<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    > We already have a process under Committees 2.0 wherein these
    SAC's could be created by regional groups, but with a more
    well-defined scope and potentially budget. <br>
    <br>
    I think this is a good point. No need to vote, a structure in in
    place, go for it!<br>
    <br>
    Aloha,<br>
    Jim<br>
    <br>
    <div class="moz-cite-prefix">On 4/18/16 4:47 AM, Josh Sokol wrote:<br>
    </div>
    <blockquote
cite="mid:CAFwvDeySUco4eYNGQhaR7+TJTpJTcNDzSWjwiFq2oMA1mmfmfQ@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>I tend to agree with Andrew about it not being votable as
          it is and I find myself asking "Why" a lot with this.† We
          already have a process under Committees 2.0 wherein these
          SAC's could be created by regional groups, but with a more
          well-defined scope and potentially budget.† This seems like
          forcing a structure where it doesn't currently exist because
          it's not needed or desired.† I would say that the single
          biggest reason to do this is to grow OWASP leadership
          throughout the world for better diversity and representation
          at the Board level.† Now, if that is the goal here, there
          should be an open call following the Committees 2.0 model,
          rather than an appointment to a post.† My suggestion, instead,
          is to put out a formal recommendation that regions establish
          their own council's under the Committees 2.0 framework.† Let
          them determine their boundaries based on level of interest,
          geo-politics, etc.† Come up with a potential scope based on
          this document, but allow them to modify or append to it as
          desired.† Tom, you're the one who always says that we should
          be managing to policy.† We have a policy around how these
          groups should be created.† Let's follow that.† This is just a
          matter of encouraging people to utilize that policy to
          accomplish a bigger-picture objective by the Board.<br>
          <br>
        </div>
        ~josh<br>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Sat, Apr 16, 2016 at 3:12 AM, Andrew
          van der Stock <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:vanderaj@owasp.org" target="_blank">vanderaj@owasp.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div style="word-wrap:break-word">Tom
              <div><br>
              </div>
              <div>Itís just not votable as is, and itíll get stuck
                again unless itís completely re-drafted for clarity.</div>
              <div><br>
              </div>
              <div>
                <div>I'd like to see this completely re-drafted. A lot
                  of this information exists in this document, but it
                  disagrees with itself several times. Let's get a bit
                  of focus †</div>
                <div><br>
                </div>
                <div>WHAT WHY WHEN WHO WHERE</div>
                <div><br>
                </div>
                <div>WHY are we setting them up, and what OWASP hopes to
                  achieve from these SACs</div>
                <div><br>
                </div>
                <div>WHAT are their duties</div>
                <div>WHAT is their place in our organisation - an org
                  chart would be awesome</div>
                <div><br>
                </div>
                <div>WHEN will they meet</div>
                <div>WHEN will they meet with the Board</div>
                <div>WHEN what is the length of appointment†</div>
                <div><br>
                </div>
                <div>WHO makes up a regional security council</div>
                <div>HOW will they be elected or appointed</div>
                <div><br>
                </div>
                <div>WHERE shall they meet together</div>
                <div>WHERE will they meet with the Board</div>
                <div><br>
                </div>
                <div>Additionally, let's use the one word consistently
                  throughout - they are either a group, or a council. If
                  they are a council, let's stick to that terminology.†</div>
              </div>
              <div><br>
              </div>
              <div>I think when setting up regional advisory groups like
                this, we need to cognizant of our values - transparency,
                openness and mission. Why are we setting these things
                up? Who do they report to? If they have no budget, it
                will still cost us. There are proposals that require
                them to meet 4 times a year, and if thatís F2F, plus
                they meet with us two or four times a year (which is
                confusing as we donít meet 4 times a year F2F), then
                basically, weíre looking at around $50-80k per year in
                travel costs with 4 or 5 SACs. Going from Australia to
                China for a F2F is an expensive air fare. Plus, China
                does not see Australia as part of Asia. Some of these
                groupings only makes sense to Westerners, not to folks
                in these regions. Iíd expect some of these groupings to
                fall apart once they get going.†</div>
              <div><br>
              </div>
              <div>I believe very strongly that we need these groups,
                but they need to have clear reporting lines - do they
                report to the Community manager or to us? If they report
                to us, that means the community manager has no sway over
                them, and they arenít really then helping with community
                or outreach. We delegate for a reason. If they report to
                the Community manager, then I think a report tabled to
                the Community manager twice a year, who then reports to
                us at our Face to Face is sufficient.†</div>
              <div><br>
              </div>
              <div>We need to have a mechanism to dissolve a SAC if it
                becomes dormant or dysfunctional. This is absolutely
                essential, again as OWASP India has shown us.†</div>
              <div><br>
              </div>
              <div>I also think India is a big enough place that it
                needs its own council, especially as demonstrated
                recently. Almost all of the folks on the OWASP FB group
                come from India, and Iíd conservatively put it at over
                7000 based on name alone.†</div>
              <div><br>
              </div>
              <div>I would like to see nominations put forward by us,
                the ops team, and the local folks, and direct elections
                held each year along with the Boardís elections, for
                five folks per SAC. 10-12 folks is far too many. Itís
                difficult to get reasonable consensus once you reach 4
                folks, and practically impossible when 12 folks are
                involved. Try deciding on a bar let alone where a
                conference is held. I think whatever the number, it
                should always be an odd number of folks so that
                †decisions can be reached.†</div>
              <div><br>
              </div>
              <div>thanks</div>
              <div>Andrew</div>
              <div><br>
              </div>
              <div><br>
              </div>
              <div><br>
                <div>
                  <blockquote type="cite">
                    <div>
                      <div class="h5">
                        <div>On 16 Apr 2016, at 13:13, Tom Brennan -
                          OWASP <<a moz-do-not-send="true"
                            href="mailto:tomb@owasp.org" target="_blank">tomb@owasp.org</a>>
                          wrote:</div>
                        <br>
                      </div>
                    </div>
                    <div>
                      <div>
                        <div class="h5">Board,
                          <div><br>
                          </div>
                          <div>Final comments on working doc requested
                            Wednesday 4/20</div>
                          <div><br>
                          </div>
                          <div>
                            <div><a moz-do-not-send="true"
href="https://docs.google.com/a/proactiverisk.com/document/d/16y0acWfeZ_skcO27D-conivvlbSqPbAC1xTY5UfJi_4/edit?usp=docslist_api"
                                target="_blank">https://docs.google.com/a/proactiverisk.com/document/d/16y0acWfeZ_skcO27D-conivvlbSqPbAC1xTY5UfJi_4/edit?usp=docslist_api</a><br>
                            </div>
                          </div>
                          <br>
                          <br>
                          -- <br>
                          <div dir="ltr">
                            <div>
                              <div dir="ltr">
                                <div>
                                  <div style="font-size:small">Tom
                                    Brennan<br>
                                  </div>
                                  <div style="font-size:small"><span
                                      style="font-size:12.8px">GPG ID:
                                      DC6AA149 | Fingerprint: 12A6 9978
                                      45BB 1562 C921 †B228 BD0F D9C6
                                      DC6A A</span><br>
                                  </div>
                                  <div style="font-size:small"><span
                                      style="font-size:12.8px"><br>
                                    </span></div>
                                  <div style="font-size:small"><span
                                      style="font-size:12.8px">OWASP
                                      Foundation | <a
                                        moz-do-not-send="true"
                                        href="http://www.owasp.org/"
                                        target="_blank"><a class="moz-txt-link-abbreviated" href="http://www.owasp.org">www.owasp.org</a></a></span></div>
                                  <div style="font-size:small">Tel:
                                    †(m)†<a moz-do-not-send="true"
                                      href="tel:973-506-9304"
                                      value="+19735069304"
                                      target="_blank">973-506-9304</a></div>
                                  <br style="font-size:12.8px">
                                  <span style="font-size:12.8px">Need to
                                    book time with me to discuss an
                                    existing or a future project click
                                    on my virtual calendar†</span><span
                                    style="font-size:12.8px"><a
                                      moz-do-not-send="true"
                                      href="http://www.proactiverisk.com/brennan"
                                      style="font-size:12.8px"
                                      target="_blank"><a class="moz-txt-link-freetext" href="http://www.proactiverisk.com/brennan">http://www.proactiverisk.com/brennan</a></a></span><br>
                                </div>
                              </div>
                            </div>
                          </div>
                          <br>
                          <br>
                        </div>
                      </div>
                      <font style="background-color:white"
                        color="#808080" size="2"><span
                          style="font-family:'times new roman'">The
                          information contained in this message and any
                          attachments may be privileged, confidential,
                          proprietary or otherwise protected from
                          disclosure. If you, the reader of this
                          message, are not the intended recipient, you
                          are hereby notified that any dissemination,
                          distribution, copying or use of this message
                          and any attachment is strictly prohibited. If
                          you have received this message in error,
                          please notify the sender immediately by
                          replying to the message, permanently delete it
                          from your computer and destroy any printout.</span></font>_______________________________________________<br>
                      Owasp-board mailing list<br>
                      <a moz-do-not-send="true"
                        href="mailto:Owasp-board@lists.owasp.org"
                        target="_blank">Owasp-board@lists.owasp.org</a><br>
                      <a moz-do-not-send="true"
                        href="https://lists.owasp.org/mailman/listinfo/owasp-board"
                        target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-board</a><br>
                    </div>
                  </blockquote>
                </div>
                <br>
              </div>
            </div>
            <br>
            _______________________________________________<br>
            Owasp-board mailing list<br>
            <a moz-do-not-send="true"
              href="mailto:Owasp-board@lists.owasp.org">Owasp-board@lists.owasp.org</a><br>
            <a moz-do-not-send="true"
              href="https://lists.owasp.org/mailman/listinfo/owasp-board"
              rel="noreferrer" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-board</a><br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Owasp-board mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Owasp-board@lists.owasp.org">Owasp-board@lists.owasp.org</a>
<a class="moz-txt-link-freetext" href="https://lists.owasp.org/mailman/listinfo/owasp-board">https://lists.owasp.org/mailman/listinfo/owasp-board</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>