T8.3.3 - REPORTING SECURITY WEAKNESSES Implementation Guidance
The entity shall report observed or suspected information security weaknesses in systems or services.
A security weakness (or vulnerability) is a flaw that allows an attacker to reduce a system’s information assurance.
All employees, contractors and external party users should report these matters to the point of contact as quickly as possible in order to prevent information security incidents. The reporting mechanism should be as easy, accessible and available as possible. They should be informed that they should not, in any circumstances, attempt to prove a suspected weakness. Testing weaknesses might be interpreted as a potential misuse of the system and could also cause damage to the information system or service and result in legal liability for the individual performing the testing.