
07) Does your organisation have a process for employees, contractors, and suppliers to report suspected or known information security breaches and weaknesses?

January 30, 2023
Business Resilience
Reporting Breaches

Answer yes if your organisation has a documented process for reporting information security incidents, or suspected information security incidents (this is typically via an IT helpdesk). Please describe the process in the notes, or provide a process document (as a PDF file) as evidence.

It is important that your company has established a process by which employees, contractors, and third party suppliers can report suspected information security incidents to be investigated. This process should be known by all staff members and should be included within your security awareness programmes to ensure staff diligently report breaches or suspicious events.

Typically, employees and enrolled contractors can report suspected security incidents to your IT service desk or IT support staff. Your support staff or service desk should then have a documented process for investigating, categorising, and escalating the incident. This process should invoke your incident response plan.

Third party suppliers usually report any suspected or known breaches to whoever is responsible for supplier relationships within your company. This is usually a supplier relationship manager (SRM) or other procurement resource. These resources should be aware of the escalation process once a third party supplier has reported a breach.

How to implement the control

Ensure that you have a documented and embedded process by which employees, contractors, and third party suppliers can report data breaches and security incidents for investigation.

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.
