[Owasp-board] Final comments requested

Jim Manico jim.manico at owasp.org
Mon Apr 18 18:36:52 UTC 2016


> We already have a process under Committees 2.0 wherein these SAC's
> could be created by regional groups, but with a more well-defined scope
> and potentially budget.

I think this is a good point. No need to vote, a structure is in place,
go for it!

Aloha,
Jim

On 4/18/16 4:47 AM, Josh Sokol wrote:
> I tend to agree with Andrew about it not being votable as it is and I
> find myself asking "Why" a lot with this.  We already have a process
> under Committees 2.0 wherein these SAC's could be created by regional
> groups, but with a more well-defined scope and potentially budget. 
> This seems like forcing a structure where it doesn't currently exist
> because it's not needed or desired.  I would say that the single
> biggest reason to do this is to grow OWASP leadership throughout the
> world for better diversity and representation at the Board level. 
> Now, if that is the goal here, there should be an open call following
> the Committees 2.0 model, rather than an appointment to a post.  My
> suggestion, instead, is to put out a formal recommendation that
> regions establish their own councils under the Committees 2.0
> framework.  Let them determine their boundaries based on level of
> interest, geo-politics, etc.  Come up with a potential scope based on
> this document, but allow them to modify or append to it as desired. 
> Tom, you're the one who always says that we should be managing to
> policy.  We have a policy around how these groups should be created. 
> Let's follow that.  This is just a matter of encouraging people to
> utilize that policy to accomplish a bigger-picture objective by the Board.
>
> ~josh
>
> On Sat, Apr 16, 2016 at 3:12 AM, Andrew van der Stock
> <vanderaj at owasp.org> wrote:
>
>     Tom
>
>     It’s just not votable as is, and it’ll get stuck again unless it’s
>     completely re-drafted for clarity.
>
>     I'd like to see this completely re-drafted. A lot of this
>     information exists in this document, but it disagrees with itself
>     several times. Let's get a bit of focus  
>
>     WHAT WHY WHEN WHO WHERE
>
>     WHY are we setting them up, and what OWASP hopes to achieve from
>     these SACs
>
>     WHAT are their duties
>     WHAT is their place in our organisation - an org chart would be
>     awesome
>
>     WHEN will they meet
>     WHEN will they meet with the Board
>     WHEN what is the length of appointment 
>
>     WHO makes up a regional security council
>     HOW will they be elected or appointed
>
>     WHERE shall they meet together
>     WHERE will they meet with the Board
>
>     Additionally, let's use the one word consistently throughout -
>     they are either a group, or a council. If they are a council,
>     let's stick to that terminology. 
>
>     I think when setting up regional advisory groups like this, we
>     need to be cognizant of our values - transparency, openness and
>     mission. Why are we setting these things up? Who do they report
>     to? If they have no budget, it will still cost us. There are
>     proposals that require them to meet 4 times a year, and if that’s
>     F2F, plus they meet with us two or four times a year (which is
>     confusing as we don’t meet 4 times a year F2F), then basically,
>     we’re looking at around $50-80k per year in travel costs with 4 or
>     5 SACs. Going from Australia to China for a F2F is an expensive
>     air fare. Plus, China does not see Australia as part of Asia. Some
>     of these groupings only make sense to Westerners, not to folks in
>     these regions. I’d expect some of these groupings to fall apart
>     once they get going. 
>
>     I believe very strongly that we need these groups, but they need
>     to have clear reporting lines - do they report to the Community
>     manager or to us? If they report to us, that means the community
>     manager has no sway over them, and they aren’t really then helping
>     with community or outreach. We delegate for a reason. If they
>     report to the Community manager, then I think a report tabled to
>     the Community manager twice a year, who then reports to us at our
>     Face to Face is sufficient. 
>
>     We need to have a mechanism to dissolve a SAC if it becomes
>     dormant or dysfunctional. This is absolutely essential, again as
>     OWASP India has shown us. 
>
>     I also think India is a big enough place that it needs its own
>     council, especially as demonstrated recently. Almost all of the
>     folks on the OWASP FB group come from India, and I’d
>     conservatively put it at over 7000 based on name alone. 
>
>     I would like to see nominations put forward by us, the ops team,
>     and the local folks, and direct elections held each year along
>     with the Board’s elections, for five folks per SAC. 10-12 folks is
>     far too many. It’s difficult to get reasonable consensus once you
>     reach 4 folks, and practically impossible when 12 folks are
>     involved. Try deciding on a bar let alone where a conference is
>     held. I think whatever the number, it should always be an odd
>     number of folks so that decisions can be reached.
>
>     thanks
>     Andrew
>
>
>
>>     On 16 Apr 2016, at 13:13, Tom Brennan - OWASP <tomb at owasp.org> wrote:
>>
>>     Board,
>>
>>     Final comments on working doc requested Wednesday 4/20
>>
>>     https://docs.google.com/a/proactiverisk.com/document/d/16y0acWfeZ_skcO27D-conivvlbSqPbAC1xTY5UfJi_4/edit?usp=docslist_api
>>
>>
>>     -- 
>>     Tom Brennan
>>     GPG ID: DC6AA149 | Fingerprint: 12A6 9978 45BB 1562 C921  B228
>>     BD0F D9C6 DC6A A
>>
>>     OWASP Foundation | www.owasp.org
>>     Tel:  (m) 973-506-9304
>>
>>     _______________________________________________
>>     Owasp-board mailing list
>>     Owasp-board at lists.owasp.org
>>     https://lists.owasp.org/mailman/listinfo/owasp-board
>
