Monday, October 13, 2014

Report of complaint against OWASP Board members

Community Update:  OWASP Complaint & Resolution per Whistle Blower Policy

October 10, 2014. Early this year a complaint was filed against several members of the
OWASP board by a former OWASP employee. The complaint was raised internally in April
2014, and an official complaint was also filed with the Arizona EEOC in June 2014.

Purpose: The purpose of this update is to provide the OWASP community with transparency
about this issue, to summarize the actions taken by the OWASP Compliance Officer and Board
of Directors, and to demonstrate our commitment to our Code of Conduct and Whistle Blower
Policy and our respect for the privacy concerns of all members of our community.

Summary of Complaint & Resolution:

The complaint cited several concerns including:
Issue 1: Complaint against a single Board member for breach of the OWASP Code of Conduct.

Issue 2: Complaint against the OWASP Foundation for discrimination based on sex and national origin.
This was later filed with the Arizona EEOC (Equal Employment Opportunity Commission).

Issue 3: Complaint against 3 individual Board members for discrimination due to sex or
national origin, and a complaint against 1 of those for misuse of OWASP funds.

OWASP Investigation Process
OWASP has established several policies to handle situations like this, including a whistleblower
policy, a privacy policy, an anti-retaliation policy and a code of conduct. The role of the
Compliance Officer is to objectively investigate the issue, reach out to all parties involved,
create a statement of facts and provide this report to the board. The board reviews this
confidential information and then makes a determination of action. Additional information on the
OWASP policies can be found here.

During the investigation the Compliance Officer interviewed each of the people named in the
complaint (listed below), the foundation employee in charge of accounting and bookkeeping,
and the chairman of the board.

The former OWASP employee who made the claim declined to be interviewed or provide any
additional information or evidence beyond the original accusations.

These claims were handled in several parallel processes. First, per standard human resource
policies and the OWASP whistleblower policy these claims were reviewed by OWASP. Second,
the OWASP legal counsel was notified and asked to investigate the nature of the complaint to
protect the privacy of the individual as well as individual Board members. 

Since several Board members were named in the complaint, the OWASP Compliance Officer
was assigned the task of interviewing all concerned parties and providing a neutral, third-party
report based on those interviews. Also, legal counsel was asked to prepare for discussions with
the Arizona EEOC. Legal counsel was asked for recommendations concerning the complaint against the Foundation, as well as against individual Board Members of OWASP, based on evidence they gained from interviews and research.

Resolution by Claim
1.  The claim against 1 Board member for breach of the OWASP code of conduct was
determined to be valid. Disparaging remarks against an OWASP employee were made
on a public forum. The Board member has apologized on the public forum.

Outcome - The OWASP Compliance Officer has reviewed this situation and
believes no further action is necessary against the individual Board Member. The
violation of the code of conduct has been recorded and a public apology was
issued. It has also been noted that any future violations of the code of conduct
would require an escalation in response.

2.  The claim filed with the Arizona EEOC against the OWASP Foundation for discrimination
was declined because OWASP employs fewer than the required number of employees
covered by the statutes.
Interviews and investigation by the OWASP Compliance Officer determined the claim to
be unfounded due to lack of evidence and witnesses.

3.  The claim against 3 Board members for discrimination and against 1 Board Member for
misuse of OWASP funds was determined to be unfounded. No evidence was brought
forward to validate the complaints of the claimant.

The OWASP Board has recognized the seriousness of the accusations. Therefore, to ensure
that all OWASP board members are acutely aware of their responsibilities and expectations
when dealing with members of the OWASP staff, community or the public, the board has agreed
that all OWASP board members will complete annual anti-harassment training. This will be
required of all board members starting with the 2015 board.

In summary, there is no outstanding or ongoing legal activity against OWASP related to these
events. The Compliance Officer noted that during the early stages of this complaint, the
OWASP Board operated in a fragmentary and occasionally unprofessional manner. Additional
training for Board members on Human Resource practice and policy is scheduled to help
eliminate this problem going forward. The balance of this document describes the detailed findings
of our independent Compliance Officer and is intended to provide transparency and bring
closure to this issue for our community.

Detailed Report on the Nature of the Complaint and Results of Compliance Officer
Investigations:

Claim of inappropriate public review of staff performance, violating the Board Code of Conduct
Investigation confirmed that Jim Manico did violate the Board Code of Conduct, section Board
Conduct with Foundation Staff that states: 

Never publicly criticize an individual employee - Board should never express concerns
about the performance of a Foundation employee in public. Comments about staff
performance should only be made to the Executive Director through private
correspondence or conversation. 

Jim violated this code of conduct when he sent emails to a public mailing list in March 2014 that
criticized the employee's performance (Thread: OWASP Project Manager Report: March 28, 2014). Board
leadership reminded Jim of his obligations under the Code of Conduct. On April 4th, Jim
publicly apologized for these comments on the same public mailing list.

Outcome: The board agrees with the assessment of the Compliance Officer, and Jim sincerely
regrets having made the comment. The violation of the code of conduct has been recorded and
a public apology was issued. No further action is necessary. It has also been noted that any
future violations of the code of conduct would require an escalation in response.

Claim of discrimination, that negative actions and retaliation were taken due to the employee's gender and
national origin

Claimed against Jim Manico, Eoin Keary and Josh Sokol, both individually and as
representatives of the OWASP Foundation. An EEOC complaint was filed with the State of
Arizona on June 5, 2014. On September 5, 2014 the EEOC complaint was closed with the
status “The Respondent employs less than the required number of employees or is not
otherwise covered by the statutes.”

Although the EEOC closed the complaint, the Compliance Officer was nevertheless requested to
investigate this claim. The Compliance Officer's investigation of all available information and
interviews did not reveal any actions of retaliation or any actions relating to gender or national
origin, and confirmed that the claim was unfounded due to lack of evidence or witnesses.
Outcome: Claim was unfounded, no action necessary.

Complaint against 3 individual Board members for discrimination due to sex or national origin,
and a complaint against 1 of those for misuse of OWASP funds.

This complaint was made via email on a public OWASP mailing list and is broken down
into 3 separate claims:

  • Issue 1:  Claim of breach of Code of Conduct and inappropriate sexual comments by Jim Manico.
Investigation by the Compliance Officer found that the claimed sexual comment was part of a
verbal conversation that took place between both parties in a public setting, at an evening
cocktail party, with others present.
As noted above, the former OWASP employee declined to provide additional information other
than the claimed inappropriate comment. As a result, the claim of verbal sexual harassment
cannot be judged properly unless both parties state the context of the occasion of the
statement and what preceded it that evening.

Outcome: To ensure that all OWASP board members are acutely aware of their responsibilities
and expectations when dealing with members of the operations team, OWASP community and
the public, the board has agreed that all OWASP board members will complete annual
anti-harassment training. This will be required of all board members starting with the 2015 board.
This training requirement is in addition to all current required onboarding activities listed here.

  • Issue 2: Discrimination against the former employee due to the employee's sex or national origin, or retaliation, by Josh Sokol, Jim Manico and Eoin Keary.
The Compliance Officer investigated the claims of discrimination by interviewing the
involved parties, reviewing conversations between the employee and the accused Board
members, and interviewing OWASP members who have worked with the accused Board members.

As noted above, the former OWASP employee declined to provide additional information other
than the claimed discrimination. As a result, it is not possible to validate the reasons why the
former employee felt discriminated against, or any specific actions of discrimination by the accused
board members.

Outcome: There has been no proof of any discrimination by the accused OWASP board
members towards the employee.

  • Issue 3:  Claim of financial mismanagement of OWASP funds against Eoin Keary.
Investigation by the Compliance Officer into access to funds and the actual use of those funds
confirmed that this claim was unfounded. Interviews with the involved parties show the
complaint was based on a misunderstanding of OWASP financial policy by the claimant.
Eoin Keary does not have access to any of the financial systems, and OWASP Foundation
funds are only accessible to the OWASP President, Treasurer, Executive Director and Bookkeeper.
A two-person, two-step approval process is required for the release of payments.

Outcome: This claim has proven unfounded. There has been no indication or proof that Eoin
tried to circumvent or bypass the process described above, nor of any other financial mismanagement
on his side.
