~2 page information security policy template on whistleblowing.
 
The policy encourages people to 'blow-the-whistle' on fraud and other impropriety, issues or concerns (such as security vulnerabilities), allowing them to be investigated.
 
Whisleblowing can be a valuable source of information on serious incidents such as frauds involving insiders that otherwise tend to remain well hidden by the perpetrators.
 
The arrangements to receive, evaluate, investigate and resolve reported issues need to be put in place first (hence the template policy should be revised to reflect your actual arrangements, if any). We suggest identifying a trustworthy senior person (such as the CEO) or function (such as Internal Audit) as the focal point, someone that people trust to be receptive, take matters seriously, investigate them thoroughly and deal with them properly.
 
If people are denied the opportunity to report wrongdoing through official channels, and are discouraged or unwilling to do so unofficially, they may just shut up ... or go to the authorities or the press. Either way, the organisation misses a golden opportunity.
 
Supplied as an MS Word document, readily customised for your organisation's specific situation.