Do you have an Incident / Event Response team with defined roles and response-related qualifications available 24x7x365?
Is there an event reporting mechanism to support the reporting action, and to list all necessary actions in case of an information security event?
Do you have a formal disciplinary process for dealing with those who commit a security breach?
Is there a feedback process to ensure those reporting information security events are notified of the results after the issue has been dealt with and closed?
Is there a documented policy for incident management that has been approved by management, communicated to appropriate constituents, and assigned an owner to maintain and review the policy?