[Owasp-board] Role of the Compliance Officer
tobias.gondrom at owasp.org
Thu Feb 27 20:53:05 UTC 2014
Yes, Josh is correct.
As documented in our board votes:
December 16, 2013 Compliance Officer per Whistleblower Policy
2014 - Martin Knobloch, vote on mailing list
Seba, Dave, Michael, Jim, Eoin
Pass (Unanimous) December 29, 2013
And confirmed during email exchanges, including Eoin's own email:
Best wishes, Tobias
Owasp Global Board
Secretary of the Board
On 27/02/14 20:37, Josh Sokol wrote:
> Ummmm....to my understanding there is no "Whistleblower" role. Only
> the "Compliance Officer" who supports our Whistleblower Policy. This
> is what we voted on to my recollection.
> On Thu, Feb 27, 2014 at 1:38 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
> Hi Josh, no we appointed him as whistleblower. I suggested him for
> the role. This role is different.
> Eoin Keary
> Owasp Global Board
> +353 87 977 2988
> On 27 Feb 2014, at 18:23, Josh Sokol <josh.sokol at owasp.org> wrote:
>> It sounds like you and I agree on the intent of the document as
>> well as the general process. I think that we should work on
>> clarifying the language so that it explicitly says what we intend
>> it to say and present that clarification to the Governance list.
>> Tom provided a link with some excellent examples of policies that
>> are far more thorough and better worded than what exists today.
>> I suggest that we use them as a starting point to overhaul this
>> Eoin, we unanimously appointed Martin into the role of Compliance
>> Officer for 2014. I'm not sure what your question/statement is.
>> On Thu, Feb 27, 2014 at 12:06 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>> I agree. Simply the aspect that we have two differing
>> interpretations of the same document is an indicator that the
>> document is probably ambiguous and we need to fix the document.
>> Regarding using a form and/or email: I have no strong opinion
>> on that. Whatever works best.
>> I like structure, too.
>> Regarding your point #2, I added a comment inline below.
>> Best, Tobias
>> Ps.: btw. if we reword this document, this email discussion
>> should probably be forwarded to the governance list.
>> On 27/02/14 17:39, Josh Sokol wrote:
>>> 1) What the form would add is enforcement of structure and
>>> process. It makes it very clear what information is
>>> required in order to "blow the whistle". If the information
>>> is missing, then the request is invalid. Black and white.
>>> This suggestion came from Martin, not from me. I was
>>> restating and I am supportive of this as it allows him to
>>> apply a binary operation to determining which requests have
>>> enough information in order to investigate further.
>>> As for the purpose of blowing the whistle without exposing
>>> oneself, this can still easily be handled through the
>>> process. Rather than providing a name, this can be made
>>> optional. If no name is provided, and no further contact is
>>> initiated, then the request would be evaluated for
>>> completeness and entertained based on the data provided. If
>>> no name is provided, but contact is initiated in private
>>> with Martin, then the source could remain anonymous, but the
>>> allegation would be disclosed. It is Martin's role to
>>> ensure that "whistle blowing" activities do not result in
>>> 2) I don't think we have the same interpretation of the
>>> written document which leads me to believe that it is
>>> unclear and requires modification for clarification of
>>> intent. When I read it, I see "The OWASP Foundation's
>>> Compliance Officer will notify the person who submitted a
>>> complaint and acknowledge receipt of the reported violation
>>> or suspected violation. All reports will be promptly
>>> investigated and appropriate corrective action will be taken
>>> if warranted by the investigation." To me, this says that
>>> the Compliance Officer will investigate and provide
>>> corrective action as well if warranted. Investigation =
>>> Judge, Determination = Jury, Corrective Action =
>>> Executioner. I agree that a report will be provided to the
>>> Board, but this policy specifies far more than just that.
>> Please keep in mind, that the "OWASP Whistleblower &
>> Anti-Retaliation Policy" is not only about describing the
>> role of the compliance officer but about how OWASP as an
>> organisation handles such cases overall, with the Compliance
>> officer being one part / mechanism of it.
>> So actually with that overall scope, if you look at the two
>> sentences in detail, this reads:
>> First sentence: "... the compliance officer will notify the
>> person... " (action done by the officer)
>> Second sentence: "All reports will be promptly investigated
>> and appropriate corrective action will be taken if warranted
>> by the investigation." Note passive voice. This is not only
>> about the compliance officer. The org including the officer
>> shall investigate promptly. And it does not mean corrective
>> actions are taken by the compliance officer, but by the
>> organisation, i.e. whoever is empowered from the organisation
>> to take such actions. For operational questions, that might
>> be the ED, for general issues this would be the board.
>>> 3) I agree that this should be the end result. I think that
>>> the current policy implies that not only does the Compliance
>>> Officer make this report, but also takes some action
>>> including determination and punishment. Sounds like we
>>> agree that this should not be the case?
>>> I believe I understand the intent of the policy and am 100%
>>> behind that. I think that we need to clearly define the
>>> process here so that Martin, or any future Compliance
>>> Officer, is aware of how it should work from start to end,
>>> what our expectations are for him, and how those
>>> expectations affect the investigation which he is conducting.
>> I agree.
>>> On Thu, Feb 27, 2014 at 11:18 AM, Tobias <tobias.gondrom at owasp.org>
>>> Hi Josh,
>>> my understanding is the following:
>>> 1. The main purpose of the compliance officer is to allow
>>> people to "blow the whistle" without exposing themselves
>>> (if they fear retaliation), i.e. someone can send an
>>> email to him in confidence via compliance at owasp.org
>>> without exposing oneself.
>>> Note: I am not sure a google form would add anything
>>> beyond the email we already have; in fact one might feel
>>> that it is rather more risky of losing confidentiality
>>> with the form than a simple email. So I am not sure what
>>> the form would add.
>>> This is mainly for purposes if there are issues with
>>> staff or financial or accounting issues. E.g. a staff
>>> member would find an accounting irregularity or
>>> potentially fraudulent behaviour and wants to report the
>>> issue and the evidence in confidence to avoid
>>> retaliation from the suspected person (that is if that
>>> person is in a position to exercise such retaliation).
>>> 2. Second, based on the written document, my
>>> understanding is that the compliance officer is
>>> investigator and advisor, but not judge. In several
>>> places, the policy states clearly that the compliance
>>> officer works on behalf of the board and provides the
>>> report to the board for judgement.
>>> One edge case might be if the compliance officer finds
>>> proof that the board itself would act in a fraudulent
>>> way, in which case, I would expect the Compliance
>>> officer to report this to the community and the police -
>>> along with the found evidence.
>>> 3. The end result from the compliance officer is his
>>> report to the board, preferably with a recommendation.
>>> (note again: the key feature is that the compliance
>>> officer may leave out the identity of the reporting
>>> person in his report - not the evidence itself uncovered
>>> in his investigation - to protect that person from
>>> This is basically the standard compliance officer /
>>> whistle blower scenario for organisations. If you and
>>> Martin feel that the current policy is not clear enough
>>> on the purpose and scope of the role or ambiguous, the
>>> board should indeed clarify it.
>>> Best regards, Tobias
>>> On 27/02/14 14:54, Josh Sokol wrote:
>>>> I have been speaking with Martin in private in an
>>>> attempt to clarify my understanding of the role of the
>>>> compliance officer and the processes involved. It
>>>> sounds like, to some extent, we are expecting him to
>>>> develop the process, instead of regulate and enforce
>>>> it, and this doesn't seem fair or correct as the act of
>>>> creating the process could actually create accusations
>>>> of bias. As such, I think that it is reasonable for
>>>> the Board to discuss what this process should look like
>>>> beginning with intake, inclusive of investigation, and
>>>> ending with the resolution. Some important questions:
>>>> 1) How is the complaint initiated?
>>>> I think that we should strongly discourage allegations
>>>> on the public mailing lists as accusations will lead to
>>>> conflict which leads to chaos. Yoda said that, right?
>>>> In any case, Martin had an excellent idea to create a
>>>> form requesting specific information from the accuser.
>>>> If the form is not completed properly, then I think it
>>>> is fair for the Compliance Officer to either request
>>>> additional information if the source is known or
>>>> discard it if the source is not known. My suggestion
>>>> was to have this form go to compliance at owasp.org which would be the new
>>>> mailing list (I'm not sure I like "ombud"). This way
>>>> the Board and others could stay in the loop on the
>>>> public facing side, which includes the original
>>>> allegation, but will continue to allow the compliance
>>>> officer to perform the investigation from there.
>>>> 2) The reporting procedure
>>>> says that people are required to report their
>>>> complaints to the Compliance Officer who then has the
>>>> responsibility to investigate all reported complaints.
>>>> Is the Compliance officer required to notify anyone at
>>>> the time of complaint or at any point during the process?
>>>> My personal feeling is that, as with any system, there
>>>> should be checks and balances, so I feel like this
>>>> activity should not be run completely in a vacuum. I
>>>> believe that the Compliance Officer should be required
>>>> to report the complaint to the Board (not necessarily
>>>> the person who reported it unless relevant) and should
>>>> be required to maintain evidence of the investigation
>>>> for review by the Board. I'm fine with the
>>>> investigation itself being a relative black box, but
>>>> evidence, along with the recommendation, should be
>>>> provided to the Board as the end result.
>>>> 3) What is the end result of the Compliance Officers
>>>> The way this whistleblower policy currently reads
>>>> "appropriate corrective action will be taken if
>>>> warranted by the investigation" and "the Compliance
>>>> Officer will complete a final report noting the actors
>>>> involved, allegations, remediation actions, and
>>>> rationale for the determination". So, to be clear, the
>>>> policy today not only has the Compliance Officer
>>>> receiving the complaint, but performing the
>>>> investigation, and doling out the punishment. In
>>>> effect, we have made the Compliance Officer judge,
>>>> jury, and executioner. Our unbiased Compliance Officer
>>>> can no longer maintain his objectivity in future
>>>> investigations if he is responsible for all three of
>>>> these roles. In my opinion, the Compliance Officer
>>>> should, in the end, provide a report to the Board with
>>>> a recommendation and rationale for the determination as
>>>> well as supporting evidence that they considered to
>>>> make that decision. This report should be made public,
>>>> on the compliance mailing list. Then, the Board should
>>>> vote (if necessary) on the result.
>>>> Am I way off base here or does this make sense? Please
>>>> Owasp-board mailing list
>>>> Owasp-board at lists.owasp.org