6.1. A confidential system for reporting data security and protection breaches and near misses is in place and actively used

6.2. All user devices are subject to anti-virus protections while email services benefit from spam filtering and protection deployed at the corporate gateway

6.3. Known vulnerabilities are acted on based on advice from CareCERT, and lessons are learned from previous incidents and near misses