Reporting Security Incidents, Vulnerabilities, and Threats Policy

This Rules/Policy document is provided to you and your organization as a starting point or maturity checkpoint for existing rules/policies. It is brought to you on behalf of Jim McConnell, Principal Owner, and Ask McConnell, LLC — A Converged Security Services Provider. The content is not meant to cover every circumstance, industry, law, regulation, contractual requirement, threat, environment, or risk, but it provides an easy, defendable, highly accountable starting point for any organization. Please consult with your legal counsel and insurance provider about added requirements. If you know of peers that you think would find value in these resources, please have them contact us. These will be updated on our website regularly. We are not legally protecting these documents; we just ask for credit, shout-outs, and referrals if you find them helpful. If you have recommended updates, we are all ears. And if you need Converged Security Consulting and Training, please reach out, we would be honored to serve you and your organization.

Jim McConnell  |  info@askmcconnell.com  |  askmcconnell.com


Updated: 21 March 2025

Protecting human lives is the highest requirement of our entire organization, whether they are employees, customers, volunteers, visitors, or part of our supply chain while under some nexus to our organization. Many times things we do online will impact people’s lives physically, financially, and emotionally. So whether it is a physical security issue, cyber security issue, or any other security issue — reporting incidents, vulnerabilities, and threats is critical and must be timely.

  • I will report non-criminal, non-life-threatening but urgent security incidents, concerns, vulnerabilities, and threats to my supervisor or the organization’s Ethics Hotline.
  • I will report non-urgent security incidents, concerns, vulnerabilities, and threats to the proper operational owner and my supervisor during current business hours.
  • I will report crimes and life-threatening situations to law enforcement (911 or country equivalent) and to either my supervisor or the organization’s Ethics Hotline immediately, or when it is safe to do so.
  • I will report safety issues that may cause security issues to my supervisor and the organization’s safety officer immediately upon discovery.
  • I will confirm, at the first available time in the morning, that all reports were received if the initial reports were made during evening or early morning hours.
  • I will report to my assigned travel warden at pre-arranged times and checkpoints when travelling on business. If I cannot contact my warden at the pre-arranged time due to non-security or non-safety reasons, I will attempt to relay a message through a trusted contact.

Signature Note: I am a huge fan of wet signatures on these types of documents for accountability and investigation reasons. You can add the signature lines below to each rule/policy document, or have a collective wet signature with references in the Security Commitment Agreement document available on the One-Pager library page. Organizational preference.

________________________
Print Full Legal Name

________________________
(Blue Ink) Full Legal Signature
Style of signature must closely match Driver’s License

________________________
Date

