~3-page information security policy template on reporting incidents.
Information security incidents (including events, incidents, compliance breaches, disasters, vulnerabilities, threats, nonconformities and accidents) and near-misses, particularly those directly affecting the organisation’s information, should normally be reported to Help Desk.
Help Desk's role includes initiating and coordinating the appropriate responses, liaising with relevant experts and escalating to senior management if appropriate.
Where fraud or serious malpractice is suspected or alleged, this may be reported to management or in confidence to Internal Audit.
Workers must not report, disclose or discuss information security matters, including incidents, breaches and near-misses, outside the organisation unless duly authorised to do so by senior management, or legally obliged to do so. Carelessly blabbering about a privacy breach on social media would be 'career-limiting'.
Supplied as an MS Word document, readily customised for your organisation's specific situation.