[Owasp-board] OWASP Whistleblower Policy Updates

Andrew van der Stock vanderaj at owasp.org
Thu Nov 13 05:01:29 UTC 2014


And by the way, this is a great readable policy. Good job on getting it to
this point.

Andrew

On Thu, Nov 13, 2014 at 3:57 PM, Andrew van der Stock <vanderaj at owasp.org>
wrote:

> The policy is big on keeping things confidential. Now I do think this can
> be helpful to defuse hot tempers, but is it actually necessary? I am happy
> if this is a policy that is adopted from a formal DRP or whistleblower
> policy, and that's the norm for this type of policy.
>
> Time limits. It always seems like Australia is a breeding ground for bush
> lawyers, but one of the issues we had over the last three years is a sports
> doping scandal. The regulator took a very long time to come to a
> conclusion. Should the policy put in guidelines for timely conclusions? I
> would like to see all investigations investigated and finalised within 90
> days to be fair on the person being investigated as well as provide a timely
> outcome for those whose complaints are upheld. Is this possible while still
> maintaining the quality of results?
>
> Lastly, I think "neutrality" is a good goal, but independence is the word
> I think you mean when the policy says "neutral". The compliance officer not
> only needs to be independent, so as to enable investigations where
> Foundation or Board members are the complainants or the subject of an
> investigation, but also they need to be strong enough to resist efforts to
> compromise their independence, such as limiting scope of investigations
> (such as restricting the time or the nature of the complaint). I strongly
> feel that the Compliance Officer should be able to set their own terms of
> reference and run the complaints process without interference.
>
> Andrew
>
> On Thu, Nov 13, 2014 at 3:03 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>>> 1. The compliance officer's role as neutral conciliator / mediator
>>> It might be that people hesitate to file an official complaint, as this
>>> is a harsh measure, and prefer reaching out to the compliance officer as a
>>> neutral party in a conflict that has not yet escalated.
>>> The current policy does not describe this possibility; it comes close to
>>> "IV. Commitment to Peaceful Conflict Resolution", but without filing an
>>> official complaint.
>>> This could be in chapter "IX. Compliance Officer".
>>> Q: is this part of the compliance officer's role?
>>>
>>
>> I *think* what you're talking about is under section III. Initiating an
>> Informal Complaint.  The ED, Board, and Compliance Officer are all
>> identified in this paragraph as possible contacts for informal complaints.
>>
>>> 2. Early notification of the compliance officer in case of serious
>>> complaints.
>>> As recent history has shown, any investigative action should be handed
>>> over to the investigation as soon as possible. It might not be part of the
>>> Whistleblower Policy, but can we find an agreement that, for any serious
>>> complaint the board or a board member has received, the Compliance Officer
>>> should be notified early, before escalation!
>>>
>>
>> I agree that the Board needs to work with the Compliance Officer to
>> discuss serious complaints as early as possible.  I think that what you are
>> referring to here is basically the difference between an informal and a
>> formal complaint.  At the stage of an informal complaint, the goal is to
>> resolve the conflict with those that the conflict involves.  I have no
>> argument either for or against involving the Compliance Officer at this
>> stage.  But once we get to the formal complaint stage, then I think that
>> the Compliance Officer becomes the key player in the conflict resolution
>> process.
>>
>>> In general, I think the role and responsibility of the Compliance Officer
>>> should be expressed more clearly, as should the independence of the board.
>>>
>>
>> Maybe you could provide an example wording for what you would like to see
>> changed here?  This is effectively what I was going with under section IX
>> when I say "The Compliance Officer is empowered to conduct their
>> investigations in isolation of the Board in order to maintain neutrality,
>> but are free to involve members of the Board as necessary.  It is solely
>> the Compliance Officer’s charge to determine whether or not a complaint can
>> be considered valid for investigation though any individual may submit a
>> complaint as noted above."
>>
>> ~josh
>>
>> On Wed, Nov 12, 2014 at 5:07 PM, Martin Knobloch <
>> martin.knobloch at owasp.org> wrote:
>>
>>> Josh, et al.,
>>>
>>> Two questions from my side, as current developments have raised them.
>>>
>>> 1. The compliance officer's role as neutral conciliator / mediator
>>> It might be that people hesitate to file an official complaint, as this
>>> is a harsh measure, and prefer reaching out to the compliance officer as a
>>> neutral party in a conflict that has not yet escalated.
>>> The current policy does not describe this possibility; it comes close to
>>> "IV. Commitment to Peaceful Conflict Resolution", but without filing an
>>> official complaint.
>>> This could be in chapter "IX. Compliance Officer".
>>> Q: is this part of the compliance officer's role?
>>>
>>> 2. Early notification of the compliance officer in case of serious
>>> complaints.
>>> As recent history has shown, any investigative action should be handed
>>> over to the investigation as soon as possible. It might not be part of the
>>> Whistleblower Policy, but can we find an agreement that, for any serious
>>> complaint the board or a board member has received, the Compliance Officer
>>> should be notified early, before escalation!
>>>
>>> In general, I think the role and responsibility of the Compliance Officer
>>> should be expressed more clearly, as should the independence of the board.
>>>
>>> Cheers,
>>> -martin
>>>
>>> On Wed, Nov 12, 2014 at 7:40 PM, Josh Sokol <josh.sokol at owasp.org>
>>> wrote:
>>>
>>>> Based on the feedback I received from Martin, I made a few changes to
>>>> the Whistleblower policy that I had previously sent out.  Please review
>>>> when you have a chance and feel free to provide feedback either via comment
>>>> or by responding back to this e-mail.  Here is the link:
>>>>
>>>>
>>>> https://docs.google.com/a/owasp.org/document/d/1OwoHQtNGWxpr2qgSGbTqCRJJYLayh5d8zvzxoh2Cnqk/edit
>>>>
>>>> Thanks!
>>>>
>>>> ~josh
>>>>
>>>
>>>
>>
>