DIY information security policy template for not-for-profits

Define and document your security practices and processes with our information security templates.

It might seem like not-for-profits (NFPs) are small targets for cyber criminals (or threat actors), but it’s this train of thought that makes them particularly vulnerable to cyber-attacks.

Without a formal security policy in place, not-for-profits will find it almost impossible to address potential cyber security risks appropriately. In this article we’ll cover the foundations of establishing an Information Security Policy and offer recommendations on select controls to strengthen your organisation’s security in an increasingly online and digital world.

Information Security Policy

An Information Security Policy is one of the most important documents an NFP can have in place to protect its organisation and respond to any information security or cyber incidents.

This policy should act as a reference point during cyber-related incidents and help employees understand what their responsibilities are in relation to cyber security.

While information security policies might differ across organisations, listed below are some key policy themes that should be included:

  • Governance and Policy Foundation
  • Access and Identity Management
  • Technology and Data Protection
  • People and Awareness

It may also cover more technical information security controls such as:

  • Identification controls
  • Protective controls
  • Detective controls
  • Response and Recovery controls

In collaboration with Infoxchange, PwC Australia has developed an Information Security Policy Template which includes details on each of those sections above and is a great resource tailored for NFPs of different sizes and risk profiles. We encourage you to download and customise this template to define and formally document your organisation’s cyber security practices and processes.

Take control of your cyber risk

We highly recommend that every NFP organisation develops an information security policy to protect their organisation. With a detailed and considered policy in place, you can be confident that security risks will be appropriately addressed, managed and remediated in a timely manner.

Further Reading

Information and cyber security doesn’t happen in a digital vacuum. It’s important to consider what other parts of the organisation can inform or help frame your information security policy. Read our other article, “How your whole organisation informs your cyber security”, to learn more.

Also consider implementing this policy in conjunction with an end-user security policy and privacy policy to provide a strong foundation for the protection of your organisation’s information and operations.

An accompanying IT security register template is also available for download – this register will assist your organisation in the implementation of some of the security measures outlined in the policy.

Applying what you have learned

Below are some files and external links that can help you take action on what you read.

Assets you can download
IT Security Register Template
Information Security Policy Template
