[Owasp-board] Discussion on Proposal 6

Jim Manico jim.manico at owasp.org
Tue Oct 13 05:27:33 UTC 2015


> 1. Sorry for re-iterating my point from before, but I do think this 
> will create more effort, compared to a list of pre-approved items. I 
> think a list of pre-approved items will be less "red-tape" than to 
> make everyone go through the list of published precedents and then let 
> us find out whether they are the "same".
All that this "bill" is saying is: keep a list of pre-approved items 
and add to it over time as new items get approved. I do not see this as 
adding more work over time, and the effort should lessen as fewer new item 
categories get approved over time.
>
> 2. I would also like to point out that the current proposal text does not 
> speak of the "exact same thing in the past" as Josh used in his 
> explanation. The current proposal text is broader and may result 
> in us discussing what is the "same" from the precedents.
>
> Let me be clear, I am not against the spirit of the approach, only I 
> have doubts about this specific implementation route. Overall, I 
> really think the consolidated (updated) list of acceptable expenses is 
> the best approach. As I mentioned, it is a good idea to populate and 
> update this list based on previous published expenses, but I really 
> prefer the consolidated list to be the reference point, not an 
> unsorted list of all expenses from the past (that potentially lacks 
> context information and what not).
Fair concerns, this is the right time to be discussing...
>
> Best regards, Tobias
>
>
>
>
> On 13/10/15 06:33, Jim Manico wrote:
>> Do you see this "bill" causing harm to the foundation in some way? I 
>> do not. I see this as facilitating efficiency, primary, which is a 
>> good thing.
>>
>> --
>> Jim Manico
>> Global Board Member
>> OWASP Foundation
>> https://www.owasp.org
>> Join me in Rome for AppSecEU 2016!
>>
>> On Oct 13, 2015, at 6:22 AM, Matt Konda <matt.konda at owasp.org> wrote:
>>
>>> Right.
>>>
>>> Do we spend a lot of time with red tape currently?
>>>
>>> Matt
>>>
>>>
>>> On Mon, Oct 12, 2015 at 10:59 PM, Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>     The motivation here is efficiency, removal of red tape and
>>>     encouragement to spend for the mission. Once an expense type is
>>>     approved the goal of this "bill" is to have that expense type
>>>     auto-approved.
>>>
>>>     --
>>>     Jim Manico
>>>     Global Board Member
>>>     OWASP Foundation
>>>     https://www.owasp.org
>>>     Join me in Rome for AppSecEU 2016!
>>>
>>>     On Oct 13, 2015, at 4:26 AM, Matt Konda <matt.konda at owasp.org> wrote:
>>>
>>>>     I'm still considering #6 as are all but Josh and Jim based on
>>>>     this discussion thread.
>>>>
>>>>     I am supportive of the idea behind it and would vote yes if it
>>>>     came to a head.
>>>>
>>>>     Honestly, I don't think it is risky but I don't think I grasp
>>>>     the motivation - perhaps Josh and/or Paul could elaborate on
>>>>     how this might help the Foundation.
>>>>
>>>>     Matt
>>>>
>>>>
>>>>
>>>>     On Fri, Oct 9, 2015 at 4:18 PM, Josh Sokol
>>>>     <josh.sokol at owasp.org> wrote:
>>>>
>>>>         Andrew,
>>>>
>>>>         I definitely hear you, but we have rules in place to even
>>>>         prevent that.  For example Section 4.10 of the Chapter
>>>>         Leader Handbook
>>>>         <https://www.owasp.org/index.php/Chapter_Handbook/Chapter_4:_Chapter_Administration#.28Signing.29_Contracts>
>>>>         says that "Chapter leaders are not authorized to sign
>>>>         contracts or enter into any legal agreements on behalf of
>>>>         the OWASP Foundation".  You will not have any sort of a
>>>>         $50k venue guarantee for services without a signed
>>>>         contract. This is the control that prevents abuse in that
>>>>         specific situation.  There are many others.
>>>>
>>>>         Also, keep in mind that they are authorized only so long as
>>>>         "*they have an account balance which covers that expense in
>>>>         full*". So, if a Chapter or Project has $50k in their
>>>>         account, and wants to spend it on a venue for a conference,
>>>>         why should we stand in their way or require additional
>>>>         approvals if others have done the exact same thing in the
>>>>         past?  The limiting factor here is their account balance
>>>>         and we need to empower them to spend it how they desire as
>>>>         long as it is in adherence with the OWASP mission.
>>>>
>>>>         Tobias: This has not been motioned or seconded yet.  I put
>>>>         it out there for discussion first, since there was not a
>>>>         general consensus on it.
>>>>
>>>>         ~josh
>>>>
>>>>         On Fri, Oct 9, 2015 at 3:49 PM, Tobias
>>>>         <tobias.gondrom at owasp.org> wrote:
>>>>
>>>>             As our mailing-list got a bit swamped, this might have
>>>>             got lost in the hundred voting emails, do we have any
>>>>             further discussion elements on this one?
>>>>             And if people would like to vote on this, can they please
>>>>             confirm that they have at least acknowledged this
>>>>             discussion when casting their vote?
>>>>             Thanks, Tobias
>>>>
>>>>
>>>>
>>>>             On 09/10/15 14:17, Andrew van der Stock wrote:
>>>>>             I am really keen to reduce the amount of bureaucracy
>>>>>             involved in expense management, but this is a really
>>>>>             well trodden path in every single SME to major
>>>>>             enterprise.
>>>>>
>>>>>             My main concern is no upper bounds on pre-approved
>>>>>             expenses. This means that a local chapter that managed
>>>>>             to get an approval for a $50k conference centre fee,
>>>>>             say AppSec AU in 2011, would mean that all chapters
>>>>>             would be automatically allowed to claim that expense
>>>>>             too. I want to enable that, whilst not allowing us to
>>>>>             be hit with hundreds of large conferences being
>>>>>             organised throughout the year. We simply don't have
>>>>>             the staff bandwidth nor the funds to do that today.
>>>>>
>>>>>             Typical financial governance is pre-approval for
>>>>>             expenses under a certain dollar value, and a single
>>>>>             sign off within the Foundation approval for expenses
>>>>>             between say the cut off and say a $10k limit, and
>>>>>             senior management approval above $10k. In my view, we
>>>>>             can hit the home run we all are looking for, whilst
>>>>>             still maintaining good financial governance over major
>>>>>             expenses whilst not ruling out ANY type of expense
>>>>>             that a chapter might be able to come up with.
>>>>>
>>>>>             My view is that we go through all the paid out
>>>>>             expenses over the last two years, and work out some
>>>>>             limits. We can tummy tussle over the exact limits, but
>>>>>             I feel the following would be a good start:
>>>>>
>>>>>             $0 - $1500 should cover nearly all expenses paid to
>>>>>             date along with the above proposal's list of
>>>>>             pre-approved expenses
>>>>>             $1500 to $10k should be an approval level granted to a
>>>>>             project coordinator or chapters coordinator. All
>>>>>             expenses are subject to sign off prior to incurring
>>>>>             the expense
>>>>>             $10k ... $100k is within the signing range of the
>>>>>             Executive Director, and would require pre-approval
>>>>>             before incurring the expense
>>>>>             Above $100k would require Exec Dir + Board approval.
>>>>>
>>>>>             That way, local area conference bills of $50k don't
>>>>>             hit us without forewarning, and yet we have the
>>>>>             flexibility of allowing LAScon and AppSec Cali to work
>>>>>             without a special rule or budgetary process. The
>>>>>             majority of projectors, catering, room fees, and so on
>>>>>             would never be huge amounts of work for Foundation staff.
>>>>>
>>>>>             I think it hits what you're trying to achieve without
>>>>>             opening us up to some serious financial problems down
>>>>>             the track.
>>>>>
>>>>>             thanks,
>>>>>             Andrew
>>>>>
>>>>>             On Fri, Oct 9, 2015 at 1:20 PM, Josh Sokol
>>>>>             <josh.sokol at owasp.org> wrote:
>>>>>
>>>>>                 Here is the current text for proposal 6:
>>>>>
>>>>>                 *If a request for funding has been approved for
>>>>>                 one chapter or project, then it can be considered
>>>>>                 an acceptable expense for all chapters or
>>>>>                 projects. If they have an account balance which
>>>>>                 covers that expense in full, then they should be
>>>>>                 considered pre-approved for spending.*
>>>>>
>>>>>                 _*Tobias:*_
>>>>>                 I agree in spirit, but I think this needs
>>>>>                 clarification and am a bit concerned about liberal
>>>>>                 interpretations of what is the same expense type.
>>>>>                 Expenses tend to not be exactly identical and I
>>>>>                 would like to save chapter and project leads from
>>>>>                 searching the public expense lists for precedents.
>>>>>                 As one example if a flight ticket is approved for
>>>>>                 a chapter leader to attend the AppSec chapter
>>>>>                 leader workshop, that should not mean we also
>>>>>                 approve a flight ticket to Bahamas for holiday for
>>>>>                 another chapter leader. Technically both are
>>>>>                 flight expenses for chapter leaders. (I know I am
>>>>>                 splitting hairs...)
>>>>>
>>>>>                 Suggested revision:
>>>>>                 Proposal 6: If a request for funding has been
>>>>>                 approved for one chapter or project, then it can
>>>>>                 be considered an acceptable expense for all
>>>>>                 chapters or projects. Our operations team shall
>>>>>                 periodically (at least once every 3 months) review
>>>>>                 the list of published expenses and if new expense
>>>>>                 types come up add them to the published list of
>>>>>                 acceptable expenses. If the chapters or projects
>>>>>                 have an account balance which covers that expense
>>>>>                 in full, then they should be considered
>>>>>                 pre-approved for spending.
>>>>>
>>>>>                 _*Josh:*_
>>>>>                 I think that we need to trust people to do the
>>>>>                 right thing. To my knowledge, we have never had a
>>>>>                 person try to request reimbursement for a trip to
>>>>>                 the Bahamas because someone got a flight paid for
>>>>>                 to AppSec.  Also, keep in mind that this is a
>>>>>                 reimbursement process so our Operations Team
>>>>>                 determines whether a request is legit.  To me, it
>>>>>                 would seem like you're putting a lot of extra work
>>>>>                 on the Ops Team with little added benefit since
>>>>>                 they are still going to have to find a way to
>>>>>                 write it up so that it will not be misinterpreted.
>>>>>                 I think we have reasonable controls in place to
>>>>>                 prevent abuse and our liability here is minimal.
>>>>>                 I don't see a need to revise it in this manner.
>>>>>
>>>>>                 _*Tobias:*_
>>>>>                 Well, I don't think to maintain a list of good
>>>>>                 examples is unnecessarily heavy workload. And in
>>>>>                 the long run, searching through a long
>>>>>                 unstructured list of published expense claims will
>>>>>                 be more work load for both the staff and the
>>>>>                 community to check for good expense precedents. If
>>>>>                 we do this one time per quarter, the effort is
>>>>>                 clearly limited. If we (staff and leaders) have to
>>>>>                 review an unlimited year long list for precedent,
>>>>>                 this seems much more effort.
>>>>>
>>>>>                 _*Josh:*_
>>>>>                 In theory we are supposed to be maintaining a list
>>>>>                 of good examples already.  Some of them are listed
>>>>>                 in the Chapter and Project Leader Handbooks. That
>>>>>                 said, they aren't anywhere close to all of the
>>>>>                 possible things one would want to spend their
>>>>>                 money on.  The idea here was simply to maintain
>>>>>                 the running list of all expenses that are approved
>>>>>                 or denied (proposal 5) and use that to drive
>>>>>                 spending. Again, I think this comes down to a
>>>>>                 matter of trust.  We need to trust our Leaders to
>>>>>                 do the right thing.  We need to trust the staff to
>>>>>                 ensure that the reimbursement is legitimate before
>>>>>                 sending them a check. With so many complaints
>>>>>                 about difficulties with the reimbursement process
>>>>>                 (as much as I've never seen them), we should be
>>>>>                 looking for ways to strip away the red tape, not
>>>>>                 add more of it.
>>>>>
>>>>>                 ~josh
>>>>>
>>>>>                 _______________________________________________
>>>>>                 Owasp-board mailing list
>>>>>                 Owasp-board at lists.owasp.org
>>>>>                 https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>

-- 
Jim Manico
Global Board Member
OWASP Foundation
https://www.owasp.org
