[Owasp-board] [Global_chapter_committee] A New Event Policy for OWASP

Mark Bristow mark.bristow at owasp.org
Tue Feb 28 00:38:09 UTC 2012


I think this is a great idea.

-Mark

Sent from my wireless device

On Feb 27, 2012, at 7:36 PM, Tin Zaw <tin.zaw at owasp.org> wrote:

> Mark and Josh,
>
> I am glad we are in agreement on the end result of this exercise (of
> coming up with a unified event profit-sharing/chapter-finance
> policies/guidelines).
>
> Can we agree also on how to reconcile our differences? Obviously, both
> committees and their leaders have different views and that's why we
> are here trying to sort this out. So, the question is how.
>
> My proposal is that each committee work separately on its own answers
> to the questions that Michael has posted. We should also add a
> priority (or points?) on how important a particular answer is. An
> answer to each question can be considered as a draft policy proposed by
> the corresponding committee.
>
> Two committees then reconcile these differences by negotiating two
> sets of draft policies. There will be give and take, and each
> committee might have some items that they consider non-negotiable.
> This negotiation/reconciliation should be facilitated by board members
> or other committee chairs/members (Jason Li?).
>
> If we can do this within the deadline that Michael has imposed, I
> think we will come up with some solutions that are acceptable to OWASP
> chapters for a foreseeable future.
>
> Of course, what I proposed is just an idea subject to further
> discussion and refinement. And I am proposing HOW we should resolve
> our differences, not WHAT the end result should be.
>
> What do you think?
>
> On Mon, Feb 27, 2012 at 4:20 PM, Mark Bristow <mark.bristow at owasp.org> wrote:
>> I absolutely agree that we need to come up with a single policy here that
>> applies universally.  I don't think we are doing a service to our chapters
>> or events by having confusing sets of conflicting rules.
>>
>>
>> On Mon, Feb 27, 2012 at 5:11 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>
>>> +1 Good Point Jason.  I sent a personal e-mail to Mark echoing this
>>> sentiment.  It's definitely in all of our best interests to come up with a
>>> single event policy that leverages the strengths and avoids the weaknesses
>>> from each committee.
>>>
>>> ~josh
>>>
>>> On Fri, Feb 24, 2012 at 5:46 PM, Tin Zaw <tin.zaw at owasp.org> wrote:
>>>>
>>>> Jason,
>>>>
>>>> Good point. I think we should aim to come up with one set of
>>>> guidelines to meetings, events and chapter finances.
>>>>
>>>> It is very likely that each committee will come up with different
>>>> drafts but the drafts need to be reconciled with the board's help to
>>>> become OWASP policies or guidelines.
>>>>
>>>> Thanks.
>>>>
>>>> On Fri, Feb 24, 2012 at 3:43 PM, Jason Li <jason.li at owasp.org> wrote:
>>>>> One thing I would suggest getting away from is the concept of whether
>>>>> an
>>>>> event is "controlled by" the Chapter Committee vs the Conferences
>>>>> Committee.
>>>>>
>>>>> That kind of mentality makes this policy-making very confrontational.
>>>>>
>>>>> This work isn't about one committee or another - it's about
>>>>> establishing a
>>>>> unified policy that makes sense for all of OWASP at a macro and micro
>>>>> scale.
>>>>>
>>>>> In fact, I see no reason why there couldn't be an event that had
>>>>> policies
>>>>> and support mechanisms from both committees that applied to the event.
>>>>>
>>>>> -Jason
>>>>>
>>>>> On Thu, Feb 23, 2012 at 1:46 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>> wrote:
>>>>>>
>>>>>> Chapter Committee Members,
>>>>>>
>>>>>> Hopefully by now you have all had a chance to read Michael's e-mail
>>>>>> regarding the Board's decision on the LASCON request for exemption and
>>>>>> the
>>>>>> desire for a change in policy around events.  We should all view the
>>>>>> discussions which will follow as an excellent way for our committee to
>>>>>> shape
>>>>>> the future of Chapters and their ability to grow and be sustainable
>>>>>> over the
>>>>>> long-term.  To summarize, the board has asked us to work with the
>>>>>> Conference
>>>>>> Committee to come up with a policy which addresses all of the following
>>>>>> guiding objectives:
>>>>>>
>>>>>> • Chapter empowerment through a profit sharing model that is in line
>>>>>>   with our core value of Innovation
>>>>>> • No profit caps on gains from specific events
>>>>>> • Annual review, requirements, or rules to address the issue of stale
>>>>>>   chapter funds in excessive amounts
>>>>>> • Periodic recap on funds spent by chapters to help ensure funds are
>>>>>>   appointed on items aligned with the "OWASP Mission"
>>>>>> • Added controls to prevent conflicts between large chapter events and
>>>>>>   core global conferences.
>>>>>> • A dedicated committee with continual and significant control over the
>>>>>>   core OWASP global events (Conferences Committee)
>>>>>> • A model which accounts for costs associated with Foundation resources
>>>>>>   provided to local events.
>>>>>> • Controls to prevent chapters from over-committing on financial costs
>>>>>> • Final policy and structure should ensure no incentive for chapters to
>>>>>>   form legal entities in their own countries.
>>>>>> • Chapters must use established technology methods (RegOnline) any time
>>>>>>   money is handled
>>>>>> • CFPs need to use established OWASP procedures
>>>>>> • A single "source of truth" for all events.  (I assume this means a
>>>>>>   single place to coordinate all events)
>>>>>> • Naming standards for all events
>>>>>> • Logo standards that include OWASP on all logos, event sites,
>>>>>>   collateral, etc
>>>>>>
>>>>>> I feel very strongly that these are guidelines that we can work with
>>>>>> in
>>>>>> order to craft this new policy.  That said, before we get started on
>>>>>> the
>>>>>> policy itself, I have a few questions for you all.
>>>>>>
>>>>>> 1) What criteria do we use to distinguish between an event controlled
>>>>>> by
>>>>>> the Chapter Committee vs an event controlled by the Conferences
>>>>>> Committee.
>>>>>> It's clear that the label of "Conference" is not enough.  I also feel
>>>>>> strongly that metrics such as "number of attendees" or "where
>>>>>> attendees are
>>>>>> from" make for poor determining factors as they fail to account for
>>>>>> chapter
>>>>>> growth on a local level and OWASP Foundation growth on a regional
>>>>>> level.
>>>>>> Personally, I think this decision belongs in the hands of the event
>>>>>> planners
>>>>>> with approval from the committee they ultimately choose to go with.
>>>>>> Both
>>>>>> committees need to list out what structure they provide around event
>>>>>> planning so the organizers have expectations set up front.
>>>>>>
>>>>>> 2) What kind of profit sharing model makes sense?  The board has
>>>>>> specifically said they want a model that supports innovation, removes
>>>>>> caps,
>>>>>> and accounts for Foundation costs.  Assuming that we can enumerate
>>>>>> what
>>>>>> these Foundation costs are in relation to events, what can we do here
>>>>>> to
>>>>>> reward and even incentivize our chapters for putting on their own
>>>>>> events,
>>>>>> raising money, educating, and hopefully becoming self-sustaining?
>>>>>> Personally, I believe that any model which focuses on percentage
>>>>>> splits here
>>>>>> is inherently flawed.  In my arguments to the Board on behalf of
>>>>>> LASCON I
>>>>>> stated that what needs to happen (at least as it relates to Chapter
>>>>>> events)
>>>>>> is a tiered approach for profit sharing.
>>>>>>
>>>>>> Step 1 - We account for all obvious expenses for the event.  In
>>>>>> theory,
>>>>>> all events should be limited to the amount of up-front money they can
>>>>>> commit
>>>>>> specifically to cover things like venue deposits.  I think we need to
>>>>>> come
>>>>>> up with an amount for what this would be before committee approval is
>>>>>> necessary.  We should strongly discourage spending additional funds
>>>>>> beyond
>>>>>> those required for "start up" until other funding has been obtained to
>>>>>> cover
>>>>>> the costs.
>>>>>>
>>>>>> Step 2 - We account for all Foundation expenses for the event.  We
>>>>>> need to
>>>>>> enumerate what exactly these are and come up with a way to "bill" them
>>>>>> by
>>>>>> event.  I would think this includes things like event insurance and
>>>>>> Foundation staff time, but I've never been successful in getting a
>>>>>> good
>>>>>> dollar value or listing on what all of the Foundational expenses are.
>>>>>> In
>>>>>> any case, I think once the "hard costs" are covered under Step 1, we
>>>>>> need to
>>>>>> cover these Foundational "soft costs".
>>>>>>
>>>>>> Step 3 - We give the participating chapters what they need to become
>>>>>> self-sustaining.  This is where our approach should differ from the
>>>>>> Conference Committee in that we are focused on "Chapter Events"
>>>>>> whereas they
>>>>>> are focused on "Foundation Events".  So, the question becomes....how
>>>>>> do we
>>>>>> know what the chapters need to become self-sustaining?  I know that
>>>>>> several
>>>>>> people have brought forth objections to this in the past, but I
>>>>>> believe the
>>>>>> answer here is a chapter budget.  It doesn't have to be anything
>>>>>> overly
>>>>>> complex.  In fact, our current chapter handbook actually already has a
>>>>>> sample chapter budget referenced in it that is extremely simple.  We
>>>>>> just
>>>>>> need something that lists out a chapter's expenses over the course of
>>>>>> the
>>>>>> year.  Yes, sometimes budgets will be imprecise, but that's life in
>>>>>> the real
>>>>>> world.  If a chapter can take the time to run an event outside of
>>>>>> their
>>>>>> meetings that makes enough money to get to this step, then they
>>>>>> certainly
>>>>>> have the ability to do a simple budget.  These budgets also help us
>>>>>> address
>>>>>> the board's concern over stale funds in chapter accounts.
>>>>>>
>>>>>> Step 4 - Any time we have enough money to get to this step, we should
>>>>>> consider this "gravy".  With the chapter already getting what they need
>>>>>> in
>>>>>> order to self-sustain, and the foundation already getting what it
>>>>>> needs to
>>>>>> cover its costs, the only real caveat placed on these funds is that
>>>>>> they
>>>>>> should be used to benefit the foundation.  What that means I don't
>>>>>> really
>>>>>> know.  Personally, I'd like to see some of these funds invested back
>>>>>> into
>>>>>> the regional OWASP effort if one exists.  Using LASCON as an example,
>>>>>> I'd
>>>>>> like to see some of our excess funds flow to the Dallas and Houston
>>>>>> chapters
>>>>>> that are strapped for cash, and subsequently, the ability to do big
>>>>>> things
>>>>>> like the Austin Chapter.  I'm going to make a proposal here, but am
>>>>>> open to
>>>>>> any other suggestions.  I'd like to see a 50/50 split on these
>>>>>> remaining
>>>>>> funds between the Foundation to support growth at an organizational
>>>>>> level
>>>>>> and any other chapters or projects that the planners feel strongly
>>>>>> about
>>>>>> supporting.  If none, all remaining funds should go to the Foundation
>>>>>> by
>>>>>> default.
>>>>>>
>>>>>> 3) How do we provide for an annual review, requirements, or rules to
>>>>>> address the issue of stale chapter funds in excessive amounts?
>>>>>> Obviously,
>>>>>> stale funds only applies to chapters with a substantial amount of
>>>>>> money in
>>>>>> their accounts, but the problem is determining what is "excessive".
>>>>>> Because
>>>>>> of this, I don't think we can set some random value here.  For
>>>>>> example, the
>>>>>> Austin Chapter requires about $6,650 in funds each year while the
>>>>>> Houston
>>>>>> Chapter is barely doing anything with and has hardly any money in
>>>>>> their bank
>>>>>> account.  I think the answer here is that all chapters with over a
>>>>>> certain
>>>>>> amount of money in their account (defined by whatever we think is
>>>>>> "excessive
>>>>>> amounts" of stale funds) need to be audited on an annual basis.  I
>>>>>> already
>>>>>> discussed my thoughts with the committee around what that number is
>>>>>> and how
>>>>>> to handle the audit with the use of budgets, but am open to other
>>>>>> suggestions that address this requirement from the board.
>>>>>>
>>>>>> I'd like to gather some feedback from the committee (Conference
>>>>>> Committee
>>>>>> feel free to chime in here as well) on these three topics and try to
>>>>>> gather
>>>>>> consensus before we move on to how we are going to address the other
>>>>>> issues.  Thanks!
>>>>>>
>>>>>> ~josh
>>>>>>
>>>>>> ---------- Forwarded message ----------
>>>>>> From: Michael Coates <michael.coates at owasp.org>
>>>>>> Date: Wed, Feb 22, 2012 at 7:24 PM
>>>>>> Subject: [Global_conference_committee] LASCON Exception - Board Vote
>>>>>> To: Josh Sokol <josh.sokol at ni.com>, Mark Bristow
>>>>>> <mark.bristow at owasp.org>
>>>>>> Cc: OWASP Foundation Board List <owasp-board at lists.owasp.org>,
>>>>>> global_chapter_committee at lists.owasp.org,
>>>>>> global_conference_committee at lists.owasp.org
>>>>>>
>>>>>>
>>>>>> We wanted to thank everyone for the open, honest, and respectful
>>>>>> discussion of the Lascon exception issue.  The board has considered
>>>>>> the
>>>>>> information provided by all parties as well as the principles and
>>>>>> mission of
>>>>>> OWASP.  After discussion and deliberation we've reached the following
>>>>>> decision:
>>>>>>
>>>>>>
>>>>>> The OWASP Board has voted to approve the following:
>>>>>> =
>>>>>> Approve LASCON Exception per current chapter & committee rules with
>>>>>> the
>>>>>> recommendation that LASCON considers the objectives provided by the
>>>>>> Board
>>>>>> for the new policy. Further, this is the second and final exception
>>>>>> for
>>>>>> LASCON.
>>>>>>
>>>>>> The updated chapter/conference policy must be approved within 45 days
>>>>>> or
>>>>>> LASCON exception is revoked.
>>>>>> =
>>>>>>
>>>>>>
>>>>>> Recommendations for the New Policy
>>>>>>
>>>>>> The OWASP board would like the conferences and chapters committees to
>>>>>> work
>>>>>> together to jointly draft and approve an update to the policies
>>>>>> governing
>>>>>> chapters and conference events. We appreciate all the hard work that
>>>>>> the
>>>>>> committees have put forth to grow our chapters and conferences to its
>>>>>> current state.  We've accomplished some great things and this is
>>>>>> another
>>>>>> situation where we have to review and adjust as a result of our
>>>>>> continued
>>>>>> growth and success as an organization (a good problem to have).
>>>>>>
>>>>>> As global committee members you are in the best place to determine the
>>>>>> specifics of this policy; however, we would like to set an overall
>>>>>> direction
>>>>>> that will be worked towards and we’ve outlined the following
>>>>>> objectives that
>>>>>> should be considered for the updated chapter and conference policies.
>>>>>>
>>>>>>
>>>>>> We encourage the committees to review these guiding objectives and
>>>>>> work to
>>>>>> build a structure that will encourage the growth of OWASP and our
>>>>>> mission.
>>>>>>
>>>>>>        • Guiding Objectives
>>>>>>                • We would like to see chapter empowerment through a profit
>>>>>>                  sharing model that is in line with our core value of Innovation
>>>>>>                • We have concerns over the use of profit caps on gains
>>>>>>                  from specific events
>>>>>>                • We would like some sort of annual review, requirements,
>>>>>>                  or rules to address the issue of stale chapter funds in
>>>>>>                  excessive amounts
>>>>>>                • We would like some periodic recap on funds spent by
>>>>>>                  chapters to help ensure funds are appointed on items aligned
>>>>>>                  with the “OWASP Mission”.
>>>>>>                • We recognize there could be concerns over conflicting
>>>>>>                  large chapter events and our core global conferences. Controls
>>>>>>                  should be added to prevent this conflict (perhaps CFP blackout
>>>>>>                  periods in regions within X months of a global event)
>>>>>>                • We would like a dedicated committee with continual and
>>>>>>                  significant control over the core OWASP global events (i.e.
>>>>>>                  conference committee)
>>>>>>                • Foundation has resources that can be are being provided
>>>>>>                  to local chapter events but we need these costs to be accounted
>>>>>>                  for in the chapter's event planning
>>>>>>                • Controls are needed to prevent chapters from
>>>>>>                  over-committing on financial costs
>>>>>>                • Final policy and structure created by the committees
>>>>>>                  should ensure, as much as is possible, that there is no
>>>>>>                  incentive for chapters to form legal entities in their own
>>>>>>                  countries.  Any such activity has significant implications for
>>>>>>                  the foundation and must be discussed and coordinated with the
>>>>>>                  Foundation Board.
>>>>>>        • Infrastructure
>>>>>>                • Chapters must use established technology methods (such as
>>>>>>                  regonline) any time money is handled
>>>>>>                • CFPs need to use established OWASP procedures
>>>>>>                • A single “source of truth” is needed for all events so
>>>>>>                  that OWASP employees can best assist all events.  These include
>>>>>>                  events under either committee’s purview.
>>>>>>        • Branding
>>>>>>                • Naming standard enforced for all events (e.g. OWASP X)
>>>>>>                • Logo standards that includes OWASP on all logos, event
>>>>>>                  sites, collateral, etc
>>>>>>
>>>>>>
>>>>>> Thanks for the significant efforts that have been made thus far and we
>>>>>> look forward to the updated policy/policies that can take OWASP and
>>>>>> our
>>>>>> growing member and chapter base to the next level.
>>>>>>
>>>>>>
>>>>>> Lastly, Kate will update the official vote record to reflect our vote
>>>>>> and
>>>>>> capture the above guiding objectives on the wiki.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> -The OWASP Board
>>>>>>
>>>>>> Michael Coates
>>>>>> michael.coates at owasp.org
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Global_conference_committee mailing list
>>>>>> Global_conference_committee at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/global_conference_committee
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Global_chapter_committee mailing list
>>>>>> Global_chapter_committee at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/global_chapter_committee
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Owasp-board mailing list
>>>>> Owasp-board at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Tin Zaw, CISSP, CSSLP
>>>> Chapter Leader and President, OWASP Los Angeles Chapter
>>>> Member, OWASP Global Chapter Committee
>>>> Google Voice: (213) 973-9295
>>>> LinkedIn: http://www.linkedin.com/in/tinzaw
>>>
>>>
>>
>>
>>
>> --
>> Mark Bristow
>> (703) 596-5175
>> mark.bristow at owasp.org
>>
>> OWASP Global Conferences Committee Chair - http://is.gd/5MTvF
>> OWASP DC Chapter Co-Chair - http://is.gd/5MTwu
>> AppSec DC Organizer - https://www.appsecdc.org
>>
>
>
>
> --
> Tin Zaw, CISSP, CSSLP
> Chapter Leader and President, OWASP Los Angeles Chapter
> Member, OWASP Global Chapter Committee
> Google Voice: (213) 973-9295
> LinkedIn: http://www.linkedin.com/in/tinzaw

