[Owasp-board] Role of the Compliance Officer

Tom Brennan - OWASP tomb at owasp.org
Thu Feb 27 18:11:16 UTC 2014

Suggested review
Sent from my mobile autocorrect typos included call 9732020122 to discuss

> On Feb 27, 2014, at 10:09 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
> He was appointed the role of whistleblower, not compliance? Eh?
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
>> On 27 Feb 2014, at 14:54, Josh Sokol <josh.sokol at owasp.org> wrote:
>> Board,
>> I have been speaking with Martin in private in an attempt to clarify my understanding of the role of the compliance officer and the processes involved.  It sounds like, to some extent, we are expecting him to develop the process, instead of regulate and enforce it, and this doesn't seem fair or correct as the act of creating the process could actually create accusations of bias.  As such, I think that it is reasonable for the Board to discuss what this process should look like beginning with intake, inclusive of investigation, and ending with the resolution.  Some important questions:
>> 1) How is the complaint initiated?
>> I think that we should strongly discourage allegations on the public mailing lists as accusations will lead to conflict which leads to chaos.  Yoda said that, right?  In any case, Martin had an excellent idea to create a form requesting specific information from the accuser.  If the form is not completed properly, then I think it is fair for the Compliance Officer to either request additional information if the source is known or discard it if the source is not known.  My suggestion was to have this form go to compliance at owasp.org which would be the new mailing list (I'm not sure I like "ombud").  This way the Board and others could stay in the loop on the public facing side, which includes the original allegation, but will continue to allow the Compliance Officer to perform the investigation from there.
>> 2) The reporting procedure (https://www.owasp.org/index.php/Governance/Whistleblower_Policy#Reporting_Procedure) says that people are required to report their complaints to the Compliance Officer who then has the responsibility to investigate all reported complaints.  Is the Compliance Officer required to notify anyone at the time of complaint or at any point during the process?
>> My personal feeling is that, as with any system, there should be checks and balances, so I feel like this activity should not be run completely in a vacuum.  I believe that the Compliance Officer should be required to report the complaint to the Board (not necessarily the person who reported it unless relevant) and should be required to maintain evidence of the investigation for review by the Board.  I'm fine with the investigation itself being a relative black box, but evidence, along with the recommendation, should be provided to the Board as the end result.
>> 3) What is the end result of the Compliance Officer's investigation?
>> The way this whistleblower policy currently reads, "appropriate corrective action will be taken if warranted by the investigation" and "the Compliance Officer will complete a final report noting the actors involved, allegations, remediation actions, and rationale for the determination".  So, to be clear, the policy today not only has the Compliance Officer receiving the complaint, but performing the investigation, and doling out the punishment.  In effect, we have made the Compliance Officer judge, jury, and executioner.  Our unbiased Compliance Officer can no longer maintain his objectivity in future investigations if he is responsible for all three of these roles.  In my opinion, the Compliance Officer should, in the end, provide a report to the Board with a recommendation and rationale for the determination as well as supporting evidence that they considered to make that decision.  This report should be made public, on the compliance mailing list.  Then, the Board should vote (if necessary) on the result.
>> Am I way off base here or does this make sense?  Please discuss.
>> ~josh
>> _______________________________________________
>> Owasp-board mailing list
>> Owasp-board at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-board