Digital Security Policy Template for Nonprofits

Assessing Risk

To decide how best to use limited resources to protect your organization, first you need to think through possible worst case scenarios, and decide which are most important. Security professionals call this “threat modeling.” According to the EFF, “Security isn’t just about the tools you use or the software you download. It begins with understanding the unique threats you face and how you can counter those threats.” The EFF has a great guide on how to think about threat modeling here. The key is to identify a small number (like 3–5) of worst case scenarios that could actually happen to your organization that would have catastrophic consequences. Then you can build your security objectives and security plan around avoiding these worst case scenarios. Below are some example worst case scenarios to consider.

Choosing Security Objectives

Once you’ve identified ~3–5 worst case scenarios for your organization, now you can define your security objectives: what you will protect with your security policies and why. This involves a complex set of choices, because adding rules usually means adding work, cost, and time. The security benefits need to justify the costs. Some productivity tools trade off security and usability, some policies are so cumbersome that users work around them, and some protections are too expensive for small or medium organizations to afford. It’s important to choose tradeoffs that make the best use of your limited money and time, and that support processes your staff can and will actually use. Here are some tradeoffs to consider.

Sample Security Objectives:

  • Use paid versions of off-the-shelf productivity tools that allow for control over data retention and access management
  • Always adopt end-to-end encryption if it’s available.
  • Adopt more user-friendly collaboration tools for most communication, and more secure collaboration tools for communication that needs to be explicitly private and protected.
  • Invest time and effort training staff to protect themselves from phishing attacks
  • Protect member personal identifying information in all systems
  • Use the principle of least privilege to grant access to data and systems. Instead of by default granting everyone access to everything, be intentional about what data, systems, and strategic communication access is granted to staff and allies.

Sample Digital Security Policies

Once you’ve identified your most important worst case scenarios, and have defined security objectives that will guide you in protecting against these scenarios, you can write out security policies for your organization.

Sample Security Checklist For Staff

  • Password protect your phone and computer
  • Enable Multi-Factor Authentication or 2-Step Verification on email
  • Enable Login Verification or Multi Factor Authentication on all social media accounts including Facebook, Twitter, and Instagram
  • Audit Account Recovery settings, especially for email: confirm that you can access your email’s ‘account recovery’ phone / email, and that the account recovery email address is also protected with Multi Factor Authentication
  • If you use gmail, perform a “Security Checkup” on your google account to recent access locations and authorized apps are legitimate:
  • Call your cell phone provider and put a pin on your cell phone account, to protect from SIM swap attacks
  • Be vigilant about the ongoing risk of email phishing
  • Be vigilant about social media impersonation attacks: verify all connection requests and direct messages and only share personal information with verified accounts
  • Use a password manager to store passwords
  • Use only strong passwords (longer is better), and never reuse passwords across accounts
  • Keep all devices including phone and laptop up to date with software updates

Sample Personal Data Access Policy

  • Do not share any staff personal identifying information internally or externally without consent of the staff member
  • Do not forward email between organization’s email and your personal email. Do not use your personal email to manage, edit, or share the organization’s documents.
  • Require permission to bulk download member email personal identifying information
  • Delete all user data files after using
  • Do not store lists of members or staff private information outside of approved document storage systems

Sample Retention Policies

Why should you care about retention policies? External parties can’t subpoena and hackers can’t steal information you do not store.

  • Retain organizational email for 6 month window, and auto-delete email older than 6 months
  • Retain chat messages for 90 days, and auto-delete chat older than 90 days
  • Retain documents for a 6 month window, and auto-delete documents older than 6 months

Sample Credential Management Policy

  • Use a password manager to store personal credentials, team credentials, to generate random strong passwords, and to safely copy and paste passwords when in public environments, like working from a coffee shop.
  • When possible, teams should grant each user their own account, and avoid sharing accounts whenever possible.
  • Use a password manager vaults for sharing credentials, and do not share passwords via google docs, email, chat, wiki, SMS.
  • Avoid using listservs or groups for account usernames when possible. For example, if your organization’s Twitter account’s username is then anyone subscribed to this group can change your org’s twitter password using Twitter’s “forgot password” feature.
  • Always use 2 factor authentication when it’s available for accounts, including email, social media, and web-based services.
  • Never reuse passwords.
  • Always use strong passwords. All systems and data are only as safe as the weakest staff password.

Sample device policy:

  • Password protected
  • Enable disk encryption
  • Enable firewall
  • Keep current with its software updates
  • Use privacy screens and webcam covers

Sample email administration policy:

  • Enable multi-factor enforcement org-wide.
  • Disallow auto-forwarding to external accounts, because you can’t control whether these external accounts have multi-factor enforcement enabled, and your org assets and data accessible via email are only as secure as the least secure account.
  • Disallow any 3rd party email integrations that request deep access to staff email accounts. Explicitly whitelist approved integrations.
  • New accounts should be created with temporary passwords that force a password change on first login.
  • Disable POP and IMAP access.

Examples of most secure tools

Some data, communication, and processes need to be treated with the most security and protection. To achieve this goal, default to end-to-end encrypted tools, and communication mechanisms that leave minimal digital traces.

Sample Emergency Guidance for Staff

“Has my email been hacked?”

  • If there’s any suspicion or doubt, change your password immediately
  • Go through your email provider’s security audit processes, check for any access that appears to be someone other than you, also verify your account recovery methods
  • Ask an email admin to run administrative reports on document access and email history to better understand what data (if any) was leaked
  • Identify which other accounts had this email address specified as the backup email (like social media or bank accounts), and change all the passwords on those accounts too
  • If you are at all unsure about whether the email is a phishing email, do not click on any of the links in this email, do not forward the email to others, and do not open any attachments.
  • Submit untrusted links and files to VirusTotal, an online service that checks files and links against several different anti-virus engines and reports the results.
  • Take a screenshot and ask for advice but please do not mass forward the email.
  • If there’s any suspicion or doubt about what you clicked on or what you typed your email and password into, change your password immediately, and follow the steps listed above



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Ann Lewis

Ann Lewis

Mission-driven tech exec, CTO, formerly senior advisor SBA, CTO MoveOn