[Owasp-board] Discussion on Proposal 6

Tobias tobias.gondrom at owasp.org
Tue Oct 13 04:54:09 UTC 2015


1. Sorry for re-iterating my point from before, but I do think this will 
create more effort, compared to a list of pre-approved items. I think a 
list of pre-approved items will be less "red-tape" than to make everyone 
go through the list of published precedents and then let us find out 
whether they are the "same".

2. I would also like to point out that the current proposal text does not 
speak of the "exact same thing in the past" as Josh used in his 
explanation. The current proposal text is broader and may result in 
us discussing what is the "same" from the precedents.

Let me be clear, I am not against the spirit of the approach, only I 
have doubts about this specific implementation route. Overall, I really 
think the consolidated (updated) list of acceptable expenses is the best 
approach. As I mentioned, it is a good idea to populate and update this 
list based on previous published expenses, but I really prefer the 
consolidated list to be the reference point, not an unsorted list of all 
expenses from the past (that potentially lacks context information and 
what not).

Best regards, Tobias




On 13/10/15 06:33, Jim Manico wrote:
> Do you see this "bill" causing harm to the foundation in some way? I 
> do not. I see this as facilitating efficiency, primarily, which is a 
> good thing.
>
> --
> Jim Manico
> Global Board Member
> OWASP Foundation
> https://www.owasp.org
> Join me in Rome for AppSecEU 2016!
>
> On Oct 13, 2015, at 6:22 AM, Matt Konda <matt.konda at owasp.org> wrote:
>
>> Right.
>>
>> Do we spend a lot of time with red tape currently?
>>
>> Matt
>>
>>
>> On Mon, Oct 12, 2015 at 10:59 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>     The motivation here is efficiency, removal of red tape and
>>     encouragement to spend for the mission. Once an expense type is
>>     approved the goal of this "bill" is to have that expense type
>>     auto-approved.
>>
>>     --
>>     Jim Manico
>>     Global Board Member
>>     OWASP Foundation
>>     https://www.owasp.org
>>     Join me in Rome for AppSecEU 2016!
>>
>>     On Oct 13, 2015, at 4:26 AM, Matt Konda <matt.konda at owasp.org> wrote:
>>
>>>     I'm still considering #6 as are all but Josh and Jim based on
>>>     this discussion thread.
>>>
>>>     I am supportive of the idea behind it and would vote yes if it
>>>     came to a head.
>>>
>>>     Honestly, I don't think it is risky but I don't think I grasp
>>>     the motivation - perhaps Josh and/or Paul could elaborate on how
>>>     this might help the Foundation.
>>>
>>>     Matt
>>>
>>>
>>>
>>>     On Fri, Oct 9, 2015 at 4:18 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>
>>>         Andrew,
>>>
>>>         I definitely hear you, but we have rules in place to even
>>>         prevent that.  For example Section 4.10 of the Chapter
>>>         Leader Handbook
>>>         <https://www.owasp.org/index.php/Chapter_Handbook/Chapter_4:_Chapter_Administration#.28Signing.29_Contracts>
>>>         says that "Chapter leaders are not authorized to sign
>>>         contracts or enter into any legal agreements on behalf of
>>>         the OWASP Foundation".  You will not have any sort of a $50k
>>>         venue guarantee for services without a signed contract. 
>>>         This is the control that prevents abuse in that specific
>>>         situation.  There are many others.
>>>
>>>         Also, keep in mind that they are authorized only so long as
>>>         "*they have an account balance which covers that expense in
>>>         full*". So, if a Chapter or Project has $50k in their
>>>         account, and wants to spend it on a venue for a conference,
>>>         why should we stand in their way or require additional
>>>         approvals if others have done the exact same thing in the
>>>         past?  The limiting factor here is their account balance and
>>>         we need to empower them to spend it how they desire as long
>>>         as it is in adherence with the OWASP mission.
>>>
>>>         Tobias: This has not been motioned or seconded yet.  I put
>>>         it out there for discussion first, since there was not a
>>>         general consensus on it.
>>>
>>>         ~josh
>>>
>>>         On Fri, Oct 9, 2015 at 3:49 PM, Tobias <tobias.gondrom at owasp.org> wrote:
>>>
>>>             As our mailing list got a bit swamped, this might have
>>>             got lost in the hundreds of voting emails. Do we have any
>>>             further discussion elements on this one?
>>>             And if people would like to vote on this, can they please
>>>             confirm that they have at least acknowledged this
>>>             discussion when casting their vote?
>>>             Thanks, Tobias
>>>
>>>
>>>
>>>             On 09/10/15 14:17, Andrew van der Stock wrote:
>>>>             I am really keen to reduce the amount of bureaucracy
>>>>             involved in expense management, but this is a really
>>>>             well trodden path in every single SME to major enterprise.
>>>>
>>>>             My main concern is no upper bounds on pre-approved
>>>>             expenses. This means that a local chapter that managed
>>>>             to get an approval for a $50k conference centre fee,
>>>>             say AppSec AU in 2011, would mean that all chapters
>>>>             would be automatically allowed to claim that expense
>>>>             too. I want to enable that, whilst not allowing us to
>>>>             be hit with hundreds of large conferences being
>>>>             organised throughout the year. We simply don't have the
>>>>             staff bandwidth nor the funds to do that today.
>>>>
>>>>             Typical financial governance is pre-approval for
>>>>             expenses under a certain dollar value, and a single
>>>>             sign off within the Foundation approval for expenses
>>>>             between say the cut off and say a $10k limit, and
>>>>             senior management approval above $10k. In my view, we
>>>>             can hit the home run we all are looking for, whilst
>>>>             still maintaining good financial governance over major
>>>>             expenses whilst not ruling out ANY type of expense that
>>>>             a chapter might be able to come up with.
>>>>
>>>>             My view is that we go through all the paid out expenses
>>>>             over the last two years, and work out some limits. We
>>>>             can tummy tussle over the exact limits, but I feel the
>>>>             following would be a good start:
>>>>
>>>>             - $0 - $1500 should cover nearly all expenses paid to
>>>>               date along with the above proposal's list of
>>>>               pre-approved expenses.
>>>>             - $1500 to $10k should be an approval level granted to a
>>>>               project coordinator or chapters coordinator. All
>>>>               expenses are subject to sign off prior to incurring the
>>>>               expense.
>>>>             - $10k ... $100k is within the signing range of the
>>>>               Executive Director, and would require pre-approval
>>>>               before incurring the expense.
>>>>             - Above $100k would require Exec Dir + Board approval.
>>>>
>>>>             That way, local area conference bills of $50k don't hit
>>>>             us without forewarning, and yet we have the flexibility
>>>>             of allowing LAScon and AppSec Cali to work without a
>>>>             special rule or budgetary process. The majority of
>>>>             projectors, catering, room fees, and so on would never
>>>>             be huge amounts of work for Foundation staff.
>>>>
>>>>             I think it hits what you're trying to achieve without
>>>>             opening us up to some serious financial problems down
>>>>             the track.
>>>>
>>>>             thanks,
>>>>             Andrew
>>>>
>>>>             On Fri, Oct 9, 2015 at 1:20 PM, Josh Sokol <josh.sokol at owasp.org> wrote:
>>>>
>>>>                 Here is the current text for proposal 6:
>>>>
>>>>                 *If a request for funding has been approved for one
>>>>                 chapter or project, then it can be considered an
>>>>                 acceptable expense for all chapters or projects. If
>>>>                 they have an account balance which covers that
>>>>                 expense in full, then they should be considered
>>>>                 pre-approved for spending.*
>>>>
>>>>                 _*Tobias:*_
>>>>                 I agree in spirit, but I think this needs
>>>>                 clarification and am a bit concerned about liberal
>>>>                 interpretations of what is the same expense type.
>>>>                 Expenses tend to not be exactly identical and I
>>>>                 would like to save chapter and project leads from
>>>>                 searching the public expense lists for precedents.
>>>>                 As one example, if a flight ticket is approved for a
>>>>                 chapter leader to attend the AppSec chapter leader
>>>>                 workshop, that should not mean we also approve a
>>>>                 flight ticket to the Bahamas for a holiday for another
>>>>                 chapter leader. Technically both are flight
>>>>                 expenses for chapter leaders. (I know I am
>>>>                 splitting hairs...)
>>>>
>>>>                 Suggested revision:
>>>>                 Proposal 6: If a request for funding has been
>>>>                 approved for one chapter or project, then it can be
>>>>                 considered an acceptable expense for all chapters
>>>>                 or projects. Our operations team shall periodically
>>>>                 (at least once every 3 months) review the list of
>>>>                 published expenses and if new expense types come up
>>>>                 add them to the published list of acceptable
>>>>                 expenses. If the chapters or projects have an
>>>>                 account balance which covers that expense in full,
>>>>                 then they should be considered pre-approved for
>>>>                 spending.
>>>>
>>>>                 _*Josh:*_
>>>>                 I think that we need to trust people to do the
>>>>                 right thing. To my knowledge, we have never had a
>>>>                 person try to request reimbursement for a trip to
>>>>                 the Bahamas because someone got a flight paid for
>>>>                 to AppSec.  Also, keep in mind that this is a
>>>>                 reimbursement process so our Operations Team
>>>>                 determines whether a request is legit.  To me, it
>>>>                 would seem like you're putting a lot of extra work
>>>>                 on the Ops Team with little added benefit since
>>>>                 they are still going to have to find a way to write
>>>>                 it up so that it will not be misinterpreted. I
>>>>                 think we have reasonable controls in place to
>>>>                 prevent abuse and our liability here is minimal.  I
>>>>                 don't see a need to revise it in this manner.
>>>>
>>>>                 _*Tobias:*_
>>>>                 Well, I don't think maintaining a list of good
>>>>                 examples is an unnecessarily heavy workload. And in
>>>>                 the long run, searching through a long unstructured
>>>>                 list of published expense claims will be more
>>>>                 workload for both the staff and the community to check
>>>>                 for good expense precedents. If we do this one time
>>>>                 per quarter, the effort is clearly limited. If we
>>>>                 (staff and leaders) have to review an unlimited
>>>>                 year-long list for precedent, this seems much more
>>>>                 effort.
>>>>
>>>>                 _*Josh:*_
>>>>                 In theory we are supposed to be maintaining a list
>>>>                 of good examples already.  Some of them are listed
>>>>                 in the Chapter and Project Leader Handbooks. That
>>>>                 said, they aren't anywhere close to all of the
>>>>                 possible things one would want to spend their money
>>>>                 on.  The idea here was simply to maintain the
>>>>                 running list of all expenses that are approved or
>>>>                 denied (proposal 5) and use that to drive spending.
>>>>                 Again, I think this comes down to a matter of
>>>>                 trust.  We need to trust our Leaders to do the
>>>>                 right thing.  We need to trust the staff to ensure
>>>>                 that the reimbursement is legitimate before sending
>>>>                 them a check. With so many complaints about
>>>>                 difficulties with the reimbursement process (as
>>>>                 much as I've never seen them), we should be looking
>>>>                 for ways to strip away the red tape, not add more
>>>>                 of it.
>>>>
>>>>                 ~josh
>>>>
>>>>                 _______________________________________________
>>>>                 Owasp-board mailing list
>>>>                 Owasp-board at lists.owasp.org
>>>>                 <mailto:Owasp-board at lists.owasp.org>
>>>>                 https://lists.owasp.org/mailman/listinfo/owasp-board
