When you notice a security violation by someone you know, what is the appropriate action?

Noticing a security violation means you should escalate it through the proper channels so it can be investigated and handled correctly. The ISSO is the designated official responsible for information security incidents and policy enforcement. Reporting to the ISSO ensures the incident is managed consistently, evidence is preserved, and the right steps—containment, notification, remediation—are taken without exposing you to unnecessary risk or violating privacy rules. Confronting the person privately can put you at risk, may reveal sensitive details, and can interfere with the formal investigation. Ignoring it leaves a vulnerability open and could put others at risk. Posting publicly can violate confidentiality, possibly defame someone, and bypass the official process needed to address the incident.