[Owasp-board] [Global_chapter_committee] A New Event Policy for OWASP

Mark Bristow mark.bristow at owasp.org
Tue Feb 28 00:20:05 UTC 2012


I absolutely agree that we need to come up with a single policy here that
applies universally.  I don't think we are doing a service to our chapters
or events by having confusing sets of conflicting rules.

On Mon, Feb 27, 2012 at 5:11 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

> +1 Good Point Jason.  I sent a personal e-mail to Mark echoing this
> sentiment.  It's definitely in all of our best interests to come up with a
> single event policy that leverages the strengths and avoids the weaknesses
> from each committee.
>
> ~josh
>
> On Fri, Feb 24, 2012 at 5:46 PM, Tin Zaw <tin.zaw at owasp.org> wrote:
>
>> Jason,
>>
>> Good point. I think we should aim to come up with one set of
>> guidelines to meetings, events and chapter finances.
>>
>> It is very likely that each committee will come up with different
>> drafts but the drafts need to be reconciled with the board's help to
>> become OWASP policies or guidelines.
>>
>> Thanks.
>>
>> On Fri, Feb 24, 2012 at 3:43 PM, Jason Li <jason.li at owasp.org> wrote:
>> > One thing I would suggest getting away from is the concept of whether an
>> > event is "controlled by" the Chapter Committee vs the Conferences
>> > Committee.
>> >
>> > That kind of mentality makes this policy-making very confrontational.
>> >
>> > This work isn't about one committee or another - it's about establishing a
>> > unified policy that makes sense for all of OWASP at a macro and micro
>> > scale.
>> >
>> > In fact, I see no reason why there couldn't be an event that had policies
>> > and support mechanisms from both committees that applied to the event.
>> >
>> > -Jason
>> >
>> > On Thu, Feb 23, 2012 at 1:46 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>> >>
>> >> Chapter Committee Members,
>> >>
>> >> Hopefully by now you have all had a chance to read Michael's e-mail
>> >> regarding the Board's decision on the LASCON request for exemption and the
>> >> desire for a change in policy around events.  We should all view the
>> >> discussions which will follow as an excellent way for our committee to shape
>> >> the future of Chapters and their ability to grow and be sustainable over the
>> >> long-term.  To summarize, the board has asked us to work with the Conference
>> >> Committee to come up with a policy which addresses all of the following
>> >> guiding objectives:
>> >>
>> >> • Chapter empowerment through a profit sharing model that is in line with
>> >>   our core value of Innovation
>> >> • No profit caps on gains from specific events
>> >> • Annual review, requirements, or rules to address the issue of stale
>> >>   chapter funds in excessive amounts
>> >> • Periodic recap on funds spent by chapters to help ensure funds are
>> >>   appointed on items aligned with the "OWASP Mission"
>> >> • Added controls to prevent conflicts between large chapter events and core
>> >>   global conferences.
>> >> • A dedicated committee with continual and significant control over the core
>> >>   OWASP global events (Conferences Committee)
>> >> • A model which accounts for costs associated with Foundation resources
>> >>   provided to local events.
>> >> • Controls to prevent chapters from over-committing on financial costs
>> >> • Final policy and structure should ensure no incentive for chapters to form
>> >>   legal entities in their own countries.
>> >> • Chapters must use established technology methods (RegOnline) any time
>> >>   money is handled
>> >> • CFPs need to use established OWASP procedures
>> >> • A single "source of truth" for all events.  (I assume this means a single
>> >>   place to coordinate all events)
>> >> • Naming standards for all events
>> >> • Logo standards that include OWASP on all logos, event sites, collateral,
>> >>   etc
>> >>
>> >> I feel very strongly that these are guidelines that we can work with in
>> >> order to craft this new policy.  That said, before we get started on the
>> >> policy itself, I have a few questions for you all.
>> >>
>> >> 1) What criteria do we use to distinguish between an event controlled by
>> >> the Chapter Committee vs an event controlled by the Conferences Committee?
>> >> It's clear that the label of "Conference" is not enough.  I also feel
>> >> strongly that metrics such as "number of attendees" or "where attendees are
>> >> from" make for poor determining factors as they fail to account for chapter
>> >> growth on a local level and OWASP Foundation growth on a regional level.
>> >> Personally, I think this decision belongs in the hands of the event planners
>> >> with approval from the committee they ultimately choose to go with.  Both
>> >> committees need to list out what structure they provide around event
>> >> planning so the organizers have expectations set up front.
>> >>
>> >> 2) What kind of profit sharing model makes sense?  The board has
>> >> specifically said they want a model that supports innovation, removes caps,
>> >> and accounts for Foundation costs.  Assuming that we can enumerate what
>> >> these Foundation costs are in relation to events, what can we do here to
>> >> reward and even incentivize our chapters for putting on their own events,
>> >> raising money, educating, and hopefully becoming self-sustaining?
>> >> Personally, I believe that any model which focuses on percentage splits here
>> >> is inherently flawed.  In my arguments to the Board on behalf of LASCON I
>> >> stated that what needs to happen (at least as it relates to Chapter events)
>> >> is a tiered approach for profit sharing.
>> >>
>> >> Step 1 - We account for all obvious expenses for the event.  In theory,
>> >> all events should be limited to the amount of up-front money they can commit
>> >> specifically to cover things like venue deposits.  I think we need to come
>> >> up with an amount for what this would be before committee approval is
>> >> necessary.  We should strongly discourage spending additional funds beyond
>> >> those required for "start up" until other funding has been obtained to cover
>> >> the costs.
>> >>
>> >> Step 2 - We account for all Foundation expenses for the event.  We need to
>> >> enumerate what exactly these are and come up with a way to "bill" them by
>> >> event.  I would think this includes things like event insurance and
>> >> Foundation staff time, but I've never been successful in getting a good
>> >> dollar value or listing on what all of the Foundational expenses are.  In
>> >> any case, I think once the "hard costs" are covered under Step 1, we need to
>> >> cover these Foundational "soft costs".
>> >>
>> >> Step 3 - We give the participating chapters what they need to become
>> >> self-sustaining.  This is where our approach should differ from the
>> >> Conference Committee in that we are focused on "Chapter Events" whereas they
>> >> are focused on "Foundation Events".  So, the question becomes....how do we
>> >> know what the chapters need to become self-sustaining?  I know that several
>> >> people have brought forth objections to this in the past, but I believe the
>> >> answer here is a chapter budget.  It doesn't have to be anything overly
>> >> complex.  In fact, our current chapter handbook actually already has a
>> >> sample chapter budget referenced in it that is extremely simple.  We just
>> >> need something that lists out a chapter's expenses over the course of the
>> >> year.  Yes, sometimes budgets will be imprecise, but that's life in the real
>> >> world.  If a chapter can take the time to run an event outside of their
>> >> meetings that makes enough money to get to this step, then they certainly
>> >> have the ability to do a simple budget.  These budgets also help us address
>> >> the board's concern over stale funds in chapter accounts.
>> >>
>> >> Step 4 - Any time we have enough money to get to this step, we should
>> >> consider this "gravy".  With the chapter already getting what they need in
>> >> order to self-sustain, and the foundation already getting what it needs to
>> >> cover its costs, the only real caveat placed on these funds is that they
>> >> should be used to benefit the foundation.  What that means I don't really
>> >> know.  Personally, I'd like to see some of these funds invested back into
>> >> the regional OWASP effort if one exists.  Using LASCON as an example, I'd
>> >> like to see some of our excess funds flow to the Dallas and Houston chapters
>> >> that are strapped for cash, and subsequently, the ability to do big things
>> >> like the Austin Chapter.  I'm going to make a proposal here, but am open to
>> >> any other suggestions.  I'd like to see a 50/50 split on these remaining
>> >> funds between the Foundation to support growth at an organizational level
>> >> and any other chapters or projects that the planners feel strongly about
>> >> supporting.  If none, all remaining funds should go to the Foundation by
>> >> default.
>> >>
>> >> 3) How do we provide for an annual review, requirements, or rules to
>> >> address the issue of stale chapter funds in excessive amounts?  Obviously,
>> >> stale funds only apply to chapters with a substantial amount of money in
>> >> their accounts, but the problem is determining what is "excessive".  Because
>> >> of this, I don't think we can set some random value here.  For example, the
>> >> Austin Chapter requires about $6,650 in funds each year while the Houston
>> >> Chapter is barely doing anything with and has hardly any money in their bank
>> >> account.  I think the answer here is that all chapters with over a certain
>> >> amount of money in their account (defined by whatever we think is "excessive
>> >> amounts" of stale funds) need to be audited on an annual basis.  I already
>> >> discussed my thoughts with the committee around what that number is and how
>> >> to handle the audit with the use of budgets, but am open to other
>> >> suggestions that address this requirement from the board.
>> >>
>> >> I'd like to gather some feedback from the committee (Conference Committee
>> >> feel free to chime in here as well) on these three topics and try to gather
>> >> consensus before we move on to how we are going to address the other
>> >> issues.  Thanks!
>> >>
>> >> ~josh
>> >>
>> >> ---------- Forwarded message ----------
>> >> From: Michael Coates <michael.coates at owasp.org>
>> >> Date: Wed, Feb 22, 2012 at 7:24 PM
>> >> Subject: [Global_conference_committee] LASCON Exception - Board Vote
>> >> To: Josh Sokol <josh.sokol at ni.com>, Mark Bristow <mark.bristow at owasp.org>
>> >> Cc: OWASP Foundation Board List <owasp-board at lists.owasp.org>,
>> >> global_chapter_committee at lists.owasp.org,
>> >> global_conference_committee at lists.owasp.org
>> >>
>> >>
>> >> We wanted to thank everyone for the open, honest, and respectful
>> >> discussion of the Lascon exception issue.  The board has considered the
>> >> information provided by all parties as well as the principles and mission of
>> >> OWASP.  After discussion and deliberation we've reached the following
>> >> decision:
>> >>
>> >>
>> >> The OWASP Board has voted to approve the following:
>> >> =
>> >> Approve LASCON Exception per current chapter & committee rules with the
>> >> recommendation that LASCON considers the objectives provided by the Board
>> >> for the new policy. Further, this is the second and final exception for
>> >> LASCON.
>> >>
>> >> The updated chapter/conference policy must be approved within 45 days or
>> >> LASCON exception is revoked.
>> >> =
>> >>
>> >>
>> >> Recommendations for the New Policy
>> >>
>> >> The OWASP board would like the conferences and chapters committees to work
>> >> together to jointly draft and approve an update to the policies governing
>> >> chapters and conference events. We appreciate all the hard work that the
>> >> committees have put forth to grow our chapters and conferences to its
>> >> current state.  We've accomplished some great things and this is another
>> >> situation where we have to review and adjust as a result of our continued
>> >> growth and success as an organization (a good problem to have).
>> >>
>> >> As global committee members you are in the best place to determine the
>> >> specifics of this policy; however, we would like to set an overall direction
>> >> that will be worked towards and we’ve outlined the following objectives that
>> >> should be considered for the updated chapter and conference policies.
>> >>
>> >>
>> >> We encourage the committees to review these guiding objectives and work to
>> >> build a structure that will encourage the growth of OWASP and our mission.
>> >>
>> >>        • Guiding Objectives
>> >>                • We would like to see chapter empowerment through a profit
>> >>                  sharing model that is in line with our core value of
>> >>                  Innovation
>> >>                • We have concerns over the use of profit caps on gains
>> >>                  from specific events
>> >>                • We would like some sort of annual review, requirements,
>> >>                  or rules to address the issue of stale chapter funds in
>> >>                  excessive amounts
>> >>                • We would like some periodic recap on funds spent by
>> >>                  chapters to help ensure funds are appointed on items
>> >>                  aligned with the “OWASP Mission”.
>> >>                • We recognize there could be concerns over conflicting
>> >>                  large chapter events and our core global conferences.
>> >>                  Controls should be added to prevent this conflict (perhaps
>> >>                  CFP blackout periods in regions within X months of a
>> >>                  global event)
>> >>                • We would like a dedicated committee with continual and
>> >>                  significant control over the core OWASP global events
>> >>                  (i.e. conference committee)
>> >>                • Foundation has resources that can be are being provided
>> >>                  to local chapter events but we need these costs to be
>> >>                  accounted for in the chapter's event planning
>> >>                • Controls are needed to prevent chapters from
>> >>                  over-committing on financial costs
>> >>                • Final policy and structure created by the committees
>> >>                  should ensure, as much as is possible, that there is no
>> >>                  incentive for chapters to form legal entities in their own
>> >>                  countries.  Any such activity has significant implications
>> >>                  for the foundation and must be discussed and coordinated
>> >>                  with the Foundation Board.
>> >>        • Infrastructure
>> >>                • Chapters must use established technology methods (such as
>> >>                  regonline) any time money is handled
>> >>                • CFPs need to use established OWASP procedures
>> >>                • A single “source of truth” is needed for all events so
>> >>                  that OWASP employees can best assist all events.  These
>> >>                  include events under either committee’s purview.
>> >>        • Branding
>> >>                • Naming standard enforced for all events (e.g. OWASP X)
>> >>                • Logo standards that include OWASP on all logos, event
>> >>                  sites, collateral, etc
>> >>
>> >>
>> >> Thanks for the significant efforts that have been made thus far and we
>> >> look forward to the updated policy/policies that can take OWASP and our
>> >> growing member and chapter base to the next level.
>> >>
>> >>
>> >> Lastly, Kate will update the official vote record to reflect our vote and
>> >> capture the above guiding objectives on the wiki.
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> -The OWASP Board
>> >>
>> >> Michael Coates
>> >> michael.coates at owasp.org
>> >>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>>
>> --
>> Tin Zaw, CISSP, CSSLP
>> Chapter Leader and President, OWASP Los Angeles Chapter
>> Member, OWASP Global Chapter Committee
>> Google Voice: (213) 973-9295
>> LinkedIn: http://www.linkedin.com/in/tinzaw
>>
>
>


-- 
Mark Bristow
(703) 596-5175
mark.bristow at owasp.org

OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
AppSec DC Organizer - https://www.appsecdc.org