Chapter SOPs for the Denver Chapter

Communication SOPs

Publish meetings:

1. Chapter Mailing List (Denver and Boulder) REMEMBER: you must be a member of the lists else your notice will bounce AND someone will need to login to approve the message to be released to the list)
2. Wiki
3. via twitter @OWASP303
4. via Linked-In - create a Linked In event and also publish it in the "what's happening" section
5. via Facebook Denver OWASP
6. via GarysGuide

Quick list of ways for people to be informed about Chapter activities

• Follow @owasp303 on twitter
• Join the OWASP Denver group on Linked In http://www.linkedin.com/groups?gid=4221171
• Follow Denver OWASP on Facebook http://www.facebook.com/pages/Denver-Owasp/204248512996254?sk=wall
• Subscribe to the mailing list via self-service here: https://lists.owasp.org/mailman/listinfo/owasp-denver

(Boulder list is here: https://lists.owasp.org/mailman/listinfo/owasp-boulder )

Chapter Leader SOPs

Annual Tasks

1. Have at least one planning meeting with the Chapter and the Board. At a minimum, decide which months you intend to meet. Monthly is pretty aggressive, but 8 times over the course of the year is pretty dang respectable
2. Plan to present on current OWASP Projects. 1st or 2nd meeting of the year is good. Encourage participation, and try to leverage headlines. Solicit ideas for other projects and if appropriate, promote the new Chapter Project locally, with Chapter Sponsor (if any), and with the OWASP Board.
3. Plan to solicit a Chapter Sponsor. A company who contributes thousands of dollars for an annual sponsorship provides a LOT of flexibility in terms of scheduling speakers, SnowFROC logistics, etc
4. Plan to meet with your peers at ISSA, ISACA, and SQuAD meetings
5. Find or be the volunteer to honcho SnowFROC
6. Prepare and handoff to a worthy successor. It is tremendously difficult to find someone with the right combination of availability, integrity, common sense, and passion. It's even harder to tell the 2nd-best person that it's not their turn. It's really, really easy to hold an election and wash your hands of it, but it's painful if the election is stacked and a vendor/vendor rep wins and completely sucks forever. A bad leader will compromise the Chapter for years. Choose wisely.

Quarterly Tasks

1. Try to assemble the Board for coffee, lunch, beer, whatever. Get on the same page and brainstorm for the future. Have a candid conversation about what needs improvement and/or what worked so well it should be repeated. Have someone take and publish notes.
2. Try to do at least one Outreach event - go on-site to do Developer Security Orientation at an organization, give a preso at ISSA/ISACA/SQuAD, get a meeting covered by the local TV News station, whatever
3. Check for changes to OWASP policies or the Chapter Leaders' Handbook
4. Update your OWASP Projects Preso
5. See if you can budget time to attend the next major OWASP Con

Monthly Tasks

1. Get a speaker
2. Get a host
3. Get a sponsor
4. Announce/publish per the Communications SOP above

Weekly Tasks

1. Check for new members pending on the Linked In group
2. Eyeball Twitter and re-tweet relevant stuff

Ongoing Tasks

1. Be the Ambassador for the Chapter.
2. Promote the CONCEPT of Secure Coding and the Chapter.
3. Have a preso immediately available in case the Speaker falls through, and encourage your Board to do the same
4. Have a preso ready for Community Outreach. Some organizations want OWASP to come on-site to educate their users, developers, etc. YOU are probably the person going on-site.
5. Locate a host or facility for the meetings. Have a backup plan. Note that for 2012, average RSVP count was ~50 and average actual attendance was ~40
6. Monitor the OWASP Leaders mailing list and make noise if the Organization's headed somewhere that will be detrimental to the Chapter. Learn from others on the list.

Cat-herding Tips

Locally it's an all-volunteer organization, and as of 20121019 there are only 4 people on the whole planet who get paychecks from OWASP. Everyone else already has a day-job, and if OWASP isn't fun then only masochists will show up. At that point it won't be fun for you either (unless YOU'RE a masochist). It's going to take a lot of work to coordinate schedules. It's going to feel a lot like chaos. Here are some principles that will help keep the Team moving forward in the midst of chaos:

1. Let your Team know what's going on. This includes ensuring that they get as much advance notice as possible if you know you're not going to be available for a meeting etc
2. Try to stay current. You don't need to be the expert but it sure helps if you are at least able to cite recent examples of attacks against the OWASP Top 10 or WASC Top Whatever
3. Know your limits - technical, inter-personal, and in terms of the time available to commit. BEFORE you exceed your limits, consider asking your Boardmembers for a hand.
4. MAKE TIME to LEARN during meetings. It's very easy to get wrapped up in meeting logistics and/or chapter business during a preso. Try to set all that aside and LEARN.
5. Get to know your Board, your Chapter Members, regional Chapters, and other regional ITSec organizations, and try to keep their interests (and needs) in mind.
6. Set the example. Bring a Developer, bring a Tester, bring someone new to meetings. Pay to BE an OWASP member. BE PATIENT with nubes, especially Developers.
7. Ensure that roles and tasks are understood and that you followup as appropriate to help ensure accomplishment
8. Try to foster a team environment - including the Board, the Chapter, other Chapters (particularly on the Front Range), and other organizations (such as ISACA). Let the old-timers help the nubes. Denver InfoSec is a SMALL community, so building a team helps ensure that if the chips are down, true benefit can be derived from OWASP participation simply through leveraging connections of the "team."
9. Make the call. Lots of stuff is OK to defer to committee. Some stuff isn't. Typical decisions involve meeting cancellations, SnowFROC logistics/planning/delegation/scoping, sponsor selection, etc. Think it through, ask for suggestions, but do NOT waffle - make a call and let the Team move forward.
10. Foster ownership. The Board should feel that they've got substantial ownership in the success of the Chapter, and members and attendees should feel it's THEIR Chapter. If you get hit by a bus, the Chapter should be able to continue its mission - education and outreach
11. Recognize what you can and can't do given your team, the time available, and the scope of the task. It is very, very difficult to estimate the amount of planning, labor, politics, and TIME to get something done. Go for the win, but don't be afraid to look people in the eye and ask "will YOU be on-point for this task and BRING IT HOME or are you just another guy with great ideas and no time to actually execute?" Be more tactful than that, but recognize that EVERYONE's got GREAT ideas but only FEW people have the TIME and COMMITMENT to DELIVER. Nothing to take personally - it's just the nature of volunteer organizations. The best idea in the world SUX if it costs you your day job.
12. The buck stops with you. Delegate to the extent that you can, but recognize that YOU are the face of the Chapter and ultimately responsible for its success or failure. No pressure, but keep this in mind when you're looking for your replacement.

Return to Denver OWASP main page