Incident reporting training module
Last reviewed 2026-05-07
Purpose
This is the required incident-reporting training module for HiringCoachAI personnel. It explains what to report, how quickly to report it, and what not to do when something might affect security, privacy, availability, or customer trust.
The full response plan is covered under incident response. This module is the signable training artifact for personnel.
1. Report Early
Report anything that might be a security, privacy, availability, or abuse incident. Early reports are better than delayed certainty.
Examples include:
- Lost or stolen device, authenticator, or credential.
- Suspicious login, MFA prompt, email, link, attachment, or document share.
- Customer data sent to the wrong place.
- Public exposure of an internal document.
- Possible vulnerability, auth bypass, data leak, or unauthorized access.
- Major outage, data corruption, or failed backup or restore process.
- Vendor alert involving a HiringCoachAI sub-processor.
2. Use The Right Contact
Report internally to the Security Officer. External vulnerability reports go to [email protected] through the responsible disclosure process.
Privacy issues should also be routed to the Privacy Officer at [email protected].
3. Preserve Evidence
Do not delete logs, screenshots, documents, emails, browser history, or suspicious files just because they look bad. Preserve the facts and let the Incident Commander decide what to collect.
Useful details include time, URL, user, device, system, error message, screenshot, affected account, and what action was taken before the report.
4. Avoid Uncoordinated Fixes
If customer data, production systems, credentials, or evidence may be involved, do not perform a deep investigation alone. Stop the risky action if you can do so safely, then escalate.
Do not notify customers, vendors, regulators, law enforcement, or public channels unless the Incident Commander assigns that responsibility.
5. Understand Severity In Plain Terms
| Severity | Plain meaning |
|---|---|
| Sev 1 | Confirmed breach, major data exposure, ransomware, or widespread outage |
| Sev 2 | Suspected breach, major outage, serious vulnerability, or payment-impacting failure |
| Sev 3 | Limited incident, partial outage, or vulnerability with bounded impact |
| Sev 4 | Minor issue with no customer impact |
The Security Officer assigns final severity and coordinates containment, communications, recovery, and post-incident review.
Acknowledgment
By acknowledging this module in /admin/onboarding, I confirm that I understand what to report, will report potential incidents promptly, will preserve evidence, and will not make external notifications unless assigned to do so.