[Owasp-board] [Global_chapter_committee] A New Event Policy for OWASP

Tin Zaw tin.zaw at owasp.org
Tue Feb 28 00:36:11 UTC 2012


Mark and Josh,

I am glad we are in agreement on the end result of this exercise (of
coming up with a unified set of event profit-sharing/chapter-finance
policies/guidelines).

Can we agree also on how to reconcile our differences? Obviously, both
committees and their leaders have different views and that's why we
are here trying to sort this out. So, the question is how.

My proposal is that each committee work separately on its own answers
to the questions that Michael has posted. We should also add a
priority (or points?) on how important a particular answer is. An
answer to each question can be considered a draft policy proposed by
the corresponding committee.

The two committees then reconcile these differences by negotiating the
two sets of draft policies. There will be give and take, and each
committee might have some items that it considers non-negotiable.
This negotiation/reconciliation should be facilitated by board members
or other committee chairs/members (Jason Li?).

If we can do this within the deadline that Michael has imposed, I
think we will come up with solutions that are acceptable to OWASP
chapters for the foreseeable future.

Of course, what I proposed is just an idea subject to further
discussion and refinement. And I am proposing HOW we should resolve
our differences, not WHAT the end result should be.

What do you think?

On Mon, Feb 27, 2012 at 4:20 PM, Mark Bristow <mark.bristow at owasp.org> wrote:
> I absolutely agree that we need to come up with a single policy here that
> applies universally.  I don't think we are doing a service to our chapters
> or events by having confusing sets of conflicting rules.
>
>
> On Mon, Feb 27, 2012 at 5:11 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>
>> +1 Good Point Jason.  I sent a personal e-mail to Mark echoing this
>> sentiment.  It's definitely in all of our best interests to come up with a
>> single event policy that leverages the strengths and avoids the weaknesses
>> from each committee.
>>
>> ~josh
>>
>> On Fri, Feb 24, 2012 at 5:46 PM, Tin Zaw <tin.zaw at owasp.org> wrote:
>>>
>>> Jason,
>>>
>>> Good point. I think we should aim to come up with one set of
>>> guidelines to meetings, events and chapter finances.
>>>
>>> It is very likely that each committee will come up with different
>>> drafts but the drafts need to be reconciled with the board's help to
>>> become OWASP policies or guidelines.
>>>
>>> Thanks.
>>>
>>> On Fri, Feb 24, 2012 at 3:43 PM, Jason Li <jason.li at owasp.org> wrote:
>>> > One thing I would suggest getting away from is the concept of whether
>>> > an event is "controlled by" the Chapter Committee vs the Conferences
>>> > Committee.
>>> >
>>> > That kind of mentality makes this policy-making very confrontational.
>>> >
>>> > This work isn't about one committee or another - it's about
>>> > establishing a unified policy that makes sense for all of OWASP at a
>>> > macro and micro scale.
>>> >
>>> > In fact, I see no reason why there couldn't be an event that had
>>> > policies and support mechanisms from both committees that applied to
>>> > the event.
>>> >
>>> > -Jason
>>> >
>>> > On Thu, Feb 23, 2012 at 1:46 PM, Josh Sokol <josh.sokol at owasp.org>
>>> > wrote:
>>> >>
>>> >> Chapter Committee Members,
>>> >>
>>> >> Hopefully by now you have all had a chance to read Michael's e-mail
>>> >> regarding the Board's decision on the LASCON request for exemption and
>>> >> the desire for a change in policy around events.  We should all view
>>> >> the discussions which will follow as an excellent way for our committee
>>> >> to shape the future of Chapters and their ability to grow and be
>>> >> sustainable over the long-term.  To summarize, the board has asked us
>>> >> to work with the Conference Committee to come up with a policy which
>>> >> addresses all of the following guiding objectives:
>>> >>
>>> >> • Chapter empowerment through a profit sharing model that is in line
>>> >>   with our core value of Innovation
>>> >> • No profit caps on gains from specific events
>>> >> • Annual review, requirements, or rules to address the issue of stale
>>> >>   chapter funds in excessive amounts
>>> >> • Periodic recap on funds spent by chapters to help ensure funds are
>>> >>   appointed on items aligned with the "OWASP Mission"
>>> >> • Added controls to prevent conflicts between large chapter events and
>>> >>   core global conferences.
>>> >> • A dedicated committee with continual and significant control over the
>>> >>   core OWASP global events (Conferences Committee)
>>> >> • A model which accounts for costs associated with Foundation resources
>>> >>   provided to local events.
>>> >> • Controls to prevent chapters from over-committing on financial costs
>>> >> • Final policy and structure should ensure no incentive for chapters to
>>> >>   form legal entities in their own countries.
>>> >> • Chapters must use established technology methods (RegOnline) any time
>>> >>   money is handled
>>> >> • CFPs need to use established OWASP procedures
>>> >> • A single "source of truth" for all events.  (I assume this means a
>>> >>   single place to coordinate all events)
>>> >> • Naming standards for all events
>>> >> • Logo standards that include OWASP on all logos, event sites,
>>> >>   collateral, etc
>>> >>
>>> >> I feel very strongly that these are guidelines that we can work with
>>> >> in order to craft this new policy.  That said, before we get started
>>> >> on the policy itself, I have a few questions for you all.
>>> >>
>>> >> 1) What criteria do we use to distinguish between an event controlled
>>> >> by the Chapter Committee vs an event controlled by the Conferences
>>> >> Committee?  It's clear that the label of "Conference" is not enough.
>>> >> I also feel strongly that metrics such as "number of attendees" or
>>> >> "where attendees are from" make for poor determining factors as they
>>> >> fail to account for chapter growth on a local level and OWASP
>>> >> Foundation growth on a regional level.  Personally, I think this
>>> >> decision belongs in the hands of the event planners with approval
>>> >> from the committee they ultimately choose to go with.  Both committees
>>> >> need to list out what structure they provide around event planning so
>>> >> the organizers have expectations set up front.
>>> >>
>>> >> 2) What kind of profit sharing model makes sense?  The board has
>>> >> specifically said they want a model that supports innovation, removes
>>> >> caps, and accounts for Foundation costs.  Assuming that we can
>>> >> enumerate what these Foundation costs are in relation to events, what
>>> >> can we do here to reward and even incentivize our chapters for putting
>>> >> on their own events, raising money, educating, and hopefully becoming
>>> >> self-sustaining?  Personally, I believe that any model which focuses
>>> >> on percentage splits here is inherently flawed.  In my arguments to
>>> >> the Board on behalf of LASCON I stated that what needs to happen (at
>>> >> least as it relates to Chapter events) is a tiered approach for profit
>>> >> sharing.
>>> >>
>>> >> Step 1 - We account for all obvious expenses for the event.  In
>>> >> theory, all events should be limited to the amount of up-front money
>>> >> they can commit specifically to cover things like venue deposits.  I
>>> >> think we need to come up with an amount for what this would be before
>>> >> committee approval is necessary.  We should strongly discourage
>>> >> spending additional funds beyond those required for "start up" until
>>> >> other funding has been obtained to cover the costs.
>>> >>
>>> >> Step 2 - We account for all Foundation expenses for the event.  We
>>> >> need to enumerate what exactly these are and come up with a way to
>>> >> "bill" them by event.  I would think this includes things like event
>>> >> insurance and Foundation staff time, but I've never been successful in
>>> >> getting a good dollar value or listing on what all of the Foundational
>>> >> expenses are.  In any case, I think once the "hard costs" are covered
>>> >> under Step 1, we need to cover these Foundational "soft costs".
>>> >>
>>> >> Step 3 - We give the participating chapters what they need to become
>>> >> self-sustaining.  This is where our approach should differ from the
>>> >> Conference Committee in that we are focused on "Chapter Events"
>>> >> whereas they are focused on "Foundation Events".  So, the question
>>> >> becomes....how do we know what the chapters need to become
>>> >> self-sustaining?  I know that several people have brought forth
>>> >> objections to this in the past, but I believe the answer here is a
>>> >> chapter budget.  It doesn't have to be anything overly complex.  In
>>> >> fact, our current chapter handbook actually already has a sample
>>> >> chapter budget referenced in it that is extremely simple.  We just
>>> >> need something that lists out a chapter's expenses over the course of
>>> >> the year.  Yes, sometimes budgets will be imprecise, but that's life
>>> >> in the real world.  If a chapter can take the time to run an event
>>> >> outside of their meetings that makes enough money to get to this
>>> >> step, then they certainly have the ability to do a simple budget.
>>> >> These budgets also help us address the board's concern over stale
>>> >> funds in chapter accounts.
>>> >>
>>> >> Step 4 - Any time we have enough money to get to this step, we should
>>> >> consider this "gravy".  With the chapter already getting what they
>>> >> need in order to self-sustain, and the foundation already getting
>>> >> what it needs to cover its costs, the only real caveat placed on
>>> >> these funds is that they should be used to benefit the foundation.
>>> >> What that means I don't really know.  Personally, I'd like to see
>>> >> some of these funds invested back into the regional OWASP effort if
>>> >> one exists.  Using LASCON as an example, I'd like to see some of our
>>> >> excess funds flow to the Dallas and Houston chapters that are
>>> >> strapped for cash, and subsequently, the ability to do big things
>>> >> like the Austin Chapter.  I'm going to make a proposal here, but am
>>> >> open to any other suggestions.  I'd like to see a 50/50 split on
>>> >> these remaining funds between the Foundation to support growth at an
>>> >> organizational level and any other chapters or projects that the
>>> >> planners feel strongly about supporting.  If none, all remaining
>>> >> funds should go to the Foundation by default.
>>> >>
>>> >> 3) How do we provide for an annual review, requirements, or rules to
>>> >> address the issue of stale chapter funds in excessive amounts?
>>> >> Obviously, stale funds only apply to chapters with a substantial
>>> >> amount of money in their accounts, but the problem is determining
>>> >> what is "excessive".  Because of this, I don't think we can set some
>>> >> random value here.  For example, the Austin Chapter requires about
>>> >> $6,650 in funds each year while the Houston Chapter is barely doing
>>> >> anything and has hardly any money in their bank account.  I think the
>>> >> answer here is that all chapters with over a certain amount of money
>>> >> in their account (defined by whatever we think is "excessive amounts"
>>> >> of stale funds) need to be audited on an annual basis.  I already
>>> >> discussed my thoughts with the committee around what that number is
>>> >> and how to handle the audit with the use of budgets, but am open to
>>> >> other suggestions that address this requirement from the board.
>>> >>
>>> >> I'd like to gather some feedback from the committee (Conference
>>> >> Committee feel free to chime in here as well) on these three topics
>>> >> and try to gather consensus before we move on to how we are going to
>>> >> address the other issues.  Thanks!
>>> >>
>>> >> ~josh
>>> >>
>>> >> ---------- Forwarded message ----------
>>> >> From: Michael Coates <michael.coates at owasp.org>
>>> >> Date: Wed, Feb 22, 2012 at 7:24 PM
>>> >> Subject: [Global_conference_committee] LASCON Exception - Board Vote
>>> >> To: Josh Sokol <josh.sokol at ni.com>, Mark Bristow
>>> >> <mark.bristow at owasp.org>
>>> >> Cc: OWASP Foundation Board List <owasp-board at lists.owasp.org>,
>>> >> global_chapter_committee at lists.owasp.org,
>>> >> global_conference_committee at lists.owasp.org
>>> >>
>>> >>
>>> >> We wanted to thank everyone for the open, honest, and respectful
>>> >> discussion of the Lascon exception issue.  The board has considered
>>> >> the information provided by all parties as well as the principles and
>>> >> mission of OWASP.  After discussion and deliberation we've reached the
>>> >> following decision:
>>> >>
>>> >>
>>> >> The OWASP Board has voted to approve the following:
>>> >> =
>>> >> Approve LASCON Exception per current chapter & committee rules with
>>> >> the recommendation that LASCON considers the objectives provided by
>>> >> the Board for the new policy. Further, this is the second and final
>>> >> exception for LASCON.
>>> >>
>>> >> The updated chapter/conference policy must be approved within 45 days
>>> >> or the LASCON exception is revoked.
>>> >> =
>>> >>
>>> >>
>>> >> Recommendations for the New Policy
>>> >>
>>> >> The OWASP board would like the conferences and chapters committees to
>>> >> work together to jointly draft and approve an update to the policies
>>> >> governing chapters and conference events. We appreciate all the hard
>>> >> work that the committees have put forth to grow our chapters and
>>> >> conferences to their current state.  We've accomplished some great
>>> >> things and this is another situation where we have to review and
>>> >> adjust as a result of our continued growth and success as an
>>> >> organization (a good problem to have).
>>> >>
>>> >> As global committee members you are in the best place to determine the
>>> >> specifics of this policy; however, we would like to set an overall
>>> >> direction that will be worked towards and we’ve outlined the following
>>> >> objectives that should be considered for the updated chapter and
>>> >> conference policies.
>>> >>
>>> >>
>>> >> We encourage the committees to review these guiding objectives and
>>> >> work to build a structure that will encourage the growth of OWASP and
>>> >> our mission.
>>> >>
>>> >> • Guiding Objectives
>>> >>     • We would like to see chapter empowerment through a profit
>>> >>       sharing model that is in line with our core value of Innovation
>>> >>     • We have concerns over the use of profit caps on gains from
>>> >>       specific events
>>> >>     • We would like some sort of annual review, requirements, or rules
>>> >>       to address the issue of stale chapter funds in excessive amounts
>>> >>     • We would like some periodic recap on funds spent by chapters to
>>> >>       help ensure funds are appointed on items aligned with the “OWASP
>>> >>       Mission”.
>>> >>     • We recognize there could be concerns over conflicting large
>>> >>       chapter events and our core global conferences. Controls should
>>> >>       be added to prevent this conflict (perhaps CFP blackout periods
>>> >>       in regions within X months of a global event)
>>> >>     • We would like a dedicated committee with continual and
>>> >>       significant control over the core OWASP global events (i.e.
>>> >>       conference committee)
>>> >>     • Foundation has resources that are being provided to local
>>> >>       chapter events but we need these costs to be accounted for in
>>> >>       the chapter's event planning
>>> >>     • Controls are needed to prevent chapters from over-committing on
>>> >>       financial costs
>>> >>     • Final policy and structure created by the committees should
>>> >>       ensure, as much as is possible, that there is no incentive for
>>> >>       chapters to form legal entities in their own countries.  Any
>>> >>       such activity has significant implications for the foundation
>>> >>       and must be discussed and coordinated with the Foundation Board.
>>> >> • Infrastructure
>>> >>     • Chapters must use established technology methods (such as
>>> >>       regonline) any time money is handled
>>> >>     • CFPs need to use established OWASP procedures
>>> >>     • A single “source of truth” is needed for all events so that
>>> >>       OWASP employees can best assist all events.  These include
>>> >>       events under either committee’s purview.
>>> >> • Branding
>>> >>     • Naming standard enforced for all events (e.g. OWASP X)
>>> >>     • Logo standards that include OWASP on all logos, event sites,
>>> >>       collateral, etc
>>> >>
>>> >>
>>> >> Thanks for the significant efforts that have been made thus far and we
>>> >> look forward to the updated policy/policies that can take OWASP and
>>> >> our growing member and chapter base to the next level.
>>> >>
>>> >>
>>> >> Lastly, Kate will update the official vote record to reflect our vote
>>> >> and capture the above guiding objectives on the wiki.
>>> >>
>>> >>
>>> >>
>>> >>
>>> >>
>>> >> -The OWASP Board
>>> >>
>>> >> Michael Coates
>>> >> michael.coates at owasp.org
>>> >>
>>> >>
>>> >>
>>> >>
>>> >
>>> >
>>> >
>>>
>>>
>>>
>>> --
>>> Tin Zaw, CISSP, CSSLP
>>> Chapter Leader and President, OWASP Los Angeles Chapter
>>> Member, OWASP Global Chapter Committee
>>> Google Voice: (213) 973-9295
>>> LinkedIn: http://www.linkedin.com/in/tinzaw
>>
>>
>
>
>
> --
> Mark Bristow
> (703) 596-5175
> mark.bristow at owasp.org
>
> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
> AppSec DC Organizer - https://www.appsecdc.org
>



-- 
Tin Zaw, CISSP, CSSLP
Chapter Leader and President, OWASP Los Angeles Chapter
Member, OWASP Global Chapter Committee
Google Voice: (213) 973-9295
LinkedIn: http://www.linkedin.com/in/tinzaw

