The security policy sets out a notification method for events and vulnerabilities relating to IT security, so that corrective actions can be implemented as rapidly as possible. Formal procedures for reporting and escalation should be drawn up, and staff made aware that they are expected to report the various types of events and vulnerabilities liable to affect security. These events should be reported to the designated person as quickly as possible. This will usually be the person responsible for IT systems security or the Chief Executive Officer of the organisation.
The security policy includes a coherent and effective process for managing reported incidents. The responsibilities and procedures for dealing with incidents are defined in the policy. Management has opted for a continuous improvement process for the general monitoring, assessment and management of incidents relating to IT security, as well as for the corrective actions implemented. This process covers the collection of the evidence necessary to meet legal requirements and to enable the reconstruction of events and decisions.
Failures to meet security obligations should be dealt with in the same way as incidents, even where the failure has had no impact on IT or organisational security.