[Owasp-board] Role of the Compliance Officer

Josh Sokol josh.sokol at owasp.org
Thu Feb 27 14:54:28 UTC 2014


I have been speaking with Martin in private in an attempt to clarify my
understanding of the role of the compliance officer and the processes
involved.  It sounds like, to some extent, we are expecting him to develop
the process, instead of regulate and enforce it, and this doesn't seem fair
or correct as the act of creating the process could actually create
accusations of bias.  As such, I think that it is reasonable for the Board
to discuss what this process should look like beginning with intake,
inclusive of investigation, and ending with the resolution.  Some important

1) How is the complaint initiated?

I think that we should strongly discourage allegations on the public mailing
lists as accusations will lead to conflict which leads to chaos.  Yoda said
that, right?  In any case, Martin had an excellent idea to create a form
requesting specific information from the accuser.  If the form is not
completed properly, then I think it is fair for the Compliance Officer to
either request additional information if the source is known or discard it
if the source is not known.  My suggestion was to have this form go to
compliance at owasp.org which would be the new mailing list (I'm not sure I
like "ombud").  This way the Board and others could stay in the loop on the
public facing side, which includes the original allegation, but will
continue to allow the compliance officer to perform the investigation from

2) The reporting procedure (
says that people are required to report their complaints to the Compliance
Officer who then has the responsibility to investigate all reported
complaints.  Is the Compliance officer required to notify anyone at the
time of complaint or at any point during the process?

My personal feeling is that, as with any system, there should be checks and
balances, so I feel like this activity should not be run completely in a
vacuum.  I believe that the Compliance Officer should be required to report
the complaint to the Board (not necessarily the person who reported it
unless relevant) and should be required to maintain evidence of the
investigation for review by the Board.  I'm fine with the investigation
itself being a relative black box, but evidence, along with the
recommendation, should be provided to the Board as the end result.

3) What is the end result of the Compliance Officer's investigation?

The way this whistleblower policy currently reads "appropriate corrective
action will be taken if warranted by the investigation" and "the Compliance
Officer will complete a final report noting the actors involved,
allegations, remediation actions, and rationale for the determination".
So, to be clear, the policy today not only has the Compliance Officer
receiving the complaint, but performing the investigation, and doling out
the punishment.  In effect, we have made the Compliance Officer judge,
jury, and executioner.  Our unbiased Compliance Officer can no longer
maintain his objectivity in future investigations if he is responsible for
all three of these roles.  In my opinion, the Compliance Officer should,
in the end, provide a report to the Board with a recommendation and
rationale for the determination as well as supporting evidence that they
considered to make that decision.  This report should be made public, on
the compliance mailing list.  Then, the Board should vote (if necessary) on
the result.

Am I way off base here or does this make sense?  Please discuss.
