[Owasp-board] OWASP Whistleblower Policy Updates

Tobias tobias.gondrom at owasp.org
Thu Nov 20 05:10:28 UTC 2014


Hi all,

I think travel to have meetings in person about complaints is not 
feasible for an organisation of our size.
We are a global organisation and complaints are coming from anywhere. So 
only under special circumstances should we make the financial investment 
to arrange travel for face-2-face meetings.
And we use skype/Google hangout for all other operations, so it would be 
overdoing it to spend money on travel to see face to face complaining 
parties.

Looking at the amount of complaints work coming in over the last 24 
months, I would agree that a compliance team would be more suitable to 
allow for a timely resolution and to share the burden across several 
people.

Best, Tobias




On 17/11/14 06:32, Bil Corry wrote:
>
> This may be of interest:
>
> IETF Anti-Harassment Procedures
>
> http://datatracker.ietf.org/doc/draft-farrresnickel-harassment/?include_text=1
>
> - Bil
>
> *From:*owasp-board-bounces at lists.owasp.org 
> [mailto:owasp-board-bounces at lists.owasp.org] *On Behalf Of *Jim Manico
> *Sent:* Saturday, November 15, 2014 3:02 AM
> *To:* Martin Knobloch; Andrew van der Stock
> *Cc:* OWASP Foundation Board List; Matt Konda
> *Subject:* Re: [Owasp-board] OWASP Whistleblower Policy Updates
>
> I think the answer here is to turn the "compliance officer" role into 
> a "compliance committee". This is too much for one person.
>
> > I would be, to a certain extent and only if there is a clear 
> > benefit, willing to travel. But is the board okay with the 
> > additional expenses?
>
> This seems rather expensive, both in your lost work time and in travel 
> costs. Do you think something like online video would suffice?
>
> Thank you, Martin.
> - Jim
>
> On 11/13/14 5:38 PM, Martin Knobloch wrote:
>
>     Andrew, Josh,
>
>     I like your comments Andrew and am definitely in favor of an as
>     soon as possible investigation and closing of matters. Unfortunately,
>     it is as Josh says, as a volunteer I do not have the resources to
>     guarantee this.
>
>     On the other hand, some issues are just not possible to solve
>     inside the suggested time limit of 90 days. Reasons for that can
>     be dependencies like court procedures etc. Of course, luckily we
>     can consider those as exceptions to the rule.
>
>     So, for the first point, if a 90 day closure is wanted, I would
>     need to occasionally drop assignments in order to fulfil these
>     expectations. Of course, thereby I would lose income. In other
>     words, on a volunteer basis this is not possible.
>
>     One thing, this has been discussed earlier, there would also be
>     the option of seeing people in person in order to solve matters.
>     Downside would be (next to losing assignments as said before)
>     travel expenses.
>
>     I would be, to a certain extent and only if there is a clear
>     benefit, willing to travel. But is the board okay with the
>     additional expenses?
>
>     Of course, there is still the matter of loss of income.
>
>     Cheers,
>
>     -martin
>
>     On Thu, Nov 13, 2014 at 8:19 AM, Andrew van der Stock
>     <vanderaj at owasp.org <mailto:vanderaj at owasp.org>> wrote:
>
>     Actually thinking more about whistleblower policies, I know that
>     my soon to be ex-employer not only has confidentiality around this
>     but also an anonymous tip off box so as to encourage free and
>     frank disclosure of difficult topics. Sunshine is the best
>     disinfectant, as the saying goes, and I don't mind sunshine
>     being let in.
>
>     Considering the desired outcome of blowing the whistle is to
>     provide tip offs about poor behavior or not so nice activities and
>     possibly about those who wield some power within the organisation,
>     I think confidentiality is actually important to provide a layer
>     of protection for those willing to put in a complaint. So please
>     ignore me on confidentiality.
>
>     As you say, I think as long as the process is demonstrably fair
>     and balanced, and the results communicated publicly, that is in my
>     view sufficient. Let's not worry about it.
>
>     thanks,
>
>     Andrew
>
>     On Thu, Nov 13, 2014 at 4:39 PM, Josh Sokol <josh.sokol at owasp.org
>     <mailto:josh.sokol at owasp.org>> wrote:
>
>     The confidentiality piece is an interesting one and I feel like it
>     really becomes a situational thing.  My biggest concern is that
>     when initially disclosed, an accusation feels more like an attack
>     to the accused, but without the ability to defend oneself.  On the
>     other end, you have people who feel like a public ruling is a
>     violation of our code of ethics because it can "injure and impugn"
>     their professional reputation. That said, we are an open
>     organization and having a truly transparent process fits that
>     mold.  But then again, what about a more personal situation
>     involving sexual harassment or similar? Publicly disclosing that
>     could lead to unwanted embarrassment.  I'll be the first one to
>     say that I don't have a good answer here and would be willing to
>     listen if someone feels passionately about it one way or the other.
>
>     I like the general idea of imposing a time limit for the reasons
>     you mentioned.  My concern is that our Compliance Officer is only
>     one person and can be handling multiple issues at one time.  We
>     also have to keep in mind that they are 100% volunteer in this
>     capacity and putting time constraints on them could be very
>     stressful and lead to a less effective investigation in order to
>     fit it in the timeframe.  I'm not sure how much sense it would
>     make to time-box this.
>
>     Yes, you are right.  Independence, not neutrality, is really the
>     more fitting word here.  I've changed it.  Thanks for your
>     feedback.  I love your passion Andrew!
>
>     ~josh
>
>     On Wed, Nov 12, 2014 at 10:57 PM, Andrew van der Stock
>     <vanderaj at owasp.org <mailto:vanderaj at owasp.org>> wrote:
>
>     The policy is big on keeping things confidential. Now I do think
>     this can be helpful to diffuse hot tempers, but is it actually
>     necessary? I am happy if this is a policy that is adopted from a
>     formal DRP or whistleblowers policy, and that's the norm for this
>     type of policy.
>
>     Time limits. It always seems like Australia is a breeding ground
>     for bush lawyers, but one of the issues we had over the last three
>     years is a sports doping scandal. The regulator took a very long
>     time to come to a conclusion. Should the policy put in guidelines
>     for timely conclusions? I would like to see all investigations
>     investigated and finalised within 90 days to be fair on the person
>     being investigated as well as provide a timely outcome for those
>     whose complaints are upheld. Is this possible and still maintain
>     quality of results?
>
>     Lastly, I think "neutrality" is a good goal, but independence is
>     the word I think you mean when the policy says "neutral". The
>     compliance officer not only needs to be independent, so as to
>     enable investigations where Foundation or Board members are the
>     complainants or the subject of an investigation, but also they
>     need to be strong enough to resist efforts to compromise their
>     independence, such as limiting scope of investigations (such as
>     restricting the time or the nature of the complaint). I strongly
>     feel that the Compliance Officer should be able to set their own
>     terms of reference and run the complaints process without
>     interference.
>
>     Andrew
>
>     On Thu, Nov 13, 2014 at 3:03 PM, Josh Sokol <josh.sokol at owasp.org
>     <mailto:josh.sokol at owasp.org>> wrote:
>
>         1. The compliance officer's role as neutral conciliator / mediator
>
>         It might be that people hesitate in filing an official complaint,
>         as this is a harsh measure, and reach out to the compliance
>         officer as a neutral party in a not yet escalated conflict.
>
>         The current policy does not describe this possibility, it
>         comes close to "*IV. Commitment to Peaceful Conflict
>         Resolution*", but without filing an official complaint.
>
>         This could be in chapter "*IX. Compliance Officer*".
>
>         Q: is this part of the compliance officer's role?
>
>     I *think* what you're talking about is under section III.
>     Initiating an Informal Complaint.  The ED, Board, and Compliance
>     Officer are all identified in this paragraph as possible contacts
>     for informal complaints.
>
>     2. Early notification of the compliance officer in case of serious
>     complaints.
>     As recent history has shown, actions of investigation should be
>     handed to the investigation as soon as possible. It might not be part of
>     the Whistleblower Policy, but can we find an agreement that any serious
>     complaints the board or a board member has received, the Compliance
>     Officer should be notified about early, before escalation!
>
>
>     I agree that the Board needs to work with the Compliance Officer
>     to discuss serious complaints as early as possible.  I think that
>     what you are referring to here is basically the difference between
>     an informal and a formal complaint.  At the stage of an informal
>     complaint, the goal is to resolve the conflict with those that the
>     conflict involves.  I have no argument either for or against
>     involving the Compliance Officer at this stage.  But once we get
>     to the formal complaint stage, then I think that the Compliance
>     Officer becomes the key player in the conflict resolution process.
>
>     In general, I think the role and responsibility of the Compliance
>     Officer should be expressed more clearly. As well as the independence
>     of the board.
>
>     Maybe you could provide an example wording for what you would like
>     to see changed here? This is effectively what I was going with
>     under section IX when I say "The Compliance Officer is empowered
>     to conduct their investigations in isolation of the Board in order
>     to maintain neutrality, but are free to involve members of the
>     Board as necessary.  It is solely the Compliance Officer’s charge
>     to determine whether or not a complaint can be considered valid
>     for investigation though any individual may submit a complaint as
>     noted above."
>
>     ~josh
>
>     On Wed, Nov 12, 2014 at 5:07 PM, Martin Knobloch
>     <martin.knobloch at owasp.org <mailto:martin.knobloch at owasp.org>> wrote:
>
>     Josh, et al.,
>
>     Two questions from my side as current developments raised this.
>
>     1. The compliance officer's role as neutral conciliator / mediator
>
>     It might be that people hesitate in filing an official complaint, as
>     this is a harsh measure, and reach out to the compliance officer
>     as a neutral party in a not yet escalated conflict.
>
>     The current policy does not describe this possibility, it comes
>     close to "*IV. Commitment to Peaceful Conflict Resolution*", but
>     without filing an official complaint.
>
>     This could be in chapter "*IX. Compliance Officer*".
>
>     Q: is this part of the compliance officer's role?
>
>     2. Early notification of the compliance officer in case of serious
>     complaints.
>     As recent history has shown, actions of investigation should be
>     handed to the investigation as soon as possible. It might not be part of
>     the Whistleblower Policy, but can we find an agreement that any serious
>     complaints the board or a board member has received, the Compliance
>     Officer should be notified about early, before escalation!
>
>     In general, I think the role and responsibility of the Compliance
>     Officer should be expressed more clearly. As well as the independence
>     of the board.
>
>     Cheers,
>
>     -martin
>
>     On Wed, Nov 12, 2014 at 7:40 PM, Josh Sokol <josh.sokol at owasp.org
>     <mailto:josh.sokol at owasp.org>> wrote:
>
>     Based on the feedback I received from Martin, I made a few changes
>     to the Whistleblower policy that I had previously sent out. Please
>     review when you have a chance and feel free to provide feedback
>     either via comment or by responding back to this e-mail.  Here is
>     the link:
>
>     https://docs.google.com/a/owasp.org/document/d/1OwoHQtNGWxpr2qgSGbTqCRJJYLayh5d8zvzxoh2Cnqk/edit
>
>     Thanks!
>
>     ~josh
>
>
>
>
>     _______________________________________________
>
>     Owasp-board mailing list
>
>     Owasp-board at lists.owasp.org  <mailto:Owasp-board at lists.owasp.org>
>
>     https://lists.owasp.org/mailman/listinfo/owasp-board
>
