[Owasp-board] Final comments requested

Andrew van der Stock vanderaj at owasp.org
Sat Apr 16 08:12:05 UTC 2016


It’s just not votable as is, and it’ll get stuck again unless it’s completely re-drafted for clarity.

I'd like to see this completely re-drafted. A lot of this information exists in this document, but it disagrees with itself several times. Let's get a bit of focus:


WHY are we setting them up, and what OWASP hopes to achieve from these SACs

WHAT are their duties
WHAT is their place in our organisation - an org chart would be awesome

WHEN will they meet
WHEN will they meet with the Board
WHEN what is the length of appointment 

WHO makes up a regional security council
HOW will they be elected or appointed

WHERE shall they meet together
WHERE will they meet with the Board

Additionally, let's use the one word consistently throughout - they are either a group, or a council. If they are a council, let's stick to that terminology. 

I think when setting up regional advisory groups like this, we need to be cognizant of our values - transparency, openness and mission. Why are we setting these things up? Who do they report to? If they have no budget, it will still cost us. There are proposals that require them to meet 4 times a year, and if that’s F2F, plus they meet with us two or four times a year (which is confusing as we don’t meet 4 times a year F2F), then basically, we’re looking at around $50-80k per year in travel costs with 4 or 5 SACs. Going from Australia to China for a F2F is an expensive air fare. Plus, China does not see Australia as part of Asia. Some of these groupings only make sense to Westerners, not to folks in these regions. I’d expect some of these groupings to fall apart once they get going.

I believe very strongly that we need these groups, but they need to have clear reporting lines - do they report to the Community manager or to us? If they report to us, that means the community manager has no sway over them, and they aren’t really then helping with community or outreach. We delegate for a reason. If they report to the Community manager, then I think a report tabled to the Community manager twice a year, who then reports to us at our Face to Face is sufficient. 

We need to have a mechanism to dissolve a SAC if it becomes dormant or dysfunctional. This is absolutely essential, again as OWASP India has shown us. 

I also think India is a big enough place that it needs its own council, especially as demonstrated recently. Almost all of the folks on the OWASP FB group come from India, and I’d conservatively put it at over 7000 based on name alone. 

I would like to see nominations put forward by us, the ops team, and the local folks, and direct elections held each year along with the Board’s elections, for five folks per SAC. 10-12 folks is far too many. It’s difficult to get reasonable consensus once you reach 4 folks, and practically impossible when 12 folks are involved. Try deciding on a bar let alone where a conference is held. I think whatever the number, it should always be an odd number of folks so that decisions can be reached.


> On 16 Apr 2016, at 13:13, Tom Brennan - OWASP <tomb at owasp.org> wrote:
> Board,
> Final comments on working doc requested Wednesday 4/20
> https://docs.google.com/a/proactiverisk.com/document/d/16y0acWfeZ_skcO27D-conivvlbSqPbAC1xTY5UfJi_4/edit?usp=docslist_api
> -- 
> Tom Brennan
> GPG ID: DC6AA149 | Fingerprint: 12A6 9978 45BB 1562 C921  B228 BD0F D9C6 DC6A A
> OWASP Foundation | www.owasp.org
> Tel:  (m) 973-506-9304
> Need to book time with me to discuss an existing or a future project click on my virtual calendar http://www.proactiverisk.com/brennan
