[Owasp-board] Role of the Compliance Officer

Sarah Baso sarah.baso at owasp.org
Thu Feb 27 20:43:47 UTC 2014

Yes Josh, you are correct.

On Feb 27, 2014, at 12:37 PM, Josh Sokol <josh.sokol at owasp.org> wrote:

Ummmm....to my understanding there is no "Whistleblower" role.  Only the
"Compliance Officer" who supports our Whistleblower Policy.  This is what
we voted on to my recollection.


On Thu, Feb 27, 2014 at 1:38 PM, Eoin Keary <eoin.keary at owasp.org> wrote:

> Hi Josh, no we appointed him as whistleblower. I suggested him for the
> role. This role is different.
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> On 27 Feb 2014, at 18:23, Josh Sokol <josh.sokol at owasp.org> wrote:
> It sounds like you and I agree on the intent of the document as well as
> the general process.  I think that we should work on clarifying the
> language so that it explicitly says what we intend it to say and present
> that clarification to the Governance list.  Tom provided a link with some
> excellent examples of policies that are far more thorough and better worded
> than what exists today.  I suggest that we use them as a starting point to
> overhaul this document.
> Eoin, we unanimously appointed Martin into the role of Compliance Officer
> for 2014.  I'm not sure what your question/statement is.
> ~josh
> On Thu, Feb 27, 2014 at 12:06 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>  Josh,
>> I agree. simply the aspect that we have two differing interpretations of
>> the same document is an indicator that the document is probably ambiguous
>> and we need to fix the document.
>> Regarding using a form and/or email: I have no strong opinion on that.
>> Whatever works best.
>> I like structure, too.
>> Regarding your point #2, I added a comment inline below.
>> Best, Tobias
>> Ps.: btw. if we reword this document, this email discussion should
>> probably be forwarded to the governance list.
>> On 27/02/14 17:39, Josh Sokol wrote:
>>    Tobias,
>>  1) What the form would add is enforcement of structure and process.  It
>> makes it very clear what information is required in order to "blow the
>> whistle".  If the information is missing, then the request is invalid.
>> Black and white.  This suggestion came from Martin, not from me.  I was
>> restating and I am supportive of this as it allows him to apply a binary
>> operation to determining which requests have enough information in order to
>> investigate further.
>>  As for the purpose of blowing the whistle without exposing oneself, this
>> can still easily be handled through the process.  Rather than providing a
>> name, this can be made optional.  If no name is provided, and no further
>> contact is initiated, then the request would be evaluated for completeness
>> and entertained based on the data provided.  If no name is provided, but
>> contact is initiated in private with Martin, then the source could remain
>> anonymous, but the allegation would be disclosed.  It is Martin's role to
>> ensure that "whistle blowing" activities do not result in retaliation.
>>  2) I don't think we have the same interpretation of the written document
>> which leads me to believe that it is unclear and requires modification for
>> clarification of intent.  When I read it, I see "The OWASP Foundation's
>> Compliance Officer will notify the person who submitted a complaint and
>> acknowledge receipt of the reported violation or suspected violation. All
>> reports will be promptly investigated and appropriate corrective action
>> will be taken if warranted by the investigation."  To me, this says that
>> the Compliance Officer will investigate and provide corrective action as
>> well if warranted.  Investigation = Judge, Determination = Jury, Corrective
>> Action = Executioner.  I agree that a report will be provided to the Board,
>> but this policy specifies far more than just that.
>> Please keep in mind, that the "OWASP Whistleblower & Anti-Retaliation
>> Policy" is not only about describing the role of the compliance officer but
>> about how OWASP as an organisation handles such cases overall, with the
>> Compliance officer being one part / mechanism of it.
>> So actually with that overall scope, if you look at the two sentences in
>> detail, this reads:
>> First sentence: "... the compliance officer will notify the person... "
>> (action done by the officer)
>> Second sentence: "All reports will be promptly investigated and
>> appropriate corrective action will be taken if warranted by the
>> investigation." Note passive voice. This is not only about the compliance
>> officer. The org including the officer shall investigate promptly. And it
>> does not mean corrective actions are taken by the compliance officer, but
>> by the organisation, i.e. whoever is empowered from the organisation to
>> take such actions. For operational questions, that might be the ED, for
>> general issues this would be the board.
>>  3) I agree that this should be the end result.  I think that the current
>> policy implies that not only does the Compliance Officer make this report,
>> but also takes some action including determination and punishment.  Sounds
>> like we agree that this should not be the case?
>>  I believe I understand the intent of the policy and am 100% behind
>> that.  I think that we need to clearly define the process here so that
>> Martin, or any future Compliance Officer, is aware of how it should work
>> from start to end, what our expectations are of him, and how those
>> expectations affect the investigation which he is conducting.
>> I agree.
>>  ~josh
>> On Thu, Feb 27, 2014 at 11:18 AM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>  Hi Josh,
>>> my understanding is the following:
>>> 1. the main purpose of compliance officer is to allow people to "blow
>>> the whistle" without exposing themselves (if they fear retaliation) I.e.
>>> someone can send an email to him in confidence via compliance at owasp.org
>>> without exposing oneself. Note: I am not sure a google form would add
>>> anything beyond the email we already have, in fact one might feel that it
>>> rather is more risky of losing confidentiality with the form than a simple
>>> email. So am not sure what the form would add.
>>> This is mainly for purposes if there are issues with staff or financial
>>> or accounting issues. E.g. a staff member would find an accounting
>>> irregularity or potentially fraudulent behaviour and wants to report the
>>> issue and the evidence in confidence to avoid retaliation from the
>>> suspected person (that is if that person is in a position to exercise such
>>> retaliation).
>>> 2. Second, based on the written document, my understanding is that the
>>> compliance officer is investigator and advisor, but not judge. In several
>>> places, the policy states clearly that the compliance officer works on
>>> behalf of the board and provides the report to the board for judgement.
>>> One edge case might be if the compliance officer finds proof that the
>>> board itself would act in a fraudulent way, in which case, I would expect
>>> the Compliance officer to report this to the community and the police -
>>> along with the found evidence.
>>> 3. The end result from the compliance officer is his report to the
>>> board, preferably with a recommendation.
>>> (note again: the key feature is that the compliance officer may leave
>>> out the identity of the reporting person in his report - not the evidence
>>> itself uncovered in his investigation - to protect that person from
>>> retaliation.)
>>> This is basically the standard compliance officer / whistle blower
>>> scenario for organisations. If you and Martin feel that the current policy
>>> is not clear enough on the purpose and scope of the role or ambiguous, the
>>> board should indeed clarify it.
>>> Best regards, Tobias
>>> On 27/02/14 14:54, Josh Sokol wrote:
>>>      Board,
>>>  I have been speaking with Martin in private in an attempt to clarify my
>>> understanding of the role of the compliance officer and the processes
>>> involved.  It sounds like, to some extent, we are expecting him to develop
>>> the process, instead of regulate and enforce it, and this doesn't seem fair
>>> or correct as the act of creating the process could actually create
>>> accusations of bias.  As such, I think that it is reasonable for the Board
>>> to discuss what this process should look like beginning with intake,
>>> inclusive of investigation, and ending with the resolution.  Some important
>>> questions:
>>> 1) How is the complaint initiated?
>>> I think that we should strongly discourage allegations on the public
>>> mailing lists as accusations will lead to conflict which leads to chaos.
>>> Yoda said that, right?  In any case, Martin had an excellent idea to create
>>> a form requesting specific information from the accuser.  If the form is
>>> not completed properly, then I think it is fair for the Compliance Officer
>>> to either request additional information if the source is known or discard
>>> it if the source is not known.  My suggestion was to have this form go to
>>> compliance at owasp.org which would be the new mailing list (I'm not sure
>>> I like "ombud").  This way the Board and others could stay in the loop on
>>> the public facing side, which includes the original allegation, but will
>>> continue to allow the compliance officer to perform the investigation from
>>> there.
>>>  2) The reporting procedure (
>>> https://www.owasp.org/index.php/Governance/Whistleblower_Policy#Reporting_Procedure)
>>> says that people are required to report their complaints to the Compliance
>>> Officer who then has the responsibility to investigate all reported
>>> complaints.  Is the Compliance officer required to notify anyone at the
>>> time of complaint or at any point during the process?
>>> My personal feeling is that, as with any system, there should be checks
>>> and balances, so I feel like this activity should not be run completely in
>>> a vacuum.  I believe that the Compliance Officer should be required to
>>> report the complaint to the Board (not necessarily the person who reported
>>> it unless relevant) and should be required to maintain evidence of the
>>> investigation for review by the Board.  I'm fine with the investigation
>>> itself being a relative black box, but evidence, along with the
>>> recommendation, should be provided to the Board as the end result.
>>>   3) What is the end result of the Compliance Officers investigation?
>>>  The way this whistleblower policy currently reads "appropriate corrective
>>> action will be taken if warranted by the investigation" and "the Compliance
>>> Officer will complete a final report noting the actors involved,
>>> allegations, remediation actions, and rationale for the determination".
>>> So, to be clear, the policy today not only has the Compliance Officer
>>> receiving the complaint, but performing the investigation, and doling out
>>> the punishment.  In effect, we have made the Compliance Officer judge,
>>> jury, and executioner.  Our unbiased Compliance Officer can no longer
>>> maintain his objectivity in future investigations if he is responsible for
>>> all three of these roles.  In my opinion, the Compliance Officer should,
>>> in the end, provide a report to the Board with a recommendation and
>>> rationale for the determination as well as supporting evidence that they
>>> considered to make that decision.  This report should be made public, on
>>> the compliance mailing list.  Then, the Board should vote (if necessary) on
>>> the result.
>>>  Am I way off base here or does this make sense?  Please discuss.
>>>  ~josh
>>> _______________________________________________
>>> Owasp-board mailing list
>>> Owasp-board at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-board