When employees hide security concerns out of fear or confusion, small problems grow into big breaches. For example, an accounts team member at a Delhi export company noticed unusual login attempts but didn't report them; three months later, an attacker emptied the bank account because the issue had gone undetected. Employees who feel blamed for mistakes will also bypass security controls (like sharing passwords to 'get work done faster'), making your systems weaker. Without an open culture in which people raise concerns freely, you lose your first line of defense: the people actually using your systems every day.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent: You walk into the office and find employees either follow security rules blindly without understanding them, or quietly ignore rules they think are inconvenient. No one mentions security concerns to anyone.
- Initial: You see that a few employees might mention a security problem to the IT person if directly asked, but most won't bring issues up on their own because they're unsure if they should or fear getting in trouble.
- Developing: You notice that when you send an email about a security incident or rule, a handful of employees ask clarifying questions or mention related concerns. There's an informal way (email or chat) for people to reach out, but it's not publicized or formally tracked.
- Defined: You find that employees regularly use a known channel (like email, a chat group, or a suggestion box) to ask security questions or report concerns, and someone actually responds to them within a few days. Managers occasionally encourage their teams to speak up.
- Managed: You see that employees across departments confidently ask security questions, report suspicious activity, or request clarification on rules. There's a clear, fast response process (tracked in a log or ticketing system), and management regularly thanks people for raising concerns during team meetings.
- Optimised: You observe that security questions and concerns are treated as valuable feedback throughout the organization. There's a formal, documented process with defined response times, regular training on how to report safely, metrics showing participation, and visible examples of improvements made based on employee input.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Create a simple one-page security contact guide listing who employees can talk to about security concerns (IT person, manager, or owner email). Print and post it near the office entrance and share via email once. | Business owner or manager | 2 hours |
| 1 → 2 | Set up a dedicated email address (e.g., security-help@company.com) monitored by one person. Send a brief email to all staff introducing it, and ask managers to mention it once in their next team meeting. | IT person or manager, with owner approval | 4 hours |
| 2 → 3 | Document a simple Security Question & Response process: define response time (e.g., 24 hours), assign a responsible person, keep a log in a spreadsheet, and hold a 15-minute all-hands meeting quarterly to highlight questions received and answers given. | Manager or owner with IT person | 1-2 weeks |
| 3 → 4 | Implement a basic ticketing system (free Google Form or Jotform) to log all security questions, set up auto-acknowledgment replies, measure response times, and include metrics in monthly team updates. Train all managers to proactively encourage reporting. | IT person with manager input | 2-4 weeks |
| 4 → 5 | Integrate security question handling into annual performance goals, formalize a 'no blame' policy in writing, conduct quarterly reviews of trends in questions received, use findings to improve security training, and celebrate improvements at company events. | Owner, manager, and IT person together | Ongoing quarterly reviews and policy updates |
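As an added example (not part of the original page or of any product it names), here is a short Python script that turns a Google Form or spreadsheet export into the numbers the 2 → 3 and 3 → 4 steps ask you to track: replies measured against the 24-hour target, questions still unanswered, answered questions whose outcome was never sent back to the employee, and which departments actually use the channel. The CSV column layout and the sample rows are constructed for illustration, not a required format.

```python
"""Monthly metrics from a security question log (standard library only).
Added example, not the page's or any vendor's code; it assumes the form or
spreadsheet export is a CSV with the columns below (a constructed layout).
"""
import csv
import io
import statistics
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M"
# Constructed sample export: one quarter of questions for a small office.
SAMPLE_LOG = """\
id,received,department,topic,responded,outcome_sent_to_employee
1,2024-04-02 09:15,finance,shared password for bank portal,2024-04-02 14:40,yes
2,2024-04-15 11:00,sales,suspicious login alert email,2024-04-17 10:05,yes
3,2024-05-03 16:30,operations,USB stick found in car park,2024-05-04 09:10,no
4,2024-05-20 08:45,finance,vendor asking to change invoice bank details,2024-05-20 12:00,yes
5,2024-06-10 13:20,hr,SMS claiming to be from payroll,,no
"""


def compute_metrics(log_text, target_hours=24, now=None):
    """Summarise a CSV log; ``now`` is 'YYYY-MM-DD HH:MM' (default: current time)."""
    now = datetime.strptime(now, TIME_FMT) if now else datetime.now()
    hours = []            # received -> first response, for answered questions
    open_ids = []         # no response logged at all
    overdue_ids = []      # open and already past the target
    loop_not_closed = []  # answered, but the employee was never told the outcome
    by_department = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        received = datetime.strptime(row["received"], TIME_FMT)
        by_department[row["department"]] = by_department.get(row["department"], 0) + 1
        if not row["responded"]:
            open_ids.append(row["id"])
            if (now - received).total_seconds() / 3600 > target_hours:
                overdue_ids.append(row["id"])
            continue
        responded = datetime.strptime(row["responded"], TIME_FMT)
        hours.append((responded - received).total_seconds() / 3600)
        if row["outcome_sent_to_employee"].strip().lower() != "yes":
            loop_not_closed.append(row["id"])
    answered = len(hours)
    within = sum(1 for h in hours if h <= target_hours)
    pct = round(100 * within / answered, 1) if answered else 0.0
    median = round(statistics.median(hours), 1) if hours else None
    return {"received": answered + len(open_ids), "answered": answered,
            "within_target": within, "within_target_pct": pct,
            "median_response_hours": median, "open": open_ids,
            "overdue_open": overdue_ids, "loop_not_closed": loop_not_closed,
            "by_department": by_department}
```

Run `compute_metrics(SAMPLE_LOG, now="2024-06-30 09:00")` to see the quarter's figures; the "open", "overdue_open" and "loop_not_closed" lists are the items to chase before the monthly team update.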
Documents and records that prove your maturity level.
- A written or email announcement to all staff explaining how and where to report security concerns (contact details, response time promised)
- A log, spreadsheet, or ticketing system showing at least 5–10 security questions or concerns received in the last 3 months, with dates, topics, and responses given
- Signed acknowledgment or meeting minutes showing that managers have communicated the reporting process to their teams
- A documented Security Question & Response procedure with defined roles, escalation paths, and target response times
- Evidence of follow-up actions taken based on employee concerns (e.g., an email update saying 'We fixed the shared password issue mentioned by the finance team' or training adjusted based on feedback)
Prepare for these questions from customers or third-party reviewers.
- "How do employees report a security concern or ask a security question? Please show me the process and any announcements you've made about it."
- "Can you give me examples of security concerns raised by staff in the last 6 months and how they were handled?"
- "How do you make sure employees know they won't be punished or blamed for reporting a security issue?"
- "Who is responsible for responding to security questions, and how quickly do they respond?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and track security questions and concerns submitted by employees | Google Forms (set to collect responses in a spreadsheet) or Jotform free tier | Jira (₹3,000–8,000/year for basic team plan) or Freshdesk (₹3,000–5,000/year) |
| Send regular reminders and training emails encouraging employees to report concerns | Google Workspace email with templates, or Mailchimp free tier (up to 500 contacts) | Constant Contact (₹2,500–5,000/year for small business) |
| Create and share an internal security help guide or FAQ document | Google Docs or Notion (free personal workspace) | Notion Business (₹4,000–6,000/year) or Confluence (₹3,000–10,000/year) |
- Announcing a reporting channel once and assuming employees will use it—they forget quickly. You must repeat the message every quarter and remind managers to mention it.
- Making the report process too formal or complicated (long form, many approvals)—employees will avoid it. Keep it simple: a single email address or one-click form.
- Reacting defensively or blaming an employee when they report a concern—word spreads fast in small offices, and everyone will stop reporting after that. Always thank them, even if it turns out to be nothing.
- Never closing the loop—you receive a concern but never tell the employee what you did about it. They feel ignored and stop reporting. Always send a brief update, even if the answer is 'not a risk, here's why.'
- Treating security questions as interruptions instead of valuable input—if your IT person is always too busy or irritated, employees will ask colleagues instead, spreading misinformation.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Consent) and Schedule 2 (Accountability) – organizations must demonstrate that employees understand and can report data protection concerns without fear |
| CERT-In 2022 | Guideline 7.1 and 7.2 – incident reporting and employee awareness; encouraging staff to report suspected incidents |
| ISO 27001:2022 | Clause 6.3 (Awareness) and Annex A, Control A.7.2 (Competence) – employees must be made aware of security responsibilities and encouraged to report concerns |
| NIST CSF 2.0 | Function GV (Governance), Category GV.RO-03 (Communication) and Function PR (Protect), Category PR.AT-01 (Awareness and training) |