
Difference between revisions of "Transparency Policy"

m (cleanup of links)
(Added the whistleblower exception)
Line 42: Line 42:
 
| Information pertaining to legal action, or pending legal action
 
| Information pertaining to legal action, or pending legal action
 
| Restricted to just staff and BoD members with a legitimate need to access information.  Must never be disclosed publicly either before, during, or after the legal action unless permitted by legal counsel.
 
| Restricted to just staff and BoD members with a legitimate need to access information.  Must never be disclosed publicly either before, during, or after the legal action unless permitted by legal counsel.
 +
|-
 +
| Information pertaining to a whistlerblower complaint, ethics complaint, or similar, including the allegation, the investigation, and the outcome. 
 +
| Restricted to just the Compliance officer, BoD members, Executive Director, and select staff when required.  Must never be disclosed publicly either before, during, or after the processing of the complaint via the [https://www.owasp.org/index.php/Governance/Whistleblower_Policy Whistlerblower policy].  Should the complaint be made public, then the Board of Directors may choose which information, if any, to release based on the situation and the best interest of the organization.
 
|}
 
|}
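Review bot: the added row (between `|-` and the closing `|}`) misspells "whistleblower" as "whistlerblower" twice, once in the first cell ("a whistlerblower complaint") and once in the link label of the second cell; both should read "whistleblower", e.g. `via the [https://www.owasp.org/index.php/Governance/Whistleblower_Policy Whistleblower policy]`. The link target itself is already spelled correctly, so only the display text needs the fix. The row also does not say which of the policy's numbered restriction levels it falls under, while "select staff when required" broadens the audience beyond the Executive Director, Compliance Officer and Board; consider stating the level explicitly so the exclusion is checkable against the list above it.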
  

Revision as of 14:47, 19 June 2014

Transparency Policy

Policy Status

WORKING DRAFT - this is a working draft being discussed on the Governance List. When completed, it will be presented to the Board of Directors for adoption. Once accepted, this notice will be updated to reflect that the policy is binding on members.

"O" is for Open: An introduction

The "O" in OWASP is for "Open" - Section 1.03 of the OWASP Bylaws defines the value "Open" to mean:

"Everything at OWASP is radically transparent from our finances to our code."

This raises the question: what does "radically transparent" mean? Is there anything that cannot be disclosed to the membership and/or the public?

This policy defines what is not allowed to be disclosed, either because of legal, ethical, or privacy obligations.

Radical Transparency

OWASP is committed to making its governance, processes, and finances transparent, so that any outside observer can determine how decisions were considered and ultimately agreed upon. When and where possible, OWASP must provide transparency.

There are, however, certain areas where transparency cannot be provided, because it would violate a law, be unethical, or go against an expectation of privacy. The rule of thumb is that all information defaults to public; where it must be restricted, the mandate is still to make it available as widely as possible.

Levels of information restriction:

  1. Public (most open)
  2. All OWASP members, staff, Board of Directors
  3. Some members and/or staff, Board of Directors
  4. Executive Director, Compliance Officer, Board of Directors
  5. Executive Director, Board of Directors
  6. Board of Directors (most restricted)

Exclusions from Radical Transparency

This section enumerates situations where OWASP cannot provide transparency. The list is not exhaustive; when a future situation raises a question about transparency, it should be used as a guide.

Exclusion: Staff records as maintained for Human Resources purposes
Notes: Restricted to just staff and BoD members with a legitimate need to access records. Must never be disclosed unless permission is given by the staff member that the record pertains to.

Exclusion: Information pertaining to legal action, or pending legal action
Notes: Restricted to just staff and BoD members with a legitimate need to access information. Must never be disclosed publicly either before, during, or after the legal action unless permitted by legal counsel.

Exclusion: Information pertaining to a whistleblower complaint, ethics complaint, or similar, including the allegation, the investigation, and the outcome
Notes: Restricted to just the Compliance Officer, BoD members, Executive Director, and select staff when required. Must never be disclosed publicly either before, during, or after the processing of the complaint via the Whistleblower Policy. Should the complaint be made public, the Board of Directors may choose which information, if any, to release based on the situation and the best interest of the organization.

Policy Violations

All members must comply with this policy; those who do not will be subject to disciplinary action, including the possibility of suspension or revocation of membership, exclusion from OWASP events and email lists, or other such action as determined.