[Owasp-leaders] email SOPs when employees are leaving OWASP (was: Re: My expectation is that nobody is reading my @owasp.org emails)
tobias.gondrom at owasp.org
Tue Jul 1 16:59:41 UTC 2014
On 01/07/14 16:59, Josh Sokol wrote:
> Regarding specifically what Dennis requested with respect to
> Samantha's @owasp.org <http://owasp.org> e-mail account, policies
> indicate that these e-mail accounts are a privilege for OWASP members
> <https://www.owasp.org/index.php/Individual_Member>, leaders
> and staff. Samantha is not a member;
> she does not currently lead a project, chapter, or other OWASP
> initiative, and she resigned as a member of our staff. Are we
> suggesting that we should make Samantha an exception to our policies?
> I am personally open to this, given her past service to our community,
> but we should be clear that this is not a right, but rather, something
> nice that we'd do to honor her contributions. And, of course, it
> would be pending a volunteer effort to address the access control
> issues that were previously identified.
Honestly, I don't see the point.
Removing email access and setting an auto-responder is common best practice
in most companies. And in this case it was definitely necessary to avoid
project leaders' email requests being lost, delayed, not acted on
or misdirected, and to maintain confidentiality of data. And btw, this best
practice is common, irrespective of what great deeds an employee has
done for the organisation during their tenure.
Samantha is not a member. She does not currently lead a project,
chapter, or other OWASP initiative, and she resigned as a member of our
staff. Therefore I do not see why she should be supplied with an OWASP
Maybe the reason for Dennis to request such an exception could be because
Samantha is his wife.
But IMHO nepotism is not a good reason for an organisation to grant
exceptions. And I am very much against that.
On a technical solution basis, I definitely agree that we should look
into moving to a more role-based approach (aka e.g.
"project-manager at owasp.org") and possibly combine that with groups.
Please note that our ops team has already made efforts in this direction
by establishing the "Contact Us" form (which is linked with a ticketing
system) as the primary interface.
Having said that, for the time being, until we have figured out all
mis-communication and data confidentiality questions, the default
solution should follow standard best practices:
1. at end of employment, remove email and system access and set the
ex-employee's email to auto-respond.
2. if the ex-employee is also a member or wants to become a new member,
we can provide a new email account with a slightly different name. (yes,
that is slightly inconvenient for the ex-employee, however necessary to
ensure that no requests or confidential data are being misdirected to
his/her email account under the false assumption that the person would
still be working for OWASP.)
Best regards, Tobias