Chapter Handbook/Chapter 4: Chapter Administration

Owasp.org Email Accounts
Owasp.org email accounts are provided for paid OWASP members, Chapter Leaders, and Project Leaders. If you do not have one and fall into one of these categories, submit your request through the contact us form.

It is recommended that chapter leaders use their owasp.org email account for all OWASP related matters. There are a number of reasons for this including: a separation between your contributions for OWASP and other volunteer or paid work you may do, eliminating the appearance of conflict of interest (by using a work email address for OWASP matters), and protecting your personal privacy. The email address of chapter leaders is listed both on the chapter wiki page (a means of contact) as well as the administrator of the chapter mailing list. Using an owasp.org email address prevents your personal email address from being listed on a public site.

Your OWASP email account is also linked to your Google Drive account. You can use it to access or build community documents as needed.

OWASP Wiki
Maintaining the website is the most basic aspect of promoting an OWASP chapter. This is the place where people will be directed when looking at our list of meeting locations by geographic region: an d on e of t he m ai n wa ys f or prospective m em be rs or sponsors t o fi nd y ou r ch ap te r.

Part of holding free and open chapter meetings is making the information about your meetings (time and place) freely available and accessible. Therefore it is imperative that  the information is posted on your wiki page as soon as the meeting is set. People must not be required to pay or sign up for a service to learn about your meetings.

The local chapter wiki page must include at least: Other promotional services such as LinkedIn, Facebook, Twitter, Ning, Meetup, etc. are useful to inform people about your local chapter and its activities; however, the OWASP Chapter Wiki Page must be the authoritative information source at all times. Some services will have an official alternative. One example of this is MeetUp Pro which will has an api that will allow you to mirror the meeting information you post on your MeetUp Pro account to your wiki page and the OWASP Events Calendar (Coming 2017).
 * Information about the chapter leadership, including best way to contact.
 * Link to the chapter’s mailing list.
 * Information about future and historical events.
 * The presentations given in past meetings.

If you have not already created a user account on our wiki site to edit your chapter's wiki page, please do so.

To e ns ur e un if or mi ty a nd e as e of r ea di ng o n th e wi ki, OWASP ha s a se t of guidelines f or d es ig ni ng y ou r wi ki p ag e.  Tips on wiki markup/editing can be found here: http://www.mediawiki.org/wiki/Help:Editing_pages#Edit_Summary and http://www.mediawiki.org/wiki/Help:FormattingYou can copy and paste the wiki code for the chapter template.

Local Domain Names
Many leaders wish to purchase a local domain name for their OWASP chapter, and this domain should point to the chapter web page on the wiki and vice versa. It is important to note that the OWASP wiki is the only website that ensures OWASP values and principles.

A few countries (such as China) have not been able to access the wiki and therefore the local domain name is used as the main source of information about OWASP for the country. If an exception is permitted, every effort must be made to announce changes to leadership and upcoming meetings on the chapter wiki page so that the global site information is up to date. If all else fails, you can do this by submitting a case through the Contact Us form.

Chapter leaders are free to register local domain names and submit the expense for reimbursement from their chapter’s account. To maintain brand cohesion all domain names must be “OWASP [Chapter location]”   If additional paperwork or authorization is needed for the registration, submit your request to through the Contact Us form. You must notify the Foundation through this same form if you have registered the name to help us keep track of what domain names have been purchased by OWASP.

Mailing Lists
The chapter mailing list should be used to inform list members about local OWASP activities. In addition to chapter meetings, which should all be posted to the list, many chapters use their list as a way to communicate information about upcoming security events, projects the chapter is working on, or AppSec-related issues

Chapter leaders will be given the administrative password for their chapter mailing list and will be responsible for moderation of the list. If additional moderators need to be added to your list, please feel free to add them as needed. Should a post need to be moderated, you will receive an email from your list requesting approval.

When a person is listed as an administrator of a mailing list they will receive all email sent to the OWASP leader's list. Please add all (additional) chapter leaders to the administrative area on the mailing list so that they will receive timely communication from the community.

Some other suggestions:
 * It is frowned upon by the OWASP Community to “spam” OWASP mailing lists regarding conferences in other regions. For example, it would be inappropriate for someone hosting a non-OWASP conference in India to send emails to multiple mailing lists outside of India.


 * The best way to prevent “spam” from your chapter’s mailing list is to enable list moderation. This can be done by logging into the mailing list administrative interface and clicking on “Privacy Options” and “Sender filter.” There are options for moderating posts by both mailing list subscribers and nonsubscribers.


 * The subject of posting job leads to a chapter’s mailing list is handled differently by each chapter. Some chapters encourage it as long as the jobs are local and security related, others frown upon it, instead encouraging the people hiring to stand up and promote their openings in person at the chapter meetings.
 * For discussion details: see “[Owasp-leaders Job Leads on Chapter Mailing Lists? ]”
 * OWASP has a Jobs Board on LinkedIn. OWASP does not endorse commercial products or services and provides this listing for the benefit of the community. If you have additional questions or would like to post a job opening to this page visit our LinkedIn Jobs page.

Social Media
Similar to the OWASP chapter mailing lists, social media under the “OWASP” Chapter name should be used to inform subscribers about OWASP activities as well as communicate information about upcoming security events, projects the chapter is working on, or other appsec-related issues. Social media used under the OWASP chapter name, must abide by the OWASP Principles and Code of Ethics. Additionally, anyone who posts or moderates OWASP branded social media must sign and abide by the Social Media Agreement.

While the chapter leader or member that sets up the account will hold the password and be the official “owner” of the account,  this account login information with other members of the leadership team and with the Foundation. When new leadership takes over, the information must be handed over to the new leader(s).

Note that, the chapter page on the OWASP wiki is the official representation of the chapter. Therefore, communication on social media platforms complement rather than replace the wiki page. Chapter members cannot be required to sign up for any social media account to get access to meeting notices. Do keep any new event or activity announcements up to date on the wiki page, per section 4.2. It is important that any social media platform the chapter uses be openly accessible, regularly maintained and updated with accurate information. Should the chapter choose to leave a platform, it should close the social media account and alert the Foundation using the Contact Us form.

Ideas for social media platforms used by current OWASP chapters (it is not necessary for each chapter to have an account with each of these platforms -- choose the forum that will be best for your geographic area and audience): If the chapter opens an account on a service that the Foundation also uses, is advisable that the chapter follow the Foundation account.
 * Delicious
 * Digg
 * Eventbrite
 * Facebook
 * Flickr
 * LinkedIn
 * MeetUp
 * Twitter

Organizing Your Contacts
It is recommended that each chapter have a central database (you have access to the tools to maintain this in your force portal) in which to organize their contacts and other important information. This can be a comprehensive list of mailing list subscribers, LinkedIn group members, local affiliations (and point of contact within the organization), and sponsors (past, current, future). This will not only help when it is time to pass chapter management onto a new person, but also with direct mailings (which often generate more results than “list” mailings) and finding future venues, sponsors, or even speakers. See also t “Recruiting List Members.”

When using the contact database, remember to abide by our privacy rule. Member contact lists may not be distributed outside of chapter leadership.

Handling Money
Chapter funds should be used for your chapter and must be spent in line with the OWASP Foundation purpose, goals, principles, and code of ethics. Accordingly, chapter finances should be handled in a transparent manner as described in Chapter 2

A chapter should have a treasurer who is in charge of money. This person can be (and often is) the leader. His/her name should be communicated to the Community Manager so we can update our official records. Some key guidelines about managing your chapter budget:
 * Any Chapter which has a $0 or low bank account can ask for a grant.  The funding request must include specifically what you wish to spend the money on.  Any amount in your chapter account will first be subtracted from the request.  For example, if you ask for $100 to pay for refreshments but have $40 in your account, we may give you a grant of $60. Needing a grant does not guarantee the OWASP Foundation will provide a grant.  Pre-approval is required to ensure an expense is covered, especially if there's a chance of it exceeding a chapters's total funds.
 * Any Chapter with more than $5000 at the end of the year must submit a budget for the use of these monies or risk the surplus being put in the general outreach fund
 * Some ways of using funds require prior approval (see below).
 * All discussions about using funds, requests for funds, and budgets must be linked to transparently on the chapter wiki or in the chapter list archives.
 * Chapters have the right to ask for large budget items from the board during the annual budget creation (Prior to November first) (see below).

Spending Guidelines
For the following common expenses, if the expenditure is under $500, Chapter Leaders can consider their purchase “white-listed” for reimbursement out of the chapter’s account, provided that the chapter has the necessary funds in its account:
 * Meeting venue rental
 * Refreshments for a meeting
 * Promotion of a meeting
 * OWASP Merchandise

If, however, the expense does not fall under one of the above categories or is greater than $500, a second signer (another chapter leader or board member) must sign off on the purchase. While travel for speakers is a common expense and may fall under $500, some chapters still prefer to have a second signer to avoid the appearance of conflict of interest. . Similarly, a donation of money out of the chapter’s account back to the Foundation, requires a second signer.

From an administrative perspective, OWASP has a responsibility to show its supporters that their donations (via members, sponsorship or other) are being used properly - in support of the OWASP mission. Visit the OWASP Funding page under "Additional Resources" to see your chapter's current funding balance.

Exceptions to the guidelines can be brought to the Staff for potential approval and tracking.

Additional Expense Policies
A chapter is free to adopt any additional procedure for authorizing expenses as long as it is also authorized by the treasurer (or leader) and documented on the wiki with all other chapter specific policies. The treasurer (or leader) must, in addition to any bookkeeping required by local authorities, keep a list of expenses made. This list should be made public on the wiki with the budget.

Reimbursement Process
The recommended process for paying for chapter-related expenses is to pay for the expense out of pocket and submit the receipt through the OWASP reimbursement request form to get your money back. This is a standardized reimbursement procedure for OWASP. When your request is submitted, an authorization request will be send to the appropriate chapter leaders for approval. You will not receive your reimbursement until the approval has been received.

In case of doubt if an expense is in line with the OWASP principles, get advice from the Community Manager.

Chapter Budgets
Sample Budget Template

Chapters do not hold their own money, it is held in trust for them by the OWASP Foundation. However Chapters can track their balances using the Chapter funding totals provided on the OWASP Funding page and write a budget for use of funds where desired. However all chapters with more than $5,000 in their account by October 1st must submit a budget prior to November 1 for inclusion in the Foundation budget for the following calendar year. The budget should identify how they plan to spend the money in their account over the course of the next year. A future projection budget can be included as well for forecasted spending within the next 2 years. Unbudgeted funds may be diverted to other chapters, or Community Engagement Funding accounts if the chapter cannot be contacted or a budget is not received prior to January 1.

Separate from the aforementioned budgeting process for chapter and project accounts, any OWASP Leader can create a budget and provide it to the OWASP Board prior to November 1 for inclusion in the Foundation budget planning process. The budget will be reviewed by the Executive Director and Board and, if approved, incorporated into the overall OWASP Foundation budget for the following year. This would effectively set aside the funds to use at the appropriate period of time, in the future, with no further approvals necessary. Money that is budgeted in this manner, that wasn’t spent during the calendar year, would be returned back to the OWASP Foundation general funds.

Money not Tracked by the Foundation
Chapter leaders cannot accept finances/funds through their own bank accounts. OWASP Foundation (US) and OWASP Inc. (Europe) have been created for the purpose of handling funds. Other countries have hired third party companies to handle their finances. If OWASP funds will be handled by a third party, notify the OWASP Foundation in advance to make sure any necessary paperwork is completed.

If a sponsor pays a vendor directly (for signage, food, venue, etc.), then this is a transaction that the Foundation does not need to track. However, if the sponsor needs a receipt or record of the transaction (for tax or other purposes), the money WILL need to go through the Foundation.

To avoid appearance of impropriety, direct all potential donors to the Donate button on your chapter wiki page or to an approved third party processor.

Charging for Events
It is against OWASP’s core values and principles to charge people to attend chapter meetings. However, a chapter may decide to charge for a training, or local conference. If your chapter is charging a fee for training, event, or conference, the registration must go through the Foundation’s account on your chosen registration platform. Learn more by using the Contact Us form.

Any event that charges an admission fee or requires more than $1000 foundation funds must be submitted to the OCMS System and approved by the Executive Director. To host an event, please read the How to Host a Conference page.

Insurance
The OWASP Foundation carries insurance coverage that is sufficient for most meetings. If you need a certificate of insurance or have additional questions about insurance, please submit your request through the Contact Us form.

(Signing) Contracts
Chapter leaders are not authorized to sign contracts or enter into any legal agreements on behalf of the OWASP Foundation. If a signed contract is needed to guarantee your meeting venue or another service you would like for your chapter, please contact us for approval.