[Owasp-board] Role of the Compliance Officer

Josh Sokol josh.sokol at owasp.org
Thu Feb 27 18:23:20 UTC 2014

It sounds like you and I agree on the intent of the document as well as the
general process.  I think that we should work on clarifying the language so
that it explicitly says what we intend it to say and present that
clarification to the Governance list.  Tom provided a link with some
excellent examples of policies that are far more thorough and better worded
than what exists today.  I suggest that we use them as a starting point to
overhaul this document.

Eoin, we unanimously appointed Martin into the role of Compliance Officer
for 2014.  I'm not sure what your question/statement is.


On Thu, Feb 27, 2014 at 12:06 PM, Tobias <tobias.gondrom at owasp.org> wrote:

>  Josh,
> I agree. simply the aspect that we have two differing interpretations of
> the same document is an indicator that the document is probably ambiguous
> and we need to fix the document.
> Regarding using a form and/or email: I have no strong opinion on that.
> Whatever works best.
> I like structure, too.
> Regarding your point #2, I added a comment inline below.
> Best, Tobias
> Ps.: btw. if we reword this document, this email discussion should
> probably be forwarded to the governance list.
> On 27/02/14 17:39, Josh Sokol wrote:
>    Tobias,
>  1) What the form would add is enforcement of structure and process.  It
> makes it very clear what information is required in order to "blow the
> whistle".  If the information is missing, then the request is invalid.
> Black and white.  This suggestion came from Martin, not from me.  I was
> restating and I am supportive of this as it allows him to apply a binary
> operation to determining which requests have enough information in order to
> investigate further.
>  As for the purpose of blowing the whistle without exposing oneself, this
> can still easily be handled through the process.  Rather than providing a
> name, this can be made optional.  If no name is provided, and no further
> contact is initiated, then the request would be evaluated for completeness
> and entertained based on the data provided.  If no name is provided, but
> contact is initiated in private with Martin, then the source code remain
> anonymous, but the allegation would be disclosed.  It is Martin's role to
> ensure that "whistle blowing" activities do not result in retaliation
>  2) I don't think we have the same interpretation of the written document
> which leads me to believe that it is unclear and requires modification for
> clarification of intent.  When I read it, I see "The OWASP Foundation's
> Compliance Officer will notify the person who submitted a complaint and
> acknowledge receipt of the reported violation or suspected violation. All
> reports will be promptly investigated and appropriate corrective action
> will be taken if warranted by the investigation."  To me, this says that
> the Compliance Officer will investigate and provide corrective action as
> well if warranted.  Investigation = Judge, Determination = Jury, Corrective
> Action = Executioner.  I agree that a report will be provided to the Board,
> but this policy specifies far more than just that.
> Please keep in mind, that the "OWASP Whistleblower & Anti-Retaliation
> Policy" is not only about describing the role of the compliance officer but
> about how OWASP as an organisation handles such cases overall, with the
> Compliance officer being one part / mechanism of it.
> So actually with that overall scope, if you look at the two sentences in
> detail, this reads:
> First sentence: "... the compliance officer will notify the person... "
> (action done by the officer)
> Second sentence: "All reports will be promptly investigated and
> appropriate corrective action will be taken if warranted by the
> investigation." Note passive voice. This is not only about the compliance
> officer. The org including the officer shall investigate promptly. And it
> does not mean corrective actions are taken by the compliance officer, but
> by the organisation, i.e. whoever is empowered from the organisation to
> take such actions. For operational questions, that might be the ED, for
> general issues this would be the board.
>  3) I agree that this should be the end result.  I think that the current
> policy implies that not only does the Compliance Officer make this report,
> but also takes some action including determination and punishment.  Sounds
> like we agree that this should not be the case?
>  I believe I understand the intent of the policy and am 100% behind that.
> I think that we need to clearly define the process here so that Martin, or
> any future Compliance Officer, is aware of how it should work from start to
> end, what our expectations are of for him, and how those expectations
> affect the investigation which he is conducting.
> I agree.
>  ~josh
> On Thu, Feb 27, 2014 at 11:18 AM, Tobias <tobias.gondrom at owasp.org> wrote:
>>  Hi Josh,
>> my understanding is the following:
>> 1. the main purpose of compliance officer is to allow people to "blow the
>> whistle" without exposing themselves (if they fear retaliation) I.e.
>> someone can send an email to him in confidence via compliance at owasp.orgwithout exposing oneself. Note: I am not sure a google form would add
>> anything beyond the email we already have, in fact one might feel that it
>> rather is more risky of loosing confidentiality with the form than a simple
>> email. So am not sure what the form would add.
>> This is mainly for purposes if there are issues with staff or financial
>> or accounting issues. E.g. a staff member would find a accounting
>> irregularity or potentially fraudulent behaviour and wants to report the
>> issue and the evidence in confidence to avoid retaliation from the
>> suspected person (that is if that person is in a position to exercise such
>> retaliation).
>> 2. Second, based on the written document, my understanding is that the
>> compliance officer is investigator and advisor, but not judge. In several
>> places, the policy states clearly that the compliance officer works on
>> behalf of the board and provides the report to the board for judgement.
>> One edge case might be if the compliance officer finds proof that the
>> board itself would act in a fraudulent way, in which case, I would expect
>> the Compliance officer to report this to the community and the police -
>> along with the found evidence.
>> 3. The end result from the compliance officer is his report to the board,
>> preferably with a recommendation.
>> (note again: the key feature is that the compliance officer may leave out
>> the identity of the reporting person in his report - not the evidence
>> itself uncovered in his investigation - to protect that person from
>> retaliation.)
>> This is basically the standard compliance officer / whistle blower
>> scenario for organisations. If you and Martin feel that the current policy
>> is not clear enough on the purpose and scope of the role or ambiguous, the
>> board should indeed clarify it.
>> Best regards, Tobias
>> On 27/02/14 14:54, Josh Sokol wrote:
>>      Board,
>>  I have been speaking with Martin in private in an attempt to clarify my
>> understanding of the role of the compliance officer and the processes
>> involved.  It sounds like, to some extent, we are expecting him to develop
>> the process, instead of regulate and enforce it, and this doesn't seem fair
>> or correct as the act of creating the process could actually create
>> accusations of bias.  As such, I think that it is reasonable for the Board
>> to discuss what this process should look like beginning with intake,
>> inclusive of investigation, and ending with the resolution.  Some important
>> questions:
>> 1) How is the complaint initiated?
>> I think that we should strongly discourage allegations on the pubic
>> mailing lists as accusations will lead to conflict which leads to chaos.
>> Yoda said that, right?  In any case, Martin had an excellent idea to create
>> a form requesting specific information from the accuser.  If the form is
>> not completed properly, then I think it is fair for the Compliance Officer
>> to either request additional information if the source is known or discard
>> it if the source is not known.  My suggestion was to have this form go to
>> compliance at owasp.org which would be the new mailing list (I'm not sure I
>> like "ombud").  This way the Board and others could stay in the loop on the
>> public facing side, which includes the original allegation, but will
>> continue to allow the compliance officer to perform the investigation from
>> there.
>>  2) The reporting procedure (
>> https://www.owasp.org/index.php/Governance/Whistleblower_Policy#Reporting_Procedure)
>> says that people are required to report their complaints to the Compliance
>> Officer who then has the responsibility to investigate all reported
>> complaints.  Is the Compliance officer required to notify anyone at the
>> time of complaint or at any point during the process?
>> My personal feeling is that, as with any system, there should be checks
>> and balances, so I feel like this activity should not be run completely in
>> a vacuum.  I believe that the Compliance Officer should be required to
>> report the complaint to the Board (not necessarily the person who reported
>> it unless relevant) and should be required to maintain evidence of the
>> investigation for review by the Board.  I'm fine with the investigation
>> itself being a relative black box, but evidence, along with the
>> recommendation, should be provided to the Board as the end result.
>>   3) What is the end result of the Compliance Officers investigation?
>>  The way this whistleblower policy current reads "appropriate corrective
>> action will be taken if warranted by the investigation" and "the Compliance
>> Officer will complete a final report noting the actors involved,
>> allegations, remediation actions, and rationale for the determination".
>> So, to be clear, the policy today not only has the Compliance Officer
>> receiving the complaint, but performing the investigation, and doling out
>> the punishment.  In effect, we have made the Compliance Officer judge,
>> jury, and executioner.  Our unbiased Compliance Officer can no longer
>> maintain his objectivity in future investigations if he is responsible for
>> all three of these roles.  In my opinion, the Compliance Officer should ,
>> in the end, provide a report to the Board with a recommendation and
>> rationale for the determination as well as supporting evidence that they
>> considered to make that decision.  This report should be made public, on
>> the compliance mailing list.  Then, the Board should vote (if necessary) on
>> the result.
>>  Am I way off base here or does this make sense?  Please discuss.
>>  ~josh
>>  _______________________________________________
>> Owasp-board mailing listOwasp-board at lists.owasp.orghttps://lists.owasp.org/mailman/listinfo/owasp-board
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-board/attachments/20140227/11929e33/attachment-0001.html>

More information about the Owasp-board mailing list