
Publication Summary

Title Information Security Whistleblowing Policy
Author(s) Alessandro Cardinali
Issued by CEO

Version doc. 0.1
Review freq. Yearly

Date of issue December 11, 2023
Owner Alessandro Cardinali
Document status Draft – Final Draft – Final
Approval Date n/a
Classification Internal

Change Log

Version Date Author Comments
0.1 December 11, 2023 First draft document
1.0 December 20, 2023

Contents

1 Introduction

2 Information security whistleblowing policy

2.1 Whistleblowing definition

2.2 Who can raise a concern

2.3 Types of relevant concern

2.4 How to raise a concern

2.5 Information required when raising a concern

2.6 Confidentiality and support for whistleblowers

2.7 Handling of concerns raised

2.8 External Disclosures

2.9 Legal rights regarding whistleblowing

2.10 Malicious whistleblowing

Introduction

[Organization Name] accepts that there is a risk that sometimes, despite its best efforts, there may be violations of its information security policy or other actions taken by its personnel which could represent malpractice or be contrary to public interest or applicable legislation. By encouraging a culture of openness, it may be feasible to both prevent such occurrences in the first place, and to address them when and if they do happen. This may only be possible if people are willing to come forward to raise concerns, safe in the knowledge that by doing so, they will not be risking victimisation or the loss of their job. The act of coming forward, referred to as “whistleblowing”, is encouraged within [Organization Name] and protection is provided to ensure that concerns can be raised in a confidential manner.

The purpose of this document is to describe [Organization Name]’s policy with respect to whistleblowing in the area of information security. Note that concerns regarding areas other than information security are covered in separate policies.

Whistleblowers are protected by law in many countries, including:

  • Within the European Union, by the European Whistleblower Protection Directive

  • In the UK, by the Public Interest Disclosure Act and the Employment Rights Act

  • At the federal level in the USA, by the Whistleblower Protection Act

  • By the Public Interest Disclosure Act in Australia

  • [State relevant laws for the countries in which your organization operates – note that some legislation may only apply in specific sectors, for example public sector]

It is [Organization Name]’s duty to comply with relevant legislation with regard to whistleblowing.

The following policies and procedures are relevant to this document:

Information security whistleblowing policy

Whistleblowing definition

Whistleblowing is defined as the reporting of suspected or actual wrongdoing by a whistleblower.

Further definitions to support this are as follows:

  • Wrongdoing – action(s) or omission(s) that can cause harm

  • Whistleblower – a person who reports suspected or actual wrongdoing, and has reasonable belief that the information is true at the time of reporting

  • Reasonable belief – a belief held by an individual based on observation, experience or information known to that individual, which would also be held by a person in the same circumstances

(These definitions are taken from ISO 37002 – Whistleblowing management systems – Guidelines).

Who can raise a concern

Under this whistleblowing policy, concerns may be raised by any employee or other interested party of [Organization Name]. This includes suppliers, customers, partners and temporary personnel.

Types of relevant concern

Concerns may be raised about any information security-related matter. Examples of actual or potential wrongdoing could include:

  • Actual or potential legal violations, for example of data protection law

  • Noncompliance with information security policy

  • Inadequate information security controls

  • Breaches that have not been handled or reported appropriately

  • Suspicions about various forms of malpractice, including fraud and corruption affecting information security within [Organization Name]

Whistleblowing does not include personal grievances (such as bullying, harassment or discrimination) affecting the individual making the complaint, which should be raised via normal management channels or using the grievance procedure.

How to raise a concern

Concerns should be raised confidentially to your immediate line manager in the first instance. This may be done via any reasonable method, including verbally, via email or in writing.

If you feel that it is inappropriate to raise the concern with your line manager, you may approach their manager directly, or another person within the organization who is particularly relevant to the concern, for example the Chief Information Security Officer (CISO).

In a case where you do not feel that this is appropriate, you may report your concern to a member of the Executive Team.

Anonymous reports are still permitted, but whistleblowers are encouraged not to submit reports anonymously, as this makes investigation more difficult and may mean that legal protections do not apply.

Information required when raising a concern

When raising a concern, sufficient detail will need to be provided to allow it to be investigated and verified. This will typically include:

  • Dates and times of relevant events

  • Names of people involved

  • A full description of what is understood to have happened, or could happen

  • Any other information useful to an investigation

Care should be taken to ensure the accuracy of the information provided, and evidence should be included where possible, although this is not essential.

Confidentiality and support for whistleblowers

It is a fundamental principle of this policy and of relevant legal protection that the whistleblower should not suffer negative consequences, such as victimisation, demotion or loss of employment, through their actions.

Whistleblowing reports will be kept confidential and the identity of the person making the report will not be made known except to those involved in the investigation. If it becomes impossible to maintain confidentiality, this will be discussed with the whistleblower first.

Where appropriate, access to advice and counselling services will be made available to the whistleblower during the investigation.

The whistleblower may be accompanied at meetings by a colleague or trade union representative if they choose to do so.

Handling of concerns raised

It will be the responsibility of the person to whom the concern was raised to either investigate it directly, or to raise it confidentially with an appropriate person. Depending on the issue, a more in-depth formal investigation may result.

Whistleblowing reports must be dealt with consistently and fairly.

The person raising the concern (the whistleblower) will be kept informed regarding the progress and results of investigations, unless this is not permitted for third party confidentiality reasons.

Where appropriate, independent subject matter experts may be called upon to conduct the investigation and liaise with the whistleblower.

External Disclosures

It is [Organization Name]’s policy to encourage the reporting of concerns internally, so that the organization has an opportunity to handle the matter in the most appropriate way. In the event that a whistleblower feels justified in reporting the concern outside of the organization, they should first consider bodies that have a regulatory role in our industry. This will help to ensure that legal protections for the whistleblower remain applicable.

Reporting concerns directly to the media or making them public via the Internet without following internal procedures may be seen as an unreasonable route and so result in disciplinary action being taken. This may also limit the legal protection available to the whistleblower.

Legal rights regarding whistleblowing

The legal obligations of [Organization Name] with regard to whistleblowing vary according to the country involved.

Within the European Union, the organization has a responsibility to:

  • Acknowledge receipt of a whistleblower report within a seven-day period

  • Provide prompt and appropriate feedback to the whistleblower during the investigation

  • Complete the investigation of the concern within 90 days of the filing of the report

  • Ensure comprehensive records of the investigation are maintained

[Add legal obligations within the countries in which your organization operates].

Malicious whistleblowing

Whistleblowing reports must be made in good faith and in a reasonable belief that the information provided is true. Reports made with malicious intent may be subject to disciplinary action.