Without a reporting path, employees either stay silent about problems or report them to the wrong person, wasting time while the damage spreads. A textile export company in Tamil Nadu lost ₹12 lakhs when an employee noticed suspicious login attempts but didn't know how to report it—by the time the owner found out three weeks later, customer data had been copied. Regulatory bodies like CERT-In and customers conducting audits now expect you to prove employees know how to escalate security issues. Delayed response to breaches can also trigger penalties under DPDP Act 2023 for not notifying affected persons quickly.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
**Absent**
You ask an employee if they know how to report a security problem and they pause, confused, or suggest 'maybe tell the boss?' No formal reporting channel exists or is communicated. You find no written procedure, email address, or contact person designated for security reports.
**Initial**
You have a single point of contact—often the owner or one IT person—but it's not written down or officially told to staff. An employee might know to call or email one specific person, but new joiners are not told this during induction. There is no standardized form or process; reports are made informally by chat, email, or word-of-mouth.
**Developing**
You have created a simple one-page document with a security contact phone number, email, or Slack channel clearly listed, and it was shared once in an all-staff message or pinned in a common area. Most employees can name the contact, but there is no proof of understanding and no follow-up on whether reports are actually being received or acted upon. The procedure does not explain what to report or what happens next.
**Defined**
During induction training, all new employees learn the reporting procedure and receive written guidance (email, handbook, or poster) showing the contact details, examples of what to report (phishing, lost device, suspicious access), and what happens after they report. The IT person or owner acknowledges receipt of reports and provides basic feedback. You have a simple log or email folder showing reports have been received over the past few months.
**Managed**
You have a formal documented process: security reporting is part of the employee handbook and induction checklist, and refresher training happens yearly. Reports are logged with a ticket number and assigned to a responsible person, and the reporter receives confirmation of receipt within 24 hours and a brief update on resolution. You run a quarterly audit showing all staff have been trained and can describe the reporting process when asked.
**Optimised**
Reporting is integrated into your security culture and monitored continuously: employees receive training during onboarding and refresher sessions twice yearly, multiple reporting channels exist (email, phone, anonymous hotline or form, manager escalation), all reports are tracked in a formal system with timelines and metrics, and you measure employee awareness through anonymous surveys showing 90%+ of staff know how and when to report. Response times and closure rates are reviewed in quarterly management meetings, and the process is regularly tested with simulated incident reports.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Identify one person (IT staff member, office manager, or owner) as the security contact and share their name, phone number, and email address with all staff via email or message. | Business owner or manager | 1 day |
| 1 → 2 | Create a simple one-page security reporting guide in English and Hindi (if relevant): list the contact details, give 3–4 real examples of what to report (phishing email, password shared, device stolen, unusual login), and post it in the office, email it to all staff, and add it to your employee handbook. | IT person or manager, with approval from owner | 1 week |
| 2 → 3 | Include the security reporting procedure in your formal induction process: new employees must read and sign off on the document, and the IT person must verbally explain it during their first week. Maintain a signed checklist. | HR or office manager, with IT person's input | 2–4 weeks |
| 3 → 4 | Set up a simple tracking log (spreadsheet or email folder) to record all reported issues: date, reporter name (optional for anonymous reports), description, person assigned, and resolution date. Conduct yearly refresher training for all staff and audit the log to confirm reports are being handled. | IT person or manager | 1–2 months |
| 4 → 5 | Establish multiple reporting channels (email, phone, anonymous online form using free tools like Google Forms), formalize response time targets (24-hour acknowledgment, 5-day resolution target), measure staff awareness quarterly via anonymous survey, and review metrics in management meetings. Test the system twice yearly with simulated reports. | IT person with manager oversight | Ongoing, 2–3 hours per month |
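The tracking log from the 3 → 4 step and the response targets from the 4 → 5 step can be checked mechanically rather than by eye. The script below is an added example, not part of this page or the NIRMATA framework: it parses a constructed spreadsheet export in the column layout described above (with an assumed extra "acknowledged" timestamp column) and reports the share of reports acknowledged within 24 hours, the share resolved within 5 days, the closure rate, and any entries that have slipped past a target, which is the summary a quarterly management review needs.

```python
import csv
import io
from datetime import datetime, timedelta
# Constructed sample log (not from the page): the 3 -> 4 step's columns plus an
# assumed "acknowledged" column. Blank reporter = anonymous; blank resolved = still open.
SAMPLE_LOG = """id,reported,reporter,description,assignee,acknowledged,resolved
1,2024-05-02 09:15,Priya,Phishing email asking for UPI PIN,Ravi,2024-05-02 10:00,2024-05-03 16:30
2,2024-05-06 18:40,,Unusual login alert on shared mailbox,Ravi,2024-05-08 09:05,2024-05-13 11:00
3,2024-05-10 11:00,Arun,Laptop left in auto-rickshaw,Meena,2024-05-10 11:20,
"""
ACK_TARGET = timedelta(hours=24)    # 24-hour acknowledgment target
RESOLVE_TARGET = timedelta(days=5)  # 5-day resolution target

def parse_ts(value):
    """Return a datetime for a log cell, or None when the cell is blank."""
    value = value.strip()
    return datetime.strptime(value, "%Y-%m-%d %H:%M") if value else None

def load_log(text):
    """Parse the CSV log into dicts; a blank reporter marks an anonymous report."""
    return [{
        "id": row["id"],
        "reported": parse_ts(row["reported"]),
        "anonymous": not row["reporter"].strip(),
        "assignee": row["assignee"],
        "acknowledged": parse_ts(row["acknowledged"]),
        "resolved": parse_ts(row["resolved"]),
    } for row in csv.DictReader(io.StringIO(text))]

def report_metrics(rows, now):
    """Share of reports meeting each target, closure rate, and ids past a target as of `now`."""
    total = len(rows)
    ack_ok = res_ok = closed = 0
    overdue = set()
    for r in rows:
        ack_due, res_due = r["reported"] + ACK_TARGET, r["reported"] + RESOLVE_TARGET
        if r["acknowledged"] and r["acknowledged"] <= ack_due:
            ack_ok += 1
        elif r["acknowledged"] is None and now > ack_due:
            overdue.add(r["id"])          # still unacknowledged after 24 hours
        if r["resolved"]:
            closed += 1
            res_ok += r["resolved"] <= res_due   # True counts as 1
        elif now > res_due:
            overdue.add(r["id"])          # still open after the 5-day target
    pct = lambda n: round(100 * n / total) if total else 0
    return {"total": total, "ack_within_24h_pct": pct(ack_ok),
            "resolved_within_5d_pct": pct(res_ok), "closure_rate_pct": pct(closed),
            "overdue_ids": sorted(overdue)}
```

Run `report_metrics(load_log(SAMPLE_LOG), parse_ts("2024-05-20 09:00"))` to see that report 2 missed both targets and report 3 is open and overdue.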
Documents and records that prove your maturity level.
- Written security reporting procedure document (one page minimum) with contact details, examples of reportable issues, and next steps clearly explained in plain language
- Email or message sent to all staff (with read receipt or acknowledgment) communicating the reporting contact and procedure
- Induction checklist or onboarding document signed by new employees confirming they have been briefed on security reporting
- Log or tracked folder showing at least three security reports received and handled over the past 6 months (with dates, descriptions, and resolution status)
- Evidence of at least one refresher training session (email, meeting notes, or attendance sheet) where the reporting process was reinforced to staff
Prepare for these questions from customers or third-party reviewers.
- "Can you show me the documented security reporting procedure and tell me how it is communicated to all employees, including new joiners?"
- "If an employee suspects a phishing attack or sees an unauthorized access attempt, who would they contact and how? Can you provide me with the contact details?"
- "Can you show me examples of security reports that have been submitted in the last 6 months and how they were handled?"
- "How do you confirm that all your staff—including remote workers and contractors—are aware of and understand the reporting process? What training or testing have you done?"
- "What response time do you commit to for acknowledging and resolving security reports, and how do you ensure reporters are kept informed?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Create and share a simple one-page reporting guide | Google Docs or Microsoft Word (free via OneDrive); LibreOffice Writer | Microsoft Office 365 (if not already subscribed) |
| Log and track security reports with assignee and status | Google Sheets, Microsoft Excel (free online version), or Trello free tier | Jira (₹15,000–30,000/year), Asana (₹6,000–12,000/user/year), or Monday.com (₹8,000–20,000/year) |
| Create an anonymous or semi-anonymous reporting form for staff | Google Forms, Jotform free tier, or Typeform free tier | SurveySparrow (₹5,000–15,000/year) or Formstack (₹20,000+/year) |
| Measure employee awareness of reporting procedures via anonymous survey | Google Forms or Jotform | Qualtrics (₹50,000+/year) or SurveySparrow |
| Send encrypted or tracked security reports via email if needed | Gmail with read receipt and labels for organization | Proton Mail (₹6,000–12,000/year for business) or SecureWorks email (₹500–2,000/month) |
- Assuming one verbal announcement is enough: Indian MSMEs often tell staff once during a meeting and assume they remember; without written documentation, new joiners and casual staff are left unaware. Always document it in writing in simple language.
- Making the process too complicated or requiring too much detail: employees hesitate to report if they think they need to fill out a long form or provide perfect technical descriptions. Keep it simple: name, date, what you saw, who to contact. Let IT staff ask follow-up questions.
- Reporting to wrong people: in family-owned or small businesses, staff may tell their direct manager instead of the IT person or owner, causing delays or miscommunication. Clearly name one or two primary contacts and train managers to escalate security reports immediately rather than handle them.
- No feedback to reporters: when an employee reports a problem and hears nothing back, they lose trust and stop reporting next time. Commit to acknowledging reports within 24 hours and giving a brief update on what happened, even if it's 'We investigated and found nothing suspicious.'
- Ignoring anonymous reporting: fear of blame or punishment may silence employees; providing an anonymous channel (email alias, form, or trusted third party) can encourage more reports. Ensure reporters know they will not face punishment for good-faith reporting of suspected issues.
- Forgetting remote and contract staff: in a hybrid or distributed team, remote workers and contractors may not see office posters or be included in all-hands meetings. Use email, employee portal, or shared documents to reach everyone equally, and confirm receipt.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Data Security) and Section 6 (duties of data processor); requires notification of personal data breach without undue delay |
| CERT-In 2022 Guidelines | Rule 3 (Security Incident Reporting); organizations must have a documented incident reporting and response procedure |
| ISO 27001:2022 | Clause 7.4 (Communication) and Annex A.5.3 (Incident Management); requires that employees are aware of their role in reporting security incidents |
| NIST CSF 2.0 | Govern Function (GV.RO: Risk and Oversight) and Detect Function (DE.AE: Anomalies and Events); detection depends on awareness and reporting by personnel |
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.