~2-page information security policy template on whistleblowing.
The policy encourages people to 'blow the whistle' on fraud and other impropriety, issues or concerns (such as security vulnerabilities), allowing them to be investigated.
Whistleblowing can be a valuable source of information on incidents involving insiders, which otherwise tend to be kept hidden by the perpetrators.
The arrangements to receive, evaluate, investigate and resolve reported issues need to be put in place first (hence the template policy should be revised to reflect your actual arrangements, if any). We suggest identifying a trustworthy senior person (such as the CEO) or function (such as Internal Audit) as the focal point, someone that people trust to take matters seriously, investigate them thoroughly and deal with them properly.