[Owasp-board] OWASP Whistleblower Policy Updates

Josh Sokol josh.sokol at owasp.org
Thu Nov 13 04:03:52 UTC 2014


>
> 1. The compliance officer's role as neutral conciliator / mediator
> It might be people hesitate in filing an official complaint, as this is a
> harsh measure, and reaching out to the compliance officer as neutral party
> in a not yet escalated conflict.
> The current policy does not describe this possibility, it comes close to "IV.
> Commitment to Peaceful Conflict Resolution", but without filing an
> official complaint.
> This could be in chapter "IX. Compliance Officer".
> Q: is this part of the compliance officer's role?
>

I *think* what you're talking about is under section III. Initiating an
Informal Complaint.  The ED, Board, and Compliance Officer are all
identified in this paragraph as possible contacts for informal complaints.

> 2. Early notification of the compliance officer in case of serious
> complaints.
> As reason history has shown actions of investigation should been handed to
> the investigation soon possible. It might not be part of the Whistleblower
> Policy, but can we find an agreement any serious complaints the board or a
> board member has received, the Compliance Officer should be notified about
> early, before escalation!
>

I agree that the Board needs to work with the Compliance Officer to discuss
serious complaints as early as possible.  I think that what you are
referring to here is basically the difference between an informal and a
formal complaint.  At the stage of an informal complaint, the goal is to
resolve the conflict with those that the conflict involves.  I have no
argument either for or against involving the Compliance Officer at this
stage.  But once we get to the formal complaint stage, then I think that
the Compliance Officer becomes the key player in the conflict resolution
process.

> In general, I think the role, responsibility of the Compliance Officer
> should be expressed more clearly. As the independence of the board.
>

Maybe you could provide an example wording for what you would like to see
changed here?  This is effectively what I was going with under section IX
when I say "The Compliance Officer is empowered to conduct their
investigations in isolation of the Board in order to maintain neutrality,
but are free to involve members of the Board as necessary.  It is solely
the Compliance Officer’s charge to determine whether or not a complaint can
be considered valid for investigation though any individual may submit a
complaint as noted above."

~josh

On Wed, Nov 12, 2014 at 5:07 PM, Martin Knobloch <martin.knobloch at owasp.org>
wrote:

> Josh, et al.,
>
> Two questions from my side as current developments raised this.
>
> 1. The compliance officer's role as neutral conciliator / mediator
> It might be people hesitate in filing an official complaint, as this is a
> harsh measure, and reaching out to the compliance officer as neutral party
> in a not yet escalated conflict.
> The current policy does not describe this possibility, it comes close to "IV.
> Commitment to Peaceful Conflict Resolution", but without filing an
> official complaint.
> This could be in chapter "IX. Compliance Officer".
> Q: is this part of the compliance officer's role?
>
> 2. Early notification of the compliance officer in case of serious
> complaints.
> As reason history has shown actions of investigation should been handed to
> the investigation soon possible. It might not be part of the Whistleblower
> Policy, but can we find an agreement any serious complaints the board or a
> board member has received, the Compliance Officer should be notified about
> early, before escalation!
>
> In general, I think the role, responsibility of the Compliance Officer
> should be expressed more clearly. As the independence of the board.
>
> Cheers,
> -martin
>
> On Wed, Nov 12, 2014 at 7:40 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> Based on the feedback I received from Martin, I made a few changes to the
>> Whistleblower policy that I had previously sent out.  Please review when
>> you have a chance and feel free to provide feedback either via comment or
>> by responding back to this e-mail.  Here is the link:
>>
>>
>> https://docs.google.com/a/owasp.org/document/d/1OwoHQtNGWxpr2qgSGbTqCRJJYLayh5d8zvzxoh2Cnqk/edit
>>
>> Thanks!
>>
>> ~josh
>>
>
>