[Owasp-board] [Vote Requested] Loss from AppSec Asia

Seba seba at owasp.org
Wed Dec 21 18:39:07 UTC 2011


I agree

On Wed, Dec 21, 2011 at 6:30 PM, Eoin <eoin.keary at owasp.org> wrote:

> Pay back this time but limit liability going forward in the contractual
> sense, as we discussed.
>
>
> On 21 Dec 2011, at 17:12, Michael Coates <michael.coates at owasp.org> wrote:
>
> Board Vote requested to pay $5500 to cover a portion of the AppSec Asia
> losses.
>
>
> Further actions (not part of this vote) - We'll work with conference
> committee to shore up the contracts and avoid this situation in the future.
> An item to discuss in January's call.
>
>
> Michael Coates
> OWASP
>
>
>
> Begin forwarded message:
>
> *From: *Michael Coates <michael.coates at owasp.org>
> *Date: *December 15, 2011 6:08:25 PM PST
> *To: *Sarah Baso <sarah.baso at owasp.org>
> *Cc: *Kate Hartmann <kate.hartmann at owasp.org>, Tin Zaw <tin.zaw at owasp.org>,
> Mark Bristow <mark.bristow at owasp.org>, alison mcnamee <
> alison.shrader at owasp.org>, MattTesauro Tesauro <mtesauro at gmail.com>,
> OWASP Foundation Board List <owasp-board at lists.owasp.org>, Lucas Ferreira
> <lucas.ferreira at owasp.org>, global_conference_committee <
> global_conference_committee at lists.owasp.org>
> *Subject: *Re: [Owasp-board] [Global_conference_committee] Loss from
> AppSec Asia
>
> Sarah,
>
> Thanks for this summary.  I've reread the threads on this issue and also
> Sarah's summary below.
>
> Here is where I am sitting on this issue:
>
> - OWASP was made aware of this event and signed off on it as an official
> owasp event
> - Per Lucas Ferreira's email (forwarded by Sarah on 12/7/11) OWASP did
> enter into a relationship with SecZone
> - We had some controls in place to require visibility into expenses. These
> controls failed since we did not receive requested documentation
> - The total loss is at $16,166.22
> -- DBAppSecurity will cover $4742
> -- SecZone will cover $6,000
> -- This leaves $5,500
>
> *I believe we should cover a share of this loss ($5500) and also look at
> the $5,500 as an investment in the China region*.  We have tremendous
> growth opportunities in the AsiaPac region and hopefully we can help this
> OWASP region get on its feet for self funding events too.
>
>
> Moving forward:
> Mark suggested several items to refine our policies to help prevent future
> situations such as this.  Lucas has pointed out that we need to be more
> effective in reacting when our intermediate checkpoints are not being met.
>  In addition we should update our agreements to ensure caps are established
> and clear boundaries on who is controlling what aspects of the financial
> operations.
>
> Sarah, you also outlined several action items in your email. I'd like to
> get those on the schedule so we can work to address each of those points to
> strengthen our ability to work with other organizations for future
> conferences.
>
>
>
> Michael Coates
> OWASP
>
>
>
> On Dec 9, 2011, at 9:50 AM, Sarah Baso wrote:
>
> Michael -
>
> I think there are 3 different "issues" being discussed in this thread.
>
> *1. How can OWASP limit its liability and ensure financial
> transparency when organizations other than the OWASP Foundation (US) and
> OWASP, Inc. (Europe) are handling event or chapter money?*
>
> As explained in Lucas's email (which I agree with): the event contract we
> entered into with SecZone defines the relationship between the parties as
> well as responsibilities.  That being said, there are a couple big
> "responsibilities" that SecZone had that they did not follow through on:
> providing monthly statements on the financials of the conference AND seeking
> authorization from the foundation before taking any actions that
> may incur any expenses to the event.
>
> "In short, I think the problem is not in defining rules. If the process had
> been followed, we would have better information and early warnings
> about the problems, making it easier to manage. The problem we have is that
> we have been unable to enforce the process with conference
> organizers. My feeling is that we need to rely less on trust and really
> require the organizers to follow the process defined in the contract."
>
> *So action points for the committee:*
>
>    - Ensure that a detailed and comprehensive contract is signed by all
>    3rd parties handling event finances (anytime it is someone other than the
>    OWASP Foundation in US and OWASP Inc in Europe); it should include certain
>    terms decided by the Board.
>
>
>    - Better define and vet budgets and impose additional auditing
>    requirements as event planning is in process. This includes:
>
>            --> Require initial budgets as described for approvals
>            --> Require events to report actual expenditures/revised
> budgets monthly
>            --> Have all expenditures not within the original budget for
> that line item be approved by the GCC liaison (and updated on subsequent
> projections). *I would recommend that expenditures over a certain dollar
> amount require a "second signer" who is aware of the current OWASP
> financial situation (committee chair, board member, Kate, etc.)*
>
>
> *Action points for the Board/Foundation*
>
> *Adopt a template contract (or contract terms) to be used any time a 3rd
> party --someone other than the OWASP Foundation (US) and OWASP Inc.
> (Europe)-- is handling OWASP Funds*. It should require the exact things
> we asked for in the agreement with SecZone:  providing monthly statements
> on the financials of the conference AND seeking authorization from the
> foundation before taking any actions that may incur any expenses to the
> event or chapter (that will be covered by the Foundation)
>
> This contract can set a maximum out of pocket liability (set dollar
> amount) if the terms are not adhered to.  While I certainly don't want
> anyone to be held personally liable for running a conference that results
> in a loss, when the Foundation is authorizing another entity to make
> expenditures (and decisions) on its behalf, we need to be pro-active in
> limiting our liability. They can either involve us in their decisions (by
> providing budget updates and getting authorization before spending), or
> take on complete responsibility for the financial liability.
>
> One thing no one has mentioned (although it undoubtedly is a
> consideration): OWASP has a responsibility to show its supporters that
> their donations (via members, sponsorship or other) are being used properly
> - in support of the OWASP mission. Anytime we (OWASP) are giving up control
> of how our funds are used, we are also supposing a level of trust that the
> funds will be spent appropriately. I think this trust is good to a certain
> extent, but people in China (or other areas of the world) may not have the
> same understanding of this Fiduciary Duty that we do, and they will not be
> held accountable as we will here in the US. Thus, the only financially
> responsible decision is for us to limit the amount of money we will
> "reimburse" or "cover" when the expenses haven't been provided or
> pre-approved.
>
> *I am happy to work on putting a draft contract together based on the 3rd
> party contracts we have used in the past.*
>
> *2. What is the relationship between SecZone and OWASP - both OWASP China and
> the OWASP Foundation? *
> I am going to follow up on this in a separate thread. It is important, but
> slightly tangential to the purpose of this thread.
>
> *3. Event Specific: How do we handle this loss?*
> In this case, the OWASP Foundation should realize a $5,500 loss for this
> event (which is what the event organizers are asking for).  They are
> currently at a $16,166.22 loss, but Frank Fan's company (DBAppSecurity)
> still owes $4742 and SecZone has said they can cover about $6,000 of the
> loss. That leaves about $5,500 for us to cover.
>
> Seczone did not adhere to its financial responsibilities as outlined in
> our event contract with them. However, since they acted in good faith and
> we could have done a better job setting forth the repercussions for not
> adhering to the contract, I think it is fair for us to pay about $5500, or
> to split the loss with Seczone.  This is a good chance for us to learn
> from our mistakes and understand what we can do differently to prevent this
> (or larger losses) from happening in the future.
>
>
> Regards,
>
> Sarah Baso
>
>
> --
> Administrator for
> OWASP Global Conference Committee
> OWASP Global Chapter Committee
>
> Dir: 312-869-2779
> skype: sarah.baso
>
>
>
>
>
> On Wed, Dec 7, 2011 at 3:44 PM, Michael Coates <michael.coates at owasp.org> wrote:
>
>> From the brief details I've gleaned here it sounds like everyone has been
>> working for the common good. But we have some losses and need to
>> appropriately handle them.  There are several moving parts.  Kate, Sarah,
>> can one of yo
>
> _______________________________________________
>
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board
>
>