Incident Communication Policy

Control 17
Applicable Safeguards: 17.1, 17.2, 17.7

1. Purpose

Establish requirements for internal and external communications during and after cybersecurity incidents to ensure accurate, timely, and coordinated messaging.

2. Scope

This policy applies to all communications related to cybersecurity incidents at [ORGANIZATION], including internal notifications, external disclosures, regulatory notifications, and media communications.

3. Policy

3.1 Internal Communications

3.1.1

Internal incident communications shall be coordinated by the Incident Commander and Communications Lead as defined in the Incident Response Policy.

3.1.2

Internal stakeholder notification shall follow this escalation path: for P1 incidents, the CEO, executive team, and board (as appropriate) shall be notified within [CUSTOMIZE: 1 hour] of confirmation; for P2 incidents, the CISO, CIO, and affected department heads shall be notified within [CUSTOMIZE: 4 hours]; for P3/P4 incidents, security management shall be notified through the standard workflow.

3.1.3

All internal communications shall use pre-approved templates where available and shall be factual without speculation.

3.1.4

Incident communications shall use secure channels (encrypted email, secure messaging) and shall not include technical indicators of compromise that could aid an attacker.

3.2 External Communications

3.2.1

All external communications regarding security incidents shall be approved by [CUSTOMIZE: Legal/CISO/CEO] before release.

3.2.2

Only designated spokespersons may communicate with media regarding security incidents. All media inquiries shall be directed to [CUSTOMIZE: Communications/PR team].

3.2.3

Customer notifications shall be clear, actionable, and include: description of the incident, data or services affected, steps [ORGANIZATION] is taking, steps the customer should take, and contact information for questions.

3.2.4

Law enforcement notification shall be coordinated by [CUSTOMIZE: Legal/CISO] when the incident involves criminal activity.

3.3 Regulatory Notifications

3.3.1

[ORGANIZATION] shall maintain a register of all applicable breach notification requirements by jurisdiction and regulation.

3.3.2

Regulatory notifications shall be submitted within required timeframes and shall include all information required by the applicable regulation.

3.3.3

Copies of all regulatory notifications shall be retained by [CUSTOMIZE: Legal Department] for at least [CUSTOMIZE: 7 years].

4. Compliance

4.1

Compliance with this policy is mandatory for all personnel within its scope. Compliance will be monitored through periodic audits, automated controls, and management review.

4.2

Exceptions to this policy must be documented with a business justification, approved by [CUSTOMIZE: CISO/Security Team], and reviewed at least annually.

5. Enforcement

5.1

Violations of this policy may result in disciplinary action up to and including termination of employment or contract, and may result in civil or criminal penalties where applicable law has been violated.

5.2

[ORGANIZATION] reserves the right to audit compliance with this policy at any time, with or without notice.

6. Review and Revision

6.1

This policy shall be reviewed at least annually by [CUSTOMIZE: CISO/Policy Owner] and updated as necessary to reflect changes in the threat landscape, regulatory requirements, or organizational structure.

6.2

All revisions shall be documented with version number, date, author, and description of changes.

Policy Approval

Approved By: [CUSTOMIZE]
Title: [CUSTOMIZE]
Date: [CUSTOMIZE]

Document Control

Version: [CUSTOMIZE: 1.0]
Effective Date: [CUSTOMIZE]
Last Reviewed: [CUSTOMIZE]
Next Review: [CUSTOMIZE]
Classification: Internal