~3½-page information security policy template on reporting incidents.
 
Information security incidents should normally be reported promptly to Help Desk.
 
Help Desk's role includes initiating and coordinating the appropriate responses, liaising with relevant experts, keeping everyone informed and escalating serious matters to senior management if appropriate. 
 
Where fraud or serious malpractice is suspected or alleged, this may be reported to management or in confidence to Internal Audit. 
 
Workers must not report, disclose or discuss information security matters outside the organisation unless duly authorised to do so by senior management, or legally obliged to do so.  Carelessly blabbering about, say, a privacy breach on social media would be 'career-limiting'.
 
Supplied as an MS Word document, readily customised for your organisation's specific situation.