BenchmarksStack Ranking
H33-128H33-CKKSH33-256H33-BFV32H33-FHE-IQFHE OverviewZK LookupsBiometricsH33-3-KeyH33-MPCPQC ArchitecturePQ VideoStorage EncryptionAI DetectionEncrypted Search
APIsPricingTokenDocsWhite PaperBlogAboutSecurity Demo
Log InGet API Key
Home/Compliance/Security Event Reporting
ISO 27001

Security Event Reporting Procedure

ISO 27001 Control A.6.8 — Effective: March 8, 2026

Document ID: H33-SER-001

Classification: Internal / All Personnel

Owner: Eric Beans, CEO / CISO

Approved: March 8, 2026

Next Review: March 2027

1. Purpose

This procedure establishes the process for reporting information security events at H33, in accordance with ISO 27001:2022 control A.6.8 (Information security event reporting). It ensures that security events are reported promptly, assessed consistently, and escalated appropriately to minimize impact on H33's operations and customers.

All H33 personnel (employees, contractors, and third-party users) are required to report observed or suspected security events through the channels defined in this procedure.

2. Definitions

2.1 Security Event

An identified occurrence of a system, service, or network state indicating a possible breach of information security policy or failure of controls, or a previously unknown situation that may be security relevant. Security events may or may not escalate into security incidents.

2.2 Security Incident

One or more related information security events that have a significant probability of compromising business operations and threatening information security. A security incident is a confirmed event that requires a coordinated response.

2.3 Data Breach

A security incident in which sensitive, protected, or confidential data has been accessed, disclosed, or exfiltrated by an unauthorized party. Data breaches trigger specific notification obligations under applicable law (HIPAA, GDPR, state breach notification statutes).

3. Reporting Channels

Security events may be reported through any of the following channels. All channels are monitored during business hours and critical severity alerts are monitored 24/7.

Channel Contact Use Case
Email security@h33.ai General security event reports, non-urgent findings
Slack #security-incidents Real-time alerts, urgent event notification, team coordination
Phone Security Officer direct line Critical (P1) events requiring immediate response
Anonymous security@h33.ai (anonymous form) Concerns requiring anonymity

4. What to Report

Personnel must report any observed or suspected security event, including but not limited to:

  • Unauthorized access attempts: Suspicious login activity, privilege escalation, access from unknown locations or devices
  • Suspicious system behavior: Unexpected processes, unexplained performance degradation, unusual network traffic, unexpected configuration changes
  • Lost or stolen devices: Laptops, phones, USB drives, or any device with access to H33 systems or data
  • Phishing attempts: Suspicious emails, messages, or links targeting H33 personnel or impersonating H33
  • Policy violations: Observed violations of H33 security policies (e.g., sharing credentials, disabling security controls)
  • Malware indicators: Suspicious files, unexpected pop-ups, anti-virus alerts, ransomware indicators
  • Third-party compromises: Notifications from vendors about breaches that may affect H33 data or services
  • Physical security events: Tailgating, unauthorized visitors, suspicious packages
  • Cryptographic anomalies: Unexpected FHE decryption failures, signature verification failures, key material anomalies

When in doubt, report it. It is always better to report a non-event than to fail to report a genuine security incident. There is no penalty for good-faith reporting of events that turn out to be benign.

5. Reporting Procedure

When a security event is observed or suspected, the reporter should follow these steps:

  1. Notify immediately: Contact the Security Officer via Slack (#security-incidents) or email (security@h33.ai). For P1 Critical events, also call the Security Officer directly.
  2. Document the event: Record the following information as completely as possible:
    • Who: Who observed the event? Who may be involved?
    • What: What happened? What systems, data, or services are affected?
    • When: When was the event first observed? Is it ongoing?
    • Where: What systems, networks, or physical locations are involved?
    • How: How was the event detected? What indicators were observed?
  3. Preserve evidence: Do not delete logs, emails, files, or other potential evidence. Take screenshots if possible. Note any error messages or system states.
  4. Do not attempt remediation: Unless explicitly authorized by the Security Officer, do not attempt to fix, investigate, or remediate the issue. Unauthorized actions may destroy evidence or worsen the situation.
  5. Maintain confidentiality: Do not discuss the event with unauthorized individuals. Do not post details on public channels, social media, or external platforms.

6. Severity Levels

The Security Officer will classify each reported event according to the following severity levels:

P1 Critical

Examples: Active data breach with confirmed data exfiltration, compromised production credentials or signing keys, full system compromise, ransomware deployment

Response time: Within 15 minutes

Actions: Immediate containment, Security Officer + CEO notified, all-hands incident response, customer notification preparation, legal counsel engaged

P2 High

Examples: Suspected breach under investigation, active DDoS attack, production service outage with security implications, unauthorized access to internal systems

Response time: Within 1 hour

Actions: Security Officer leads investigation, affected systems isolated if needed, incident ticket created, stakeholders updated hourly

P3 Medium

Examples: Policy violation by employee, suspicious but unconfirmed activity, phishing email targeting multiple employees, misconfigured security control detected

Response time: Within 4 hours

Actions: Security Officer assesses and assigns, corrective action planned, monitoring increased on affected systems

P4 Low

Examples: Failed login attempts below threshold, minor configuration anomalies, routine vulnerability scan findings, single phishing email (reported, not clicked)

Response time: Within 24 hours

Actions: Security Officer reviews and logs, tracked for trend analysis, addressed in next maintenance window if applicable

7. Escalation Path

Security events follow the escalation path below. Each level is notified when the event meets the criteria for that level, or when the lower level cannot adequately resolve the event.

Reporter (any H33 personnel) | v Security Officer (Eric Beans, CEO/CISO) | -- Classifies severity, initiates response v CEO / Executive Team | -- Notified for P1/P2 events v Legal Counsel | -- Engaged if data breach confirmed or suspected v Affected Customers | -- Notified within 72 hours (GDPR) | -- Notified within 60 days (HIPAA) v Regulators (if required) -- HHS (HIPAA breaches affecting 500+ individuals) -- State AG (per applicable breach notification statutes)

8. Post-Incident Review

Following the resolution of any P1 or P2 security incident (and optionally for P3 events), the Security Officer will conduct a post-incident review within 5 business days. The review covers:

  • Root Cause Analysis: What was the root cause? Was it a technical failure, human error, or process gap?
  • Timeline: Detailed timeline of detection, escalation, containment, and resolution
  • Impact Assessment: What data, systems, or customers were affected? What was the business impact?
  • Corrective Actions: What changes to controls, configurations, policies, or training are needed to prevent recurrence?
  • Lessons Learned: What worked well in the response? What should be improved?
  • Policy Updates: Are any security policies or procedures inadequate and requiring revision?

Post-incident reports are retained for a minimum of 3 years and are available to auditors upon request.

9. Non-Retaliation

H33 maintains a strict non-retaliation policy for security event reporting:

  • Good-faith reporting of security events is protected. No employee or contractor will face disciplinary action, termination, or other retaliation for reporting a suspected security event in good faith.
  • Anonymous reporting is available via the anonymous reporting channel. Anonymous reports receive the same priority and investigation as attributed reports.
  • Retaliation against a reporter is itself a policy violation subject to disciplinary action, up to and including termination.

10. Training and Awareness

All H33 personnel receive training on this procedure during onboarding and annually thereafter. Training covers:

  • How to recognize security events
  • Reporting channels and procedures
  • Examples of reportable events specific to H33 (cryptographic operations, cloud infrastructure, authentication systems)
  • Non-retaliation protections
  • Evidence preservation best practices

11. Review

This procedure is reviewed annually by the CEO/CISO, or more frequently following a significant security incident, organizational change, or regulatory update.

Version Date Author Change Description
1.0 March 8, 2026 Eric Beans Initial security event reporting procedure

Next scheduled review: March 2027

Report a Security Event

Email: security@h33.ai | Slack: #security-incidents