This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Chapter Handbook/Chapter 4: Chapter Administration"

m (Organizing Your Contacts)
(Money not Tracked by the Foundation)
 
(24 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 
==Owasp.org Email Accounts==
 
==Owasp.org Email Accounts==
Owasp.org email accounts are provided for paid OWASP members and Chapter Leaders. If you do not have one and fall into one of these categories, submit your request to http://sl.owasp.org/contactus.
+
Owasp.org email accounts are provided for paid OWASP members, Chapter Leaders, and Project Leaders. If you do not have one and fall into one of these categories, submit your request through the contact us form.
  
 +
It is recommended that chapter leaders use their owasp.org email account for all OWASP related matters. There are a number of reasons for this including: a separation between your contributions for OWASP and other volunteer or paid work you may do, eliminating the appearance of conflict of interest (by using a work email address for OWASP matters), and protecting your personal privacy. The email address of chapter leaders is listed both on the chapter wiki page (a means of contact) as well as the administrator of the chapter mailing list. Using an owasp.org email address prevents your personal email address from being listed on a public site.
  
The standard format followed for email addresses is: firstname.[email protected].
+
Your OWASP email account is also linked to your Google Drive account.  You can use it to access or build community documents as needed.
 
 
 
 
It is recommended that chapter leaders use their owasp.org email account for all OWASP related matters. There are a number of reasons for this including: a separation between your contributions for OWASP and other volunteer or paid work you may do, eliminating the appearance of conflict of interest (by using a work email address for OWASP matters), and protecting your personal privacy.  The email address of chapter leaders is listed both on the chapter wiki page (a means of contact) as well as the administrator of the chapter mailing list. Using an owasp.org email address prevents your personal email address from being listed on a public site.
 
 
 
 
==OWASP Wiki==
 
==OWASP Wiki==
Maintaining the web site is the most basic aspect of promoting an OWASP chapter. This is the place where people will be directed, when looking at our list of meeting locations by geographic region: https://www.owasp.org/index.php/Category:OWASP_Chapter
+
Maintaining the website is the most basic aspect of promoting an OWASP chapter. This is the place where people will be directed when looking at our list of [[:Category:OWASP Chapter|meeting locations by geographic region]]: a[[:Category:OWASP Chapter|n]]<nowiki/>d o[[:Category:OWASP Chapter|n]]<nowiki/>e o[[:Category:OWASP Chapter|f]] [[:Category:OWASP Chapter|t]]<nowiki/>h[[:Category:OWASP Chapter|e]] [[:Category:OWASP Chapter|m]]<nowiki/>a[[:Category:OWASP Chapter|i]]<nowiki/>n w[[:Category:OWASP Chapter|a]]<nowiki/>y[[:Category:OWASP Chapter|s]] [[:Category:OWASP Chapter|f]]<nowiki/>o[[:Category:OWASP Chapter|r]] [[:Category:OWASP Chapter|prospective]] [[:Category:OWASP Chapter|m]]<nowiki/>e[[:Category:OWASP Chapter|m]]<nowiki/>b[[:Category:OWASP Chapter|e]]<nowiki/>r[[:Category:OWASP Chapter|s or sponsors]] [[:Category:OWASP Chapter|t]]<nowiki/>o f[[:Category:OWASP Chapter|i]]<nowiki/>n[[:Category:OWASP Chapter|d]] [[:Category:OWASP Chapter|y]]<nowiki/>o[[:Category:OWASP Chapter|u]]<nowiki/>r c[[:Category:OWASP Chapter|h]]<nowiki/>a[[:Category:OWASP Chapter|p]]<nowiki/>t[[:Category:OWASP Chapter|e]]<nowiki/>r[[:Category:OWASP Chapter|.]]
 
 
 
 
Part of holding free and open chapter meetings is making the information about your meetings (time and place) freely available.  So that people don’t have to hunt around for your meeting information make sure to post the information on your wiki page as soon as the meeting is set.
 
 
 
 
 
The local chapter web site should include at least:
 
*Information about the chapter leadership, including best way to contact.
 
*Link to the chapter’s mailing list.
 
*Information about future and historical events.
 
*The presentations given in past meetings.
 
 
 
Other promotional services such as LinkedIn, Facebook, Twitter, Ning, Meetup, etc. are fine to inform people about your local chapter and its activities; however, the OWASP Chapter Wiki Page should be the authoritative information at all times.
 
 
 
 
 
If you have not already created an account on our wiki site (which can be used to edit your chapter's wiki page), please do so using the following link: https://www.owasp.org/index.php/Special:RequestAccount
 
  
 +
Part of holding free and open chapter meetings is making the information about your meetings (time and place) freely available and accessible. Therefore it is imperative that  the information is posted on your wiki page as soon as the meeting is set.  People must not be required to pay or sign up for a service to learn about your meetings. 
  
Tips on wiki markup/editing: http://www.mediawiki.org/wiki/Help:Editing_pages#Edit_Summary and http://www.mediawiki.org/wiki/Help:Formatting
+
The local chapter wiki page must include at least:
 +
* Information about the chapter leadership, including best way to contact.
 +
* Link to the chapter’s mailing list.
 +
* Information about future and historical events.
 +
* The presentations given in past meetings.
 +
Other promotional services such as LinkedIn, Facebook, Twitter, Ning, Meetup, etc. are useful to inform people about your local chapter and its activities; however, the OWASP Chapter Wiki Page must be the authoritative information source at all times. Some services will have an official alternative.  One example of this is MeetUp Pro which will has an api that will allow you to mirror the meeting information you post on your MeetUp Pro account to your wiki page and the OWASP Events Calendar (Coming 2017).
  
 +
If you have not already created a user account on our wiki site to edit your chapter's wiki page, [[Special:RequestAccount|please do so]].
  
You can copy and paste the wiki code for this “template” here: https://www.owasp.org/index.php/Sample_Chapter_Page
+
T[[Special:RequestAccount|o]] [[Special:RequestAccount|e]]<nowiki/>n[[Special:RequestAccount|s]]<nowiki/>u[[Special:RequestAccount|r]]<nowiki/>e u[[Special:RequestAccount|n]]<nowiki/>i[[Special:RequestAccount|f]]<nowiki/>o[[Special:RequestAccount|r]]<nowiki/>m[[Special:RequestAccount|i]]<nowiki/>t[[Special:RequestAccount|y]] [[Special:RequestAccount|a]]<nowiki/>n[[Special:RequestAccount|d]] [[Special:RequestAccount|e]]<nowiki/>a[[Special:RequestAccount|s]]<nowiki/>e o[[Special:RequestAccount|f]] [[Special:RequestAccount|r]]<nowiki/>e[[Special:RequestAccount|a]]<nowiki/>d[[Special:RequestAccount|i]]<nowiki/>n[[Special:RequestAccount|g]] [[Special:RequestAccount|o]]<nowiki/>n t[[Special:RequestAccount|h]]<nowiki/>e w[[Special:RequestAccount|i]]<nowiki/>k[[Special:RequestAccount|i]], O[[Special:RequestAccount|W]]A[[Special:RequestAccount|S]]P h[[Special:RequestAccount|a]]<nowiki/>s a s[[Special:RequestAccount|e]]<nowiki/>t o[[Special:RequestAccount|f]] [[Special:RequestAccount|guidelines]] [[Special:RequestAccount|f]]<nowiki/>o[[Special:RequestAccount|r]] [[Special:RequestAccount|d]]<nowiki/>e[[Special:RequestAccount|s]]<nowiki/>i[[Special:RequestAccount|g]]<nowiki/>n[[Special:RequestAccount|i]]<nowiki/>n[[Special:RequestAccount|g]] [[Special:RequestAccount|y]]<nowiki/>o[[Special:RequestAccount|u]]<nowiki/>r w[[Special:RequestAccount|i]]<nowiki/>k[[Special:RequestAccount|i]] [[Special:RequestAccount|p]]<nowiki/>a[[Special:RequestAccount|g]]<nowiki/>e[[Special:RequestAccount|.]]  Tips on wiki markup/editing can be found here: http://www.mediawiki.org/wiki/Help:Editing_pages#Edit_Summary and http://www.mediawiki.org/wiki/Help:FormattingYou can copy and paste the [[Sample Chapter Page|wiki code for the chapter template]] [[Sample Chapter Page|.]]
  
 
==Local Domain Names==
 
==Local Domain Names==
Many leaders wish to purchase a local domain name for their OWASP chapter, and this domain should point to the country web page on the wiki. It is important to note that the OWASP wiki is the only web site that ensures OWASP values and principles.
+
Many leaders wish to purchase a local domain name for their OWASP chapter, and this domain should point to the chapter web page on the wiki and vice versa. It is important to note that the OWASP wiki is the only website that ensures OWASP values and principles.
 
 
 
 
A few countries (such as China) have not been able to access the wiki and therefore the local domain name is used as the main source of information about OWASP for the country.
 
 
 
  
Chapter leaders are free to register local domain names and submit the expense for reimbursement from their chapter’s account. If additional paperwork or authorization is needed for the registration, submit your request to http://sl.owasp.org/contactus. Also, please notify the Foundation (through this same form) if you have registered the name to help us keep track of what domain names have been purchased by OWASP.
+
A few countries (such as China) have not been able to access the wiki and therefore the local domain name is used as the main source of information about OWASP for the country. If an exception is permitted, every effort must be made to announce changes to leadership and upcoming meetings on the chapter wiki page so that the global site information is up to date.  If all else fails, you can do this by submitting a case through the [http://sl.owasp.org/contactus Contact Us] form.  
  
 +
Chapter leaders are free to register local domain names and submit the expense for reimbursement from their chapter’s account.  To maintain brand cohesion all domain names must be “OWASP [Chapter location]”   If additional paperwork or authorization is needed for the registration, submit your request through the [http://sl.owasp.org/contactus Contact Us form]. You must notify the Foundation through this same form if you have registered the name to help us keep track of what domain names have been purchased by OWASP.
  
 
==Mailing Lists==
 
==Mailing Lists==
The chapter mailing list should be used mostly to inform list members about local OWASP activities. In addition to chapter meetings, which should all be posted to the list, many chapters use their list as a way to communicate information about upcoming security events, projects the chapter is working on, or appsec-related issues.
+
The chapter mailing list should be used to inform list members about local OWASP activities. In addition to chapter meetings, which should all be posted to the list, many chapters use their list as a way to communicate information about upcoming security events, projects the chapter is working on, or AppSec-related issues  
  
 +
Chapter leaders will be given the administrative password for their chapter mailing list and will be responsible for moderation of the list. If additional moderators need to be added to your list, please feel free to add them as needed. Should a post need to be moderated, you will receive an email from your list requesting approval.
  
Chapter leaders will be given the administrative password for their chapter mailing list and will be responsible for moderation of the list. If additional moderators need to be added to your list, please feel free to add them as needed.  Should a post need to be moderated, you will receive an email from your list requesting approval.
+
When a person is listed as an administrator of a mailing list they will receive all email sent to the OWASP leader's list. Please add all (additional) chapter leaders to the administrative area on the mailing list so that they will receive timely communication from the community.
  
 +
Some other suggestions:
 +
* It is frowned upon by the OWASP Community to “spam” OWASP mailing lists regarding conferences in other regions. For example, it would be inappropriate for someone hosting a non-OWASP conference in India to send emails to multiple mailing lists outside of India.
  
When a person is listed as an administrator of a mailing list they will receive all email sent to the OWASP leader's list. Please add all (additional) chapter leaders to the administrative area on the mailing list so that they will receive timely communication from the community.
+
* The best way to prevent “spam” from your chapter’s mailing list is to enable list moderation. This can be done by logging into the mailing list administrative interface and clicking on “Privacy Options” and “Sender filter.” There are options for moderating posts by both mailing list subscribers and nonsubscribers.
 
 
  
Some other suggestions:
+
* The subject of posting job leads to a chapter’s mailing list is handled differently by each chapter. Some chapters encourage it as long as the jobs are local and security related, others frown upon it, instead encouraging the people hiring to stand up and promote their openings in person at the chapter meetings.
*It is frowned upon by the OWASP Community to “spam” OWASP mailing lists regarding conferences in other regions. For example, it would be inappropriate for someone hosting a non-OWASP conference in India to send e-mails to multiple mailing lists outside of India.
+
** For discussion details: see “[https://lists.owasp.org/pipermail/owasp-leaders/2011-September/006072.html <nowiki>[Owasp-leaders] Job Leads on Chapter Mailing Lists?</nowiki>]
+
** OWASP has a [https://www.linkedin.com/groups?jobs=&gid=36874&trk=groups_most_recent-h-jobs&_mSplash=1%7CJob Jobs Board] on LinkedIn. OWASP does not endorse commercial products or services and provides this listing for the benefit of the community. If you have additional questions or would like to post a job opening to this page visit our LinkedIn Jobs page.
*The best way to prevent “spam” from your chapter’s mailing list is to enable list moderation. This can be done by logging into the mailing list administrative interface and clicking on “Privacy Options” and “Sender filter.” There are options for moderating posts by both mailing list subscribers and non-subscribers.
 
 
 
*The subject of posting job leads to a chapter’s mailing list is handled differently by each chapter. Some chapters encourage it as long as the jobs are local and security related, others frown upon it, instead encouraging the people hiring to stand up and promote their openings in person at the chapter meetings.
 
**For discussion details: see “[Owasp-leaders] Job Leads on Chapter Mailing Lists?”
 
**The OWASP Wiki has a [[OWASP_Jobs|link to the OWASP Job Board]] from the home page. OWASP does not endorse commercial products or services and provides this listing for the benefit of the community. If you have additional questions or would like to post a job opening to this page contact us.
 
  
 
==Social Media==
 
==Social Media==
Similar to the OWASP chapter mailing lists, social media under the “OWASP” Chapter name should be used to inform subscribers about OWASP activities as well as communicate information about upcoming security events, projects the chapter is working on, or other appsec-related issues. Additionally, social media used under the OWASP chapter name, should abide by the [[About_OWASP|OWASP Principles and Code of Ethics]].
+
Similar to the OWASP chapter mailing lists, social media under the “OWASP” Chapter name should be used to inform subscribers about OWASP activities as well as communicate information about upcoming security events, projects the chapter is working on, or other appsec-related issues. Social media used under the OWASP chapter name, must abide by the [[About OWASP|OWASP Principles and Code of Ethics]]. Additionally, anyone who posts or moderates OWASP branded social media must sign and abide by the Social Media Agreement.
  
 +
While the chapter leader or member that sets up the account will hold the password and be the official “owner” of the account,  this account login information with other members of the leadership team and with the Foundation. When new leadership takes over, the information must be handed over to the new leader(s).
  
While the chapter leader or member that sets up the account will hold the password and be the official “owner” of the account, please share this account login information with other members of the leadership team. When new leadership takes over, the information should be handed over to the new leader(s).
+
Note that, the chapter page on the OWASP wiki is the official representation of the chapter. Therefore, communication on social media platforms complement rather than replace the wiki page. Chapter members cannot be required to sign up for any social media account to get access to meeting notices. Do keep any new event or activity announcements up to date on the wiki page, per section 4.2. It is important that any social media platform the chapter uses be openly accessible, regularly maintained and updated with accurate information.  Should the chapter choose to leave a platform, it should close the social media account and alert the Foundation using the [http://sl.owasp.org/contactus Contact Us] form.
  
  
If social media is one of the main forms of communication your chapter uses to spread the word about meetings and events, it is important that the page be maintained and updated with accurate information.
+
Ideas for social media platforms used by current OWASP chapters (it is not necessary for each chapter to have an account with each of these platforms -- choose the forum that will be best for your geographic area and audience):
 
+
* [http://delicious.com/ Delicious]
 
+
* [http://digg.com/ Digg]
Ideas for social media platforms used by current OWASP chapters (it is not necessary for each chapter to have an account with each of these platforms -- choose the forum that will be best for your geographic area):
+
* [http://www.eventbrite.com/ Eventbrite]
*Delicious - http://delicious.com/
+
* [https://www.facebook.com/groups/owaspfoundation/ Facebook]
*Digg - http://digg.com/
+
* [http://www.flickr.com/ Flickr]
*Eventbrite - http://www.eventbrite.com/
+
* [http://www.linkedin.com/ LinkedIn]
*Facebook - http://www.facebook.com/
+
* [https://www.meetup.com/pro/OWASP/ MeetUp]
*Flickr - http://www.flickr.com/
+
* [https://twitter.com/owasp?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor Twitter]
*LinkedIn - http://www.linkedin.com/
+
If the chapter opens an account on a service that the Foundation also uses, is advisable that the chapter follow the Foundation account.  
*Meetup - http://www.meetup.com/
+
==Organizing Your Contacts==
*Ning - http://myowasp.ning.com/
+
It is recommended that each Chapter have a central database (you have access to the tools to maintain this in your force portal) in which to organize their contacts and other important information. This can be a comprehensive list of mailing list subscribers, LinkedIn group members, local affiliations (and point of contact within the organization), and sponsors (past, current, future). This will not only help when it is time to pass chapter management onto a new person, but also with direct mailings (which often generate more results than “list” mailings) and finding future venues, sponsors, or even speakers. See also  “Recruiting List Members.
*Newsvine - http://www.newsvine.com/
 
*Reddit - http://www.reddit.com/
 
*Stumbleupon - http://www.stumbleupon.com/
 
*Twitter - http://twitter.com/
 
 
 
  
==Organizing Your Contacts==
+
When using the contact database, remember to abide by our privacy rule. Member contact lists may not be distributed outside of chapter leadership.
It is recommended that each chapter have a central database (something as simple as a google spreadsheet) in which to organize their contact database. This can be a comprehensive list of mailing list subscribers, LinkedIn group members, Local Affiliations (and point of contact within the organization), and Sponsors (past, current, future). This will not only help when it is time to pass chapter management onto a new person, but also with direct mailings (which often generate more results than “list” mailings) and finding future venues, sponsors, or even speakers. See also the section below on “Recruiting List Members.
 
  
 
==Handling Money==
 
==Handling Money==
Chapter funds should be used for your chapter and must be spent in line with the OWASP Foundation goals, principles, and code of ethics. Accordingly, chapter finances should be handled in a transparent manner.
+
Chapter funds should be used for your chapter and must be spent in line with the OWASP Foundation [[About OWASP|purpose]], [[OWASP Strategic Goals|goals]], [[About OWASP|principles]], and [[About OWASP|code of ethics]]. Accordingly, chapter finances should be handled in a transparent manner as described in [[Chapter Handbook/Chapter 2: Mandatory Chapter Rules|Chapter 2]]
 
 
 
 
A chapter should have a treasurer who is in charge of money. This person can be (and often is) the leader. His/her name should be communicated to the Global Chapter Committee.
 
  
 +
A chapter should have a treasurer who is in charge of money. This person can be (and often is) the leader. His/her name should be communicated to the Community Manager so we can update our official records. Some key guidelines about managing your chapter budget:
 +
* Any Chapter which has a $0 or low bank account can ask for a grant.  The funding request must include specifically what you wish to spend the money on.  Any amount in your chapter account will first be subtracted from the request.  For example, if you ask for $100 to pay for refreshments but have $40 in your account, we may give you a grant of $60.  Needing a grant does not guarantee the OWASP Foundation will provide a grant.  Pre-approval is required to ensure an expense is covered, especially if there's a chance of it exceeding a chapters's total funds.
 +
* Any Chapter with more than $5000 at the end of the year must submit a budget for the use of these monies or risk the surplus being put in the general outreach fund
 +
* Some ways of using funds require prior approval (see below).
 +
* All discussions about using funds, requests for funds, and budgets must be linked to transparently on the chapter wiki or in the chapter list archives.
 +
* Chapters have the right to ask for large budget items from the board during the annual budget creation (Prior to November first) (see below).<br>
  
 
===Spending Guidelines===
 
===Spending Guidelines===
 
For the following common expenses, if the expenditure is under $500, Chapter Leaders can consider their purchase “white-listed” for reimbursement out of the chapter’s account, provided that the chapter has the necessary funds in its account:
 
For the following common expenses, if the expenditure is under $500, Chapter Leaders can consider their purchase “white-listed” for reimbursement out of the chapter’s account, provided that the chapter has the necessary funds in its account:
*Meeting venue rental
+
** Meeting venue rental
*Refreshments for a meeting
+
** Refreshments for a meeting
*Promotion of a meeting
+
** Promotion of a meeting
*OWASP Merchandise
+
** OWASP Merchandise
  
 +
If, however, the expense does not fall under one of the above categories or is greater than $500, a second signer (another chapter leader or board member) must sign off on the purchase. While travel for speakers is a common expense and may fall under $500, some chapters still prefer to have a second signer to avoid the appearance of conflict of interest. . Similarly, a donation of money out of the chapter’s account back to the Foundation, requires a second signer.  The exact details of the reimbursement process can be found under [[Reimbursement_Process_Details|Reimbursement Process Details]]
  
If, however, the expense does not fall under one of the above categories or is greater than $500, a  second person (another chapter leader or board member if possible) must sign off on the purchase. While travel for speakers is a common expense and may fall under $500, a second signer is still required.  Similarly, a donation of money out of the chapter’s account back to the Foundation, requires a second signer.
+
From an administrative perspective, OWASP has a responsibility to show its supporters that their donations (via members, sponsorship or other) are being used properly - in support of the OWASP mission. Visit the [[Funding|OWASP Funding page]] under "Additional  Resources" to see your chapter's current funding balance.
 
 
 
 
From an administrative perspective, OWASP has a responsibility to show its supporters that their donations (via members, sponsorship or other) are being used properly - in support of the OWASP mission.  
 
 
 
 
 
Exceptions to the guidelines can be brought to the [[Global Chapter Committee]] for approval and tracking.
 
  
 +
Exceptions to the guidelines can be brought to the Staff for potential approval and tracking.
  
 
===Additional Expense Policies===
 
===Additional Expense Policies===
A chapter is free to adopt any additional procedure for authorizing expenses as long as it is also authorized by the treasurer (or leader) and documented. The treasurer (or leader) must, in addition to any bookkeeping required by local authorities, keep a list of expenses made. This list should be made public, preferably on the wiki.
+
A chapter is free to adopt any additional procedure for authorizing expenses as long as it is also authorized by the treasurer (or leader) and documented on the wiki with all other chapter specific policies. The treasurer (or leader) must, in addition to any bookkeeping required by local authorities, keep a list of expenses made. This list should be made public on the wiki with the budget.
  
  
 
===Reimbursement Process===
 
===Reimbursement Process===
The recommended process for paying for chapter-related expenses is to prepay for the expense and submit the receipt through the OWASP [http://sl.owasp.org/reimbursement-request reimbursement request form] to get your money back. This is a standardized reimbursement procedure through for OWASP. When your request is submitted, a authorization request will be send to the appropriate chapter (leaders) for approval. You will not receive your reimbursement until the approval has been received.
+
The recommended process for paying for chapter-related expenses is to pay for the expense out of pocket and submit the receipt through the [https://owasporg.atlassian.net/servicedesk/customer/portals OWASP reimbursement request form] to get your money back. This is a standardized reimbursement procedure for OWASP. When your request is submitted, an authorization request will be sent to the appropriate chapter leaders for approval. You will not receive your reimbursement until the approval has been received.
 
 
In case of doubt if an expense is in line with the OWASP principles, get advise from the [[Global Chapter Committee]].  
 
  
 +
In case of doubt if an expense is in line with the OWASP principles, get advice from the [[About The Open Web Application Security Project|Community Manager]].
  
 
===Chapter Budgets===
 
===Chapter Budgets===
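Review bot: In the added Social Media paragraph, the sentence beginning "While the chapter leader or member that sets up the account will hold the password" has lost its verb. The old text read "please share this account login information with other members of the leadership team"; the new text reads "the account,  this account login information with other members of the leadership team and with the Foundation", so it no longer says what is to be done with the login information. Restore "please share", or use "must share" to match "must be handed over" in the next sentence. Separately, the added OWASP Wiki text has link markup wrapped around individual characters ([[:Category:OWASP Chapter|...]] and [[Special:RequestAccount|...]] fragments separated by <nowiki/>), and "Help:FormattingYou can copy and paste" is missing its sentence break; re-enter those two sentences as plain text with one link each.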
Line 127: Line 103:
 
[http://www.google.com/url?q=https%3A%2F%2Fdocs.google.com%2Fa%2Fowasp.org%2Fspreadsheet%2Fccc%3Fkey%3D0ApZ9zE0hx0LNdDQxakhaM1VWVG83N1ZwMGZCRGhYR3c%26hl%3Den_US%23gid%3D0 Sample Budget Template]
 
[http://www.google.com/url?q=https%3A%2F%2Fdocs.google.com%2Fa%2Fowasp.org%2Fspreadsheet%2Fccc%3Fkey%3D0ApZ9zE0hx0LNdDQxakhaM1VWVG83N1ZwMGZCRGhYR3c%26hl%3Den_US%23gid%3D0 Sample Budget Template]
  
 +
Chapters do not hold their own money, it is held in trust for them by the OWASP Foundation. However Chapters can track their balances using the Chapter funding totals provided on the [[Funding|OWASP Funding page]] and write a budget for the use of funds where desired.  However all chapters with more than $5,000 in their account by October 1st must submit a budget prior to November 1 for inclusion in the Foundation budget for the following calendar year. The budget should identify how they plan to spend the money in their account over the course of the next year. A future projection budget can be included as well for forecasted spending within the next 2 years. Unbudgeted funds may be diverted to other chapters, or Community Engagement Funding accounts if the chapter cannot be contacted or a budget is not received prior to January 1.
 +
 +
Separate from the aforementioned budgeting process for chapter and project accounts, any OWASP Leader can create a budget and provide it to the OWASP Board prior to November 1 for inclusion in the Foundation budget planning process. The budget will be reviewed by the Executive Director and Board and, if approved, incorporated into the overall OWASP Foundation budget for the following year. This would effectively set aside the funds to use at the appropriate period of time, in the future, with no further approvals necessary. Money that is budgeted in this manner, that wasn’t spent during the calendar year, would be returned back to the OWASP Foundation general funds.
  
 
===Money not Tracked by the Foundation===
 
===Money not Tracked by the Foundation===
Chapter leaders should not be accepting finances/funds through their own bank accounts. OWASP Foundation (US) and OWASP Inc. (Europe) have been created for the purpose of handling funds. Other countries have hired third party companies to handle their finances. If OWASP funds will be handled by a third party, notify the OWASP Foundation in advance to make sure any necessary paperwork is completed.  
+
Chapter leaders cannot accept finances/funds through their own bank accounts. OWASP Foundation (US) and OWASP Inc. (Europe) have been created for the purpose of handling funds. Other countries have hired third party companies to handle their finances. If OWASP funds will be handled by a third party, notify the OWASP Foundation in advance to make sure any necessary paperwork is completed.
 
 
  
If the sponsor pays the vendor directly (for signage, food, venue, etc.), then this is a transaction that the Foundation does not need to track. However, if the sponsor needs a receipt or record of the transaction (for tax or other purposes), the money WILL need to go through the Foundation.
+
If a sponsor pays a vendor directly (for signage, food, venue, etc.), then this is a transaction that the Foundation does not need to track. However, if the sponsor needs a receipt or record of the transaction (for tax or other purposes), the money WILL need to go through the Foundation.
  
 +
To avoid the appearance of impropriety, direct all potential donors to the Donate button on your chapter wiki page or to an approved third party processor.
  
 
==Charging for Events==
 
==Charging for Events==
It is against OWASP’s core values and principles to charge people to attend chapter meetings. A chapter may decide to charge for a training, one-day speaker event, or local conference though. If your chapter is charging a fee for training, event, or conference, the registration should go through RegOnline.
+
It is against OWASP’s core values and principles to charge people to attend chapter meetings. However, a chapter may decide to charge for a training, or local conference. If your chapter is charging a fee for training, event, or conference, the registration must go through the Foundation’s account on your chosen registration platform.  Learn more by using the [http://sl.owasp.org/contactus Contact Us form].  
  
Any event that charges an admission fee, or requires more than $1000 foundation funds must be submitted to the [https://ocms.owasp.org OCMS System] and approved by the [[Global Conferences Committee]]. Should you feel that your event should be managed by the [[Global Chapter Committee]] instead of the [[Global Conferences Committee]] please submit an email to the chairs of '''both''' the Chapters and Conferences Committees with your rationale for consideration of an exception.
+
Any event that charges an admission fee or requires more than $1000 foundation funds must be submitted to the [https://ocms.owasp.org/ OCMS System] and approved by the [[About The Open Web Application Security Project|Executive Director]].  To host an event, please read the [[How to Host a Conference]] page.
  
 
==Insurance==
 
==Insurance==
The OWASP Foundation carries insurance coverage that is sufficient for most meetings. If you need a certificate of insurance or have additional questions about insurance, please submit your request through http://sl.owasp.org/contactus.  
+
The OWASP Foundation carries insurance coverage that is sufficient for most meetings. If you need a certificate of insurance or have additional questions about insurance, please submit your request through the [http://sl.owasp.org/contactus Contact Us] form.  
  
  
 
==(Signing) Contracts==
 
==(Signing) Contracts==
Chapter leaders are not authorized to sign contracts or enter into any legal agreements on behalf of the OWASP Foundation. If a signed contract is needed to guarantee your meeting venue or another service you would like for your chapter, please contact us for approval.
+
Chapter leaders are not authorized to sign contracts or enter into any legal agreements on behalf of the OWASP Foundation. If a signed contract is needed to guarantee your meeting venue or another service you would like for your chapter, please [http://sl.owasp.org/contactus contact us] for approval.
  
 
[[Category:Chapter_Handbook]]
 
[[Category:Chapter_Handbook]]

Latest revision as of 00:58, 7 July 2019

Owasp.org Email Accounts

Owasp.org email accounts are provided for paid OWASP members, Chapter Leaders, and Project Leaders. If you do not have one and fall into one of these categories, submit your request through the contact us form.

It is recommended that chapter leaders use their owasp.org email account for all OWASP related matters. There are a number of reasons for this including: a separation between your contributions for OWASP and other volunteer or paid work you may do, eliminating the appearance of conflict of interest (by using a work email address for OWASP matters), and protecting your personal privacy. The email address of chapter leaders is listed both on the chapter wiki page (a means of contact) as well as the administrator of the chapter mailing list. Using an owasp.org email address prevents your personal email address from being listed on a public site.

Your OWASP email account is also linked to your Google Drive account.  You can use it to access or build community documents as needed.

OWASP Wiki

Maintaining the website is the most basic aspect of promoting an OWASP chapter. This is the place where people will be directed when looking at our list of meeting locations by geographic region, and it is one of the main ways for prospective members or sponsors to find your chapter.

Part of holding free and open chapter meetings is making the information about your meetings (time and place) freely available and accessible. Therefore it is imperative that the information is posted on your wiki page as soon as the meeting is set. People must not be required to pay or sign up for a service to learn about your meetings.

The local chapter wiki page must include at least:

  • Information about the chapter leadership, including best way to contact.
  • Link to the chapter’s mailing list.
  • Information about future and historical events.
  • The presentations given in past meetings.

Other promotional services such as LinkedIn, Facebook, Twitter, Ning, Meetup, etc. are useful to inform people about your local chapter and its activities; however, the OWASP Chapter Wiki Page must be the authoritative information source at all times. Some services will have an official alternative. One example of this is MeetUp Pro, which has an API that will allow you to mirror the meeting information you post on your MeetUp Pro account to your wiki page and the OWASP Events Calendar (Coming 2017).

If you have not already created a user account on our wiki site to edit your chapter's wiki page, please do so.

To ensure uniformity and ease of reading on the wiki, OWASP has a set of guidelines for designing your wiki page. Tips on wiki markup/editing can be found here: http://www.mediawiki.org/wiki/Help:Editing_pages#Edit_Summary and http://www.mediawiki.org/wiki/Help:Formatting. You can copy and paste the wiki code for the chapter template.

Local Domain Names

Many leaders wish to purchase a local domain name for their OWASP chapter, and this domain should point to the chapter web page on the wiki and vice versa. It is important to note that the OWASP wiki is the only website that ensures OWASP values and principles.

A few countries (such as China) have not been able to access the wiki and therefore the local domain name is used as the main source of information about OWASP for the country. If an exception is permitted, every effort must be made to announce changes to leadership and upcoming meetings on the chapter wiki page so that the global site information is up to date.  If all else fails, you can do this by submitting a case through the Contact Us form.

Chapter leaders are free to register local domain names and submit the expense for reimbursement from their chapter’s account. To maintain brand cohesion, all domain names must be “OWASP [Chapter location]”. If additional paperwork or authorization is needed for the registration, submit your request through the Contact Us form. You must notify the Foundation through this same form if you have registered the name to help us keep track of what domain names have been purchased by OWASP.

Mailing Lists

The chapter mailing list should be used to inform list members about local OWASP activities. In addition to chapter meetings, which should all be posted to the list, many chapters use their list as a way to communicate information about upcoming security events, projects the chapter is working on, or AppSec-related issues.

Chapter leaders will be given the administrative password for their chapter mailing list and will be responsible for moderation of the list. If additional moderators need to be added to your list, please feel free to add them as needed. Should a post need to be moderated, you will receive an email from your list requesting approval.

When a person is listed as an administrator of a mailing list they will receive all email sent to the OWASP leader's list. Please add all (additional) chapter leaders to the administrative area on the mailing list so that they will receive timely communication from the community.

Some other suggestions:

  • It is frowned upon by the OWASP Community to “spam” OWASP mailing lists regarding conferences in other regions. For example, it would be inappropriate for someone hosting a non-OWASP conference in India to send emails to multiple mailing lists outside of India.
  • The best way to prevent “spam” from your chapter’s mailing list is to enable list moderation. This can be done by logging into the mailing list administrative interface and clicking on “Privacy Options” and “Sender filter.” There are options for moderating posts by both mailing list subscribers and nonsubscribers.
  • The subject of posting job leads to a chapter’s mailing list is handled differently by each chapter. Some chapters encourage it as long as the jobs are local and security related, others frown upon it, instead encouraging the people hiring to stand up and promote their openings in person at the chapter meetings.
    • For discussion details: see “[Owasp-leaders] Job Leads on Chapter Mailing Lists?”
    • OWASP has a Jobs Board on LinkedIn. OWASP does not endorse commercial products or services and provides this listing for the benefit of the community. If you have additional questions or would like to post a job opening to this page visit our LinkedIn Jobs page.

Social Media

Similar to the OWASP chapter mailing lists, social media under the “OWASP” Chapter name should be used to inform subscribers about OWASP activities as well as communicate information about upcoming security events, projects the chapter is working on, or other appsec-related issues. Social media used under the OWASP chapter name must abide by the OWASP Principles and Code of Ethics. Additionally, anyone who posts or moderates OWASP branded social media must sign and abide by the Social Media Agreement.

While the chapter leader or member that sets up the account will hold the password and be the official “owner” of the account, share this account login information with other members of the leadership team and with the Foundation. When new leadership takes over, the information must be handed over to the new leader(s).

Note that the chapter page on the OWASP wiki is the official representation of the chapter. Therefore, communication on social media platforms complements rather than replaces the wiki page. Chapter members cannot be required to sign up for any social media account to get access to meeting notices. Do keep any new event or activity announcements up to date on the wiki page, per section 4.2. It is important that any social media platform the chapter uses be openly accessible, regularly maintained and updated with accurate information. Should the chapter choose to leave a platform, it should close the social media account and alert the Foundation using the Contact Us form.


Ideas for social media platforms used by current OWASP chapters (it is not necessary for each chapter to have an account with each of these platforms -- choose the forum that will be best for your geographic area and audience):

If the chapter opens an account on a service that the Foundation also uses, it is advisable that the chapter follow the Foundation account.

Organizing Your Contacts

It is recommended that each Chapter have a central database (you have access to the tools to maintain this in your force portal) in which to organize their contacts and other important information. This can be a comprehensive list of mailing list subscribers, LinkedIn group members, local affiliations (and point of contact within the organization), and sponsors (past, current, future). This will not only help when it is time to pass chapter management onto a new person, but also with direct mailings (which often generate more results than “list” mailings) and finding future venues, sponsors, or even speakers. See also “Recruiting List Members.”

When using the contact database, remember to abide by our privacy rule. Member contact lists may not be distributed outside of chapter leadership.

Handling Money

Chapter funds should be used for your chapter and must be spent in line with the OWASP Foundation purpose, goals, principles, and code of ethics. Accordingly, chapter finances should be handled in a transparent manner as described in Chapter 2.

A chapter should have a treasurer who is in charge of money. This person can be (and often is) the leader. His/her name should be communicated to the Community Manager so we can update our official records. Some key guidelines about managing your chapter budget:

  • Any Chapter which has a $0 or low bank account can ask for a grant. The funding request must include specifically what you wish to spend the money on. Any amount in your chapter account will first be subtracted from the request. For example, if you ask for $100 to pay for refreshments but have $40 in your account, we may give you a grant of $60. Needing a grant does not guarantee the OWASP Foundation will provide a grant. Pre-approval is required to ensure an expense is covered, especially if there's a chance of it exceeding a chapter's total funds.
  • Any Chapter with more than $5000 at the end of the year must submit a budget for the use of these monies or risk the surplus being put in the general outreach fund.
  • Some ways of using funds require prior approval (see below).
  • All discussions about using funds, requests for funds, and budgets must be linked to transparently on the chapter wiki or in the chapter list archives.
  • Chapters have the right to ask for large budget items from the board during the annual budget creation (Prior to November first) (see below).

Spending Guidelines

For the following common expenses, if the expenditure is under $500, Chapter Leaders can consider their purchase “white-listed” for reimbursement out of the chapter’s account, provided that the chapter has the necessary funds in its account:

    • Meeting venue rental
    • Refreshments for a meeting
    • Promotion of a meeting
    • OWASP Merchandise

If, however, the expense does not fall under one of the above categories or is greater than $500, a second signer (another chapter leader or board member) must sign off on the purchase. While travel for speakers is a common expense and may fall under $500, some chapters still prefer to have a second signer to avoid the appearance of conflict of interest. Similarly, a donation of money out of the chapter’s account back to the Foundation requires a second signer. The exact details of the reimbursement process can be found under Reimbursement Process Details.

From an administrative perspective, OWASP has a responsibility to show its supporters that their donations (via members, sponsorship or other) are being used properly - in support of the OWASP mission. Visit the OWASP Funding page under "Additional Resources" to see your chapter's current funding balance.

Exceptions to the guidelines can be brought to the Staff for potential approval and tracking.

Additional Expense Policies

A chapter is free to adopt any additional procedure for authorizing expenses as long as it is also authorized by the treasurer (or leader) and documented on the wiki with all other chapter specific policies. The treasurer (or leader) must, in addition to any bookkeeping required by local authorities, keep a list of expenses made. This list should be made public on the wiki with the budget.


Reimbursement Process

The recommended process for paying for chapter-related expenses is to pay for the expense out of pocket and submit the receipt through the OWASP reimbursement request form to get your money back. This is a standardized reimbursement procedure for OWASP. When your request is submitted, an authorization request will be sent to the appropriate chapter leaders for approval. You will not receive your reimbursement until the approval has been received.

In case of doubt if an expense is in line with the OWASP principles, get advice from the Community Manager.

Chapter Budgets

Sample Budget Template

Chapters do not hold their own money; it is held in trust for them by the OWASP Foundation. Chapters can track their balances using the Chapter funding totals provided on the OWASP Funding page and write a budget for the use of funds where desired. However, all chapters with more than $5,000 in their account by October 1st must submit a budget prior to November 1 for inclusion in the Foundation budget for the following calendar year. The budget should identify how they plan to spend the money in their account over the course of the next year. A future projection budget can be included as well for forecasted spending within the next 2 years. Unbudgeted funds may be diverted to other chapters, or Community Engagement Funding accounts, if the chapter cannot be contacted or a budget is not received prior to January 1.

Separate from the aforementioned budgeting process for chapter and project accounts, any OWASP Leader can create a budget and provide it to the OWASP Board prior to November 1 for inclusion in the Foundation budget planning process. The budget will be reviewed by the Executive Director and Board and, if approved, incorporated into the overall OWASP Foundation budget for the following year. This would effectively set aside the funds to use at the appropriate period of time, in the future, with no further approvals necessary. Money that is budgeted in this manner, that wasn’t spent during the calendar year, would be returned back to the OWASP Foundation general funds.

Money not Tracked by the Foundation

Chapter leaders cannot accept finances/funds through their own bank accounts. OWASP Foundation (US) and OWASP Inc. (Europe) have been created for the purpose of handling funds. Other countries have hired third party companies to handle their finances. If OWASP funds will be handled by a third party, notify the OWASP Foundation in advance to make sure any necessary paperwork is completed.

If a sponsor pays a vendor directly (for signage, food, venue, etc.), then this is a transaction that the Foundation does not need to track. However, if the sponsor needs a receipt or record of the transaction (for tax or other purposes), the money WILL need to go through the Foundation.

To avoid the appearance of impropriety, direct all potential donors to the Donate button on your chapter wiki page or to an approved third party processor.

Charging for Events

It is against OWASP’s core values and principles to charge people to attend chapter meetings. However, a chapter may decide to charge for a training or local conference. If your chapter is charging a fee for training, event, or conference, the registration must go through the Foundation’s account on your chosen registration platform. Learn more by using the Contact Us form.

Any event that charges an admission fee or requires more than $1000 foundation funds must be submitted to the OCMS System and approved by the Executive Director.  To host an event, please read the How to Host a Conference page.

Insurance

The OWASP Foundation carries insurance coverage that is sufficient for most meetings. If you need a certificate of insurance or have additional questions about insurance, please submit your request through the Contact Us form.


(Signing) Contracts

Chapter leaders are not authorized to sign contracts or enter into any legal agreements on behalf of the OWASP Foundation. If a signed contract is needed to guarantee your meeting venue or another service you would like for your chapter, please contact us for approval.