[Owasp-board] [Global_chapter_committee] A New Event Policy for OWASP

Tin Zaw tin.zaw at owasp.org
Fri Feb 24 23:46:29 UTC 2012


Jason,

Good point. I think we should aim to come up with one set of
guidelines for meetings, events and chapter finances.

It is very likely that each committee will come up with different
drafts but the drafts need to be reconciled with the board's help to
become OWASP policies or guidelines.

Thanks.

On Fri, Feb 24, 2012 at 3:43 PM, Jason Li <jason.li at owasp.org> wrote:
> One thing I would suggest getting away from is the concept of whether an
> event is "controlled by" the Chapter Committee vs the Conferences Committee.
>
> That kind of mentality makes this policy-making very confrontational.
>
> This work isn't about one committee or another - it's about establishing a
> unified policy that makes sense for all of OWASP at a macro and micro scale.
>
> In fact, I see no reason why there couldn't be an event that had policies
> and support mechanisms from both committees that applied to the event.
>
> -Jason
>
> On Thu, Feb 23, 2012 at 1:46 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>> Chapter Committee Members,
>>
>> Hopefully by now you have all had a chance to read Michael's e-mail
>> regarding the Board's decision on the LASCON request for exemption and the
>> desire for a change in policy around events.  We should all view the
>> discussions which will follow as an excellent way for our committee to shape
>> the future of Chapters and their ability to grow and be sustainable over the
>> long-term.  To summarize, the board has asked us to work with the Conference
>> Committee to come up with a policy which addresses all of the following
>> guiding objectives:
>>
>> • Chapter empowerment through a profit sharing model that is in line with
>>   our core value of Innovation
>> • No profit caps on gains from specific events
>> • Annual review, requirements, or rules to address the issue of stale
>>   chapter funds in excessive amounts
>> • Periodic recap on funds spent by chapters to help ensure funds are
>>   appointed on items aligned with the "OWASP Mission"
>> • Added controls to prevent conflicts between large chapter events and core
>>   global conferences.
>> • A dedicated committee with continual and significant control over the core
>>   OWASP global events (Conferences Committee)
>> • A model which accounts for costs associated with Foundation resources
>>   provided to local events.
>> • Controls to prevent chapters from over-committing on financial costs
>> • Final policy and structure should ensure no incentive for chapters to form
>>   legal entities in their own countries.
>> • Chapters must use established technology methods (RegOnline) any time
>>   money is handled
>> • CFPs need to use established OWASP procedures
>> • A single "source of truth" for all events.  (I assume this means a single
>>   place to coordinate all events)
>> • Naming standards for all events
>> • Logo standards that include OWASP on all logos, event sites, collateral,
>>   etc
>>
>> I feel very strongly that these are guidelines that we can work with in
>> order to craft this new policy.  That said, before we get started on the
>> policy itself, I have a few questions for you all.
>>
>> 1) What criteria do we use to distinguish between an event controlled by
>> the Chapter Committee vs an event controlled by the Conferences Committee?
>> It's clear that the label of "Conference" is not enough.  I also feel
>> strongly that metrics such as "number of attendees" or "where attendees are
>> from" make for poor determining factors as they fail to account for chapter
>> growth on a local level and OWASP Foundation growth on a regional level.
>> Personally, I think this decision belongs in the hands of the event planners
>> with approval from the committee they ultimately choose to go with.  Both
>> committees need to list out what structure they provide around event
>> planning so the organizers have expectations set up front.
>>
>> 2) What kind of profit sharing model makes sense?  The board has
>> specifically said they want a model that supports innovation, removes caps,
>> and accounts for Foundation costs.  Assuming that we can enumerate what
>> these Foundation costs are in relation to events, what can we do here to
>> reward and even incentivize our chapters for putting on their own events,
>> raising money, educating, and hopefully becoming self-sustaining?
>> Personally, I believe that any model which focuses on percentage splits here
>> is inherently flawed.  In my arguments to the Board on behalf of LASCON I
>> stated that what needs to happen (at least as it relates to Chapter events)
>> is a tiered approach for profit sharing.
>>
>> Step 1 - We account for all obvious expenses for the event.  In theory,
>> all events should be limited to the amount of up-front money they can commit
>> specifically to cover things like venue deposits.  I think we need to come
>> up with an amount for what this would be before committee approval is
>> necessary.  We should strongly discourage spending additional funds beyond
>> those required for "start up" until other funding has been obtained to cover
>> the costs.
>>
>> Step 2 - We account for all Foundation expenses for the event.  We need to
>> enumerate what exactly these are and come up with a way to "bill" them by
>> event.  I would think this includes things like event insurance and
>> Foundation staff time, but I've never been successful in getting a good
>> dollar value or listing on what all of the Foundational expenses are.  In
>> any case, I think once the "hard costs" are covered under Step 1, we need to
>> cover these Foundational "soft costs".
>>
>> Step 3 - We give the participating chapters what they need to become
>> self-sustaining.  This is where our approach should differ from the
>> Conference Committee in that we are focused on "Chapter Events" whereas they
>> are focused on "Foundation Events".  So, the question becomes....how do we
>> know what the chapters need to become self-sustaining?  I know that several
>> people have brought forth objections to this in the past, but I believe the
>> answer here is a chapter budget.  It doesn't have to be anything overly
>> complex.  In fact, our current chapter handbook actually already has a
>> sample chapter budget referenced in it that is extremely simple.  We just
>> need something that lists out a chapter's expenses over the course of the
>> year.  Yes, sometimes budgets will be imprecise, but that's life in the real
>> world.  If a chapter can take the time to run an event outside of their
>> meetings that makes enough money to get to this step, then they certainly
>> have the ability to do a simple budget.  These budgets also help us address
>> the board's concern over stale funds in chapter accounts.
>>
>> Step 4 - Any time we have enough money to get to this step, we should
>> consider this "gravy".  With the chapter already getting what they need in
>> order to self-sustain, and the foundation already getting what it needs to
>> cover its costs, the only real caveat placed on these funds is that they
>> should be used to benefit the foundation.  What that means I don't really
>> know.  Personally, I'd like to see some of these funds invested back into
>> the regional OWASP effort if one exists.  Using LASCON as an example, I'd
>> like to see some of our excess funds flow to the Dallas and Houston chapters
>> that are strapped for cash, and subsequently, the ability to do big things
>> like the Austin Chapter.  I'm going to make a proposal here, but am open to
>> any other suggestions.  I'd like to see a 50/50 split on these remaining
>> funds between the Foundation to support growth at an organizational level
>> and any other chapters or projects that the planners feel strongly about
>> supporting.  If none, all remaining funds should go to the Foundation by
>> default.
>>
>> 3) How do we provide for an annual review, requirements, or rules to
>> address the issue of stale chapter funds in excessive amounts?  Obviously,
>> stale funds only applies to chapters with a substantial amount of money in
>> their accounts, but the problem is determining what is "excessive".  Because
>> of this, I don't think we can set some random value here.  For example, the
>> Austin Chapter requires about $6,650 in funds each year while the Houston
>> Chapter is barely doing anything with and has hardly any money in their bank
>> account.  I think the answer here is that all chapters with over a certain
>> amount of money in their account (defined by whatever we think is "excessive
>> amounts" of stale funds) need to be audited on an annual basis.  I already
>> discussed my thoughts with the committee around what that number is and how
>> to handle the audit with the use of budgets, but am open to other
>> suggestions that address this requirement from the board.
>>
>> I'd like to gather some feedback from the committee (Conference Committee
>> feel free to chime in here as well) on these three topics and try to gather
>> consensus before we move on to how we are going to address the other
>> issues.  Thanks!
>>
>> ~josh
>>
>> ---------- Forwarded message ----------
>> From: Michael Coates <michael.coates at owasp.org>
>> Date: Wed, Feb 22, 2012 at 7:24 PM
>> Subject: [Global_conference_committee] LASCON Exception - Board Vote
>> To: Josh Sokol <josh.sokol at ni.com>, Mark Bristow <mark.bristow at owasp.org>
>> Cc: OWASP Foundation Board List <owasp-board at lists.owasp.org>,
>> global_chapter_committee at lists.owasp.org,
>> global_conference_committee at lists.owasp.org
>>
>>
>> We wanted to thank everyone for the open, honest, and respectful
>> discussion of the Lascon exception issue.  The board has considered the
>> information provided by all parties as well as the principles and mission of
>> OWASP.  After discussion and deliberation we've reached the following
>> decision:
>>
>>
>> The OWASP Board has voted to approve the following:
>> =
>> Approve LASCON Exception per current chapter & committee rules with the
>> recommendation that LASCON considers the objectives provided by the Board
>> for the new policy. Further, this is the second and final exception for
>> LASCON.
>>
>> The updated chapter/conference policy must be approved within 45 days or
>> LASCON exception is revoked.
>> =
>>
>>
>> Recommendations for the New Policy
>>
>> The OWASP board would like the conferences and chapters committees to work
>> together to jointly draft and approve an update to the policies governing
>> chapters and conference events. We appreciate all the hard work that the
>> committees have put forth to grow our chapters and conferences to their
>> current state.  We've accomplished some great things and this is another
>> situation where we have to review and adjust as a result of our continued
>> growth and success as an organization (a good problem to have).
>>
>> As global committee members you are in the best place to determine the
>> specifics of this policy; however, we would like to set an overall direction
>> that will be worked towards and we’ve outlined the following objectives that
>> should be considered for the updated chapter and conference policies.
>>
>>
>> We encourage the committees to review these guiding objectives and work to
>> build a structure that will encourage the growth of OWASP and our mission.
>>
>>        • Guiding Objectives
>>                • We would like to see chapter empowerment through a profit
>> sharing model that is in line with our core value of Innovation
>>                • We have concerns over the use of profit caps on gains
>> from specific events
>>                • We would like some sort of annual review, requirements,
>> or rules to address the issue of stale chapter funds in excessive amounts
>>                • We would like some periodic recap on funds spent by
>> chapters to help ensure funds are appointed on items aligned with the “OWASP
>> Mission”.
>>                • We recognize there could be concerns over conflicting
>> large chapter events and our core global conferences. Controls should be
>> added to prevent this conflict (perhaps CFP blackout periods in regions
>> within X months of a global event)
>>                • We would like a dedicated committee with continual and
>> significant control over the core OWASP global events (i.e. conference
>> committee)
>>                • Foundation has resources that can be are being provided
>> to local chapter events but we need these costs to be accounted for in the
>> chapter's event planning
>>                • Controls are needed to prevent chapters from
>> over-committing on financial costs
>>                • Final policy and structure created by the committees
>> should ensure, as much as is possible, that there is no incentive for
>> chapters to form legal entities in their own countries.  Any such activity
>> has significant implications for the foundation and must be discussed and
>> coordinated  with the Foundation Board.
>>        • Infrastructure
>>                • Chapters must use established technology methods (such as
>> regonline) any time money is handled
>>                • CFPs need to use established OWASP procedures
>>                • A single “source of truth” is needed for all events so
>> that OWASP employees can best assist all events.  These include events under
>> either  committee’s purview.
>>        • Branding
>>                • Naming standard enforced for all events (e.g. OWASP X)
>>                • Logo standards that include OWASP on all logos, event
>> sites, collateral, etc
>>
>>
>> Thanks for the significant efforts that have been made thus far and we
>> look forward to the updated policy/policies that can take OWASP and our
>> growing member and chapter base to the next level.
>>
>>
>> Lastly, Kate will update the official vote record to reflect our vote and
>> capture the above guiding objectives on the wiki.
>>
>>
>>
>>
>>
>> -The OWASP Board
>>
>> Michael Coates
>> michael.coates at owasp.org
>>
>>
>>
>> _______________________________________________
>> Global_conference_committee mailing list
>> Global_conference_committee at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/global_conference_committee



-- 
Tin Zaw, CISSP, CSSLP
Chapter Leader and President, OWASP Los Angeles Chapter
Member, OWASP Global Chapter Committee
Google Voice: (213) 973-9295
LinkedIn: http://www.linkedin.com/in/tinzaw
