Merge pull request #146 from OWASP/rewtd-patch-1
Updating the Compliance pages to reflect the change from Committee and to add the two current officers
rewtd authored May 24, 2024
2 parents 70baf7c + 651665d commit f8feb1d
Showing 2 changed files with 46 additions and 8 deletions.
10 changes: 10 additions & 0 deletions _data/members.yml
@@ -0,0 +1,10 @@
- image: people/board-grant.png
name: Grant Ongers
twitter: https://twitter.com/rewtd
linkedin: https://www.linkedin.com/in/rewtd/
location: United Kingdom
- image:
name: Rick Mello
twitter:
linkedin: https://www.linkedin.com/in/rick-mello/
location: United States
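Review bot: the second entry leaves `image:` empty, and the only consumer of this file (the Liquid block in `operational/whistleblower.md`) drops that value straight into `url(https://owasp.org/assets/images/{{ member.image }})`, so the card for Rick Mello will render with a broken background image; either add the image and its path here or guard the `member-img` div in the template with `{% if member.image %}`. The file name `_data/members.yml` is also generic while the template labels every entry "Compliance Officer": a name such as `compliance_officers.yml` would make the list's purpose obvious and keep unrelated people from being rendered as officers if someone later reuses this file.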
44 changes: 36 additions & 8 deletions operational/whistleblower.md
@@ -28,7 +28,7 @@ OWASP encourages participants and members who have concerns about breaches of po

A. **Employees**. The OWASP Foundation has an approved Staff Handbook covering the Foundation's employment and HR policies, including complaints, whistleblowing policies and processes. Foundation staff wishing to make a complaint or report should follow the policy and process as detailed in the most recently approved Employee Handbook, as published in OWASP's HR portal. If an OWASP member or participant wishes to make an informal complaint relating to a staff member or Foundation process, please contact the OWASP Executive Director in the first instance, who will may escalate the issue to OWASP's HR firm, the Board, or both, as the case requires. Staff are required to follow OWASP's Code of Conduct, but informal complaints or whistleblower reports by the public about Foundation staff will be handled per the Staff Handbook.

B. **Non-Employees**. All individuals are encouraged to share questions, concerns, suggestions, or complaints with OWASP’s Executive Director, a member of the OWASP Board of Directors, or the [OWASP Compliance Committee](mailto:[email protected]). This person will then serve as their point-of-contact during the Whistleblower process, as well as the person responsible for capturing and archiving all related evidence, unless a conflict of interest is identified. If a conflict of interest is identified, the point-of-contact will defer responsibility to either the Chair of the Board or the Compliance Committee.
B. **Non-Employees**. All individuals are encouraged to share questions, concerns, suggestions, or complaints with OWASP’s Executive Director, a member of the OWASP Board of Directors, or the [OWASP Compliance Team](mailto:[email protected]). This person will then serve as their point-of-contact during the Whistleblower process, as well as the person responsible for capturing and archiving all related evidence, unless a conflict of interest is identified. If a conflict of interest is identified, the point-of-contact will defer responsibility to either the Chair of the Board or (another member of) the Compliance Team.

Please report incidents or concerns as soon as possible. Informal reports over one year of age are unlikely to be resolved to anyone's satisfaction. Please proceed to a formal complaint if the incident or concern occurred more than a year in the past.
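Review bot: the unchanged context line in this hunk still reads "who will may escalate the issue", which should be "who may escalate the issue"; since the paragraph right below it is being rewritten anyway, it is worth fixing in the same change. The rest of the rename reads cleanly.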

@@ -38,7 +38,7 @@ The OWASP Foundation recognizes that conflict between contributors participating

### V. Initiating a Formal Complaint

At any point in time, an OWASP Foundation board member, employee, or volunteer may choose to file a formal complaint regarding the ethical or legal violations of another member of our community. This complaint must be submitted in writing (non-verbal) to the [OWASP Compliance Committee](mailto:[email protected]). A valid complaint must include all background information necessary to evaluate the request, a list of each ethical or legal violation, as well as all evidence to support the claims. Upon submission, the Compliance Committee will evaluate that the complaint is valid and will respond back that either the complaint has been accepted, or it is lacking information necessary to properly evaluate (specifying what it is lacking). If the formal complaint relates to Foundation staff or procedures, the Compliance Committee will forward the complaint to the Executive Director for resolution following the complaints or whistleblower process as set out in the latest approved Staff Handbook, and report the matter to the Board for oversight purposes.
At any point in time, an OWASP Foundation board member, employee, or volunteer may choose to file a formal complaint regarding the ethical or legal violations of another member of our community. This complaint must be submitted in writing (non-verbal) to the [OWASP Compliance Team](mailto:[email protected]). A valid complaint must include all background information necessary to evaluate the request, a list of each ethical or legal violation, as well as all evidence to support the claims. Upon submission, the Compliance Team will evaluate that the complaint is valid and will respond back that either the complaint has been accepted, or it is lacking information necessary to properly evaluate (specifying what it is lacking). If the formal complaint relates to Foundation staff or procedures, the Compliance Team will forward the complaint to the Executive Director for resolution following the complaints or whistleblower process as set out in the latest approved Staff Handbook, and report the matter to the Board for oversight purposes.

Once a complaint has been determined as valid, the complainant is asked to cease direct contact with the individual whom they are making the complaint against. Attempts to facilitate direct contact, especially regarding the complaint in question, may result in the complaint being dismissed by a Compliance Officer. Currently, we also ask that the complainant refrain from speaking on the matter with anyone other than a Compliance Officer, to ensure the utmost amount of confidentiality and integrity on the matter. Disregarding this request may also result in the complaint being dismissed by a Compliance Officer. The Compliance Officer will notify the OWASP Foundation Board of Directors that a formal complaint has been filed, the date it was filed, the complainant’s name, and the party or parties named in the complaint.
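Review bot: the rewritten sentence "the Compliance Team will evaluate that the complaint is valid" conflicts with the unchanged paragraph that follows, where a single Compliance Officer may dismiss a complaint, and with section IX, which says it is "solely the Compliance Officer's charge" to determine validity. With two officers now listed, the policy should state whether validity is a single-officer or a team decision, or this sentence should keep "a Compliance Officer will evaluate" so the three passages agree.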

@@ -50,26 +50,54 @@ After a Compliance Officer has determined that a complaint is valid and has noti

### VII. Concluding an Investigation

Once a Compliance Officer is satisfied that they have spoken to all concerned parties and feels that they have enough information necessary to make a recommendation, they will begin to create a final report noting the allegations, the actors involved, their determination as to the veracity of the allegations, any remedial actions recommended, and any rationale for their determinations. Once complete, the final report will be provided to the complainant, the subject of the complaint, and any actors, individually, involved to allow them the opportunity to comment on the final report, which will not affect the final determination. They will be given 72 hours to respond, at which point, all responses will be aggregated alongside the final report, and any evidence collected during the investigation, and provided to the Executive Director and the OWASP Foundation Board of Directors by the Compliance Committee. At this point, the investigation can be considered closed.
Once a Compliance Officer is satisfied that they have spoken to all concerned parties and feels that they have enough information necessary to make a recommendation, they will begin to create a final report noting the allegations, the actors involved, their determination as to the veracity of the allegations, any remedial actions recommended, and any rationale for their determinations. Once complete, the final report will be provided to the complainant, the subject of the complaint, and any actors, individually, involved to allow them the opportunity to comment on the final report, which will not affect the final determination. They will be given 72 hours to respond, at which point, all responses will be aggregated alongside the final report, and any evidence collected during the investigation, and provided to the Executive Director and the OWASP Foundation Board of Directors by the Compliance Team. At this point, the investigation can be considered closed.

### VIII. Determination by the Board

Once the OWASP Foundation Board of Directors receives the final report, actor comments, and supporting evidence, they will require sufficient time to review and discuss all aspects of the situation and investigation. They should strongly consider the recommendations of the Compliance Committee report, but are by no means required to follow them. From here, the standard OWASP Foundation process for Board of Director proposals and voting will apply except that any Director named in the complaint will not be allowed to vote. Once an outcome has been agreed to, a formal decision will be written up and made public, via a post on the OWASP Blog and the OWASP Leaders List, within two weeks of the vote, along with the report provided by the Compliance Committee. Appropriate corrective action will be taken if warranted by the investigation.
Once the OWASP Foundation Board of Directors receives the final report, actor comments, and supporting evidence, they will require sufficient time to review and discuss all aspects of the situation and investigation. They should strongly consider the recommendations of the Compliance Team report, but are by no means required to follow them. From here, the standard OWASP Foundation process for Board of Director proposals and voting will apply except that any Director named in the complaint will not be allowed to vote. Once an outcome has been agreed to, a formal decision will be written up and made public, via a post on the OWASP Blog and the OWASP Leaders List, within two weeks of the vote, along with the report provided by the Compliance Team. Appropriate corrective action will be taken if warranted by the investigation.

### IX. Compliance Officer

The OWASP Foundation’s Compliance Officers are responsible for ensuring that all complaints about unethical or illegal conduct are investigated and resolved. The Compliance Committee will advise the Board of Directors on all complaints and their resolution and will report at least annually on any compliance activity relating to accounting or alleged financial improprieties. Compliance Committee Officers are empowered to conduct their investigations in isolation of the Board in order to maintain independence but are free to involve members of the Board as necessary. It is solely the Compliance Officer’s charge to determine whether a complaint can be considered valid for investigation though any individual may submit a complaint as noted above.
The OWASP Foundation’s Compliance Officers are responsible for ensuring that all complaints about unethical or illegal conduct are investigated and resolved. The Compliance Team will advise the Board of Directors on all complaints and their resolution and will report at least annually on any compliance activity relating to accounting or alleged financial improprieties. Compliance Officers are empowered to conduct their investigations in isolation of the Board in order to maintain independence but are free to involve members of the Board as necessary. It is solely the Compliance Officer’s charge to determine whether a complaint can be considered valid for investigation though any individual may submit a complaint as noted above.

The Compliance Committee shall immediately notify the Board of Directors and Executive Director of any concerns or complaint regarding corporate accounting practices, internal controls or auditing and work with the committee until the matter is resolved.
The Compliance Team shall immediately notify the Board of Directors and Executive Director of any concerns or complaint regarding corporate accounting practices, internal controls or auditing and work with the committee until the matter is resolved.

At least one Compliance Officer shall be identified by the Board of Directors and approved by a two thirds vote by January 1 of each year. A member of the OWASP Board of Directors may not also serve as the Compliance Officer during their tenure on the Board. If the Board of Directors is not able to affirmative two thirds vote on at least one Compliance Officer, a neutral, third-party executive ombuds service will be contracted to serve in this role.

The current Compliance Officers are: Fiona Collins
The current Compliance Officers are:
<section id="compliance-officers" class="corporate">
<div>
{% for member in site.data.members %}
<div class="member-container">
<hr/>
<div class="member-img-container">
<div class="member-img" style="background-image: url(https://owasp.org/assets/images/{{ member.image }});"></div>
</div>
<div class="member-caption"><h2>{{ member.name }}</h2>
<hr><strong>Compliance Officer</strong><br/>
<div class="member-location">{{member.location}}</div>
{% if member.twitter %}
{% assign arr = member.twitter | split: "/" %}
{% assign lastindex = arr.size | minus: 1 %}
<div class="member-location"><a href="{{member.twitter}}">@{{ arr[lastindex] }}</a></div>
{% else %}
<br/>
{% endif %}
{% if member.linkedin %}
<div class="member-location"><a href="{{member.linkedin}}">{{ member.linkedin }}</a></div>
{% else %}
<br/>
{% endif %}
</div><br/><br/>
</div>
{% endfor %}
</div>
</section>

### X. Confidentiality

Violations or suspected violations may be submitted on a confidential basis by the complainant. Reports of violations or suspected violations will be kept confidential to the extent possible, consistent with the need to conduct an adequate investigation.

### XI. Contact

The Complaint / Whistleblower / Compliance Committee's email address is: [compliance '@' owasp.org](mailto:[email protected])
The Complaint / Whistleblower / Compliance Team's email address is: [compliance '@' owasp.org](mailto:[email protected])
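Review bot: the renamed sentence in section IX still ends "and work with the committee until the matter is resolved", which now points at a body that no longer exists under that name; say which group is meant (the Compliance Team, the Board, or an audit committee) instead of leaving "the committee". Two smaller points in the same hunk: the unchanged line "If the Board of Directors is not able to affirmative two thirds vote" is missing a verb ("is not able to reach an affirmative two-thirds vote"), and the Liquid block derives the Twitter handle by splitting the URL on "/" and taking the last element, which yields an empty handle if a future entry's URL ends in a trailing slash (the LinkedIn URLs in `members.yml` already do); storing the handle directly in the data file, or stripping a trailing slash before the split, would be more robust.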
