[Owasp-board] Discussion on Proposal 6

Josh Sokol josh.sokol at owasp.org
Wed Oct 14 00:20:54 UTC 2015


Tobias,

The fact that we are trying to keep an active list in a policy document
(the handbooks) to begin with is the problem.  This is a horrible process.
The handbooks should refer to a wiki page or other document that can be
dynamically updated as new expenses are approved.  We should not generate a
new copy of the handbooks.  That is ridiculous.

I guess I'm not sure how this structure is unclear or confusing.  Keep a
running list of expenses in a page that is publicly accessible.  By nature
of being text in a browser it is automatically searchable.  That seems
stupid simple to me.  Way easier than trying to review expenses on a
regular basis and add them to a policy document.

In any case, if you don't have a proposal for a change in text, then I will
go ahead and motion for a vote and see where we are at.

~josh
On Oct 13, 2015 5:12 PM, "Tobias Gondrom" <tgondrom at gmx.net> wrote:

> Josh,
>
> Let's fix the problem instead of creating a new list, just because the old
> one was not totally up to date. Especially as we have not even really tried
> hard to update the existing list and keep it maintained. So I would rather
> fix the problem you mention, aka "update the list", than make a more
> complicated construct with letting people parse and search through a long
> unstructured list.
>
> This will equally achieve the same objective, which I agree is important.
> Just with clearer structure and less searching and confusion.
>
> Best regards, Tobias
>
>
> On 13/10/15 21:10, Josh Sokol wrote:
>
> All,
>
> Take a look at the list of what is allowed in the project or chapter
> handbook.  Then consider all of the things that chapters and projects spend
> their money on today.  These lists are not kept up-to-date with what is
> appropriate.  It's not a problem in-and-of-itself as Paul et al are usually
> pretty quick to approve, but we have heard from a number of members of our
> community that it is NOT CLEAR WHAT they can spend their money on.  Think
> of the current approach as an Access Control List where we have a default
> deny and a very short list of what is allowed through.  It's secure, but
> the usability is challenging.  This proposal allows us to dynamically
> expand that ACL based on what others in the organization are doing.  Stuff
> not in the list requires approval from Ops, just as it does today, but with
> the knowledge that approval is an explicit approval for anyone to do it.
> We should have no situation at OWASP where something is OK for one chapter
> or project and not OK for another.  If you can think of one, please let me
> know and prove me wrong.  Liability is limited to 1) The amount in a
> chapter or project account (i.e. they are spending "their" money) and 2)
> What has already been approved for someone else.  This is VERY LOW RISK and
> VERY HIGH REWARD because it gets money moving.  If you want to propose
> revised language to fine-tune it, please do so, but this is very much
> necessary to get people spending.
>
> ~josh
>
> On Tue, Oct 13, 2015 at 11:45 AM, Paul Ritchie <paul.ritchie at owasp.org>
> wrote:
>
>> To Foundation Board list.
>>
>> *On this proposal #6, and the red-tape issue, or excessive effort for
>> Operations:*
>>
>> On approving and paying reimbursements, we really don't have much
>> red-tape....when the expense is fully covered within the Chapter or Project
>> budget.
>> We Ask:  Does the Project/Chapter have the budget?  Does the expense fit
>> the guidelines in the Handbook?  IF yes, the reimbursement is paid, no
>> problem.
>>
>> *On Maintaining a list*
>> From an operations point, I'd like to keep the Project & Chapter
>> Handbooks updated as the source of the spending guidelines & policy
>> statements. Those are our "manuals" and I'd like to reinforce all community
>> members to look there first.  The current lists could be updated by Noreen
>> & Claudia.
>>
>> For new listing, it is probably smart to add a list or table of 'approved
>> & supported' expenses to the wiki pages for Funding, Projects & Chapters.
>> My belief here is that it is the 'same info' as found in the Handbook, it's
>> just immediately visible on the main page of the Project or Chapter wiki
>> pages.
>> Yes, some medium amount of work to create & update this list, but it's
>> mostly a one-time effort.
>>
>> *The only Caution:*
>>
>> We have seen a couple projects or chapters ask for hardware, or
>> cloud-based software services.  My Caution is that before we just
>> auto-approve an expense for this category of 'stuff' we ask if the Chapter
>> or Project need can be solved with existing Foundation
>> Infrastructure.......or the infrastructure already owned or rented by other
>> Chapters.
>>
>> Just trying to minimize redundancy on this topic.   Plus, ownership is a
>> red-tape issue here as the Foundation is the only one who has been signing
>> contracts and agreements for hardware & software.
>>
>> Paul
>>
>>
>>
>>
>> Best Regards, Paul Ritchie
>> OWASP Executive Director
>> paul.ritchie at owasp.org
>>
>>
>> On Tue, Oct 13, 2015 at 2:43 AM, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>> Been thinking about this, I think you're right Fabio and Tobias. Perhaps
>>> make this bill more general and let operations figure out the "how"?
>>>
>>> It doesn't look like this will pass as is.
>>>
>>> --
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>> Join me in Rome for AppSecEU 2016!
>>>
>>> On Oct 13, 2015, at 11:35 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:
>>>
>>> I share Tobias concerns on this one. A populated list maintained by the
>>> Foundation might be a better approach IMHO.
>>>
>>> Fabio Cerullo
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>>
>>> On 13 Oct 2015, at 6:27 a.m., Jim Manico <jim.manico at owasp.org> wrote:
>>>
>>>
>>> 1. Sorry for re-iterating my point from before, but I do think this will
>>> create more effort, compared to a list of pre-approved items. I think a
>>> list of pre-approved items will be less "red-tape" than to make everyone go
>>> through the list of published precedents and then let us find out whether
>>> they are the "same".
>>>
>>> All that this "bill" is saying is: Keep a list of pre-approved items
>>> and add to it over time as new items get approved. I do not see this as
>>> adding more work over time and the effort should lessen as fewer new item
>>> categories get approved over time.
>>>
>>>
>>> 2. I would also like to point out that the current proposal text does not
>>> speak of the "exact same thing in the past" as Josh used in his
>>> explanation. The current proposal text is broader and may result in us
>>> discussing what is the "same" from the precedents.
>>>
>>> Let me be clear, I am not against the spirit of the approach, only I
>>> have doubts about this specific implementation route. Overall, I really
>>> think the consolidated (updated) list of acceptable expenses is the best
>>> approach. As I mentioned, it is a good idea to populate and update this
>>> list based on previous published expenses, but I really prefer the
>>> consolidated list to be the reference point, not an unsorted list of all
>>> expenses from the past (that potentially lacks context information and what
>>> not).
>>>
>>> Fair concerns, this is the right time to be discussing...
>>>
>>>
>>> Best regards, Tobias
>>>
>>>
>>>
>>>
>>> On 13/10/15 06:33, Jim Manico wrote:
>>>
>>> Do you see this "bill" causing harm to the foundation in some way? I do
>>> not. I see this as facilitating efficiency, primarily, which is a good thing.
>>>
>>> --
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>> Join me in Rome for AppSecEU 2016!
>>>
>>> On Oct 13, 2015, at 6:22 AM, Matt Konda <matt.konda at owasp.org> wrote:
>>>
>>> Right.
>>>
>>> Do we spend a lot of time with red tape currently?
>>>
>>> Matt
>>>
>>>
>>> On Mon, Oct 12, 2015 at 10:59 PM, Jim Manico <jim.manico at owasp.org>
>>> wrote:
>>>
>>>> The motivation here is efficiency, removal of red tape and
>>>> encouragement to spend for the mission. Once an expense type is approved
>>>> the goal of this "bill" is to have that expense type auto-approved.
>>>>
>>>> --
>>>> Jim Manico
>>>> Global Board Member
>>>> OWASP Foundation
>>>> https://www.owasp.org
>>>> Join me in Rome for AppSecEU 2016!
>>>>
>>>> On Oct 13, 2015, at 4:26 AM, Matt Konda <matt.konda at owasp.org> wrote:
>>>>
>>>> I'm still considering #6 as are all but Josh and Jim based on this
>>>> discussion thread.
>>>>
>>>> I am supportive of the idea behind it and would vote yes if it came to
>>>> a head.
>>>>
>>>> Honestly, I don't think it is risky but I don't think I grasp the
>>>> motivation - perhaps Josh and/or Paul could elaborate on how this might
>>>> help the Foundation.
>>>>
>>>> Matt
>>>>
>>>>
>>>>
>>>> On Fri, Oct 9, 2015 at 4:18 PM, Josh Sokol <josh.sokol at owasp.org>
>>>> wrote:
>>>>
>>>>> Andrew,
>>>>>
>>>>> I definitely hear you, but we have rules in place to even prevent
>>>>> that.  For example Section 4.10 of the Chapter Leader Handbook
>>>>> <https://www.owasp.org/index.php/Chapter_Handbook/Chapter_4:_Chapter_Administration#.28Signing.29_Contracts>
>>>>>  says that "Chapter leaders are not authorized to sign contracts or
>>>>> enter into any legal agreements on behalf of the OWASP Foundation".  You
>>>>> will not have any sort of a $50k venue guarantee for services without a
>>>>> signed contract.  This is the control that prevents abuse in that specific
>>>>> situation.  There are many others.
>>>>>
>>>>> Also, keep in mind that they are authorized only so long as "*they
>>>>> have an account balance which covers that expense in full*".  So, if
>>>>> a Chapter or Project has $50k in their account, and wants to spend it on a
>>>>> venue for a conference, why should we stand in their way or require
>>>>> additional approvals if others have done the exact same thing in the past?
>>>>> The limiting factor here is their account balance and we need to empower
>>>>> them to spend it how they desire as long as it is in adherence with the
>>>>> OWASP mission.
>>>>>
>>>>> Tobias: This has not been motioned or seconded yet.  I put it out
>>>>> there for discussion first, since there was not a general consensus on it.
>>>>>
>>>>> ~josh
>>>>>
>>>>> On Fri, Oct 9, 2015 at 3:49 PM, Tobias <tobias.gondrom at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> As our mailing-list got a bit swamped, this might have got lost in
>>>>>> the hundred voting emails, do we have any further discussion elements on
>>>>>> this one?
>>>>>> And if people like vote on this, can they please confirm that they
>>>>>> have at least acknowledged this discussion when casting their vote?
>>>>>> Thanks, Tobias
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 09/10/15 14:17, Andrew van der Stock wrote:
>>>>>>
>>>>>> I am really keen to reduce the amount of bureaucracy involved in
>>>>>> expense management, but this is a really well trodden path in every single
>>>>>> SME to major enterprise.
>>>>>>
>>>>>> My main concern is no upper bounds on pre-approved expenses. This
>>>>>> means that a local chapter that managed to get an approval for a $50k
>>>>>> conference centre fee, say AppSec AU in 2011, would mean that all chapters
>>>>>> would be automatically allowed to claim that expense too. I want to enable
>>>>>> that, whilst not allowing us to be hit with hundreds of large conferences
>>>>>> being organised throughout the year. We simply don't have the staff
>>>>>> bandwidth nor the funds to do that today.
>>>>>>
>>>>>> Typical financial governance is pre-approval for expenses under a
>>>>>> certain dollar value, and a single sign off within the Foundation approval
>>>>>> for expenses between say the cut off and say a $10k limit, and senior
>>>>>> management approval above $10k. In my view, we can hit the home run we all
>>>>>> are looking for, whilst still maintaining good financial governance over
>>>>>> major expenses whilst not ruling out ANY type of expense that a chapter
>>>>>> might be able to come up with.
>>>>>>
>>>>>> My view is that we go through all the paid out expenses over the last
>>>>>> two years, and work out some limits. We can tummy tussle over the exact
>>>>>> limits, but I feel the following would be a good start:
>>>>>>
>>>>>> $0 - $1500 should cover nearly all expenses paid to date along with
>>>>>> the above proposal's list of pre-approved expenses
>>>>>> $1500 to $10k should be an approval level granted to a project
>>>>>> coordinator or chapters coordinator. All expenses are subject to sign off
>>>>>> prior to incurring the expense
>>>>>> $10k ... $100k is within the signing range of the Executive Director,
>>>>>> and would require pre-approval before incurring the expense
>>>>>> Above $100k would require Exec Dir + Board approval.
>>>>>>
>>>>>> That way, local area conference bills of $50k don't hit us without
>>>>>> forewarning, and yet we have the flexibility of allowing LAScon and AppSec
>>>>>> Cali to work without a special rule or budgetary process. The majority of
>>>>>> projectors, catering, room fees, and so on would never be huge amounts of
>>>>>> work for Foundation staff.
>>>>>>
>>>>>> I think it hits what you're trying to achieve without opening us up
>>>>>> to some serious financial problems down the track.
>>>>>>
>>>>>> thanks,
>>>>>> Andrew
>>>>>>
>>>>>> On Fri, Oct 9, 2015 at 1:20 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>> Here is the current text for proposal 6:
>>>>>>>
>>>>>>> *If a request for funding has been approved for one chapter or
>>>>>>> project, then it can be considered an acceptable expense for all chapters
>>>>>>> or projects.  If they have an account balance which covers that expense in
>>>>>>> full, then they should be considered pre-approved for spending.*
>>>>>>>
>>>>>>> *Tobias:*
>>>>>>> I agree in spirit, but I think this needs clarification and am a bit
>>>>>>> concerned about liberal interpretations of what is the same expense type.
>>>>>>> Expenses tend to not be exactly identical and I'd like to save chapter and
>>>>>>> project leads from searching the public expense lists for precedence. As
>>>>>>> one example if a flight ticket is approved for a chapter leader to attend
>>>>>>> the AppSec chapter leader workshop, that should not mean we also approve a
>>>>>>> flight ticket to Bahamas for holiday for another chapter leader.
>>>>>>> Technically both are flight expenses for chapter leaders. (I know I am
>>>>>>> splitting hairs...)
>>>>>>>
>>>>>>> Suggested revision:
>>>>>>> Proposal 6: If a request for funding has been approved for one
>>>>>>> chapter or project, then it can be considered an acceptable expense for all
>>>>>>> chapters or projects. Our operations team shall periodically (at least once
>>>>>>> every 3 months) review the list of published expenses and if new expense
>>>>>>> types come up add them to the published list of acceptable expenses. If the
>>>>>>> chapters or projects have an account balance which covers that expense in
>>>>>>> full, then they should be considered pre-approved for spending.
>>>>>>>
>>>>>>> *Josh:*
>>>>>>> I think that we need to trust people to do the right thing.  To my
>>>>>>> knowledge, we have never had a person try to request reimbursement for a
>>>>>>> trip to the Bahamas because someone got a flight paid for to AppSec.  Also,
>>>>>>> keep in mind that this is a reimbursement process so our Operations Team
>>>>>>> determines whether a request is legit.  To me, it would seem like you're
>>>>>>> putting a lot of extra work on the Ops Team with little added benefit since
>>>>>>> they are still going to have to find a way to write it up so that it will
>>>>>>> not be misinterpreted.  I think we have reasonable controls in place to
>>>>>>> prevent abuse and our liability here is minimal.  I don't see a need to
>>>>>>> revise it in this manner.
>>>>>>>
>>>>>>> *Tobias:*
>>>>>>> Well, I don't think maintaining a list of good examples is an
>>>>>>> unnecessarily heavy workload. And in the long run, searching through a long
>>>>>>> unstructured list of published expense claims will be more work load for
>>>>>>> both the staff and the community to check for good expense precedents. If
>>>>>>> we do this one time per quarter, the effort is clearly limited. If we
>>>>>>> (staff and leaders) have to review an unlimited year long list for
>>>>>>> precedent, this seems much more effort.
>>>>>>>
>>>>>>> *Josh:*
>>>>>>> In theory we are supposed to be maintaining a list of good examples
>>>>>>> already.  Some of them are listed in the Chapter and Project Leader
>>>>>>> Handbooks.  That said, they aren't anywhere close to all of the possible
>>>>>>> things one would want to spend their money on.  The idea here was simply to
>>>>>>> maintain the running list of all expenses that are approved or denied
>>>>>>> (proposal 5) and use that to drive spending.  Again, I think this comes
>>>>>>> down to a matter of trust.  We need to trust our Leaders to do the right
>>>>>>> thing.  We need to trust the staff to ensure that the reimbursement is
>>>>>>> legitimate before sending them a check.  With so many complaints about
>>>>>>> difficulties with the reimbursement process (as much as I've never seen
>>>>>>> them), we should be looking for ways to strip away the red tape, not add
>>>>>>> more of it.
>>>>>>>
>>>>>>> ~josh
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Owasp-board mailing list
>>>>>>> Owasp-board at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Jim Manico
>>> Global Board Member
>>> OWASP Foundation
>>> https://www.owasp.org
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>
>
>
>
>