[Owasp-leaders] email SOPs when employees are leaving OWASP

Tobias tobias.gondrom at owasp.org
Wed Jul 2 20:42:12 UTC 2014

Hi Timur,

am not fully convinced, but if you like, we could discuss this in
detail, e.g. on the governance list?

Just fyi: am kind of sitting on the fence, because at the moment I 
don't really see us having a problem here giving ex-employees a new
email address if needed and my hesitation with the different format for
staff is that it might give our staff the feeling that they would not be
separated from our community. And second that even though in theory
semantically beautiful, that it could make life unnecessarily complex
with multiple email accounts per person.

In theory I can see the concept behind your idea, and my German heart
may like it, but it does a bit feel like "over-engineering" for a
problem we don't have.

Possibly an approach would be to discuss a proposal on the governance
list, depending on how many people have an opinion about this and then
put it to a community vote.

Just my 2cents.


On 02/07/14 01:33, Timur 'x' Khrotko (owasp) wrote:
> Ok, Tobias, I am convinced that distinguishing board members by this
> tagging in the email id was a wrong idea.
> Probably distinguishing between owasp community members and the staff
> this way can still make sense. Consider tagging staff members by
> addresses like samantha.groves at staff.owasp.org. It is easy to manage
> suborganizations like 'staff' within our Google Apps domain. If she
> (anyone) remains a community member, she can have/keep the @owasp.org
> email. On her exit from the staff the staff account
> is suspended/deleted, thus blocking access to documents is easily
> managed. In case a member becomes a hired worker at the Foundation
> (Samantha returns :), she receives the staff account (again).
> Of course if the case of an employee becoming a member of the community
> and continuing their participation in the community after leaving the
> staff is not a significant case, then the ugly tagging like
> john.malkovich.exemployee at owasp.org is still an option.
> On Jul 1, 2014 10:12 PM, "Tobias" <tobias.gondrom at owasp.org> wrote:
>     Hm, I don't think a special board member email account is
>     necessary and really like to be clear on one point because it
>     seems to be a common misconception for some people:
>     Board members as individuals have _*no*_ special authority or powers.
>     Only the board as a whole group has authority over our organisation.
>     I think it is very important to really keep that fact in mind.
>     Individual board members need to be seen and treated as any normal
>     active member of our community. And in fact I would not want
>     people to use email addresses with the word "board" in them as
>     that might give others the false impression that an individual
>     board member would have any special authority or be talking on
>     behalf of the board. (Only under rare circumstances would this
>     happen when one board member is effectively communicating the
>     result of a vote taken by the board.)
>     Therefore, I think separate emails for board members are not
>     required and could in fact be misleading, communicating a false
>     sense of authority.
>     Also it is important to remember that the role of board member
>     does not have any operational powers or duties, like our staff
>     have.  So e.g. when people want to launch a project, have chapter
>     questions, etc., our staff is in charge.
>     Board members can help with information about finding the right
>     contact person or help with advice on how OWASP works, or we can
>     propose things to the board for consideration or vote. All these
>     things are more based on knowledge, not on any special powers or
>     authority of the individual. And that is pretty much it.
>     So if you send an email to a board member you should see this as
>     sending an email to any other OWASP leader with deep knowledge of
>     our current community. Compared to when you are sending an email
>     to a staff member, you expect certain operational things to happen.
>     Small note: please note, that the board in our current
>     restructuring may assign responsibilities to members of the
>     community like in the form of the committees and leaders of the
>     community (incl. board members) and also may appoint a temporary
>     ED when Sarah our current ED will be leaving. In this case it is
>     important to recognise that these responsibilities may be assigned
>     to a person (incl. to a board member) by the board, but are only
>     by assignment and not due to the mere aspect that a person is on
>     the board. (With one exception, as following our bylaws, the
>     chairman of the board does have some executive powers due to his
>     role.)
>     Best wishes, Tobias
>     On 01/07/14 18:59, Timur 'x' Khrotko (owasp) wrote:
>>     Then probably the privileged accounts are to be signified as such:
>>     tobias.gondrom at board.owasp.org
>>     Gapps provides so called suborganizations. You will then have two
>>     accounts, one as OWASP member and one for your director role.
>>     Setting this up as alias in your Gmail client is easy. Sensitive
>>     documents will be shared with your director account then.
>>     Semantics is important in security, isn't it ,)
