:* Josh Sokol [mailto:josh.sokol at owasp.org]
>> *Sent:* Thursday, June 19, 2014 10:17 PM
>>
>> *To:* Bil Corry
>> *Cc:* OWASP GOVERNING
>> *Subject:* Re: [Governance] Transparency Policy
>>
>>
>>
>> Please don't feel like you have to defer to any existing policy or make
>> any assumptions.  If you're taking the time and effort to draft this
>> policy, who would you ideally like to see make that decision?
>>
>> ~josh
>>
>>
>>
>> On Thu, Jun 19, 2014 at 2:36 PM, Bil Corry <bil.corry at owasp.org> wrote:
>>
>> Good question – I defer to the Whistleblower policy as to the
>> disciplinary details, but my assumption is the BoD makes the final
>> determination.  The Whistleblower policy can be updated to be more clear on
>> this point.
>>
>>
>>
>> - Bil
>>
>>
>>
>> *From:* Josh Sokol [mailto:josh.sokol at owasp.org]
>> *Sent:* Thursday, June 19, 2014 6:19 PM
>>
>>
>> *To:* Bil Corry
>> *Cc:* OWASP GOVERNING
>> *Subject:* Re: [Governance] Transparency Policy
>>
>>
>>
>> One question for clarity, who determines the action as a result of a
>> policy violation?  The Compliance Officer?  A Committee?  The Board?  The
>> ED?
>>
>> ~josh
>>
>>
>>
>> On Thu, Jun 19, 2014 at 9:48 AM, Bil Corry <bil.corry at owasp.org> wrote:
>>
>> Thanks Josh, I've updated the violation section based on your
>> suggestion.  I also added the whistleblower exception, as our whistleblower
>> policy states it is a confidential process.
>>
>>
>>
>>
>>
>> - Bil
>>
>>
>>
>> *From:* Josh Sokol [mailto:josh.sokol at owasp.org]
>> *Sent:* Thursday, June 19, 2014 4:06 PM
>> *To:* Bil Corry
>> *Cc:* OWASP GOVERNING
>> *Subject:* Re: [Governance] Transparency Policy
>>
>>
>>
>> I really like where this is going.  It reads similar to a data
>> classification plan and maybe we should even consider labeling documents
>> based on the levels outlined.  When I have some time, I will try to add
>> additional examples for consideration.  In the meantime, my only advice may
>> be to rephrase the policy violations section at the bottom more along the
>> lines of "including the possibility of suspension or revocation of
>> membership, exclusion from OWASP events and mailing lists, or other such
>> action as determined."
>>
>> ~josh
>>
>>
>>
>> On Thu, Jun 19, 2014 at 5:18 AM, Bil Corry <bil.corry at owasp.org> wrote:
>>
>> Hello Governance,
>>
>>
>>
>> I am proposing we create (and have the BoD adopt) a policy on
>> transparency to clarify the information that should never be shared
>> publicly.
>>
>>
>>
>> To that end, I've created an initial draft, which you can find here:
>>
>>
>>
>> https://www.owasp.org/index.php/Transparency_Policy
>>
>>
>>
>> I'm requesting discussion and feedback on the draft, along with
>> additional exclusions (I only started with two).
>>
>>
>>
>> Thank you for your time in advance,
>>
>>
>>
>> - Bil
>>
>>
>> _______________________________________________
>> Governance mailing list
>> Governance at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/governance
>>
>
>


-- 
Global Board Member