[Owasp-board] Role of the Compliance Officer

Tobias tobias.gondrom at owasp.org
Thu Feb 27 20:53:05 UTC 2014

Yes, Josh is correct.

As documented in our board votes:

December 16, 2013: Compliance Officer per Whistleblower Policy
<https://www.owasp.org/index.php/Governance/Whistleblower_Policy> for
2014 - Martin Knobloch, vote on mailing list
<http://lists.owasp.org/pipermail/owasp-board/2013-December/012790.html>
Votes: Tom, Seba, Dave, Michael, Jim, Eoin
Result: Pass (Unanimous), December 29, 2013

And confirmed during email exchanges, including Eoin's own email:

Best wishes, Tobias

Tobias Gondrom
Owasp Global Board
Secretary of the Board

On 27/02/14 20:37, Josh Sokol wrote:
> Ummmm....to my understanding there is no "Whistleblower" role.  Only
> the "Compliance Officer" who supports our Whistleblower Policy.  This
> is what we voted on to my recollection.
> ~josh
> On Thu, Feb 27, 2014 at 1:38 PM, Eoin Keary <eoin.keary at owasp.org
> <mailto:eoin.keary at owasp.org>> wrote:
>     Hi Josh, no we appointed him as whistleblower. I suggested him for
>     the role. This role is different. 
>     Eoin Keary
>     Owasp Global Board
>     +353 87 977 2988
>     On 27 Feb 2014, at 18:23, Josh Sokol <josh.sokol at owasp.org
>     <mailto:josh.sokol at owasp.org>> wrote:
>>     It sounds like you and I agree on the intent of the document as
>>     well as the general process.  I think that we should work on
>>     clarifying the language so that it explicitly says what we intend
>>     it to say and present that clarification to the Governance list. 
>>     Tom provided a link with some excellent examples of policies that
>>     are far more thorough and better worded than what exists today. 
>>     I suggest that we use them as a starting point to overhaul this
>>     document.
>>     Eoin, we unanimously appointed Martin into the role of Compliance
>>     Officer for 2014.  I'm not sure what your question/statement is.
>>     ~josh
>>     On Thu, Feb 27, 2014 at 12:06 PM, Tobias
>>     <tobias.gondrom at owasp.org <mailto:tobias.gondrom at owasp.org>> wrote:
>>         Josh,
>>         I agree. Simply the aspect that we have two differing
>>         interpretations of the same document is an indicator that the
>>         document is probably ambiguous and we need to fix the document.
>>         Regarding using a form and/or email: I have no strong opinion
>>         on that. Whatever works best.
>>         I like structure, too.
>>         Regarding your point #2, I added a comment inline below.
>>         Best, Tobias
>>         Ps.: btw. if we reword this document, this email discussion
>>         should probably be forwarded to the governance list. 
>>         On 27/02/14 17:39, Josh Sokol wrote:
>>>         Tobias,
>>>         1) What the form would add is enforcement of structure and
>>>         process.  It makes it very clear what information is
>>>         required in order to "blow the whistle".  If the information
>>>         is missing, then the request is invalid.  Black and white. 
>>>         This suggestion came from Martin, not from me.  I was
>>>         restating and I am supportive of this as it allows him to
>>>         apply a binary operation to determining which requests have
>>>         enough information in order to investigate further.
>>>         As for the purpose of blowing the whistle without exposing
>>>         oneself, this can still easily be handled through the
>>>         process.  Rather than providing a name, this can be made
>>>         optional.  If no name is provided, and no further contact is
>>>         initiated, then the request would be evaluated for
>>>         completeness and entertained based on the data provided.  If
>>>         no name is provided, but contact is initiated in private
>>>         with Martin, then the source could remain anonymous, but the
>>>         allegation would be disclosed.  It is Martin's role to
>>>         ensure that "whistle blowing" activities do not result in
>>>         retaliation.
>>>         2) I don't think we have the same interpretation of the
>>>         written document which leads me to believe that it is
>>>         unclear and requires modification for clarification of
>>>         intent.  When I read it, I see "The OWASP Foundation's
>>>         Compliance Officer will notify the person who submitted a
>>>         complaint and acknowledge receipt of the reported violation
>>>         or suspected violation. All reports will be promptly
>>>         investigated and appropriate corrective action will be taken
>>>         if warranted by the investigation."  To me, this says that
>>>         the Compliance Officer will investigate and provide
>>>         corrective action as well if warranted.  Investigation =
>>>         Judge, Determination = Jury, Corrective Action =
>>>         Executioner.  I agree that a report will be provided to the
>>>         Board, but this policy specifies far more than just that.
>>         Please keep in mind, that the "OWASP Whistleblower &
>>         Anti-Retaliation Policy" is not only about describing the
>>         role of the compliance officer but about how OWASP as an
>>         organisation handles such cases overall, with the Compliance
>>         officer being one part / mechanism of it.
>>         So actually with that overall scope, if you look at the two
>>         sentences in detail, this reads:
>>         First sentence: "... the compliance officer will notify the
>>         person... " (action done by the officer)
>>         Second sentence: "All reports will be promptly investigated
>>         and appropriate corrective action will be taken if warranted
>>         by the investigation." Note passive voice. This is not only
>>         about the compliance officer. The org including the officer
>>         shall investigate promptly. And it does not mean corrective
>>         actions are taken by the compliance officer, but by the
>>         organisation, i.e. whoever is empowered from the organisation
>>         to take such actions. For operational questions, that might
>>         be the ED, for general issues this would be the board.
>>>         3) I agree that this should be the end result.  I think that
>>>         the current policy implies that not only does the Compliance
>>>         Officer make this report, but also takes some action
>>>         including determination and punishment.  Sounds like we
>>>         agree that this should not be the case?
>>>         I believe I understand the intent of the policy and am 100%
>>>         behind that.  I think that we need to clearly define the
>>>         process here so that Martin, or any future Compliance
>>>         Officer, is aware of how it should work from start to end,
>>>         what our expectations are for him, and how those
>>>         expectations affect the investigation which he is conducting.
>>         I agree.
>>>         ~josh
>>>         On Thu, Feb 27, 2014 at 11:18 AM, Tobias
>>>         <tobias.gondrom at owasp.org <mailto:tobias.gondrom at owasp.org>>
>>>         wrote:
>>>             Hi Josh,
>>>             my understanding is the following:
>>>             1. the main purpose of compliance officer is to allow
>>>             people to "blow the whistle" without exposing themselves
>>>             (if they fear retaliation) I.e. someone can send an
>>>             email to him in confidence via compliance at owasp.org
>>>             <mailto:compliance at owasp.org> without exposing oneself.
>>>             Note: I am not sure a google form would add anything
>>>             beyond the email we already have, in fact one might feel
>>>             that it rather is more risky of losing confidentiality
>>>             with the form than a simple email. So I am not sure what
>>>             the form would add.
>>>             This is mainly for purposes if there are issues with
>>>             staff or financial or accounting issues. E.g. a staff
>>>             member would find an accounting irregularity or
>>>             potentially fraudulent behaviour and wants to report the
>>>             issue and the evidence in confidence to avoid
>>>             retaliation from the suspected person (that is if that
>>>             person is in a position to exercise such retaliation).
>>>             2. Second, based on the written document, my
>>>             understanding is that the compliance officer is
>>>             investigator and advisor, but not judge. In several
>>>             places, the policy states clearly that the compliance
>>>             officer works on behalf of the board and provides the
>>>             report to the board for judgement.
>>>             One edge case might be if the compliance officer finds
>>>             proof that the board itself would act in a fraudulent
>>>             way, in which case, I would expect the Compliance
>>>             officer to report this to the community and the police -
>>>             along with the found evidence.
>>>             3. The end result from the compliance officer is his
>>>             report to the board, preferably with a recommendation.
>>>             (note again: the key feature is that the compliance
>>>             officer may leave out the identity of the reporting
>>>             person in his report - not the evidence itself uncovered
>>>             in his investigation - to protect that person from
>>>             retaliation.)
>>>             This is basically the standard compliance officer /
>>>             whistle blower scenario for organisations. If you and
>>>             Martin feel that the current policy is not clear enough
>>>             on the purpose and scope of the role or ambiguous, the
>>>             board should indeed clarify it.
>>>             Best regards, Tobias
>>>             On 27/02/14 14:54, Josh Sokol wrote:
>>>>             Board,
>>>>             I have been speaking with Martin in private in an
>>>>             attempt to clarify my understanding of the role of the
>>>>             compliance officer and the processes involved.  It
>>>>             sounds like, to some extent, we are expecting him to
>>>>             develop the process, instead of regulate and enforce
>>>>             it, and this doesn't seem fair or correct as the act of
>>>>             creating the process could actually create accusations
>>>>             of bias.  As such, I think that it is reasonable for
>>>>             the Board to discuss what this process should look like
>>>>             beginning with intake, inclusive of investigation, and
>>>>             ending with the resolution.  Some important questions:
>>>>             1) How is the complaint initiated?
>>>>             I think that we should strongly discourage allegations
>>>>             on the public mailing lists as accusations will lead to
>>>>             conflict which leads to chaos.  Yoda said that, right? 
>>>>             In any case, Martin had an excellent idea to create a
>>>>             form requesting specific information from the accuser. 
>>>>             If the form is not completed properly, then I think it
>>>>             is fair for the Compliance Officer to either request
>>>>             additional information if the source is known or
>>>>             discard it if the source is not known.  My suggestion
>>>>             was to have this form go to compliance at owasp.org
>>>>             <mailto:compliance at owasp.org> which would be the new
>>>>             mailing list (I'm not sure I like "ombud").  This way
>>>>             the Board and others could stay in the loop on the
>>>>             public facing side, which includes the original
>>>>             allegation, but will continue to allow the compliance
>>>>             officer to perform the investigation from there.
>>>>             2) The reporting procedure
>>>>             (https://www.owasp.org/index.php/Governance/Whistleblower_Policy#Reporting_Procedure)
>>>>             says that people are required to report their
>>>>             complaints to the Compliance Officer who then has the
>>>>             responsibility to investigate all reported complaints. 
>>>>             Is the Compliance officer required to notify anyone at
>>>>             the time of complaint or at any point during the process?
>>>>             My personal feeling is that, as with any system, there
>>>>             should be checks and balances, so I feel like this
>>>>             activity should not be run completely in a vacuum.  I
>>>>             believe that the Compliance Officer should be required
>>>>             to report the complaint to the Board (not necessarily
>>>>             the person who reported it unless relevant) and should
>>>>             be required to maintain evidence of the investigation
>>>>             for review by the Board.  I'm fine with the
>>>>             investigation itself being a relative black box, but
>>>>             evidence, along with the recommendation, should be
>>>>             provided to the Board as the end result.
>>>>             3) What is the end result of the Compliance Officer's
>>>>             investigation?
>>>>             The way this whistleblower policy currently reads
>>>>             "appropriate corrective action will be taken if
>>>>             warranted by the investigation" and "the Compliance
>>>>             Officer will complete a final report noting the actors
>>>>             involved, allegations, remediation actions, and
>>>>             rationale for the determination".  So, to be clear, the
>>>>             policy today not only has the Compliance Officer
>>>>             receiving the complaint, but performing the
>>>>             investigation, and doling out the punishment.  In
>>>>             effect, we have made the Compliance Officer judge,
>>>>             jury, and executioner.  Our unbiased Compliance Officer
>>>>             can no longer maintain his objectivity in future
>>>>             investigations if he is responsible for all three of
>>>>             these roles.  In my opinion, the Compliance Officer
>>>>             should, in the end, provide a report to the Board with
>>>>             a recommendation and rationale for the determination as
>>>>             well as supporting evidence that they considered to
>>>>             make that decision.  This report should be made public,
>>>>             on the compliance mailing list.  Then, the Board should
>>>>             vote (if necessary) on the result. 
>>>>             Am I way off base here or does this make sense?  Please
>>>>             discuss.
>>>>             ~josh
>>>>             _______________________________________________
>>>>             Owasp-board mailing list
>>>>             Owasp-board at lists.owasp.org <mailto:Owasp-board at lists.owasp.org>
>>>>             https://lists.owasp.org/mailman/listinfo/owasp-board
