Chapter Handbook/Chapter 4: Chapter Administration

Owasp.org Email Accounts
Owasp.org email accounts are provided for paid OWASP members, Chapter Leaders, and Project Leaders. If you do not have one and fall into one of these categories, submit your request to http://sl.owasp.org/contactus.

The standard format followed for email addresses is: firstname.lastname@owasp.org.

It is recommended that chapter leaders use their owasp.org email account for all OWASP related matters. There are a number of reasons for this including: a separation between your contributions for OWASP and other volunteer or paid work you may do, eliminating the appearance of conflict of interest (by using a work email address for OWASP matters), and protecting your personal privacy. The email address of chapter leaders is listed both on the chapter wiki page (a means of contact) as well as the administrator of the chapter mailing list. Using an owasp.org email address prevents your personal email address from being listed on a public site.

OWASP Wiki
Maintaining the web site is the most basic aspect of promoting an OWASP chapter. This is the place where people will be directed, when looking at our list of meeting locations by geographic region: https://www.owasp.org/index.php/Category:OWASP_Chapter

Part of holding free and open chapter meetings is making the information about your meetings (time and place) freely available. So that people don’t have to hunt around for your meeting information make sure to post the information on your wiki page as soon as the meeting is set.

The local chapter web site should include at least:
 * Information about the chapter leadership, including best way to contact.
 * Link to the chapter’s mailing list.
 * Information about future and historical events.
 * The presentations given in past meetings.

Other promotional services such as LinkedIn, Facebook, Twitter, Ning, Meetup, etc. are fine to inform people about your local chapter and its activities; however, the OWASP Chapter Wiki Page should be the authoritative information at all times.

If you have not already created an account on our wiki site (which can be used to edit your chapter's wiki page), please do so using the following link: https://www.owasp.org/index.php/Special:RequestAccount

Tips on wiki markup/editing: http://www.mediawiki.org/wiki/Help:Editing_pages#Edit_Summary and http://www.mediawiki.org/wiki/Help:Formatting

You can copy and paste the wiki code for this “template” here: https://www.owasp.org/index.php/Sample_Chapter_Page

Local Domain Names
Many leaders wish to purchase a local domain name for their OWASP chapter, and this domain should point to the chapter web page on the wiki. It is important to note that the OWASP wiki is the only web site that ensures OWASP values and principles.

A few countries (such as China) have not been able to access the wiki and therefore the local domain name is used as the main source of information about OWASP for the country. If an exception is permitted, every effort must be made to announce changes to leadership and upcoming meetings on the chapter wiki page so that the global site information is up to date.

Chapter leaders are free to register local domain names and submit the expense for reimbursement from their chapter’s account. If additional paperwork or authorization is needed for the registration, submit your request to http://sl.owasp.org/contactus. Also, please notify the Foundation (through this same form) if you have registered the name to help us keep track of what domain names have been purchased by OWASP.

Mailing Lists
The chapter mailing list should be used mostly to inform list members about local OWASP activities. In addition to chapter meetings, which should all be posted to the list, many chapters use their list as a way to communicate information about upcoming security events, projects the chapter is working on, or appsec-related issues.

Chapter leaders will be given the administrative password for their chapter mailing list and will be responsible for moderation of the list. If additional moderators need to be added to your list, please feel free to add them as needed. Should a post need to be moderated, you will receive an email from your list requesting approval.

When a person is listed as an administrator of a mailing list they will receive all email sent to the OWASP leader's list. Please add all (additional) chapter leaders to the administrative area on the mailing list so that they will receive timely communication from the community.

Some other suggestions:
 * It is frowned upon by the OWASP Community to “spam” OWASP mailing lists regarding conferences in other regions. For example, it would be inappropriate for someone hosting a non-OWASP conference in India to send e-mails to multiple mailing lists outside of India.
 * The best way to prevent “spam” from your chapter’s mailing list is to enable list moderation. This can be done by logging into the mailing list administrative interface and clicking on “Privacy Options” and “Sender filter.” There are options for moderating posts by both mailing list subscribers and non-subscribers.


 * The subject of posting job leads to a chapter’s mailing list is handled differently by each chapter. Some chapters encourage it as long as the jobs are local and security related, others frown upon it, instead encouraging the people hiring to stand up and promote their openings in person at the chapter meetings.
 * For discussion details: see “[Owasp-leaders] Job Leads on Chapter Mailing Lists?”
 * OWASP has a [|Job Board] on LinkedIn. OWASP does not endorse commercial products or services and provides this listing for the benefit of the community. If you have additional questions or would like to post a job opening to this page visit our LinkedIn Jobs page.

Social Media
Similar to the OWASP chapter mailing lists, social media under the “OWASP” Chapter name should be used to inform subscribers about OWASP activities as well as communicate information about upcoming security events, projects the chapter is working on, or other appsec-related issues. Additionally, social media used under the OWASP chapter name, should abide by the OWASP Principles and Code of Ethics.

While the chapter leader or member that sets up the account will hold the password and be the official “owner” of the account, please share this account login information with other members of the leadership team. When new leadership takes over, the information should be handed over to the new leader(s).

Note that, the chapter page on the OWASP wiki is the official representation of the chapter. Therefore, communication on social media platforms should complement not replace the wiki page. Chapter members should not be required to sign up for any social media account to get access to meeting notices. Do keep any new event or activity announcements up to date on the wiki page, per section 4.2. If social media is one of the main forms of communication your chapter uses to spread the word about meetings and events, it is important that the page be openly accessible, regularly maintained and updated with accurate information.

Ideas for social media platforms used by current OWASP chapters (it is not necessary for each chapter to have an account with each of these platforms -- choose the forum that will be best for your geographic area):
 * Delicious - http://delicious.com/
 * Digg - http://digg.com/
 * Eventbrite - http://www.eventbrite.com/
 * Facebook - http://www.facebook.com/
 * Flickr - http://www.flickr.com/
 * LinkedIn - http://www.linkedin.com/
 * Meetup - http://www.meetup.com/
 * Ning - http://myowasp.ning.com/
 * Newsvine - http://www.newsvine.com/
 * Reddit - http://www.reddit.com/
 * Stumbleupon - http://www.stumbleupon.com/
 * Twitter - http://twitter.com/

Organizing Your Contacts
It is recommended that each chapter have a central database (something as simple as a google spreadsheet) in which to organize their contact database. This can be a comprehensive list of mailing list subscribers, LinkedIn group members, Local Affiliations (and point of contact within the organization), and Sponsors (past, current, future). This will not only help when it is time to pass chapter management onto a new person, but also with direct mailings (which often generate more results than “list” mailings) and finding future venues, sponsors, or even speakers. See also the section below on “Recruiting List Members.”

When using the contact database, remember to abide by our privacy rule. Member contact lists may not be distributed outside of chapter leadership.

Handling Money
Chapter funds should be used for your chapter and must be spent in line with the OWASP Foundation goals, principles, and code of ethics. Accordingly, chapter finances should be handled in a transparent manner.

A chapter should have a treasurer who is in charge of money. This person can be (and often is) the leader. His/her name should be communicated to the Community Manager so we can update our official records.

Spending Guidelines
For the following common expenses, if the expenditure is under $500, Chapter Leaders can consider their purchase “white-listed” for reimbursement out of the chapter’s account, provided that the chapter has the necessary funds in its account:
 * Meeting venue rental
 * Refreshments for a meeting
 * Promotion of a meeting
 * OWASP Merchandise

If, however, the expense does not fall under one of the above categories or is greater than $500, a second person (another chapter leader or board member if possible) must sign off on the purchase. While travel for speakers is a common expense and may fall under $500, a second signer is still required. Similarly, a donation of money out of the chapter’s account back to the Foundation, requires a second signer.

From an administrative perspective, OWASP has a responsibility to show its supporters that their donations (via members, sponsorship or other) are being used properly - in support of the OWASP mission. Visit the OWASP Donation Scoreboard to see your chapter's current funding balance.

Exceptions to the guidelines can be brought to the Executive Director for approval and tracking.

Additional Expense Policies
A chapter is free to adopt any additional procedure for authorizing expenses as long as it is also authorized by the treasurer (or leader) and documented. The treasurer (or leader) must, in addition to any bookkeeping required by local authorities, keep a list of expenses made. This list should be made public, preferably on the wiki.

Reimbursement Process
The recommended process for paying for chapter-related expenses is to prepay for the expense and submit the receipt through the OWASP reimbursement request form to get your money back. This is a standardized reimbursement procedure through for OWASP. When your request is submitted, a authorization request will be send to the appropriate chapter (leaders) for approval. You will not receive your reimbursement until the approval has been received.

In case of doubt if an expense is in line with the OWASP principles, get advice from the Community Manager.

Chapter Budgets
Sample Budget Template

Money not Tracked by the Foundation
Chapter leaders should not be accepting finances/funds through their own bank accounts. OWASP Foundation (US) and OWASP Inc. (Europe) have been created for the purpose of handling funds. Other countries have hired third party companies to handle their finances. If OWASP funds will be handled by a third party, notify the OWASP Foundation in advance to make sure any necessary paperwork is completed.

If a sponsor pays a vendor directly (for signage, food, venue, etc.), then this is a transaction that the Foundation does not need to track. However, if the sponsor needs a receipt or record of the transaction (for tax or other purposes), the money WILL need to go through the Foundation.

To avoid appearance of impropriety, forward all potential donors to the Donate button on your chapter wiki page or to approved third party processors.

Charging for Events
It is against OWASP’s core values and principles to charge people to attend chapter meetings. A chapter may decide to charge for a training, one-day speaker event, or local conference though. If your chapter is charging a fee for training, event, or conference, the registration should go through RegOnline.

Any event that charges an admission fee, or requires more than $1000 foundation funds must be submitted to the OCMS System and approved by the Executive Director.

Insurance
The OWASP Foundation carries insurance coverage that is sufficient for most meetings. If you need a certificate of insurance or have additional questions about insurance, please submit your request through http://sl.owasp.org/contactus.

(Signing) Contracts
Chapter leaders are not authorized to sign contracts or enter into any legal agreements on behalf of the OWASP Foundation. If a signed contract is needed to guarantee your meeting venue or another service you would like for your chapter, please contact us for approval.