[Owasp-leaders] email SOPs when employees are leaving OWASP (was: Re: My expectation is that nobody is reading my @owasp.org emails)

Timur 'x' Khrotko (owasp) timur at owasp.org
Tue Jul 1 17:59:21 UTC 2014


Then probably the privileged accounts are to be signified as such:
tobias.gondrom at board.owasp.org

Gapps provides so-called suborganizations. You will then have two accounts,
one as OWASP member and one for your director role. Setting this up as
alias in your Gmail client is easy. Sensitive documents will be shared with
your director account then.

Semantics is important in security, isn't it ,)
On Jul 1, 2014 7:00 PM, "Tobias" <tobias.gondrom at owasp.org> wrote:

>
> On 01/07/14 16:59, Josh Sokol wrote:
>
>
>  Regarding specifically what Dennis requested with respect to Samantha's
> @owasp.org e-mail account, policies indicate that these e-mail accounts
> are a privilege for OWASP members
> <https://www.owasp.org/index.php/Individual_Member>, leaders
> <https://www.owasp.org/index.php/Chapter_Handbook/Chapter_4:_Chapter_Administration#Owasp.org_Email_Accounts>,
> and staff.  Samantha is not a member
> <https://docs.google.com/a/owasp.org/spreadsheet/ccc?key=0Ag5ZloRZ0SmjdEhnSDBEVVd0cVctb3d6c1RFUkJOeXc&hl=en#gid=1>,
> she does not currently lead a project, chapter, or other OWASP initiative,
> and she resigned as a member of our staff.  Are we suggesting that we
> should make Samantha an exception to our policies?  I am personally open to
> this, given her past service to our community, but we should be clear that
> this is not a right, but rather, something nice that we'd do to honor her
> contributions.  And, of course, it would be pending a volunteer effort to
> address the access control issues that were previously identified.
>
>
> Honestly, I don't see the point.
>
> To remove email access and set an auto-responder is common best practice
> in most companies. And in this case it was definitely necessary to avoid
> project leaders' email requests being lost, delayed, not acted on or
> misdirected and to maintain confidentiality of data. And btw. this best
> practice is common, irrespective of what great deeds an employee has done
> for the organisation during their tenure.
>
> Samantha is not a member. She does not currently lead a project, chapter,
> or other OWASP initiative, and she resigned as a member of our staff.
> Therefore I do not see why she should be supplied with an OWASP email
> address?
>
> Maybe the reason for Dennis to request such an exception could be because
> Samantha is his wife.
> But IMHO nepotism is not a good reason for an organisation to grant
> exceptions. And I am very much against that.
>
>
>
> On a technical solution basis, I definitely agree that we should look into
> moving to a more role-based approach (aka e.g. "project-manager at owasp.org")
> and possibly combine that with groups.
> Please note that our ops team has already made efforts in this direction by
> establishing the "Contact Us" form (which is linked with a ticketing
> system) as the primary interface.
>
> Having said that, for the time being until we have figured out all
> mis-communication and data confidentiality questions, the default solution
> should be following standard best practices:
> 1. at end of employment remove email and system access and set the
> ex-employee's email to auto-respond.
> 2. if the ex-employee is also a member or wants to become a new member, we
> can provide a new email account with a slightly different name. (yes, that
> is slightly inconvenient for the ex-employee, however necessary to ensure
> that no requests or confidential data are being misdirected to his/her
> email account under the false assumption that the person would still be
> working for OWASP.)
>
> Best regards, Tobias
>
>
>
>

-- 
Email us to enforce secure link with your mail servers (domain).
This message may contain confidential information - you should handle it 
accordingly.
This message may contain confidential information and is to be handled accordingly.