[Owasp-board] Role of the Compliance Officer

Eoin Keary eoin.keary at owasp.org
Fri Feb 28 08:33:22 UTC 2014


Fine, my bad. 
What training can we give Martin given his role is much larger than just whistleblower?
What are the responsibilities, approach and activities of compliance within a 501?




Eoin Keary
Owasp Global Board
+353 87 977 2988


On 27 Feb 2014, at 20:53, Tobias <tobias.gondrom at owasp.org> wrote:

> Yes, Josh is correct. 
> 
> As documented in our board votes: 
> https://www.owasp.org/index.php/OWASP_Board_Votes
> 
> December 16, 2013 | Compliance Officer per Whistleblower Policy for 2014 - Martin Knobloch, vote on mailing list | Tom, Seba, Dave, Michael, Jim, Eoin | Pass (Unanimous) | December 29, 2013
> And confirmed during email exchanges, including Eoin's own email: 
> http://lists.owasp.org/pipermail/owasp-board/2013-December/012797.html
> 
> Best wishes, Tobias
> 
> 
> Tobias Gondrom
> Owasp Global Board
> Secretary of the Board
> 
> 
> 
> On 27/02/14 20:37, Josh Sokol wrote:
>> Ummmm....to my understanding there is no "Whistleblower" role.  Only the "Compliance Officer" who supports our Whistleblower Policy.  This is what we voted on to my recollection.
>> 
>> ~josh
>> 
>> 
>> On Thu, Feb 27, 2014 at 1:38 PM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>> Hi Josh, no we appointed him as whistleblower. I suggested him for the role. This role is different. 
>>> 
>>> 
>>> Eoin Keary
>>> Owasp Global Board
>>> +353 87 977 2988
>>> 
>>> 
>>> On 27 Feb 2014, at 18:23, Josh Sokol <josh.sokol at owasp.org> wrote:
>>> 
>>>> It sounds like you and I agree on the intent of the document as well as the general process.  I think that we should work on clarifying the language so that it explicitly says what we intend it to say and present that clarification to the Governance list.  Tom provided a link with some excellent examples of policies that are far more thorough and better worded than what exists today.  I suggest that we use them as a starting point to overhaul this document.
>>>> 
>>>> Eoin, we unanimously appointed Martin into the role of Compliance Officer for 2014.  I'm not sure what your question/statement is.
>>>> 
>>>> ~josh
>>>> 
>>>> 
>>>> On Thu, Feb 27, 2014 at 12:06 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>> Josh, 
>>>>> 
>>>>> I agree. Simply the aspect that we have two differing interpretations of the same document is an indicator that the document is probably ambiguous and we need to fix the document. 
>>>>> 
>>>>> Regarding using a form and/or email: I have no strong opinion on that. Whatever works best. 
>>>>> I like structure, too. 
>>>>> 
>>>>> Regarding your point #2, I added a comment inline below. 
>>>>> 
>>>>> Best, Tobias
>>>>> 
>>>>> 
>>>>> Ps.: btw. if we reword this document, this email discussion should probably be forwarded to the governance list.  
>>>>> 
>>>>> 
>>>>> 
>>>>> On 27/02/14 17:39, Josh Sokol wrote:
>>>>>> Tobias,
>>>>>> 
>>>>>> 1) What the form would add is enforcement of structure and process.  It makes it very clear what information is required in order to "blow the whistle".  If the information is missing, then the request is invalid.  Black and white.  This suggestion came from Martin, not from me.  I was restating and I am supportive of this as it allows him to apply a binary operation to determining which requests have enough information in order to investigate further.
>>>>>> 
>>>>>> As for the purpose of blowing the whistle without exposing oneself, this can still easily be handled through the process.  Rather than providing a name, this can be made optional.  If no name is provided, and no further contact is initiated, then the request would be evaluated for completeness and entertained based on the data provided.  If no name is provided, but contact is initiated in private with Martin, then the source could remain anonymous, but the allegation would be disclosed.  It is Martin's role to ensure that "whistle blowing" activities do not result in retaliation.
>>>>>> 
>>>>>> 2) I don't think we have the same interpretation of the written document which leads me to believe that it is unclear and requires modification for clarification of intent.  When I read it, I see "The OWASP Foundation’s Compliance Officer will notify the person who submitted a complaint and acknowledge receipt of the reported violation or suspected violation. All reports will be promptly investigated and appropriate corrective action will be taken if warranted by the investigation."  To me, this says that the Compliance Officer will investigate and provide corrective action as well if warranted.  Investigation = Judge, Determination = Jury, Corrective Action = Executioner.  I agree that a report will be provided to the Board, but this policy specifies far more than just that.
>>>>> 
>>>>> Please keep in mind that the "OWASP Whistleblower & Anti-Retaliation Policy" is not only about describing the role of the compliance officer but about how OWASP as an organisation handles such cases overall, with the Compliance officer being one part / mechanism of it. 
>>>>> So actually with that overall scope, if you look at the two sentences in detail, this reads: 
>>>>> First sentence: "... the compliance officer will notify the person... " (action done by the officer)
>>>>> Second sentence: "All reports will be promptly investigated and appropriate corrective action will be taken if warranted by the investigation." Note passive voice. This is not only about the compliance officer. The org including the officer shall investigate promptly. And it does not mean corrective actions are taken by the compliance officer, but by the organisation, i.e. whoever is empowered from the organisation to take such actions. For operational questions, that might be the ED, for general issues this would be the board. 
>>>>> 
>>>>>> 
>>>>>> 3) I agree that this should be the end result.  I think that the current policy implies that not only does the Compliance Officer make this report, but also takes some action including determination and punishment.  Sounds like we agree that this should not be the case?
>>>>>> 
>>>>>> I believe I understand the intent of the policy and am 100% behind that.  I think that we need to clearly define the process here so that Martin, or any future Compliance Officer, is aware of how it should work from start to end, what our expectations are for him, and how those expectations affect the investigation which he is conducting.
>>>>> 
>>>>> I agree. 
>>>>> 
>>>>>> 
>>>>>> ~josh
>>>>>> 
>>>>>> 
>>>>>> On Thu, Feb 27, 2014 at 11:18 AM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>>>>> Hi Josh, 
>>>>>>> 
>>>>>>> my understanding is the following: 
>>>>>>> 1. The main purpose of the compliance officer is to allow people to "blow the whistle" without exposing themselves (if they fear retaliation), i.e. someone can send an email to him in confidence via compliance at owasp.org without exposing oneself. Note: I am not sure a google form would add anything beyond the email we already have; in fact one might feel that there is more risk of losing confidentiality with the form than with a simple email. So I am not sure what the form would add. 
>>>>>>> 
>>>>>>> This is mainly for purposes if there are issues with staff or financial or accounting issues. E.g. a staff member would find an accounting irregularity or potentially fraudulent behaviour and wants to report the issue and the evidence in confidence to avoid retaliation from the suspected person (that is if that person is in a position to exercise such retaliation). 
>>>>>>> 
>>>>>>> 2. Second, based on the written document, my understanding is that the compliance officer is investigator and advisor, but not judge. In several places, the policy states clearly that the compliance officer works on behalf of the board and provides the report to the board for judgement. 
>>>>>>> One edge case might be if the compliance officer finds proof that the board itself would act in a fraudulent way, in which case, I would expect the Compliance officer to report this to the community and the police - along with the found evidence. 
>>>>>>> 
>>>>>>> 3. The end result from the compliance officer is his report to the board, preferably with a recommendation. 
>>>>>>> (note again: the key feature is that the compliance officer may leave out the identity of the reporting person in his report - not the evidence itself uncovered in his investigation - to protect that person from retaliation.)
>>>>>>> 
>>>>>>> This is basically the standard compliance officer / whistle blower scenario for organisations. If you and Martin feel that the current policy is not clear enough on the purpose and scope of the role or ambiguous, the board should indeed clarify it. 
>>>>>>> 
>>>>>>> Best regards, Tobias
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> On 27/02/14 14:54, Josh Sokol wrote:
>>>>>>>> Board,
>>>>>>>> 
>>>>>>>> I have been speaking with Martin in private in an attempt to clarify my understanding of the role of the compliance officer and the processes involved.  It sounds like, to some extent, we are expecting him to develop the process, instead of regulate and enforce it, and this doesn't seem fair or correct as the act of creating the process could actually create accusations of bias.  As such, I think that it is reasonable for the Board to discuss what this process should look like beginning with intake, inclusive of investigation, and ending with the resolution.  Some important questions:
>>>>>>>> 
>>>>>>>> 1) How is the complaint initiated?
>>>>>>>> 
>>>>>>>> I think that we should strongly discourage allegations on the public mailing lists as accusations will lead to conflict which leads to chaos.  Yoda said that, right?  In any case, Martin had an excellent idea to create a form requesting specific information from the accuser.  If the form is not completed properly, then I think it is fair for the Compliance Officer to either request additional information if the source is known or discard it if the source is not known.  My suggestion was to have this form go to compliance at owasp.org which would be the new mailing list (I'm not sure I like "ombud").  This way the Board and others could stay in the loop on the public facing side, which includes the original allegation, but will continue to allow the compliance officer to perform the investigation from there.
>>>>>>>> 
>>>>>>>> 2) The reporting procedure (https://www.owasp.org/index.php/Governance/Whistleblower_Policy#Reporting_Procedure) says that people are required to report their complaints to the Compliance Officer who then has the responsibility to investigate all reported complaints.  Is the Compliance officer required to notify anyone at the time of complaint or at any point during the process?
>>>>>>>> 
>>>>>>>> My personal feeling is that, as with any system, there should be checks and balances, so I feel like this activity should not be run completely in a vacuum.  I believe that the Compliance Officer should be required to report the complaint to the Board (not necessarily the person who reported it unless relevant) and should be required to maintain evidence of the investigation for review by the Board.  I'm fine with the investigation itself being a relative black box, but evidence, along with the recommendation, should be provided to the Board as the end result.
>>>>>>>> 
>>>>>>>> 3) What is the end result of the Compliance Officer's investigation?
>>>>>>>> 
>>>>>>>> The way this whistleblower policy currently reads "appropriate corrective action will be taken if warranted by the investigation" and "the Compliance Officer will complete a final report noting the actors involved, allegations, remediation actions, and rationale for the determination".  So, to be clear, the policy today not only has the Compliance Officer receiving the complaint, but performing the investigation, and doling out the punishment.  In effect, we have made the Compliance Officer judge, jury, and executioner.  Our unbiased Compliance Officer can no longer maintain his objectivity in future investigations if he is responsible for all three of these roles.  In my opinion, the Compliance Officer should, in the end, provide a report to the Board with a recommendation and rationale for the determination as well as supporting evidence that they considered to make that decision.  This report should be made public, on the compliance mailing list.  Then, the Board should vote (if necessary) on the result.  
>>>>>>>> 
>>>>>>>> Am I way off base here or does this make sense?  Please discuss.
>>>>>>>> 
>>>>>>>> ~josh
>>>>>>>> 
>>>>>>>> 
>>>>>>>> _______________________________________________
>>>>>>>> Owasp-board mailing list
>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
> 