[Owasp-board] Role of the Compliance Officer

Tobias tobias.gondrom at owasp.org
Thu Feb 27 18:06:06 UTC 2014


I agree. Simply the aspect that we have two differing interpretations of
the same document is an indicator that the document is probably
ambiguous and we need to fix the document.

Regarding using a form and/or email: I have no strong opinion on that.
Whatever works best.
I like structure, too.

Regarding your point #2, I added a comment inline below.

Best, Tobias

PS: btw, if we reword this document, this email discussion should
probably be forwarded to the governance list.

On 27/02/14 17:39, Josh Sokol wrote:
> Tobias,
> 1) What the form would add is enforcement of structure and process. 
> It makes it very clear what information is required in order to "blow
> the whistle".  If the information is missing, then the request is
> invalid.  Black and white.  This suggestion came from Martin, not from
> me.  I was restating and I am supportive of this as it allows him to
> apply a binary operation to determining which requests have enough
> information in order to investigate further.
> As for the purpose of blowing the whistle without exposing oneself,
> this can still easily be handled through the process.  Rather than
> providing a name, this can be made optional.  If no name is provided,
> and no further contact is initiated, then the request would be
> evaluated for completeness and entertained based on the data
> provided.  If no name is provided, but contact is initiated in private
> with Martin, then the source could remain anonymous, but the allegation
> would be disclosed.  It is Martin's role to ensure that "whistle
> blowing" activities do not result in retaliation.
> 2) I don't think we have the same interpretation of the written
> document which leads me to believe that it is unclear and requires
> modification for clarification of intent.  When I read it, I see "The
> OWASP Foundation's Compliance Officer will notify the person who
> submitted a complaint and acknowledge receipt of the reported
> violation or suspected violation. All reports will be promptly
> investigated and appropriate corrective action will be taken if
> warranted by the investigation."  To me, this says that the Compliance
> Officer will investigate and provide corrective action as well if
> warranted.  Investigation = Judge, Determination = Jury, Corrective
> Action = Executioner.  I agree that a report will be provided to the
> Board, but this policy specifies far more than just that.

Please keep in mind that the "OWASP Whistleblower & Anti-Retaliation
Policy" is not only about describing the role of the Compliance Officer
but about how OWASP as an organisation handles such cases overall, with
the Compliance Officer being one part / mechanism of it.
So actually with that overall scope, if you look at the two sentences in
detail, this reads:
First sentence: "... the compliance officer will notify the person... "
(action done by the officer)
Second sentence: "All reports will be promptly investigated and
appropriate corrective action will be taken if warranted by the
investigation." Note the passive voice. This is not only about the
Compliance Officer. The org, including the officer, shall investigate
promptly. And it does not mean corrective actions are taken by the
Compliance Officer, but by the organisation, i.e. whoever is empowered
by the organisation to take such actions. For operational questions,
that might be the ED; for general issues this would be the board.

> 3) I agree that this should be the end result.  I think that the
> current policy implies that not only does the Compliance Officer make
> this report, but also takes some action including determination and
> punishment.  Sounds like we agree that this should not be the case?
> I believe I understand the intent of the policy and am 100% behind
> that.  I think that we need to clearly define the process here so that
> Martin, or any future Compliance Officer, is aware of how it should
> work from start to end, what our expectations are for him, and how
> those expectations affect the investigation which he is conducting.

I agree.

> ~josh
> On Thu, Feb 27, 2014 at 11:18 AM, Tobias <tobias.gondrom at owasp.org> wrote:
>     Hi Josh,
>     my understanding is the following:
>     1. the main purpose of compliance officer is to allow people to
>     "blow the whistle" without exposing themselves (if they fear
>     retaliation). I.e. someone can send an email to him in confidence
>     via compliance at owasp.org without
>     exposing oneself. Note: I am not sure a Google form would add
>     anything beyond the email we already have; in fact one might feel
>     that it is rather more risky of losing confidentiality with the
>     form than a simple email. So I am not sure what the form would add.
>     This is mainly for purposes if there are issues with staff or
>     financial or accounting issues. E.g. a staff member would find an
>     accounting irregularity or potentially fraudulent behaviour and
>     wants to report the issue and the evidence in confidence to avoid
>     retaliation from the suspected person (that is if that person is
>     in a position to exercise such retaliation).
>     2. Second, based on the written document, my understanding is that
>     the compliance officer is investigator and advisor, but not judge.
>     In several places, the policy states clearly that the compliance
>     officer works on behalf of the board and provides the report to
>     the board for judgement.
>     One edge case might be if the compliance officer finds proof that
>     the board itself would act in a fraudulent way, in which case, I
>     would expect the Compliance officer to report this to the
>     community and the police - along with the found evidence.
>     3. The end result from the compliance officer is his report to the
>     board, preferably with a recommendation.
>     (note again: the key feature is that the compliance officer may
>     leave out the identity of the reporting person in his report - not
>     the evidence itself uncovered in his investigation - to protect
>     that person from retaliation.)
>     This is basically the standard compliance officer / whistle blower
>     scenario for organisations. If you and Martin feel that the
>     current policy is not clear enough on the purpose and scope of the
>     role or ambiguous, the board should indeed clarify it.
>     Best regards, Tobias
>     On 27/02/14 14:54, Josh Sokol wrote:
>>     Board,
>>     I have been speaking with Martin in private in an attempt to
>>     clarify my understanding of the role of the compliance officer
>>     and the processes involved.  It sounds like, to some extent, we
>>     are expecting him to develop the process, instead of regulate and
>>     enforce it, and this doesn't seem fair or correct as the act of
>>     creating the process could actually create accusations of bias. 
>>     As such, I think that it is reasonable for the Board to discuss
>>     what this process should look like beginning with intake,
>>     inclusive of investigation, and ending with the resolution.  Some
>>     important questions:
>>     1) How is the complaint initiated?
>>     I think that we should strongly discourage allegations on the
>>     public mailing lists as accusations will lead to conflict which
>>     leads to chaos.  Yoda said that, right?  In any case, Martin had
>>     an excellent idea to create a form requesting specific
>>     information from the accuser.  If the form is not completed
>>     properly, then I think it is fair for the Compliance Officer to
>>     either request additional information if the source is known or
>>     discard it if the source is not known.  My suggestion was to have
>>     this form go to compliance at owasp.org which would be the new mailing list
>>     (I'm not sure I like "ombud").  This way the Board and others
>>     could stay in the loop on the public facing side, which includes
>>     the original allegation, but will continue to allow the
>>     compliance officer to perform the investigation from there.
>>     2) The reporting procedure
>>     (https://www.owasp.org/index.php/Governance/Whistleblower_Policy#Reporting_Procedure)
>>     says that people are required to report their complaints to the
>>     Compliance Officer who then has the responsibility to investigate
>>     all reported complaints.  Is the Compliance officer required to
>>     notify anyone at the time of complaint or at any point during the
>>     process?
>>     My personal feeling is that, as with any system, there should be
>>     checks and balances, so I feel like this activity should not be
>>     run completely in a vacuum.  I believe that the Compliance
>>     Officer should be required to report the complaint to the Board
>>     (not necessarily the person who reported it unless relevant) and
>>     should be required to maintain evidence of the investigation for
>>     review by the Board.  I'm fine with the investigation itself
>>     being a relative black box, but evidence, along with the
>>     recommendation, should be provided to the Board as the end result.
>>     3) What is the end result of the Compliance Officer's investigation?
>>     The way this whistleblower policy currently reads "appropriate
>>     corrective action will be taken if warranted by the
>>     investigation" and "the Compliance Officer will complete a final
>>     report noting the actors involved, allegations, remediation
>>     actions, and rationale for the determination".  So, to be clear,
>>     the policy today not only has the Compliance Officer receiving
>>     the complaint, but performing the investigation, and doling out
>>     the punishment.  In effect, we have made the Compliance Officer
>>     judge, jury, and executioner.  Our unbiased Compliance Officer
>>     can no longer maintain his objectivity in future investigations
>>     if he is responsible for all three of these roles.  In my
>>     opinion, the Compliance Officer should, in the end, provide a
>>     report to the Board with a recommendation and rationale for the
>>     determination as well as supporting evidence that they considered
>>     to make that decision.  This report should be made public, on the
>>     compliance mailing list.  Then, the Board should vote (if
>>     necessary) on the result.
>>     Am I way off base here or does this make sense?  Please discuss.
>>     ~josh
