Best-practice cyber security governance

Cyber security for NFP Boards

Cyber security is a business function, not a specific technology function. Board members need to know enough about cyber security to be able to have strategic discussions with staff and specialists and understand the right questions to ask, but they don’t need to be technical experts.

The Australian Institute of Company Directors (AICD) has published a comprehensive guide to cyber security governance principles. The accompanying Snapshot and the SME and NFP Director Checklist documents are a great place for SME/NFP Directors to start. 

The five sets of governance principles cover roles and responsibilities, cyber strategy, cyber risk management, creating a cyber resilient culture and cyber incident planning. The Snapshot provides some great questions covering these five areas:

1. Does the board understand cyber risks well enough to oversee and challenge?
2. Who has primary responsibility for cyber security in our management team?
3. Who has internal responsibility for the management and protection of our key digital assets and data?
4. Where, and with whom, are our key digital assets and data located?
5. Is cyber risk specifically identified in the organisation’s risk management framework?
6. How regularly does management present to the board or risk committee on the effectiveness of cyber risk controls?
7. Is cyber security training mandatory across the organisation and is it differentiated by area or role?
8. How is the effectiveness of training measured?
9. Do we have a Cyber Incident Response Plan, including a comprehensive communications strategy, informed by simulation exercises and testing?
10. Can we access external support if necessary to assist with a significant cyber security incident?

Australian NFP’s also need to understand legislative obligations including privacy laws, the Notifiable Data Breaches Scheme, state-specific legislation and potentially legislation pertaining to health records.

For more information, see these resources:

• The AICD’s Cyber Security Governance Principles provides Snapshot and Checklist documents for SME and NFP Directors; many of the operational elements are covered within our Cyber Security Capability Framework. It also provides a comprehensive set of principles applicable to boards of larger organisations
• Privacy guidelines for not-for-profits developed by Pricewaterhouse Coopers Australia, covering obligations under the Privacy Act, the Australian Privacy Principles and the Notifiable Data Breaches Scheme
• Justice Connect’s fabulous guide to Privacy laws for NFP’s including fact sheets on Privacy, AI and Cyber Security
• Our Guide to Data Sharing Agreements and Data Privacy Resources includes links to First Nations Data Sovereignty resources and for state-specific legislation
• UTS Open (University of Technology Sydney) provide a great short course, Cybersecurity for Company Directors, see Cybersecurity for Company Directors (online) - UTS Open

Cyber security for NFP Managers

Recommended cyber security policies and governance approaches include the following:

• Everyone in your organisation undertakes cyber security awareness training. Our free Cyber Security Essentials training is available if you do not yet have anything in place.
• You have implemented an end-user security policy – if you don’t have one, you can download our template and modify it to your organisation’s needs
• You have implemented an information security policy to govern the organisation’s cyber security – again, if you don’t have one you can download our template and modify it to your organisation’s needs
• Your organisational risk management processes include a cyber security component
• Cyber security incident response processes are well established. The information security policy template noted above gives an overview of what’s needed in an incident response process or plan.
• You’ve taken out cyber security insurance, if it is appropriate to your organisation’s needs.

More broadly, what you need to do will depend on your organisation’s size, the sophistication of the systems and technology you manage, and sensitivity of the information you hold and use.

• For starters, every organisation must implement these fundamental security measures: Cyber Security Essentials. This basic level of cyber security capability might be sufficient for small, virtual organisations that use only a few cloud systems such as Google Workspace, and don’t own and manage desktop or laptop computers (or for that matter servers!)
• Many non-profit organisations will have some infrastructure to manage and/or hold sensitive data. They will want to progress to an intermediate level of cyber security capability: Achieving intermediate cyber security.
• Where significant risks or obligations require further mitigation, and resources permit, organisations that have achieved intermediate capability might work towards advanced capability. This will include consideration of Maturity Level 2 or 3 compliance with the ASD’s Essential Eight, and of an external certification such as ISO 27001. See Achieving advanced cyber security.

We offer a range of training resources to support your journey, covering such topics as Cyber Security Essentials for NFP Staff, Cyber security self-assessment & work plan development, and Cyber security for NFP managers.