Compliance Dashboard AI Act Art. 50 GDPR Accountability Access & Suppliers Security Intake

Use this page to define how HEA-World receives, triages, records, fixes, and closes security incidents and vulnerability reports. This is a process scaffold until a monitored contact path and incident evidence exist.

Framework Rows

ISO27001-6, NIS2-21-2, NIS2-21-5, NIS2-21-6

Public Copy Rule

Do not publish a security contact on the trust page until the path is monitored and has an accountable owner.

Source Plan

private/technology&Architecture/compliance/20260706_quick_win_compliance_closure_plan.md

Intake Note Fields

Field What To Capture Evidence Expectation
Contact pathSecurity email or monitored form.Confirmed as monitored before public trust-page use.
Intake ownerNamed role responsible for first review.Use a role, not only a person, so ownership survives handoff.
Severity levelsCritical, high, medium, low with short HEA-specific examples.Severity must drive triage target and escalation.
Triage SLA targetInitial review target by severity.Record target and actual timestamps when incidents occur.
Evidence capturedReporter, timestamp, affected system, data exposure, user impact, requestId/log IDs, containment decision.No secrets or raw credentials in incident notes.
Notification decisionWho decides whether customer or regulatory notification may be needed.Decision timestamp and rationale must be recorded.
Remediation recordWhere fix, guardrail, changelog, and lessons learned are recorded.Link PR, guardrail, and wegotitwrong.md entry when relevant.