[Owasp-leaders] CPE credits?

Matt Tesauro matt.tesauro at owasp.org
Tue Jun 14 17:11:26 UTC 2016


John,

I think your point about ISACA is why OWASP should only manage who did what
when - aka the metadata around a potential CPE event - for those that ask.

What I mean by that is that every certification org has their own rules
about how much 'credit' a CPE activity provides a member with that cert.

OWASP doesn't want to have to track what ISACA, ISC2, EC-Council, ...
think a 1-hour chapter meeting is worth in terms of CPE.  Instead, create
an opt-in mechanism where those that need/want CPEs provide some info so a
chapter can confirm the CPE if ISACA, ISC2, EC-Council asks.

Key is that we don't ask the chapters, conference organizers, trainers, etc.
to keep detailed records on all attendees.  Just provide a way that those
that need it can note their attendance in a way that can be verified later
in case of an audit.  Basically, what Josh said. :)

For example, you could put the 'proof' in a Google Drive folder under your
@owasp.org account and share it with the other chapter leaders.  The
technical specifics aren't as important as it being a low burden on those
holding events.

Cheers!

--
-- Matt Tesauro
OWASP AppSec Pipeline Lead
https://www.owasp.org/index.php/OWASP_AppSec_Pipeline
OWASP WTE Project Lead
https://www.owasp.org/index.php/OWASP_Web_Testing_Environment_Project
http://AppSecLive.org <http://appseclive.org/> - Community and Download site

On Tue, Jun 14, 2016 at 11:58 AM, John Patrick Lita <
john.patrick.lita at owasp.org> wrote:

> Hi Josh,
>
> Thank you for this information, what about ISACA members?
>
> *John Patrick Lita *
> Manager for cyber security and IT services
> OWASP Manila chapter chairman
> FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
> https://www.owasp.org/index.php/Manila
> <https://lists.owasp.org/mailman/listinfo/owasp-manila>
>
> On Wed, Jun 15, 2016 at 12:55 AM, Josh Sokol <josh.sokol at owasp.org> wrote:
>
>> OWASP Austin uses Eventbrite as a means to have people register for our
>> meetings.  They have the ability to print a sign-in sheet which we then put
>> out at the meeting.  We have experimented with sending CPE certificates in
>> the past, but it's high effort and low return.  (ISC)2 only occasionally
>> audits people who self-submit CPEs and I think I only had one or two over
>> the two years that I ran the chapter.  I just provided an e-mail saying "I
>> verify that <PERSON X> attended the hour-long <DATE> OWASP meeting."
>> They've never questioned it.  I would recommend similar as it's very low
>> effort and seems to satisfy the requirements.
>>
>> ~josh
>>
>> On Tue, Jun 14, 2016 at 11:39 AM, John Patrick Lita <
>> john.patrick.lita at owasp.org> wrote:
>>
>>> Hi All,
>>>
>>> Maybe a chapter leader will create a Google form, like Josh said, and
>>> the chapter will keep it, or send a copy to the OWASP board for reference.
>>>
>>> *John Patrick Lita *
>>> Manager for cyber security and IT services
>>> OWASP Manila chapter chairman
>>> FB Page @OwaspManila <https://www.facebook.com/OwaspManila>
>>> https://www.owasp.org/index.php/Manila
>>> <https://lists.owasp.org/mailman/listinfo/owasp-manila>
>>>
>>> On Wed, Jun 15, 2016 at 12:33 AM, Tiffany Long <tiffany.long at owasp.org>
>>> wrote:
>>>
>>>> Hello Andrew,
>>>>
>>>> OWASP does not maintain a database of CPE credits.  However, each
>>>> chapter can choose to do so. As to how, I suggest discussing with your
>>>> board the most sustainable way to collect the information as any method
>>>> should be easily handed down with leadership shifts.  As Josh suggested,
>>>> collected sign-in sheets (or pictures of the sign-in sheets kept digitally
>>>> and tagged by date) would be a low-impact, long-term solution.
>>>>
>>>> Below is an excerpt from the handbook and the link to the page should
>>>> you need to refer others.
>>>>
>>>> Best,
>>>> Tiffany
>>>>
>>>> Collecting CPE Forms
>>>>
>>>> Send out CPE credits to attendees that requested them or explain to
>>>> them that ISC2 (as an example) is a self certify -- if organizations such as
>>>> those want to designate someone to collect and validate they are welcome to
>>>> do so, but that is not a responsibility of OWASP Chapter Leaders.
>>>>
>>>>
>>>>
>>>> https://www.owasp.org/index.php/Chapter_Handbook/Chapter_7:_Organizing_Chapter_Meetings#Collecting_CPE_Forms
>>>>
>>>> On Tue, Jun 14, 2016 at 9:08 AM, Andrew van der Stock <
>>>> vanderaj at owasp.org> wrote:
>>>>
>>>>> Hi Tiffany,
>>>>>
>>>>> Can you please outline best practices for people running chapter
>>>>> meetings, day long events, and conferences in relation to providing the
>>>>> correct CPE credits to attendees? i.e. do we state how many points and in
>>>>> what class they should claim, or do we need to maintain a list of folks
>>>>> claiming CPE for attending (hope not).
>>>>>
>>>>> I had a query from JP (cc'd), who is helping run a day long course and
>>>>> they were asked about this. I personally just add my attendance in the ISC
>>>>> portal and no one has hassled me or the event yet, but I'm sure there's
>>>>> some sort of protocol we should have ready in case.
>>>>>
>>>>> thanks,
>>>>> Andrew
>>>>>
>>>>
>>>>
>>>
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>
>