[Owasp-board] Discussion on Proposal 6

Andrew van der Stock vanderaj at owasp.org
Wed Oct 14 13:35:28 UTC 2015


This is all too hard. Let's work with OWASP's expense management software,
which regardless of the product, 99.99% built upon the idea of submitting
receipts, which are vetted above a certain dollar value, and subsequently
repaid. Creating additional burdens on foundation staff, whilst not adding
anything to expense management governance of what would be considered
"petty cash" funds or expense claims just over complicates things.

Expenses are extremely well understood by every business out there. We just
don't need to make this any more complicated than a basic system with
sufficient checks and balances on bigger ticket items.

My concern is that the wording here means that anything anyone manages to get
through the expense reimbursement process automatically opens the flood
gates, with no barriers to the number of claims or upper limits on the
dollar value. That's terrible governance, and will lead to us or the
Foundation Staff saying no in case they create precedent. We don't want
automatic "no", we want good governance over money that's currently sitting
idle. We can achieve the goal of moving money out of OWASP and into
chapters and projects and outreach, whilst not creating a huge financial
risk for us.

I think we need to have another go at this. My vote as it stands would be
"no", even though we are aiming in exactly the same direction.

thanks,
Andrew

On Wed, Oct 14, 2015 at 11:20 AM, Josh Sokol <josh.sokol at owasp.org> wrote:

> Tobias,
>
> The fact that we are trying to keep an active list in a policy document
> (the handbooks) to begin with is the problem.  This is a horrible process.
> The handbooks should refer to a wiki page or other document that can be
> dynamically updated as new expenses are approved.  We should not generate a
> new copy of the handbooks.  That is ridiculous.
>
> I guess I'm not sure how this structure is unclear or confusing.  Keep a
> running list of expenses in a page that is publicly accessible.  By nature
> of being text in a browser it is automatically searchable.  That seems
> stupid simple to me.  Way easier than trying to review expenses on a
> regular basis and add them to a policy document.
>
> In any case, if you don't have a proposal for a change in text, then I
> will go ahead and motion for a vote and see where we are at.
>
> ~josh
> On Oct 13, 2015 5:12 PM, "Tobias Gondrom" <tgondrom at gmx.net> wrote:
>
>> Josh,
>>
>> Let's fix the problem instead of creating a new list, just because the
>> old one was not totally up to date. Especially as we have not even really
>> tried hard to update the existing list and keep it maintained. So I would
>> rather fix the problem you mention, aka "update the list", than to make a
>> more complicated construct with letting people parse and search through a
>> long unstructured list.
>>
>> This will equally achieve the same objective, which I agree is important.
>> Just with clearer structure and less searching and confusion.
>>
>> Best regards, Tobias
>>
>>
>> On 13/10/15 21:10, Josh Sokol wrote:
>>
>> All,
>>
>> Take a look at the list of what is allowed in the project or chapter
>> handbook.  Then consider all of the things that chapters and projects spend
>> their money on today.  These lists are not kept up-to-date with what is
>> appropriate.  It's not a problem in-and-of-itself as Paul et al are usually
>> pretty quick to approve, but we have heard from a number of members of our
>> community that it is NOT CLEAR WHAT they can spend their money on.  Think
>> of the current approach as an Access Control List where we have a default
>> deny and a very short list of what is allowed through.  It's secure, but
>> the usability is challenging.  This proposal allows us to dynamically
>> expand that ACL based on what others in the organization are doing.  Stuff
>> not in the list requires approval from Ops, just as it does today, but with
>> the knowledge that approval is an explicit approval for anyone to do it.
>> We should have no situation at OWASP where something is OK for one chapter
>> or project and not OK for another.  If you can think of one, please let me
>> know and prove me wrong.  Liability is limited to 1) The amount in a
>> chapter or project account (ie. they are spending "their" money) and 2)
>> What has already been approved for someone else.  This is VERY LOW RISK and
>> VERY HIGH REWARD because it gets money moving.  If you want to propose
>> revised language to fine-tune it, please do so, but this is very much
>> necessary to get people spending.
>>
>> ~josh
>>
>> On Tue, Oct 13, 2015 at 11:45 AM, Paul Ritchie <paul.ritchie at owasp.org>
>> wrote:
>>
>>> To Foundation Board list.
>>>
>>> *On this proposal #6, and the red-tape issue, or excessive effort for
>>> Operations:*
>>>
>>> On approving and paying reimbursements, we really don't have much
>>> red-tape... when the expense is fully covered within the Chapter or Project
>>> budget.
>>> We Ask:  Does the Project/Chapt have the budget?    Does the expense fit
>>> the guidelines in the Handbook?   IF yes, the reimbursement is paid, no
>>> problem.
>>>
>>> *On Maintaining a list*
>>> From an operations point, I'd like to keep the Project & Chapter
>>> Handbooks updated as the source of the spending guidelines & policy
>>> statements. Those are our "manuals" and I'd like to reinforce all community
>>> members to look there first.  The current lists could be updated by Noreen
>>> & Claudia.
>>>
>>> For new listing, it is probably smart to add a list or table of
>>> 'approved & supported' expenses to the wiki pages for Funding, Projects &
>>> Chapters.   My belief here is that it is the 'same info' as found in the
>>> Handbook, it's just immediately visible on the main page of the Project or
>>> Chapter wiki pages.
>>> Yes, some medium amount of work to create & update this list, but it's
>>> mostly a one-time effort.
>>>
>>> *The only Caution:*
>>>
>>> We have seen a couple projects or chapters ask for hardware, or
>>> cloud-based software services.  My Caution is that before we just
>>> auto-approve an expense for this category of 'stuff' we ask if the Chapter
>>> or Project need can be solved with existing Foundation
>>> Infrastructure... or the infrastructure already owned or rented by other
>>> Chapters.
>>>
>>> Just trying to minimize redundancy on this topic.   Plus, ownership is a
>>> red-tape issue here as the Foundation is the only one who has been signing
>>> contracts and agreements for hardware & software.
>>>
>>> Paul
>>>
>>>
>>>
>>>
>>> Best Regards, Paul Ritchie
>>> OWASP Executive Director
>>> paul.ritchie at owasp.org
>>>
>>>
>>> On Tue, Oct 13, 2015 at 2:43 AM, Jim Manico <jim.manico at owasp.org>
>>> wrote:
>>>
>>>> Been thinking about this, I think you're right Fabio and Tobias.
>>>> Perhaps make this bill more general and let operations figure out the "how"?
>>>>
>>>> It doesn't look like this will pass as is.
>>>>
>>>> --
>>>> Jim Manico
>>>> Global Board Member
>>>> OWASP Foundation
>>>> https://www.owasp.org
>>>> Join me in Rome for AppSecEU 2016!
>>>>
>>>> On Oct 13, 2015, at 11:35 AM, Fabio Cerullo <fcerullo at owasp.org> wrote:
>>>>
>>>> I share Tobias' concerns on this one. A populated list maintained by the
>>>> Foundation might be a better approach IMHO.
>>>>
>>>> Fabio Cerullo
>>>> Global Board Member
>>>> OWASP Foundation
>>>> https://www.owasp.org
>>>>
>>>> On 13 Oct 2015, at 6:27 a.m., Jim Manico <jim.manico at owasp.org> wrote:
>>>>
>>>>
>>>> 1. Sorry for re-iterating my point from before, but I do think this
>>>> will create more effort, compared to a list of pre-approved items. I think
>>>> a list of pre-approved items will be less "red-tape" than to make everyone
>>>> go through the list of published precedents and then let us find out
>>>> whether they are the "same".
>>>>
>>>> All that this "bill" is saying is: Keep a list of pre-approved items
>>>> and add to it over time as new items get approved. I do not see this as
>>>> adding more work over time and the effort should lessen as fewer new item
>>>> categories get approved over time.
>>>>
>>>>
>>>> 2. I would also like to point out that the current proposal text does not
>>>> speak of the "exact same thing in the past" as Josh used in his
>>>> explanation. The current proposal text is broader and may result in us
>>>> discussing what is the "same" from the precedents.
>>>>
>>>> Let me be clear, I am not against the spirit of the approach, only I
>>>> have doubts about this specific implementation route. Overall, I really
>>>> think the consolidated (updated) list of acceptable expenses is the best
>>>> approach. As I mentioned, it is a good idea to populate and update this
>>>> list based on previous published expenses, but I really prefer the
>>>> consolidated list to be the reference point, not an unsorted list of all
>>>> expenses from the past (that potentially lacks context information and what
>>>> not).
>>>>
>>>> Fair concerns, this is the right time to be discussing...
>>>>
>>>>
>>>> Best regards, Tobias
>>>>
>>>>
>>>>
>>>>
>>>> On 13/10/15 06:33, Jim Manico wrote:
>>>>
>>>> Do you see this "bill" causing harm to the foundation in some way? I do
>>>> not. I see this as facilitating efficiency, primarily, which is a good thing.
>>>>
>>>> --
>>>> Jim Manico
>>>> Global Board Member
>>>> OWASP Foundation
>>>> https://www.owasp.org
>>>> Join me in Rome for AppSecEU 2016!
>>>>
>>>> On Oct 13, 2015, at 6:22 AM, Matt Konda <matt.konda at owasp.org> wrote:
>>>>
>>>> Right.
>>>>
>>>> Do we spend a lot of time with red tape currently?
>>>>
>>>> Matt
>>>>
>>>>
>>>> On Mon, Oct 12, 2015 at 10:59 PM, Jim Manico <jim.manico at owasp.org>
>>>> wrote:
>>>>
>>>>> The motivation here is efficiency, removal of red tape and
>>>>> encouragement to spend for the mission. Once an expense type is approved
>>>>> the goal of this "bill" is to have that expense type auto-approved.
>>>>>
>>>>> --
>>>>> Jim Manico
>>>>> Global Board Member
>>>>> OWASP Foundation
>>>>> https://www.owasp.org
>>>>> Join me in Rome for AppSecEU 2016!
>>>>>
>>>>> On Oct 13, 2015, at 4:26 AM, Matt Konda <matt.konda at owasp.org> wrote:
>>>>>
>>>>> I'm still considering #6 as are all but Josh and Jim based on this
>>>>> discussion thread.
>>>>>
>>>>> I am supportive of the idea behind it and would vote yes if it came to
>>>>> a head.
>>>>>
>>>>> Honestly, I don't think it is risky but I don't think I grasp the
>>>>> motivation - perhaps Josh and/or Paul could elaborate on how this might
>>>>> help the Foundation.
>>>>>
>>>>> Matt
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Oct 9, 2015 at 4:18 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>> wrote:
>>>>>
>>>>>> Andrew,
>>>>>>
>>>>>> I definitely hear you, but we have rules in place to even prevent
>>>>>> that.  For example Section 4.10 of the Chapter Leader Handbook
>>>>>> <https://www.owasp.org/index.php/Chapter_Handbook/Chapter_4:_Chapter_Administration#.28Signing.29_Contracts>
>>>>>>  says that "Chapter leaders are not authorized to sign contracts or
>>>>>> enter into any legal agreements on behalf of the OWASP Foundation".  You
>>>>>> will not have any sort of a $50k venue guarantee for services without a
>>>>>> signed contract.  This is the control that prevents abuse in that specific
>>>>>> situation.  There are many others.
>>>>>>
>>>>>> Also, keep in mind that they are authorized only so long as "*they
>>>>>> have an account balance which covers that expense in full*".  So, if
>>>>>> a Chapter or Project has $50k in their account, and wants to spend it on a
>>>>>> venue for a conference, why should we stand in their way or require
>>>>>> additional approvals if others have done the exact same thing in the past?
>>>>>> The limiting factor here is their account balance and we need to empower
>>>>>> them to spend it how they desire as long as it is in adherence with the
>>>>>> OWASP mission.
>>>>>>
>>>>>> Tobias: This has not been motioned or seconded yet.  I put it out
>>>>>> there for discussion first, since there was not a general consensus on it.
>>>>>>
>>>>>> ~josh
>>>>>>
>>>>>> On Fri, Oct 9, 2015 at 3:49 PM, Tobias <tobias.gondrom at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>>> As our mailing-list got a bit swamped, this might have got lost in
>>>>>>> the hundred voting emails, do we have any further discussion elements on
>>>>>>> this one?
>>>>>>> And if people would like to vote on this, can they please confirm that they
>>>>>>> have at least acknowledged this discussion when casting their vote?
>>>>>>> Thanks, Tobias
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 09/10/15 14:17, Andrew van der Stock wrote:
>>>>>>>
>>>>>>> I am really keen to reduce the amount of bureaucracy involved in
>>>>>>> expense management, but this is a really well trodden path in every single
>>>>>>> SME to major enterprise.
>>>>>>>
>>>>>>> My main concern is no upper bounds on pre-approved expenses. This
>>>>>>> means that a local chapter that managed to get an approval for a $50k
>>>>>>> conference centre fee, say AppSec AU in 2011, would mean that all chapters
>>>>>>> would be automatically allowed to claim that expense too. I want to enable
>>>>>>> that, whilst not allowing us to be hit with hundreds of large conferences
>>>>>>> being organised throughout the year. We simply don't have the staff
>>>>>>> bandwidth nor the funds to do that today.
>>>>>>>
>>>>>>> Typical financial governance is pre-approval for expenses under a
>>>>>>> certain dollar value, and a single sign off within the Foundation approval
>>>>>>> for expenses between say the cut off and say a $10k limit, and senior
>>>>>>> management approval above $10k. In my view, we can hit the home run we all
>>>>>>> are looking for, whilst still maintaining good financial governance over
>>>>>>> major expenses whilst not ruling out ANY type of expense that a chapter
>>>>>>> might be able to come up with.
>>>>>>>
>>>>>>> My view is that we go through all the paid out expenses over the
>>>>>>> last two years, and work out some limits. We can tummy tussle over the
>>>>>>> exact limits, but I feel the following would be a good start:
>>>>>>>
>>>>>>> $0 - $1500 should cover nearly all expenses paid to date along with
>>>>>>> the above proposal's list of pre-approved expenses
>>>>>>> $1500 to $10k should be an approval level granted to a project
>>>>>>> coordinator or chapters coordinator. All expenses are subject to sign off
>>>>>>> prior to incurring the expense
>>>>>>> $10k ... $100k is within the signing range of the Executive
>>>>>>> Director, and would require pre-approval before incurring the expense
>>>>>>> Above $100k would require Exec Dir + Board approval.
>>>>>>>
>>>>>>> That way, local area conference bills of $50k don't hit us without
>>>>>>> forewarning, and yet we have the flexibility of allowing LAScon and AppSec
>>>>>>> Cali to work without a special rule or budgetary process. The majority of
>>>>>>> projectors, catering, room fees, and so on would never be huge amounts of
>>>>>>> work for Foundation staff.
>>>>>>>
>>>>>>> I think it hits what you're trying to achieve without opening us up
>>>>>>> to some serious financial problems down the track.
>>>>>>>
>>>>>>> thanks,
>>>>>>> Andrew
>>>>>>>
>>>>>>> On Fri, Oct 9, 2015 at 1:20 PM, Josh Sokol <josh.sokol at owasp.org>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Here is the current text for proposal 6:
>>>>>>>>
>>>>>>>> *If a request for funding has been approved for one chapter or
>>>>>>>> project, then it can be considered an acceptable expense for all chapters
>>>>>>>> or projects.  If they have an account balance which covers that expense in
>>>>>>>> full, then they should be considered pre-approved for spending.*
>>>>>>>>
>>>>>>>> *Tobias:*
>>>>>>>> I agree in spirit, but I think this needs clarification and am a
>>>>>>>> bit concerned about liberal interpretations of what is the same expense
>>>>>>>> type. Expenses tend to not be exactly identical and I'd like to save chapter
>>>>>>>> and project leads from searching the public expense lists for precedence.
>>>>>>>> As one example if a flight ticket is approved for a chapter leader to
>>>>>>>> attend the AppSec chapter leader workshop, that should not mean we also
>>>>>>>> approve a flight ticket to Bahamas for holiday for another chapter leader.
>>>>>>>> Technically both are flight expenses for chapter leaders. (I know I am
>>>>>>>> splitting hairs...)
>>>>>>>>
>>>>>>>> Suggested revision:
>>>>>>>> Proposal 6: If a request for funding has been approved for one
>>>>>>>> chapter or project, then it can be considered an acceptable expense for all
>>>>>>>> chapters or projects. Our operations team shall periodically (at least once
>>>>>>>> every 3 months) review the list of published expenses and if new expense
>>>>>>>> types come up add them to the published list of acceptable expenses. If the
>>>>>>>> chapters or projects have an account balance which covers that expense in
>>>>>>>> full, then they should be considered pre-approved for spending.
>>>>>>>>
>>>>>>>> *Josh:*
>>>>>>>> I think that we need to trust people to do the right thing.  To my
>>>>>>>> knowledge, we have never had a person try to request reimbursement for a
>>>>>>>> trip to the Bahamas because someone got a flight paid for to AppSec.  Also,
>>>>>>>> keep in mind that this is a reimbursement process so our Operations Team
>>>>>>>> determines whether a request is legit.  To me, it would seem like you're
>>>>>>>> putting a lot of extra work on the Ops Team with little added benefit since
>>>>>>>> they are still going to have to find a way to write it up so that it will
>>>>>>>> not be misinterpreted.  I think we have reasonable controls in place to
>>>>>>>> prevent abuse and our liability here is minimal.  I don't see a need to
>>>>>>>> revise it in this manner.
>>>>>>>>
>>>>>>>> *Tobias:*
>>>>>>>> Well, I don't think to maintain a list of good examples is
>>>>>>>> unnecessarily heavy workload. And in the long run, searching through a long
>>>>>>>> unstructured list of published expense claims will be more work load for
>>>>>>>> both the staff and the community to check for good expense precedents. If
>>>>>>>> we do this one time per quarter, the effort is clearly limited. If we
>>>>>>>> (staff and leaders) have to review an unlimited year long list for
>>>>>>>> precedent, this seems much more effort.
>>>>>>>>
>>>>>>>> *Josh:*
>>>>>>>> In theory we are supposed to be maintaining a list of good examples
>>>>>>>> already.  Some of them are listed in the Chapter and Project Leader
>>>>>>>> Handbooks.  That said, they aren't anywhere close to all of the possible
>>>>>>>> things one would want to spend their money on.  The idea here was simply to
>>>>>>>> maintain the running list of all expenses that are approved or denied
>>>>>>>> (proposal 5) and use that to drive spending.  Again, I think this comes
>>>>>>>> down to a matter of trust.  We need to trust our Leaders to do the right
>>>>>>>> thing.  We need to trust the staff to ensure that the reimbursement is
>>>>>>>> legitimate before sending them a check.  With so many complaints about
>>>>>>>> difficulties with the reimbursement process (as much as I've never seen
>>>>>>>> them), we should be looking for ways to strip away the red tape, not add
>>>>>>>> more of it.
>>>>>>>>
>>>>>>>> ~josh
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Owasp-board mailing list
>>>>>>>> Owasp-board at lists.owasp.org
>>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-board
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Jim Manico
>>>> Global Board Member
>>>> OWASP Foundation
>>>> https://www.owasp.org
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>