[Owasp-board] Role of the Compliance Officer

Josh Sokol josh.sokol at owasp.org
Thu Feb 27 17:39:13 UTC 2014


1) What the form would add is enforcement of structure and process.  It
makes it very clear what information is required in order to "blow the
whistle".  If the information is missing, then the request is invalid.
Black and white.  This suggestion came from Martin, not from me.  I was
restating and I am supportive of this as it allows him to apply a binary
operation to determining which requests have enough information in order to
investigate further.

As for the purpose of blowing the whistle without exposing oneself, this
can still easily be handled through the process.  Rather than providing a
name, this can be made optional.  If no name is provided, and no further
contact is initiated, then the request would be evaluated for completeness
and entertained based on the data provided.  If no name is provided, but
contact is initiated in private with Martin, then the source would remain
anonymous, but the allegation would be disclosed.  It is Martin's role to
ensure that "whistle blowing" activities do not result in retaliation.

2) I don't think we have the same interpretation of the written document
which leads me to believe that it is unclear and requires modification for
clarification of intent.  When I read it, I see "The OWASP Foundation's
Compliance Officer will notify the person who submitted a complaint and
acknowledge receipt of the reported violation or suspected violation. All
reports will be promptly investigated and appropriate corrective action
will be taken if warranted by the investigation."  To me, this says that
the Compliance Officer will investigate and provide corrective action as
well if warranted.  Investigation = Judge, Determination = Jury, Corrective
Action = Executioner.  I agree that a report will be provided to the Board,
but this policy specifies far more than just that.

3) I agree that this should be the end result.  I think that the current
policy implies that not only does the Compliance Officer make this report,
but also takes some action including determination and punishment.  Sounds
like we agree that this should not be the case?

I believe I understand the intent of the policy and am 100% behind that.  I
think that we need to clearly define the process here so that Martin, or
any future Compliance Officer, is aware of how it should work from start to
end, what our expectations are for him, and how those expectations
affect the investigation which he is conducting.


On Thu, Feb 27, 2014 at 11:18 AM, Tobias <tobias.gondrom at owasp.org> wrote:

>  Hi Josh,
> my understanding is the following:
> 1. the main purpose of compliance officer is to allow people to "blow the
> whistle" without exposing themselves (if they fear retaliation) I.e.
> someone can send an email to him in confidence via compliance at owasp.org
> without exposing oneself. Note: I am not sure a Google form would add
> anything beyond the email we already have, in fact one might feel that it
> rather is more risky of losing confidentiality with the form than a simple
> email. So am not sure what the form would add.
> This is mainly for purposes if there are issues with staff or financial or
> accounting issues. E.g. a staff member would find an accounting irregularity
> or potentially fraudulent behaviour and wants to report the issue and the
> evidence in confidence to avoid retaliation from the suspected person (that
> is if that person is in a position to exercise such retaliation).
> 2. Second, based on the written document, my understanding is that the
> compliance officer is investigator and advisor, but not judge. In several
> places, the policy states clearly that the compliance officer works on
> behalf of the board and provides the report to the board for judgement.
> One edge case might be if the compliance officer finds proof that the
> board itself would act in a fraudulent way, in which case, I would expect
> the Compliance officer to report this to the community and the police -
> along with the found evidence.
> 3. The end result from the compliance officer is his report to the board,
> preferably with a recommendation.
> (note again: the key feature is that the compliance officer may leave out
> the identity of the reporting person in his report - not the evidence
> itself uncovered in his investigation - to protect that person from
> retaliation.)
> This is basically the standard compliance officer / whistle blower
> scenario for organisations. If you and Martin feel that the current policy
> is not clear enough on the purpose and scope of the role or ambiguous, the
> board should indeed clarify it.
> Best regards, Tobias
> On 27/02/14 14:54, Josh Sokol wrote:
>     Board,
>  I have been speaking with Martin in private in an attempt to clarify my
> understanding of the role of the compliance officer and the processes
> involved.  It sounds like, to some extent, we are expecting him to develop
> the process, instead of regulate and enforce it, and this doesn't seem fair
> or correct as the act of creating the process could actually create
> accusations of bias.  As such, I think that it is reasonable for the Board
> to discuss what this process should look like beginning with intake,
> inclusive of investigation, and ending with the resolution.  Some important
> questions:
> 1) How is the complaint initiated?
> I think that we should strongly discourage allegations on the public
> mailing lists as accusations will lead to conflict which leads to chaos.
> Yoda said that, right?  In any case, Martin had an excellent idea to create
> a form requesting specific information from the accuser.  If the form is
> not completed properly, then I think it is fair for the Compliance Officer
> to either request additional information if the source is known or discard
> it if the source is not known.  My suggestion was to have this form go to
> compliance at owasp.org which would be the new mailing list (I'm not sure I
> like "ombud").  This way the Board and others could stay in the loop on the
> public facing side, which includes the original allegation, but will
> continue to allow the compliance officer to perform the investigation from
> there.
>  2) The reporting procedure (
> https://www.owasp.org/index.php/Governance/Whistleblower_Policy#Reporting_Procedure)
> says that people are required to report their complaints to the Compliance
> Officer who then has the responsibility to investigate all reported
> complaints.  Is the Compliance officer required to notify anyone at the
> time of complaint or at any point during the process?
> My personal feeling is that, as with any system, there should be checks
> and balances, so I feel like this activity should not be run completely in
> a vacuum.  I believe that the Compliance Officer should be required to
> report the complaint to the Board (not necessarily the person who reported
> it unless relevant) and should be required to maintain evidence of the
> investigation for review by the Board.  I'm fine with the investigation
> itself being a relative black box, but evidence, along with the
> recommendation, should be provided to the Board as the end result.
>   3) What is the end result of the Compliance Officers investigation?
>  The way this whistleblower policy currently reads "appropriate corrective
> action will be taken if warranted by the investigation" and "the Compliance
> Officer will complete a final report noting the actors involved,
> allegations, remediation actions, and rationale for the determination".
> So, to be clear, the policy today not only has the Compliance Officer
> receiving the complaint, but performing the investigation, and doling out
> the punishment.  In effect, we have made the Compliance Officer judge,
> jury, and executioner.  Our unbiased Compliance Officer can no longer
> maintain his objectivity in future investigations if he is responsible for
> all three of these roles.  In my opinion, the Compliance Officer should,
> in the end, provide a report to the Board with a recommendation and
> rationale for the determination as well as supporting evidence that they
> considered to make that decision.  This report should be made public, on
> the compliance mailing list.  Then, the Board should vote (if necessary) on
> the result.
>  Am I way off base here or does this make sense?  Please discuss.
>  ~josh
> _______________________________________________
> Owasp-board mailing list
> Owasp-board at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-board