SID-PPL-04 — Information Security Event Reporting
| Property | Value |
|---|---|
| Owner | operator |
| Category | process |
| CSF Function | detect |
| Group | People Security Controls |
Description
Personnel must be able and required to report observed or suspected
information security events promptly through defined channels.
Implementation requirements:

(1) Reporting channels: define and publish at least one primary channel (e.g. a security@ mailbox or a ticketing system) and one out-of-band channel (e.g. phone or Signal) for use when the primary channel is unavailable or the event involves the primary channel's owner.

(2) Scope of reportable events: suspicious access, phishing attempts targeting wallet users or staff, indicators of credential misuse, device loss or compromise, abnormal system behavior, and policy violations.

(3) No-retaliation policy: explicitly documented; staff must be made aware that good-faith reports are protected.

(4) Response SLA: initial acknowledgement within 4 hours; triage and classification within 24 hours. SLAs MUST be documented.

(5) Awareness: the reporting procedure MUST be covered in security awareness training (SID-PPL-02) and included in onboarding.

(6) Integration with incident management: reports feed directly into the incident response process (SID-OPS-01).

Review criteria: documented reporting channels, no-retaliation policy, response SLA, and evidence of inclusion in training materials.
Source References
Framework Requirements
ISO 27001 Annex A: A.6.8